Create Interactive Tour

Windows Analysis Report executable.3496.exe

Overview

General Information

Sample Name:	executable.3496.exe
Analysis ID:	472876
MD5:	829f581ea7ed786659c108d120b5b6a9
SHA1:	4ae15eb539b2cd0e8fb24d8f3542c57a35771095
SHA256:	2a3699b5ab055f7811ed19efbebd7e6774f27e5410303e7b82b80c72809f7793
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found large amount of non-executed APIs

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

executable.3496.exe (PID: 6332 cmdline: 'C:\Users\user\Desktop\executable.3496.exe' MD5: 829F581EA7ED786659C108D120B5B6A9)

WerFault.exe (PID: 6392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

• AV Detection
• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: executable.3496.exe	Virustotal: Detection: 58%			Perma Link
Source: executable.3496.exe	ReversingLabs: Detection: 80%

Machine Learning detection for sample

Show sources

Source: executable.3496.exe

Joe Sandbox ML: detected

Source: executable.3496.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_35012593 FindFirstFileExW,

0_2_35012593

Source: executable.3496.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\executable.3496.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 244

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_35017755

0_2_35017755

Source: executable.3496.exe	Virustotal: Detection: 58%
Source: executable.3496.exe	ReversingLabs: Detection: 80%

Source: executable.3496.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\executable.3496.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\executable.3496.exe 'C:\Users\user\Desktop\executable.3496.exe'
Source: C:\Users\user\Desktop\executable.3496.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 244

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6332

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER98C9.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.winEXE@2/4@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: executable.3496.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_3500E416 push ecx; ret

0_2_3500E429

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\executable.3496.exe

API coverage: 3.0 %

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_35012593 FindFirstFileExW,

0_2_35012593

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_3500E1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_3500E1CC

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_3500FC20 mov eax, dword ptr fs:[00000030h]

0_2_3500FC20

Source: C:\Users\user\Desktop\executable.3496.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_35013F9E GetProcessHeap,

0_2_35013F9E

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_35012CAC KiUserExceptionDispatcher,LdrInitializeThunk,

0_2_35012CAC

Source: C:\Users\user\Desktop\executable.3496.exe	Code function: 0_2_3500E1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_3500E1CC
Source: C:\Users\user\Desktop\executable.3496.exe	Code function: 0_2_3500E5EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_3500E5EC
Source: C:\Users\user\Desktop\executable.3496.exe	Code function: 0_2_3500E31A SetUnhandledExceptionFilter,	0_2_3500E31A
Source: C:\Users\user\Desktop\executable.3496.exe	Code function: 0_2_35011B2A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_35011B2A

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_3500E42B cpuid

0_2_3500E42B

Source: C:\Users\user\Desktop\executable.3496.exe

Code function: 0_2_3500E0B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_3500E0B5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery12	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
executable.3496.exe	59%	Virustotal		Browse
executable.3496.exe	81%	ReversingLabs	Win32.Ransomware.Ryuk
executable.3496.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	472876
Start date:	27.08.2021
Start time:	16:34:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	executable.3496.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winEXE@2/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 90.8%) Quality average: 76.9% Quality standard deviation: 32.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 23.54.113.53, 20.189.173.21 Excluded domains from analysis (whitelisted): www.bing.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, dual-a-0001.dc-msedge.net, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, arc.trafficmanager.net, watson.telemetry.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
16:35:47	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_executable.3496._2f4d489d292467db7bb9c60377a24cefa18a9ce_c02d03de_18b9a0d7\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.7656477668981436
Encrypted:	false
SSDEEP:	192:OpqrtRokIHBUZMXBgJjx/u7sAS274ItMtPY:tHkBUZMXojx/u7sAX4ItEY
MD5:	A7FA68C449B035ED7FFD387E40BFD8B4
SHA1:	2C2CCB292B5D5B5F2A76860EEDD96C0FE807F5B1
SHA-256:	B303CE1A12BF2E1B02F59B032982EE3BA16DEA8BD3CF4D009C13D4B9F6AD7875
SHA-512:	94C665CF53B780CDF4D8F38271EFBF5A046963BA4D948D69047C2E765138959A1D46DE0A2A7A4250F41F21D9BE0854F2488FE027435FAB27D99B0146F8A6C804
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.4.5.8.0.9.4.4.9.7.8.9.3.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.4.5.8.0.9.4.5.6.3.5.1.6.9.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.0.a.9.a.7.6.6.-.a.9.9.1.-.4.1.c.6.-.a.0.d.6.-.b.a.3.c.a.d.6.4.5.5.a.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.2.d.a.b.7.9.4.-.e.d.a.f.-.4.7.6.c.-.9.e.4.b.-.e.e.1.7.e.7.8.9.2.f.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.x.e.c.u.t.a.b.l.e...3.4.9.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.b.c.-.0.0.0.1.-.0.0.1.7.-.0.e.6.d.-.3.b.4.0.9.c.9.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.2.5.a.6.2.3.5.3.6.2.9.3.d.0.0.c.2.c.2.7.0.c.d.b.f.2.8.5.7.8.3.0.0.0.0.f.f.f.f.!.0.0.0.0.4.a.e.1.5.e.b.5.3.9.b.2.c.d.0.e.8.f.b.2.4.d.8.f.3.5.4.2.c.5.7.a.3.5.7.7.1.0.9.5.!.e.x.e.c.u.t.a.b.l.e...3.4.9.6...e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER98C9.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Aug 27 23:35:45 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	30934
Entropy (8bit):	2.104562275316761
Encrypted:	false
SSDEEP:	192:sMzaQXSzA/i03wB4xHPh2nHpJ7HCWo1GDI3z3m:ssizAFgB4FPYvuW1I3jm
MD5:	B128E8104287CEB29A6D5CFDF39F5CAC
SHA1:	10D4041CAF5AA05DDBB5E8560FB6A9564EAD845C
SHA-256:	6BE4D9588BE9BD564D951558F4273833B4EF882E0F80D10EE6D52A524CC01B1A
SHA-512:	CA5892BB70679287BC4C0B3943C9D54020B9CFA1EC37DF27169FDEF04474F518F400B90A440DDB7BC554D40AEE943D123908A87E0E8B3FEA0EB79A32BC2DEDE4
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........v)a...................U...........B..............GenuineIntelW...........T............v)a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER99F3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.691949168889117
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi2sR6fSuJ6YSZSUVfSZywGgmfXIRSECprn89bAwsfDAm:RrlsNiF6fSuJ6YMSUVfXgmfSSkADfh
MD5:	BE4C2DBD109FCCD2F1592E9AD7A90E10
SHA1:	79E7F398EF3B33E8B73125DD84A44B2E65750EAA
SHA-256:	D428B558A1B561A7D064A5AF87B0DF7CEB4C410E2AD75B55D9FD3226B912C6A5
SHA-512:	E1C85C572960260C98BC064C36A1DF74B9F84CF53D28D98D7E72A4F92E2B5216F2B5EA6E7802D7B03CFEA6D0D554A55635985D4BDACF5DC6763ECC81CEE3DE55
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ABF.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.452944670999602
Encrypted:	false
SSDEEP:	48:cvIwSD8zsTJgtWI96MWSC8B58fm8M4JnLEhFkm+q8aWEiFYdyd:uITftJlSN0JnAgm1WxYdyd
MD5:	6DEB431831BD689040206BE6A2EB9BFA
SHA1:	096372C9DD5E6BED47C9ACE20A620F4F55C63E19
SHA-256:	08DCBBAF82998BF10158781C5FC96B716694947C95B1D32235655AF67E5F6AB5
SHA-512:	394D6DBE9EB370E832A34F766E0DB6CFEEF0082A2886DF29DD0AAA2D25E9FFA62C428A8B1E4105F2A259D05D52BDF8C1D04D54F79DC4C5B25BF052B8A68B108C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1141006" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.356513503075238
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	executable.3496.exe
File size:	139776
MD5:	829f581ea7ed786659c108d120b5b6a9
SHA1:	4ae15eb539b2cd0e8fb24d8f3542c57a35771095
SHA256:	2a3699b5ab055f7811ed19efbebd7e6774f27e5410303e7b82b80c72809f7793
SHA512:	0f31f485ee4f5eea300dfe08bf320657936a662d7021b97663c365af8f25fe5d70f367266086c39f398dda63bbda42f5effc40e7022c4dfb19c8249eb7ead5f4
SSDEEP:	1536:tpZd1G9590t6Kgc04DiMYdFETPHTcQUzRpl4PHOA14yLU0VeXA8W6QM88xRNiv:MKgSkEHezRpl4vOA19o26/883Ev
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.UgY.UgY.UgY.....\gY.....,gY.....MgY..9Z.FgY..9\.HgY..9].GgY.\...PgY.UgX.6gY..9\.WgY..9[.TgY.RichUgY.........PE..L.....k`...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x3500de43
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x35000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x606BE28E [Tue Apr 6 04:24:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	cbfa324cd4feacb8ad7b2aeb97b2deec

