Edit tour

Windows Analysis Report
NFeNFCe.msi

Overview

General Information

Sample Name:	NFeNFCe.msi
Analysis ID:	813983
MD5:	4de4b3f5e51dd6957ef3044baba3db7c
SHA1:	e92941ce86e4b573154b509a72bab2442b8257c4
SHA256:	b65345186c0259851a4c3fa827bf8616b6b98dd04f3e427888378b751e929dd5
Tags:	msi
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Overwrites code with function prologues

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Creates a start menu entry (Start Menu\Programs\Startup)

PE file contains more sections than normal

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 1236 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NFeNFCe.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5092 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5748 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F976ACED0B98CECA5DED949820F67829 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

Transfer.exe (PID: 1900 cmdline: C:\Users\user\AppData\Roaming\Transfer.exe MD5: E04F15D35A1807C4D74D2538D5FE28C9)

Transfer.exe (PID: 1416 cmdline: "C:\Users\user\AppData\Roaming\Transfer.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\drivespan.dll

Joe Sandbox ML: detected

Source:	Binary string: c:\builds\workspace\Applications\Transfer_common\src\Release\Transfer.pdb source: Transfer.exe, 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000003.00000000.325846732.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000004.00000002.440480411.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000004.00000000.398793827.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A475CA FindFirstFileExW,

3_2_00A475CA

Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Transfer.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Transfer.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Transfer.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Transfer.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Transfer.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Transfer.exe, 00000003.00000002.577353515.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000003.432756248.0000000002750000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.nero.com
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Transfer.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Transfer.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://feliz2023.correio.biz/pipoca/postUP.php
Source: Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: https://rentry.co/e6oicv/raw
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown

DNS traffic detected: queries for: feliz2023.correio.biz

Source: Transfer.exe, 00000003.00000002.577187631.000000000115A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file contains section with special chars

Source: drivespan.dll.1.dr	Static PE information: section name: ."NA
Source: drivespan.dll.1.dr	Static PE information: section name: .@#D

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5B40.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\6953fd.msi

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A4CD15

3_2_00A4CD15

Source: NFeNFCe.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs NFeNFCe.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Section loaded: libeay32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Section loaded: security.dll	Jump to behavior

Source: drivespan.dll.1.dr

Static PE information: Number of sections : 12 > 10

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Transfer.exe 7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI5B40.tmp FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NFeNFCe.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F976ACED0B98CECA5DED949820F67829
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Transfer.exe C:\Users\user\AppData\Roaming\Transfer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Transfer.exe "C:\Users\user\AppData\Roaming\Transfer.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F976ACED0B98CECA5DED949820F67829	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\Transfer.exe C:\Users\user\AppData\Roaming\Transfer.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: Transfer.exe.lnk.3.dr

LNK file: ..\..\..\..\..\Transfer.exe

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\acrobat pdf

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF0CACAD3964164C30.TMP

Jump to behavior

Source: classification engine

Classification label: mal76.evad.winMSI@7/25@1/1

Source: C:\Users\user\AppData\Roaming\Transfer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A41510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00A41510

Source: NFeNFCe.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Mutant created: \Sessions\1\BaseNamedObjects\B9297DB4-C17F-42DD-B67C-7A713E42F839

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Command line argument: -Restart	3_2_00A417A0
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Command line argument: drivespan.dll	3_2_00A417A0
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Command line argument: drivespan.dll	3_2_00A417A0
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Command line argument: run	3_2_00A417A0

Source: C:\Users\user\AppData\Roaming\Transfer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Window found: window name: TEdit

Jump to behavior

Source: NFeNFCe.msi

Static file information: File size 18899456 > 1048576

Source:	Binary string: c:\builds\workspace\Applications\Transfer_common\src\Release\Transfer.pdb source: Transfer.exe, 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000003.00000000.325846732.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000004.00000002.440480411.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe, 00000004.00000000.398793827.0000000000A4F000.00000002.00000001.01000000.00000003.sdmp, Transfer.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A43016 push ecx; ret

3_2_00A43029

Source: drivespan.dll.1.dr	Static PE information: section name: .didata
Source: drivespan.dll.1.dr	Static PE information: section name: ."NA
Source: drivespan.dll.1.dr	Static PE information: section name: .LmE
Source: drivespan.dll.1.dr	Static PE information: section name: .@#D

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A41000 SHGetFolderPathW,PathFileExistsW,PathFileExistsW,PathFileExistsW,MoveFileExW,PathFileExistsW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_00A41000

Source: initial sample

Static PE information: section where entry point is pointing to: .@#D

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Transfer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E31.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D06.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\drivespan.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B40.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5E31.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D06.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Transfer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F10005 value: E9 FB 99 E5 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 77D69A00 value: E9 0A 66 1A 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F30007 value: E9 7B 4C E7 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 77DA4C80 value: E9 8E B3 18 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F40005 value: E9 FB BF DF 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 77D3C000 value: E9 0A 40 20 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F60008 value: E9 AB E0 E1 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 77D7E0B0 value: E9 60 1F 1E 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F70005 value: E9 CB 5A 66 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 775D5AD0 value: E9 3A A5 99 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F80005 value: E9 5B B0 67 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 775FB060 value: E9 AA 4F 98 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: F90005 value: E9 DB F8 B9 73	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 74B2F8E0 value: E9 2A 07 46 8C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: FA0005 value: E9 FB 42 BB 73	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1900 base: 74B54300 value: E9 0A BD 44 8C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 710005 value: E9 FB 99 65 77	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 77D69A00 value: E9 0A 66 9A 88	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 720007 value: E9 7B 4C 68 77	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 77DA4C80 value: E9 8E B3 97 88	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 730005 value: E9 FB BF 60 77	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 77D3C000 value: E9 0A 40 9F 88	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 750008 value: E9 AB E0 62 77	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 77D7E0B0 value: E9 60 1F 9D 88	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 760005 value: E9 CB 5A E7 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 775D5AD0 value: E9 3A A5 18 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 770005 value: E9 5B B0 E8 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 775FB060 value: E9 AA 4F 17 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 980005 value: E9 DB F8 1A 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 74B2F8E0 value: E9 2A 07 E5 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 990005 value: E9 FB 42 1C 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 74B54300 value: E9 0A BD E3 8B	Jump to behavior

Overwrites code with function prologues

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 77D3C000 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 775D5AD0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 775FB060 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 74B2F8E0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Memory written: PID: 1416 base: 74B54300 value: 8B FF 55 8B EC	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Transfer.exe, 00000004.00000002.440382936.0000000000788000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Special instruction interceptor: First address: 000000006BDDA999 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Special instruction interceptor: First address: 000000006BD964AD instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006BCCE849 second address: 000000006BCCE853 instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 clc 0x00000005 shr eax, 0Fh 0x00000008 xor bl, cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006CAAEC45 second address: 000000006BD80A3D instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 push ecx 0x00000004 jmp 00007F2AFFDB27BBh 0x00000009 mov esi, dword ptr [esp+28h] 0x0000000d rcr edi, 08h 0x00000010 ror esi, 03h 0x00000013 rol bx, cl 0x00000016 not esi 0x00000018 cmc 0x00000019 ror esi, 02h 0x0000001c cwde 0x0000001d movsx bx, dh 0x00000021 movsx ebx, ax 0x00000024 inc esi 0x00000025 not dh 0x00000027 ror ebp, FFFFFFA4h 0x0000002a movzx edi, bx 0x0000002d bswap esi 0x0000002f cmc 0x00000030 rcl bl, cl 0x00000032 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006CB5016A second address: 000000006CB5017C instructions: 0x00000000 rdtsc 0x00000002 cmovnle edx, eax 0x00000005 pushfd 0x00000006 sbb eax, 5BFA255Bh 0x0000000b push ebx 0x0000000c add si, 3567h 0x00000011 stc 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006BDC1814 second address: 000000006BDC1818 instructions: 0x00000000 rdtsc 0x00000002 pop esi 0x00000003 lahf 0x00000004 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006AE1C818 second address: 0000000069FDD39A instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 push ecx 0x00000004 jmp 00007F2AFFBB3F85h 0x00000009 mov esi, dword ptr [esp+28h] 0x0000000d rcr edi, 08h 0x00000010 ror esi, 03h 0x00000013 rol bx, cl 0x00000016 not esi 0x00000018 cmc 0x00000019 ror esi, 02h 0x0000001c cwde 0x0000001d movsx bx, dh 0x00000021 movsx ebx, ax 0x00000024 inc esi 0x00000025 not dh 0x00000027 ror ebp, FFFFFFA4h 0x0000002a movzx edi, bx 0x0000002d bswap esi 0x0000002f cmc 0x00000030 rcl bl, cl 0x00000032 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006B6FF680 second address: 000000006B6FF68A instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 clc 0x00000005 shr eax, 0Fh 0x00000008 xor bl, cl 0x0000000a rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006AAA5C0F second address: 000000006AAA5C21 instructions: 0x00000000 rdtsc 0x00000002 cmovnle edx, eax 0x00000005 pushfd 0x00000006 sbb eax, 5BFA255Bh 0x0000000b push ebx 0x0000000c add si, 3567h 0x00000011 stc 0x00000012 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006A0A23C2 second address: 000000006B554797 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 cmp ah, FFFFFFEEh 0x00000006 lea edi, dword ptr [edi-00000008h] 0x0000000c clc 0x0000000d cmc 0x0000000e cmp di, 1EC7h 0x00000013 mov dword ptr [edi], edx 0x00000015 ror dl, FFFFFFEDh 0x00000018 rol dh, FFFFFFBBh 0x0000001b mov dword ptr [edi+04h], eax 0x0000001e adc dl, 0000003Fh 0x00000021 bswap dx 0x00000024 mov edx, dword ptr [ebp+00h] 0x00000028 cmp esi, 174417F7h 0x0000002e jmp 00007F2B0214C702h 0x00000033 lea ebp, dword ptr [ebp+00000004h] 0x00000039 stc 0x0000003a test si, dx 0x0000003d cmc 0x0000003e xor edx, ebx 0x00000040 test edi, 30BD7C4Eh 0x00000046 cmp ah, FFFFFFAFh 0x00000049 neg edx 0x0000004b inc edx 0x0000004c ror edx, 02h 0x0000004f stc 0x00000050 cmp ah, bh 0x00000052 add edx, 2FC63096h 0x00000058 test al, 7Ch 0x0000005a test si, si 0x0000005d xor ebx, edx 0x0000005f test dl, 00000005h 0x00000062 cmc 0x00000063 add esi, edx 0x00000065 jmp 00007F2AFF9B42D5h 0x0000006a jmp 00007F2B012BB8BFh 0x0000006f lea edx, dword ptr [esp+60h] 0x00000073 clc 0x00000074 test sp, 3D1Ch 0x00000079 cmp edi, edx 0x0000007b ja 00007F2AFFB96365h 0x00000081 jmp esi 0x00000083 mov ecx, dword ptr [edi] 0x00000085 inc edx 0x00000086 movzx eax, sp 0x00000089 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 0000000069EC2481 second address: 000000006AAA5C0F instructions: 0x00000000 rdtsc 0x00000002 movzx ax, cl 0x00000006 pop ebp 0x00000007 jmp 00007F2B00BCAB01h 0x0000000c pop ebx 0x0000000d movsx eax, ax 0x00000010 pop esi 0x00000011 cmovne edi, esp 0x00000014 cwde 0x00000015 pop edi 0x00000016 xchg ah, cl 0x00000018 pop ecx 0x00000019 setnb dl 0x0000001c lahf 0x0000001d pop edx 0x0000001e jmp 00007F2B00840F1Bh 0x00000023 pop eax 0x00000024 jmp 00007F2B0039C432h 0x00000029 ret 0x0000002a call 00007F2B0082FE95h 0x0000002f push ebp 0x00000030 pushfd 0x00000031 mov ebp, 33616804h 0x00000036 mov dword ptr [esp+08h], 66DA69C3h 0x0000003e mov ebp, dword ptr [esp+ebp*2-66C2D004h] 0x00000045 call 00007F2B0199AAC8h 0x0000004a add dword ptr [esp+00h], 0073CC21h 0x00000052 ret 0x00000053 push dword ptr [esp+00h] 0x00000057 popfd 0x00000058 lea esp, dword ptr [esp+08h] 0x0000005c call 00007F2B001A5B47h 0x00000061 push ebp 0x00000062 jmp 00007F2B00E43E0Dh 0x00000067 push edx 0x00000068 xchg dx, dx 0x0000006b push edi 0x0000006c bswap di 0x0000006f push eax 0x00000070 cbw 0x00000072 push esi 0x00000073 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006CAAEC45 second address: 000000006BD80A3D instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 push ecx 0x00000004 jmp 00007F2AFFCC51FBh 0x00000009 mov esi, dword ptr [esp+28h] 0x0000000d rcr edi, 08h 0x00000010 ror esi, 03h 0x00000013 rol bx, cl 0x00000016 not esi 0x00000018 cmc 0x00000019 ror esi, 02h 0x0000001c cwde 0x0000001d movsx bx, dh 0x00000021 movsx ebx, ax 0x00000024 inc esi 0x00000025 not dh 0x00000027 ror ebp, FFFFFFA4h 0x0000002a movzx edi, bx 0x0000002d bswap esi 0x0000002f cmc 0x00000030 rcl bl, cl 0x00000032 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006AE1C818 second address: 0000000069FDD39A instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 push ecx 0x00000004 jmp 00007F2AFFCA1545h 0x00000009 mov esi, dword ptr [esp+28h] 0x0000000d rcr edi, 08h 0x00000010 ror esi, 03h 0x00000013 rol bx, cl 0x00000016 not esi 0x00000018 cmc 0x00000019 ror esi, 02h 0x0000001c cwde 0x0000001d movsx bx, dh 0x00000021 movsx ebx, ax 0x00000024 inc esi 0x00000025 not dh 0x00000027 ror ebp, FFFFFFA4h 0x0000002a movzx edi, bx 0x0000002d bswap esi 0x0000002f cmc 0x00000030 rcl bl, cl 0x00000032 rdtsc
Source: C:\Users\user\AppData\Roaming\Transfer.exe	RDTSC instruction interceptor: First address: 000000006A0A23C2 second address: 000000006B554797 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 cmp ah, FFFFFFEEh 0x00000006 lea edi, dword ptr [edi-00000008h] 0x0000000c clc 0x0000000d cmc 0x0000000e cmp di, 1EC7h 0x00000013 mov dword ptr [edi], edx 0x00000015 ror dl, FFFFFFEDh 0x00000018 rol dh, FFFFFFBBh 0x0000001b mov dword ptr [edi+04h], eax 0x0000001e adc dl, 0000003Fh 0x00000021 bswap dx 0x00000024 mov edx, dword ptr [ebp+00h] 0x00000028 cmp esi, 174417F7h 0x0000002e jmp 00007F2B0205F142h 0x00000033 lea ebp, dword ptr [ebp+00000004h] 0x00000039 stc 0x0000003a test si, dx 0x0000003d cmc 0x0000003e xor edx, ebx 0x00000040 test edi, 30BD7C4Eh 0x00000046 cmp ah, FFFFFFAFh 0x00000049 neg edx 0x0000004b inc edx 0x0000004c ror edx, 02h 0x0000004f stc 0x00000050 cmp ah, bh 0x00000052 add edx, 2FC63096h 0x00000058 test al, 7Ch 0x0000005a test si, si 0x0000005d xor ebx, edx 0x0000005f test dl, 00000005h 0x00000062 cmc 0x00000063 add esi, edx 0x00000065 jmp 00007F2AFF8C6D15h 0x0000006a jmp 00007F2B011CE2FFh 0x0000006f lea edx, dword ptr [esp+60h] 0x00000073 clc 0x00000074 test sp, 3D1Ch 0x00000079 cmp edi, edx 0x0000007b ja 00007F2AFFAA8DA5h 0x00000081 jmp esi 0x00000083 mov ecx, dword ptr [edi] 0x00000085 inc edx 0x00000086 movzx eax, sp 0x00000089 rdtsc

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A41510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00A41510

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5E31.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5D06.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Transfer.exe

API coverage: 4.6 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A475CA FindFirstFileExW,

3_2_00A475CA

Source: C:\Users\user\AppData\Roaming\Transfer.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: Transfer.exe, 00000003.00000002.577187631.0000000001189000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A42DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00A42DC9

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A41510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_00A41510

Source: C:\Users\user\AppData\Roaming\Transfer.exe

3_2_00A41000

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A49302 GetProcessHeap,

3_2_00A49302

Source: C:\Users\user\AppData\Roaming\Transfer.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A46268 mov eax, dword ptr fs:[00000030h]

3_2_00A46268

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\Transfer.exe C:\Users\user\AppData\Roaming\Transfer.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe	Code function: 3_2_00A42F17 SetUnhandledExceptionFilter,	3_2_00A42F17
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Code function: 3_2_00A42821 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00A42821
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Code function: 3_2_00A42DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A42DC9
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Code function: 3_2_00A455D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A455D7

Source: Transfer.exe, 00000003.00000002.577353515.000000000302F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER1
Source: Transfer.exe, 00000003.00000002.577353515.0000000002F68000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerperience Host\Transfer.exe
Source: Transfer.exe, 00000003.00000002.577353515.000000000302F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Transfer.exe, 00000003.00000002.577353515.000000000302F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER@
Source: Transfer.exe, 00000003.00000002.577353515.000000000302F000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Transfer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A4305C cpuid

3_2_00A4305C

Source: C:\Users\user\AppData\Roaming\Transfer.exe

Code function: 3_2_00A42CB2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00A42CB2

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	2 Command and Scripting Interpreter	2 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	1 System Time Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Input Capture	551 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	22 Virtualization/Sandbox Evasion	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	224 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NFeNFCe.msi	10%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\drivespan.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Transfer.exe	0%	ReversingLabs
C:\Windows\Installer\MSI5B40.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5D06.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5DC3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5E31.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://rentry.co/e6oicv/raw	0%	Avira URL Cloud	safe
https://feliz2023.correio.biz/pipoca/postUP.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
feliz2023.correio.biz	186.202.153.91	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.advancedinstaller.com	NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	false		high
https://rentry.co/e6oicv/raw	Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	Transfer.exe, 00000003.00000002.577353515.0000000002FC0000.00000004.00001000.00020000.00000000.sdmp, Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000003.432756248.0000000002750000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	Transfer.exe.1.dr	false		high
https://www.thawte.com/cps0/	NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	false		high
http://www.symauth.com/cps0(	Transfer.exe.1.dr	false		high
http://www.symauth.com/rpa00	Transfer.exe.1.dr	false		high
https://www.thawte.com/repository0W	NFeNFCe.msi, 6953fd.msi.1.dr, MSI5D06.tmp.1.dr	false		high
http://ocsp.thawte.com0	Transfer.exe.1.dr	false	URL Reputation: safe	unknown
http://www.nero.com	Transfer.exe.1.dr	false		high
https://feliz2023.correio.biz/pipoca/postUP.php	Transfer.exe, 00000003.00000002.577640433.0000000069881000.00000020.00000001.01000000.00000004.sdmp, Transfer.exe, 00000004.00000002.440566834.0000000069881000.00000020.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
186.202.153.91	feliz2023.correio.biz	Brazil		27715	LocawebServicosdeInternetSABR	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	813983
Start date and time:	2023-02-23 09:59:31 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	NFeNFCe.msi
Detection:	MAL
Classification:	mal76.evad.winMSI@7/25@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 100% (good quality ratio 91.7%) Quality average: 75% Quality standard deviation: 31.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: NFeNFCe.msi

Simulations

Behavior and APIs

Time	Type	Description
10:00:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LocawebServicosdeInternetSABR	fCzZcr3P7m.elf	Get hash	malicious	Mirai	Browse	191.252.188.3
	http://mgx.g3inkor.com.br/#bWFyc3phbGVrQGx1YmVsc2tpZS5wbA==	Get hash	malicious	HTMLPhisher	Browse	191.252.118.159
	Mfhfd5S1Q2.elf	Get hash	malicious	Mirai, Moobot	Browse	186.202.203.35
	u1CBC3tHpv.exe	Get hash	malicious	SmokeLoader	Browse	186.202.153.7
	O11Vx8VJED.dll	Get hash	malicious	Emotet	Browse	189.126.111.200
	xyKFtTuCr6.dll	Get hash	malicious	Emotet	Browse	189.126.111.200
	oubAt2KfB9.elf	Get hash	malicious	Mirai, Moobot	Browse	177.52.143.25
	VlBtqs8BxH.elf	Get hash	malicious	Unknown	Browse	186.202.215.32
	LLdpawvfCk.elf	Get hash	malicious	Mirai, Moobot	Browse	191.252.78.204
	llFfEL66MK.elf	Get hash	malicious	Mirai	Browse	179.188.242.126
	2iFcgjKJQo.elf	Get hash	malicious	Mirai, Moobot	Browse	179.188.154.141
	bM6m50vEPA.elf	Get hash	malicious	Unknown	Browse	201.76.54.185
	http://ow.ly/f4FE50LX5tw#a.al@a.com	Get hash	malicious	Unknown	Browse	191.252.37.11
	yQWRcSoJ2F.elf	Get hash	malicious	Mirai	Browse	187.45.241.60
	SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll	Get hash	malicious	Luca Stealer	Browse	191.252.51.12
	#U260e#Ufe0f vm_6316080857_20220526 (1).htm	Get hash	malicious	HTMLPhisher	Browse	191.252.144.80
	Thomas Anderson 9562 Cgs.htm	Get hash	malicious	HTMLPhisher	Browse	191.252.144.80
	SDQb9uiEp9.elf	Get hash	malicious	Gafgyt, Mirai	Browse	191.252.96.241
	Modulo.msi	Get hash	malicious	DanaBot	Browse	186.202.13.35
	imguser.dll	Get hash	malicious	Unknown	Browse	179.188.11.20