Entrypoint Preview

Instruction
call 00007F9C2C800852h
jmp 00007F9C2C800473h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F9C2C8005FBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F9C2C8005ECh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F9C2C8005EEh
add edx, 28h
cmp edx, esi
jne 00007F9C2C8005CCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F9C2C8005DBh
call 00007F9C2C800D1Eh
test eax, eax
jne 00007F9C2C8005E5h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 3502A420h
mov edx, dword ptr [eax+04h]
jmp 00007F9C2C8005E6h
cmp edx, eax
je 00007F9C2C8005F2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F9C2C8005D2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F9C2C8005E9h
mov byte ptr [3502A43Ch], 00000001h
call 00007F9C2C800B35h
call 00007F9C2C80155Bh
test al, al
jne 00007F9C2C8005E6h
xor al, al
pop ebp
ret
call 00007F9C2C80363Eh
test al, al
jne 00007F9C2C8005ECh
push 00000000h
call 00007F9C2C80156Ch
pop ecx
jmp 00007F9C2C8005CBh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 0Ch
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e39c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1dce0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1dd18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19000	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x17dc7	0x17e00	False	0.41540207788	data	5.57319886808	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x19000	0x5a6e	0x5c00	False	0.271144701087	data	3.8361973718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1f000	0xbf44	0x4200	False	0.491714015152	b.out overlay separate segmented standalone executable V2.3 V3.0 86 Large Data Huge Objects Enabled	4.97072422041	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x2b000	0xac	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

GetProcAddress, VirtualFree, GetCurrentProcess, CreateThread, GetCurrentThread, SetLastError, WaitForMultipleObjects, Sleep, SetEndOfFile, CloseHandle, WinExec, GetLocalTime, GetTickCount, LoadLibraryA, GetSystemDirectoryA, CreateFileW, DecodePointer, WriteConsoleW, SetFilePointerEx, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, TerminateProcess, RtlUnwind, GetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleCP, GetConsoleMode, RaiseException

WS2_32.dll

htons, htonl, bind, inet_addr

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 27, 2021 16:35:38.169054031 CEST	51281	53	192.168.2.3	8.8.8.8
Aug 27, 2021 16:35:38.204761028 CEST	53	51281	8.8.8.8	192.168.2.3
Aug 27, 2021 16:35:38.212332964 CEST	49199	53	192.168.2.3	8.8.8.8
Aug 27, 2021 16:35:38.247772932 CEST	53	49199	8.8.8.8	192.168.2.3
Aug 27, 2021 16:35:40.967178106 CEST	50620	53	192.168.2.3	8.8.8.8
Aug 27, 2021 16:35:40.998542070 CEST	53	50620	8.8.8.8	192.168.2.3
Aug 27, 2021 16:35:46.327852964 CEST	64938	53	192.168.2.3	8.8.8.8
Aug 27, 2021 16:35:46.347826958 CEST	53	64938	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

• executable.3496.exe
• WerFault.exe

Click to jump to process

Memory Usage

• executable.3496.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• executable.3496.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: executable.3496.exe PID: 6332 Parent PID: 3352

Function Logs

General

Start time:	16:35:42
Start date:	27/08/2021
Path:	C:\Users\user\Desktop\executable.3496.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\executable.3496.exe'
Imagebase:	0x35000000
File size:	139776 bytes
MD5 hash:	829F581EA7ED786659C108D120B5B6A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Chronological Activities

Analysis Process: WerFault.exe PID: 6392 Parent PID: 6332

Function Logs

General

Start time:	16:35:44
Start date:	27/08/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 244
Imagebase:	0x120000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Written

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Monitored

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window Created

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: executable.3496.exe PID: 6332 Parent PID: 3352 executable.3496.exeCOMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	1647
Total number of Limit Nodes:	23

Executed Functions

Function 35012CAC, Relevance: .1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E35012CAC(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
				char _v8;
				char _v16;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t31;
				char _t40;
				intOrPtr _t44;
				char _t45;
				signed int _t51;
				void* _t64;
				void* _t70;
				signed int _t75;
				void* _t81;

				_t81 = __eflags;
				_v8 = E3501153C(__ebx, __ecx, __edx);
				E35012DCB(__ebx, __ecx, __edx, _t81); // executed
				_t31 = E35012A40(_t81, _a4);
				_v16 = _t31;
				_t57 =  *(_v8 + 0x48);
				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t70 = E3501103F(_t57, 0x220);
				_t51 = __ebx | 0xffffffff;
				__eflags = _t70;
				if(__eflags == 0) {
					L5:
					_t75 = _t51;
					goto L6;
				} else {
					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
					 *_t70 =  *_t70 & 0x00000000;
					_t75 = E35012E6D(_t51, _t70,  *(_v8 + 0x48), __eflags, _v16, _t70);
					__eflags = _t75 - _t51;
					if(_t75 != _t51) {
						__eflags = _a8;
						if(_a8 == 0) {
							E35010952();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t51 == 1;
						if(_t51 == 1) {
							_t45 = _v8;
							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x35022cf8;
							if( *((intOrPtr*)(_t45 + 0x48)) != 0x35022cf8) {
								E35011005( *((intOrPtr*)(_t45 + 0x48)));
							}
						}
						 *_t70 = 1;
						_t64 = _t70;
						_t70 = 0;
						 *(_v8 + 0x48) = _t64;
						_t40 = _v8;
						__eflags =  *(_t40 + 0x350) & 0x00000002;
						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x35022f78 & 0x00000001;
							if(( *0x35022f78 & 0x00000001) == 0) {
								_v16 =  &_v8;
								E35012916("true",  &_v16);
								__eflags = _a8;
								if(_a8 != 0) {
									_t44 =  *0x35022f18; // 0x5c8620
									 *0x350229e4 = _t44;
								}
							}
						}
						L6:
						E35011005(_t70);
						return _t75;
					} else {
						 *((intOrPtr*)(E35011856())) = 0x16;
						goto L5;
					}
				}
			}

0x35012cac
0x35012cb9
0x35012cbc
0x35012cc4
0x35012ccd
0x35012cd0
0x35012cd6
0x00000000
0x35012cd8
0x35012cdc
0x35012ce9
0x35012ceb
0x35012cef
0x35012cf1
0x35012d21
0x35012d21
0x00000000
0x35012cf3
0x35012d00
0x35012d06
0x35012d0e
0x35012d12
0x35012d14
0x35012d33
0x35012d37
0x35012d39
0x35012d39
0x35012d44
0x35012d48
0x35012d49
0x35012d4b
0x35012d4e
0x35012d55
0x35012d5a
0x35012d5f
0x35012d55
0x35012d60
0x35012d66
0x35012d6b
0x35012d6d
0x35012d70
0x35012d73
0x35012d7a
0x35012d7c
0x35012d83
0x35012d88
0x35012d91
0x35012d96
0x35012d9c
0x35012d9e
0x35012da3
0x35012da3
0x35012d9c
0x35012d83
0x35012d23
0x35012d24
0x00000000
0x35012d16
0x35012d1b
0x00000000
0x35012d1b
0x35012d14

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ErrorLast_abort
String ID:
API String ID: 933726692-0
Opcode ID: 27043c72e71ca26885eebab3e74a6255753ff24abc5661e008f4ddf01b024fb2
Instruction ID: 798316fb5f089618554b045157fd33217864361a5cf6ca9d6d52d02fca9c3d11
Opcode Fuzzy Hash: 27043c72e71ca26885eebab3e74a6255753ff24abc5661e008f4ddf01b024fb2
Instruction Fuzzy Hash: 2831A179A0424AAFE705DBAAE540B9977F5EF403A0F6100DAEC149B290DB739F418B52

Uniqueness

Uniqueness Score: -1.00%

Function 350110D0, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E350110D0(void* __ecx, signed int _a4, signed int _a8) {
				void* __esi;
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t16;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x3502aefc, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E35010A11();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E35011856())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E3501409D(_t15, _t16, _t19, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				_t16 = _t13 % _t18;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x350110d0
0x350110d6
0x350110db
0x350110e9
0x350110e9
0x350110ef
0x350110f1
0x350110f1
0x35011108
0x35011111
0x35011119
0x00000000
0x00000000
0x350110f9
0x350110fb
0x3501111d
0x35011122
0x35011128
0x00000000
0x35011128
0x350110fe
0x35011103
0x35011104
0x35011106
0x00000000
0x00000000
0x35011106
0x00000000
0x35011108
0x350110e1
0x350110e2
0x350110e7
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,350115F1,00000001,00000364,?,35013F7A,?,00000004,00000000,?,?,?,35010D0A), ref: 35011111

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 96c35d24764864b09ddc16096aede8b4bef4dc5e595a64a40a2a310f3fe212db
Instruction ID: b44d5f9f626fb2b2c4cee6695a15f86d1637b140f7a40536fb591e1a713ea73c
Opcode Fuzzy Hash: 96c35d24764864b09ddc16096aede8b4bef4dc5e595a64a40a2a310f3fe212db
Instruction Fuzzy Hash: 08F02B3DA082A067DB195A72FD05A4EB798BF406E0F548091AC05E6040CE73D60246E3

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 35011B2A, Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E35011B2A(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x350228f8; // 0x43699f2c
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E3500E367(_t41);
					_pop(_t62);
				}
				E3500CC80( &_v804, 0, 0x50);
				E3500CC80( &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E3500E367(_t57);
				}
				return E3500E5DB(_v8 ^ _t70);
			}

0x35011b2a
0x35011b2a
0x35011b2a
0x35011b2a
0x35011b35
0x35011b3a
0x35011b3c
0x35011b44
0x35011b46
0x35011b49
0x35011b4e
0x35011b4e
0x35011b5a
0x35011b6d
0x35011b7b
0x35011b81
0x35011b87
0x35011b8d
0x35011b93
0x35011b99
0x35011b9f
0x35011ba5
0x35011bab
0x35011bb1
0x35011bb8
0x35011bbf
0x35011bc6
0x35011bcd
0x35011bd4
0x35011bdb
0x35011bdc
0x35011be5
0x35011beb
0x35011bee
0x35011bf4
0x35011c01
0x35011c0a
0x35011c13
0x35011c1c
0x35011c2a
0x35011c2c
0x35011c41
0x35011c4d
0x35011c50
0x35011c55
0x35011c64

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 35011C22
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 35011C2C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 35011C39

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ddb55360e348f0b6710b0a84a20256854a06445c3242247efbfee11cc51fe514
Instruction ID: e678cafd98e22da39f2939c2f6964c46e8559c9c067663ecf1758501a959a872
Opcode Fuzzy Hash: ddb55360e348f0b6710b0a84a20256854a06445c3242247efbfee11cc51fe514
Instruction Fuzzy Hash: 2931E7B490132C9BCB21DF64E988B8DBBB8BF08710F5041DAE81CA7250EB319B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 3500FC20, Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E3500FC20(int _a4) {
				void* _t14;
				void* _t16;

				if(E350121B5(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E3500FCA5(_t14, _t16, _a4);
				ExitProcess(_a4);
			}

0x3500fc2c
0x3500fc48
0x3500fc48
0x3500fc51
0x3500fc5a

APIs

GetCurrentProcess.KERNEL32(00000003,?,3500FBF6,00000003,3501E070,0000000C,3500FD4D,00000003,00000002,00000000,?,350110CF,00000003), ref: 3500FC41
TerminateProcess.KERNEL32(00000000,?,3500FBF6,00000003,3501E070,0000000C,3500FD4D,00000003,00000002,00000000,?,350110CF,00000003), ref: 3500FC48
ExitProcess.KERNEL32 ref: 3500FC5A

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f122b7a1e158ca80bfe853631ca62b27d2261d48b7b076ccfc4ee845d63122aa
Instruction ID: 038f86b68f245557586d9740af52c6ef52d80e022127da3befaff8ef95912523
Opcode Fuzzy Hash: f122b7a1e158ca80bfe853631ca62b27d2261d48b7b076ccfc4ee845d63122aa
Instruction Fuzzy Hash: FAE0BF39120608AFDF065F65EB09E883B7AFB54291B054454FD4657121CB37EA43DA52

Uniqueness

Uniqueness Score: -1.00%

Function 3500E42B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E3500E42B(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t63;
				intOrPtr _t65;
				signed int _t66;
				signed int _t68;
				intOrPtr _t73;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				signed int _t91;
				signed int _t94;