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Transfer.exe	Fct63e39.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI5B40.tmp	banload.html	Get hash	malicious	Unknown	Browse
	Rec1b0_fev_0223.msi	Get hash	malicious	Unknown	Browse
	Fct63e39.msi	Get hash	malicious	Unknown	Browse
	autorizacaoBUWFZCZN.msi	Get hash	malicious	Unknown	Browse
	autorizacaoBUWFZCZN.msi	Get hash	malicious	Unknown	Browse
	https://cld.pt/dl/download/9a9d89b2-99bf-4ca6-b445-5187b14ce9dc/TRANSF-A4-SIMPLEX-TLLK_B25293309_20230117.zip	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\6953ff.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1339
Entropy (8bit):	5.641679839241022
Encrypted:	false
SSDEEP:	24:Sgg5AT07UJr6XL315A2q5A8oC5ARE95AEpUvCFPzH+BLDhiSvifW:SNAI7Uo7rAfA8VAR+AmLPDaD8SkW
MD5:	D4327A36495F2CF7D33ED35F86C21396
SHA1:	ABAF86FB5C7A1570ADCC63A82A334912E3064ADA
SHA-256:	6302B29E60A819D747CA05EEEA2BCAB6AE08C278EA9F068F9D523B0ED68561A4
SHA-512:	CA9570AB1DDAADAD45E3D2D8CF62C2FA27B290EC81EA5581241EFD851137080E4F939ACB8F737106A073D3D0A796168D2B543197FDDF95DE8F5A181B38E73D02
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.PWV.@.....@.....@.....@.....@.....@......&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}..acrobat pdf..NFeNFCe.msi.@.....@.....@.....@........&.{79C71D52-1192-4E50-B15B-B92DA75398A5}.....@.....@.....@.....@.......@.....@.....@.......@......acrobat pdf......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{C94B97F4-2302-498F-9C12-29D9B0E8C0DA}&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}.@......&.{05198137-3B87-4BBF-A714-8156A1FF1DAA}&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}.@......&.{1817CCE1-A3E0-4592-BE27-02EA786E90B2}&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}.@......&.{59B6F458-143D-4EA5-A213-A9B16749A387}&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}.@........CreateFolders..Creating folders..Folder: [1]#.7.C:\Users\user\AppData\Roaming\acrobat pdf\acrobat pdf\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\Users\user\AppData\Roaming\....,.C:\Users\user\

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\Transfer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Jun 24 10:27:04 2019, mtime=Thu Feb 23 08:00:35 2023, atime=Mon Jun 24 10:27:04 2019, length=138520, window=hide
Category:	dropped
Size (bytes):	857
Entropy (8bit):	4.962019385878129
Encrypted:	false
SSDEEP:	24:8skX43qHC69Dy3/A1aeCortZIze+IzeMBm:8skX43qHJ9Dy3IIVovp+pu
MD5:	3F23F91293EA5089B8B8B2443896CCDA
SHA1:	74D79A726C8EDEAE68ECECEE347DFB6150A7F271
SHA-256:	3A47326E9D92C5738CF2F8E6C180968B2D70C3DBEC255A086C9F2A411F45DF2B
SHA-512:	18B562B3B6BEE76048A8F8EA9AC6BEB650AEB66D0E4425817A1E22C647712CA9C57729BB7D3B6CCE40F528BB34706E47492FA62E22D62AD01DD3A3F0E095DCD0
Malicious:	false
Reputation:	low
Preview:	L..................F.... ........T.~JeG...............................z.:..DG..Yr?.D..U..k0.&...&...........-...X..u.....IXeG......t...CFSF..1......N....AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......N..WV.H.....Y....................yN\|.A.p.p.D.a.t.a...B.V.1.....WV.H..Roaming.@.......N..WV.H.....Y........................R.o.a.m.i.n.g.....f.2......Nb[ .Transfer.exe..J.......Nb[WV.H.....~........................T.r.a.n.s.f.e.r...e.x.e.......Z...............-.......Y....................C:\Users\user\AppData\Roaming\Transfer.exe....D.r.i.v.e.r.S.p.a.n.......\.....\.....\.....\.....\.T.r.a.n.s.f.e.r...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.`.......X.......745481...........!a..%.H.VZAj...0!r.h............!a..%.H.VZAj...0!r.h...........E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Transfer.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138520
Entropy (8bit):	5.97678172694547
Encrypted:	false
SSDEEP:	3072:h1tkoMvK2ZjKlrH5ySykwTzwk5aOz1b3aDczMns53:h1tkpZyCj1mDcIu3
MD5:	E04F15D35A1807C4D74D2538D5FE28C9
SHA1:	9A42B387BABDEA719D54C1E11BAAE9FDB9897F71
SHA-256:	7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
SHA-512:	0FA81E472CC65AC3E0DC6427D72002905C577B61C98CBB2859829EF5A139B1AC81FA09D680614C4EA94D599919E67C62F28475AF813400106DDDABE57180AAE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Fct63e39.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`u.h$.f;$.f;$.f;...;-.f;...;].f;...;<.f;.Je:6.f;.Jc:..f;.Jb:6.f;..;-.f;$.g;y.f;.Jo:&.f;.J.;%.f;$..;%.f;.Jd:%.f;Rich$.f;........PE..L....&.].........."..................(............@..........................@......Q.....@.................................DI..d.......8................3...0......@;..p............................;..@...............4............................text.../........................... ..`.rdata..L`.......b..................@..@.data........`.......8..............@....gfids...............B..............@..@.rsrc...8............D..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\drivespan.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17835520
Entropy (8bit):	7.994241608661634
Encrypted:	true
SSDEEP:	393216:9IpF6reJxg/Yh1OgZZwP2qvytnhg0NNnDWHH+u4kMPNP:6pFkKE+1ZZwP7yJ66DWHHP47
MD5:	AB19352276FB2A23F8C4705F66039E81
SHA1:	78E251ADC1B495936C854F2771E998ABB770FF88
SHA-256:	5E11F05F7EB748D1A7B10C07770F7F366A1008B71F54C91F038A00F54A738A29
SHA-512:	F76E7F68B8420441158E7864C9E0B15213891C8F2202D00D756BA86F398667FB3387CA329185E9A4912F6A4DE4C3517DCE0171357D6DD42E59B7FFB67492A22B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L...w..c................../..V........(......@/...@.......................................@.........................@.<......@V.X.............................................................................................E......................text............................... ..`.itext..,$..../..................... ..`.data...p....@/.....................@....bss....ho...P0..........................idata...=....0.....................@....didata.......1.....................@....edata........1.....................@..@.rdata..D.... 1.....................@..@."NA.....d...01..................... ..`.LmE................................@....@#D................................ ..`.reloc............... ..............@..B.............................................................@.......r..............@..@........................................................

C:\Windows\Installer\6953fd.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {79C71D52-1192-4E50-B15B-B92DA75398A5}, Number of Words: 10, Subject: acrobat pdf, Author: acrobat pdf, Name of Creating Application: acrobat pdf (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install acrobat pdf. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	18899456
Entropy (8bit):	7.973938304665172
Encrypted:	false
SSDEEP:	393216:MPwXMT+bs37l4T2rOE8M0aa2vytYC+/7ntvCrGtUtkSuwx:DXEYa6At8M0ahyGZjZCrGatPx
MD5:	4DE4B3F5E51DD6957EF3044BABA3DB7C
SHA1:	E92941CE86E4B573154B509A72BAB2442B8257C4
SHA-256:	B65345186C0259851A4C3FA827BF8616B6B98DD04F3E427888378B751E929DD5
SHA-512:	3D49474F877799FC6A91D621E31193175FEEE9716910D97784182C4A5DF56D779F51DA2EACC4D9E10A0D884F159A9D69AF5CE35DFD1D91F1F3112D7C4D09355E
Malicious:	false
Preview:	......................>...................!...................................E.......a.......n.......................................o.......6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...\|...}...~...........................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI5B40.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: banload.html, Detection: malicious, Browse Filename: Rec1b0_fev_0223.msi, Detection: malicious, Browse Filename: Fct63e39.msi, Detection: malicious, Browse Filename: autorizacaoBUWFZCZN.msi, Detection: malicious, Browse Filename: autorizacaoBUWFZCZN.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5D06.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5DC3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5E31.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	570784
Entropy (8bit):	6.45015034296188
Encrypted:	false
SSDEEP:	6144:j+Sud3L4YgAc8wjVMeKRtGnm3CCRloVywX9gDAOJVafv5khoJQCmR+:j+SuPgAc8+MjGCCslegDTwX5/OCmR+
MD5:	2C9C51AC508570303C6D46C0571EA3A1
SHA1:	E3E0FE08FA11A43C8BCA533F212BDF0704C726D5
SHA-256:	FF86C76A8D5846B3A1AD58FF2FD8E5A06A84EB5899CDEE98E59C548D33335550
SHA-512:	DF5F1DEF5AAC44F39A2DFDE9C6C73F15F83A7374B4AD42B67E425CCB7AC99A64C5701B676AE46D2F7167A04A955158031A839E7878D100AAF8FAB0CE2059F127
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&r.gb..4b..4b..4.a.5o..4.a.5...4-o.5s..4-o.5z..4-o.5(..4.a.5{..4.a.5c..4.a.5E..4b..4...4.o.5...4.o.5c..4.ou4c..4b..4c..4.o.5c..4Richb..4................PE..L....}.c.........."!..."..................................................................@.....................................,....`...................#...p...b..8Y..p....................Y......xX..@...............<............................text...6........................... ..`.rdata..X...........................@..@.data...."...0......................@....rsrc........`.......&..............@..@.reloc...b...p...d..................@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI60B3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1845
Entropy (8bit):	5.470933781395438
Encrypted:	false
SSDEEP:	48:3NAI7UZabAS2O4Y6YP33M7OpriyND8SjK:36vcbAPY6YEUxjK
MD5:	E97D98F35F12D2AB51F975F5B084C6FD
SHA1:	0B8BCB93FDDBBC5E900D039BA337B1CCFFD27356
SHA-256:	5F41180FE0B87665C43EB1726E5CD787C9911F36FC8BAE2DFE2C630A11005690
SHA-512:	A5591D351CFB5483F396C0C6E80998EE42027B3074A47397B35CF4C173F61A21A09DBEBB94D6A485258A33381292F73FB6A41627DD261B4B5D95DCE1A8BF5FFA
Malicious:	false
Preview:	...@IXOS.@.....@.PWV.@.....@.....@.....@.....@.....@......&.{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}..acrobat pdf..NFeNFCe.msi.@.....@.....@.....@........&.{79C71D52-1192-4E50-B15B-B92DA75398A5}.....@.....@.....@.....@.......@.....@.....@.......@......acrobat pdf......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{C94B97F4-2302-498F-9C12-29D9B0E8C0DA}7.C:\Users\user\AppData\Roaming\acrobat pdf\acrobat pdf\.@.......@.....@.....@......&.{05198137-3B87-4BBF-A714-8156A1FF1DAA},.01:\Software\acrobat pdf\acrobat pdf\Version.@.......@.....@.....@......&.{1817CCE1-A3E0-4592-BE27-02EA786E90B2},.C:\Users\user\AppData\Roaming\drivespan.dll.@.......@.....@.....@......&.{59B6F458-143D-4EA5-A213-A9B16749A387}+.C:\Users\user\AppData\Roaming\Transfer.exe.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".7.C:\Users\user\AppData\Roaming\acrobat pdf

C:\Windows\Installer\SourceHash{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1624554651731813
Encrypted:	false
SSDEEP:	12:JSbX72FjXfAGiLIlHVRpY5h/7777777777777777777777777vDHF3yIAlHJpdlN:JFQI5eQmF
MD5:	3EEB77401CDBF24A26EAE0819361F184
SHA1:	2B02606BA16F8D4E3950EB458B7329093F2CCE59
SHA-256:	B6270A2C75542265ECAFEEFC2A86F7E927E91BAA0AC3917B205337E21BAFE919
SHA-512:	25C4562DEFC8CBA26AAFC40A9119CFD66FE39FEF68761CA2911E8EEA08A7FE2FCA497B3E3FCA13F5FA5AF47C30BDC9DF810C275C759C7B97BE0245AAA786A16E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5362760833827802
Encrypted:	false
SSDEEP:	48:q8Ph8uRc06WXJenT5gRX8SCmAECiCyro/S8SCMTY:1h811nTysFECTl
MD5:	3A841D2A96CBC9380783E1CDFDCB66AC
SHA1:	5B6821AC9FB59FA73821F3F1CB7566461CB0ABEE
SHA-256:	FD53D63573295D8E657D94A47C3258867DD350D8A5A0E59555861B1E713AA704
SHA-512:	94E8F569C73B9B5FFBD3C942924E2D6C4EDFD584C0E99D9546934477A804C9556BBCAC85F046D7D687DAEFE5BCF81A4C1A8081DA7784A348A68ED3D673FF7300
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.282051879756832
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyi8:yXs9UogeWeH29qclhmwYyi8
MD5:	FEBC051832465E14DD92E6EABA226994
SHA1:	C40F9508348189C2FDFDDC6C1122313D74F4B7B4
SHA-256:	CE9925D1C6957D9B3AB9D8014C7AAF11D17D4413280078BF85773734A296E2BF
SHA-512:	4A2147D80CDA7EF4385D308B8B4810007376ED6B528C51EE6A96FC1D8D667410B28BDEE87711C12A098F854E08FF364264B40593F32F3776153A18D7D04B21AD
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF0CACAD3964164C30.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.12746235073211917
Encrypted:	false
SSDEEP:	24:ACpqTxkrXJKipVkrXJQkrXJKipVkrXJ4AEVkryjCynrV2BwGF6f+U:vUTe8SCZ8SCmAECiCyro/i5
MD5:	3CE1249C764A7D93C11359B76E178793
SHA1:	1A6CF513C4F0D52645D9D95E4E71FD96311565D1
SHA-256:	44C1EB75DE12F0140D762049DADAA34A6C9699E6D95F14BE11CB531DBE15E8DB
SHA-512:	B98BE603022BBC06E82D3EB7B79FE2013F3E5A9E6DF42F535E99A063F0DC19ECD530526840026B4495D718D2022287DF14F9241F59467F9CE2C360215362F679
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF153C34D9E0DC4893.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1A63BA499784C4C6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1F376605ABAABBDD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2331359870694363
Encrypted:	false
SSDEEP:	48:Ix0uFM+CFXJ9T5YRX8SCmAECiCyro/S8SCMTY:g0nVT6sFECTl
MD5:	3A1487EFF94C3A11DB32BF40E2F9CEDD
SHA1:	F76BBB203BB2573A4F0009EA9FB48037E1EB5DEB
SHA-256:	A900EEAA3106E4814FB45DC65E5BEF9AEE5804E5B5330540BDC1D138E7125B64
SHA-512:	37A9ED552C5365172E4F120891D9049EB82994F726FEF1D3DD2D3C529988773B584C6625AEEB5DD6C34ADB67CFD154BEF4D9C3AA83AFC4D413913822DF695AFA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF471A6EBA7F5FE3DE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5362760833827802
Encrypted:	false
SSDEEP:	48:q8Ph8uRc06WXJenT5gRX8SCmAECiCyro/S8SCMTY:1h811nTysFECTl
MD5:	3A841D2A96CBC9380783E1CDFDCB66AC
SHA1:	5B6821AC9FB59FA73821F3F1CB7566461CB0ABEE
SHA-256:	FD53D63573295D8E657D94A47C3258867DD350D8A5A0E59555861B1E713AA704
SHA-512:	94E8F569C73B9B5FFBD3C942924E2D6C4EDFD584C0E99D9546934477A804C9556BBCAC85F046D7D687DAEFE5BCF81A4C1A8081DA7784A348A68ED3D673FF7300
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4805B34F8A59DAA2.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF77745BD0AC417036.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7CB7A19DC0877E92.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA13AD808A317D84E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5362760833827802
Encrypted:	false
SSDEEP:	48:q8Ph8uRc06WXJenT5gRX8SCmAECiCyro/S8SCMTY:1h811nTysFECTl
MD5:	3A841D2A96CBC9380783E1CDFDCB66AC
SHA1:	5B6821AC9FB59FA73821F3F1CB7566461CB0ABEE
SHA-256:	FD53D63573295D8E657D94A47C3258867DD350D8A5A0E59555861B1E713AA704
SHA-512:	94E8F569C73B9B5FFBD3C942924E2D6C4EDFD584C0E99D9546934477A804C9556BBCAC85F046D7D687DAEFE5BCF81A4C1A8081DA7784A348A68ED3D673FF7300
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB26169C7AB405949.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.06991049405144978
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOzTyIAX11Oidv1qVky6lf1:2F0i8n0itFzDHF3yIAlHrd
MD5:	48A02018EA21D576D0416DA4769D363F
SHA1:	1BEED0CFD8D6CD51722B7EDED0E8BA93526021FB
SHA-256:	650CF3BCE804A8D7B8F6C2ED95D9793F52C1D6EA04BD199F268C6A8DFCEFEB2E
SHA-512:	026485E9D5315A0BA52903699C10CEBA55F913DF6A3594315D22A1163F3075CD7E83C8C62BE55727BEC0FA33BCD81C1D6FA5A2C2837A7DBDF0CD79384AE0040A
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDD1B51B220FBE269.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2331359870694363
Encrypted:	false
SSDEEP:	48:Ix0uFM+CFXJ9T5YRX8SCmAECiCyro/S8SCMTY:g0nVT6sFECTl
MD5:	3A1487EFF94C3A11DB32BF40E2F9CEDD
SHA1:	F76BBB203BB2573A4F0009EA9FB48037E1EB5DEB
SHA-256:	A900EEAA3106E4814FB45DC65E5BEF9AEE5804E5B5330540BDC1D138E7125B64
SHA-512:	37A9ED552C5365172E4F120891D9049EB82994F726FEF1D3DD2D3C529988773B584C6625AEEB5DD6C34ADB67CFD154BEF4D9C3AA83AFC4D413913822DF695AFA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFBC59CFAC078C8F8.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2331359870694363
Encrypted:	false
SSDEEP:	48:Ix0uFM+CFXJ9T5YRX8SCmAECiCyro/S8SCMTY:g0nVT6sFECTl
MD5:	3A1487EFF94C3A11DB32BF40E2F9CEDD
SHA1:	F76BBB203BB2573A4F0009EA9FB48037E1EB5DEB
SHA-256:	A900EEAA3106E4814FB45DC65E5BEF9AEE5804E5B5330540BDC1D138E7125B64
SHA-512:	37A9ED552C5365172E4F120891D9049EB82994F726FEF1D3DD2D3C529988773B584C6625AEEB5DD6C34ADB67CFD154BEF4D9C3AA83AFC4D413913822DF695AFA
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {79C71D52-1192-4E50-B15B-B92DA75398A5}, Number of Words: 10, Subject: acrobat pdf, Author: acrobat pdf, Name of Creating Application: acrobat pdf (Evaluation Installer), Template: ;1033, Comments: This installer database contains the logic and data required to install acrobat pdf. (Evaluation Installer), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.973938304665172
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	NFeNFCe.msi
File size:	18899456
MD5:	4de4b3f5e51dd6957ef3044baba3db7c
SHA1:	e92941ce86e4b573154b509a72bab2442b8257c4
SHA256:	b65345186c0259851a4c3fa827bf8616b6b98dd04f3e427888378b751e929dd5
SHA512:	3d49474f877799fc6a91d621e31193175feee9716910d97784182c4a5df56d779f51da2eacc4d9e10a0d884f159a9d69af5ce35dfd1d91f1f3112d7c4d09355e
SSDEEP:	393216:MPwXMT+bs37l4T2rOE8M0aa2vytYC+/7ntvCrGtUtkSuwx:DXEYa6At8M0ahyGZjZCrGatPx
TLSH:	86173322A2C7CA32D11E027BF529FE1D0538BE73073111F7B7A4395F59B58C1A6B9A42
File Content Preview:	........................>...................!...................................E.......a.......n.......................................o.......6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q..