				_t84 = __edx;
				 *0x3502a45c =  *0x3502a45c & 0x00000000;
				 *0x350228f0 =  *0x350228f0 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v24 = _v24 & 0x00000000;
				 *0x350228f0 =  *0x350228f0 | 0x00000002;
				 *0x3502a45c = 1;
				_t86 =  &_v48;
				_push(1);
				asm("cpuid");
				_pop(_t73);
				 *_t86 = 0;
				 *((intOrPtr*)(_t86 + 4)) = 1;
				 *((intOrPtr*)(_t86 + 8)) = 0;
				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
				_v16 = _v48;
				_v8 = _v36 ^ 0x49656e69;
				_v12 = _v40 ^ 0x6c65746e;
				_push(1);
				asm("cpuid");
				_t75 =  &_v48;
				 *_t75 = 1;
				 *((intOrPtr*)(_t75 + 4)) = _t73;
				 *((intOrPtr*)(_t75 + 8)) = 0;
				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
					L9:
					_t91 =  *0x3502a460; // 0x2
					L10:
					_v32 = _v36;
					_t59 = _v40;
					_v8 = _t59;
					_v28 = _t59;
					if(_v16 >= 7) {
						_t65 = 7;
						_push(_t75);
						asm("cpuid");
						_t77 =  &_v48;
						 *_t77 = _t65;
						 *((intOrPtr*)(_t77 + 4)) = _t75;
						 *((intOrPtr*)(_t77 + 8)) = 0;
						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
						_t66 = _v44;
						_v24 = _t66;
						_t59 = _v8;
						if((_t66 & 0x00000200) != 0) {
							 *0x3502a460 = _t91 | 0x00000002;
						}
					}
					if((_t59 & 0x00100000) != 0) {
						 *0x350228f0 =  *0x350228f0 | 0x00000004;
						 *0x3502a45c = 2;
						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
							asm("xgetbv");
							_v20 = _t59;
							_v16 = _t84;
							if((_v20 & 0x00000006) == 6 && 0 == 0) {
								_t62 =  *0x350228f0; // 0x2f
								_t63 = _t62 | 0x00000008;
								 *0x3502a45c = 3;
								 *0x350228f0 = _t63;
								if((_v24 & 0x00000020) != 0) {
									 *0x3502a45c = 5;
									 *0x350228f0 = _t63 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t68 = _v48 & 0x0fff3ff0;
				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
					_t94 =  *0x3502a460; // 0x2
					_t91 = _t94 | 0x00000001;
					 *0x3502a460 = _t91;
					goto L10;
				} else {
					goto L9;
				}
			}

0x3500e42b
0x3500e42e
0x3500e43c
0x3500e44b
0x3500e5c8
0x3500e5ce
0x3500e5ce
0x3500e451
0x3500e457
0x3500e462
0x3500e468
0x3500e46b
0x3500e46c
0x3500e470
0x3500e471
0x3500e473
0x3500e476
0x3500e47b
0x3500e484
0x3500e495
0x3500e4a0
0x3500e4a6
0x3500e4a7
0x3500e4af
0x3500e4b5
0x3500e4b7
0x3500e4ba
0x3500e4bd
0x3500e4c0
0x3500e505
0x3500e505
0x3500e50b
0x3500e512
0x3500e515
0x3500e518
0x3500e51b
0x3500e51e
0x3500e522
0x3500e525
0x3500e526
0x3500e52b
0x3500e52e
0x3500e530
0x3500e533
0x3500e536
0x3500e539
0x3500e541
0x3500e544
0x3500e547
0x3500e54c
0x3500e54c
0x3500e547
0x3500e559
0x3500e55b
0x3500e562
0x3500e571
0x3500e57c
0x3500e57f
0x3500e582
0x3500e593
0x3500e599
0x3500e59e
0x3500e5a1
0x3500e5af
0x3500e5b4
0x3500e5b9
0x3500e5c3
0x3500e5c3
0x3500e5b4
0x3500e593
0x3500e571
0x00000000
0x3500e559
0x3500e4c5
0x3500e4cf
0x3500e4f4
0x3500e4fa
0x3500e4fd
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 3500E444

Strings

, xrefs: 3500E5AB

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 8822eef830f3b8352b8abd60221e82e487ca98a6b890e16e7162c8bb5b5231f3
Instruction ID: 2821575a53912d76fdf8d1660d157987aafe4b16b726f13f3e37b1cf988cb1e0
Opcode Fuzzy Hash: 8822eef830f3b8352b8abd60221e82e487ca98a6b890e16e7162c8bb5b5231f3
Instruction Fuzzy Hash: 345159B1D153098FEB04CFA9E58569ABBF4FB48715F6084AAD815F7240EB72E502CF90

Uniqueness

Uniqueness Score: -1.00%

Function 35012593, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E35012593(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v28;
				signed int _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				intOrPtr* _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _v644;
				intOrPtr _v648;
				signed int _t40;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				signed int _t51;
				signed char _t53;
				signed int _t62;
				void* _t64;
				union _FINDEX_INFO_LEVELS _t66;
				signed int _t71;
				intOrPtr* _t72;
				signed int _t75;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t89;
				WCHAR* _t90;
				intOrPtr* _t94;
				intOrPtr _t97;
				void* _t99;
				signed int _t100;
				intOrPtr* _t104;
				signed int _t107;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				void* _t114;
				void* _t115;
				signed int _t117;
				void* _t118;
				union _FINDEX_INFO_LEVELS _t119;
				void* _t124;
				void* _t125;
				signed int _t126;
				void* _t127;
				signed int _t132;
				void* _t133;
				signed int _t134;
				void* _t135;
				void* _t136;

				_push(__ecx);
				_t94 = _a4;
				_push(__ebx);
				_push(__edi);
				_t2 = _t94 + 2; // 0x2
				_t110 = _t2;
				do {
					_t40 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t40 != 0);
				_t117 = _a12;
				_t97 = (_t94 - _t110 >> 1) + 1;
				_v8 = _t97;
				if(_t97 <= (_t40 | 0xffffffff) - _t117) {
					_push(__esi);
					_t5 = _t117 + 1; // 0x1
					_t89 = _t5 + _t97;
					_t124 = E350110D0(_t97, _t89, 2);
					_pop(_t99);
					__eflags = _t117;
					if(_t117 == 0) {
						L6:
						_push(_v8);
						_t89 = _t89 - _t117;
						_t45 = E350123A3(_t99, _t124 + _t117 * 2, _t89, _a4);
						_t134 = _t133 + 0x10;
						__eflags = _t45;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t82 = E3501280C(_a16, _t110, __eflags, _t124);
							E35011005(0);
							_t84 = _t82;
							goto L8;
						}
					} else {
						_push(_t117);
						_t85 = E350123A3(_t99, _t124, _t89, _a8);
						_t134 = _t133 + 0x10;
						__eflags = _t85;
						if(_t85 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E35011D04();
							asm("int3");
							_t132 = _t134;
							_t135 = _t134 - 0x260;
							_t48 =  *0x350228f8; // 0x43699f2c
							_v48 = _t48 ^ _t132;
							_t111 = _v28;
							_t100 = _v32;
							_push(_t89);
							_t90 = _v36;
							_push(_t124);
							_push(_t117);
							_t125 = 0x5c;
							_v644 = _t111;
							_v648 = 0x2f;
							_t118 = 0x3a;
							while(1) {
								__eflags = _t100 - _t90;
								if(_t100 == _t90) {
									break;
								}
								_t50 =  *_t100 & 0x0000ffff;
								__eflags = _t50 - _v612;
								if(_t50 != _v612) {
									__eflags = _t50 - _t125;
									if(_t50 != _t125) {
										__eflags = _t50 - _t118;
										if(_t50 != _t118) {
											_t100 = _t100 - 2;
											__eflags = _t100;
											continue;
										}
									}
								}
								break;
							}
							_t126 =  *_t100 & 0x0000ffff;
							__eflags = _t126 - _t118;
							if(_t126 != _t118) {
								L19:
								_t51 = _t126;
								_t119 = 0;
								_t112 = 0x2f;
								__eflags = _t51 - _t112;
								if(_t51 == _t112) {
									L23:
									_t53 = 1;
									__eflags = 1;
								} else {
									_t114 = 0x5c;
									__eflags = _t51 - _t114;
									if(_t51 == _t114) {
										goto L23;
									} else {
										_t115 = 0x3a;
										__eflags = _t51 - _t115;
										if(_t51 == _t115) {
											goto L23;
										} else {
											_t53 = 0;
										}
									}
								}
								_t103 = (_t100 - _t90 >> 1) + 1;
								asm("sbb eax, eax");
								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
								E3500CC80( &_v604, _t119, 0x250);
								_t136 = _t135 + 0xc;
								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119);
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									_t104 = _v608;
									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
									__eflags = _t62;
									_v616 = _t62 >> 2;
									_t64 = 0x2e;
									do {
										__eflags = _v604.cFileName - _t64;
										if(_v604.cFileName != _t64) {
											L36:
											_push(_t104);
											_t66 = E35012593(_t90, _t104, _t119, _t127,  &(_v604.cFileName), _t90, _v612);
											_t136 = _t136 + 0x10;
											__eflags = _t66;
											if(_t66 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											__eflags = _v558 - _t119;
											if(_v558 == _t119) {
												goto L37;
											} else {
												__eflags = _v558 - _t64;
												if(_v558 != _t64) {
													goto L36;
												} else {
													__eflags = _v556 - _t119;
													if(_v556 == _t119) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t71 = FindNextFileW(_t127,  &_v604);
										_t104 = _v608;
										__eflags = _t71;
										_t64 = 0x2e;
									} while (_t71 != 0);
									_t72 = _t104;
									_t107 = _v616;
									_t113 =  *_t72;
									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
									__eflags = _t107 - _t75;
									if(_t107 != _t75) {
										E35014D30(_t90, _t119, _t127, _t113 + _t107 * 4, _t75 - _t107, 4, E350123AE);
									}
								} else {
									_push(_v608);
									_t66 = E35012593(_t90, _t103, _t119, _t127, _t90, _t119, _t119);
									L26:
									_t119 = _t66;
								}
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									FindClose(_t127);
								}
							} else {
								__eflags = _t100 -  &(_t90[1]);
								if(_t100 ==  &(_t90[1])) {
									goto L19;
								} else {
									_push(_t111);
									E35012593(_t90, _t100, 0, _t126, _t90, 0, 0);
								}
							}
							__eflags = _v12 ^ _t132;
							return E3500E5DB(_v12 ^ _t132);
						} else {
							goto L6;
						}
					}
				} else {
					_t84 = 0xc;
					L8:
					return _t84;
				}
				L40:
			}