File Icon


Icon Hash:	a2a0b496b2caca72

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2023 10:00:58.936852932 CET	49696	443	192.168.2.4	186.202.153.91
Feb 23, 2023 10:00:58.936923981 CET	443	49696	186.202.153.91	192.168.2.4
Feb 23, 2023 10:00:58.937031984 CET	49696	443	192.168.2.4	186.202.153.91
Feb 23, 2023 10:00:58.951488972 CET	49696	443	192.168.2.4	186.202.153.91
Feb 23, 2023 10:00:58.951632977 CET	443	49696	186.202.153.91	192.168.2.4
Feb 23, 2023 10:00:58.951793909 CET	49696	443	192.168.2.4	186.202.153.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2023 10:00:58.085864067 CET	50911	53	192.168.2.4	8.8.8.8
Feb 23, 2023 10:00:58.924004078 CET	53	50911	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 23, 2023 10:00:58.085864067 CET	192.168.2.4	8.8.8.8	0xfb97	Standard query (0)	feliz2023.correio.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 23, 2023 10:00:58.924004078 CET	8.8.8.8	192.168.2.4	0xfb97	No error (0)	feliz2023.correio.biz		186.202.153.91	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exePID: 1236, Parent PID: 3528

General

Target ID:	0
Start time:	10:00:29
Start date:	23/02/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\NFeNFCe.msi"
Imagebase:	0x7ff728480000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 5092, Parent PID: 576

General

Target ID:	1
Start time:	10:00:29
Start date:	23/02/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff728480000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 5748, Parent PID: 5092

General

Target ID:	2
Start time:	10:00:32
Start date:	23/02/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F976ACED0B98CECA5DED949820F67829
Imagebase:	0x1210000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: Transfer.exePID: 1900, Parent PID: 5092

General

Target ID:	3
Start time:	10:00:35
Start date:	23/02/2023
Path:	C:\Users\user\AppData\Roaming\Transfer.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Transfer.exe
Imagebase:	0xa40000
File size:	138520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: Transfer.exePID: 1416, Parent PID: 3528

General

Target ID:	4
Start time:	10:01:09
Start date:	23/02/2023
Path:	C:\Users\user\AppData\Roaming\Transfer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Transfer.exe"
Imagebase:	0xa40000
File size:	138520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Transfer.exePID: 1900, Parent PID: 5092COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1345
Total number of Limit Nodes:	27

Executed Functions

Function 00A41000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00A41000(struct HINSTANCE__* __ecx, void* __eflags) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				short _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				char _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				char _v636;
				struct HINSTANCE__* _v640;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				char* _v664;
				intOrPtr _v668;
				char _v672;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t118;
				signed int _t119;
				char* _t125;
				intOrPtr _t128;
				struct HINSTANCE__* _t131;
				struct HINSTANCE__* _t134;
				void* _t137;
				int _t142;
				struct HINSTANCE__* _t148;
				struct HINSTANCE__* _t151;
				intOrPtr _t154;
				intOrPtr _t156;
				intOrPtr _t158;
				struct HINSTANCE__* _t168;
				struct HINSTANCE__* _t173;
				char* _t174;
				_Unknown_base(*)()* _t180;
				struct HINSTANCE__* _t184;
				void* _t204;
				void* _t205;
				char* _t207;
				intOrPtr* _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t233;
				void* _t237;
				void* _t240;
				intOrPtr _t243;
				void* _t246;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t249;

				_t118 =  *0xa56004; // 0x78a0cd96
				_t119 = _t118 ^ _t249;
				_v20 = _t119;
				 *[fs:0x0] =  &_v16;
				_t247 = __ecx;
				_v640 = __ecx;
				_v672 = 0;
				_v568 = 7;
				_v572 = 0;
				_v588 = 0;
				E00A41A90(_t204,  &_v588, L"drivespan.dll");
				_v8 = 0;
				E00A44940(_t239,  &_v540, 0, 0x208);
				_t125 =  &_v540;
				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t125, 0xd, _t119, _t239, _t246, _t204,  *[fs:0x0], E00A4E012, 0xffffffff); // executed
				if(_t125 < 0) {
					E00A41960(_t247,  &_v588);
					L44:
					_t128 = _v568;
					__eflags = _t128 - 8;
					if(_t128 < 8) {
						L47:
						 *[fs:0x0] = _v16;
						_pop(_t240);
						_pop(_t248);
						_pop(_t205);
						return E00A425A8(_t205, _v20 ^ _t249, _t240, _t248);
					}
					_t131 = _t128 + 1;
					__eflags = _t131;
					_push(_t131);
					L46:
					_push(_v588);
					E00A41C00(_t204, _t236, _t239);
					goto L47;
				}
				_v544 = 7;
				_v548 = 0;
				_v564 = 0;
				if(_v540 != 0) {
					_t217 =  &_v540;
					_t237 = _t217 + 2;
					do {
						_t134 =  *_t217;
						_t217 = _t217 + 2;
						__eflags = _t134;
					} while (_t134 != 0);
					_t218 = _t217 - _t237;
					__eflags = _t218;
					_t219 = _t218 >> 1;
					goto L6;
				} else {
					_t219 = 0;
					L6:
					_push(_t219);
					E00A41A90(_t204,  &_v564,  &_v540);
					_t236 =  &_v564;
					_v8 = 1;
					_t137 = E00A420F0( &_v636,  &_v564, L"\\Nero\\Transfer\\Update\\");
					_t241 = _t137;
					if( &_v564 != _t137) {
						_t199 = _v544;
						if(_v544 >= 8) {
							E00A41C00(_t204,  &_v564, _t241, _v564, _t199 + 1);
						}
						_v544 = 7;
						_v548 = 0;
						_v564 = 0;
						E00A41B90( &_v564, _t241);
					}
					_v8 = 1;
					_t139 = _v616;
					if(_v616 >= 8) {
						E00A41C00(_t204, _t236, _t241, _v636, _t139 + 1);
					}
					_t239 = PathFileExistsW;
					_t141 =  >=  ? _v564 :  &_v564;
					_t142 = PathFileExistsW( >=  ? _v564 :  &_v564); // executed
					if(_t142 != 0) {
						E00A420F0( &_v636,  &_v564, L"new_drivespan.dll");
						_v8 = 3;
						_t236 =  &_v564;
						E00A42200( &_v612, _t236,  &_v588);
						_v8 = 4;
						__eflags = _v616 - 8;
						_t147 =  >=  ? _v636 :  &_v636;
						_t148 = PathFileExistsW( >=  ? _v636 :  &_v636);
						__eflags = _t148;
						if(_t148 != 0) {
							__eflags = _v592 - 8;
							_t231 =  >=  ? _v612 :  &_v612;
							__eflags = _v616 - 8;
							_t189 =  >=  ? _v636 :  &_v636;
							MoveFileExW( >=  ? _v636 :  &_v636,  >=  ? _v612 :  &_v612, 1);
						}
						__eflags = _v592 - 8;
						_t150 =  >=  ? _v612 :  &_v612;
						_t151 = PathFileExistsW( >=  ? _v612 :  &_v612);
						__eflags = _t151;
						if(_t151 == 0) {
							E00A41960(_t247,  &_v588);
							_t154 = _v592;
							__eflags = _t154 - 8;
							if(_t154 >= 8) {
								__eflags = _t154 + 1;
								E00A41C00(_t204, _t236, _t239, _v612, _t154 + 1);
							}
							_v592 = 7;
							_v612 = 0;
							_t156 = _v616;
							_v596 = 0;
							__eflags = _t156 - 8;
							if(_t156 >= 8) {
								__eflags = _t156 + 1;
								E00A41C00(_t204, _t236, _t239, _v636, _t156 + 1);
							}
							_v616 = 7;
							_v636 = 0;
							_t158 = _v544;
							_v620 = 0;
							__eflags = _t158 - 8;
							if(_t158 >= 8) {
								__eflags = _t158 + 1;
								E00A41C00(_t204, _t236, _t239, _v564, _t158 + 1);
							}
							_v544 = 7;
							_v548 = 0;
							_v564 = 0;
							goto L44;
						} else {
							__eflags = _v592 - 8;
							asm("xorps xmm0, xmm0");
							_t167 =  >=  ? _v612 :  &_v612;
							asm("movlpd [ebp-0x288], xmm0");
							_t168 = LoadLibraryW( >=  ? _v612 :  &_v612);
							_v640 = _t168;
							__eflags = _t168;
							if(_t168 == 0) {
								_v656 = _v648;
								_v648 = _v652;
							} else {
								_t184 = GetProcAddress(_t168, "ver");
								__eflags = _t184;
								if(_t184 == 0) {
									_v656 = _v648;
									_v648 = _v652;
									FreeLibrary(_v640);
								} else {
									_v648 = _t184->i();
									_v656 = _t236;
									FreeLibrary(_v640);
								}
							}
							__eflags = _v568 - 8;
							asm("xorps xmm0, xmm0");
							_t172 =  >=  ? _v588 :  &_v588;
							asm("movlpd [ebp-0x298], xmm0");
							_t173 = LoadLibraryW( >=  ? _v588 :  &_v588);
							_v640 = _t173;
							__eflags = _t173;
							if(_t173 == 0) {
								_t207 = _v664;
								_t243 = _v668;
							} else {
								_t180 = GetProcAddress(_t173, "ver");
								__eflags = _t180;
								if(_t180 == 0) {
									_t207 = _v664;
									_t243 = _v668;
									FreeLibrary(_v640);
								} else {
									_t243 =  *_t180();
									_t207 = _t236;
									FreeLibrary(_v640);
								}
							}
							__eflags = _v656 - _t207;
							if(__eflags < 0) {
								L35:
								_t174 =  &_v588;
								goto L34;
							} else {
								if(__eflags > 0) {
									L33:
									_t174 =  &_v612;
									L34:
									E00A41960(_t247, _t174);
									E00A41920( &_v612);
									E00A41920( &_v636);
									E00A41920( &_v564);
									E00A41920( &_v588);
									goto L47;
								}
								__eflags = _v648 - _t243;
								if(_v648 <= _t243) {
									goto L35;
								}
								goto L33;
							}
						}
					} else {
						E00A41960(_t247,  &_v588);
						_t193 = _v544;
						if(_v544 >= 8) {
							E00A41C00(_t204, _t236, PathFileExistsW, _v564, _t193 + 1);
						}
						_t233 = _v568;
						_v544 = 7;
						_v548 = 0;
						_v564 = 0;
						if(_t233 < 8) {
							goto L47;
						} else {
							_push(_t233 + 1);
							goto L46;
						}
					}
				}
			}

0x00a41017
0x00a4101c
0x00a4101e
0x00a41028
0x00a4102e
0x00a41030
0x00a4103a
0x00a4104f
0x00a41059
0x00a41063
0x00a4106a
0x00a4107a
0x00a41084
0x00a4108c
0x00a4109b
0x00a410a3
0x00a414d4
0x00a414d9
0x00a414d9
0x00a414df
0x00a414e2
0x00a414f1
0x00a414f6
0x00a414fe
0x00a414ff
0x00a41500
0x00a4150e
0x00a4150e
0x00a414e4
0x00a414e4
0x00a414e5
0x00a414e6
0x00a414e6
0x00a414ec
0x00000000
0x00a414ec
0x00a410ab
0x00a410b5
0x00a410bf
0x00a410cd
0x00a410d3
0x00a410d9
0x00a410e0
0x00a410e0
0x00a410e3
0x00a410e6
0x00a410e6
0x00a410eb
0x00a410eb
0x00a410ed
0x00000000
0x00a410cf
0x00a410cf
0x00a410ef
0x00a410ef
0x00a410fd
0x00a41107
0x00a4110d
0x00a41117
0x00a4111f
0x00a41129
0x00a4112b
0x00a41134
0x00a4113e
0x00a4113e
0x00a41145
0x00a41156
0x00a41160
0x00a41167
0x00a41167
0x00a4116c
0x00a41170
0x00a41179
0x00a41183
0x00a41183
0x00a41195
0x00a4119b
0x00a411a3
0x00a411a7
0x00a41213
0x00a4121e
0x00a41223
0x00a4122f
0x00a41237
0x00a41241
0x00a41248
0x00a41250
0x00a41252
0x00a41254
0x00a41256
0x00a41265
0x00a41272
0x00a4127a
0x00a41282
0x00a41282
0x00a41288
0x00a41295
0x00a4129d
0x00a4129f
0x00a412a1
0x00a41425
0x00a4142a
0x00a41430
0x00a41433
0x00a41435
0x00a4143d
0x00a4143d
0x00a41444
0x00a4144e
0x00a41455
0x00a4145b
0x00a41465
0x00a41468
0x00a4146a
0x00a41472
0x00a41472
0x00a41479
0x00a41483
0x00a4148a
0x00a41490
0x00a4149a
0x00a4149d
0x00a4149f
0x00a414a7
0x00a414a7
0x00a414ae
0x00a414b8
0x00a414c2
0x00000000
0x00a412a7
0x00a412a7
0x00a412ba
0x00a412bd
0x00a412c5
0x00a412cd
0x00a412d5
0x00a412db
0x00a412dd
0x00a4133f
0x00a4134b
0x00a412df
0x00a412e5
0x00a412e7
0x00a412e9
0x00a41319
0x00a41325
0x00a41331
0x00a412eb
0x00a412f3
0x00a412f9
0x00a412ff
0x00a412ff
0x00a412e9
0x00a41351
0x00a4135e
0x00a41361
0x00a41369
0x00a41371
0x00a41373
0x00a41379
0x00a4137b
0x00a413b7
0x00a413bd
0x00a4137d
0x00a41383
0x00a41385
0x00a41387
0x00a413a3
0x00a413a9
0x00a413af
0x00a41389
0x00a41391
0x00a41393
0x00a41395
0x00a41395
0x00a41387
0x00a413c3
0x00a413c9
0x00a41414
0x00a41414
0x00000000
0x00a413cb
0x00a413cb
0x00a413d5
0x00a413d5
0x00a413db
0x00a413de
0x00a413e9
0x00a413f4
0x00a413ff
0x00a4140a
0x00000000
0x00a4140a
0x00a413cd
0x00a413d3
0x00000000
0x00000000
0x00000000
0x00a413d3
0x00a413c9
0x00a411a9
0x00a411b2
0x00a411b7
0x00a411c0
0x00a411ca
0x00a411ca
0x00a411cf
0x00a411d7
0x00a411e1
0x00a411eb
0x00a411f5
0x00000000
0x00a411fb
0x00a411fc
0x00000000
0x00a411fc
0x00a411f5
0x00a411a7

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00A4109B
PathFileExistsW.KERNELBASE(?,?), ref: 00A411A3
PathFileExistsW.SHLWAPI(?), ref: 00A41250
MoveFileExW.KERNEL32(?,?,00000001), ref: 00A41282
PathFileExistsW.SHLWAPI(?), ref: 00A4129D
LoadLibraryW.KERNEL32(?), ref: 00A412CD
GetProcAddress.KERNEL32(00000000,ver), ref: 00A412E5
FreeLibrary.KERNEL32(?), ref: 00A412FF
FreeLibrary.KERNEL32(?), ref: 00A41331
LoadLibraryW.KERNEL32(?), ref: 00A41371
GetProcAddress.KERNEL32(00000000,ver), ref: 00A41383
FreeLibrary.KERNEL32(?), ref: 00A41395
FreeLibrary.KERNEL32(?), ref: 00A413AF

Strings

\Nero\Transfer\Update\, xrefs: 00A41102
new_drivespan.dll, xrefs: 00A41202
drivespan.dll, xrefs: 00A41044
ver, xrefs: 00A412DF, 00A4137D

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: Library$FileFreePath$Exists$AddressLoadProc$FolderMove
String ID: \Nero\Transfer\Update\$drivespan.dll$new_drivespan.dll$ver
API String ID: 2307531666-2570186640
Opcode ID: ad8680c0c43a54173566ad2105b41bfd071fa9c9a517ce8cc241e4ae1f7a2cf3
Instruction ID: 79e34b7f0e8b1183335d885891fc6f344c813eae9beca7bc45c993d451dd5c46
Opcode Fuzzy Hash: ad8680c0c43a54173566ad2105b41bfd071fa9c9a517ce8cc241e4ae1f7a2cf3
Instruction Fuzzy Hash: E9D155789152289ADF60DB64CD9CBADB7B8FF84344F1005E9E409A2250EB35AFC5CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A417A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00A417A0(void* __ebx, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v72;
				char _v76;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t27;
				void* _t29;
				struct HINSTANCE__* _t33;
				_Unknown_base(*)()* _t34;
				void* _t46;
				intOrPtr* _t47;
				signed int _t48;
				signed int _t49;
				void* _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				struct HINSTANCE__* _t64;
				void* _t65;
				signed int _t66;
				signed int _t68;

				_t46 = __ebx;
				_t68 = (_t66 & 0xfffffff8) - 0x40;
				_t23 =  *0xa56004; // 0x78a0cd96
				_v8 = _t23 ^ _t68;
				_t60 = _a12;
				_v40 = 8;
				_v36 = 0x80a0;
				__imp__InitCommonControlsEx( &_v40, _t59, _t62);
				_v48 = 7;
				_v52 = 0;
				_v68 = 0;
				if( *_t60 != 0) {
					_t47 = _t60;
					_t58 = _t47 + 2;
					do {
						_t27 =  *_t47;
						_t47 = _t47 + 2;
						__eflags = _t27;
					} while (_t27 != 0);
					_t48 = _t47 - _t58;
					__eflags = _t48;
					_t49 = _t48 >> 1;
					L5:
					_push(_t49);
					E00A41A90(_t46,  &_v68, _t60);
					_t29 = E00A422E0( &_v76, L"-Restart");
					_t52 = _v60;
					_t63 = _t29;
					if(_v60 >= 8) {
						E00A41C00(_t46, _t58, _t60, _v72, _t52 + 1);
					}
					_t72 = _t63;
					if(_t63 == 0) {
						E00A41510();
					}
					E00A41000( &_v40, _t72); // executed
					_t32 =  >=  ? _v40 :  &_v40;
					_t33 = LoadLibraryW( >=  ? _v40 :  &_v40); // executed
					_t64 = _t33;
					if(_t64 != 0) {
						L12:
						_t34 = GetProcAddress(_t64, "run");
						if(_t34 != 0) {
							 *_t34(_t64, _t60, _a16);
							_t68 = _t68 + 0xc;
						}
						goto L14;
					} else {
						if(E00A422E0( &_v40, L"drivespan.dll") == 0) {
							L14:
							FreeLibrary(_t64);
							_t36 = _v20;
							if(_v20 >= 8) {
								E00A41C00(_t46, _t58, _t60, _v40, _t36 + 1);
							}
							_pop(_t61);
							_pop(_t65);
							return E00A425A8(_t46, _v16 ^ _t68, _t61, _t65);
						}
						_t64 = LoadLibraryW(L"drivespan.dll");
						if(_t64 == 0) {
							goto L14;
						}
						goto L12;
					}
				}
				_t49 = 0;
				goto L5;
			}

0x00a417a0
0x00a417a6
0x00a417a9
0x00a417b0
0x00a417b6
0x00a417be
0x00a417c6
0x00a417ce
0x00a417d6
0x00a417de
0x00a417e6
0x00a417ee
0x00a417f4
0x00a417f6
0x00a41800
0x00a41800
0x00a41803
0x00a41806
0x00a41806
0x00a4180b
0x00a4180b
0x00a4180d
0x00a4180f
0x00a4180f
0x00a41815
0x00a41823
0x00a41828
0x00a4182c
0x00a41831
0x00a41839
0x00a41839
0x00a4183e
0x00a41840
0x00a41842
0x00a41842
0x00a4184b
0x00a41859
0x00a4185f
0x00a41865
0x00a41869
0x00a4188e
0x00a41894
0x00a4189c
0x00a418a3
0x00a418a5
0x00a418a5
0x00000000
0x00a4186b
0x00a4187b
0x00a418a8
0x00a418a9
0x00a418af
0x00a418b6
0x00a418be
0x00a418be
0x00a418c9
0x00a418ca
0x00a418d5
0x00a418d5
0x00a41888
0x00a4188c
0x00000000
0x00000000
0x00000000
0x00a4188c
0x00a41869
0x00a417f0
0x00000000

APIs

InitCommonControlsEx.COMCTL32 ref: 00A417CE
LoadLibraryW.KERNELBASE(?,?,?,?,-Restart,?,?), ref: 00A4185F
LoadLibraryW.KERNEL32(drivespan.dll,drivespan.dll,?,?,?,-Restart,?,?), ref: 00A41882
GetProcAddress.KERNEL32(00000000,run), ref: 00A41894
FreeLibrary.KERNEL32(00000000,?,?,?,-Restart,?,?), ref: 00A418A9

Strings

-Restart, xrefs: 00A4181A
drivespan.dll, xrefs: 00A4186B, 00A4187D
run, xrefs: 00A4188E

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: Library$Load$AddressCommonControlsFreeInitProc
String ID: -Restart$drivespan.dll$run
API String ID: 1924428465-1486268468
Opcode ID: 43e5b9eca2b0add8ce685e7c40924ba6afdcc72d6875682f651def6a628a28a9
Instruction ID: a98ccf78d7dbd2a465bf1d41db3bb5e0969562751041e00e1f1b473efbff5b61
Opcode Fuzzy Hash: 43e5b9eca2b0add8ce685e7c40924ba6afdcc72d6875682f651def6a628a28a9
Instruction Fuzzy Hash: 64319E39514301AFC714EB64DD45A6FB7E8FFC5386F404A2CF88292190EB71DA45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A42F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A42F17() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00A42F23); // executed
				return _t1;
			}

0x00a42f1c
0x00a42f22

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00002F23,00A426A2), ref: 00A42F1C

Strings

Pdqt, xrefs: 00A42F1C

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID: Pdqt
API String ID: 3192549508-3302706896
Opcode ID: fa5514063249bcf27121d7b6d0d9fd885f9baa9df44c2107bb2baf72a9b2158a
Instruction ID: 4302eaf986d1f2f5033381476a0fc4c1b6a5a5f27a1b3f3784830acce1374540
Opcode Fuzzy Hash: fa5514063249bcf27121d7b6d0d9fd885f9baa9df44c2107bb2baf72a9b2158a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00A48654 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00A48654(void* __esi, void* __eflags) {
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				char _t16;
				void* _t17;
				void* _t26;
				void* _t28;
				void* _t30;
				char _t31;
				void* _t33;
				intOrPtr* _t35;