0x35012598
0x35012599
0x3501259c
0x3501259d
0x350125a0
0x350125a0
0x350125a3
0x350125a3
0x350125a6
0x350125a9
0x350125ae
0x350125b8
0x350125bb
0x350125c0
0x350125c7
0x350125c8
0x350125cb
0x350125d5
0x350125d8
0x350125d9
0x350125db
0x350125ef
0x350125ef
0x350125f2
0x350125fc
0x35012601
0x35012604
0x35012606
0x00000000
0x35012608
0x3501260c
0x35012615
0x3501261b
0x00000000
0x3501261d
0x350125dd
0x350125dd
0x350125e3
0x350125e8
0x350125eb
0x350125ed
0x35012624
0x35012626
0x35012627
0x35012628
0x35012629
0x3501262a
0x3501262b
0x35012630
0x35012634
0x35012636
0x3501263c
0x35012643
0x35012646
0x35012649
0x3501264c
0x3501264d
0x35012650
0x35012651
0x35012654
0x35012657
0x3501265d
0x35012667
0x35012683
0x35012683
0x35012685
0x00000000
0x00000000
0x3501266a
0x3501266d
0x35012674
0x35012676
0x35012679
0x3501267b
0x3501267e
0x35012680
0x35012680
0x00000000
0x35012680
0x3501267e
0x35012679
0x00000000
0x35012674
0x35012687
0x3501268a
0x3501268d
0x350126a9
0x350126ab
0x350126ad
0x350126af
0x350126b0
0x350126b3
0x350126c9
0x350126cb
0x350126cb
0x350126b5
0x350126b7
0x350126b8
0x350126bb
0x00000000
0x350126bd
0x350126bf
0x350126c0
0x350126c3
0x00000000
0x350126c5
0x350126c5
0x350126c5
0x350126c3
0x350126bb
0x350126d3
0x350126db
0x350126df
0x350126ed
0x350126f2
0x35012707
0x35012709
0x3501270c
0x35012741
0x3501274c
0x3501274c
0x35012751
0x35012757
0x35012758
0x35012758
0x3501275f
0x3501277c
0x3501277c
0x3501278b
0x35012790
0x35012793
0x35012795
0x00000000
0x00000000
0x00000000
0x00000000
0x35012761
0x35012761
0x35012768
0x00000000
0x3501276a
0x3501276a
0x35012771
0x00000000
0x35012773
0x35012773
0x3501277a
0x00000000
0x00000000
0x00000000
0x00000000
0x3501277a
0x35012771
0x35012768
0x00000000
0x35012797
0x3501279f
0x350127a5
0x350127ab
0x350127af
0x350127af
0x350127b2
0x350127b4
0x350127ba
0x350127c1
0x350127c4
0x350127c6
0x350127da
0x350127df
0x3501270e
0x35012714
0x35012718
0x35012720
0x35012720
0x35012720
0x35012722
0x35012725
0x35012728
0x35012728
0x3501268f
0x35012692
0x35012694
0x00000000
0x35012696
0x35012696
0x3501269c
0x350126a1
0x35012694
0x35012735
0x35012740
0x00000000
0x00000000
0x00000000
0x350125ed
0x350125c2
0x350125c4
0x3501261e
0x35012623
0x35012623
0x00000000

Strings

/, xrefs: 3501265D

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 0183239ccd17daf80cb388206c410d6a07fe3ad3e33c625dfb95c034e53d4226
Instruction ID: 6db3704be8b142cdd0ade29d92b3d92abc96c60d35eb358df2a1f56619b96c48
Opcode Fuzzy Hash: 0183239ccd17daf80cb388206c410d6a07fe3ad3e33c625dfb95c034e53d4226
Instruction Fuzzy Hash: 6A413A7DA0021A6FDB149FBAEC88EAB77B9FB84354F5041A8FD05D7180E6729B41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 35017755, Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E35017755(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E350154AF(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E35015415(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x35017763
0x3501776a
0x3501776f
0x35017775
0x35017778
0x3501777e
0x35017783
0x35017788
0x35017788
0x3501778e
0x35017793
0x35017798
0x35017798
0x3501779f
0x350177a4
0x350177a9
0x350177a9
0x350177b0
0x350177b5
0x350177ba
0x350177ba
0x350177c1
0x350177c6
0x350177cb
0x350177cb
0x350177d3
0x350177e3
0x350177f5
0x35017807
0x3501781a
0x3501782c
0x35017834
0x35017839
0x3501783e
0x3501783e
0x35017845
0x3501784a
0x3501784a
0x35017851
0x35017856
0x35017856
0x3501785d
0x35017862
0x35017862
0x35017869
0x3501786e
0x3501786e
0x35017878
0x3501787a
0x350178b4
0x3501787c
0x35017881
0x350178a5
0x350178ad
0x350178a1
0x350178a1
0x350178b7
0x350178be
0x350178c0
0x350178e2
0x350178ea
0x350178ed
0x350178ed
0x350178ef
0x350178ef
0x350178fa
0x35017900
0x35017905
0x3501790c
0x35017946
0x35017951
0x35017957
0x3501795a
0x3501795d
0x35017969
0x35017971
0x3501790e
0x35017911
0x3501791d
0x35017923
0x35017929
0x3501792c
0x35017935
0x35017935
0x35017974
0x35017982
0x35017988
0x3501798f
0x35017991
0x35017991
0x35017998
0x3501799a
0x3501799a
0x350179a1
0x350179a3
0x350179a3
0x350179aa
0x350179ac
0x350179ac
0x350179b3
0x350179b5
0x350179b5
0x350179c2
0x350179c5
0x350179fc
0x350179c7
0x350179c7
0x350179ca
0x350179f5
0x350179ea
0x350179ea
0x350179fe
0x35017a06
0x35017a09
0x35017a28
0x35017a2d
0x35017a2d
0x35017a2f
0x35017a34
0x35017a40
0x35017a36
0x35017a39
0x35017a39
0x35017a45
0x35017a45
0x35017a0b
0x35017a0e
0x35017a1d
0x00000000
0x35017a1d
0x35017a10
0x35017a13
0x35017a15
0x35017a15
0x00000000
0x35017a13
0x350179cc
0x350179cf
0x350179e5
0x00000000
0x350179e5
0x350179d4
0x350179d6
0x350179d6
0x350179d4
0x00000000
0x350179c5
0x350178c7
0x350178d5
0x350178dd
0x00000000
0x350178dd
0x350178cb
0x350178d0
0x350178d0
0x00000000
0x350178cb
0x35017888
0x35017896
0x3501789e
0x00000000
0x3501789e
0x3501788c
0x35017891
0x35017891
0x3501788c