				_push(_t26);
				_push(_t26);
				_t16 = E00A46BDB(_t26, 0x40, 0x30); // executed
				_t31 = _t16;
				_v12 = _t31;
				_t28 = _t30;
				if(_t31 != 0) {
					_t2 = _t31 + 0xc00; // 0xc00
					_t17 = _t2;
					__eflags = _t31 - _t17;
					if(__eflags != 0) {
						_t3 = _t31 + 0x20; // 0x20
						_t35 = _t3;
						_t33 = _t17;
						do {
							_t4 = _t35 - 0x20; // 0x0
							E00A4842B(0, _t28, _t33, __eflags, _t4, 0xfa0, 0);
							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
							 *_t35 = 0;
							_t35 = _t35 + 0x30;
							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
							 *((char*)(_t35 - 0x24)) = 0xa;
							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
							 *((char*)(_t35 - 0x22)) = 0;
							__eflags = _t35 - 0x20 - _t33;
						} while (__eflags != 0);
						_t31 = _v12;
					}
				} else {
					_t31 = 0;
				}
				E00A46B10(0);
				return _t31;
			}

0x00a48659
0x00a4865a
0x00a48661
0x00a48666
0x00a4866a
0x00a4866e
0x00a48671
0x00a48677
0x00a48677
0x00a4867d
0x00a4867f
0x00a48682
0x00a48682
0x00a48685
0x00a48687
0x00a4868d
0x00a48691
0x00a48696
0x00a4869a
0x00a4869c
0x00a4869f
0x00a486a5
0x00a486ac
0x00a486b0
0x00a486b4
0x00a486b7
0x00a486b7
0x00a486bb
0x00a486be
0x00a48673
0x00a48673
0x00a48673
0x00a486c0
0x00a486cd

APIs

Part of subcall function 00A46BDB: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00A46C1C

_free.LIBCMT ref: 00A486C0

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d3ebc13b0ebbb74cb065b0f551faa43160cc8f1f2a8b1336f13c8a4004e98a34
Instruction ID: e83d44bc9abb1fae45ce7a458c3a861cbce51461f376611a742fe978bb72e7c5
Opcode Fuzzy Hash: d3ebc13b0ebbb74cb065b0f551faa43160cc8f1f2a8b1336f13c8a4004e98a34
Instruction Fuzzy Hash: 0B01D67A2003456BE7218F659881D5EFBE9EBC5370F26051DE58497280EB34A905C664

Uniqueness

Uniqueness Score: -1.00%

Function 00A46BDB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00A46BDB(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0xa57358, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00A464E4();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00A473D2())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E00A45815(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00a46bdb
0x00a46be1
0x00a46be6
0x00a46bf4
0x00a46bf4
0x00a46bfa
0x00a46bfc
0x00a46bfc
0x00a46c13
0x00a46c1c
0x00a46c24
0x00000000
0x00000000
0x00a46c04
0x00a46c06
0x00a46c28
0x00a46c2d
0x00a46c33
0x00000000
0x00a46c33
0x00a46c09
0x00a46c0e
0x00a46c0f
0x00a46c11
0x00000000
0x00000000
0x00a46c11
0x00000000
0x00a46c13
0x00a46bec
0x00a46bf2
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00A46C1C

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6926f55ecc7f9b86b7a621270ac3898f88b9c37f9c2a30a3067b86bf7f7381c2
Instruction ID: 701006dfc14f0795972f3bb0cfc1bb5dd4839d4699f3af1834694c3b51b461ed
Opcode Fuzzy Hash: 6926f55ecc7f9b86b7a621270ac3898f88b9c37f9c2a30a3067b86bf7f7381c2
Instruction Fuzzy Hash: 8EF0E93D945625ABDB319B629D45B5A7B98EFC3770B148021EC84DB191CF30DC0286E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A41510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E00A41510() {
				int _v8;
				char _v16;
				signed int _v20;
				short _v540;
				int _v544;
				intOrPtr _v548;
				int _v552;
				char _v568;
				char _v1096;
				intOrPtr _v1124;
				void* _v1132;
				intOrPtr _v1136;
				intOrPtr _v1140;
				char _v1160;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t50;
				intOrPtr _t55;
				void* _t62;
				long _t65;
				intOrPtr _t66;
				signed int _t79;
				signed int _t80;
				void* _t90;
				long _t91;
				void* _t92;
				intOrPtr* _t93;
				signed int _t95;
				intOrPtr* _t106;
				intOrPtr _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t114;
				void* _t115;
				signed int _t116;

				_push(0xffffffff);
				_push(E00A4E051);
				_push( *[fs:0x0]);
				_t49 =  *0xa56004; // 0x78a0cd96
				_t50 = _t49 ^ _t116;
				_v20 = _t50;
				_push(_t90);
				_push(_t109);
				_push(_t50);
				 *[fs:0x0] =  &_v16;
				GetModuleFileNameW(0,  &_v540, 0x100);
				_v548 = 7;
				_v552 = 0;
				_v568 = 0;
				if(_v540 != 0) {
					_t93 =  &_v540;
					_t108 = _t93 + 2;
					do {
						_t55 =  *_t93;
						_t93 = _t93 + 2;
					} while (_t55 != 0);
					_t95 = _t93 - _t108 >> 1;
				} else {
					_t95 = 0;
				}
				_push(_t95);
				E00A41A90(_t90,  &_v568,  &_v540);
				_v8 = 0;
				_v544 = 0x5c;
				_t62 = E00A418E0( &_v568,  &_v1160, E00A419F0( &_v568,  &_v544) + 1, _v552 - _t59 - 1);
				_t113 = _t62;
				if( &_v568 != _t62) {
					_t85 = _v548;
					if(_v548 >= 8) {
						E00A41C00(_t90, _t108, _t109, _v568, _t85 + 1);
					}
					_v548 = 7;
					_v552 = 0;
					_v568 = 0;
					E00A41B90( &_v568, _t113);
				}
				_t64 = _v1140;
				if(_v1140 >= 8) {
					E00A41C00(_t90, _t108, _t109, _v1160, _t64 + 1);
				}
				_t65 = GetCurrentProcessId();
				_t110 = Process32NextW;
				_t91 = _t65;
				_t66 = 0;
				_v1132 = 0x22c;
				asm("o16 nop [eax+eax]");
				while(_t66 < 0x32) {
					_v544 = 0;
					_v1136 = _t66 + 1;
					_t115 = CreateToolhelp32Snapshot(2, 0);
					_push( &_v1132);
					if(Process32FirstW(_t115) == 1 && Process32NextW(_t115,  &_v1132) == 1) {
						do {
							_t106 =  &_v1096;
							_t79 =  >=  ? _v568 :  &_v568;
							asm("o16 nop [eax+eax]");
							while(1) {
								_t108 =  *_t106;
								if(_t108 !=  *_t79) {
									break;
								}
								if(_t108 == 0) {
									L20:
									_t80 = 0;
								} else {
									_t108 =  *((intOrPtr*)(_t106 + 2));
									if(_t108 !=  *((intOrPtr*)(_t79 + 2))) {
										break;
									} else {
										_t106 = _t106 + 4;
										_t79 = _t79 + 4;
										if(_t108 != 0) {
											continue;
										} else {
											goto L20;
										}
									}
								}
								L22:
								if(_t80 != 0 || _v1124 == _t91) {
									goto L24;
								} else {
									_v544 = 1;
									Sleep(0x64);
								}
								goto L27;
							}
							asm("sbb eax, eax");
							_t80 = _t79 | 0x00000001;
							goto L22;
							L24:
						} while (Process32NextW(_t115,  &_v1132) == 1);
					}
					L27:
					CloseHandle(_t115);
					_t66 = _v1136;
					if(_v544 != 0) {
						continue;
					}
					break;
				}
				Sleep(0xc8);
				_t67 = _v548;
				if(_v548 >= 8) {
					E00A41C00(_t91, _t108, _t110, _v568, _t67 + 1);
				}
				 *[fs:0x0] = _v16;
				_pop(_t111);
				_pop(_t114);
				_pop(_t92);
				return E00A425A8(_t92, _v20 ^ _t116, _t111, _t114);
			}

0x00a41513
0x00a41515
0x00a41520
0x00a41527
0x00a4152c
0x00a4152e
0x00a41531
0x00a41533
0x00a41534
0x00a41538
0x00a4154c
0x00a41554
0x00a4155e
0x00a41568
0x00a41576
0x00a4157c
0x00a41582
0x00a41585
0x00a41585
0x00a41588
0x00a4158b
0x00a41592
0x00a41578
0x00a41578
0x00a41578
0x00a41594
0x00a415a2
0x00a415aa
0x00a415b7
0x00a415e6
0x00a415eb
0x00a415f5
0x00a415f7
0x00a41600
0x00a4160a
0x00a4160a
0x00a41611
0x00a41622
0x00a4162c
0x00a41633
0x00a41633
0x00a41638
0x00a41641
0x00a4164b
0x00a4164b
0x00a41650
0x00a41656
0x00a4165c
0x00a4165e
0x00a41660
0x00a4166a
0x00a41670
0x00a4167c
0x00a41688
0x00a41694
0x00a4169c
0x00a416a7
0x00a416c0
0x00a416cd
0x00a416d3
0x00a416da
0x00a416e0
0x00a416e0
0x00a416e6
0x00000000
0x00000000
0x00a416eb
0x00a41702
0x00a41702
0x00a416ed
0x00a416ed
0x00a416f5
0x00000000
0x00a416f7
0x00a416f7
0x00a416fa
0x00a41700
0x00000000
0x00000000
0x00000000
0x00000000
0x00a41700
0x00a416f5
0x00a4170b
0x00a4170d
0x00000000
0x00a41728
0x00a4172a
0x00a41734
0x00a41734
0x00000000
0x00a4170d
0x00a41706
0x00a41708
0x00000000
0x00a41717
0x00a41721
0x00a41726
0x00a4173a
0x00a4173b
0x00a41748
0x00a4174e
0x00000000
0x00000000
0x00000000
0x00a4174e
0x00a41759
0x00a4175f
0x00a41768
0x00a41772
0x00a41772
0x00a4177a
0x00a41782
0x00a41783
0x00a41784
0x00a41792

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000100,78A0CD96), ref: 00A4154C
GetCurrentProcessId.KERNEL32(?,00000001,-00000001,?), ref: 00A41650
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A4168E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00A4169E
Process32NextW.KERNEL32(00000000,0000022C), ref: 00A416B5
Process32NextW.KERNEL32(00000000,0000022C), ref: 00A4171F
Sleep.KERNEL32(00000064), ref: 00A41734
CloseHandle.KERNEL32(00000000), ref: 00A4173B
Sleep.KERNEL32(000000C8), ref: 00A41759

Strings

\, xrefs: 00A415B7

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: Process32$NextSleep$CloseCreateCurrentFileFirstHandleModuleNameProcessSnapshotToolhelp32
String ID: \
API String ID: 8921262-2967466578
Opcode ID: a0c6fd2300b46fc2d14b5c210c6a181dfbc794297b3fa327ec49323d53aea969
Instruction ID: 53a1d3d9d604a1faba22d889144f496146569c25668c5d83a9e353d56e54adc9
Opcode Fuzzy Hash: a0c6fd2300b46fc2d14b5c210c6a181dfbc794297b3fa327ec49323d53aea969
Instruction Fuzzy Hash: 4D617D799011199EDB20EB60CD89BEAB7B8FF95344F0001E9E50AE2151EB35AFC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A455D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E00A455D7(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0xa56004; // 0x78a0cd96
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00A42F64(_t41);
					_pop(_t62);
				}
				E00A44940(_t67,  &_v804, 0, 0x50);
				E00A44940(_t67,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					E00A42F64(_t57);
				}
				return E00A425A8(_t61, _v8 ^ _t70, _t68, _t69);
			}

0x00a455d7
0x00a455d7
0x00a455d7
0x00a455e2
0x00a455e7
0x00a455e9
0x00a455f1
0x00a455f3
0x00a455f6
0x00a455fb
0x00a455fb
0x00a45607
0x00a4561a
0x00a45628
0x00a4562e
0x00a45634
0x00a4563a
0x00a45640
0x00a45646
0x00a4564c
0x00a45652
0x00a45658
0x00a4565e
0x00a45665
0x00a4566c
0x00a45673
0x00a4567a
0x00a45681
0x00a45688
0x00a45689
0x00a45692
0x00a45698
0x00a4569b
0x00a456a1
0x00a456ae
0x00a456b7
0x00a456c0
0x00a456c9
0x00a456d7
0x00a456d9
0x00a456ee
0x00a456fa
0x00a456fd
0x00a45702
0x00a45711

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00A4330B), ref: 00A456CF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00A4330B), ref: 00A456D9
UnhandledExceptionFilter.KERNEL32(00000016,?,?,?,?,?,00A4330B), ref: 00A456E6

Strings

`VqtPPqt, xrefs: 00A456CF
Pdqt, xrefs: 00A456D9

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID: Pdqt$`VqtPPqt
API String ID: 3906539128-2827380007
Opcode ID: f9cbe9b0eb066b623e2e4e9168d4309a5ca34bab1be2c70c6f3c55dfc980ade2
Instruction ID: 704551be97c5b49337523ad938d5abd118a017cd670df8cce708525f47ed59e8
Opcode Fuzzy Hash: f9cbe9b0eb066b623e2e4e9168d4309a5ca34bab1be2c70c6f3c55dfc980ade2
Instruction Fuzzy Hash: 2631D478901228ABCB21DF64DD8978DBBF8BF88710F5041EAE80CA7251E7309F858F45

Uniqueness

Uniqueness Score: -1.00%

Function 00A46268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A46268(int _a4) {
				void* _t14;
				void* _t15;
				void* _t17;
				void* _t18;

				if(E00A48597(_t14, _t15, _t17, _t18) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00A462ED(_t15, _a4);
				ExitProcess(_a4);
			}

0x00a46274
0x00a46290
0x00a46290
0x00a46299
0x00a462a2

APIs

GetCurrentProcess.KERNEL32(00000003,?,00A4623E,00000003,00A54638,0000000C,00A46395,00000003,00000002,00000000,?,00A46BDA,00000003), ref: 00A46289
TerminateProcess.KERNEL32(00000000,?,00A4623E,00000003,00A54638,0000000C,00A46395,00000003,00000002,00000000,?,00A46BDA,00000003), ref: 00A46290
ExitProcess.KERNEL32 ref: 00A462A2

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 8acbcd6755e9d7b9df1a16433c5ef27a7f81026b67d59bf65a8ae49be7dcd948
Instruction ID: 7ec6fb352cae09b0094f22aaa3c4d3b4e26380f1d667a2815d34dca3bd369e3e
Opcode Fuzzy Hash: 8acbcd6755e9d7b9df1a16433c5ef27a7f81026b67d59bf65a8ae49be7dcd948
Instruction Fuzzy Hash: A6E0BF39500144AFDF11AF94DE09A9D3B69EBC6351F105424F90586122DB76ED42CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00A475CA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00A475CA(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v28;
				signed int _v32;
				WCHAR* _v36;
				signed int _v48;
				intOrPtr _v556;
				intOrPtr _v558;
				struct _WIN32_FIND_DATAW _v604;
				intOrPtr* _v608;
				signed int _v612;
				signed int _v616;
				intOrPtr _v644;
				intOrPtr _v648;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				signed int _t45;
				signed int _t48;
				signed int _t50;
				signed int _t51;
				signed char _t53;
				signed int _t62;
				void* _t64;
				union _FINDEX_INFO_LEVELS _t66;
				signed int _t71;
				intOrPtr* _t72;
				signed int _t75;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t89;
				WCHAR* _t90;
				void* _t91;
				intOrPtr* _t94;
				intOrPtr _t97;
				void* _t99;
				signed int _t100;
				intOrPtr* _t104;
				signed int _t107;
				void* _t110;
				intOrPtr _t111;
				void* _t112;
				void* _t114;
				void* _t115;
				signed int _t117;
				void* _t118;
				union _FINDEX_INFO_LEVELS _t119;
				void* _t120;
				void* _t123;
				void* _t124;
				void* _t125;
				signed int _t126;
				void* _t127;
				void* _t128;
				signed int _t132;
				void* _t133;
				signed int _t134;
				void* _t135;
				void* _t136;

				_push(__ecx);
				_t94 = _a4;
				_t2 = _t94 + 2; // 0x2
				_t110 = _t2;
				do {
					_t40 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t40 != 0);
				_t117 = _a12;
				_t97 = (_t94 - _t110 >> 1) + 1;
				_v8 = _t97;
				if(_t97 <= (_t40 | 0xffffffff) - _t117) {
					_t5 = _t117 + 1; // 0x1
					_t89 = _t5 + _t97;
					_t124 = E00A46BDB(_t97, _t89, 2);
					_t99 = _t123;
					__eflags = _t117;
					if(_t117 == 0) {
						L6:
						_push(_v8);
						_t89 = _t89 - _t117;
						_t45 = E00A4734E(_t99, _t124 + _t117 * 2, _t89, _a4);
						_t134 = _t133 + 0x10;
						__eflags = _t45;
						if(__eflags != 0) {
							goto L9;
						} else {
							_t82 = E00A47843(_a16, __eflags, _t124);
							E00A46B10(0);
							_t84 = _t82;
							goto L8;
						}
					} else {
						_push(_t117);
						_t85 = E00A4734E(_t99, _t124, _t89, _a8);
						_t134 = _t133 + 0x10;
						__eflags = _t85;
						if(_t85 != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E00A457CE();
							asm("int3");
							_t132 = _t134;
							_t135 = _t134 - 0x260;
							_t48 =  *0xa56004; // 0x78a0cd96
							_v48 = _t48 ^ _t132;
							_t111 = _v28;
							_t100 = _v32;
							_push(_t89);
							_t90 = _v36;
							_push(_t124);
							_push(_t117);
							_t125 = 0x5c;
							_v644 = _t111;
							_v648 = 0x2f;
							_t118 = 0x3a;
							while(1) {
								__eflags = _t100 - _t90;
								if(_t100 == _t90) {
									break;
								}
								_t50 =  *_t100 & 0x0000ffff;
								__eflags = _t50 - _v612;
								if(_t50 != _v612) {
									__eflags = _t50 - _t125;
									if(_t50 != _t125) {
										__eflags = _t50 - _t118;
										if(_t50 != _t118) {
											_t100 = _t100 - 2;
											__eflags = _t100;
											continue;
										}
									}
								}
								break;
							}
							_t126 =  *_t100 & 0x0000ffff;
							__eflags = _t126 - _t118;
							if(_t126 != _t118) {
								L19:
								_t51 = _t126;
								_t119 = 0;
								_t112 = 0x2f;
								__eflags = _t51 - _t112;
								if(_t51 == _t112) {
									L23:
									_t53 = 1;
									__eflags = 1;
								} else {
									_t114 = 0x5c;
									__eflags = _t51 - _t114;
									if(_t51 == _t114) {
										goto L23;
									} else {
										_t115 = 0x3a;
										__eflags = _t51 - _t115;
										if(_t51 == _t115) {
											goto L23;
										} else {
											_t53 = 0;
										}
									}
								}
								_t103 = (_t100 - _t90 >> 1) + 1;
								asm("sbb eax, eax");
								_v612 =  ~(_t53 & 0x000000ff) & (_t100 - _t90 >> 0x00000001) + 0x00000001;
								E00A44940(_t119,  &_v604, _t119, 0x250);
								_t136 = _t135 + 0xc;
								_t127 = FindFirstFileExW(_t90, _t119,  &_v604, _t119, _t119, _t119);
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									_t104 = _v608;
									_t62 =  *((intOrPtr*)(_t104 + 4)) -  *_t104;
									__eflags = _t62;
									_v616 = _t62 >> 2;
									_t64 = 0x2e;
									do {
										__eflags = _v604.cFileName - _t64;
										if(_v604.cFileName != _t64) {
											L36:
											_push(_t104);
											_t66 = E00A475CA(_t104,  &(_v604.cFileName), _t90, _v612);
											_t136 = _t136 + 0x10;
											__eflags = _t66;
											if(_t66 != 0) {
												goto L26;
											} else {
												goto L37;
											}
										} else {
											__eflags = _v558 - _t119;
											if(_v558 == _t119) {
												goto L37;
											} else {
												__eflags = _v558 - _t64;
												if(_v558 != _t64) {
													goto L36;
												} else {
													__eflags = _v556 - _t119;
													if(_v556 == _t119) {
														goto L37;
													} else {
														goto L36;
													}
												}
											}
										}
										goto L40;
										L37:
										_t71 = FindNextFileW(_t127,  &_v604);
										_t104 = _v608;
										__eflags = _t71;
										_t64 = 0x2e;
									} while (_t71 != 0);
									_t72 = _t104;
									_t107 = _v616;
									_t113 =  *_t72;
									_t75 =  *((intOrPtr*)(_t72 + 4)) -  *_t72 >> 2;
									__eflags = _t107 - _t75;
									if(_t107 != _t75) {
										E00A49F50(_t90, _t113 + _t107 * 4, _t75 - _t107, 4, E00A473E5);
									}
								} else {
									_push(_v608);
									_t66 = E00A475CA(_t103, _t90, _t119, _t119);
									L26:
									_t119 = _t66;
								}
								__eflags = _t127 - 0xffffffff;
								if(_t127 != 0xffffffff) {
									FindClose(_t127);
								}
							} else {
								__eflags = _t100 -  &(_t90[1]);
								if(_t100 ==  &(_t90[1])) {
									goto L19;
								} else {
									_push(_t111);
									E00A475CA(_t100, _t90, 0, 0);
								}
							}
							_pop(_t120);
							_pop(_t128);
							__eflags = _v12 ^ _t132;
							_pop(_t91);
							return E00A425A8(_t91, _v12 ^ _t132, _t120, _t128);
						} else {
							goto L6;
						}
					}
				} else {
					_t84 = 0xc;
					L8:
					return _t84;
				}
				L40:
			}

0x00a475cf
0x00a475d0
0x00a475d7
0x00a475d7
0x00a475da
0x00a475da
0x00a475dd
0x00a475e0
0x00a475e5
0x00a475ef
0x00a475f2
0x00a475f7
0x00a475ff
0x00a47602
0x00a4760c
0x00a4760f
0x00a47610
0x00a47612
0x00a47626
0x00a47626
0x00a47629
0x00a47633
0x00a47638
0x00a4763b
0x00a4763d
0x00000000
0x00a4763f
0x00a47643
0x00a4764c
0x00a47652
0x00000000
0x00a47654
0x00a47614
0x00a47614
0x00a4761a
0x00a4761f
0x00a47622
0x00a47624
0x00a4765b
0x00a4765d
0x00a4765e
0x00a4765f
0x00a47660
0x00a47661
0x00a47662
0x00a47667
0x00a4766b
0x00a4766d
0x00a47673
0x00a4767a
0x00a4767d
0x00a47680
0x00a47683
0x00a47684
0x00a47687
0x00a47688
0x00a4768b
0x00a4768e
0x00a47694
0x00a4769e
0x00a476ba
0x00a476ba
0x00a476bc
0x00000000
0x00000000
0x00a476a1
0x00a476a4
0x00a476ab
0x00a476ad
0x00a476b0
0x00a476b2
0x00a476b5
0x00a476b7
0x00a476b7
0x00000000
0x00a476b7
0x00a476b5
0x00a476b0
0x00000000
0x00a476ab
0x00a476be
0x00a476c1
0x00a476c4
0x00a476e0
0x00a476e2
0x00a476e4
0x00a476e6
0x00a476e7
0x00a476ea
0x00a47700
0x00a47702
0x00a47702
0x00a476ec
0x00a476ee
0x00a476ef
0x00a476f2
0x00000000
0x00a476f4
0x00a476f6
0x00a476f7
0x00a476fa
0x00000000
0x00a476fc
0x00a476fc
0x00a476fc
0x00a476fa
0x00a476f2
0x00a4770a
0x00a47712
0x00a47716
0x00a47724
0x00a47729
0x00a4773e
0x00a47740
0x00a47743
0x00a47778
0x00a47783
0x00a47783
0x00a47788
0x00a4778e
0x00a4778f
0x00a4778f
0x00a47796
0x00a477b3
0x00a477b3
0x00a477c2
0x00a477c7
0x00a477ca
0x00a477cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00a47798
0x00a47798
0x00a4779f
0x00000000
0x00a477a1
0x00a477a1
0x00a477a8
0x00000000
0x00a477aa
0x00a477aa
0x00a477b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00a477b1
0x00a477a8
0x00a4779f
0x00000000
0x00a477ce
0x00a477d6
0x00a477dc
0x00a477e2
0x00a477e6
0x00a477e6
0x00a477e9
0x00a477eb
0x00a477f1
0x00a477f8
0x00a477fb
0x00a477fd
0x00a47811
0x00a47816
0x00a47745
0x00a4774b
0x00a4774f
0x00a47757
0x00a47757
0x00a47757
0x00a47759
0x00a4775c
0x00a4775f
0x00a4775f
0x00a476c6
0x00a476c9
0x00a476cb
0x00000000
0x00a476cd
0x00a476cd
0x00a476d3
0x00a476d8
0x00a476cb
0x00a4776a
0x00a4776b
0x00a4776c
0x00a4776e
0x00a47777
0x00000000
0x00000000
0x00000000
0x00a47624
0x00a475f9
0x00a475fb
0x00a47655
0x00a4765a
0x00a4765a
0x00000000

Strings

/, xrefs: 00A47694

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 475d211d5a52ab736dcb4bde487f86906e861f120644e2978a1c6a8dd233444c
Instruction ID: 4f1c911e0e1844f291c67aaba6329159119b50b6a52e07b87e5680f2bd01fbb1
Opcode Fuzzy Hash: 475d211d5a52ab736dcb4bde487f86906e861f120644e2978a1c6a8dd233444c
Instruction Fuzzy Hash: 9641297A900659AFCB249FB8DC89EAFB7B9EBC5310F604268F905DB181E7309D41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A4CD15 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E00A4CD15(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed int _t195;
				signed int _t199;
				signed int _t202;
				void* _t203;
				void* _t206;
				signed int _t209;
				void* _t210;
				signed int _t225;
				unsigned int* _t240;
				signed char _t242;
				signed int* _t250;
				unsigned int* _t256;
				signed int* _t257;
				signed char _t259;
				long _t262;
				signed int* _t265;

				 *(_a4 + 4) = 0;
				_t262 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t242 = _a12;
				if((_t242 & 0x00000010) != 0) {
					_t262 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t242 & 0x00000002) != 0) {
					_t262 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t242 & 0x00000001) != 0) {
					_t262 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t242 & 0x00000004) != 0) {
					_t262 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t242 & 0x00000008) != 0) {
					_t262 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t265 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
				_t259 = E00A4AA1F(_a4);
				if((_t259 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t259 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t259 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t259 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t259 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t265 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffd | 1;
						L26:
						 *_t257 = _t225;
						L29:
						_t175 =  *_t265 & 0x00000300;
						if(_t175 == 0) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
							L35:
							 *_t250 = _t178;
							L36:
							_t179 = _a4;
							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t254 = _a4;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t240;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t240 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t240;
							}
							E00A4A985(_t254);
							RaiseException(_t262, 0, 1,  &_a4);
							_t256 = _a4;
							if((_t256[2] & 0x00000010) != 0) {
								 *_t265 =  *_t265 & 0xfffffffe;
							}
							if((_t256[2] & 0x00000008) != 0) {
								 *_t265 =  *_t265 & 0xfffffffb;
							}
							if((_t256[2] & 0x00000004) != 0) {
								 *_t265 =  *_t265 & 0xfffffff7;
							}
							if((_t256[2] & 0x00000002) != 0) {
								 *_t265 =  *_t265 & 0xffffffef;
							}
							if((_t256[2] & 0x00000001) != 0) {
								 *_t265 =  *_t265 & 0xffffffdf;
							}
							_t195 =  *_t256 & 0x00000003;
							if(_t195 == 0) {
								 *_t265 =  *_t265 & 0xfffff3ff;
							} else {
								_t206 = _t195 - 1;
								if(_t206 == 0) {
									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t265 = _t209;
									L58:
									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
									if(_t199 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t265 = _t202;
										L65:
										if(_a28 == 0) {
											 *_t240 = _t256[0x14];
										} else {
											 *_t240 = _t256[0x14];
										}
										return _t202;
									}
									_t203 = _t199 - 1;
									if(_t203 == 0) {
										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t202 = _t203 - 1;
									if(_t202 == 0) {
										 *_t265 =  *_t265 & 0xfffff3ff;
									}
									goto L65;
								}
								_t210 = _t206 - 1;
								if(_t210 == 0) {
									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t210 == 1) {
									 *_t265 =  *_t265 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t250 = _a4;
							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t257 = _a4;
						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x00a4cd23
0x00a4cd2a
0x00a4cd2f
0x00a4cd35
0x00a4cd38
0x00a4cd3e
0x00a4cd43
0x00a4cd48
0x00a4cd48
0x00a4cd4e
0x00a4cd53
0x00a4cd58
0x00a4cd58
0x00a4cd5f
0x00a4cd64
0x00a4cd69
0x00a4cd69
0x00a4cd70
0x00a4cd75
0x00a4cd7a
0x00a4cd7a
0x00a4cd81
0x00a4cd86
0x00a4cd8b
0x00a4cd8b
0x00a4cd93
0x00a4cda3
0x00a4cdb5
0x00a4cdc7
0x00a4cdda
0x00a4cdec
0x00a4cdf4
0x00a4cdf9
0x00a4cdfe
0x00a4cdfe
0x00a4ce05
0x00a4ce0a
0x00a4ce0a
0x00a4ce11
0x00a4ce16
0x00a4ce16
0x00a4ce1d
0x00a4ce22
0x00a4ce22
0x00a4ce29
0x00a4ce2e
0x00a4ce2e
0x00a4ce38
0x00a4ce3a
0x00a4ce74
0x00a4ce3c
0x00a4ce41
0x00a4ce65
0x00a4ce6d
0x00a4ce61
0x00a4ce61
0x00a4ce77
0x00a4ce7e
0x00a4ce80
0x00a4cea2
0x00a4ceaa
0x00a4cead
0x00a4cead
0x00a4ceaf
0x00a4ceaf
0x00a4ceba
0x00a4cec0
0x00a4cec5
0x00a4cecc
0x00a4cf06
0x00a4cf11
0x00a4cf17
0x00a4cf1a
0x00a4cf1d
0x00a4cf29
0x00a4cf31
0x00a4cece
0x00a4ced1
0x00a4cedd
0x00a4cee3
0x00a4cee9
0x00a4ceec
0x00a4cef5
0x00a4cef5
0x00a4cf34
0x00a4cf42
0x00a4cf48
0x00a4cf4f
0x00a4cf51
0x00a4cf51
0x00a4cf58
0x00a4cf5a
0x00a4cf5a
0x00a4cf61
0x00a4cf63
0x00a4cf63
0x00a4cf6a
0x00a4cf6c
0x00a4cf6c
0x00a4cf73
0x00a4cf75
0x00a4cf75
0x00a4cf82
0x00a4cf85
0x00a4cfbc
0x00a4cf87
0x00a4cf87
0x00a4cf8a
0x00a4cfb5
0x00a4cfaa
0x00a4cfaa
0x00a4cfbe
0x00a4cfc6
0x00a4cfc9
0x00a4cfe8
0x00a4cfed
0x00a4cfed
0x00a4cfef
0x00a4cff4
0x00a4d000
0x00a4cff6
0x00a4cff9
0x00a4cff9
0x00a4d005
0x00a4d005
0x00a4cfcb
0x00a4cfce
0x00a4cfdd
0x00000000
0x00a4cfdd
0x00a4cfd0
0x00a4cfd3
0x00a4cfd5
0x00a4cfd5
0x00000000
0x00a4cfd3
0x00a4cf8c
0x00a4cf8f
0x00a4cfa5
0x00000000
0x00a4cfa5
0x00a4cf94
0x00a4cf96
0x00a4cf96
0x00a4cf94
0x00000000
0x00a4cf85
0x00a4ce87
0x00a4ce95
0x00a4ce9d
0x00000000
0x00a4ce9d
0x00a4ce8b
0x00a4ce90
0x00a4ce90
0x00000000
0x00a4ce8b
0x00a4ce48
0x00a4ce56
0x00a4ce5e
0x00000000
0x00a4ce5e
0x00a4ce4c
0x00a4ce51
0x00a4ce51
0x00a4ce4c

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00A4CD10,?,?,00000008,?,?,00A4C9B0,00000000), ref: 00A4CF42

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3508bdf4a0fe91cde7be289ed75f2068531a249746a5349991f545e3501c85c3
Instruction ID: 0d7f084da672c844fbf72c63799f3782d25afeb5e442f71c840509cfe48b06ac
Opcode Fuzzy Hash: 3508bdf4a0fe91cde7be289ed75f2068531a249746a5349991f545e3501c85c3
Instruction Fuzzy Hash: 95B16D39211608DFD759CF28C48AB647BE1FF85364F258658E89ECF2A1C339E995CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00A49302 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A49302() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0xa57358 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00a49302
0x00a4930a
0x00a49312

APIs

GetProcessHeap.KERNEL32 ref: 00A49302

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fedf8cbe62094217d2b7ab5eca40d0d200c89194e03fa7d76899fca0a09594eb
Instruction ID: e984faf78b06bcb778019a69817eba2584249da7824ecc1ae09566ef5973db66
Opcode Fuzzy Hash: fedf8cbe62094217d2b7ab5eca40d0d200c89194e03fa7d76899fca0a09594eb
Instruction Fuzzy Hash: CBA01234104340CF4300CF74A94820C379466515B130800249400C4020D72040816600

Uniqueness

Uniqueness Score: -1.00%

Function 00A48F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A48F76(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0xa56648) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00A46B10(_t46);
							E00A48AF0( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00A46B10(_t47);
							E00A48BEE( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00A46B10( *((intOrPtr*)(_t74 + 0x7c)));
						E00A46B10( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00A46B10( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00A46B10( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00A46B10( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00A46B10( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00A490E9( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0xa56638) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00A46B10(_t31);
							E00A46B10( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00A46B10(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00A46B10(_t74);
			}

0x00a48f7e
0x00a48f82
0x00a48f8a
0x00a48f93
0x00a48f98
0x00a48f9f
0x00a48fa7
0x00a48faf
0x00a48fba
0x00a48fc0
0x00a48fc1
0x00a48fc9
0x00a48fd1
0x00a48fdc
0x00a48fe2
0x00a48fe6
0x00a48ff1
0x00a48ff7
0x00a48f98
0x00a48ff8
0x00a49000
0x00a49013
0x00a49026
0x00a49034
0x00a4903f
0x00a49044
0x00a4904d
0x00a49055
0x00a49056
0x00a4905c
0x00a4905f
0x00a49062
0x00a49069
0x00a4906b
0x00a4906f
0x00a49077
0x00a4907e
0x00a49084
0x00a49085
0x00a49085
0x00a4908c
0x00a4908e
0x00a49093
0x00a4909b
0x00a490a0
0x00a490a1
0x00a490a1
0x00a490a4
0x00a490a7
0x00a490aa
0x00a490ad
0x00a490ad
0x00a490bf

APIs

___free_lconv_mon.LIBCMT ref: 00A48FBA

Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B0D
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B1F
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B31
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B43
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B55
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B67
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B79
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B8B
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48B9D
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48BAF
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48BC1
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48BD3
Part of subcall function 00A48AF0: _free.LIBCMT ref: 00A48BE5

_free.LIBCMT ref: 00A48FAF

Part of subcall function 00A46B10: HeapFree.KERNEL32(00000000,00000000,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?), ref: 00A46B26
Part of subcall function 00A46B10: GetLastError.KERNEL32(?,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?,?), ref: 00A46B38

_free.LIBCMT ref: 00A48FD1
_free.LIBCMT ref: 00A48FE6
_free.LIBCMT ref: 00A48FF1
_free.LIBCMT ref: 00A49013
_free.LIBCMT ref: 00A49026
_free.LIBCMT ref: 00A49034
_free.LIBCMT ref: 00A4903F
_free.LIBCMT ref: 00A49077
_free.LIBCMT ref: 00A4907E
_free.LIBCMT ref: 00A4909B
_free.LIBCMT ref: 00A490B3

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 014f974617eff915fb7f77505eb314c2bdce383ffd9610114e6e62f4a2757b40
Instruction ID: 876378f0f75c86f6ab6b7cd645d2c530d3735d3d9bea8654c6de2c64dec5b016
Opcode Fuzzy Hash: 014f974617eff915fb7f77505eb314c2bdce383ffd9610114e6e62f4a2757b40
Instruction Fuzzy Hash: BE314939600600AFEB20AB38E945F9B73E9EFC1390F10482AE458D7191DF76ECA58B15

Uniqueness

Uniqueness Score: -1.00%

Function 00A46F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A46F39(char _a4) {
				char _v8;

				_t26 = _a4;
				_t52 =  *_a4;
				if( *_a4 != 0xa4fad8) {
					E00A46B10(_t52);
					_t26 = _a4;
				}
				E00A46B10( *((intOrPtr*)(_t26 + 0x3c)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x30)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x34)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x38)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x28)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x2c)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x40)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x44)));
				E00A46B10( *((intOrPtr*)(_a4 + 0x360)));
				_v8 =  &_a4;
				E00A46DFF(5,  &_v8);
				_v8 =  &_a4;
				return E00A46E4F(4,  &_v8);
			}

0x00a46f3f
0x00a46f42
0x00a46f4a
0x00a46f4d
0x00a46f52
0x00a46f55
0x00a46f59
0x00a46f64
0x00a46f6f
0x00a46f7a
0x00a46f85
0x00a46f90
0x00a46f9b
0x00a46fa6
0x00a46fb4
0x00a46fbc
0x00a46fc5
0x00a46fcd
0x00a46fe1

APIs

_free.LIBCMT ref: 00A46F4D

Part of subcall function 00A46B10: HeapFree.KERNEL32(00000000,00000000,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?), ref: 00A46B26
Part of subcall function 00A46B10: GetLastError.KERNEL32(?,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?,?), ref: 00A46B38

_free.LIBCMT ref: 00A46F59
_free.LIBCMT ref: 00A46F64
_free.LIBCMT ref: 00A46F6F
_free.LIBCMT ref: 00A46F7A
_free.LIBCMT ref: 00A46F85
_free.LIBCMT ref: 00A46F90
_free.LIBCMT ref: 00A46F9B
_free.LIBCMT ref: 00A46FA6
_free.LIBCMT ref: 00A46FB4

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aa6dea1c8a87a4b9b37b47428a16a1f7e56853fee820dbf4d24850e53928e5e6
Instruction ID: 3a9944426a50460a09774f01f360aa47c5048749fb94053d56aaf9d926f25247
Opcode Fuzzy Hash: aa6dea1c8a87a4b9b37b47428a16a1f7e56853fee820dbf4d24850e53928e5e6
Instruction Fuzzy Hash: 2711DA7A640518BFCB01EF54CA52DDE3BB5EF853D0B1144A5FA088F232DA31EE519B82

Uniqueness

Uniqueness Score: -1.00%

Function 00A4A33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00A4A33F(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t49;
				signed int _t54;
				int _t58;
				signed int _t60;
				short* _t62;
				signed int _t66;
				short* _t70;
				int _t71;
				int _t78;
				void* _t80;
				short* _t81;
				signed int _t87;
				signed int _t90;
				void* _t95;
				void* _t96;
				int _t98;
				void* _t99;
				short* _t101;
				int _t103;
				void* _t104;
				signed int _t106;
				short* _t107;
				void* _t110;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0xa56004; // 0x78a0cd96
				_v8 = _t49 ^ _t106;
				_t103 = _a20;
				if(_t103 > 0) {
					_t78 = E00A4AB48(_a16, _t103);
					_t110 = _t78 - _t103;
					_t4 = _t78 + 1; // 0x1
					_t103 = _t4;
					if(_t110 >= 0) {
						_t103 = _t78;
					}
				}
				_t98 = _a32;
				if(_t98 == 0) {
					_t98 =  *( *_a4 + 8);
					_a32 = _t98;
				}
				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					_pop(_t99);
					_pop(_t104);
					_pop(_t80);
					return E00A425A8(_t80, _v8 ^ _t106, _t99, _t104);
				} else {
					_t95 = _t54 + _t54;
					_t85 = _t95 + 8;
					asm("sbb eax, eax");
					if((_t95 + 0x00000008 & _t54) == 0) {
						_t81 = 0;
						__eflags = 0;
						L14:
						if(_t81 == 0) {
							L36:
							_t105 = 0;
							L37:
							E00A48ED9(_t81);
							goto L38;
						}
						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
						_t121 = _t58;
						if(_t58 == 0) {
							goto L36;
						}
						_t100 = _v12;
						_t60 = E00A4848D(_t81, _t85, _v12, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
						_t105 = _t60;
						if(_t105 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t96 = _t105 + _t105;
							_t87 = _t96 + 8;
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							__eflags = _t87 & _t60;
							if((_t87 & _t60) == 0) {
								_t101 = 0;
								__eflags = 0;
								L30:
								__eflags = _t101;
								if(__eflags == 0) {
									L35:
									E00A48ED9(_t101);
									goto L36;
								}
								_t62 = E00A4848D(_t81, _t87, _t101, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
								__eflags = _t62;
								if(_t62 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
								__eflags = _t105;
								if(_t105 != 0) {
									E00A48ED9(_t101);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t90 = _t96 + 8;
							__eflags = _t96 - _t90;
							asm("sbb eax, eax");
							_t66 = _t60 & _t90;
							_t87 = _t96 + 8;
							__eflags = _t66 - 0x400;
							if(_t66 > 0x400) {
								__eflags = _t96 - _t87;
								asm("sbb eax, eax");
								_t101 = E00A46B4A(_t87, _t66 & _t87);
								_pop(_t87);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L35;
								}
								 *_t101 = 0xdddd;
								L28:
								_t101 =  &(_t101[4]);
								goto L30;
							}
							__eflags = _t96 - _t87;
							asm("sbb eax, eax");
							E00A4D5B0();
							_t101 = _t107;
							__eflags = _t101;
							if(_t101 == 0) {
								goto L35;
							}
							 *_t101 = 0xcccc;
							goto L28;
						}
						_t70 = _a28;
						if(_t70 == 0) {
							goto L37;
						}
						_t125 = _t105 - _t70;
						if(_t105 > _t70) {
							goto L36;
						}
						_t71 = E00A4848D(_t81, 0, _t100, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
						_t105 = _t71;
						if(_t71 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t72 = _t54 & _t95 + 0x00000008;
					_t85 = _t95 + 8;
					if((_t54 & _t95 + 0x00000008) > 0x400) {
						__eflags = _t95 - _t85;
						asm("sbb eax, eax");
						_t81 = E00A46B4A(_t85, _t72 & _t85);
						_pop(_t85);
						__eflags = _t81;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t81 = 0xdddd;
						L12:
						_t81 =  &(_t81[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E00A4D5B0();
					_t81 = _t107;
					if(_t81 == 0) {
						goto L36;
					}
					 *_t81 = 0xcccc;
					goto L12;
				}
			}