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,35017750,?,?,00000008,?,?,350173F0,00000000), ref: 35017982

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 55ac5d9566ac172992a11bcd9480047c1f8ff98aa51d1dde477ad61b49b72e01
Instruction ID: 052206e625d2e742678feaa4cfadf240921335b4db8da4e232e251268f9a564b
Opcode Fuzzy Hash: 55ac5d9566ac172992a11bcd9480047c1f8ff98aa51d1dde477ad61b49b72e01
Instruction Fuzzy Hash: D9B17C79610608DFE705CF28D486B547BE0FF45364F658698EC9ACF2A2C736EA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 3500E31A, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E3500E31A() {

				return SetUnhandledExceptionFilter(E3500E326);
			}

0x3500e325

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E326,3500DCCE), ref: 3500E31F

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 721230703d49807b7d963db3f8141deac540b065f23f9fde6472140b42b96465
Instruction ID: 5fdfec83f4d7a9fad39c035f195b8b3129ec35469a2a65c95bfa9a947321522a
Opcode Fuzzy Hash: 721230703d49807b7d963db3f8141deac540b065f23f9fde6472140b42b96465
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 35013F9E, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E35013F9E() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x3502aefc = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x35013f9e
0x35013fa6
0x35013fae

APIs

GetProcessHeap.KERNEL32 ref: 35013F9E

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6ce8fabec0f71d34eb9dc0adbd5a4a386b3e3976ededef25a0d04d3f7726b5a3
Instruction ID: 9c974ec53546dd79d2679431e0e8f705bfce7e8cde00fe23c0c494ec4c0bad89
Opcode Fuzzy Hash: 6ce8fabec0f71d34eb9dc0adbd5a4a386b3e3976ededef25a0d04d3f7726b5a3
Instruction Fuzzy Hash: 2CA012305103018F4B004E32510820836A4A74558031880546401E0500DE6240C34F01

Uniqueness

Uniqueness Score: -1.00%

Function 350156CE, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E350156CE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t135;
				signed int _t136;
				void* _t137;

				_t78 =  *0x350228f8; // 0x43699f2c
				_v8 = _t78 ^ _t136;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t116 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x3502acf0 + _t118 * 4)) + _t116 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t135 = _a4;
				_v60 = _t86;
				 *_t135 = 0;
				 *((intOrPtr*)(_t135 + 4)) = 0;
				 *((intOrPtr*)(_t135 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x3502acf0 + _v48 * 4));
					_t123 =  *(_t129 + _t116 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E350116E5(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x3502acf0 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x3502acf0 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x3502acf0 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
							} else {
								_t112 = E350149C2( &_v28, _t133, 2);
								_t137 = _t137 + 0xc;
								if(_t112 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t116 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E350149C2();
						_t137 = _t137 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, "true", 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t135 = GetLastError();
								} else {
									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E3500E5DB(_v8 ^ _t136);
			}

0x350156d6
0x350156dd
0x350156e0
0x350156e8
0x350156ec
0x350156f8
0x350156fb
0x350156fe
0x35015705
0x3501570d
0x35015710
0x35015716
0x3501571c
0x35015721
0x35015723
0x35015726
0x3501572b
0x35015735
0x3501573c
0x3501573f
0x35015746
0x3501574d
0x35015779
0x3501579f
0x350157a1
0x00000000
0x3501577b
0x3501577e
0x35015845
0x35015851
0x3501585c
0x35015861
0x35015784
0x3501578b
0x35015790
0x35015796
0x3501579c
0x00000000
0x3501579c
0x35015796
0x3501577e
0x3501574f
0x35015753
0x35015756
0x3501575c
0x3501575e
0x35015761
0x35015765
0x350157a2
0x350157a5
0x350157a6
0x350157ab
0x350157b1
0x350157b7
0x350157c6
0x350157cc
0x350157d2
0x350157d7
0x350157f3
0x35015866
0x3501586c
0x350157f5
0x350157fd
0x35015806
0x3501580c
0x00000000
0x3501580e
0x35015810
0x35015813
0x3501582c
0x00000000
0x3501582e
0x35015832
0x35015834
0x35015837
0x00000000
0x35015837
0x35015832
0x3501582c
0x3501580c
0x35015806
0x350157f3
0x350157d7
0x350157b1
0x00000000
0x3501583a
0x3501583a
0x3501586e
0x35015880

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,35015E43,?,00000000,?,00000000,00000000), ref: 35015710
__fassign.LIBCMT ref: 3501578B
__fassign.LIBCMT ref: 350157A6
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,00000000), ref: 350157CC
WriteFile.KERNEL32(?,?,00000000,35015E43,00000000,?,?,?,?,?,?,?,?,?,35015E43,?), ref: 350157EB
WriteFile.KERNEL32(?,?,00000001,35015E43,00000000,?,?,?,?,?,?,?,?,?,35015E43,?), ref: 35015824

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fb209abdda784d589e6b4ca3bf22124c4c0b4869ca6ad8465bed0c0039b810c4
Instruction ID: c24473b279848fc30f5744cff8fb360864e6e4020052cf49dd9f8dcb81084c36
Opcode Fuzzy Hash: fb209abdda784d589e6b4ca3bf22124c4c0b4869ca6ad8465bed0c0039b810c4
Instruction Fuzzy Hash: 6851B478A002459FDB00CFA4E881AEEBBF5FF18710F14415AE956F7281EB719641CF61