0x00a4a344
0x00a4a345
0x00a4a346
0x00a4a34d
0x00a4a352
0x00a4a358
0x00a4a35e
0x00a4a364
0x00a4a367
0x00a4a367
0x00a4a36a
0x00a4a36c
0x00a4a36c
0x00a4a36a
0x00a4a36e
0x00a4a373
0x00a4a37a
0x00a4a37d
0x00a4a37d
0x00a4a399
0x00a4a39f
0x00a4a3a4
0x00a4a537
0x00a4a53a
0x00a4a53b
0x00a4a53c
0x00a4a54a
0x00a4a3aa
0x00a4a3aa
0x00a4a3ad
0x00a4a3b2
0x00a4a3b6
0x00a4a40a
0x00a4a40a
0x00a4a40c
0x00a4a40e
0x00a4a52c
0x00a4a52c
0x00a4a52e
0x00a4a52f
0x00000000
0x00a4a535
0x00a4a41f
0x00a4a425
0x00a4a427
0x00000000
0x00000000
0x00a4a42d
0x00a4a43f
0x00a4a444
0x00a4a448
0x00000000
0x00000000
0x00a4a455
0x00a4a48f
0x00a4a492
0x00a4a495
0x00a4a497
0x00a4a499
0x00a4a49b
0x00a4a4e7
0x00a4a4e7
0x00a4a4e9
0x00a4a4e9
0x00a4a4eb
0x00a4a525
0x00a4a526
0x00000000
0x00a4a52b
0x00a4a4ff
0x00a4a504
0x00a4a506
0x00000000
0x00000000
0x00a4a50a
0x00a4a50b
0x00a4a50c
0x00a4a50f
0x00a4a54b
0x00a4a54e
0x00a4a511
0x00a4a511
0x00a4a512
0x00a4a512
0x00a4a51f
0x00a4a521
0x00a4a523
0x00a4a554
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4a523
0x00a4a49d
0x00a4a4a0
0x00a4a4a2
0x00a4a4a4
0x00a4a4a6
0x00a4a4a9
0x00a4a4ae
0x00a4a4c9
0x00a4a4cb
0x00a4a4d5
0x00a4a4d7
0x00a4a4d8
0x00a4a4da
0x00000000
0x00000000
0x00a4a4dc
0x00a4a4e2
0x00a4a4e2
0x00000000
0x00a4a4e2
0x00a4a4b0
0x00a4a4b2
0x00a4a4b6
0x00a4a4bb
0x00a4a4bd
0x00a4a4bf
0x00000000
0x00000000
0x00a4a4c1
0x00000000
0x00a4a4c1
0x00a4a457
0x00a4a45c
0x00000000
0x00000000
0x00a4a462
0x00a4a464
0x00000000
0x00000000
0x00a4a47b
0x00a4a480
0x00a4a484
0x00000000
0x00000000
0x00000000
0x00a4a48a
0x00a4a3bd
0x00a4a3bf
0x00a4a3c1
0x00a4a3c9
0x00a4a3e8
0x00a4a3ea
0x00a4a3f4
0x00a4a3f6
0x00a4a3f7
0x00a4a3f9
0x00000000
0x00000000
0x00a4a3ff
0x00a4a405
0x00a4a405
0x00000000
0x00a4a405
0x00a4a3cd
0x00a4a3d1
0x00a4a3d6
0x00a4a3da
0x00000000
0x00000000
0x00a4a3e0
0x00000000
0x00a4a3e0

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00A4A590,?,?,00000000), ref: 00A4A399
__alloca_probe_16.LIBCMT ref: 00A4A3D1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00A4A590,?,?,00000000,?,?,?), ref: 00A4A41F
__alloca_probe_16.LIBCMT ref: 00A4A4B6
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00A4A519
__freea.LIBCMT ref: 00A4A526

Part of subcall function 00A46B4A: RtlAllocateHeap.NTDLL(00000000,00A4330B,?), ref: 00A46B7C

__freea.LIBCMT ref: 00A4A52F
__freea.LIBCMT ref: 00A4A554

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 73b730dbd6b2a1361daf884ec172076d589f829e98f754a28f7870f028212e0d
Instruction ID: 0a86dc3db92cf2299e8620f6b2fbbe33f16327e7b691363f01b4404c5220bc29
Opcode Fuzzy Hash: 73b730dbd6b2a1361daf884ec172076d589f829e98f754a28f7870f028212e0d
Instruction Fuzzy Hash: 0F51F07B640206AFDB258F64DD45EBF77AAEBE4710F254228FD05D6180EB74DC40CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A4AC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00A4AC93(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t94;
				long _t97;
				void _t105;
				void* _t112;
				signed int _t115;
				signed int _t117;
				signed char _t122;
				signed char _t127;
				intOrPtr _t128;
				signed int _t130;
				signed char* _t131;
				intOrPtr* _t132;
				signed int _t133;
				void* _t134;

				_t78 =  *0xa56004; // 0x78a0cd96
				_v8 = _t78 ^ _t133;
				_t80 = _a8;
				_t117 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t131 = _a12;
				_v52 = _t131;
				_v48 = _t117;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0xa57148 + _t117 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t131;
				_t86 = GetConsoleCP();
				_t132 = _a4;
				_v60 = _t86;
				 *_t132 = 0;
				 *((intOrPtr*)(_t132 + 4)) = 0;
				 *((intOrPtr*)(_t132 + 8)) = 0;
				while(_t131 < _v40) {
					_v28 = 0;
					_v31 =  *_t131;
					_t128 =  *((intOrPtr*)(0xa57148 + _v48 * 4));
					_t122 =  *(_t128 + _t115 + 0x2d);
					if((_t122 & 0x00000004) == 0) {
						if(( *(E00A48ACA(_t115, _t128) + ( *_t131 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t131);
							goto L8;
						} else {
							if(_t131 >= _v40) {
								_t130 = _v48;
								 *((char*)( *((intOrPtr*)(0xa57148 + _t130 * 4)) + _t115 + 0x2e)) =  *_t131;
								 *( *((intOrPtr*)(0xa57148 + _t130 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0xa57148 + _t130 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
							} else {
								_t112 = E00A49C7C( &_v28, _t131, 2);
								_t134 = _t134 + 0xc;
								if(_t112 != 0xffffffff) {
									_t131 =  &(_t131[1]);
									goto L9;
								}
							}
						}
					} else {
						_t127 = _t122 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t128 + _t115 + 0x2e));
						_push(2);
						_v15 = _t127;
						 *(_t128 + _t115 + 0x2d) = _t127;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t94 = E00A49C7C();
						_t134 = _t134 + 0xc;
						if(_t94 != 0xffffffff) {
							L9:
							_t131 =  &(_t131[1]);
							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t97;
							if(_t97 != 0) {
								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
									L19:
									 *_t132 = GetLastError();
								} else {
									 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 8)) - _v52 + _t131;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t105 = 0xd;
											_v32 = _t105;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t132 + 8)) =  *((intOrPtr*)(_t132 + 8)) + 1;
													 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t132 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				return E00A425A8(_t115, _v8 ^ _t133, _t131, _t132);
			}

0x00a4ac9b
0x00a4aca2
0x00a4aca5
0x00a4acad
0x00a4acb1
0x00a4acbd
0x00a4acc0
0x00a4acc3
0x00a4acca
0x00a4acd2
0x00a4acd5
0x00a4acdb
0x00a4ace1
0x00a4ace6
0x00a4ace8
0x00a4aceb
0x00a4acf0
0x00a4acfa
0x00a4ad01
0x00a4ad04
0x00a4ad0b
0x00a4ad12
0x00a4ad3e
0x00a4ad64
0x00a4ad66
0x00000000
0x00a4ad40
0x00a4ad43
0x00a4ae0a
0x00a4ae16
0x00a4ae21
0x00a4ae26
0x00a4ad49
0x00a4ad50
0x00a4ad55
0x00a4ad5b
0x00a4ad61
0x00000000
0x00a4ad61
0x00a4ad5b
0x00a4ad43
0x00a4ad14
0x00a4ad18
0x00a4ad1b
0x00a4ad21
0x00a4ad23
0x00a4ad26
0x00a4ad2a
0x00a4ad67
0x00a4ad6a
0x00a4ad6b
0x00a4ad70
0x00a4ad76
0x00a4ad7c
0x00a4ad8b
0x00a4ad91
0x00a4ad97
0x00a4ad9c
0x00a4adb8
0x00a4ae2b
0x00a4ae31
0x00a4adba
0x00a4adc2
0x00a4adcb
0x00a4add1
0x00000000
0x00a4add3
0x00a4add5
0x00a4add8
0x00a4adf1
0x00000000
0x00a4adf3
0x00a4adf7
0x00a4adf9
0x00a4adfc
0x00000000
0x00a4adfc
0x00a4adf7
0x00a4adf1
0x00a4add1
0x00a4adcb
0x00a4adb8
0x00a4ad9c
0x00a4ad76
0x00000000
0x00a4adff
0x00a4adff
0x00a4ae33
0x00a4ae45

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00A4B408,?,00000000,?,00000000,00000000), ref: 00A4ACD5
__fassign.LIBCMT ref: 00A4AD50
__fassign.LIBCMT ref: 00A4AD6B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00A4AD91
WriteFile.KERNEL32(?,?,00000000,00A4B408,00000000,?,?,?,?,?,?,?,?,?,00A4B408,?), ref: 00A4ADB0
WriteFile.KERNEL32(?,?,00000001,00A4B408,00000000,?,?,?,?,?,?,?,?,?,00A4B408,?), ref: 00A4ADE9

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 984617a1fc954f502ab5086638c49e4be38d3b353c33fc4c1a3a4f7b4ca3bc99
Instruction ID: ea9af4b36b31b817adec468cf183409edbb65abc84d6976caca961831fa6944e
Opcode Fuzzy Hash: 984617a1fc954f502ab5086638c49e4be38d3b353c33fc4c1a3a4f7b4ca3bc99
Instruction Fuzzy Hash: DE51B0B9E002099FCB10CFA8D885AEEBBF4FF99300F14415AE956E7291E7309941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00A48C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A48C93(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00A48C57(_t45, 7);
					E00A48C57(_t45 + 0x1c, 7);
					E00A48C57(_t45 + 0x38, 0xc);
					E00A48C57(_t45 + 0x68, 0xc);
					E00A48C57(_t45 + 0x98, 2);
					E00A46B10( *((intOrPtr*)(_t45 + 0xa0)));
					E00A46B10( *((intOrPtr*)(_t45 + 0xa4)));
					E00A46B10( *((intOrPtr*)(_t45 + 0xa8)));
					E00A48C57(_t45 + 0xb4, 7);
					E00A48C57(_t45 + 0xd0, 7);
					E00A48C57(_t45 + 0xec, 0xc);
					E00A48C57(_t45 + 0x11c, 0xc);
					E00A48C57(_t45 + 0x14c, 2);
					E00A46B10( *((intOrPtr*)(_t45 + 0x154)));
					E00A46B10( *((intOrPtr*)(_t45 + 0x158)));
					E00A46B10( *((intOrPtr*)(_t45 + 0x15c)));
					return E00A46B10( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x00a48c99
0x00a48c9e
0x00a48ca7
0x00a48cb2
0x00a48cbd
0x00a48cc8
0x00a48cd6
0x00a48ce1
0x00a48cec
0x00a48cf7
0x00a48d05
0x00a48d13
0x00a48d24
0x00a48d32
0x00a48d40
0x00a48d4b
0x00a48d56
0x00a48d61
0x00000000
0x00a48d71
0x00a48d76

APIs

Part of subcall function 00A48C57: _free.LIBCMT ref: 00A48C80

_free.LIBCMT ref: 00A48CE1

Part of subcall function 00A46B10: HeapFree.KERNEL32(00000000,00000000,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?), ref: 00A46B26
Part of subcall function 00A46B10: GetLastError.KERNEL32(?,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?,?), ref: 00A46B38

_free.LIBCMT ref: 00A48CEC
_free.LIBCMT ref: 00A48CF7
_free.LIBCMT ref: 00A48D4B
_free.LIBCMT ref: 00A48D56
_free.LIBCMT ref: 00A48D61
_free.LIBCMT ref: 00A48D6C

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction ID: f1bf5918d191fb54fb426972d15a96cb832f2827c4433ec79804de8624170c53
Opcode Fuzzy Hash: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction Fuzzy Hash: 2B118135681B24BADA20B7B0DE47FCF779C9F81701F400C18B299A6052DF3DB5554665

Uniqueness

Uniqueness Score: -1.00%

Function 00A44AE0 Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00A44AE0(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0xa56020 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E00A4534E(__eflags,  *0xa56020);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E00A45388(__eflags,  *0xa56020, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E00A46BDB(_t16, 1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E00A45388(__eflags,  *0xa56020, 0);
								} else {
									__eflags = E00A45388(__eflags,  *0xa56020, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E00A46B10(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x00a44ae7
0x00a44afa
0x00a44b01
0x00a44b04
0x00a44b07
0x00a44b20
0x00a44b20
0x00a44b09
0x00a44b09
0x00a44b0b
0x00a44b15
0x00a44b1b
0x00a44b1c
0x00a44b1e
0x00a44b2e
0x00a44b32
0x00a44b34
0x00a44b48
0x00a44b48
0x00a44b51
0x00a44b36
0x00a44b44
0x00a44b46
0x00a44b5a
0x00a44b5c
0x00a44b5c
0x00000000
0x00000000
0x00000000
0x00a44b46
0x00a44b5f
0x00000000
0x00000000
0x00000000
0x00a44b1e
0x00a44b0b
0x00a44b67
0x00a44b71
0x00a44ae9
0x00a44aeb
0x00a44aeb

APIs

GetLastError.KERNEL32(?,?,00A44AD7,00A43E74,00A544D8,00000010,00A4363C,?,?,?,?,?,00000000,?), ref: 00A44AEE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00A44AFC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00A44B15
SetLastError.KERNEL32(00000000,00A44AD7,00A43E74,00A544D8,00000010,00A4363C,?,?,?,?,?,00000000,?), ref: 00A44B67

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0ff5caad9bd44f9b585d46acfc6d482a2cc983da96b01a616c7e8837fa4d249e
Instruction ID: fed4db8e47dd28885e1481a2b0892e2e10a80b8bf39fc5a213163ae445598ae8
Opcode Fuzzy Hash: 0ff5caad9bd44f9b585d46acfc6d482a2cc983da96b01a616c7e8837fa4d249e
Instruction Fuzzy Hash: ED01D83EA49B115EA7286BB4BC85B576A98FFD93B63300329F121860E1EE518C035144

Uniqueness

Uniqueness Score: -1.00%

Function 00A4702E Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E00A4702E(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t30;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_push(_t30);
				_t36 = GetLastError();
				_t2 =  *0xa56044; // 0x6
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00A46BDB(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E00A483D2(_t20, _t25, _t31, __eflags,  *0xa56044, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00A46E9F(_t25, _t31, 0xa5734c);
							E00A46B10(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00A46B10();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00A46B98(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0xa56044; // 0x6
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00A46BDB(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E00A483D2(_t21, _t27, _t32, __eflags,  *0xa56044, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00A46E9F(_t27, _t32, 0xa5734c);
									E00A46B10(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00A46B10();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00A4837C(0, _t25, _t31, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00A4837C(__ebx, _t23, _t30, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00a4702e
0x00a4702e
0x00a4702e
0x00a47031
0x00a47038
0x00a4703a
0x00a4703f
0x00a47042
0x00a47050
0x00a47057
0x00a4705c
0x00a4705f
0x00a47062
0x00a47074
0x00a47079
0x00a4707b
0x00a47086
0x00a4708d
0x00a47092
0x00a47095
0x00a47097
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4707d
0x00a4707d
0x00000000
0x00a4707d
0x00a47064
0x00a47064
0x00a47065
0x00a47065
0x00a4706a
0x00a470a5
0x00a470a6
0x00a470ac
0x00a470b1
0x00a470b4
0x00a470b5
0x00a470b6
0x00a470bd
0x00a470bf
0x00a470c1
0x00a470c6
0x00a470c9
0x00a470d7
0x00a470e3
0x00a470e6
0x00a470e9
0x00a470fb
0x00a47100
0x00a47102
0x00a4710d
0x00a47113
0x00a4711b
0x00a4711d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a47104
0x00a47104
0x00000000
0x00a47104
0x00a470eb
0x00a470eb
0x00a470ec
0x00a470ec
0x00a4711f
0x00a47120
0x00a47120
0x00a470cb
0x00a470d1
0x00a470d5
0x00a47128
0x00a47129
0x00a4712f
0x00000000
0x00000000
0x00000000
0x00a470d5
0x00a47136
0x00a47136
0x00a47044
0x00a4704a
0x00a4704e
0x00a47099
0x00a4709a
0x00a470a4
0x00000000
0x00000000
0x00000000
0x00a4704e

APIs

GetLastError.KERNEL32(?,?,00A46A8B,00A546C0,0000000C,00A42F63), ref: 00A47032
_free.LIBCMT ref: 00A47065
_free.LIBCMT ref: 00A4708D
SetLastError.KERNEL32(00000000), ref: 00A4709A
SetLastError.KERNEL32(00000000), ref: 00A470A6
_abort.LIBCMT ref: 00A470AC

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b06f418dfcfed257b297f96a5c513adf58e5acbf8ee6d4a67ac91159846321b8
Instruction ID: c61fba85aba9ca8ac6ff3aa8aa18097e803580383f44c07cb4527bfa039a8fa6
Opcode Fuzzy Hash: b06f418dfcfed257b297f96a5c513adf58e5acbf8ee6d4a67ac91159846321b8
Instruction Fuzzy Hash: A4F0C23E249A506AD622B374BD0EF5F2669EFC2B72F210524F914E6292FF65D8034121

Uniqueness

Uniqueness Score: -1.00%

Function 00A462ED Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00A4629E,00000003,?,00A4623E,00000003,00A54638,0000000C,00A46395,00000003,00000002), ref: 00A4630D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00A46320
FreeLibrary.KERNEL32(00000000,?,?,?,00A4629E,00000003,?,00A4623E,00000003,00A54638,0000000C,00A46395,00000003,00000002,00000000), ref: 00A46343

Strings

mscoree.dll, xrefs: 00A46306
CorExitProcess, xrefs: 00A46318

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 4e2086cbdffb39eecd06aeaeddc6a2917cafe9a8d4a622389ac343126ae25065
Instruction ID: b26b9f96b0ffb6257e70523c07b20e732a64eb90718e20ee9d8d0b254312fb99
Opcode Fuzzy Hash: 4e2086cbdffb39eecd06aeaeddc6a2917cafe9a8d4a622389ac343126ae25065
Instruction Fuzzy Hash: DAF04F7CA00218FFCB119F94DD09B9EBFB4EFC6716F405168F805A61A0DB719942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00A46731 Relevance: 7.6, APIs: 5, Instructions: 129
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00A46731(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t28;
				signed int _t29;
				intOrPtr _t33;
				signed int _t37;
				signed int _t38;
				signed int _t40;
				void* _t50;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t68;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				signed int _t75;
				signed int _t78;
				signed int _t80;
				signed int* _t81;
				signed int _t85;
				void* _t86;

				_t72 = __edx;
				_v12 = __ecx;
				_t28 =  *__ecx;
				_t81 =  *_t28;
				if(_t81 != 0) {
					_t29 =  *0xa56004; // 0x78a0cd96
					_t56 =  *_t81 ^ _t29;
					_t78 = _t81[1] ^ _t29;
					_t83 = _t81[2] ^ _t29;
					asm("ror edi, cl");
					asm("ror esi, cl");
					asm("ror ebx, cl");
					if(_t78 != _t83) {
						L14:
						 *_t78 = E00A4611D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
						_t33 = E00A42A2D(_t56);
						_t57 = _v12;
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
						_t24 = _t78 + 4; // 0x4
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00A42A2D(_t24);
						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00A42A2D(_t83);
						_t37 = 0;
						L15:
						return _t37;
					}
					_t38 = 0x200;
					_t85 = _t83 - _t56 >> 2;
					if(_t85 <= 0x200) {
						_t38 = _t85;
					}
					_t80 = _t38 + _t85;
					if(_t80 == 0) {
						_t80 = 0x20;
					}
					if(_t80 < _t85) {
						L9:
						_push(4);
						_t80 = _t85 + 4;
						_push(_t80);
						_v8 = E00A4928A(_t56);
						_t40 = E00A46B10(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							goto L11;
						}
						_t37 = _t40 | 0xffffffff;
						goto L15;
					} else {
						_push(4);
						_push(_t80);
						_v8 = E00A4928A(_t56);
						E00A46B10(0);
						_t68 = _v8;
						_t86 = _t86 + 0x10;
						if(_t68 != 0) {
							L11:
							_t56 = _t68;
							_v8 = _t68 + _t85 * 4;
							_t83 = _t68 + _t80 * 4;
							_t78 = _v8;
							_push(0x20);
							asm("ror eax, cl");
							_t71 = _t78;
							_v16 = 0 ^  *0xa56004;
							asm("sbb edx, edx");
							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
							_v8 = _t74;
							if(_t74 == 0) {
								goto L14;
							}
							_t75 = _v16;
							_t50 = 0;
							do {
								_t50 = _t50 + 1;
								 *_t71 = _t75;
								_t71 = _t71 + 4;
							} while (_t50 != _v8);
							goto L14;
						}
						goto L9;
					}
				}
				return _t28 | 0xffffffff;
			}