Uniqueness

Uniqueness Score: -1.00%

Function 350118A2, Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E350118A2(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				short* _t101;
				int _t103;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x350228f8; // 0x43699f2c
				_v8 = _t49 ^ _t106;
				_push(__esi);
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E35014B3E(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					return E3500E5DB(_v8 ^ _t106);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E35011B0A(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E350120AB(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E35011B0A(_t101);
									goto L36;
								}
								_t62 = E350120AB(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E35011B0A(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E3501103F(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E35017F80();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E350120AB(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E3501103F(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E35017F80();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x350118a7
0x350118a8
0x350118a9
0x350118b0
0x350118b4
0x350118b5
0x350118bb
0x350118c1
0x350118c7
0x350118ca
0x350118ca
0x350118cd
0x350118cf
0x350118cf
0x350118cd
0x350118d1
0x350118d6
0x350118dd
0x350118e0
0x350118e0
0x350118fc
0x35011902
0x35011907
0x35011a9a
0x35011aad
0x3501190d
0x3501190d
0x35011910
0x35011915
0x35011919
0x3501196d
0x3501196d
0x3501196f
0x35011971
0x35011a8f
0x35011a8f
0x35011a91
0x35011a92
0x00000000
0x35011a98
0x35011982
0x35011988
0x3501198a
0x00000000
0x00000000
0x35011990
0x350119a2
0x350119a7
0x350119ab
0x00000000
0x00000000
0x350119b8
0x350119f2
0x350119f5
0x350119f8
0x350119fa
0x350119fc
0x350119fe
0x35011a4a
0x35011a4a
0x35011a4c
0x35011a4c
0x35011a4e
0x35011a88
0x35011a89
0x00000000
0x35011a8e
0x35011a62
0x35011a67
0x35011a69
0x00000000
0x00000000
0x35011a6d
0x35011a6e
0x35011a6f
0x35011a72
0x35011aae
0x35011ab1
0x35011a74
0x35011a74
0x35011a75
0x35011a75
0x35011a82
0x35011a84
0x35011a86
0x35011ab7
0x00000000
0x00000000
0x00000000
0x00000000
0x35011a86
0x35011a00
0x35011a03
0x35011a05
0x35011a07
0x35011a09
0x35011a0c
0x35011a11
0x35011a2c
0x35011a2e
0x35011a38
0x35011a3a
0x35011a3b
0x35011a3d
0x00000000
0x00000000
0x35011a3f
0x35011a45
0x35011a45
0x00000000
0x35011a45
0x35011a13
0x35011a15
0x35011a19
0x35011a1e
0x35011a20
0x35011a22
0x00000000
0x00000000
0x35011a24
0x00000000
0x35011a24
0x350119ba
0x350119bf
0x00000000
0x00000000
0x350119c5
0x350119c7
0x00000000
0x00000000
0x350119de
0x350119e3
0x350119e7
0x00000000
0x00000000
0x00000000
0x350119ed
0x35011920
0x35011922
0x35011924
0x3501192c
0x3501194b
0x3501194d
0x35011957
0x35011959
0x3501195a
0x3501195c
0x00000000
0x00000000
0x35011962
0x35011968
0x35011968
0x00000000
0x35011968
0x35011930
0x35011934
0x35011939
0x3501193d
0x00000000
0x00000000
0x35011943
0x00000000
0x35011943

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,35011AF3,?,?,00000003), ref: 350118FC
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,?,?,?,35011AF3,?,?,00000003), ref: 35011982
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000003,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 35011A7C
__freea.LIBCMT ref: 35011A89

Part of subcall function 3501103F: HeapAlloc.KERNEL32(00000000,?,00000004,?,35015167,?,00000000,?,35013F7A,?,00000004,00000000,?,?,?,35010D0A), ref: 35011071

__freea.LIBCMT ref: 35011A92
__freea.LIBCMT ref: 35011AB7

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocHeap
String ID:
API String ID: 3147120248-0
Opcode ID: b363928003026e63c13a05783eee67d3811b8e740b4e02b3bf4bdb82c83bcae7
Instruction ID: 2163c32e41c917ae99f0f817a88c9325b1ab5a920b9f80903e25fa590e7a029e
Opcode Fuzzy Hash: b363928003026e63c13a05783eee67d3811b8e740b4e02b3bf4bdb82c83bcae7
Instruction Fuzzy Hash: A551E67A610356AEEB198E60EC40EAF3BFAFB44650F9146A8FD05D7140EB72DE40C752

Uniqueness

Uniqueness Score: -1.00%

Function 3500FCA5, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,3500FC56,00000003,?,3500FBF6,00000003,3501E070,0000000C,3500FD4D,00000003,00000002), ref: 3500FCC5
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 3500FCD8
FreeLibrary.KERNEL32(00000000,?,?,?,3500FC56,00000003,?,3500FBF6,00000003,3501E070,0000000C,3500FD4D,00000003,00000002,00000000), ref: 3500FCFB

Strings

CorExitProcess, xrefs: 3500FCD0
mscoree.dll, xrefs: 3500FCBE

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5e230ce3bdd230496745a70b6a8f79930ae950e090d1ffcaca4df18efb5c5fe2
Instruction ID: 82fdcd75ce45bdfddd9470f063fe21ce40b8eedb81c3c6049bea178be89e6534
Opcode Fuzzy Hash: 5e230ce3bdd230496745a70b6a8f79930ae950e090d1ffcaca4df18efb5c5fe2
Instruction Fuzzy Hash: 53F04478524219BFDB019BA0E949B9DBBB5FF08751F5144A4FC07B3140DF329A42DE91

Uniqueness

Uniqueness Score: -1.00%

Function 35013A78, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E35013A78(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t69;
				signed int _t70;
				short* _t71;

				_t34 =  *0x350228f8; // 0x43699f2c
				_v8 = _t34 ^ _t70;
				E3500F607(__ebx,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t53 =  *(_v24 + 8);
					_t57 = _t53;
					_a24 = _t53;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E3500E5DB(_v8 ^ _t70);
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x10f
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t69 = 0;
					L11:
					if(_t69 != 0) {
						E3500CC80(_t69, _t67, _t55);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
						if(_t46 != 0) {
							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
						}
					}
					L14:
					E35011B0A(_t69);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x10f
				asm("sbb eax, eax");
				_t48 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x10f
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t69 = E3501103F(_t63, _t48 & _t63);
					if(_t69 == 0) {
						goto L14;
					}
					 *_t69 = 0xdddd;
					L9:
					_t69 =  &(_t69[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E35017F80();
				_t69 = _t71;
				if(_t69 == 0) {
					goto L14;
				}
				 *_t69 = 0xcccc;
				goto L9;
			}

0x35013a80
0x35013a87
0x35013a93
0x35013a98
0x35013a9d
0x35013aa2
0x35013aa5
0x35013aa7
0x35013aa7
0x35013aac
0x35013ac5
0x35013acb
0x35013ad0
0x35013b6f
0x35013b73
0x35013b78
0x35013b78
0x35013b94
0x35013b94
0x35013ad6
0x35013ad9
0x35013ade
0x35013ae2
0x35013b2e
0x35013b30
0x35013b32
0x35013b37
0x35013b4e
0x35013b56
0x35013b66
0x35013b66
0x35013b56
0x35013b68
0x35013b69
0x00000000
0x35013b6e
0x35013ae4
0x35013ae9
0x35013aeb
0x35013aed
0x35013aed
0x35013af5
0x35013b12
0x35013b1c
0x35013b21
0x00000000
0x00000000
0x35013b23
0x35013b29
0x35013b29
0x00000000
0x35013b29
0x35013af9
0x35013afd
0x35013b02
0x35013b06
0x00000000
0x00000000
0x35013b08
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000107,00000000,?,00000001,00000000,00000000,?,?,00000107,3500F7B4,00000001,?,?,00000001,?,3500F826), ref: 35013AC5
MultiByteToWideChar.KERNEL32(00000107,00000001,?,00000001,00000000,00000001,?,?,00000107,3500F7B4,00000001,?,?,00000001,?,3500F826), ref: 35013B4E
GetStringTypeW.KERNEL32(?,00000000,00000000,3500F7B4,?,?,00000107,3500F7B4,00000001,?,?,00000001,?,3500F826,00000107,?), ref: 35013B60
__freea.LIBCMT ref: 35013B69

Part of subcall function 3501103F: HeapAlloc.KERNEL32(00000000,?,00000004,?,35015167,?,00000000,?,35013F7A,?,00000004,00000000,?,?,?,35010D0A), ref: 35011071

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ByteCharMultiWide$AllocHeapStringType__freea
String ID:
API String ID: 573072132-0
Opcode ID: 3c260f152014c3cd71b206d9219e8a3d6617e2951a693a530221a201484b45a6
Instruction ID: 9152acde5e1518218b3a8762608a7092c647da57b88e1aba40dd92453bede919
Opcode Fuzzy Hash: 3c260f152014c3cd71b206d9219e8a3d6617e2951a693a530221a201484b45a6
Instruction Fuzzy Hash: C731C0BAA1020AABDB158F74ED81DEF3BB5FB40650F4002A8FD05D7190EB36DA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 35011E73, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E35011E73(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x3502abe0 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x3501aa90 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x43699f2d
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x35011e78
0x35011e7c
0x35011e83
0x35011e87
0x35011e95
0x35011eab
0x35011eaf
0x35011ed8
0x35011eda
0x35011ede
0x35011ee1
0x35011ee1
0x35011ee7
0x35011ee9
0x00000000
0x35011eea
0x35011eb1
0x35011eba
0x35011ec9
0x35011ebc
0x35011ebf
0x35011ec5
0x35011ec5
0x35011ecd
0x00000000
0x35011ecf
0x35011ed2
0x35011ed4
0x00000000
0x35011ed4
0x35011ecd
0x35011e89
0x35011e8e
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,35011E1A,00000000,00000000,00000000,00000000,?,35012017,00000006,FlsSetValue), ref: 35011EA5
GetLastError.KERNEL32(?,35011E1A,00000000,00000000,00000000,00000000,?,35012017,00000006,FlsSetValue,3501AF48,3501AF50,00000000,00000364,?,3501160E), ref: 35011EB1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,35011E1A,00000000,00000000,00000000,00000000,?,35012017,00000006,FlsSetValue,3501AF48,3501AF50,00000000), ref: 35011EBF

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: d4b87ccdf4485cad9bbe24aa3ae87242f27b5a5ca1a4d1284dc322f96c9a895b
Instruction ID: 5afaf8a9c19edeaec032985d97870c9a2b67fcfbac91f623d49ca9142914f4e6
Opcode Fuzzy Hash: d4b87ccdf4485cad9bbe24aa3ae87242f27b5a5ca1a4d1284dc322f96c9a895b
Instruction Fuzzy Hash: 9301F53E621322AFD7168DF9FC44E8777E8AF08AA0B100560FD06E3140DB23C602C6E6

Uniqueness

Uniqueness Score: -1.00%

Function 3501153C, Relevance: 6.0, APIs: 4, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E3501153C(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x35022924; // 0x2
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E350110D0(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E35011FF0(_t25, _t36, __eflags,  *0x35022924, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E350113AE(_t25, _t31, 0x3502aa94);
							E35011005(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E35011005();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E3501108D(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x35022924; // 0x2
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E350110D0(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E35011FF0(_t27, _t37, __eflags,  *0x35022924, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E350113AE(_t27, _t32, 0x3502aa94);
									E35011005(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E35011005();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E35011F9A(_t25, _t37, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E35011F9A(_t23, _t36, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x3501153c
0x3501153c
0x3501153c
0x35011546
0x35011548
0x3501154d
0x35011550
0x3501155e
0x35011565
0x3501156a
0x3501156d
0x35011570
0x35011582
0x35011587
0x35011589
0x35011594
0x3501159b
0x350115a0
0x350115a3
0x350115a5
0x00000000
0x00000000
0x00000000
0x00000000
0x3501158b
0x3501158b
0x00000000
0x3501158b
0x35011572
0x35011572
0x35011573
0x35011573
0x35011578
0x350115b3
0x350115b4
0x350115ba
0x350115bf
0x350115c2
0x350115c3
0x350115c4
0x350115cb
0x350115cd
0x350115cf
0x350115d4
0x350115d7
0x350115e5
0x350115f1
0x350115f4
0x350115f7
0x35011609
0x3501160e
0x35011610
0x3501161b
0x35011621
0x35011629
0x3501162b
0x00000000
0x00000000
0x00000000
0x00000000
0x35011612
0x35011612
0x00000000
0x35011612
0x350115f9
0x350115f9
0x350115fa
0x350115fa
0x3501162d
0x3501162e
0x3501162e
0x350115d9
0x350115df
0x350115e3
0x35011636
0x35011637
0x3501163d
0x00000000
0x00000000
0x00000000
0x350115e3
0x35011644
0x35011644
0x35011552
0x35011558
0x3501155c
0x350115a7
0x350115a8
0x350115b2
0x00000000
0x00000000
0x00000000
0x3501155c

APIs

GetLastError.KERNEL32(?,?,35010FDA,3501E0F8,0000000C,3500E366), ref: 35011540
SetLastError.KERNEL32(00000000), ref: 350115A8
SetLastError.KERNEL32(00000000), ref: 350115B4
_abort.LIBCMT ref: 350115BA

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 0f287474e4161ce5a5d4078c8e418205cb32e42c1bac0a85d22ddf9256a5b659
Instruction ID: b1675671f5664fda7cd8bb914803ab694c0e304d08791b0532bdc80c8739b47a
Opcode Fuzzy Hash: 0f287474e4161ce5a5d4078c8e418205cb32e42c1bac0a85d22ddf9256a5b659
Instruction Fuzzy Hash: FBF0863EB08685AAD70F5674FE05B1A36B7AFD56A1B220594FD16A2180EF6387035123

Uniqueness

Uniqueness Score: -1.00%

Function 3500EE56, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E3500EE56() {
				void* _t4;
				void* _t8;

				E3500F4A5();
				E3500F439();
				if(E3500F199() != 0) {
					_t4 = E3500F14B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E3500F1D5();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x3500ee56
0x3500ee5b
0x3500ee67
0x3500ee6c
0x3500ee71
0x3500ee73
0x3500ee7e
0x3500ee75
0x3500ee75
0x00000000
0x3500ee75
0x3500ee69
0x3500ee69
0x3500ee6b
0x3500ee6b

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 3500EE56
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 3500EE5B
___vcrt_initialize_locks.LIBVCRUNTIME ref: 3500EE60

Part of subcall function 3500F199: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 3500F1AA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 3500EE75

Memory Dump Source

Source File: 00000000.00000002.217126058.000000003500C000.00000020.00020000.sdmp, Offset: 35000000, based on PE: true

Associated: 00000000.00000002.217106555.0000000035000000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217109610.0000000035002000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217113234.0000000035004000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217116503.0000000035006000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217119478.0000000035008000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217122613.000000003500A000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.217135653.0000000035019000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217139047.000000003501D000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.217142134.000000003501F000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.217145363.0000000035022000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.217148176.000000003502A000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_35000000_executable.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 8c67abd60f9a6ca8c6b1d0b004b65b0f0d130c5a0190c72de743de95ecb48f1a
Instruction ID: 31c58eb4d88e0ddef436963cf016af817b16956068048b8eb3ec4e4a4f2d26cb
Opcode Fuzzy Hash: 8c67abd60f9a6ca8c6b1d0b004b65b0f0d130c5a0190c72de743de95ecb48f1a
Instruction Fuzzy Hash: 18C0016834838A503C906EB0B3109DE53BA2AB6AD4BA814C58CA0274029B87000A3E22

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report executable.3496.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: executable.3496.exe PID: 6332 Parent PID: 3352

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Registry Activities