0x00a46731
0x00a4673b
0x00a4673f
0x00a46741
0x00a46745
0x00a4674f
0x00a46760
0x00a46765
0x00a46767
0x00a46769
0x00a4676b
0x00a4676d
0x00a46771
0x00a4682b
0x00a46839
0x00a4683b
0x00a46840
0x00a46847
0x00a46849
0x00a46857
0x00a46866
0x00a46869
0x00a4686b
0x00000000
0x00a4686c
0x00a46779
0x00a4677e
0x00a46783
0x00a46785
0x00a46785
0x00a46787
0x00a4678c
0x00a46790
0x00a46790
0x00a46793
0x00a467b2
0x00a467b2
0x00a467b4
0x00a467b7
0x00a467c0
0x00a467c3
0x00a467c8
0x00a467cb
0x00a467d0
0x00000000
0x00000000
0x00a467d2
0x00000000
0x00a46795
0x00a46795
0x00a46797
0x00a467a0
0x00a467a3
0x00a467a8
0x00a467ab
0x00a467b0
0x00a467da
0x00a467dd
0x00a467df
0x00a467e2
0x00a467ea
0x00a467f0
0x00a467f7
0x00a467f9
0x00a46801
0x00a46810
0x00a46814
0x00a46816
0x00a46819
0x00000000
0x00000000
0x00a4681b
0x00a4681e
0x00a46820
0x00a46820
0x00a46821
0x00a46823
0x00a46826
0x00000000
0x00a46820
0x00000000
0x00a467b0
0x00a46793
0x00000000

APIs

_free.LIBCMT ref: 00A467A3
_free.LIBCMT ref: 00A467C3

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bdbf27b5a143c4edc35f7b3a80290c297189aec6e5eb084a8548ba6eafa8ef26
Instruction ID: 1773404b8206065e020faa0d535ee0d1713464054118d69bf6fcfea26f239a64
Opcode Fuzzy Hash: bdbf27b5a143c4edc35f7b3a80290c297189aec6e5eb084a8548ba6eafa8ef26
Instruction Fuzzy Hash: 4E41E23AA00200AFCB20DF78C981A5AB7F1EFC9314F5545A9E515EB381DB31AD01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00A48DBC Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00A48DBC(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t40;
				int _t46;
				int _t53;
				void* _t54;
				int _t56;
				signed int _t62;
				int _t65;
				short* _t66;
				signed int _t67;
				short* _t68;

				_t34 =  *0xa56004; // 0x78a0cd96
				_v8 = _t34 ^ _t67;
				E00A46C38(_t54,  &_v28, __edx, _a4);
				_t56 = _a24;
				if(_t56 == 0) {
					_t53 =  *(_v24 + 8);
					_t56 = _t53;
					_a24 = _t53;
				}
				_t65 = 0;
				_t40 = MultiByteToWideChar(_t56, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					return E00A425A8(_t54, _v8 ^ _t67, _t65, _t66);
				}
				_t54 = _t40 + _t40;
				_t17 = _t54 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t66 = 0;
					L11:
					if(_t66 != 0) {
						E00A44940(_t65, _t66, _t65, _t54);
						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t66, _v12);
						if(_t46 != 0) {
							_t65 = GetStringTypeW(_a8, _t66, _t46, _a20);
						}
					}
					L14:
					E00A48ED9(_t66);
					goto L15;
				}
				_t20 = _t54 + 8; // 0x8
				asm("sbb eax, eax");
				_t48 = _t40 & _t20;
				_t21 = _t54 + 8; // 0x8
				_t62 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t66 = E00A46B4A(_t62, _t48 & _t62);
					if(_t66 == 0) {
						goto L14;
					}
					 *_t66 = 0xdddd;
					L9:
					_t66 =  &(_t66[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E00A4D5B0();
				_t66 = _t68;
				if(_t66 == 0) {
					goto L14;
				}
				 *_t66 = 0xcccc;
				goto L9;
			}

0x00a48dc4
0x00a48dcb
0x00a48dd7
0x00a48ddc
0x00a48de1
0x00a48de6
0x00a48de9
0x00a48deb
0x00a48deb
0x00a48df0
0x00a48e09
0x00a48e0f
0x00a48e14
0x00a48eb3
0x00a48eb7
0x00a48ebc
0x00a48ebc
0x00a48ed8
0x00a48ed8
0x00a48e1a
0x00a48e1d
0x00a48e22
0x00a48e26
0x00a48e72
0x00a48e74
0x00a48e76
0x00a48e7b
0x00a48e92
0x00a48e9a
0x00a48eaa
0x00a48eaa
0x00a48e9a
0x00a48eac
0x00a48ead
0x00000000
0x00a48eb2
0x00a48e28
0x00a48e2d
0x00a48e2f
0x00a48e31
0x00a48e31
0x00a48e39
0x00a48e56
0x00a48e60
0x00a48e65
0x00000000
0x00000000
0x00a48e67
0x00a48e6d
0x00a48e6d
0x00000000
0x00a48e6d
0x00a48e3d
0x00a48e41
0x00a48e46
0x00a48e4a
0x00000000
0x00000000
0x00a48e4c
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00A48E09
__alloca_probe_16.LIBCMT ref: 00A48E41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00A48E92
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00A48EA4
__freea.LIBCMT ref: 00A48EAD

Part of subcall function 00A46B4A: RtlAllocateHeap.NTDLL(00000000,00A4330B,?), ref: 00A46B7C

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9dfb6061cfa06ad494de7a696566acfb8c995f27d479cd5a7970a267eac54af6
Instruction ID: a4b72992a10f7fdc35e6a08b62dc1b6d6269d929ab3764b901471060c9f92cad
Opcode Fuzzy Hash: 9dfb6061cfa06ad494de7a696566acfb8c995f27d479cd5a7970a267eac54af6
Instruction Fuzzy Hash: 0A31AD7AA0020AAFDF25DFA5EC46EAF7BA5EB81710B140128FC04D6191EB39DD51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A470B2 Relevance: 7.6, APIs: 5, Instructions: 53
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00A470B2(void* __ecx) {
				void* __ebx;
				void* __edi;
				intOrPtr _t2;
				void* _t4;
				void* _t10;
				void* _t11;
				void* _t13;
				void* _t15;
				void* _t16;
				long _t17;

				_t11 = __ecx;
				_t17 = GetLastError();
				_t10 = 0;
				_t2 =  *0xa56044; // 0x6
				_t20 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t16 = E00A46BDB(_t11, 1, 0x364);
					_pop(_t13);
					if(_t16 != 0) {
						_t4 = E00A483D2(_t10, _t13, _t16, __eflags,  *0xa56044, _t16);
						__eflags = _t4;
						if(_t4 != 0) {
							E00A46E9F(_t13, _t16, 0xa5734c);
							E00A46B10(_t10);
							__eflags = _t16;
							if(_t16 != 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t16);
							goto L4;
						}
					} else {
						_push(_t10);
						L4:
						E00A46B10();
						L8:
						SetLastError(_t17);
					}
				} else {
					_t16 = E00A4837C(0, _t11, _t15, _t20, _t2);
					if(_t16 != 0) {
						L9:
						SetLastError(_t17);
						_t10 = _t16;
					} else {
						goto L2;
					}
				}
				return _t10;
			}

0x00a470b2
0x00a470bd
0x00a470bf
0x00a470c1
0x00a470c6
0x00a470c9
0x00a470d7
0x00a470e3
0x00a470e6
0x00a470e9
0x00a470fb
0x00a47100
0x00a47102
0x00a4710d
0x00a47113
0x00a4711b
0x00a4711d
0x00000000
0x00000000
0x00000000
0x00000000
0x00a47104
0x00a47104
0x00000000
0x00a47104
0x00a470eb
0x00a470eb
0x00a470ec
0x00a470ec
0x00a4711f
0x00a47120
0x00a47120
0x00a470cb
0x00a470d1
0x00a470d5
0x00a47128
0x00a47129
0x00a4712f
0x00000000
0x00000000
0x00000000
0x00a470d5
0x00a47136

APIs

GetLastError.KERNEL32(00A4330B,00A4330B,?,00A473D7,00A46B8D,?,?,00A447F0,?,?,00000000,?,?,00A4322E,00A4330B,?), ref: 00A470B7
_free.LIBCMT ref: 00A470EC
_free.LIBCMT ref: 00A47113
SetLastError.KERNEL32(00000000,?,00A4330B), ref: 00A47120
SetLastError.KERNEL32(00000000,?,00A4330B), ref: 00A47129

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 373aa47eeb2b0827f5e109a7293afe7d3f62d177f8c2bd746c53d63f8723ca88
Instruction ID: 9052db6a773fd448077d5456dcbc2105ee7dcb805150355ff2f5da6d3e5076ec
Opcode Fuzzy Hash: 373aa47eeb2b0827f5e109a7293afe7d3f62d177f8c2bd746c53d63f8723ca88
Instruction Fuzzy Hash: 0B01283E249B407B8322A7786D86D2F366DEBC67727200224F915E71A2FF79CC034021

Uniqueness

Uniqueness Score: -1.00%

Function 00A48BEE Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00A48BEE(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0xa56648; // 0xa5663c
					if(_t23 != 0) {
						E00A46B10(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0xa5664c; // 0xa57350
					if(_t24 != 0) {
						E00A46B10(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0xa56650; // 0xa57350
					if(_t25 != 0) {
						E00A46B10(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0xa56678; // 0xa56640
					if(_t26 != 0) {
						E00A46B10(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0xa5667c; // 0xa57354
					if(_t27 != 0) {
						return E00A46B10(_t6);
					}
				}
				return _t6;
			}

0x00a48bf4
0x00a48bf9
0x00a48bfd
0x00a48c03
0x00a48c06
0x00a48c0b
0x00a48c0f
0x00a48c15
0x00a48c18
0x00a48c1d
0x00a48c21
0x00a48c27
0x00a48c2a
0x00a48c2f
0x00a48c33
0x00a48c39
0x00a48c3c
0x00a48c41
0x00a48c42
0x00a48c45
0x00a48c4b
0x00000000
0x00a48c53
0x00a48c4b
0x00a48c56

APIs

_free.LIBCMT ref: 00A48C06

Part of subcall function 00A46B10: HeapFree.KERNEL32(00000000,00000000,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?), ref: 00A46B26
Part of subcall function 00A46B10: GetLastError.KERNEL32(?,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?,?), ref: 00A46B38

_free.LIBCMT ref: 00A48C18
_free.LIBCMT ref: 00A48C2A
_free.LIBCMT ref: 00A48C3C
_free.LIBCMT ref: 00A48C4E

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d01eb441008dd55356370f617ce4071b695348e8549135830a281d580cc189c8
Instruction ID: d0cf128a0239919dc031533ad08d8935d573a75a1bc00669542cd97d2fb18e1e
Opcode Fuzzy Hash: d01eb441008dd55356370f617ce4071b695348e8549135830a281d580cc189c8
Instruction Fuzzy Hash: BBF01276506720BB8668EBA4F6D6C9A73EDFA817517A40C09F004D7901CF38FC828A64

Uniqueness

Uniqueness Score: -1.00%

Function 00A46980 Relevance: 7.5, APIs: 5, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A46980(signed int __ecx) {
				intOrPtr _t7;

				asm("lock xadd [eax], ecx");
				if((__ecx | 0xffffffff) == 0) {
					_t7 =  *0xa56570; // 0x116d230
					if(_t7 != 0xa56350) {
						E00A46B10(_t7);
						 *0xa56570 = 0xa56350;
					}
				}
				E00A46B10( *0xa5736c);
				 *0xa5736c = 0;
				E00A46B10( *0xa57370);
				 *0xa57370 = 0;
				E00A46B10( *0xa57058);
				 *0xa57058 = 0;
				E00A46B10( *0xa5705c);
				 *0xa5705c = 0;
				return 1;
			}

0x00a46989
0x00a4698d
0x00a4698f
0x00a4699b
0x00a4699e
0x00a469a4
0x00a469a4
0x00a4699b
0x00a469b0
0x00a469bd
0x00a469c3
0x00a469ce
0x00a469d4
0x00a469df
0x00a469e5
0x00a469ed
0x00a469f6

APIs

_free.LIBCMT ref: 00A4699E

Part of subcall function 00A46B10: HeapFree.KERNEL32(00000000,00000000,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?), ref: 00A46B26
Part of subcall function 00A46B10: GetLastError.KERNEL32(?,?,00A48C85,?,00000000,?,00000000,?,00A48CAC,?,00000007,?,?,00A4910E,?,?), ref: 00A46B38

_free.LIBCMT ref: 00A469B0
_free.LIBCMT ref: 00A469C3
_free.LIBCMT ref: 00A469D4
_free.LIBCMT ref: 00A469E5

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b78b383b0dc1aa76cdd5b20c111394eef5e078dee5ad527c5682423bc11dd49f
Instruction ID: 7c76fc11ed37475e507af24f65af7f43cbd5942606a40b5df8babd8d8fba8754
Opcode Fuzzy Hash: b78b383b0dc1aa76cdd5b20c111394eef5e078dee5ad527c5682423bc11dd49f
Instruction Fuzzy Hash: 50F05EB8948720AB8A01EFA4BD1188D3BF4F7567B23000546F814EB3B6DB3259139F96

Uniqueness

Uniqueness Score: -1.00%

Function 00A45AFF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00A45AFF(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				void* __ebx;
				void* __edi;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				WCHAR* _t48;
				struct HINSTANCE__* _t49;
				struct HINSTANCE__* _t53;
				intOrPtr* _t56;
				struct HINSTANCE__* _t61;
				intOrPtr _t62;

				if(_a4 == 2 || _a4 == 1) {
					GetModuleFileNameW(0, 0xa56ca8, 0x104);
					_t48 =  *0xa57064; // 0x1151b9c
					 *0xa57068 = 0xa56ca8;
					if(_t48 == 0 ||  *_t48 == 0) {
						_t48 = 0xa56ca8;
					}
					_v8 = 0;
					_v16 = 0;
					E00A45C1E(_t48, 0, 0,  &_v8,  &_v16);
					_t61 = E00A45DA4(_v8, _v16, 2);
					if(_t61 != 0) {
						E00A45C1E(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t49 = E00A478FF(_t48, 0, _t61);
							if(_t49 == 0) {
								_t56 = _v12;
								_t53 = 0;
								_t35 = _t56;
								if( *_t56 == 0) {
									L15:
									_t36 = 0;
									 *0xa57054 = _t53;
									_v12 = 0;
									_t49 = 0;
									 *0xa5705c = _t56;
									L16:
									E00A46B10(_t36);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t35 = _t35 + 4;
									_t53 =  &(_t53->i);
								} while ( *_t35 != 0);
								goto L15;
							}
							_t36 = _v12;
							goto L16;
						}
						 *0xa57054 = _v8 - 1;
						_t42 = _t61;
						_t61 = 0;
						 *0xa5705c = _t42;
						goto L10;
					} else {
						_t43 = E00A473D2();
						_push(0xc);
						_pop(0);
						 *_t43 = 0;
						L10:
						_t49 = 0;
						L17:
						E00A46B10(_t61);
						return _t49;
					}
				} else {
					_t44 = E00A473D2();
					_t62 = 0x16;
					 *_t44 = _t62;
					E00A457A1();
					return _t62;
				}
			}

0x00a45b0c
0x00a45b3a
0x00a45b40
0x00a45b46
0x00a45b4e
0x00a45b55
0x00a45b55
0x00a45b5a
0x00a45b61
0x00a45b68
0x00a45b7a
0x00a45b81
0x00a45ba0
0x00a45bac
0x00a45bc7
0x00a45bca
0x00a45bd1
0x00a45bd7
0x00a45bde
0x00a45be1
0x00a45be3
0x00a45be7
0x00a45bf1
0x00a45bf1
0x00a45bf3
0x00a45bf9
0x00a45bfc
0x00a45bfe
0x00a45c04
0x00a45c05
0x00a45c0b
0x00000000
0x00000000
0x00000000
0x00000000
0x00a45be9
0x00a45be9
0x00a45be9
0x00a45bec
0x00a45bed
0x00000000
0x00a45be9
0x00a45bd9
0x00000000
0x00a45bd9
0x00a45bb2
0x00a45bb7
0x00a45bb9
0x00a45bbb
0x00000000
0x00a45b83
0x00a45b83
0x00a45b88
0x00a45b8a
0x00a45b8b
0x00a45bc0
0x00a45bc0
0x00a45c0e
0x00a45c0f
0x00000000
0x00a45c18
0x00a45b14
0x00a45b14
0x00a45b1b
0x00a45b1c
0x00a45b1e
0x00000000
0x00a45b23

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Transfer.exe,00000104), ref: 00A45B3A
_free.LIBCMT ref: 00A45C05
_free.LIBCMT ref: 00A45C0F

Strings

C:\Users\user\AppData\Roaming\Transfer.exe, xrefs: 00A45B31, 00A45B38, 00A45B67, 00A45B9F

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\Transfer.exe
API String ID: 2506810119-665239336
Opcode ID: 0ce302a7fc9184ce068f44a0421858713bbbdad02491f65117f0745a40466591
Instruction ID: 00ad9090cbbbaa586fe3fffbcd2fad81ae62324b11c673dd9ee8e6f6d22acfce
Opcode Fuzzy Hash: 0ce302a7fc9184ce068f44a0421858713bbbdad02491f65117f0745a40466591
Instruction Fuzzy Hash: 43313E79E04758EFDB21DFA99985C9EBBFCEBC5710B1040A6F80497252E6708E46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A41E40 Relevance: 6.1, APIs: 4, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A41E40(signed int __ecx, signed int _a4, signed int _a8) {
				signed int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				signed int _t33;
				void* _t36;
				void* _t37;
				signed int _t38;
				signed int _t39;
				signed int _t41;
				signed int _t42;
				intOrPtr _t47;
				unsigned int _t51;
				signed int _t52;
				unsigned int _t57;
				signed int _t62;
				signed int _t68;
				signed int _t71;
				signed int _t73;
				void* _t74;
				intOrPtr _t75;

				_push(0xffffffff);
				_push(E00A4E080);
				_push( *[fs:0x0]);
				_t75 = _t74 - 0xc;
				_push(_t51);
				_t30 =  *0xa56004; // 0x78a0cd96
				_push(_t30 ^ _t73);
				 *[fs:0x0] =  &_v16;
				_v20 = _t75;
				_t71 = __ecx;
				_v24 = __ecx;
				_t33 = _a4;
				_t68 = _t33 | 0x00000007;
				if(_t68 <= 0x7ffffffe) {
					_t51 =  *(__ecx + 0x14);
					_t57 = _t51 >> 1;
					_t64 = 0xaaaaaaab * _t68 >> 0x20 >> 1;
					__eflags = _t57 - 0xaaaaaaab * _t68 >> 0x20 >> 1;
					if(_t57 > 0xaaaaaaab * _t68 >> 0x20 >> 1) {
						_t68 = _t57 + _t51;
						__eflags = _t51 - 0x7ffffffe - _t57;
						if(_t51 > 0x7ffffffe - _t57) {
							_t68 = 0x7ffffffe;
						}
					}
				} else {
					_t68 = _t33;
				}
				_t11 = _t68 + 1; // 0x7fffffff
				_t36 = _t11;
				_v8 = 0;
				if(_t36 != 0) {
					__eflags = _t36 - 0x7fffffff;
					if(__eflags > 0) {
						_t36 = E00A432DD(_t51, _t68, _t71, __eflags);
					}
					_t37 = _t36 + _t36;
					__eflags = _t37 - 0x1000;
					if(__eflags < 0) {
						_t38 = E00A425B9(_t51, _t68, _t71, __eflags, _t37);
						_t75 = _t75 + 4;
						_t52 = _t38;
					} else {
						_t13 = _t37 + 0x23; // 0x23
						_t63 = _t13;
						__eflags = _t13 - _t37;
						if(__eflags <= 0) {
							E00A432DD(_t51, _t68, _t71, __eflags);
						}
						_t47 = E00A425B9(_t51, _t68, _t71, __eflags, _t63);
						_t75 = _t75 + 4;
						_t14 = _t47 + 0x23; // 0x23
						_t52 = _t14 & 0xffffffe0;
						 *((intOrPtr*)(_t52 - 4)) = _t47;
					}
				} else {
					_t52 = 0;
				}
				_t39 = _a8;
				if(_t39 != 0) {
					if( *(_t71 + 0x14) < 8) {
						_t62 = _t71;
					} else {
						_t62 =  *_t71;
					}
					if(_t39 != 0) {
						E00A4D7F0(_t52, _t62, _t39 + _t39);
					}
				}
				_t40 =  *(_t71 + 0x14);
				if( *(_t71 + 0x14) >= 8) {
					E00A41C00(_t52, _t64, _t68,  *_t71, _t40 + 1);
				}
				 *(_t71 + 0x14) = 7;
				 *(_t71 + 0x10) = 0;
				if( *(_t71 + 0x14) < 8) {
					_t41 = _t71;
				} else {
					_t41 =  *_t71;
				}
				 *_t41 = 0;
				_t42 = _a8;
				 *_t71 = _t52;
				 *(_t71 + 0x14) = _t68;
				 *(_t71 + 0x10) = _t42;
				if( *(_t71 + 0x14) >= 8) {
					_t71 = _t52;
				}
				 *((short*)(_t71 + _t42 * 2)) = 0;
				 *[fs:0x0] = _v16;
				return _t42;
			}

0x00a41e43
0x00a41e45
0x00a41e50
0x00a41e51
0x00a41e54
0x00a41e57
0x00a41e5e
0x00a41e62
0x00a41e68
0x00a41e6b
0x00a41e6d
0x00a41e70
0x00a41e75
0x00a41e7e
0x00a41e84
0x00a41e90
0x00a41e92
0x00a41e94
0x00a41e96
0x00a41e9d
0x00a41ea2
0x00a41ea4
0x00a41ea6
0x00a41ea6
0x00a41ea4
0x00a41e80
0x00a41e80
0x00a41e80
0x00a41eab
0x00a41eab
0x00a41eae
0x00a41eb7
0x00a41ebd
0x00a41ec2
0x00a41ec4
0x00a41ec4
0x00a41ec9
0x00a41ecb
0x00a41ed0
0x00a41ef3
0x00a41ef8
0x00a41efb
0x00a41ed2
0x00a41ed2
0x00a41ed2
0x00a41ed5
0x00a41ed7
0x00a41ed9
0x00a41ed9
0x00a41edf
0x00a41ee4
0x00a41ee7
0x00a41eea
0x00a41eed
0x00a41eed
0x00a41eb9
0x00a41eb9
0x00a41eb9
0x00a41f25
0x00a41f2a
0x00a41f30
0x00a41f36
0x00a41f32
0x00a41f32
0x00a41f32
0x00a41f3a
0x00a41f41
0x00a41f46
0x00a41f3a
0x00a41f49
0x00a41f4f
0x00a41f55
0x00a41f55
0x00a41f5a
0x00a41f65
0x00a41f6c
0x00a41f72
0x00a41f6e
0x00a41f6e
0x00a41f6e
0x00a41f76
0x00a41f79
0x00a41f7c
0x00a41f7e
0x00a41f85
0x00a41f88
0x00a41f8a
0x00a41f8a
0x00a41f8e
0x00a41f95
0x00a41fa3

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A41EC4

Part of subcall function 00A432DD: __CxxThrowException@8.LIBVCRUNTIME ref: 00A432F4

Concurrency::cancel_current_task.LIBCPMT ref: 00A41ED9
new.LIBCMT ref: 00A41EDF
new.LIBCMT ref: 00A41EF3

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: e1548ffa668bafe02ab43fee409eff6638375a3151b6f72db809d3b67857da1c
Instruction ID: 2188700c2f6f6f2b2233d5e5def824b77ae21325dd5f16642596ea695de802b9
Opcode Fuzzy Hash: e1548ffa668bafe02ab43fee409eff6638375a3151b6f72db809d3b67857da1c
Instruction Fuzzy Hash: 3C41C479A00600DBC724DF24D98166AB7F8FBC4750B200B2EF866C7790E775E989C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00A48255 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00A48255(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0xa57070 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0xa4fdc0 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x78a0cd97
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00a4825a
0x00a4825e
0x00a48265
0x00a48269
0x00a48277
0x00a4828d
0x00a48291
0x00a482ba
0x00a482bc
0x00a482c0
0x00a482c3
0x00a482c3
0x00a482c9
0x00a482cb
0x00000000
0x00a482cc
0x00a48293
0x00a4829c
0x00a482ab
0x00a4829e
0x00a482a1
0x00a482a7
0x00a482a7
0x00a482af
0x00000000
0x00a482b1
0x00a482b4
0x00a482b6
0x00000000
0x00a482b6
0x00a482af
0x00a4826b
0x00a48270
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00A481FC,?,00000000,00000000,00000000,?,00A483F9,00000006,FlsSetValue), ref: 00A48287
GetLastError.KERNEL32(?,00A481FC,?,00000000,00000000,00000000,?,00A483F9,00000006,FlsSetValue,00A50278,00A50280,00000000,00000364,?,00A47100), ref: 00A48293
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00A481FC,?,00000000,00000000,00000000,?,00A483F9,00000006,FlsSetValue,00A50278,00A50280,00000000), ref: 00A482A1

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 49c15f3ab53db41019776abc655138bf9070166ae4c7716438b68d171fd0804a
Instruction ID: f91b8159f8a7139a5bf0c709ffb1e708c0c30b8384e86277e01e4cc102d06e85
Opcode Fuzzy Hash: 49c15f3ab53db41019776abc655138bf9070166ae4c7716438b68d171fd0804a
Instruction Fuzzy Hash: 7601AC3E611622EFC7218FA9FC44AAE7798AFC67617200630F926D7141DBA5D801C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00A435F7 Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 21%

			E00A435F7(void* __ebx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t31 = __esi;
				_t29 = __edx;
				_t27 = __ebx;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E00A43C46(__ebx, _t30, __esi);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00A44DF3(_t28);
				_push(_t31);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E00A43E48(_t27, _t28, _t29, _t30, _t32);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00A43401(_t27, _t29, _t30, _t32, _t37);
				if(_t25 != 0) {
					E00A44DC1(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00a435f7
0x00a435f7
0x00a435f7
0x00a435ff
0x00a43602
0x00a43604
0x00a43607
0x00a4360a
0x00a4360b
0x00a4360e
0x00a43613
0x00a43613
0x00a43616
0x00a4361a
0x00a4361d
0x00a43622
0x00a4361f
0x00a4361f
0x00a4361f
0x00a43625
0x00a4362a
0x00a4362b
0x00a4362e
0x00a43630
0x00a43633
0x00a43636
0x00a43637
0x00a43640
0x00a43645
0x00a43648
0x00a4364e
0x00a43651
0x00a43654
0x00a43657
0x00a43658
0x00a4365b
0x00a43666
0x00a4366a
0x00000000
0x00a4366a
0x00a43671

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00A4360E

Part of subcall function 00A43C46: ___AdjustPointer.LIBCMT ref: 00A43C90

_UnwindNestedFrames.LIBCMT ref: 00A43625
___FrameUnwindToState.LIBVCRUNTIME ref: 00A43637
CallCatchBlock.LIBVCRUNTIME ref: 00A4365B

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction ID: bd2aae25c9b2fcaaffe2d721c4646f9dba24d422521b22bbc88d2530b3c4d49f
Opcode Fuzzy Hash: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction Fuzzy Hash: 8B01D336400109BBCF126F55CD41EDABBBAEF8C754F168118FA1866221D732E961ABA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A42090 Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00A42090(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int* _v0;
				signed int _v12;
				char _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				void* __ebp;
				intOrPtr _t29;
				signed int _t33;
				short* _t36;
				void* _t37;
				signed int _t39;
				signed int _t42;
				intOrPtr* _t43;
				signed int _t44;
				void* _t45;
				intOrPtr _t47;
				intOrPtr _t51;
				intOrPtr _t52;
				signed int _t53;
				intOrPtr* _t55;
				signed int _t56;
				signed int* _t58;
				signed int _t59;
				signed int _t60;
				signed int* _t66;
				signed int _t67;
				signed int _t70;
				intOrPtr _t72;
				signed int* _t73;
				signed int* _t74;
				signed int* _t76;
				intOrPtr* _t79;
				signed int _t83;

				_t78 = __esi;
				_t75 = __edi;
				_t72 = __edx;
				_t50 = __ebx;
				_t29 = _a4;
				if(_t29 != 0) {
					__eflags = _t29 - 0x7fffffff;
					if(__eflags > 0) {
						E00A432DD(__ebx, __edi, __esi, __eflags);
						goto L8;
					} else {
						_t45 = _t29 + _t29;
						__eflags = _t45 - 0x1000;
						if(__eflags < 0) {
							return E00A425B9(__ebx, __edi, __esi, __eflags, _t45);
						} else {
							_t55 = _t45 + 0x23;
							__eflags = _t55 - _t45;
							if(__eflags <= 0) {
								L8:
								E00A432DD(_t50, _t75, _t78, __eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(0xffffffff);
								_push(E00A4E0B9);
								_push( *[fs:0x0]);
								_push(_t50);
								_push(_t78);
								_push(_t75);
								_t33 =  *0xa56004; // 0x78a0cd96
								_push(_t33 ^ _t83);
								 *[fs:0x0] =  &_v20;
								_t51 = _t72;
								_v28 = _t51;
								_t79 = _t55;
								_v32 = _t79;
								_v24 = 0;
								 *(_t79 + 0x10) = 0;
								 *(_t79 + 0x14) = 0;
								 *(_t79 + 0x14) = 7;
								__eflags =  *(_t79 + 0x14) - 8;
								 *(_t79 + 0x10) = 0;
								if( *(_t79 + 0x14) < 8) {
									_t36 = _t79;
								} else {
									_t36 =  *_t79;
								}
								_t56 = 0;
								 *_t36 = 0;
								_t76 = _v0;
								_v12 = 0;
								_t52 =  *((intOrPtr*)(_t51 + 0x10));
								_v24 = 1;
								__eflags =  *_t76;
								if( *_t76 != 0) {
									_t66 = _t76;
									_t74 =  &(_t66[0]);
									do {
										_t44 =  *_t66;
										_t66 =  &(_t66[0]);
										__eflags = _t44;
									} while (_t44 != 0);
									_t67 = _t66 - _t74;
									__eflags = _t67;
									_t56 = _t67 >> 1;
								}
								_t37 = _t56 + _t52;
								_t53 =  *(_t79 + 0x10);
								__eflags = _t53 - _t37;
								if(_t53 <= _t37) {
									__eflags =  *(_t79 + 0x14) - _t37;
									if( *(_t79 + 0x14) != _t37) {
										_t42 = E00A41C60(_t79, _t37, 1);
										__eflags = _t42;
										if(_t42 != 0) {
											__eflags =  *(_t79 + 0x14) - 8;
											 *(_t79 + 0x10) = _t53;
											if( *(_t79 + 0x14) < 8) {
												_t43 = _t79;
											} else {
												_t43 =  *_t79;
											}
											__eflags = 0;
											 *((short*)(_t43 + _t53 * 2)) = 0;
										}
									}
								}
								_push(0xffffffff);
								E00A424A0(_t53, _t79, _t76, _t79, _v28, 0);
								__eflags =  *_t76;
								if( *_t76 != 0) {
									_t58 = _t76;
									_t73 =  &(_t58[0]);
									do {
										_t39 =  *_t58;
										_t58 =  &(_t58[0]);
										__eflags = _t39;
									} while (_t39 != 0);
									_t59 = _t58 - _t73;
									__eflags = _t59;
									_t60 = _t59 >> 1;
								} else {
									_t60 = 0;
								}
								_push(_t60);
								_push(_t76);
								E00A42370(_t53, _t79, _t76, _t79);
								 *[fs:0x0] = _v20;
								return _t79;
							} else {
								_t47 = E00A425B9(__ebx, __edi, __esi, __eflags, _t55);
								_t3 = _t47 + 0x23; // 0x23
								_t70 = _t3 & 0xffffffe0;
								__eflags = _t70;
								 *((intOrPtr*)(_t70 - 4)) = _t47;
								return _t70;
							}
						}
					}
				} else {
					return 0;
				}
			}

0x00a42090
0x00a42090
0x00a42090
0x00a42090
0x00a42093
0x00a42098
0x00a420a2
0x00a420a7
0x00a420e0
0x00000000
0x00a420a9
0x00a420a9
0x00a420ab
0x00a420b0
0x00a420dd
0x00a420b2
0x00a420b2
0x00a420b5
0x00a420b7
0x00a420e5
0x00a420e5
0x00a420ea
0x00a420eb
0x00a420ec
0x00a420ed
0x00a420ee
0x00a420ef
0x00a420f3
0x00a420f5
0x00a42100
0x00a42104
0x00a42105
0x00a42106
0x00a42107
0x00a4210e
0x00a42112
0x00a42118
0x00a4211a
0x00a4211d
0x00a4211f
0x00a42122
0x00a42129
0x00a42130
0x00a42137
0x00a4213e
0x00a42142
0x00a42149
0x00a4214f
0x00a4214b
0x00a4214b
0x00a4214b
0x00a42151
0x00a42153
0x00a42156
0x00a42159
0x00a4215c
0x00a4215f
0x00a42166
0x00a42169
0x00a4216b
0x00a4216d
0x00a42170
0x00a42170
0x00a42173
0x00a42176
0x00a42176
0x00a4217b
0x00a4217b
0x00a4217d
0x00a4217d
0x00a4217f
0x00a42182
0x00a42185
0x00a42187
0x00a42189
0x00a4218c
0x00a42193
0x00a42198
0x00a4219a
0x00a4219c
0x00a421a0
0x00a421a3
0x00a421a9
0x00a421a5
0x00a421a5
0x00a421a5
0x00a421ab
0x00a421ad
0x00a421ad
0x00a4219a
0x00a4218c
0x00a421b1
0x00a421ba
0x00a421bf
0x00a421c3
0x00a421c9
0x00a421cb
0x00a421d0
0x00a421d0
0x00a421d3
0x00a421d6
0x00a421d6
0x00a421db
0x00a421db
0x00a421dd
0x00a421c5
0x00a421c5
0x00a421c5
0x00a421df
0x00a421e0
0x00a421e3
0x00a421ed
0x00a421fb
0x00a420b9
0x00a420ba
0x00a420c2
0x00a420c5
0x00a420c5
0x00a420c8
0x00a420ce
0x00a420ce
0x00a420b7
0x00a420b0
0x00a4209a
0x00a4209f
0x00a4209f

APIs

new.LIBCMT ref: 00A420BA

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction ID: 397cffdecea1946af3028031d13297914ffca98c9818c834d62297f0b7e089b4
Opcode Fuzzy Hash: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction Fuzzy Hash: 08F0A7B77042040AEB18E774AD56B6E76D88BF43507904639F11AC72C1F961DD94C35A

Uniqueness

Uniqueness Score: -1.00%

Function 00A448B6 Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A448B6() {
				void* _t4;
				void* _t8;

				E00A45477();
				E00A4540B();
				if(E00A4514E() != 0) {
					_t4 = E00A44B72(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00A4518A();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x00a448b6
0x00a448bb
0x00a448c7
0x00a448cc
0x00a448d1
0x00a448d3
0x00a448de
0x00a448d5
0x00a448d5
0x00000000
0x00a448d5
0x00a448c9
0x00a448c9
0x00a448cb
0x00a448cb

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00A448B6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00A448BB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00A448C0

Part of subcall function 00A4514E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00A4515F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00A448D5

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction ID: 83987993f8959d8fa75751c7808583c59b30910b847f2f2f116ad7f332d835e5
Opcode Fuzzy Hash: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction Fuzzy Hash: 1FC04C1D814A81971C247FF523123AD43411CEA785BA026C1E8911B4039A05084B1977

Uniqueness

Uniqueness Score: -1.00%

Function 00A488DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00A488DC(void* __edi) {
				void** _v8;
				struct _STARTUPINFOW* _v24;
				short _v26;
				char _v76;
				void* __ebx;
				void* __esi;
				void* __ebp;
				struct _STARTUPINFOW* _t19;
				long _t23;
				void** _t24;
				LPWSTR* _t32;
				void* _t35;
				signed char _t38;
				void* _t40;
				void* _t41;
				signed int _t42;
				long _t45;

				_t41 = __edi;
				_t19 =  &_v76;
				GetStartupInfoW(_t19);
				if(_v26 == 0) {
					L17:
					return _t19;
				}
				_t19 = _v24;
				if(_t19 == 0) {
					goto L17;
				}
				_t45 = _t19->cb;
				_t32 =  &(_t19->lpReserved);
				_v8 = _t32 + _t45;
				if(_t45 >= 0x2000) {
					_t45 = 0x2000;
				}
				_push(_t45);
				E00A48703(_t32, _t41, _t45);
				_t23 =  *0xa57348; // 0x40
				if(_t45 > _t23) {
					_t45 = _t23;
				}
				_push(_t41);
				_t42 = 0;
				if(_t45 == 0) {
					L16:
					return _t23;
				} else {
					_t24 = _v8;
					do {
						_t35 =  *_t24;
						if(_t35 != 0xffffffff && _t35 != 0xfffffffe) {
							_t38 =  *_t32;
							if((_t38 & 0x00000001) != 0) {
								if((_t38 & 0x00000008) != 0 || GetFileType(_t35) != 0) {
									_t40 = (_t42 & 0x0000003f) * 0x30 +  *((intOrPtr*)(0xa57148 + (_t42 >> 6) * 4));
									 *(_t40 + 0x18) =  *_v8;
									 *((char*)(_t40 + 0x28)) =  *_t32;
								}
								_t24 = _v8;
							}
						}
						_t42 = _t42 + 1;
						_t24 =  &(_t24[1]);
						_t32 =  &(_t32[0]);
						_v8 = _t24;
					} while (_t42 != _t45);
					goto L16;
				}
			}

0x00a488dc
0x00a488e4
0x00a488e8
0x00a488f3
0x00a48991
0x00a48991
0x00a48991
0x00a488f9
0x00a488fe
0x00000000
0x00000000
0x00a48906
0x00a48908
0x00a4890e
0x00a48918
0x00a4891a
0x00a4891a
0x00a4891c
0x00a4891d
0x00a48922
0x00a4892a
0x00a4892c
0x00a4892c
0x00a4892e
0x00a4892f
0x00a48933
0x00a4898b
0x00000000
0x00a48935
0x00a48935
0x00a48938
0x00a48938
0x00a4893d
0x00a48944
0x00a48949
0x00a4894e
0x00a4896b
0x00a48974
0x00a48979
0x00a48979
0x00a4897c
0x00a4897c
0x00a48949
0x00a4897f
0x00a48980
0x00a48983
0x00a48984
0x00a48987
0x00000000
0x00a48938

APIs

GetStartupInfoW.KERNEL32(?), ref: 00A488E8
GetFileType.KERNEL32 ref: 00A48951

Strings

PPqt, xrefs: 00A488E8

Memory Dump Source

Source File: 00000003.00000002.576996156.0000000000A41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true

Associated: 00000003.00000002.576986711.0000000000A40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577025828.0000000000A4F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577047815.0000000000A56000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.577064613.0000000000A58000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_a40000_Transfer.jbxd

Similarity

API ID: FileInfoStartupType
String ID: PPqt
API String ID: 3016745765-3887661980
Opcode ID: 130ae5400b417b9493ac0ea7037cd02c31e558508ae84025cdb4398a973fa0dc
Instruction ID: 7ecc55964495bd9e3eea9e39bfbdbb8e478b4d1d601eaab5f133dab80fba35ec
Opcode Fuzzy Hash: 130ae5400b417b9493ac0ea7037cd02c31e558508ae84025cdb4398a973fa0dc
Instruction Fuzzy Hash: D521D53AA009158FDB24CF6CE8846BDB7A5EFC5364B180295E845E7362DB34DD42C792

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NFeNFCe.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6953ff.rbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Transfer.exe.lnk

C:\Users\user\AppData\Roaming\Transfer.exe

C:\Users\user\AppData\Roaming\drivespan.dll

C:\Windows\Installer\6953fd.msi

C:\Windows\Installer\MSI5B40.tmp

C:\Windows\Installer\MSI5D06.tmp

C:\Windows\Installer\MSI5DC3.tmp

C:\Windows\Installer\MSI5E31.tmp

C:\Windows\Installer\MSI60B3.tmp

C:\Windows\Installer\SourceHash{122E16A6-CC3B-481F-BCCC-B5F82FD14C3C}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF0CACAD3964164C30.TMP

C:\Windows\Temp\~DF153C34D9E0DC4893.TMP

C:\Windows\Temp\~DF1A63BA499784C4C6.TMP

C:\Windows\Temp\~DF1F376605ABAABBDD.TMP

C:\Windows\Temp\~DF471A6EBA7F5FE3DE.TMP

C:\Windows\Temp\~DF4805B34F8A59DAA2.TMP

C:\Windows\Temp\~DF77745BD0AC417036.TMP

C:\Windows\Temp\~DF7CB7A19DC0877E92.TMP

Windows Analysis Report
NFeNFCe.msi

Function 00A41000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Function 00A417A0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 98
libraryloaderCOMMON

Function 00A42F17 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 3
COMMON

Function 00A48654 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Function 00A46BDB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 00A41510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Function 00A455D7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78
COMMONLIBRARYCODE

Function 00A46268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 00A475CA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Function 00A4CD15 Relevance: 1.8, APIs: 1, Instructions: 269
COMMONLIBRARYCODECrypto

Function 00A49302 Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Function 00A48F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 00A46F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 00A4A33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Function 00A4AC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 00A48C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Function 00A44AE0 Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Function 00A4702E Relevance: 9.0, APIs: 6, Instructions: 50
COMMONLIBRARYCODE

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre